In-depth materials on anonymity, privacy, and information security. All articles are written for educational purposes and will help you better understand data protection technologies in the modern internet.
Tor Browser is the primary tool for anonymous access to the internet. However, the default installation does not provide the maximum level of protection. In this article, we will walk through the step-by-step configuration of Tor Browser, including torrc configuration, bridge usage, stream isolation, and additional measures that significantly enhance your anonymity.
Step 1: Installing Tor Browser
Download Tor Browser exclusively from the official Tor Project website or the official repository. Never use third-party sources, as they may contain modified builds with backdoors. On Linux, the installation is performed as follows:
# Download from the official website
wget https://www.torproject.org/dist/torbrowser/13.5/tor-browser-linux-x86_64-13.5.tar.xz
# Verify the GPG signature
gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
gpg --verify tor-browser-linux-x86_64-13.5.tar.xz.asc tor-browser-linux-x86_64-13.5.tar.xz
# Extract the archive
tar -xf tor-browser-linux-x86_64-13.5.tar.xz
cd tor-browser
# Launch
./start-tor-browser.desktop
Always verify the GPG signature each time you download a new version. This ensures that the files have not been tampered with during transmission.
Step 2: Configuring the Security Level
Tor Browser has three security levels: Standard, Safer, and Safest. For maximum anonymity, it is recommended to use the Safest level. This level completely disables JavaScript, blocks web fonts, disables media autoplay, and restricts the functionality of many potentially dangerous web technologies. Yes, many websites will not function correctly, but JavaScript is one of the primary vectors for deanonymizing Tor users.
Step 3: Configuring torrc
The torrc file allows fine-tuning of the Tor client behavior. Open it for editing:
# File path on Linux
nano ~/tor-browser/Browser/TorBrowser/Data/Tor/torrc
# Key parameters for enhanced anonymity:
# Use only specific entry nodes (Guard Nodes)
# Country restriction — exclude countries with aggressive surveillance
ExcludeNodes {ru},{us},{gb},{au},{nz},{ca}
ExcludeExitNodes {ru},{us},{gb},{au},{nz},{ca}
StrictNodes 1
# Stream isolation — each request goes through a separate circuit
IsolateSOCKSAuth 1
IsolateClientAddr 1
IsolateClientProtocol 1
IsolateDestPort 1
IsolateDestAddr 1
# Force use of secure protocol versions only
ClientUseIPv4 1
ClientUseIPv6 1
The StrictNodes 1 parameter ensures that Tor will not use nodes from excluded countries under any circumstances. The country list {ru},{us},{gb},{au},{nz},{ca} includes Five Eyes alliance members and Russia — states with the most advanced internet surveillance systems.
Step 4: Using Bridges
Bridges conceal the very fact of Tor usage from your internet service provider. This is critically important in countries where Tor usage is monitored or blocked. To obtain bridges, do the following:
# Request bridges via BridgeDB:
# Visit https://bridges.torproject.org/
# Or send an email to bridges@torproject.org
# with the subject: get transport obfs4
# Adding bridges to torrc:
UseBridges 1
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy
Bridge obfs4 IP_ADDRESS:PORT FINGERPRINT cert=CERTIFICATE iat-mode=0
Bridge obfs4 IP_ADDRESS:PORT FINGERPRINT cert=CERTIFICATE iat-mode=0
The obfs4 protocol disguises Tor traffic as regular HTTPS traffic, making it virtually indistinguishable during deep packet inspection (DPI).
Step 5: Additional Measures
For complete protection, it is recommended to combine Tor Browser with the following practices: do not resize the browser window (screen resolution fingerprinting), do not install additional extensions, do not log into personal accounts through Tor, use a separate operating system profile or a virtual machine. The Tails or Whonix operating systems are the best choice for sensitive tasks, as they route all system traffic through Tor.
In the field of internet privacy, three main tools are frequently mentioned: VPN, proxy servers, and the Tor network. Each of them works in fundamentally different ways and is designed to solve different problems. Understanding the differences between them is critically important for choosing the right tool in a specific situation.
VPN (Virtual Private Network)
A VPN creates an encrypted tunnel between your device and the VPN server. All your internet traffic passes through this tunnel, and external observers see only the VPN server's IP address instead of your real one. The main VPN protocols include WireGuard, OpenVPN, and IKEv2. You can verify VPN operation through the terminal:
# Connect to VPN via OpenVPN
sudo openvpn --config /path/to/config.ovpn
# Check current IP address
curl https://check.torproject.org/api/ip
# Check for DNS leaks
cat /etc/resolv.conf
# nameserver should point to the VPN server, not your ISP
# WebRTC leak test (in browser):
# Visit https://browserleaks.com/webrtc
Advantages of VPN: high connection speed, encryption of all system traffic, ease of setup, compatibility with most services and applications. VPN is suitable for bypassing geographic restrictions, protecting data on public Wi-Fi networks, and hiding activity from your internet service provider.
Disadvantages of VPN: single point of trust — the VPN provider sees all your traffic. Even so-called no-log providers have repeatedly handed over user data to law enforcement agencies. A VPN does not provide anonymity; it merely shifts the point of trust from the ISP to the VPN company. Additionally, subscription payments may be linked to your identity.
Proxy Servers
A proxy server acts as an intermediary between your device and the target resource. There are various types of proxies: HTTP proxies work only with web traffic, SOCKS5 proxies support arbitrary protocols, and CGI proxies work through a web interface. Setting up a SOCKS5 proxy via SSH:
# Create a SOCKS5 proxy via SSH tunnel
ssh -D 9050 -f -C -q -N user@remote-server.com
# Use the proxy with curl
curl --socks5 127.0.0.1:9050 https://check.torproject.org/api/ip
# Configure system proxy on Linux
export http_proxy="socks5://127.0.0.1:9050"
export https_proxy="socks5://127.0.0.1:9050"
# Verify the proxy chain via proxychains
proxychains4 curl https://ifconfig.me
Advantages of Proxy: many servers are freely available, no software installation required for HTTP proxies, ability to build chains via proxychains.
Disadvantages of Proxy: most proxies do not encrypt traffic, free proxies often keep logs and may inject malicious code, they operate only at the application level (do not protect system traffic), low reliability and connection instability.
Tor (The Onion Router)
Tor routes traffic through three randomly selected nodes (entry, middle, and exit), applying multi-layered encryption. Each node knows only the previous and next node in the chain, but no single node knows both the sender and the recipient simultaneously. This provides a significantly higher level of anonymity compared to VPN and proxy.
Advantages of Tor: decentralized architecture with no single point of failure, free and open source, access to onion services, no need to trust any single organization, resistance to traffic analysis.
Disadvantages of Tor: significant speed reduction (traffic passes through three nodes), exit nodes can intercept unencrypted traffic, some websites block Tor exit node IP addresses, unsuitable for torrents and streaming video.
Comparison Table
VPN
Anonymity: Low — VPN provider sees everything
Speed: High (5-15% loss)
Encryption: Full (AES-256 / ChaCha20)
Cost: Paid ($3-12/month)
Best for: Bypassing restrictions, protection on public networks
Operational Security (OPSEC) is a systematic process of protecting critically important information from a potential adversary. In the context of internet privacy, OPSEC encompasses not only technical tools (VPN, Tor, encryption) but also behavioral practices, habits, communication methods, and even writing style. Technical tools are useless if the user makes behavioral mistakes that allow their anonymous activity to be linked to their real identity.
The Principle of Compartmentalization
Compartmentalization is a fundamental OPSEC principle meaning the strict separation of different areas of your digital activity. Each "identity" on the internet must exist in isolation from others. This includes using separate devices or virtual machines, separate email accounts, different communication styles, and non-overlapping temporal activity patterns.
# Creating an isolated virtual machine with Whonix
# Whonix consists of two VMs: Gateway (routing through Tor)
# and Workstation (working environment)
# Install VirtualBox
sudo apt install virtualbox
# Import Whonix Gateway
VBoxManage import Whonix-Gateway.ova
# Import Whonix Workstation
VBoxManage import Whonix-Workstation.ova
# Launch in headless mode
VBoxManage startvm "Whonix-Gateway" --type headless
VBoxManage startvm "Whonix-Workstation"
# Verify routing inside the Workstation
curl https://check.torproject.org/api/ip
# Should display the IP address of a Tor exit node
Metadata — The Hidden Enemy
Metadata contains far more information than most users realize. A photograph may contain GPS coordinates, camera model, and the date of capture. Word documents store the author's name, organization, and editing history. PDF files contain metadata about the software that created the document. Even plain text can be identified through stylometric analysis — the unique writing patterns of each individual.
# Removing metadata from images using exiftool
sudo apt install libimage-exiftool-perl
# View file metadata
exiftool photo.jpg
# Remove ALL metadata
exiftool -all= photo.jpg
# Remove metadata from PDF
exiftool -all= document.pdf
# Bulk metadata removal from all files in a directory
exiftool -all= -overwrite_original -r /path/to/directory/
# Alternative — mat2 (Metadata Anonymisation Toolkit)
sudo apt install mat2
mat2 --inplace photo.jpg
Digital Communication Hygiene
When communicating anonymously, follow these rules: never mention details from real life, including the weather outside your window, local time, or events happening in your city. Avoid using the same nicknames, passwords, and avatars across different platforms. Do not use the same characteristic phrases and expressions. Vary your writing style across different anonymous accounts — sentence length, punctuation, level of formality. Stylometric analysis can identify the author of a text with high accuracy even from short fragments.
Data Encryption
Full-disk encryption is a mandatory measure for any device used in sensitive activities. On Linux, LUKS is recommended; on macOS, FileVault; on Windows, VeraCrypt (not BitLocker, as keys may be stored in the TPM and accessible to Microsoft). For individual files and correspondence, use GnuPG:
# Generate a GPG key with maximum parameters
gpg --full-generate-key
# Select RSA and RSA, key size 4096 bits
# Encrypt a file for a specific recipient
gpg --encrypt --recipient recipient@email.com secret.txt
# Encrypt a file with a symmetric key (password)
gpg --symmetric --cipher-algo AES256 secret.txt
# Create an encrypted VeraCrypt container via CLI
veracrypt --text --create /path/to/container \
--size 1G \
--encryption AES-Twofish-Serpent \
--hash SHA-512 \
--filesystem ext4 \
--random-source /dev/urandom
Network Connection Security
In addition to using Tor or a VPN, it is important to control DNS queries, prevent leaks through WebRTC and IPv6, and block unwanted network connections using a firewall. Configuring iptables to prevent leaks outside of Tor:
# Block all outgoing traffic except Tor
# (for systems where Tor runs as a system service)
sudo iptables -F OUTPUT
sudo iptables -A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
sudo iptables -A OUTPUT -j DROP
# Verify rules
sudo iptables -L OUTPUT -v -n
Key OPSEC Mistakes
The most common mistakes leading to deanonymization include: reusing credentials between anonymous and real profiles; logging into anonymous accounts without Tor even once; discussing real events that can reveal geolocation; using a single device for both anonymous and regular activities without virtualization; neglecting software updates; storing unencrypted logs and notes; using the same writing style. Remember that deanonymization often requires just a single mistake made at any point during the entire period of activity.
A curated collection of authoritative materials from external sources that complement the topics covered above. All links lead to trusted resources in the field of information security and privacy.
EFF: Surveillance Self-Defense
A comprehensive guide from the Electronic Frontier Foundation on protection against surveillance. Covers threat models, secure communication, data encryption, and device protection. One of the best introductory resources for learning digital security.
An exhaustive guide to online anonymity covering all aspects: from hardware selection to proper behavior on the internet. Regularly updated by the community and available for free.
Recommendations for choosing software and services with a focus on privacy. Includes reviews of VPN providers, messengers, email services, browsers, and operating systems.
Documentation for the Tails operating system, designed for anonymous use. Includes guides on installation, configuration, Persistent Storage usage, and secure data deletion.
Detailed Whonix project documentation on setting up a working environment for maximum anonymity. Contains specific configurations, attack model analysis, and recommendations for hardening system security.
The security section of ArchWiki is one of the most detailed technical resources on configuring Linux system security. Includes guides on encryption, firewalls, auditing, and system hardening.