summaryrefslogtreecommitdiffstats
path: root/wiki/src/doc/anonymous_internet/Tor_Browser.mdwn
blob: 97bec05cd4ee7cd386a9116d552c6ed2a63173db (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
[[!meta title="Browsing the web with Tor Browser"]]

[[!img Tor_Browser/mozicon128.png link=no alt=""]]

<span class="application">[Tor Browser](https://www.torproject.org/projects/torbrowser.html.en)</span> is a web
browser based on [Mozilla Firefox](http://getfirefox.com) and configured to
protect your anonymity. Given the popularity of Firefox, you might have used it
before and its user interface is like any other modern web browser.

Some frequently asked questions about the browser can be found in
[[the FAQ|support/faq#browser]].

Here are a few things worth mentioning in the context of Tails.

[[!toc levels=2]]

<div class="tip">

<p>If you want to browse web pages on your local network, refer to our
documentation on [[accessing resources on the local
network|advanced_topics/lan]].</p>

</div>

<a id="confinement"></a>

AppArmor confinement
====================

<span class="application">Tor Browser</span> in Tails is confined with
[[!debwiki AppArmor]] to protect the system and your data from some
types of attack against <span class="application">Tor Browser</span>.
As a consequence, it can only read and write to a limited number of
folders.

<div class="note">

This is why you might face <span class="guilabel">Permission
denied</span> errors, for example if you try to download files to the
<span class="filename">Home</span> folder.

</div>

- You can save files from <span class="application">Tor
Browser</span> to the <span class="filename">Tor Browser</span> folder
that is located in the <span class="filename">Home</span> folder.
The content of this folder will disappear once you shut down Tails.

- If you want to upload files with <span class="application">Tor
Browser</span>, copy them to that folder first.

- If you have activated the <span
class="guilabel">[[Personal
Data|doc/first_steps/persistence/configure#personal_data]]</span>
persistence feature, then you can also use the <span
class="filename">Tor Browser</span> folder that is located in the
<span class="filename">Persistent</span> folder. In that case, the
content of this folder is saved and remains available across separate
working sessions.

<div class="note">

<p>To be able to download files larger than the available RAM, you need
to activate the <span class="guilabel">[[Personal
Data|doc/first_steps/persistence/configure#personal_data]]</span>
persistence feature.</p>

</div>

<a id="https"></a>

HTTPS Encryption
================

Using HTTPS instead of HTTP encrypts your communication while browsing the web.

All the data exchanged between your browser and the server you are visiting are
encrypted. It prevents the
[[Tor exit node to eavesdrop on your communication|doc/about/warning#exit_node]].

HTTPS also includes mechanisms to authenticate the server you are communicating
with. But those mechanisms can be flawed,
[[as explained on our warning page|about/warning#man-in-the-middle]].

For example, here is how the browser looks like when we try to log in an email
account at [riseup.net](https://riseup.net/), using their [webmail
interface](https://mail.riseup.net/):

[[!img doc/anonymous_internet/Tor_Browser/riseup.png link=no alt=""]]

Notice the padlock icon on the left of the address bar saying "mail.riseup.net"
and the address beginning with "https://" (instead of "http://"). These are the
indicators that an encrypted connection using [[!wikipedia HTTPS]] is being
used.

You should try to only use services providing HTTPS when you are sending or
retrieving sensitive information (like passwords), otherwise its very easy for
an eavesdropper to steal whatever information you are sending or to modify the
content of a page on its way to your browser.

<a id="https-everywhere"></a>

HTTPS Everywhere
----------------

[[!img https-everywhere.jpg link=no alt=""]]

[HTTPS Everywhere](https://www.eff.org/https-everywhere) is a Firefox extension
included in <span class="application">Tor Browser</span> and produced as a collaboration between [The Tor
Project](https://torproject.org/) and the [Electronic Frontier
Foundation](https://eff.org/). It encrypts your communications with a number of
major websites. Many sites on the web offer some limited support for encryption
over HTTPS, but make it difficult to use. For instance, they may default to
unencrypted HTTP, or fill encrypted pages with links that go back to the
unencrypted site. The HTTPS Everywhere extension fixes these problems by
rewriting all requests to these sites to HTTPS.

To learn more about HTTPS Everywhere you can see:

 - the [HTTPS Everywhere homepage](https://www.eff.org/https-everywhere)
 - the [HTTPS Everywhere FAQ](https://www.eff.org/https-everywhere/faq/)

<a id="torbutton"></a>

Torbutton
=========

Tor alone is not enough to protect your anonymity and privacy while browsing the
web.  All modern web browsers, such as Firefox, support [[!wikipedia
JavaScript]], [[!wikipedia Adobe_Flash]], [[!wikipedia HTTP_cookie
desc="cookies"]] and other services which have been shown to be able to defeat
the anonymity provided by the Tor network.

In <span class="application">Tor Browser</span> all such features are handled from inside the browser by an extension
called [Torbutton](https://www.torproject.org/torbutton/) which does all sorts
of things to prevent the above type of attacks. But that comes at a price: since
this will disable some functionalities and some sites might not work as
intended.

<a id="javascript"></a>

Protection against dangerous JavaScript
---------------------------------------

Having all JavaScript disabled by default would disable a lot of harmless and
possibly useful JavaScript and render unusable many websites.

That's why **JavaScript is enabled by default** in <span class="application">Tor Browser</span>.

But we rely on Torbutton to **disable all potentially dangerous JavaScript**.

We consider this as a necessary compromise between security and usability and as
of today we are not aware of any JavaScript that would compromise Tails
anonymity.

<div class="note">

<p>To understand better the behavior of <span class="application">Tor
Browser</span>, for example regarding JavaScript and cookies, you can
refer to the <a href="https://www.torproject.org/projects/torbrowser/design/">
<span class="application">Tor Browser</span> design document</a>.</p>

</div>

<a id="security_slider"></a>

Security slider
---------------

You can use the security slider of <span class="application">Torbutton</span>
to disable browser features as a trade-off between security and usability.
For example, you can use the security slider to disable JavaScript completely.

The security slider is set to *low* by default. This value provides the
default level of protection of <span class="application">Torbutton</span>
and the most usable experience.

To change the value of the security slider, click on the [[!img torbutton.png link=no class=symbolic alt="green onion"]] button
and choose **Privacy and Security Settings**.

[[!img security_slider.png link="no" alt="Security slider in its default value (low)"]]

<a id="circuit_view"></a>

<span class="guilabel">Circuit view</span> feature
--------------------------------------------------
[[!img circuit_view.png link=no]]

The <span class="guilabel">Circuit view</span> feature of
<span class="application">Torbutton</span>
shows you the three Tor relays used for the website in the current tab,
including the corresponding IP addresses and the countries they're located
in. The node immediately above the
<span class="guilabel">Internet</span> node is the *Exit relay*; the
country it is located in might determine how the website is presented
to you. You can use
<span class="guilabel">[[New Tor Circuit for this Site|Tor_Browser#new_circuit]]</span>
to change to another country.

You can use
<span class="application">[[Onion Circuits|doc/anonymous_internet/tor_status]]</span>
to get more detailed information about the circuits being used.

<a id="new_circuit"></a>

<span class="guilabel">New Tor Circuit for this Site</span> feature
-------------------------------------------------------------------

The <span class="guilabel">New Tor Circuit for this Site</span> feature
of <span class="application">Torbutton</span> builds a new Tor Circuit for the website in the current
tab and reloads it. This is particularly useful if the *Exit relay* is
located in a country which negatively affects the presentation of the
website you are visiting, e.g. due to censorship, localization into a
language you do not know, and similar.

To use it, click on the
[[!img torbutton.png link=no class=symbolic alt="green onion"]] button and select
<span class="guilabel">New Tor Circuit for this Site</span>.

<a id="new_identity"></a>

<span class="guilabel">New Identity</span> feature
--------------------------------------------------

The <span class="guilabel">New Identity</span> feature of
<span class="application">Torbutton</span>:

  - Closes all open tabs.
  - Clears the session state including cache, history, and cookies
    (except the cookies protected by the **Cookie Protections** feature).
  - Closes all existing web connections and creates new Tor circuits.
  - Erases the content of the clipboard.

To use this feature click on the
[[!img torbutton.png link=no class=symbolic alt="green onion"]] button
and select <span class="guilabel">New Identity</span>.

<div class="caution">

<p>This feature is not enough to strongly [[separate contextual identities|about/warning#identities]]
in the context of Tails as the connections outside of
<span class="application">Tor Browser</span> are not restarted.</p>

<p>Shutdown and restart Tails instead.</p>

</div>

For more details, see the [design and implementation of the Tor Browser](https://www.torproject.org/projects/torbrowser/design/#new-identity).

<a id="noscript"></a>

NoScript to have even more control over JavaScript
==================================================

[[!img noscript.png link=no alt=""]]

To allow more control over JavaScript, for example to disable JavaScript
completely on some websites, <span class="application">Tor Browser</span> includes the <span class="application">NoScript</span>
extension.

By default, <span class="application">NoScript</span> is disabled and some
JavaScript is allowed by the <span
class="application">[[Torbutton|Tor_Browser#javascript]]</span> extension as
explained above.

For more information you can refer to the NoScript
[website](http://noscript.net/) and [features](http://noscript.net/features).