summaryrefslogtreecommitdiffstats
path: root/wiki/src/doc/anonymous_internet/Tor_Browser.mdwn
blob: 332a284d503f51ea3c3a843d407d0659c098b781 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
[[!meta title="Browsing the web with Tor Browser"]]

[[!img Tor_Browser/mozicon128.png link=no alt=""]]

<span class="application">[Tor Browser](https://www.torproject.org/projects/torbrowser.html.en)</span> is a web
browser based on [Mozilla Firefox](http://getfirefox.com) but configured
to protect your privacy.

Tor alone is not enough to protect your anonymity and privacy while browsing the
web. All modern web browsers, such as Firefox, support [[!wikipedia
JavaScript]], [[!wikipedia Adobe_Flash]], [[!wikipedia HTTP_cookie
desc="cookies"]], and other services which have been shown to be able to defeat
the anonymity provided by the Tor network.

<span class="application">Tor Browser</span> integrates all sorts
of security measures to prevent such attacks. But since
<span class="application">Tor Browser</span> disables some dangerous functionalities, some sites might not work as
usual.

Some frequently asked questions about <span class="application">Tor Browser</span> can be found in
[[the FAQ|support/faq#browser]].

[[!toc levels=2]]

<div class="tip">

<p>If you want to browse web pages on your local network, refer to our
documentation on [[accessing resources on the local
network|advanced_topics/lan]].</p>

</div>

<a id="confinement"></a>

AppArmor confinement
====================

<span class="application">Tor Browser</span> in Tails is confined with
[[!debwiki AppArmor]] to protect the system and your data from some
types of attacks against <span class="application">Tor Browser</span>.
As a consequence, <span class="application">Tor Browser</span> in Tails can
only read and write to a limited number of folders.

<div class="note">

This is why, for example, you might face <span class="guilabel">Permission
denied</span> errors if you try to download files to the
<span class="filename">Home</span> folder.

</div>

- You can save files from <span class="application">Tor
Browser</span> to the <span class="filename">Tor Browser</span> folder
that is located in the <span class="filename">Home</span> folder.
The content of this folder will disappear once you shut down Tails.

- If you want to upload files with <span class="application">Tor
Browser</span>, copy them to that folder first.

- If you have activated the <span
class="guilabel">[[Personal
Data|doc/first_steps/persistence/configure#personal_data]]</span>
persistence feature, then you can also use the <span
class="filename">Tor Browser</span> folder that is located in the
<span class="filename">Persistent</span> folder. In that case, the
content of this folder is saved and remains available across separate
working sessions.

<div class="note">

<p>To be able to download files larger than the available RAM, you need
to activate the <span class="guilabel">[[Personal
Data|doc/first_steps/persistence/configure#personal_data]]</span>
persistence feature.</p>

</div>

<a id="https"></a>
<a id="https-everywhere"></a>

HTTPS encryption with HTTPS Everywhere
======================================

Using HTTPS instead of HTTP encrypts your communications while browsing the web.

All the data exchanged between your browser and the server you are visiting is
encrypted. HTTPS prevents the
[[Tor exit node from eavesdropping on your communications|doc/about/warning#exit_node]].

HTTPS also includes mechanisms to authenticate the server you are communicating
with. But, those mechanisms can be flawed,
[[as explained on our warning page|about/warning#man-in-the-middle]].

For example, here is how the browser looks when we try to log in to an email
account at [riseup.net](https://riseup.net/), using their [webmail
interface](https://mail.riseup.net/):

[[!img doc/anonymous_internet/Tor_Browser/riseup.png link=no alt=""]]

Notice the padlock icon on the left of the address bar saying "mail.riseup.net".
Notice also the address beginning with "https://" (instead of "http://"). These are the
indicators that an encrypted connection using [[!wikipedia HTTPS]] is being
used.

When you are sending or retrieving sensitive information (like passwords), you
should try to only use services providing HTTPS. Otherwise, it is very easy
for an eavesdropper to steal whatever information you are sending, or to
modify the content of a page on its way to your browser.

[[!img https-everywhere.jpg link=no alt=""]]

[HTTPS Everywhere](https://www.eff.org/https-everywhere) is a Firefox extension
included in <span class="application">Tor Browser</span>. It is produced as a collaboration between [The Tor
Project](https://torproject.org/) and the [Electronic Frontier
Foundation](https://eff.org/). It encrypts your communications with a number of
major websites. Many sites on the web offer some limited support for encryption
over HTTPS, but make it difficult to use. For example, they might default to
unencrypted HTTP, or fill encrypted pages with links that go back to the
unencrypted site. The HTTPS Everywhere extension fixes these problems by
rewriting all requests to these sites to HTTPS.

To learn more about HTTPS Everywhere, you can see:

 - the [HTTPS Everywhere homepage](https://www.eff.org/https-everywhere)
 - the [HTTPS Everywhere FAQ](https://www.eff.org/https-everywhere/faq/)

<a id="torbutton"></a>

<a id="javascript"></a>

Protection against dangerous JavaScript
=======================================

Having all JavaScript disabled by default would disable a lot of harmless and
possibly useful JavaScript, and might render many websites unusable.

That's why JavaScript is enabled by default but
<span class="application">Tor Browser</span> disables all potentially
dangerous JavaScript. We consider this as a necessary compromise between
security and usability.

<div class="note">

<p>To understand better the behavior of <span class="application">Tor
Browser</span>, for example, regarding JavaScript and cookies, you can
refer to the <a href="https://www.torproject.org/projects/torbrowser/design/">
<span class="application">Tor Browser</span> design document</a>.</p>

</div>

<a id="security_slider"></a>

Security slider
===============

You can use the security slider of <span class="application">Tor Browser</span>
to disable browser features as a trade-off between security and usability.
For example, you can use the security slider to disable JavaScript completely.

The security slider is set to **Standard** by default which gives
the most usable experience.

To change the value of the security slider, click on the [[!img torbutton.png link="no" class="symbolic" alt=""]] button
on the left of the address bar and choose **Security Settings&hellip;**

[[!img security_slider.png link="no" alt="Security slider in its default value (low)"]]

<a id="circuit_view"></a>
<a id="new_circuit"></a>

Tor circuit
===========

[[!img circuit_view.png link=no]]

Click on the
[[!img i.png link="no" class="symbolic" alt="Show site information"]]
button in the address bar to show the Tor circuit that is used to connect to
the website in the current tab, its 3 relays, their IP addresses, and
countries.

The last relay in the circuit, the one immediately above the
destination website, is the *exit relay*. Its
country might influence how the website behaves.

Click on the
<span class="guilabel">[[New Circuit for this Site|Tor_Browser#new_circuit]]</span> button
to use a different circuit.

You can use
<span class="application">[[Onion Circuits|doc/anonymous_internet/tor_status]]</span>
to get more detailed information about the circuits being used.

<a id="new_identity"></a>

<span class="guilabel">New Identity</span> feature
==================================================

The <span class="guilabel">New Identity</span> feature of
<span class="application">Tor Browser</span>:

  - Closes all open tabs.
  - Clears the session state including cache, history, and cookies
    (except the cookies protected by the **Cookie Protections** feature).
  - Closes all existing web connections and creates new Tor circuits.
  - Erases the content of the clipboard.

To switch to a new identity, click on the
[[!img torbutton.png link="no" class="symbolic" alt=""]] button
on the left of the address bar
and choose <span class="guilabel">New Identity</span>.

<div class="caution">

<p>This feature is not enough to strongly [[separate contextual identities|about/warning#identities]]
in the context of Tails, as the connections outside of
<span class="application">Tor Browser</span> are not restarted.</p>

<p>Restart Tails instead.</p>

</div>

For more details, see the [design and implementation of the Tor Browser](https://www.torproject.org/projects/torbrowser/design/#new-identity).

<a id="noscript"></a>

NoScript to have even more control over JavaScript
==================================================

[[!img noscript.png link=no alt=""]]

<span class="application">Tor Browser</span> includes the
<span class="application">NoScript</span> extension to:

- Protect from more JavaScript attacks. For example, cross-site
  scripting attacks (XSS).
- Allow you to disable JavaScript completely on some websites.

For more information, you can refer to the NoScript
[website](http://noscript.net/) and [features](http://noscript.net/features).