The ultimate TOR guide for inexperienced users. : r/TOR

The ultimate TOR guide for inexperienced users.

Am I [insert "safe" synonym here] whilst my TOR connection is established?

No.

But it says Connection secure?

No!!!

I have downloaded a/an [insert file extension here] while on TOR -

NO!!!!!!!!!

Don't download shit from TOR to open outside of TOR, just like you wouldn't work with chemicals without gloves. Because you had gloves when you started the process doesn't mean you can take them off before you're done!

But I've already downloaded [insert file description] and opened it. Am I safe?

See third answer, but with more exclamation points.

What can I do if I've already opened the file?

Given you do not know what you're doing, probably nothing. Your best shot is to back up and secure vital information you have on your computer. If you're more cautious, change all your passwords. If you're paranoid-level cautious, pay a cybersecurity expert to investigate your computer.

Is the dark web illegal?

As they say in French, non.

Can I get in trouble for going on the dark web?

No! - Well, yes. Depends what you do on it, as explained below.

Should I use [input VPN name] with TOR?

NON NON NON!!!

In a nutshell, TOR already hides your internet traffic. If you don't know what you're doing - and this post is made for people that don't - then I highly recommend you don't use a VPN with TOR. Yes, you might have seen posts that talk about TOR over VPN or VPN over TOR or TOR over TOR - not for you.

On a more serious note, if you're unfamiliar with something, treat it with caution and reason. You don't need to be a genius to know that ordering a drug illegal in your country is I L L E G A L and can get you into some trouble. So, consider something else:

If you wouldn't do it on the clear web, don't do it on the dark web

There is no magic formula - would you feel safe downloading a file from some Chinese, phishing, "Download some RAM for free" website? If not, simply don't do it on the dark web! It's okay to not know stuff, and it's okay to ask for stuff, but we're not talking about expertise here, we're talking about common sense.

Edits:

Edit n°1: Added VPN with TOR answer.


Then how can I download something from Tor? It is safe if I download something from the normal web?

Good question!

Firstly, Dark Web, Normal Web - doesn't make a difference. I can inject malware in a PDF file regardless of the internet medium. What matters is the trustworthiness of the website. Chances are you won't get malware if you download a file from apple.com because it's secured (in its case, with certificates to prove it).

Secondly, it all comes down to the level of safety you want to reach.

Technically, you could simply assume people aren't evil and open it. That's the least safe.

Then, incrementally, you can add protection layers:

  • Scan the file on virustotal.com

  • Scan the file offline with your own antivirus and/or Windows Defender

  • If you want to be safe, open it with Tails or Whonix, two Linux distribution packages that emphasize safety and privacy.

    • Adding a level, you could do it all on a Virtual Machine, which is sandboxed, and therefore anything that happens only happens in that environment

      • If you want to be batshit safe, you could buy a cheap $50 very old computer, download the file, disconnect it from the internet so it's airtight (disconnected from anything) and use it to open files so that if it gets infected you don't care

These may all seem like funnily secure methods but the truth is, a paranoid mind is a creative one. The less compromising, sensitive and vital information you have on your computer, the less you are at risk.

Edit: CH4CH8 is not a conventional molecule - why the name?

Thanks for the response! And what do you mean with "is not a conventional molecule"? My friends call me "chacho" (I'm from Argentina) and I change the "a" for 4 and the "o" for 8 (?

Aaah, alright! I thought it was a chemical formula…

It might be in a future(? Hahaha

[deleted]

Comment deleted by user

hahahah well said. I chose apple.com as an example of a trusted website - we know who owns it and we can assume they don't want to ransomware us.

Your comment however gives me a good idea of something to introduce - checksums.

If you really trust the source but you don't trust the file, then check the file's checksum.

What is a checksum?

It's a digit representing the sum of the correct characters in a piece of stored or transmitted digital data, against which later comparisons can be made to detect errors in the data. In other words, with a checksum, you can assign a value to your file.

Let's say I put a file online. I tell you the file's checksum is ABCD. You trust me so you know the file should be secure, but you don't trust my website. However, checksums are absolutely consistent, meaning that a file will at all points have the same sum. So, if you see the file I tell you to get from my website with a checksum like ACDB, it's corrupt!

They're great ways of telling if the file is the original one, and therefore, if they're trustworthy.
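The comparison described in the comment above, as an added example that is not part of the original thread. It assumes SHA-256 and a manifest in the line format printed by `sha256sum`; the file names and contents are constructed, and the published value has to reach you through a channel you trust.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# One manifest line as printed by `sha256sum`: 64 hex digits, a space,
# ' ' (text mode) or '*' (binary mode), then the file name.
_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large download never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Return {file name: lowercase hex digest}; reject malformed lines."""
    expected = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        match = _LINE.match(line)
        if match is None:
            raise ValueError(f"manifest line {number} is malformed")
        expected[match.group(2)] = match.group(1).lower()
    return expected


def check_download(path, manifest_text):
    """Return 'ok', 'mismatch' or 'unlisted' for one downloaded file."""
    expected = parse_manifest(manifest_text).get(Path(path).name)
    if expected is None:
        return "unlisted"  # no published value, so nothing was verified
    actual = sha256_file(path)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo():
    """Constructed sample: publish a digest, then flip one bit of the file."""
    with tempfile.TemporaryDirectory() as workdir:
        original = Path(workdir) / "guide.pdf"
        original.write_bytes(b"%PDF-1.4 constructed sample content\n")
        manifest = f"{sha256_file(original)}  {original.name}\n"
        before = check_download(original, manifest)

        data = bytearray(original.read_bytes())
        data[-2] ^= 0x01  # a single changed bit is enough to change the digest
        original.write_bytes(bytes(data))
        after = check_download(original, manifest)

        other = Path(workdir) / "other.bin"
        other.write_bytes(b"not in the manifest")
        return before, after, check_download(other, manifest)


if __name__ == "__main__":
    print(demo())
```
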

This is absolutely correct. But actually downloading something's the hardest part. TOR is so slow bouncing your connection between so many places that it takes hours to finish single files.

It's definitely not optimal for downloads but if you do need to download something for x or y reasons (usually because file sharing on TOR is the only place you could find that exact file) and if there is no other way, better be safe while doing it!


It's easy to be safe, if you know what you're doing. I just wish there was a way to speed it up. The majority of the filehosts on TOR have no Clearnet alternative.


Nope: Heartbleed permitted before to imitate certificates so you're lying

Heartbleed was a very short time bug discovered in 2014 and killed 9 days after that, in 2019 it was assessed that less than 100,000 machines were still vulnerable to Heartbleed. Unless you’re downloading from a website that uses a 2013 version of OpenSSL you’re fine.

Wait r u sure forrrrr Spectre???


If you're a Linux user, just torsocks wget "DDL link here". There is also torify, based on torsocks. Better to google about it to learn more.

The Tor Project recommends, if you download anything, to not unzip or open any of the files until you have disconnected from the internet.

Thanks!

u/Pyanfars

The only way to be safe with some of the unsafe practices mentioned in the OP is to use a computer that is specifically for doing things such as downloading, etc., that you are more than comfortable with wiping and reinstalling the basic shit on over and over again, with none of your sensitive stuff on it, and don't do any of your sensitive activities like banking on it. Then do whatever you want, it doesn't matter.
Like I was told in one of my first computer courses, the only time a computer is 100% safe is when it's powered down, disconnected, in a box, in a locked closet. And even then shit can happen to the building.

Definitely, airgapping a shit computer is an easy way to deal with these problems, I actually recommended this in one of my comments.

Even if there is no personal information on the computer can’t people still figure out who you are if you are connected to your private WiFi?


is there any other benefit of using tor for a 20 year old boy except privacy??

If your sole intention is browsing the internet like a normal, average, lawful 20 year old boy, then privacy (all aspects, including anonymity, anti cookies, hiding your online activity and having no history) and less ads are the pros.

If you live in a censored country, you’ll bypass that, so yet another pro.

can i be hacked if i just used tor for browsing and normal stuff

Again, it comes back to your definitions.

If "normal stuff" is Facebook, Reddit and 9GAG, some trusted-ish websites, without downloading PDFs or programs from shady websites, then you will have no problem.

If you start downloading stuff from Ukrainian rip off websites or clicking peculiar ads, then yes, you can get "hacked"

Browse reasonably and only reasonable stuff will happen :)

u/AccordingTurn

OP has been giving great advice, but I would like to add a caveat (OP is not wrong in what he is saying, I just want to add to it)

tor will provide certain protections to the client side

If you are interacting with a site, let's say random.co.ukz, and the server side/backend/application layer is shite, and has vulnerabilities and gets breached, tor will add no layer of protection

further caveat: providing you use gen information on both for registration/account details


What about for a 37 year old boy?

Are you equally as lawful as that 20 year old boy? Then same result but with back pain


major precautions while using tor??

I guess my biggest call-out would be towards having a fake shield - TOR is not your protector. It's not an Anti Virus, it's not a cybersecurity analyst. TOR is a browser that gets you to pages. If you see TOR like that, like a "different Google Chrome", then you'll act reasonably.

If something seems shady on a normal browser, it's shady on TOR too, you won't be safe from it.

thanks


I would like to add that Tor is not a magical blanket. You need to understand why you use Tor in the first place. You have to do some opsec first. You do not need AV / firewall for everything, so you do not need Tor for everything. You should understand why you are using Tor in the first place.

That's true, I think TOR has become more of a recreational tool nowadays than a useful one...

No, it's still very useful. Like bitcoin, the pros just know the tool a lot better. It's a lot more sophisticated than what the videos show.


Is tor a series of tubes?

[deleted]

Comment deleted by user

editing!

Great guide

Appreciate it :)

u/HackerAndCoder

Am I [insert "safe" synonym here] whilst my Tor connection is established?

Depends on why you are using it.

But it says Connection secure?

Again, depends.

I have downloaded a/an [insert file extension here] while on Tor

Ok. Many people do that.

I've downloaded [insert file description] and opened it. Am I safe?

Depends, on the file type, who you are, who your adversary is, if the connection is secure (HTTPS or onion), and more. Many people are probably fine and safe.

What can I do if I've already opened the file?

Again, it depends. If you believe you are a target, or it was a virus, that's of course bad. And the most

Is "the dark web" illegal?

No.

Can I get in trouble for going on "the dark web"?

No. Though doing stuff on some of the illegal websites can (at least theoretically)

Should I use [input VPN name] with Tor?

Probably not.

In a nutshell, Tor already hides your internet traffic. If you don't know what you're doing - and this post is made for people that don't - then you probably won't gain anything by using a VPN with Tor. Yes, you might have seen posts that talk about Tor over VPN or VPN over Tor or Tor over Tor (the last one won't even work), there are some theoretical upsides, though there are also theoretical downsides, but note what Matt says at the very start: "Users may not lose any safety by adding a VPN, but they probably aren't gaining any."

There is no magic formula - would you feel safe downloading a file from some Chinese, phishing, "Download some RAM for free" website? If not, simply don't do it! It's okay to not know stuff, and it's okay to ask for stuff, but we're not talking about expertise here, we're talking about common sense.

(you can even capitalize Tor correctly. To quote the Tor support website: "Note: even though it originally came from an acronym, Tor is not spelled "TOR". Only the first letter is capitalized. In fact, we can usually spot people who haven't read any of our website (and have instead learned everything they know about Tor from news articles) by the fact that they spell it wrong.", have you?)

As I said in my post, I answered questions for inexperienced users. Now, by experience, inexperienced users do not have the time or will to get experience. So to them, it doesn't matter if it depends, because they're not going to study possibilities, and if the answer to "am I safe" is "it depends", then it's best to just say no.

Clearly, my guide is not the holy truth, it's not about "theoretical" possibilities.

As for capitalization, TOR (yes, not Tor) is an acronym, and despite it meaning The onion router as per se on their website, in the English language, acronyms get capitals on EVERY letter, whether it's a unit, element or anything else.

But again, this wasn't about flexing my TOR knowledge, it's about providing a starter's guide to people who need it, and I can guarantee people who need it won't complain if I write TOR or TOR.

u/HackerAndCoder

Clearly, my guide is not the holy truth

No, and neither is it the "ultimate".

https://matt.traudt.xyz/posts/tor_spelling/

I do not wish to argue because this is not what the post is about.

Am I a T browser god? No

Am I an English teacher? No

Am I helping people? Some people seem to appreciate the guide

I'm sorry if you don't feel that way.

[deleted]

Sir this page is down

https://matt.traudt.xyz/posts/vpn-tor-not-mRikAa4h/

Any alternatives for this?

u/HackerAndCoder
[deleted]
u/MississippiJoel

Was kind of hoping for an actual beginner's crash course. This is just meme material.

But this is a beginners course! I know the format is kind of meme-ish because I wanted to make it accessible but nothing I say is fake.

Many people asked further details in comments, to which I replied more seriously. Would you like to ask questions too?


I recommend changing the name and icon on your computer if you're living with other people because even if you don't do anything illegal on Tor, it is still very suspicious if you have it.

[deleted]

Comment deleted by user

This goes back to what I said in Answer 3. Just because the file is downloaded safely doesn't mean that double clicking it won't harm your computer - from what I saw beneath, it's an image. Bitmap files (JPG, PNG) are harder, nearly impossible to embed with malware, so it's "safer" to download.

Like the person that's been replying to you said, TOR is about not being more anonymous, not about being safe. You can download anything using any method, if the file has a virus, it'll have a virus regardless if you downloaded it with Google, Bing, TOR or whatever else.

[deleted]

Yes. But then again depends on the file.

[deleted]

Comment deleted by user

[deleted]

I mean you can download that from a normal browser too, Tor won't provide any extra security. It just provides anonymity.

[deleted]

Comment deleted by user

[deleted]

Comment deleted by user

It's alright, the no's were supposed to be an accessible way to read this.

Well, as some pointed out in the comments, it really depends on the file.

As far as I know, there is no hacker good enough (or at least none that has enough free time) to upload a malware-imbued file so that when you click it, all your data is exposed to the people.

How?

Javascript – Javascripts are used in the website coding to control browser appearance and functionality. In the past, it has been used to exploit multiple vulnerabilities in PDF readers.

System Commands – Launch action in PDF can open Command window and execute commands to initiate malware. Most of the commands have now been disabled by Adobe but they might be open in other readers or earlier versions.

Hidden Objects – PDFs can have embedded and encrypted objects which prevents being analyzed by antivirus scanner. These objects are executed when file is opened by the user.

Multimedia Control – When we say PDF can have embedded objects, it could be a quick-time media or flash file. Attacker can exploit vulnerability in media players.

These are the "gateways", so to call them. Using these methods, you can implant spywares to spy on your activity, ransomwares to block your computer until ransom is paid, keyloggers to check for keys entered on a specific app or website (like banks), and the list goes on.

From your first sentence I can tell you're quite scared for your information to be exposed - so to answer exactly that, it is possible to get your information out of you, as mentioned in the previous paragraph.

Now, don't get paranoid about it - it doesn't mean every PDF will contain viruses. It just means that when you do something shadier than usual, on a website you might not be supposed to be, or if you download from an untrusted source, keep in mind that there exists a possibility the file is corrupt.

I can't tell you if the possibility is big, nor can I tell you it's inexistent. I'm simply trying to inform.
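A triage check for the four "gateways" listed in the comment above, as an added example that is not part of the original thread. It counts the PDF dictionary names associated with each one before a file is opened; the category labels and both sample documents are constructed for illustration, and names stored inside compressed streams are not visible to a byte scan like this.

```python
import re

# A PDF name is "/" followed by regular characters; any character may be
# written as a #xx hex escape (e.g. /J#61vaScript), so decode before matching.
_NAME = re.compile(rb"/([^\s()<>\[\]{}/%]+)")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# PDF names grouped by the gateway they relate to (labels are this example's).
RISKY_NAMES = {
    "JavaScript": "javascript", "JS": "javascript",
    "Launch": "system command",
    "OpenAction": "auto-run on open", "AA": "auto-run on open",
    "EmbeddedFile": "hidden or embedded object",
    "ObjStm": "hidden or embedded object",   # object streams hide other objects
    "Encrypt": "hidden or embedded object",
    "RichMedia": "multimedia", "Movie": "multimedia", "Sound": "multimedia",
}

# Constructed samples: a plain catalog, and one that uses an escaped name.
SAMPLE_CLEAN = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
)
SAMPLE_FLAGGED = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\n"
    b"endobj\n3 0 obj\n<< /S /J#61vaScript /JS (app.alert(1)) >>\nendobj\n"
    b"4 0 obj\n<< /S /Launch /F (placeholder.txt) >>\nendobj\n%%EOF\n"
)


def decode_name(raw):
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    decoded = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data):
    """Return {category: sorted names found}; an empty dict means no hits."""
    if b"%PDF-" not in data[:1024]:
        raise ValueError("not a PDF: header missing")
    findings = {}
    for match in _NAME.finditer(data):
        name = decode_name(match.group(1))
        category = RISKY_NAMES.get(name)
        if category is not None:
            findings.setdefault(category, set()).add(name)
    return {category: sorted(names) for category, names in findings.items()}


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("flagged", SAMPLE_FLAGGED)):
        print(label, triage_pdf(sample))
```

A hit is a reason to open the file only in the isolated setups discussed earlier in the thread, not proof of malware; an empty result is not proof of safety either.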

I thought you could download way worse files from Tor than from clear web

Definitely not. Actually, I think most black hat hackers (those who want to do evil stuff for profit or chaos) will privilege the clear web because there’s more people to attack.

Well yes and clear web people are usually stupider than dark web people

Well, many people that are inexperienced will assume that the dark web is the “bad” web so the clear web is safe. Like an older man telling you weed is bad but doesn’t feel and drinking 3 glasses of whiskey per day. Neither is dangerous, all people need to do is show a little reason and think about what and how they act online, they’ll be fine instantly

u/anonymousposter77666

Subs

u/Kahing

What is the Tor Browser Bundle? I downloaded the Tor Browser but I've been reading stuff about different versions like the Tor Network and Browser Bundle. What is the distinction between them?

TBB or tor browser bundle is a customized browser based on Firefox. It contains tor button, tor launcher, tor proxy, HTTPS everywhere, NoScript, and lots of other addons.

Basically, for basic usage of Tor, you can simply download Tor, or you could get TBB which will allow you to further download addons. I’m not 100% sure of this but I think that today, Tor basic download will already feature the ones I listed in the first paragraph (but back in the days, it didn’t).

The distinction isn’t very clear today but I believe it was a lot more clear a few years back. If somebody would like to add, please do, because I can’t really say much more. If you Google for TBB, most posts will be from 2013, back when that was the name.

Here is Tor's page that explains it, with an example of downloadable plugin:

https://blog.torproject.org/ways-get-tor-browser-bundle

u/Kahing

So if I don't want to download anything do regular Tor and TBB provide the same level of anonymity?

I believe so. TOR’s anonymity is provided by its way of working - in a nutshell, before getting to the page you want to explore, it will bounce your signal between other computers. That being done, if the website is evil, it’s very hard for its operator to find where the signal originated from. Now this service is basic to Tor, so if you downloaded Tor browser only, you’ll have that implemented by default.

u/Kahing

Thanks. Another question, do they both hide hardware identifiers like device ID to the same extent?

u/billdietrich1

Should I use [input VPN name] with TOR?

If you want to protect the non-Tor traffic coming out of your system (from updaters, services, other apps, email client, etc), use a VPN.

If you want to run Tor Browser, leave the VPN running, and launch Tor. You'll have "Tor over VPN". Tor is secure by itself, you're not using the VPN to "help" Tor. The VPN is there to protect the non-Tor traffic.

Simple.

Yes, but ultimately (exactly as you said) the VPN will do tor no good nor bad, so why do that?

u/billdietrich1

The VPN is to protect the non-Tor traffic, which can come at any time, even while you're using Tor.

[deleted]

The VPN is to protect the non-Tor traffic, which can come at any time, even while you're using Tor.

@ u/BioFrosted u/billdietrich1 u/HackerAndCoder

I am from a place where whistleblowers are slaughtered. I am not a whistleblower in the real sense, but I contribute what little I can to the cause. Why was I thinking of using VPN+Tor? Well, because any city- or zone-wise politician here can get whatever info they want from the ISP in seconds. If a VPN is used, the office and servers of which are situated outside the country, then it will be hard for them to get the info from them. Maybe real hard, because the adversary here won’t be the national government; we are just trying to expose corruption on a state level. Now, in some of the subs here, I read people mentioning the money trail associated with the VPN. What if a free version is used? A VPN will log, whether the user is a free user or is paying, period. Both the ISP and the VPN (free or paid) are the devils here. As it might be harder, I am not sure here, for the concerned to get hold of the VPN than the ISP, I wanted to use Tor over VPN. Yes, they will log, but it might be better than just calling the ISP and saying, hey, I am abcd politician, hand me over the logs and everything of user A. Sounds like a good enough reason for Tor over VPN? Not saying that it will increase protection, just asking from the POV that getting details from the VPN will require additional time and effort. Also, why is it that Tor over VPN is possible with some VPNs and not with others? For example, if a paid or free version of Keepsolid VPN is activated before pressing the connect button on Tor, Tor never connects.

This is the main question: the free VPNs with which Tor over VPN seems to be possible do not have a kill switch in case the internet drops. Now say one is connected in Tor over free VPN mode (ignore the VPN collecting logs for a second) and the internet breaks; as there is no kill switch, will this leak one’s IP to the websites being browsed in Tor? Does Tor have any countermeasure to prevent this?

If there is any major security flaw if Tor over VPN is used then please please enlighten me.

u/billdietrich1

Tor is safe, no matter how malicious or faulty the VPN is.

As far as protecting your non-Tor traffic, at worst the VPN will know what your ISP would know if you weren't using a VPN. If you can sign up for VPN without giving ID, then VPN will know less than ISP would. Use HTTPS, and don't use VPN's custom client (use OS's built-in generic client).

u/ChevalOhneHead

...and first and foremost read manual.


I don't expect most people to, but yes

[deleted]

u/BioFrosted

Great Write up, few queries

I am from a place where whistleblowers are slaughtered. I am not a whistleblower in the real sense, but I contribute what little I can to the cause. Why was I thinking of using VPN+Tor? Well, because any city- or zone-wise politician here can get whatever info they want from the ISP in seconds. If a VPN is used, the office and servers of which are situated outside the country, then it will be hard for them to get the info from them. Maybe real hard, because the adversary here won’t be the national government; we are just trying to expose corruption on a state level. Now, in some of the subs here, I read people mentioning the money trail associated with the VPN. What if a free version is used? A VPN will log, whether the user is a free user or is paying, period. Both the ISP and the VPN (free or paid) are the devils here. As it might be harder, I am not sure here, for the concerned to get hold of the VPN than the ISP, I wanted to use Tor over VPN. Yes, they will log, but it might be better than just calling the ISP and saying, hey, I am abcd politician, hand me over the logs and everything of user A. Sounds like a good enough reason for Tor over VPN? Not saying that it will increase protection, just asking from the POV that getting details from the VPN will require additional time and effort. Also, why is it that Tor over VPN is possible with some VPNs and not with others? For example, if a paid or free version of Keepsolid VPN is activated before pressing the connect button on Tor, Tor never connects.

This is the main question: the free VPNs with which Tor over VPN seems to be possible do not have a kill switch in case the internet drops. Now say one is connected in Tor over free VPN mode (ignore the VPN collecting logs for a second) and the internet breaks; as there is no kill switch, will this leak one’s IP to the websites being browsed in Tor? Does Tor have any countermeasure to prevent this?

If there is any major security flaw if Tor over VPN is used then please please enlighten me.