Dos and Don'ts of the Tor Browser

A friend of mine asked recently about dos and don’ts of using the Tor Browser, and there are quite a few; in fact, I may not know all of them offhand, which is why it’s good to read the official Tor Browser manual and other documentation made by the Tor Project.

That being said, there are some definite things that you should and shouldn’t do with the Tor Browser:

Do use the official Tor Browser from the Tor Project: The only Tor Browser builds you should use are the ones made by the Tor Project itself, including its builds for other platforms. Currently, the official builds support Windows, OS X, Linux, and Android.


Do use .onion services if they’re available: Some clearnet sites also have Tor hidden services (.onion sites) as mirrors. If you have the option to use either, the onion service, if configured correctly, is likely to have better anonymity.

Do use different passwords and usernames on Tor: Depending on your threat model, it’s better to use different passwords and/or usernames on Tor than the ones you use on the clearnet. Use your password manager or something like Diceware to generate new passwords for Tor sites.

Don’t install plugins or add-ons: Tempting as it might be to install the plugins you’re accustomed to on other browsers, such as password managers, with Tor these can be harmful rather than helpful. Because Tor’s purpose is anonymity and security, installing add-ons differentiates you from other Tor users. Taking password managers as the example, you can instead use a manager like KeePass, which stores your passwords offline, and copy the passwords into the sites on Tor.

As user SuperSluether put it on StackExchange:

Look, using plug-ins in the Tor Browser is the same as using your default browser. Any protection from Tor is lost because the plugins COMPLETELY IGNORE THE PROXY SETTINGS.

If you want to use plugins, don’t use Tor. Trying to use both at the same time is most wasted effort. The only difference between doing this and using your normal browser is the fact that your normal browser already has the plugins installed.

In fact, it’d be easier to set up a local Tor proxy, and tell your default browser to use that. Since plugins ignore the proxy, you’ll get the exact same effect as on the Tor Browser.

Don’t torrent over Tor: Tor is notoriously bad for torrenting, for two reasons: it breaks your anonymity and it slows down the network for everyone else. In fact, the Tor Project addresses this directly in its FAQ:

Torrent file-sharing applications have been observed to ignore proxy settings and make direct connections even when they are told to use Tor. Even if your torrent application connects only through Tor, you will often send out your real IP address in the tracker GET request, because that’s how torrents work. Not only do you deanonymize your torrent traffic and your other simultaneous Tor web traffic this way, you also slow down the entire Tor network for everyone else.

Other anonymity networks, like I2P, Freenet, and ZeroNet, are better suited to things like torrenting. For instance, I2P can be used with I2P-Snark.

Don’t use “unofficial” Tor browsers: There are a number of “imitation” Tor browsers on places like the Google Play store (which, if you’re already anti-Google, you probably don’t use anyway). For instance, there’s an app called Onion Search Browser, which, in theory, allows you to access onion sites, but contains ads and is terrible with anonymity. Any of these other “Tor browsers” are likely to be awful, even if they are able to access onion sites.

Be careful about enabling JavaScript and other site features: While some sites won’t function without JavaScript and other features, be aware that allowing them on some sites and not others can enable tracking as well. The current version of the Tor Browser has three security levels: standard, safer, and safest. Under “standard,” all Tor Browser and website features are enabled. Under “safer,” some website features that can be dangerous are disabled: JavaScript is disabled on all non-HTTPS sites, some fonts and math symbols are disabled, and audio and video (HTML5 media) are click-to-play. Under “safest,” only the website features required for static sites and basic services are enabled, so images, media, and scripts are blocked: JavaScript is disabled on all sites, some fonts, icons, and math symbols are disabled as well, and audio and video (HTML5 media) are click-to-play.

Don’t use a VPN provider with Tor: There are still a lot of articles and videos claiming you need to use a VPN provider with Tor, which is essentially a myth started by VPN providers. Doing so can actually compromise your anonymity, because you’re then relying on the VPN provider for privacy. If the VPN company is compromised in any way, then so is your data. This isn’t to say that VPNs don’t have other uses, but using the two together is pointless. If you’re concerned about hiding your Tor usage from your ISP, using a Tor bridge can get around this problem; see the Tor Project’s Relay Search.

Be wary of .onion sites: As on the clearnet, there are some .onion sites with malicious intent. Sites listed on directories like the Hidden Wiki, especially financially-related ones, tend to be scams. Use your good judgment. While this isn’t about the browser itself, these types of sites are aimed at those who are new to Tor and hope to take your money. Such sites have stolen people’s bitcoins, PGP keys, passwords, and other personal information.
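One small check that helps with both points above (preferring a site’s onion mirror, and not trusting a look-alike address copied from a directory) is verifying that a v3 onion address is well-formed before visiting it. The address embeds a 2-byte SHA3-256 checksum over the service’s public key, so a mistyped or truncated address fails the check. This is an added example, not code from the original post or from the Tor Project; it uses only the Python standard library, and the public key in the test is a constructed placeholder.

```python
import base64
import hashlib
import hmac

ONION_SUFFIX = ".onion"
ONION_V3_VERSION = b"\x03"          # version byte appended to every v3 address
CHECKSUM_PREFIX = b".onion checksum"  # fixed prefix from the v3 address format
V3_LABEL_LEN = 56                   # base32 of 32 + 2 + 1 = 35 bytes


def _checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def make_onion_address(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 .onion address."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be exactly 32 bytes")
    raw = pubkey + _checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ONION_SUFFIX


def validate_onion_address(addr: str) -> bool:
    """Return True only if addr is a structurally valid v3 onion address.

    Checks: suffix, 56-character base32 label, version byte 0x03, and the
    embedded checksum. A valid result means the address was not mangled; it
    says nothing about whether the service behind it is trustworthy.
    """
    addr = addr.strip().lower()
    if not addr.endswith(ONION_SUFFIX):
        return False
    label = addr[: -len(ONION_SUFFIX)]
    if len(label) != V3_LABEL_LEN:
        return False  # v2 (16-char) or malformed addresses are rejected
    try:
        raw = base64.b32decode(label, casefold=True)
    except ValueError:
        return False  # characters outside the base32 alphabet
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        return False
    # constant-time compare is a habit worth keeping even for non-secret data
    return hmac.compare_digest(checksum, _checksum(pubkey))
```

Run it on an address before pasting it into the browser; an address that fails here was copied or typed wrong, and one that passes still deserves the scepticism the post recommends.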