Tor OpSec

1. Safe Tor Usage
2.  
3. As a very long time Tor user, the most surprising part of the NSA documents was how little progress they have made against Tor. Despite its known weaknesses, it's still the best thing we have, provided it's used properly and you make no mistakes.
4.  
5. Since you want security of "the greatest degree technically feasible", I'm going to assume that your threat is a well-funded government with significant visibility or control of the Internet, as it is for many Tor users (despite the warnings that Tor is not sufficient to protect you from such an actor).
6.  
7. Consider whether you truly need this level of protection. If having your activity discovered does not put your life or liberty at risk, then you probably do not need to go to all of this trouble. But if it does, then you absolutely must be vigilant if you wish to remain alive and free.
8.  
9. Contents
10.  
11. 1 Your Computer
12.  
13. 2 Your Environment
14.  
15. 3 Your Mindset
16.  
17. 4 Hidden Services
18.  
19. 5 Conclusion
20.  
21. Your Computer
22.  
23. To date, the NSA's and FBI's primary attacks on Tor users have been MITM attacks (NSA) and hidden service web server compromises (FBI) which either sent tracking data to the Tor user's computer, compromised it, or both. Thus you need a reasonably secure system from which you can use Tor and reduce your risk of being tracked or compromised.
24.  
25. 1. Don't use Windows. Just don't. This also means don't use the Tor Browser Bundle on Windows. Vulnerabilities in the software in Tor browser button figure prominently in both the NSA slides and FBI's recent takedown of Freedom Hosting.
26.  
27. 2. If you can't construct your own workstation capable of running Linux and carefully configured to run the latest available versions of Tor, a proxy such as Privoxy, and a web browser (with all outgoing clearnet access firewalled), consider using Tails or Whonix instead, where most of this work is done for you. It's absolutely critical that outgoing access be firewalled so that third party applications cannot accidentally leak data about your location.
28.  
29. 3. If you are using persistent storage of any kind, ensure that it is encrypted. Current versions of LUKS are reasonably safe, and major Linux distributions will offer to set it up for you during their installation. TrueCrypt might be safe, though it's not nearly as well integrated into the OS. BitLocker might be safe as well, though you still shouldn't be running Windows. Even if you are in a country where rubber hosing is legal, such as the UK, encrypting your data protects you from a variety of other threats.
30.  
31. 4. Remember that your computer must be kept up to date. Whether you use Tails or build your own workstation from scratch or with Whonix, update frequently to ensure you are protected from the latest security vulnerabilities. Ideally you should update each time you begin a session, or at least daily. Tails will notify you at startup if an update is available.
32.  
33. 5. Be very reluctant to compromise on JavaScript, Flash and Java. Disable them all by default. If a site requires any of these, visit somewhere else. Enable scripting only as a last resort, only temporarily, and only to the minimum extent necessary to gain functionality of a web site that you have no alternative for.
34.  
35. 6. Viciously drop cookies and local data that sites send you. Neither the Tor browser button nor Tails do this well enough for my tastes; consider using an addon such as Self-Destructing Cookies to keep your cookies to a minimum. Of zero.
36.  
37. 7. Your workstation must be a laptop; it must be portable enough to be carried with you and quickly disposed of or destroyed.
38.  
39. 8. Don't use Google to search the Internet. A good alternative is Startpage; this is the default search engine for Tor browser button, Tails, and Whonix. Another is DuckDuckGo which also has a hidden service. Plus it won't call you malicious or ask you to fill out CAPTCHAs.
40.  
41. Your Environment
42.  
43. Tor contains weaknesses which can only be mitigated through actions in the physical world. An attacker who can view both your local Internet connection, and the connection of the site you are visiting, can use statistical analysis to correlate them.
44.  
45. 1. Never use Tor from home, or near home. Never work on anything sensitive enough to require Tor from home, even if you remain offline. Computers have a funny habit of liking to be connected. This also applies to anywhere you are staying temporarily, such as a hotel. Never performing these activities at home helps to ensure that they cannot be tied to those locations. (Note that this applies to people facing advanced persistent threats. Running Tor from home is reasonable and useful for others, especially people who aren't doing anything themselves but wish to help by running an exit node, relay, or bridge.
46.  
47. 2. Limit the amount of time you spend using Tor at any single location. While these correlation attacks do take some time, they can in theory be completed in as little as a day. And while the jackboots are very unlikely to show up the same day you fire up Tor at Starbucks, they might show up the next day. I recommend for the truly concerned to never use Tor more than 24 hours at any single physical location; after that, consider it burned and go elsewhere. This will help you even if the jackboots show up six months later; it's much easier to remember a regular customer than someone who showed up one day and never came back. This does mean you will have to travel farther afield, especially if you don't live in a large city, but it will help to preserve your ability to travel freely.
48.  
49. 3. When you go out to perform these activities, leave your cell phone turned on and at home.
50.  
51. Your Mindset
52.  
53. Many Tor users get caught because they made a mistake, such as posting their real E-mail address in association with their activities. You must avoid this as much as possible, and the only way to do so is with careful mental discipline.
54.  
55. 1. Think of your Tor activity as pseudonymous, and create in your mind a virtual identity to correspond with the activity. This virtual person does not know you and will never meet you, and wouldn't even like you if he knew you. He must be kept strictly mentally separated.
56.  
57. 2. If you must use public Internet services, create completely new accounts for this pseudonym. Never mix them; for instance do not browse Facebook with your real E-mail address after having used Twitter with your pseudonym's E-mail on the same computer. Wait until you get home.
58.  
59. 3. By the same token, never perform actions related to your pseudonymous activity via the clearnet, unless you have no other choice (e.g. to sign up for a provider who blocks Tor), and take extra precautions regarding your location when doing so.
60.  
61. 4. If you need to make and receive phone calls, purchase an anonymous prepaid phone for the purpose. This is difficult in some countries, but it can be done if you are creative enough. Pay cash; never use a debit or credit card to buy the phone or top-ups. Never insert its battery or turn it on if you are within 10 miles (16 km) of your home, nor use a phone from which the battery cannot be removed. Never place a SIM card previously used in one phone into another phone. Never give its number or even admit its existence to anyone who knows you by your real identity. This may need to include your family members.
62.  
63. Hidden Services
64.  
65. These are big in the news lately, with the recent takedown of at least two high-profile hidden services, Silk Road and Freedom Hosting. The bad news is, hidden services are much weaker than they could or should be. The good news is, the NSA doesn't seem to have done much with them (though the NSA slides mention a GCHQ program named ONIONBREATH which focuses on hidden services, nothing else is yet known about it).
66.  
67. In addition, since hidden services must often run under someone else's physical control, they are vulnerable to being compromised via that other party. Thus it's even more important to protect the anonymity of the service, as once it is compromised in this manner, it's pretty much game over.
68.  
69. The advice given above is sufficient if you are merely visiting a hidden service. If you need to run a hidden service, do all of the above, and in addition do the following. Note that these tasks require an experienced system administrator; performing them without the relevant experience will be difficult or impossible.
70.  
71. 1. Do not run a hidden service in a virtual machine unless you also control the physical host. Designs in which Tor and a service run in firewalled virtual machines on a firewalled physical host are OK, provided it is the physical host which you are in control of, and you are not merely leasing cloud space.
72.  
73. 2. A better design for a Tor hidden service consists of two physical hosts, leased from two different providers though they may be in the same datacenter. On the first physical host, a single virtual machine runs with Tor. Both the host and VM are firewalled to prevent outgoing traffic other than Tor traffic and traffic to the second physical host. The second physical host will then contain a VM with the actual hidden service. Again, these will be firewalled in both directions. The connection between them should be secured with IPSec, OpenVPN, etc. If it is suspected that the host running Tor may be compromised, the service on the second server may be immediately moved (by copying the virtual machine image) and both servers decommissioned. Both of these designs can be implemented fairly easily with Whonix.
74.  
75. 3. Hosts leased from third parties are convenient but especially vulnerable to attacks where the service provider takes a copy of the hard drives. If the server is virtual, or it is physical but uses RAID storage, this can be done without taking the server offline. Again, do not lease cloud space, and carefully monitor the hardware of the physical host. If the RAIDarray shows as degraded, or if the server is inexplicably down for more than a few moments, the server should be considered compromised, since there is no way to distinguish between a simple hardware failure and a compromise of this nature.
76.  
77. 4. Ensure that your hosting provider offers 24x7 access to a remote console (in the hosting industry this is often called a KVM though it's usually implemented via IPMI which can also install the operating system. Use temporary passwords/passphrases during the installation, and change them all after you have Torup and running (see below). The remote console also allows you to run a fully encrypted physical host, reducing the risk of data loss through physical compromise; however, in this case the passphrase must be changed every time the system is booted (even this does not mitigate all possible attacks, but it does buy you time).
78.  
79. 5. Your initial setup of the hosts which will run the service must be over clearnet, albeit via SSH; however, to reiterate, they must not be done from home or from a location you have ever visited before. As we have seen, it is not sufficient to simply use a VPN. This may cause you issues with actually signing up for the service due to fraud protection that such providers may use. How to deal with this is outside the scope of this answer, though.
80.  
81. 6. Once you have Tor up and running, never connect to any of the servers or virtual machines via clearnet again. Configure hidden services which connect via SSH to each host and each of the virtual machines, and always use them. If you must connect via clearnet to resolve a problem, again, do so from a location you will never visit again.
82.  
83. 7. Hidden services must be moved regularly, even if compromise is not suspected. A 2013 paper described an attack which can locate a hidden service in just a few months for around $10,000 in cloud compute charges, which is well within the budget of even some individuals. It is safer, though not at all convenient, to move the hidden service at least monthly. Ideally it should be moved as frequently as possible, though this quickly veers into the impractical. Note that it will take approximately an hour for the Tor network to recognize the new location of a moved hidden service.
84.  
85. Conclusion
86.  
87. Anonymity is hard. Technology alone, no matter how good it is, will never be enough. It requires a clear mind and careful attention to detail, as well as real-world actions to mitigate weaknesses that cannot be addressed through technology alone. As has been so frequently mentioned, the attackers can be bumbling fools who only have sheer luck to rely on, but you only have to make one mistake to be ruined. We call them "advanced persistent threats" because, in part, they are persistent. They won't give up, and you must not.