3

If running the Tor browser, should you still have the same privacy add-ons as you would if you were running a "regular" browser? Or will some of them be superfluous because of the built-in functionality in the Tor browser? For reference, a list of commonly recommended privacy tools:

  • uBlock
  • Ghostery
  • HTTPS Everywhere
  • Lightbeam
  • AdBlock Plus
  • Disconnect
  • Privacy Badger
  • NoScript
  • Self-destructing cookies
forthrin
  • 1,741
  • 1
  • 13
  • 21
  • Please note that Tor Project **very strongly** recommends against installing non-default addons specifically because they make you _easier_ to fingerprint, not harder. – forest Feb 14 '19 at 11:11

2 Answers2

3

First of all, NoScript and HTTPS-Everywhere are included in the bundle by default (see "What is Tor browser").

Other than that, it boils down to your personal list of pros and cons. You will alter the browser's fingerprint by customizing it with add-ons which may result in your instance being more unique/trackable. This goes against recommendations and warnings to keep the bundle as default as possible to be indistinguishable from other Tor browsers on the net. This applies to actions like installing/removing add-ons, resizing the window, enabling/disabling title bar/menu bar etc.

The best way to stay anonymous is most likely to use Tor via Tails which will - by design - take care of things like cookies, and leave everything to default. Just make sure that JavaScript is disabled. That way, most of the tracking functionalities will be disabled and you'll be near-indistinguishable from other Tor browsers.

Additionally, you may want to check out Michael Hampton's thorough and in-depth answer regarding other Tor best practices (although he recommends installing Self-Destructing Cookies).

forest
  • 64,616
  • 20
  • 206
  • 257
SeeYouInDisneyland
  • 1,428
  • 9
  • 20
  • Thanks for a good answer and good references. Stay as equal as possible to other TOR users. I get the point. However, doesn't TOR block access to fingerprint-able information like the window size? (If not, wouldn't changing the window size immediately create an almost certainly unique fingerprint, and if so, shouldn't resizing the TOR application window be forcibly disabled by its developers to prevent users from doing this accidentally or unknowingly?) – forthrin Feb 14 '19 at 09:12
  • 1
    @forthrin Tor (not TOR) Browser unfortunately cannot block window size, as there are a variety of methods to fingerprint it even with JavaScript disabled. That is why it starts up with a specific window size. – forest Feb 14 '19 at 11:10
  • @forest: 1) How does one read window size with JavaScript disabled? 2) And why hasn't the program window been forcibly set to a fixed size if this is such a major issue. I'm sure all relevant Operating Systems have a "can resize" flag that can be set for program windows. – forthrin Feb 14 '19 at 11:50
  • FWIW: Tor browser displays a prominent message box/warning if you put it to full screen (IIRC not when you're just adjusting the window size) – SeeYouInDisneyland Feb 14 '19 at 11:51
  • 1) The CSS @media elements allow reading window size by fetching resources conditionally based on window size. 2) While that would be possible, I assume the reason is simply to allow people who don't care about fingerprinting to resize their browser. You'd have to ask the devs. – forest Feb 14 '19 at 11:51
  • @forest: Why would anyone use Tor and not care about fingerprinting? That doesn't make sense. I hope a dev or someone else with knowledge will see this and make a comment about the window size. – forthrin Feb 14 '19 at 11:54
  • You can only show a person the way, not force them to walk it. It should be possible for people to make an informed decision. If they choose to maximize their window, so be it (after an already implemented warning message). – SeeYouInDisneyland Feb 14 '19 at 11:56
  • 1
    @forthrin It depends on the threat model. Many people use Tor to evade censorship, not avoid fingerprinting. – forest Feb 14 '19 at 11:57
  • @SeeYouInDisneyland: Well, the warning doesn't appear when resizing the window outside of full screen mode. It's pretty obvious to me that someone is bound to resize the window either out of forgetfulness or simple lack of knowledge. Such an obvious pitfall should definitely be addressed by the maintainers. – forthrin Feb 14 '19 at 12:09
1

There are three categories of addons

Addons not needed

The tor-browser-bundles contains some additional fixes to fingerprinting techniques. You can read more when you lookup the "resistFingerprinting" Firefox setting, which uplifts quite a few of these settings.

Example: You do not need to change your user agent string, as the tor browser automatically uses a common Firefox user agent.

Addons still needed

Example: uBlock Origin can still block a lot of things, which may improve your privacy and your comfort reading websites.

Harmful Addons

Again take an user agent changing addon as example. The tor browser uses a common user agent, which is the same for all users. The addon may try to use a common user agent, but it differs from the tor browser user agent string.

Especially when you visit hidden services, which see almost only tor browser user agent strings, the addon will make it easier to track you.

And keep in mind, that there are many addons out there, which may be insecure or include their own tracking mechanisms. The less code you run, the better.

allo
  • 3,173
  • 11
  • 24