Go Online Without Getting Snooped: Tor (The Onion Router)





Introduction: Go Online Without Getting Snooped: Tor (The Onion Router)

When you go online, you leave tracks all over the place. You could be hanging out with friends on IM, checking out websites, or downloading music. If you live in a country where snoops are prying into what ordinary citizens do online (lke, um, the US) you want a way to cover those tracks.

If you're in school, though, then it's even worse. No matter what country you're in, chances are that your access to the internets is as snooped-on as any police state in the world.

So, how do we escape our little virtual prisons? In this Instructable, I'll tell you about something called Tor (The Onion Router.) I'll tell you how it works, and then offer some simple instructions on how to get your web browser hooked up. No more getting snooped!

Step 1: How Tor Works

An "onion router" is an Internet site that takes requests for web-pages and passes them onto other onion routers, and on to other onion routers, until one of them finally decides to fetch the page and pass it back through the layers of the onion until it reaches you. The traffic to the onion-routers is encrypted, which means that the school can’t see what you’re asking for, and the layers of the onion don’t know who they’re working for. There are millions of nodes—the program was set up by the US Office of Naval Research to help their people get around the censorware in countries like Syria and China, which means that it’s perfectly designed for operating in the confines of an average American high-school.

Tor works because the school has a finite blacklist of naughty addresses we aren’t to visit, and the addresses of the nodes change all the time—no way could the school keep track of them all.

There's a more complete overview, here, but let's get on to installing Tor.

Step 2: Install Tor

Tor is pretty easy to install. You can leave most of the defaults as-is. First, go to the download page to get the latest version of Vidalia (which bundles Tor and a few other good privacy apps.) Get the right one for your operating system. Then follow the instructions to install it. The "Install and Configure" guides next to every package on that page are really helpful.

A screenshot of the installed Vidalia app on OS X is below. The window shows that Tor is up and running, ready protect me!

Next, we have to set up the internet program I use the most: my web browser.

Step 3: Set Up Your Web Browser With Tor

... and when I say "web browser," I mean "Firefox." Cuz what else would you use?

Setting up TOR with Firefox is also really easy, since there's a ready-made add-on for Firefox: Torbutton. Just go to this link to download the add-on, install it, and restart Firefox to get it running.

When it's installed right, you'll see a link at the bottom right of your browser window, reading "Tor Disabled." Just click that and it will switch to "Tor Enabled." A series of screenshots are below to help you out.

Once it's running, you're protected! All of your data will be running from computer to computer and switching paths, hiding your location. Web pages will load a little more slowly because of this, but when you need to get online safely, that's a small price to pay.

BTW, when I say you're protected, I mean that you're mostly protected. Read on; my last step talks about other things you can do to improve your security even more.

Step 4: Now, Be Careful

Having Tor up and running won't help if you slip up.

The first thing to do is to remember always to enable Tor when you're online. Maybe you want to maintain a profile on a site somewhere (like Instructables!) that no one can trace to you. If you forget and log in just once without Tor enabled, your real location will be recorded in the logs. So, be careful!

Second, you can start Tor-ifying your other internet apps: IM clients, email, etc. There's more information about this here on the Tor wiki.

Computer security is a constant arms race. There are smart people all over the world (criminals, government snoops, not to mention ADULTS at your school) who are always trying to see what you're up to or block where you want to go. No security is perfect, and they'll find ways to chip away at your defenses.

Good luck, out there.



    • Epilog Challenge 9

      Epilog Challenge 9
    • Paper Contest 2018

      Paper Contest 2018
    • Science of Cooking

      Science of Cooking

    We have a be nice policy.
    Please be positive and constructive.




    I'm sorry - this is a nice article but I strongly advise against anyone considering doing this. - Using TOR is not as secure as a lot of people think:

    The TOR network works by channeling your data through a chain of highly encrypted SSH proxy tunnels, a so called "proxy chain".

    If you visit, for example, this link: http://www.google.com/search?hl=en&q=paris+hilton, your request will be encrypted and tunnelled to another TOR user, then another, then another and so on. Your data could be passed around 20 times. The other TOR users cannot see the link you typed in (as it is encrypted). This sounds very very secure.

    However, the data has the be decrypted again before google can understand what you searched for. In order to do this, the last TOR user in a proxy chain is called an "exit node". The exit node decrypts the data, contacts google for your results, encrypts the results and sends them back through the chain to you.

    Sound secure so far? Well, actually, it does.

    But what happens if the exit node runs a packet sniffer (like Wireshark) on their computer to monitor outgoing network connections? The url you typed in appears in plain text on their screen. They don't know who you are, but they saw what you did.

    I hear you ask; "So what? - I don't care if a random Ukranian sees that I searched for 'Paris Hilton'." True. Most random Ukranians won't care at all if you searched for Paris Hilton. In fact, they may enjoy calling up the same link you searched for. But what about if you had been reading your hotmail email instead? - They get to see what you typed and to who you sent it.

    The problem gets even worse if you start channeling E-Mail and Instant messenger programs through TOR. The POP3 E-Mail protocol sends usernames and passwords in PLAIN TEXT to the mail server. This means, that an exit node could sniff outgoing traffic and steal your email account. - They could then probably go to Paypal.com and request that your password be sent to your registered email address. The would then steal your Paypal information directly from your email account. - Is it sounding very secure now? Bye bye money.

    But that isn't all... Some exit nodes act as bridges between you and the website you want to access, altering the data before it is send back to you. e.g. They could change all references to the name, "Paris Hilton" into "Bill Gates". - All of a sudden, you aren't looking at the innocent pictures you intended.

    Even worse: It is possible for exit nodes to dynamically swap out SSL certificates of secure websites. If you called up https://www.myreallysecurebank.com over TOR, you might be sent back an SSL certificate which doesn't actually belong to your bank. - This would mean that your login details for your online banking are also visible to the exit node. - Bye bye money, again.

    Sorry to rant on, but this should really be known before anyone tries to use the TOR network.

    I am not saying TOR is bad - but don't ever consider sending anything personal over it or you might end up with less security than you bargained for.


    Dave from Germany.

    Hi Dave,

    I am a random Ukrainian (in US) but I will snoop your packets, no doubt, no doubt at all.

    TOR users - you have been warned.

    Random Ukrainian - Thorax Impailor

    Unless you run an exit node have fun looking at pages of encrypted text and webpages.

    Thanks a lot for sharing this. it clear my concepts about overall flow of Onion Router.
    it was nice article.

    Another thing; some school security filters are programmed to detect proxy servers, and content, not specific sites

    Tor is used in war zones and countries were people aren't allowed to share their ideas or think for themselves. I'm sure those situations have filters design a lot better than those put in place by your schools system admins. If the connection is in fact blocked tor has an option for networks were tor would be blocked.

    I get what you are trying to say but for things non email and IM would it be safe to use?

    Please explain in simpler terms, I'm afraid I don't understand.

    the last computer it goes through is the one that decrypts it, and therefore can see in plain text what it is you put in i.e. google search, personnel information

    Tor doesn't claim to solve all your Internet security problems.

    It does protect you against determination of your location by the Internet sites you visit, and against traffic analysis -- inspection of your destinations by a person looking at your computer's link. It can get your communications through a hostile filter or firewall, because it encrypts the links from your computer to the Tor entry node, and at all points between there and the exit (3 hops, if you haven't changed configuration).

    If you want to communicate securely, you should still use encryption direct to your destination (https), and you should heed browser warnings if the SSL security certificates don't match.