DON’T USE MICROSOFT INTERNET EXPLORER AS YOUR BROWSER! IT IS FULL OF SECURITY HOLES THAT THE REGIME CAN USE TO TRACK YOU.
Download the Firefox browser and follow these directions, provided by our friends at the Tactical Technology Collective:
Every computer on the internet has or shares an IP address. These addresses aren’t the same thing as a physical address, but they can lead a smart system administrator to your physical address. In particular, if you work for an ISP, you can often associate an IP address with the phone number that requested that IP at a specific time. So before we do anything anonymous on the Internet, we need to disguise our IP.
What to do if you want to blog from your home or work machine:
Internet Explorer has some egregious security holes that can compromise your online security. These holes tend to go unpatched for longer on IE than on other browsers. (Don’t believe me? Ask Bruce Schneier.) It’s the browser most vulnerable to spyware you might inadvertently download from a website. And many of the privacy tools being released are being written specifically to work with Firefox, including Torbutton, which we’ll be using in a future step.
Download the program from the Tor site. If access to Tor main website is blocked in your country, there are afew mirrors of it in other places where it can also be downloaded from. You can also go to Google cache for viewing the mirrors page by googlng for “site:torproject.org mirrors”. Pick the “latest stable release” for your platform and download it onto your desktop. Follow the instructions that are linked to the right of the release you downloaded. You’ll install two software packages and need to make some changes to the settings within your new installation of Firefox.
In case your internet connection blocks access to the Tor website, you can request a bundle by sending an email to the “gettor” robot at gettor [AT] torproject [DOT] org. Remember that the emails to email@example.com has to come from Gmail, otherwise they won’t get a response. Select one of the following package names and put the package name anywhere in the body of your email:
- tor-im-browser bundle
- tor-browser bundle
Shortly after sending your email, you will receive an email from “Gettor” robot with the requested software as a zip file. Unzip the package and verify the signature.
Tor is a very sophisticated network of proxy servers. Proxy servers request a web page on your behalf, which means that the web server doesn’t see the IP address of the computer requesting the webpage. When you access Tor, you’re using three different proxy servers to retrieve each webpage. The pages are encrypted in transit between servers, and even if one or two of the servers in the chain were compromised, it would be very difficult to see what webapge you were retrieving or posting to.
Tor installs another piece of software, Privoxy, which increases the security settings on your browser, blocking cookies and other pieces of tracking software. Conveniently, it also blocks many ads you encounter on webpages.
c) Install Torbutton. Read about it and install it, following the instructions on the installation page. You’ll need to be using Firefox to install it easily – from Firefox, it will simply ask you for permission to install itself from the page mentioned above.
Turning on Tor by hand means remembering to change your browser preferences to use a proxy server. This is a muiltistep process, which people sometimes forget to do. Torbutton makes the process a single mouse click and reminds you whether you’re using Tor or not, which can be very helpful.
You may find that Tor slows down your web use – this is a result of the fact that Tor requests are routed through three proxies before reaching the webserver. Some folks – me included – use Tor only in situations where it’s important to disguise identity and turn it off otherwise – Torbutton makes this very easy.
Turn Tor on in Firefox and test it out
With Tor turned on, visit https://check.torproject.org/. After clicking, if you get this message telling you, “Congratulations. You are using Tor. please refer to the Tor website for further information about using Tor safely.”, then you’ve got everything installed correctly and you’re ready for the next step.
Otherwise you will get this message telling you “Sorry. You are not using Tor. If you are attempting to use a Tor client, please refer to the Tor website and specifically the instructions for configuring your Tor client.”
It’s always a good idea to see whether the software you’ve installed works, especially when it’s doing something as important as Tor is. The page you’re accessing is checking to see what IP address your request is coming from. If it’s from a known Tor node, Tor is working correctly and your IP is disguised – if not, something’s wrong and you should try to figure out why Tor isn’t working correctly.
What if Tor never connects?
If you have problems connecting to the Tor network you should read the FAQ about problems with running Torproperly. In case your internet connection blocks access to the Tor network and in case the Vidalia onion icon in the system tray is always yellow, you may consider using bridge relays. This would be the next logical step to get you connected to the Tor network.
“Bridge relays (or “bridges” for short) are Tor replays that aren’t listed in the main Tor directory. Since there is no complete public list of them, even if your ISP is filtering connections to all the known Tor replays, they probably won’t be able to block all the bridges. If you suspect your access to the Tor network is being blocked, yo umay want to use the bridge feature of Tor.”
You can get bridged by sending an email, from a gmail account, containing “get bridges” in the body of the email to the following email address firstname.lastname@example.org. After this, you will receive an automatic message with the bridges. It is also possible to acquire bridges from the following url: https://bridges.torproject.org/
Open Vidalia’s control panel, go to settings > network and click “My ISP blocks connections to the Tor network”. Add each bridge address one at a time by pasting it into the “Add a Bridge” window and then clicking the “+” sign.
Then, generate a new email account (the regime probably has your existing one). Here’s how:
Most web services – including blog hosting services – require an email address so that they communicate with their users. For our purposes, this email address can’t connect to any personally identifiable information, including the IP address we used to sign up for the service. This means we need a new account which we sign up for using Tor, and we need to ensure that none of the data we use – name, address, etc. – can be linked to us. You should NOT use an existing email account – it’s very likely that you signed up for the account from an undisguised IP, and most webmail providers store the IP address you signed up under.
a) Choose a webmail provider – we recommend Riseup.net and Gmail, but as long as you’re using Tor, you could use Yahoo or Hotmail as well. Also, you can easily register a free and quick webmail account with fastmail.fm.
Webmail is the best way to create a “disposeable” email address, one you can use to sign up for services and otherwise ignore. But a lot of users also use webmail as their main email as well. If you do this, it’s important to understand some of the strengths and weaknesses of different mail providers.
Hotmail and Yahoo mail both have a “security feature” that makes privacy advocates very unhappy. Both include the IP address of the computer used to send any email. This isn’t relavent when you’re accessing those services through Tor, since the IP address will be a Tor IP address, rather than your IP address. Also, Hotmail and Yahoo don’t offer secure HTTP (https) interfaces to webmail – again, this doesn’t matter so long as you use Tor every time you use these mail services. But many users will want to check their mail in circumstances where they don’t have Tor installed – for your main webmail account, it’s worth choosing a provider that has an https interface to mail.
Riseup.net provides webmail with a very high degree of security. They support PGP encryption (Pretty Good Privacy) – which is very useful if you correspond with people who also use PGP. You can sign up for a free account at www.riseup.net and ask your correspondents (recipients) to register a free account as well.
Gmail, while it doesn’t advertise itself as a secure mail service, has some nice security features built in. If you visit this special URL, your entire session with Gmail will be encrypted via https. (I recommend bookmarking thatURL and using it for all your Gmail sessions.) Gmail doesn’t include the originating IP in mail headers, and you can add PGP support to Gmail by using the FireGPG, a Firefox extension that adds strong crypto to Gmail.FireGPG brings an interface to encrypt, decrypt, sign or verify the signature of text in any web page using GnuPG.
A warning on all webmail accounts – you’re trusting the company that runs the service with all your email. If that company gets hacked, or if they are pressured by other governments to reveal information, they’ve got access to the text of all the mails you’ve received and sent. The only way around this is to write your mails in a text editor, encrypt them on your own machine using PGP and send them to someone also using PGP. This is way beyond the level of secrecy most of us want and need, but it’s important to remember that you’re trusting a company that might or might not have your best interests at heart. Yahoo, in particular, has a nasty habit of turning over information to the Chinese government - Chinese dissidents are now suing the company for illegal release of their data. Just something to think about when you decide who to trust…
b) Turn Tor on in your browser, or start XeroBank. Visit the mail site of your choice and sign up for a new account. Don’t use any personally identifiable information – consider becoming a boringly named individual in a country with a lot of web users, like the US or the UK. Set a good, strong password (at least eight characters, include at least one number or special character) for the account and choose a username similar to what you’re going to name your blog.
c) Make sure you’re able to log onto the mail service and send mail while Tor is enabled. It is most likely that Tor changes its circuit every 10 minutes and this could disrupt your webmail operations, so you should consider limiting the process of writing a new email to 10 minutes.