Simply download the Tor Browser [1], which is simply a hardened version of Firefox that connects to the Tor network.
Don't install addons in this browser. Don't resize the browser window. All Tor Browser instances have the same default window size, which prevents websites from tracking you. Obviously don't log in to websites with your regular email or provide websites with your PII.
If you are in a country or on a network that blocks the basic Tor network, the FAQ explains how to get around this by using Tor bridges or other techniques [2].
Also don't use non-HTTPS websites while using Tor, and avoid downloading things on hidden services. Using a clearnet website's hidden service is better than the HTTPS version if available (duckduckgo and reddit offer both, for example), too, although only marginally so.
For a guide that goes into so much detail (as far as suggesting enterprise-grade drives, recommended RAID configurations, etc.), not even a passing mention of Tails or Qubes-Whonix is a really interesting choice (read: discouraging omission)!
You are correct. I was going off my memory. They say [1]:
> To prevent fingerprinting based on screen dimensions, Tor Browser starts with a content window rounded to a multiple of 200px x 100px. The strategy here is to put all users in a couple of buckets to make it harder to single them out.
Moreover, even if you resize your window, the browser tries to protect you
> by adding margins to a browser window so that the window is as close as possible to the desired size while users are still in a couple of screen size buckets that prevent singling them out with the help of screen dimensions.
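To make the bucketing idea in the quoted text concrete, here is an added example (not Tor Browser's own code) that models the rounding-to-a-grid and margin behaviour described above and measures how many users share each observed size. The 200px x 100px step sizes come from the quote; the constructed sample population, the rounding-down rule, and the rejection of windows smaller than one bucket are assumptions of this simplified model.

```python
from collections import Counter

STEP_W, STEP_H = 200, 100  # bucket granularity from the quoted description


def letterbox(width, height):
    """Simplified letterboxing model: the content area is rounded DOWN to the
    bucket grid and the leftover pixels become margins, so a page only ever
    observes a bucketed size. Windows smaller than one bucket are outside
    this model (assumption) and are rejected."""
    if width < STEP_W or height < STEP_H:
        raise ValueError("window smaller than one bucket; not modelled here")
    content_w = width - width % STEP_W
    content_h = height - height % STEP_H
    return content_w, content_h, (width - content_w) // 2, (height - content_h) // 2


def observed_sizes(window_sizes, letterboxing=True):
    """What a site can observe for each user, counted per distinct value."""
    if letterboxing:
        return Counter(letterbox(w, h)[:2] for w, h in window_sizes)
    return Counter(window_sizes)


def smallest_anonymity_set(window_sizes, letterboxing=True):
    """Size of the smallest group sharing an observed value; 1 means at
    least one user is uniquely identifiable by window size alone."""
    return min(observed_sizes(window_sizes, letterboxing).values())


# Constructed sample population: users who kept or slightly resized their
# windows around common sizes, plus one user with an unusual large screen.
SAMPLE = [
    (1366, 768), (1350, 760), (1366, 740), (1300, 720), (1280, 720),
    (1920, 1080), (1900, 1060), (1880, 1040), (1850, 1000),
    (1440, 900), (1425, 910),
    (2560, 1440),
]

if __name__ == "__main__":
    for mode in (False, True):
        counts = observed_sizes(SAMPLE, letterboxing=mode)
        print(f"letterboxing={mode}: {len(counts)} distinct observed sizes, "
              f"smallest anonymity set = {min(counts.values())}")
    print("margins added for a 1366x768 window:", letterbox(1366, 768)[2:])
```

Twelve distinct raw sizes collapse into four buckets, but the user with the unusual 2560x1440 screen still sits alone in a bucket, which is why the quote only promises "a couple of buckets" rather than full indistinguishability.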
They removed OS spoofing just recently, and there isn't a mitigation for Raptor; some think meek might help with Raptor, but it's very much up in the air.
I haven't kept up with the space much since then, so am unaware if there is more recent work.
In any case, there are valid threat models where you want to mitigate website fingerprinting but aren't necessarily concerned with AS-level adversaries.
I've seen that, but I didn't see much of a mitigation, though I'll go back and recheck just to be sure; I was pressed for time the last time I looked at that.
In fairness, most of big tech are AS-level adversaries at this point.
Active attack through BGP-hijacking may be partially mitigated, but this isn't really needed for the most pernicious attacks which are interception/injection from a regional entity that's routing to the broader internet (outbound connections).
The same entities can do early transparent encryption termination for outbound connections (to the general web) since they have their own private signing keys tied to root trust CAs (just not the one the valid cert was issued to), and that lets them collect a treasure trove of forensic artifacts to improve their citizen dossier for advertisers/highest-bidder, or inject content that is ephemeral in nature.
Note this means instead of always sending a Windows user-agent, they send either Windows, Mac, or Linux: one of three user-agents. They don't send more than that, e.g. they don't reveal your Windows version.
It was always trivial to find the real OS behind a Tor Browser user because navigator.platform has never been spoofed by TBB, even when the user-agent was.
You have to explicitly switch to "Safest" mode to turn it off completely.
> Why does Tor Browser ship with JavaScript enabled?
We configure NoScript to allow JavaScript by default in Tor Browser because many websites will not work with JavaScript disabled. Most users would give up on Tor entirely if we disabled JavaScript by default because it would cause so many problems for them. Ultimately, we want to make Tor Browser as secure as possible while also making it usable for the majority of people, so for now, that means leaving JavaScript enabled by default.
You could also imagine a website first using ~15 queries to learn the window width to within 100px, and then providing coarser media queries on the next page load.
Yes, CSS and <picture> etc. can load different resources based on viewport size. Then there are side channels like lazy loading, layout + what you interact with.
That's pretty much all you need to know.
[1] https://www.torproject.org/download/
[2] https://support.torproject.org/censorship/