How NOT to Use Tor
Tor is a powerful tool for online anonymity, but using it incorrectly can compromise your privacy and security. Below are common mistakes users make with Tor and how to avoid them.
Avoid Visiting Your Own Website Anonymously
Curious about how your website looks when accessed anonymously? It’s best to avoid visiting personal sites tied to your real name or pseudonym, especially if you’ve ever accessed them without Tor or from your real IP address. Very few people visit your personal site via Tor, so you could be the only unique Tor client doing so. This behavior can leak your anonymity, as exit nodes may easily deduce that the visitor is the site owner. From that point, it’s reasonable to assume that subsequent connections from that exit node also come from your computer.
Don’t Log Into Social Media Accounts and Assume You’re Anonymous
Never log into your personal Facebook or other social media accounts through Tor. Even if you use a pseudonym, your account is likely linked to friends who know you. Social networks can make educated guesses about your real identity. No anonymity system is perfect. While anonymity software can hide your IP and location, platforms like Facebook already know your friends, private messages, and more. This data is stored on their servers and can’t be erased by any software—only the platforms themselves or hackers can remove it.
Logging into social media accounts via Tor only protects your location, not your identity. Many users misunderstand this:
Mike, will I be completely anonymous if I log into my Facebook account? I’m using Firefox 3.6 with Tor and NoScript on Windows 7. Thanks.
Never Log Into Accounts You’ve Used Without Tor
Always assume that every visit is logged by the server, including:
- Client IP address/location
- Date and time of request
- Specific page addresses requested
- HTTP code
- Amount of data transferred
- Browser user agent
- Referrer site
Your ISP may also log your online time, IP address, sites visited, and data transferred. Unless traffic is encrypted, your ISP can see exactly what you do online. Even a single login to an account without Tor can permanently link that account to your real identity, so a one-time mistake is often fatal to anonymity.
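To make the "one login without Tor is enough" point concrete, here is an added example (not part of the original article) that parses constructed access-log lines in the Combined Log Format, which records exactly the fields listed above, and flags accounts seen from both a Tor exit and a non-Tor address. The Tor exit set and the log lines are constructed placeholders; a site operator would load the Tor Project's bulk exit list instead.

```python
import re
from collections import defaultdict

# Combined Log Format: host ident authuser [time] "request" status bytes "referer" "user-agent"
# These fields are the items the article lists as logged on every visit.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed placeholder for the Tor exit list (a real check would load the
# Tor Project's bulk exit list); 198.51.100.0/24 is documentation address space.
TOR_EXITS = {"198.51.100.7", "198.51.100.23"}

# Constructed sample log: "alice" logged in once without Tor (203.0.113.45) and
# then used Tor; "bob" only ever appears from a Tor exit.
SAMPLE_LOG = """\
203.0.113.45 - alice [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"
198.51.100.7 - alice [11/Oct/2023:09:12:01 +0000] "GET /inbox HTTP/1.1" 200 4821 "-" "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"
198.51.100.23 - bob [11/Oct/2023:09:14:44 +0000] "GET /inbox HTTP/1.1" 200 1204 "https://example.org/" "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"
198.51.100.7 - - [11/Oct/2023:09:15:10 +0000] "GET /about HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0"
"""


def parse_log(text):
    """Yield one dict per well-formed line that carries an authenticated account."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("user") != "-":
            yield m.groupdict()


def linkable_accounts(text, tor_exits):
    """Map each account seen from BOTH a Tor exit and a non-Tor address to its non-Tor IPs.

    One such pair is all the log holder needs to tie the pseudonym to a real
    address, which is why a single non-Tor login is a permanent link.
    """
    seen = defaultdict(lambda: {"tor": set(), "clear": set()})
    for rec in parse_log(text):
        bucket = "tor" if rec["ip"] in tor_exits else "clear"
        seen[rec["user"]][bucket].add(rec["ip"])
    return {u: sorted(b["clear"]) for u, b in seen.items() if b["tor"] and b["clear"]}


if __name__ == "__main__":
    for user, ips in linkable_accounts(SAMPLE_LOG, TOR_EXITS).items():
        print(f"{user}: Tor sessions linkable to non-Tor address(es) {', '.join(ips)}")
```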
Don’t Use Tor for Online Banking or Payment Systems Without Understanding the Risks
Logging into online banking, PayPal, eBay, or other financial accounts registered to your name via Tor is not recommended. Financial systems may freeze your account due to “suspicious activity” because hackers sometimes use Tor for fraud. Using Tor with financial accounts is not truly anonymous; it only hides your IP or helps bypass provider blocks. If your account is frozen, you may need to contact support to restore access. Be aware that using Tor for banking can lead to temporary or permanent account blocks.
Don’t Alternate Between Tor and Open Wi-Fi
Some users mistakenly believe open Wi-Fi is a faster, safer alternative to Tor because the IP can’t be linked to their real name. However, open Wi-Fi still reveals your city or neighborhood, and router owners may log MAC addresses and user activity. This narrows down the pool of suspects and reduces your anonymity. Always use as much protection as possible.
Avoid “Tor over Tor” Scenarios
This issue is specific to services like Whonix. Running Tor sessions both on the client and on a transparent proxy creates a “Tor over Tor” scenario, which is unsafe. In theory, traffic passes through six nodes instead of three, but there’s no guarantee the extra nodes are different. The Tor Project advises against longer paths, as they increase network load without improving security and may even harm anonymity.
Don’t Send Sensitive Data Without End-to-End Encryption
Tor exit nodes can read unencrypted traffic and attempt man-in-the-middle (MitM) attacks, even against connections intended to use HTTPS. End-to-end encryption is the only way to ensure your confidential data isn’t intercepted by hostile third parties.
Don’t Reveal Identifying Information Online
De-anonymization can occur through social means, not just technical ones. To protect yourself:
- Don’t include personal info or interests in usernames.
- Avoid discussing personal details like location, age, or family status.
- Don’t mention gender, tattoos, piercings, or physical traits.
- Don’t discuss your job, hobbies, or activist groups.
- Avoid using keyboard symbols unique to your language.
- Don’t post in the clearnet while being anonymous.
- Avoid social networks like Twitter and Facebook.
- Don’t share Facebook image links; filenames may contain your personal ID.
- Vary the times you visit sites.
- Remember that IRC, chats, forums, and mailing lists are public spaces.
- Never discuss anything personal, even in secure, anonymous groups—one informant can compromise everyone.
If you must reveal identifying data, treat it as confidential information.
Use Bridges if Tor Is Dangerous or Suspicious in Your Area
Bridges can help, but they’re not a perfect solution. They may not fully protect against advanced adversaries capable of identifying Tor users.
Don’t Use the Same Digital Identity for Too Long
The longer you use the same pseudonym, the higher the risk of making a mistake that reveals your identity. Once compromised, all past activity under that pseudonym can be traced. Regularly create new digital identities and retire old ones.
Don’t Use Multiple Digital Identities Simultaneously
Using different pseudonyms in the same session can lead to mistakes and leaks. Tor may reuse circuits within the same browsing session, potentially linking your identities. Whonix can’t magically separate digital identities by context.
Don’t Stay Logged Into Accounts Longer Than Necessary
Minimize the time you’re logged into Twitter, Facebook, Google, or other accounts. Log out immediately after finishing your tasks. For extra safety, close Tor Browser, change the Tor circuit using Tor Controller, wait 10 seconds, and restart Tor Browser. Consider using multiple virtual machines or Whonix-Workstations for better separation.
Many websites include social media widgets (e.g., Facebook Like, Twitter Tweet). These third-party services are present on a large percentage of popular sites and can track your online behavior, building detailed user profiles that may include sensitive information.
Don’t Mix Anonymity Modes
There are different anonymity modes:
- Mode 1: Anonymous user; any recipient. Example: anonymous forum posts. Your IP and location are hidden.
- Mode 2: User and recipient know each other; both use Tor. No third party knows about the communication, but the user is not anonymous to the recipient.
- Mode 3: Non-anonymous user uses Tor; any recipient. Example: logging into services with your real name. The site knows your identity, but your IP/location are hidden.
- Mode 4: Non-anonymous user; any recipient. Example: regular browsing without Tor. Both your identity and location are exposed.
Don’t mix modes in the same session, as this can link your identities and leak personal information.
Don’t Change Settings If You Don’t Understand the Consequences
It’s usually safe to change interface settings for offline apps, but be cautious with any settings that affect networked applications. Always consult documentation before making changes. For example, changing the Tor Browser’s interface can alter your browser fingerprint and reduce anonymity. Only change network settings if you fully understand the impact.
Don’t Use the Clearnet and Tor Simultaneously
Using a regular browser and Tor Browser at the same time increases the risk of mixing them up and de-anonymizing yourself. Simultaneous connections to the same server via anonymous and non-anonymous channels are risky, as services like Google Analytics can correlate your activity. If you must do this, use separate desktops to avoid confusion.
Don’t Connect to the Same Server Anonymously and Non-Anonymously at the Same Time
Making both Tor and non-Tor connections to the same server is highly discouraged. If your internet connection drops, both sessions will disconnect simultaneously, making it easy for an adversary to correlate your real IP with your Tor session. This also enables timing attacks to link your sessions.
Don’t Confuse Anonymity and Pseudonymity
Anonymity means the destination server can’t determine your origin (IP/location) or assign you an identifier. Pseudonymity means the server can’t see your origin but can assign you an identifier (like a username or cookie). Logging into an account makes your session pseudonymous, not anonymous, even if your IP is hidden.
Don’t Be the First to Share Your Own Link
Don’t rush to promote your anonymous project. The more separated your identities, the better. If you must share a link, do so with extreme caution and avoid linking it to your known identities or accounts.
Don’t Open Random Files and Links
Be cautious with files or links sent to you, regardless of format. The sender or their account may be compromised, and the file could be crafted to infect your system. Avoid opening files with standard tools; use online viewers or open them in disposable virtual machines for safety.
Don’t Use Phone Verification
Sites like Google and Facebook may request your phone number when you log in via Tor. Never provide your real number, as it can be logged and linked to your identity. Even anonymous SIM cards can be traced via device serial numbers. If you must verify by phone, use a new phone and SIM far from home, then destroy both after use. Online SMS services may work, but are often blacklisted by major platforms.
Conclusion
Tor can provide strong anonymity, but only if used correctly. Avoid the mistakes above to protect your privacy and security online.