New Projects - Fresh from the Labs

Tor Browser Bundle—Tor Goes Portable (https://www.torproject.org/projects/torbrowser.html.en)

I've never covered a subproject of something I've reviewed before, but I noticed this a few weeks ago when trawling the Tor site (I've no idea how I missed it until now). It seemed so important that I instantly gave it top billing for this month's column.

Tor has become increasingly famous/infamous in the past few months due to its use by Web sites like WikiLeaks, as well as its crucial role in getting information out to the world during the recent Egyptian revolution.

For those unfamiliar with Tor, LJ has covered it before—see Kyle Rankin's article “Browse the Web without a Trace” in the January 2008 issue and my New Projects column in the April 2010 issue. But to recap, the Tor Web site sums it up nicely:

The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites that are blocked.

However, in standard form, Tor is a rather cumbersome beast, with all sorts of background process dæmons, complex configuration files, startup services and so on. Even if you're a pretty advanced user, there's still a good chance of something going wrong somewhere, delaying your chance to jump on-line securely. This is where the Tor Browser Bundle comes to the rescue:

The Tor Browser Bundle lets you use Tor on Windows, Mac OS X or Linux without needing to install any software. It can run off a USB Flash drive, comes with a pre-configured Web browser and is self-contained. The Tor IM Browser Bundle additionally allows instant messaging and chat over Tor.

Before I continue, the Web site offers a caveat that LJ readers probably will find more important than most: “Note that the Firefox in our bundles is modified from the default Firefox; we're currently working with Mozilla to see if they want us to change the name to make this clearer”.

Extending your options greatly, the Vidalia Control Panel is a great tool when using Tor.

If you get this message in big green letters, Tor's running fine!

The default no-script settings can send some Web sites haywire!

Installation

Although the bundle was designed to run on a Flash drive, that needn't be the case. Like many others, I simply saved this to hard drive and ran it from there. Feel free to do the same if you're so inclined.

As for installing the bundle (well, sort of), the Tor people were good enough to offer the following instructions, saving me a lot of trouble:

Download the architecture-appropriate file above, save it somewhere, then run: tar -xvzf tor-browser-gnu-linux--dev-LANG.tar.gz (where LANG is the language listed in the filename), and either double-click on the directory or cd into it, then execute the start-tor-browser script. This launches Vidalia, and once that connects to Tor, it launches Firefox.

Usage

Before continuing, this bundle is designed to run on machines that don't have Tor installed. If you do have Tor installed and running, stop the process and then you can carry on.

Now, with the Browser Bundle running, first the Vidalia control panel will start, which is designed to establish a Tor connection as well as manage various Tor options using a GUI front end. I recommend exploring the Vidalia control panel, as it has neat features, such as bandwidth monitoring, network viewer, settings dialog and more.

Provided all has gone well, Firefox should start and will try to load a Web page. This Web page takes a while to load—don't worry; the Tor network is pretty slow at the best of times, and if everything worked, you'll soon have a message that says in big green letters: “Congratulations. Your browser is configured to use Tor.”

From here, you can browse like you would any other day, but the uninitiated may be in for a shock. Most modern Web sites have fancy scripts and Flash objects, and these very features are what causes the greatest security holes. Hence, Tor's browser disables these scripts by default. Chances are that the only Web sites that will work without hassle are deliberately minimalist in their design.

However, don't worry. If you look at the screen's bottom right, you'll see an icon with a blue S. Click on that icon, and you can choose either to enable scripts for this particular Web site or enable scripts globally (not recommended for the security reasons just mentioned).

Those willing to take the risk can choose new default settings for security in the preferences, available under Edit→Preferences. Given the nature of this project, the default settings are understandably set for paranoia. If you're undertaking work that involves a serious security risk, be very careful with what you enable or disable. If you're unsure of the risk you're taking, perhaps a more secure, minimalist and less-script-reliant Web service would be a better choice for your activities (assuming an alternative is available, of course).

Something I couldn't get working under the Linux version was Flash in general. My older brother said he used Tor to watch some overseas TV shows not available in Australia and inaccessible to those with IP addresses external to a certain country. He was using the Windows version of Tor, and I'm guessing that he would've used the Browser Bundle, instead of setting up a machine with Tor permanently installed. The content he was viewing was Flash-based, so he must have been able to enable it for such a session.

I realize that Flash presents a security risk, but many people will want to use the Tor Browser Bundle for something as trivial as watching international TV shows—not really the sort of thing that will have the authorities kicking down your front door. If any readers out there know how to get Flash running with the Linux bundle, feel free to drop me an e-mail. I'd love to hear from you!

Moving back onto more serious topics, in journalism in particular, projects such as Tor will become increasingly indispensable in moving information beyond borders and protecting user privacy against prying eyes. When I last tried Tor, it gave me a headache and was far from intuitive in its use. However, a clever little bundle such as this gives Tor's power of anonymity to those with average PC skills, and regardless of its use, that's an important thing.

______________________

John Knight is the New Projects columnist for Linux Journal.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix