Tor Browser Bundle-Tor Goes Portable

I've never covered a subproject of something I've reviewed before, but I noticed this a few weeks ago when trawling the Tor site (I've no idea how I missed it until now). It seemed so important that I instantly gave it top billing for this month's column.

Tor has become increasingly famous/infamous in the past few months due to its use by Web sites like WikiLeaks, as well as its crucial role in getting information out to the world during the recent Egyptian revolution.

For those unfamiliar with Tor, LJ has covered it before—see Kyle Rankin's article "Browse the Web without a Trace" in the January 2008 issue and my New Projects column in the April 2010 issue. But to recap, the Tor Web site sums it up nicely:

The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites that are blocked.

However, in standard form, Tor is a rather cumbersome beast, with all sorts of background process dæmons, complex configuration files, startup services and so on. Even if you're a pretty advanced user, there's still a good chance of something going wrong somewhere, delaying your chance to jump on-line securely. This is where the Tor Browser Bundle comes to the rescue:

The Tor Browser Bundle lets you use Tor on Windows, Mac OS X or Linux without needing to install any software. It can run off a USB Flash drive, comes with a pre-configured Web browser and is self-contained. The Tor IM Browser Bundle additionally allows instant messaging and chat over Tor.

Before I continue, the Web site offers a caveat that LJ readers probably will find more important than most: "Note that the Firefox in our bundles is modified from the default Firefox; we're currently working with Mozilla to see if they want us to change the name to make this clearer".

Extending your options greatly, the Vidalia Control Panel is a great tool when using Tor.

If you get this message in big green letters, Tor's running fine!

The default no-script settings can send some Web sites haywire!

Installation

Although the bundle was designed to run on a Flash drive, that needn't be the case. Like many others, I simply saved this to hard drive and ran it from there. Feel free to do the same if you're so inclined.

As for installing the bundle (well, sort of), the Tor people were good enough to offer the following instructions, saving me a lot of trouble:

Download the architecture-appropriate file above, save it somewhere, then run: tar -xvzf tor-browser-gnu-linux--dev-LANG.tar.gz (where LANG is the language listed in the filename), and either double-click on the directory or cd into it, then execute the start-tor-browser script. This launches Vidalia, and once that connects to Tor, it launches Firefox.

Usage

Before continuing, this bundle is designed to run on machines that don't have Tor installed. If you do have Tor installed and running, stop the process and then you can carry on.

Now, with the Browser Bundle running, first the Vidalia control panel will start, which is designed to establish a Tor connection as well as manage various Tor options using a GUI front end. I recommend exploring the Vidalia control panel, as it has neat features, such as bandwidth monitoring, network viewer, settings dialog and more.

Provided all has gone well, Firefox should start and will try to load a Web page. This Web page takes a while to load—don't worry; the Tor network is pretty slow at the best of times, and if everything worked, you'll soon have a message that says in big green letters: "Congratulations. Your browser is configured to use Tor."

From here, you can browse like you would any other day, but the uninitiated may be in for a shock. Most modern Web sites have fancy scripts and Flash objects, and these very features are what causes the greatest security holes. Hence, Tor's browser disables these scripts by default. Chances are that the only Web sites that will work without hassle are deliberately minimalist in their design.

However, don't worry. If you look at the screen's bottom right, you'll see an icon with a blue S. Click on that icon, and you can choose either to enable scripts for this particular Web site or enable scripts globally (not recommended for the security reasons just mentioned).

Those willing to take the risk can choose new default settings for security in the preferences, available under Edit→Preferences. Given the nature of this project, the default settings are understandably set for paranoia. If you're undertaking work that involves a serious security risk, be very careful with what you enable or disable. If you're unsure of the risk you're taking, perhaps a more secure, minimalist and less-script-reliant Web service would be a better choice for your activities (assuming an alternative is available, of course).

Something I couldn't get working under the Linux version was Flash in general. My older brother said he used Tor to watch some overseas TV shows not available in Australia and inaccessible to those with IP addresses external to a certain country. He was using the Windows version of Tor, and I'm guessing that he would've used the Browser Bundle, instead of setting up a machine with Tor permanently installed. The content he was viewing was Flash-based, so he must have been able to enable it for such a session.

I realize that Flash presents a security risk, but many people will want to use the Tor Browser Bundle for something as trivial as watching international TV shows—not really the sort of thing that will have the authorities kicking down your front door. If any readers out there know how to get Flash running with the Linux bundle, feel free to drop me an e-mail. I'd love to hear from you!

Moving back onto more serious topics, in journalism in particular, projects such as Tor will become increasingly indispensable in moving information beyond borders and protecting user privacy against prying eyes. When I last tried Tor, it gave me a headache and was far from intuitive in its use. However, a clever little bundle such as this gives Tor's power of anonymity to those with average PC skills, and regardless of its use, that's an important thing.

Read more: https://www.torproject.org/projects/torbrowser.html.en

______________________

John Knight is the New Projects columnist for Linux Journal.

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Tor FF flash and addons

Anonymous's picture

Instead of enabling flash (and thus disabling Tor's security), install a FF addon such as downloadhelper or netvideohunter. Even though the video will not play, these addons may detect the video and allow you to download it.

Other ideas for the Tor FF: install the following addons (if any of these compromise Tor's security, please say).

Adblock Plus
BetterPrivacy
CookieKiller
Ghostery
QuickJava
Redirect Cleaner

Installation is easy

puertas automaticas's picture

Thanks for the installation introduction, It seems this is not difficult.

What?

Stephen's picture

You know, I always appreciate new product/services reviews. I 've heard about TOR
before, and frankly, what good is it if you can't Flash? While I find it refreshing
for the honesty by John Knight, my question is this. I'd want to get TOR for...??

I believe you can watch

Wellwisher's picture

I believe you can watch YouTube/Flash by enabling the "dynamic contents" in the tor configuration :-) however this is highly not recommended as enabling these / plugins may lead to revealing of your identity.

If you want Flash, you don't

John Knight's picture

If you want Flash, you don't want security (see the reply to my last post). My wanting to use it with Flash entirely compromises it from a security point of view, but would have made a convenient way of getting international streaming sites.

Tor is not for everyday browsing - it's too slow for starters - it's designed for things like sending emails or accessing websites in countries where certain topics or content is politically sensitive and can get you thrown in jail or killed. Think journalists, aid workers, and so on.

John Knight is the New Projects columnist for Linux Journal.

Flash plugin

Anonymous's picture

Try grabbing the flash plugin from an working install of Firefox and copying it to the USB mozilla copy. The bundled browser probably doesn't have the Flash plugin installed to the USB and doesn't know to look for it elsewhere.

First thing I tried (despite

John Knight's picture

First thing I tried (despite the awful effect on security). :( My main reason for trying this combo was simply as a handy way of watching tv shows in foreign countries, where the location check stops you if you're an outsider (Hulu for instance, a lot of BBC content...).

John Knight is the New Projects columnist for Linux Journal.

A little trick

William Armstrong's picture

I also use Tor for viewing iplayer movies. (Think Doctor Who on release day.) I use the browser bundle, but leave flash uninstalled. I also use Tor for other purposes, so don't want to compromise the security. My trick? Tor is setup as a socks5 proxy, so I copy the proxy settings found in the portable firefox version into chrome, and it works wonderfully.
Some caveats. Chrome uses the internet explorer settings in Windows, so these changes affect all programs that use that, re: any Microsoft programs such as WMP. Under Mac, were I use it the most, this is not an issue.
Also, to target specific countries, you must target servers in those countries by editing the torrc file.
I am realizing my solution has not saved me much time, as I now use two separate installs of Tor, one with default security, and one with the changes.

Anyway, hope that helps.

Don't use flash with tor.

Anonymous's picture

Flash is the quickest way to compromise the anonoymity/deniability which tor gives you. Don't use it in the tor browser.

It keeps its own version of cookies, and is likely to subvert the proxy, especially if you don't you haven't modified the underlying computer to block all unproxied traffic.

lets its detect as mobile websites

linuxmalaysia's picture

Just an idea to use firefox plugin thats will change its to be detect as browsing from mobile device and serve mobile minimal design websites thats support it.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix