Comments

4

quandyalaterreux wrote

It says that Searx has multiple instances available, including a Tor Hidden Service. What does that mean, is searx a way to reach the same information as Tor or does it mean that you can use searx through Tor?

It means that some searx instances have a Tor onion site of the form "stuff.onion" that can only be accessed using Tor.

Does using a VPN+Tor increase security at all? I was reading an article that said if you use the VPN to enter Tor it will leave your exit nodes insecure, is this the same as normal Tor or does the added VPN create that vulnerability?

Please read this: https://matt.traudt.xyz/posts/vpn-tor-not-mRikAa4h.html

Browser plugins don't have any effect on Tor, right?

They can mess up your anonymity.

Edit: Since I can't find a straight answer for this online, can I download a pdf off Tor without revealing my IP and all that jazz?

If you're opening the pdf in the Tor Browser, then it's probably safe (I say probably because there's always the possibility of a bug).

1

quandyalaterreux wrote

I admit I haven't done it, but if I were to use a VPN I would rent a virtual server with cheap bandwidth and run the VPN software on it myself. An interested government snoop could track down my data, but they would have to target me personally to do that.

What about the case when your VPS provider snoops on you? (Again this doesn't address the first-party isolation side and even the fingerprinting one)

4

quandyalaterreux wrote

If the point of DuckDuckGo is to remain more private while searching the web, it doesn’t make sense to have your search terms visible to anyone with access to your computer (or your network).

  1. The claim "or your network" is absolutely false as DDG uses HTTPS.

  2. It's not even a problem, just don't record your history, or delete all duckduckgo.com/* urls from your history.

  3. Never use DuckDuckGo nor this "SearchEncrypt"; instead use Tor if you want privacy by design with whatever search engine or website you want.

1

quandyalaterreux wrote (edited)

How much more? Your ISP won't know that you visited gmail but if you are using https then the local ISP would not know your account name anyway. And if you are not using https then the exit node would know your account name and that is a lot less private.

The Tor Browser includes HTTPS Everywhere and in fact gmail is preloaded in the HSTS preload list so HTTPS should be forced. In the first case the ISP will know that you visited gmail, whereas in the second the ISP won't know that - which is a net gain in privacy terms.

1

quandyalaterreux wrote

Surfing yes. Checking e-mail, no. They even talk about this in their docs. If you use an account that is tied to you, you aren't getting the same kind of protection that TOR was designed for.

You can sign up using the Tor Browser with a web email service that allows Tor (such as tutanota.com) and hence your identity won't be tied to that email (unless you leave personally identifiable information; email is unencrypted by default so don't forget about that).

2

quandyalaterreux wrote

For Tor never use it with anything besides the Tor Browser.

For something else, you can include

privacy.resistFingerprinting -> true
privacy.firstparty.isolate -> true

and some others (but not all, ask if you're unsure): https://www.privacytools.io/#about_config

Also there's another one for anti-font fingerprinting but I can't recall its name.

Don't forget to test on https://browserprint.info
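An added example (not part of the comment above, and not code from privacytools.io): a small Python check that reads the text of a Firefox profile's prefs.js and user.js and reports whether the two preferences named in the comment are set to true. The function names are hypothetical and the sample file contents are constructed.

```python
import re

# The two preferences named in the comment above, with the value it recommends.
WANTED = {"privacy.resistFingerprinting": True, "privacy.firstparty.isolate": True}

# One user_pref("name", value); line, as written in prefs.js / user.js.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value} for every user_pref line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)  # commented-out lines (// ...) do not match
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(prefs_js, user_js=""):
    # user.js is applied on top of prefs.js at startup, so it takes precedence.
    effective = parse_prefs(prefs_js)
    effective.update(parse_prefs(user_js))
    report = {}
    for name, want in WANTED.items():
        if name not in effective:
            report[name] = "unset"  # never set in the profile: treat as not enabled
        else:
            report[name] = "ok" if effective[name] == want else "wrong"
    return report

# Constructed sample file contents (not taken from a real profile).
SAMPLE_PREFS_JS = '''
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("privacy.resistFingerprinting", false);
// user_pref("privacy.firstparty.isolate", true);
'''
SAMPLE_USER_JS = 'user_pref("privacy.resistFingerprinting", true);\n'

if __name__ == "__main__":
    for name, status in audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS).items():
        print(f"{status:6} {name}")
```

In the constructed sample, the commented-out line leaves privacy.firstparty.isolate unset, and the user.js entry overrides the false value in prefs.js.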

1

quandyalaterreux wrote

I just learned the hard way that if you try to configure Tor to use a whole bunch of bridges at the same time, it will struggle to connect to the Tor network.

Tor never connects to a lot of bridges at the same time.

Also since Tor 0.3.0.x two bridge lines are required for normal, obfs4 bridges.

Alternatively just use Snowflake since meek will be basically gone as a pluggable transport.