Do not use tor with browsers other than tor browser

[Alex Vong]

Hello everyone,

I've seen recommendations on this list of using tor with browsers other
than tor browser,
e.g. <https://lists.gnu.org/archive/html/help-guix/2019-04/msg00063.html>,
<https://lists.gnu.org/archive/html/help-guix/2019-05/msg00024.html> and
<https://lists.gnu.org/archive/html/help-guix/2019-05/msg00046.html>.

It is a really bad idea, the tor project faq recommends against it:
<https://www.torproject.org/docs/faq.html.en#TBBOtherBrowser>.

The reason is as followed: Tor allows you to browse the internet
anonymously. It works by making users using the same version of tor
browser indistinguishable (i.e. in the same anonymity set[0]). This only
works if all the browsers have the same fingerprint. Using browsers
other than tor browser makes you distinguishable from that anonymity
set.

Another reason is that modern browsers allows loads of way for
fingerprinting: user agent string, screen resolution, canvas
fingerprinting, webgl fingerprinting...

This page:
<https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb-fingerprinting>
should give you an idea how many fingerprinting issues exist in modern
browsers.

This page:
<https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs>
shows bugs specific to chromium-based browsers.

My recommendation for now is to download tor browser from the tor
project website. AFAIK, tor browser for GNU/Linux are built with free
software only. In the future, we may want to build it ourselves, but of
course we need to be careful not to introduce fingerprinting bugs.

[0]: https://privacypatterns.org/patterns/Anonymity-set

Thanks,
Alex

signature.asc
Description: PGP signature