Configuring Tor For Maximum Anonymity | Black Hat HQ

Maximizing Tor's Anonymity


Maximum anonymity in Tor Browser goes well beyond the default settings. Here's a complete hardening guide.


Critical Warning: The Anonymity Paradox


Two things are true simultaneously. Every change you make from Tor Browser defaults creates a more unique fingerprint — if your about:config tweaks differ from thousands of other Tor Browser users, you become a smaller haystack. But many of those same tweaks also reduce attack surface. You must choose between blending in with the Tor Browser crowd and reducing your vulnerability to browser exploits.


For a pentest where your traffic may face active interception or the target runs .onion services with browser exploits: hardening wins over blending. For general darknet research: defaults win.


I'll give you both paths.


Level 1: Built-In Security Slider


This is the only change you should make if blending in is the priority:


  1. Click the shield icon (🔰) in the address bar

  2. Advanced Security Settings

  3. Set to Safest


This changes the following behind the scenes:


  • JavaScript disabled everywhere (including .onion and HTTPS sites)

  • Just-In-Time (JIT) compilers for JavaScript disabled

  • Some font and SVG rendering features disabled (they can fingerprint)

  • Audio/video requires click-to-play


Most .onion sites work at Safest level. The sites that break (captchas, heavy JS SPAs) are often attack surfaces anyway.


Level 2: about:config Hardening (Max Protection)


Type about:config in the address bar. Accept the warning. These are the additional tweaks.


Disable WebGL (fingerprinting vector, GPU driver attack surface)


webgl.disabled                         → true
webgl.enable-webgl2                    → false
pdfjs.enableWebGL                      → false

Disable WebRTC (IP leak vector — Tor Browser already disables this by default, but verify)


media.peerconnection.enabled           → false
media.peerconnection.ice.no_host       → true
media.peerconnection.ice.proxy_only    → true
media.peerconnection.ice.obfuscated    → true

Disable Canvas Extraction (fingerprinting)


canvas.capturestream.enabled           → false

Tor Browser already prompts for canvas fingerprinting access on Safer/Safest, but this hardens further.


Disable Web Audio API (speaker/microphone fingerprinting)


media.webspeech.enabled                → false
media.webspeech.synth.enabled          → false
dom.webaudio.enabled                   → false

Disable Sensors API (accelerometer, gyroscope, ambient light — device fingerprinting)


device.sensors.enabled                 → false
device.sensors.motion.enabled          → false
device.sensors.orientation.enabled     → false
device.sensors.proximity.enabled       → false
device.sensors.ambientLight.enabled    → false

Disable Battery Status API (historical tracking vector)


dom.battery.enabled                    → false

Disable Gamepad API (fingerprinting)


dom.gamepad.enabled                    → false

Disable Web Bluetooth/USB/Serial/NFC (hardware access)


dom.bluetooth.enabled                  → false
dom.usb.enabled                        → false
dom.serial.enabled                     → false
dom.nfc.enabled                        → false

Disable Speech Synthesis/Recognition


media.webspeech.recognition.enable     → false
media.webspeech.recognition.force_enable → false

Disable MIDI API


dom.midi.enabled                       → false

Networking Hardening


network.http.sendRefererHeader         → 0
network.http.referer.XOriginTrimmingPolicy → 2
network.http.referer.XOriginPolicy     → 2
network.http.referer.spoofSource       → true
browser.send_pings                     → false
network.predictor.enabled              → false
network.prefetch-next                  → false
network.dns.disablePrefetch            → true
network.dns.disablePrefetchFromHTTPS   → true

Anti-Download Tracking


browser.download.manager.addToRecentDocs → false

DOM/Clipboard Isolation


dom.event.clipboardevents.enabled      → false
dom.allow_cut_copy                     → false (breaks some UX, high security only)
dom.storage.enabled                    → false (severe — breaks many sites)

Cache Reduction


browser.cache.disk.enable              → false
browser.cache.offline.enable           → false
browser.cache.memory.enable            → false (may cause perf issues)
network.http.use-cache                 → false

Disable Telemetry (should all be off in Tor Browser, verify)


toolkit.telemetry.enabled              → false
datareporting.healthreport.uploadEnabled → false
datareporting.policy.dataSubmissionEnabled → false
browser.newtabpage.activity-stream.feeds.telemetry → false
browser.ping-centre.telemetry           → false

Font Fingerprinting Mitigation


layout.css.font-visibility.level       → 2

Level 2 means only base system fonts are exposed. Level 1 (default in Tor) limits to language-specific fonts. Level 2 is stricter.


Disable Auto-Play Media


media.autoplay.default                 → 5
media.autoplay.ask-permission          → true
media.autoplay.block-webaudio          → true

DOM Rect Fingerprinting (advanced)


privacy.fingerprintingProtection       → true
privacy.fingerprintingProtection.overrides → +AllTargets

Tor Browser already has extensive anti-fingerprinting (letterboxing, etc.), but verifying these are on or maxing them adds protection.


Level 3: Network-Level Hardening


Bridges (Obfuscated)


Bridges hide the fact you're using Tor, not just your destination.


  1. Tor Browser → Settings (hamburger menu) → Connection

  2. Under Bridges: check Use a bridge

  3. Select Request a bridge from torproject.org → solve CAPTCHA → receive obfs4 bridges

  4. Alternatively: select Choose from Tor Browser's built-in bridges → pick obfs4


What this does: Your ISP sees a TLS connection to a random server, not Tor traffic. The bridge relays you into the Tor network. This defeats simple Tor-blocking and hides Tor usage patterns from passive monitoring.


Pluggable Transports Comparison


| Transport | Appearance to ISP | Best For |
| --- | --- | --- |
| obfs4 | Looks like random TLS | General use, most bridges support this |
| meek | Looks like HTTPS to Azure/CDN | When obfs4 is blocked (deep packet inspection) |
| Snowflake | Looks like WebRTC TURN traffic | Volunteer proxies, no central bridge list to block |
| WebTunnel | Looks like normal HTTPS to a website | Newest option, blends into CDN traffic |


If your threat model includes an adversary that actively blocks Tor (corporate network, nation-state firewall), use obfs4 + Snowflake as backup.


Torrc Advanced Config


From the Tor Browser directory, you can edit Browser/TorBrowser/Data/Tor/torrc (or, on Tails, /etc/tor/torrc with the admin password):


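# SOCKS listener used by Tor Browser. IPv6Traffic/PreferIPv6 only control IPv6 handling.
# The isolation flags keep streams from different client addresses and different
# SOCKS credentials on separate circuits (default behavior, but verify).
# They are SocksPort flags; written as standalone options, Tor rejects the config.
SocksPort 9150 IPv6Traffic PreferIPv6 IsolateClientAddr IsolateSOCKSAuth
AutomapHostsOnResolve 1

# Strict nodes — exclude certain countries
# ExcludeNodes {RU},{CN},{IR}   # Uncomment if needed
# StrictNodes 1

# Circuit build timeout: 30 seconds is the starting value, and
# LearnCircuitBuildTimeout 1 lets Tor adapt it to measured build times
LearnCircuitBuildTimeout 1
CircuitBuildTimeout 30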

Stream Isolation on Tails


Tails already isolates different applications to different Tor circuits. In Tor Browser on Tails, every first-party domain gets its own circuit by default (this is standard Tor Browser behavior, not Tails-specific).


To verify: visit two different .onion URLs, click the padlock → Connection → you'll see different circuits.


Level 4: Operational OPSEC (More Impactful Than Config Tweaks)


Browser settings mean nothing if you violate these:


The Tabs Rule


Never open a .onion and a clearnet site in the same Tor Browser session. Memory leaks, timing correlations, and browser cache can link the two activities. If you must switch contexts:


  1. New Identity: Padlock → New Identity — this restarts Tor Browser, clears all state, and starts fresh circuits. Use it.

  2. Alternatively, use separate Tails sessions — reboot between different research activities.


The Download Rule


Files downloaded through Tor Browser can deanonymize you when opened outside Tor:


  • PDFs: can make outbound HTTP requests, phone home, or contain tracking pixels. Open in a dedicated offline air-gapped environment or not at all.

  • Office documents: Word/Excel/LibreOffice files can contain embedded content that fetches external resources

  • Video/audio: metadata tags, cover art URLs, track listings


Safe handling:


  1. Download through Tor Browser → save to Tails persistent storage

  2. Disconnect networking entirely (Tails Greeter → Offline Mode)

  3. Reboot into offline session

  4. Open/view documents

Or transfer to an air-gapped analysis VM via USB (clean USB, not the Tails drive).


The Metadata Rule


Never upload files from Tor that were created outside Tor:


  • JPEGs from your phone contain EXIF GPS coordinates

  • Screenshots from your host OS contain display configuration metadata

  • Documents contain author names, edit timestamps, and revision tracking


Clean metadata before uploading:


bash

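# Strip EXIF from images
# (-overwrite_original avoids leaving image.jpg_original behind with the metadata intact)
exiftool -all= -overwrite_original image.jpg

# Or with ImageMagick (re-encode, more thorough)
convert input.jpg -strip output.jpg

# PDF metadata: exiftool's PDF edits are reversible (the old data stays in the file),
# so rewrite the file with qpdf afterwards to discard it
exiftool -all:all= -overwrite_original document.pdf
qpdf --linearize document.pdf cleaned.pdf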

# Check what metadata remains
exiftool -a -u file.jpg
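To check what remains without relying on one tool's report, this added example (not part of the original guide) walks a JPEG's segment headers, lists the metadata-bearing segments, and removes them without re-encoding. The function names, the policy of keeping APP0/APP2/APP14, and the sample bytes are assumptions constructed for illustration.

```python
import struct

# Payload signatures that identify metadata inside APP1 / APP13 segments.
SIGNATURES = {0xE1: [(b"Exif\x00\x00", "EXIF"), (b"http://ns.adobe.com/xap/1.0/\x00", "XMP")],
              0xED: [(b"Photoshop 3.0\x00", "IPTC/Photoshop")]}
# Assumed policy: keep JFIF (APP0), ICC profile (APP2) and Adobe (APP14) for rendering.
KEEP_APP = (0xE0, 0xE2, 0xEE)

def segments(data):
    """Yield (offset, marker, payload) for every segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data) and data[pos:pos + 2] != b"\xff\xda":  # stop at SOS
        marker, length = data[pos + 1], struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if data[pos] != 0xFF or length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"malformed segment at offset {pos}")
        yield pos, marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def classify(marker, payload):
    """Return a label when the segment carries metadata, otherwise None."""
    if marker == 0xFE:
        return "COM (comment)"
    for signature, label in SIGNATURES.get(marker, []):
        if payload.startswith(signature):
            return label
    if 0xE0 <= marker <= 0xEF and marker not in KEEP_APP:
        return f"APP{marker - 0xE0} (unrecognised application data)"
    return None

def remaining_metadata(data):
    return [(off, label) for off, m, p in segments(data) if (label := classify(m, p))]

def strip_metadata(data):
    """Drop metadata segments without re-encoding; scan data is copied untouched."""
    out, tail = bytearray(b"\xff\xd8"), 2
    for off, m, p in segments(data):
        tail = off + 4 + len(p)
        if classify(m, p) is None:
            out += data[off:tail]
    return bytes(out) + data[tail:]

def seg(marker, payload):  # builds one segment for the constructed sample below
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample (not a decodable image): JFIF, EXIF, comment, DQT, then scan data.
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00" + bytes(9)) + seg(0xE1, b"Exif\x00\x00gps")
          + seg(0xFE, b"made on host-pc") + seg(0xDB, bytes(65)) + b"\xff\xda\x00\x02scan\xff\xd9")
```

Run remaining_metadata() on the bytes of a file after stripping; an empty list means no EXIF, XMP, IPTC, comment or unrecognised APPn segment is left in the header.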

The Identity Rule


Never:


  • Log into any account you've ever accessed outside Tor (Google, GitHub, client portal, anything)

  • Mention your real name, location, or organization

  • Use language patterns, writing style, or references that could be linked to your clearnet persona

  • Reuse passwords or usernames from real accounts when creating research accounts

  • Open the same .onion from different Tor sessions with persistent storage IDs that could link sessions


The Time Correlation Rule


If you access a .onion at 2:14 PM on Tuesday from Tor, and then something anomalous happens on the clearnet side of your target at 2:14 PM on Tuesday, those events are correlated regardless of Tor.


Consider:


  • Schedule automated monitoring at randomized intervals

  • Add realistic delays and jitter to any research-triggered actions

  • Understand that Tor hides who, not when


Level 5: Beyond Tor Browser - Whonix Instead of Tails


For maximum anonymity where you need persistence (can't reboot for every session):

Whonix runs Tor in a separate VM that acts as a gateway:


[Workstation VM] → (internal network) → [Tor Gateway VM] → Tor → Internet

The Workstation has zero knowledge of its real IP. It can only talk through Tor. Even if the Workstation is fully compromised by malware, the attacker only gets an internal IP behind the gateway.


Tails vs Whonix tradeoff:



| | Tails | Whonix |
| --- | --- | --- |
| Amnesia | Yes (RAM-only by default) | No (persistent disk) |
| Host compromise resilience | No (shared kernel with USB) | Yes (VM isolation) |
| Persistence UX | Clunky (persistent volume) | Native (it's a VM) |
| Application support | Tor Browser + Thunderbird primarily | Any app in Whonix Workstation |
| Best for | One-shot research sessions, high physical risk | Long-term monitoring, automation, tooling |


Verification: Test Your Setup


After hardening, verify anonymity:


  1. https://check.torproject.org — confirms Tor exit node is active

  2. https://browserleaks.com — check for:


    • WebRTC leaks (should be blank)

    • Canvas fingerprint (should show randomized or "not supported")

    • Font enumeration (should be limited)

    • WebGL (should show nothing)


  3. https://dnsleaktest.com — should show only Tor exit node DNS, not your ISP

  4. https://ip-check.info — comprehensive, tests many vectors


In Tor Browser, open the circuit display: click the padlock → Connection → see your three-hop circuit. Different sites should show different circuits.


Common Anti-Anonymity Mistakes Researchers Make


  • Running Tails in a VM — the host can see everything. Tails is designed for bare-metal boot.

  • Using Unsafe Browser for "just this one thing" — instant deanonymization.

  • Enabling browser extensions — uBlock Origin ships with Tor Browser; adding anything else creates a unique fingerprint.

  • Full-screening Tor Browser — bezel-breaking reveals your screen resolution, a strong fingerprinting vector. Stick to the default letterboxed window.

  • Copy-pasting between Tor Browser and host — clipboard cross-contamination on your host OS.

  • Using your real voice on any platform — if you must use voice, use a text-to-speech tool, or you've already failed anonymity.


© 2026 Black Hat HQ
