Downloading movie on tor browser traced

You should always remember that despite the reputation, Linux mainstream distributions Ubuntu for instance are not necessarily better at security than other systems such as macOS and Windows. For other distros, you will have to document yourself, but it will likely be similar. Encryption during install is just much easier in the context of this guide. There are several ways to achieve plausible deniability on Linux and it is possible to achieve. Here are some more details about some of the ways I would recommend.

All these options require some higher level of skills at using Linux. This is not supported by Veracrypt System encryption is only supported on Windows and requires some tinkering with various commands. This is not recommended at all for unskilled users and should only be used at your own risk.

Any other distro: You will need to document yourself and find out yourself how to disable telemetry if there is any. As explained previously, you should not use the sleep features but shut down or hibernate your laptop to mitigate some evil-maid and cold-boot attacks.

Unfortunately, this feature is disabled by default on many Linux distros including Ubuntu. It is possible to enable it, but it might not work as expected. Follow this information at your own risk.

If you do not want to do this, you should never use the sleep function and power off instead and set the lid closing behavior to power off instead of sleep. After Hibernate is enabled, change the behavior so that your laptop will hibernate when you close the lid by following this tutorial for Ubuntu Unfortunately, this will not clean the key from memory directly when hibernating.

Any other distro: you will have to find the documentation yourself, but it should be quite similar to the Ubuntu tutorial. Due to Virtualbox not supporting this architecture yet. It could however be possible if you use commercial tools like VMWare or Parallels but those are not covered in this guide.

Again, this is to prevent some cold-boot and evil-maid attacks by powering down your RAM and cleaning the encryption key when you close the lid. You should always either hibernate or shut down. On macOS, the hibernate feature even has a special option to specifically clear the encryption key from memory when hibernating while you might have to wait for the memory to decay on other Operating Systems. Once again there are no easy options to do this within the settings so instead, we will have to do this by running a few commands to enable hibernation:.

Run: sudo pmset -a destroyfvkeyonstandby 1. Now when you close the lid of your MacBook, it should hibernate instead of sleep and mitigate attempts at performing cold-boot attacks. But you should document yourself on the actual issue before acting. Up to you really.

I would block it because I do not want any telemetry at all from my OS to the mothership without my specific consent.

Be careful when enabling. Do not store the recovery key at Apple if prompted should not be an issue since you should be offline at this stage. You do not want a third party to have your recovery key. Unfortunately, macOS does not offer a native convenient way of randomizing your MAC Address and so you will have to do this manually.

This will be reset at each reboot, and you will have to re-do it each time to ensure you do not use your actual MAC Address when connecting to various Wi-Fis. Turn the Wi-Fi off networksetup -setairportpower en0 off. Change the MAC Address sudo ifconfig en0 ether Turn the Wi-Fi back on networksetup -setairportpower en0 on.

You should follow Appendix A: Windows Installation. Veracrypt is the software I will recommend for full-disk encryption, file encryption, and plausible deniability. It is a fork of the well-known but deprecated and unmaintained TrueCrypt. It can be used for:. Full Disk encryption with plausible deniability this means that depending on the passphrase entered at boot, you will either boot a decoy OS or a hidden OS. File container simple encryption it is a large file that you will be able to mount within Veracrypt as if it were an external drive to store encrypted files within.

It is to my knowledge the only convenient and usable by anyone free, open-source, and openly audited encryption software that also provides plausible deniability for widespread use and it works with Windows Home Edition.

After installation, please take a moment to review the following options that will help mitigate some attacks:. This setting will also disable hibernation which does not actively clear the key when hibernating and instead encrypt the memory altogether to mitigate some cold-boot attacks. This could help in case your system is seized while still on but locked. This will prevent Windows from writing some logs about your mounts in the Event logs and prevent some local data leaks.

Be careful and have a good situational awareness if you sense something weird. Shut your laptop down as fast as possible. If you do not want to use encrypted memory because performance might be an issue , you should at least enable hibernation instead of sleep.

This will not clear the keys from memory you are still vulnerable to cold boot attacks but at least should mitigate them if your memory has enough time to decay. For this case, I will recommend the use of BitLocker instead of Veracrypt for the full disk encryption.

The reasoning is that BitLocker does not offer a plausible deniability possibility contrary to Veracrypt. Normally, you should have installed Windows Pro in this case and the BitLocker setup is quite straightforward. Only save the recovery key to an external encrypted drive. To bypass this, print the recovery key using the Microsoft Print to PDF printer and save the key within the Documents folder.

Delete that file later. Encryption should now be started in the background you can check by clicking the Bitlocker icon on the lower right side of the taskbar.

Unfortunately, this is not enough. With this setup, your Bitlocker key can just be stored as-is in the TPM chip of your computer. To mitigate this, we will have to enable a few more options as per the recommendations of Microsoft :. Run manage-bde -protectors -delete c: this will delete current protection: the recovery key we will not need. Again, as explained earlier.

Instead, you should Shut down or hibernate. You should therefore switch your laptop from sleeping to hibernating when closing the lid or when your laptop goes to sleep.

Note that you cannot enable hibernation if you previously enabled RAM encryption within Veracrypt. The reason is that Hibernation will actually shut down your laptop completely and clean the memory.

Sleep on the other hand will leave the memory powered on including your decryption key and could leave your laptop vulnerable to cold-boot attacks.

You could be compelled by an adversary to reveal your password and all your secrets and will have no plausible deniability. Route B: Simple encryption of your current OS with later use of plausible deniability on files themselves:. As you can see, Route C only offers two privacy advantages over the others, and it will only be of use against a soft lawful adversary. Always be sure to check for new versions of Veracrypt frequently to ensure you benefit from the latest patches.

Especially check this before applying large Windows updates that might break the Veracrypt bootloader and send you into a boot loop. So, make sure you check when doing the test boot what keyboard layout your BIOS is using. You do not have to have an HDD for this method, and you do not need to disable Trim on this route. Trim leaks will only be of use to forensics in detecting the presence of a Hidden Volume but will not be of much use otherwise.

This route is rather straightforward and will just encrypt your current Operating System in place without losing any data. Be sure to read all the texts Veracrypt is showing you, so you have a full understanding of what is going on.

Here are the steps:. Enter a strong passphrase longer the better, remember Appendix A2: Guidelines for passwords and passphrases. To rescue disk or not rescue disk, well that is up to you. I recommend making one just in case , just make sure to store it outside your encrypted drive USB key for instance or wait and see the end of this guide for guidance on safe backups. This rescue disk will not store your passphrase and you will still need it to use it.

If you have sensitive data on an SSD, Trim alone should take care of it but I would recommend one pass random data just to be sure. Test your setup. Veracrypt will now reboot your system to test the bootloader before encryption. This test must pass for encryption to go forward. After your computer rebooted and the test is passed. You will be prompted by Veracrypt to start the encryption process. There will be another section on creating encrypted file containers with Plausible Deniability on Windows.

This is only recommended on an HDD drive. This is not recommended on an SSD drive. Therefore, this route will recommend and guide you through a full clean installation that will wipe everything on your laptop. As you can see this process requires you to have two partitions on your hard drive from the start. Encrypt your second partition the outer volume that will look like an empty unformatted disk from the decoy OS.

Create a hidden volume within the outer volume of that second partition. This is where the hidden OS will reside. This means that your current Windows 10 will become the hidden Windows 10 and that you will need to reinstall a fresh decoy Windows 10 OS. Also as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time your laptop will become slower and slower over several months of use until it becomes almost unusable, you will then have to clean the drive and re-install everything.

But you must do it to prevent data leaks that could allow forensics to defeat your plausible deniability The only way around this at the moment is to have a laptop with a classic HDD drive instead. Do not connect this OS to your known Wi-Fi.

You should download the Veracrypt installer from a different computer and copy the installer here using a USB key.

Use a strong passphrase remember Appendix A2: Guidelines for passwords and passphrases. At this stage, you should copy decoy data onto the outer volume. In case you need to reveal a password to this Volume.

Remember you must leave enough space for the Hidden OS which will be the same size as the first partition you created during installation. Use a strong passphrase for the Hidden Volume obviously a different one than the one for the Outer Volume. Veracrypt will now restart and Clone the Windows where you started this process into the Hidden Volume.

This Windows will become your Hidden OS. Veracrypt will inform you that the Hidden System is now installed and then prompt you to wipe the Original OS the one you installed previously with the USB key. See Appendix A: Windows Installation and proceed with installing Windows 10 Home again do not install a different version and stick with Home. Pre-Test your setup. You are mounting it as read-only now because if you were to write data on it, you could override content from your Hidden OS.

Before going to the next step, you should learn the way to mount your Outer Volume safely for writing content on it. Basically, you are going to mount your Outer Volume while also providing the Hidden Volume passphrase within the Mount Options to protect the Hidden Volume from being overwritten. Veracrypt will then allow you to write data to the Outer volume without risking overwriting any data on the Hidden Volume:. This operation will not actually mount the Hidden Volume and should prevent the creation of any forensic evidence that could lead to the discovery of the hidden OS.

However, while you are performing this operation, both passwords will be stored in your RAM and therefore you could still be susceptible to a Cold-Boot Attack. To mitigate this, be sure to have the option to encrypt your RAM too as instructed before. We must make the Decoy OS as plausible as possible. We also want your adversary to think you are not that smart.

Therefore, it is important to voluntarily leave some forensic evidence of your Decoy Content within your Decoy OS. This evidence will let forensic examiners see that you mounted your Outer Volume frequently to access its content. Be sure to keep a history of those. Remember that you will need valid excuses for this plausible deniability scenario to work:.

You are using Veracrypt because you are using Windows 10 Home which does not feature Bitlocker but still wanted Privacy. You have two Partitions because you wanted to separate the System and the Data for easy organization and because some Geek friend told you this was better for performance. You have used a weak password for easy convenient booting on the System and a Strong long passphrase on the Outer Volume because you were too lazy to type a strong passphrase at each boot.

You encrypted the second Partition with a different password than the System because you do not want anyone in your entourage to see your stuff. And so, you did not want that data available to anyone.

If you did this, it would create forensics evidence of the Hidden Volume within the Decoy OS that could jeopardize your attempt at plausible deniability. If you did this anyway intentionally or by mistake from the Decoy OS, there are ways to erase forensics evidence that will be explained later at the end of this guide. You should always mount it as read-only. The Hidden OS is only meant to protect you from a soft adversary that could gain access to your laptop and compel you to reveal your password.

Be careful of any tampering with your laptop. Evil-Maid Attacks can reveal your hidden OS. This step and the following steps should be done from within the Host OS. In this route, we will make extensive use of the free Oracle Virtualbox software. Even if your VM is compromised by malware, this malware should not be able to the VM and compromise your actual laptop.

It will allow us to force all the network traffic from your client VM to run through another Gateway VM that will direct torify all the traffic towards the Tor Network.

Your VM will lose its network connectivity completely and go offline if the other VM loses its connection to the Tor Network. With this solution, all your network goes through Tor, and it should be sufficient to guarantee your anonymity in most cases.

To mitigate this, you might have to consider the next option: VPN over Tor but consider some risks associated with it explained in the next section. This solution can bring some benefits in some specific cases vs using Tor only where accessing the destination service would be impossible from a Tor Exit node.

If an adversary somehow manages to compromise the Tor network too, they will only reveal the IP of a random public Wi-Fi that is not tied to your identity. If an adversary somehow compromises your VM OS with malware or an exploit for instance , they will be trapped within the internal Network of Whonix and should be unable to reveal the IP of the public Wi-Fi. This solution however has one main drawback to consider: Interference with Tor Stream Isolation Stream isolation is a mitigation technique used to prevent some correlation attacks by having different Tor Circuits for each application.

Here is an illustration to show what stream isolation is:. When you do not mind using a shared Tor circuit for various services. For instance, when using various authenticated services. If your goal however is to use the same identity at each session on the same authenticated services, the value of Stream isolation is lessened as you can be correlated through other means.

You should also know that Stream Isolation is not necessarily configured by default on Whonix Workstation. It is only pre-configured for some applications including Tor Browser. Also, note that Stream Isolation does not necessarily change all the nodes in your Tor circuit. It can sometimes only change one or two. In many cases, Stream Isolation for instance within the Tor Browser will only change the relay middle node and the exit node while keeping the same guard entry node. Well, I would not necessarily it:.

We do not trust them. I prefer a situation where your VPN provider does not know who you are. It does not add much in terms of anonymity. It does not help in terms of convenience. See Appendix X: Using Tor bridges in hostile environments. This will of course have a significant performance impact and might be quite slow, but Tor is necessary somewhere for achieving reasonable anonymity. Achieving this technically is easy within this route, you need two separate anonymous VPN accounts and must connect to the first VPN from the Host OS and follow the route.

Or just because you can and so why not. If you can use VPNs then you should be able to add a Tor layer over it. One of the VPN providers will know your real origin IP even if it is in a safe public space and even if you add one over it, the second one will still know you were using that other first VPN service. This will only slightly delay your de-anonymization. Yes, it is an added layer … but it is a persistent centralized added layer, and you can be de-anonymized over time. This is just chaining 3 ISPs that are all subject to lawful requests.

In the context of this guide, Tor is required somewhere to achieve reasonable and safe anonymity and you should use it if you can. If you cannot use VPN nor Tor where you are, you probably are in a very hostile environment where surveillance and control are extremely high. Just do not, it is not worth it and too risky IMHO. You can be de-anonymized almost instantly by any motivated adversary that could get to your physical location in a matter of minutes. In addition, using Tor where you are could put you in trouble just for that.

But Tor is still the best solution for anonymity and must be somewhere for anonymity. It might be a bit less secure against correlation attacks due to breaking Tor Stream isolation but provides much better convenience in accessing online resources than just using Tor. If your intent however is just to browse random services anonymously without creating specific shared identities, using tor friendly services; or if you do not want to accept that trade-off in the earlier option.

If both Tor and VPN access are impossible or dangerous then you have no choice but to rely on Public wi-fi safely. This route will use Virtualization and Whonix as part of the anonymization process. Whonix is a Linux distribution composed of two Virtual Machines:. The Whonix Gateway this VM will establish a connection to the Tor network and route all the network traffic from the Workstation through the Tor network. You will be able to decide which flavor to use based on my recommendations.

I recommend the second one as explained before. Later, you will create and run several Virtual Machines within Virtualbox for your sensitive activities. If for any reason later you want to go back to that state, you can restore that snapshot at any moment. Meaning that you will be able to erase all the traces of your activities within a VM by restoring a Snapshot to an earlier state. Forensics studies have shown the ability to recover data from a reverted VM Fortunately, there will be ways to remove those traces after the deletion or reverting to an earlier snapshot.

Such techniques will be discussed in the Some additional measures against forensics section of this guide. This will conclude the preparations and you should now be ready to start setting up the final environment that will protect your anonymity online. Do not enable 2D acceleration. This one is done running the following command VBoxManage modifyvm "vm-id" --accelerate2dvideo on off.

This one is done running the following command VBoxManage modifyvm "vm-id" --acpi on off. Disable the USB controller which is enabled by default. This offset should be within a millisecond range and should be different for each VM and here are some examples which can be later applied to any VM :. If you intend to use Tor over VPN for any reason. Remember that in this case, I recommend having two VPN accounts.

More on that later. You can decide if you prefer to conduct your sensitive activities from the Whonix Workstation provided in the earlier section highly recommended or from a Custom VM that will use the Whonix Gateway like the Whonix Workstation less secure but might be required depending on what you intend to do. Just use the provided Whonix Workstation VM. It is the safest and most secure way to go on this route. It is also the only VM that will provide Stream Isolation pre-configured for most apps by default Do not forget to apply the VM hardening recommendations here: Virtualbox Hardening recommendations.

Be careful, any customization you make to the non-Whonix guest VMs keyboard layout, language, time zone, screen resolution, or other could be used to fingerprint your VMs later. Use the Linux Distro of your choice. I would recommend Ubuntu or Fedora for convenience but any other would work too. Be sure to not enable any telemetry.

See Appendix V1: Hardening your Browsers as well. Shut down the Whonix Gateway VM this will prevent Windows from sending out telemetry and allow you to create a local account. Follow the steps in Appendix A: Windows Installation. IP address Subnet prefix length 18 Gateway DNS Every time you will power on this VM in the future, make sure you change its Ethernet Mac Address before each boot.

You can only do this while the VM is powered off. Because sometimes you want to run mobile Apps anonymously too. You can also set up an Android VM for this purpose. As in other cases, ideally, this VM will also be sitting behind the Whonix Gateway for Tor network connectivity. Select Advanced if you want persistence, Live if you want a disposable Boot and skip the next steps. Set up as you wish disable all prompts for data collections. I recommend using the TaskBar Home.

You can run any version of macOS you want. Afterward, and during the install, you will need to input an IP address manually to connect through the Whonix Gateway. There are some drawbacks to running macOS on Virtual Machines. The main one is that they do not have a serial number 0 by default and you will be unable to log in to any Apple-provided service iCloud, iMessage… without a genuine ID. Note: I also ran in multiple issues with running these on AMD processors.

This can be fixed so here is the configuration I used which worked fine with Catalina and Big Sur which will tell Virtualbox to emulate an Intel Processor instead:. This is the ability to create entries for 2FA authentication with the authenticator feature. You should never do any sensitive activities from your Host OS.

If you decided to not use a cash-paid VPN and just want to use Tor, skip this step. If your VPN client does this or asks this, you should consider changing the provider. I would recommend against this unless you are in a hurry or very lazy.

This should keep things in check in terms of security. For now, users can send private and group messages, share files, and send e-mails using uMail which is an isolated e-mail network accessible only inside Utopia. Everything required for the environment E-mail client, Wallet, Games, Messenger etc. It also has its own fully functional financial-structure, users can conduct financial transactions using Crypton, the private Cryptocurrency of Utopia.

No party controls the transactions, neither has access to the transaction details. The storage is encrypted using bit AES encryption. Is currently in its Beta version and users are invited to join the program and contribute their skills. Psiphon alike Whonix or a number of other tools on this list is an anti-censorship tool. Neither can they monitor our internet habits, browsing history, messages or anything else.

It allows access to content other browsers may not. Also unlike a VPN it only proxies the activities conducted explicitly through the Psiphon browser. All other internet connections are unencrypted and public. Yandex is yet another deep web browser you can get your hands on, a browser which understands your privacy and need to be anonymous.

Zero Net was created in In other words, every visitor of a website is a host of the website as well only if they wish to. It has plans to implement BitMessage as well as OpenBaazar 2.

Both of which will potentially make it the next Dark-web hub much similar to Tor itself. It already features alternatives to Facebook, Gmail, Twitter etc. Rather a network which supports Deep web browsers, and offers deep web alternatives to almost everything available on the Clearnet.

Tor is pre-bundled with the Windows version of ZeroNet as well. The final solution I can lay out for you as a deep web browser is I2P. It protects us from data-leaks, activities being tracked online, identity being publicized and so on.

So basically it protects our digital lives. And all this is anonymous, as well as decentralized. Lastly, you can access the eepsites anonymous sites not available on the clearnet with I2P as well. Plus, ExpressVPN has been independently audited to prove its no-logs policy. It does this by blocking all internet traffic until the VPN connection is re-established. I tested how straightforward the process was by requesting a refund through live chat — the money was back in my bank account in less than a week.

This is a limited offer so be sure to grab it now before it's gone. See more information on this offer here. These bespoke servers combine military-grade bit encryption with hands-on hardware maintenance. These servers are located in Romania outside the reach of the 5- and Eyes Alliance , and are designed to withstand hardware attacks. I was able to browse Tor without any slowdowns, regardless of which server I was connected to.

CyberGhost also features 4 different VPN protocols. WireGuard, on the other hand, is easy to use and secure, and is a strong contender against OpenVPN in terms of security. Every three months, the CyberGhost team publishes transparency reports that detail legal requests, infrastructure statistics, and malicious activity flags. I requested a refund via live chat, and received the money on my account immediately.

The entire process took less than 5 minutes. Use Tor with CyberGhost. This is a limited offer so grab it now before it's gone. Loading Tor websites while connected to servers in the US was quick my actual location is close to the US. Browsing Tor on an Australian server was slower, and downloading files was near impossible. PIA allows 10 devices to connect simultaneously , which allows you to protect all of your devices, or to extend the protection to your entire household.

PIA has a clear-cut no-logs policy : they never store or share any personal information. Asking for a refund via live chat was a quick and easy process, and the refund was in my account in less than a week. Try Tor with PIA. Hurry and check out the deal here! Some free VPNs will actually sell your information, too.. For either method, I highly recommend that you anonymously pay for your VPN subscription. The safest way is to connect to a VPN and then launch Tor.

Tor hides your information from your ISP, but might not protect it from websites. Similar browsers such as Chrome, Firefox, or DuckDuckGo can leak your information to websites you visit and Tor could do the same. The level of security that you get depends on the VPN you use. Tor inevitably slows down your connection, so a bad VPN will slow your experience down to a crawl. A VPN without a kill switch will also leak data to Tor nodes if your internet connection unexpectedly drops, and this is particularly dangerous if you happen to be connected to a malicious exit node.

My number one recommendation is ExpressVPN. It is backed by a 30 -day money back guarantee so you can test its features risk-free. Keep reading for a guide to installing and using Tor on your devices. You can also connect to Tor and then to your VPN. Connecting to a VPN while using Tor allows you to visit sites on the clear web normal sites outside the dark web that normally block Tor addresses, and it allows you to hide your online activity from the Tor exit node operator.

The biggest downside to VPN over Tor approach is that it prevents access to. When you use Tor, your data goes through an entry node, middle node, and exit node. The main trick is to hide your IP address.

If your IP is hidden, it becomes much harder to trace what you do online. There are still a few other ways that people can use to trace you, but these are generally a fair bit more complex and not as common as IP-tracking, such as browser fingerprinting. This is why a proxy is very useful for circumventing geographic online barriers and blocks, but not for exchanging sensitive information. In general, the anonymity and protection a proxy offers is minimal. The Tor browser allows you to send all your online traffic via a worldwide network of servers.

With each step, the Tor network adds layers of encryption to your data. Moreover, the Tor browser gives you access to the dark web. Tor is meant to provide its users with a safe and anonymous internet experience. Sadly, the strong encryption Tor uses makes for a significantly slower connection. A VPN connection is the most advanced option when it comes to online privacy and safety.

A VPN is, in its most basic sense, a proxy connection with additional strong encryption: a safer and more anonymous alternative to other services that cloak your IP. Please note: the Tor browser is a great way to improve your privacy. As such, there are people who try to get a hold of these servers to steal your data traffic. As such, we advise always connecting to a VPN before using the Tor browser, for an added layer of encryption and protection.

Plenty of parties are eager to get their hands on your personal information. This data can be used to personalize ads or improve services, but also to keep a close eye on you or steal from you. You can do this by using a proxy, the Tor browser, or a VPN. Using both will protect you even more: you can easily get yourself a VPN and use the Tor browser at the same time. This way, other parties will have great trouble trying to get to your personal information.

Have you got a question about your privacy or about measures you can take to improve it? In that case, have a look at our FAQ down below. There are tons of different parties who can spy on you online, such as websites you visit, governments, hackers, search engines, internet service providers and many other parties. What these ways are you can check in our article about surfing the web anonymously.

There are several ways to improve your privacy, such as using privacy-minded search engines like DuckDuckGo and the Tor-browser, installing ad blockers and extensions that remove cookies and many other ways. A great way that we wholeheartedly recommend to everyone is by using a VPN. This greatly depends on a number of factors, such as what parties are involved and which of your data they have obtained. On the other hand, cybercriminals can very easily obtain your bank details to enrich themselves with your hard-earned cash, if you fill out your login info on an unsafe public WiFi network.

These are just a few of the reasons why we always recommend taking several precautions online, such as using a VPN. This will keep your browsing history from being recorded in your browser and by other parties. However, if you use a VPN, this information will no longer be visible for them. This partly depends on your Windows settings. There are options that allow Windows to store your activity history on your device, and even to send it to Microsoft.

If you make sure these options are turned off, however, as well as using a VPN, you should be fine. More about how to increase your privacy on Windows 10 can be read in this article. With Safari, you can choose yourself for how long you wish the browser to remember your history, up to one year. This could mean that others see all of this as well. By using a VPN and the incognito mode , you can keep others, such as your roommates, but also your ISP, from seeing which web pages you visit.

By: Tove Marks Reading time: 15 minutes Update: