Tor Browser is a web browser based on Mozilla Firefox and configured to protect your anonymity. Given the popularity of Firefox, you might have used it before, and its user interface is like that of any other modern web browser.

Some frequently asked questions about the browser can be found in the FAQ.

Here are a few things worth mentioning in the context of Tails.

If you want to browse web pages on your local network, refer to our documentation on accessing resources on the local network.

AppArmor confinement

Tor Browser in Tails is confined with AppArmor to protect the system and your data from some types of attack against Tor Browser. As a consequence, it can only read and write to a limited number of folders.

This is why you might face Permission denied errors, for example if you try to download files to the Home folder.

  • You can save files from Tor Browser to the Tor Browser folder that is located in the Home folder. The content of this folder will disappear once you shut down Tails.
  • If you want to upload files with Tor Browser, copy them to that folder first.
  • If you have activated the Personal Data persistence feature, then you can also use the Tor Browser folder that is located in the Persistent folder. In that case, the content of this folder is saved and remains available across separate working sessions.

To be able to download files larger than the available RAM, you need to activate the Personal Data persistence feature.

HTTPS Encryption

Using HTTPS instead of HTTP encrypts your communication while browsing the web.

All the data exchanged between your browser and the server you are visiting is encrypted. This prevents the Tor exit node from eavesdropping on your communication.

HTTPS also includes mechanisms to authenticate the server you are communicating with. But those mechanisms can be flawed, as explained on our warning page.

For example, here is what the browser looks like when we try to log in to an email account at riseup.net, using their webmail interface.

Notice the padlock icon on the left of the address bar saying "mail.riseup.net" and the address beginning with "https://" (instead of "http://"). These are the indicators that an encrypted connection using HTTPS is being used.

You should try to only use services providing HTTPS when you are sending or retrieving sensitive information (like passwords). Otherwise, it's very easy for an eavesdropper to steal whatever information you are sending or to modify the content of a page on its way to your browser.

HTTPS Everywhere

HTTPS Everywhere is a Firefox extension included in Tor Browser and produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.
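The rewriting described above can be sketched as follows. This is an added example, not code from the extension or from Tails: it is a simplified model of ruleset-based rewriting, and the ruleset for example.org and the function names are constructed for illustration. It also shows the limit of the approach: a host that no ruleset covers stays on plain HTTP.

```javascript
// Simplified model of ruleset-based HTTPS rewriting (added illustration).
// RULESETS is constructed sample data, not a ruleset shipped with the extension.
const RULESETS = [
  {
    name: "Example (constructed)",
    targets: ["example.org", "*.example.org"],
    // URLs matching an exclusion are left alone, e.g. a host that only works over HTTP.
    exclusions: [/^http:\/\/legacy\.example\.org\//],
    rules: [{ from: /^http:/, to: "https:" }],
  },
];

// A target is either an exact host or a "*.domain" wildcard for subdomains.
function hostMatches(host, target) {
  if (target.startsWith("*.")) {
    return host.endsWith(target.slice(1)); // "*.example.org" -> ".example.org"
  }
  return host === target;
}

// Returns the URL to request, whether it was rewritten, and why.
function rewriteUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return { url, rewritten: false, reason: "invalid URL" };
  }
  if (parsed.protocol !== "http:") {
    return { url, rewritten: false, reason: "not plain HTTP" };
  }
  const host = parsed.hostname.toLowerCase();
  for (const ruleset of RULESETS) {
    if (!ruleset.targets.some((t) => hostMatches(host, t))) continue;
    if (ruleset.exclusions.some((re) => re.test(parsed.href))) {
      return { url, rewritten: false, reason: "excluded by ruleset" };
    }
    for (const rule of ruleset.rules) {
      if (rule.from.test(parsed.href)) {
        const target = parsed.href.replace(rule.from, rule.to);
        return { url: target, rewritten: true, reason: ruleset.name };
      }
    }
  }
  // No ruleset lists this host: the request goes out unencrypted.
  return { url, rewritten: false, reason: "no ruleset covers this host" };
}
```
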

To learn more about HTTPS Everywhere you can see:

Torbutton

Tor alone is not enough to protect your anonymity and privacy while browsing the web. All modern web browsers, such as Firefox, support JavaScript, Adobe Flash, cookies and other services which have been shown to be able to defeat the anonymity provided by the Tor network.

In Tor Browser, all such features are handled from inside the browser by an extension called Torbutton, which does all sorts of things to prevent the above type of attacks. But that comes at a price: since this disables some functionalities, some sites might not work as intended.

In Tails, the circuit view of Tor Browser is disabled because we are not sure whether it would have security implications in the particular context of Tails (see #9365 and #9366). This feature is safe to use outside of Tails.

You can see the Tor circuits in Onion Circuits.

Protection against dangerous JavaScript

Having all JavaScript disabled by default would disable a lot of harmless and possibly useful JavaScript and render many websites unusable.

That's why JavaScript is enabled by default in Tor Browser.

But we rely on Torbutton to disable all potentially dangerous JavaScript.

We consider this a necessary compromise between security and usability, and as of today we are not aware of any JavaScript that would compromise the anonymity of Tails.

To better understand the behavior of Tor Browser, for example regarding JavaScript and cookies, you can refer to the Tor Browser design document.

Security slider

You can use the security slider of Torbutton to disable browser features as a trade-off between security and usability. For example, you can use the security slider to disable JavaScript completely.

The security slider is set to low by default. This value provides the default level of protection of Torbutton and the most usable experience.

To change the value of the security slider, click on the green onion button and choose Privacy and Security Settings.

Security slider in its default value (low)

New Identity feature

The New Identity feature of Tor Browser:

  • Closes all open tabs.
  • Clears the session state including cache, history, and cookies (except the cookies protected by the Cookie Protections feature).
  • Closes all existing web connections and creates new Tor circuits.
  • Erases the content of the clipboard.

This feature is not enough to strongly separate contextual identities in the context of Tails, as the connections outside of Tor Browser are not restarted.

Shut down and restart Tails instead.

For more details, see the design and implementation of the Tor Browser.

NoScript to have even more control over JavaScript

To allow more control over JavaScript, for example to disable JavaScript completely on some websites, Tor Browser includes the NoScript extension.

By default, NoScript is disabled and some JavaScript is allowed by the Torbutton extension as explained above.

For more information you can refer to the NoScript website and features.