Browsing the web with Tor Browser
Download Tails 0.23 March 19, 2014

Iceweasel icon

Tor Browser is a rebranded version of the Mozilla Firefox web browser. Given its popularity many of you have probably used it before and its user interface is like any other modern web browser.

Here are a few things worth mentioning in the context of Tails.

  1. HTTPS Encryption
  2. HTTPS Everywhere
  3. Torbutton
  4. Protection against dangerous JavaScript
  5. NoScript to have even more control over JavaScript

HTTPS Encryption

Using HTTPS instead of HTTP encrypts your communication while browsing the web.

All the data exchanged between your browser and the server you are visiting are encrypted. It prevents the Tor exit node to eavesdrop on your communication.

HTTPS also includes mechanisms to authenticate the server you are communicating with. But those mechanisms can be flawed, as explained on our warning page.

For example, here is how the browser looks like when we try to log in an email account at lavabit.com, using their webmail interface:

Tor browser

Notice the small area on the left of the address bar saying "lavabit.com" on a blue background and the address beginning with "https://" (instead of "http://"):

address bar showing 'lavabit.com' / 'https://lavabit.com/'

These are the indicators that an encrypted connection using HTTPS is being used.

You should try to only use services providing HTTPS when you are sending or retrieving sensitive information (like passwords), otherwise its very easy for an eavesdropper to steal whatever information you are sending or to modify the content of a page on its way to your browser.

HTTPS Everywhere

HTTPS Everywhere logo

HTTPS Everywhere is a Firefox extension shipped in Tails and produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.

To learn more about HTTPS Everywhere you can see:

Torbutton

Tor alone is not enough to protect your anonymity and privacy while browsing the web. All modern web browsers, such as Firefox, support JavaScript, Adobe Flash, cookies and other services which have been shown to be able to defeat the anonymity provided by the Tor network.

In Tails all such features are handled from inside the browser by an extension called Torbutton which does all sorts of things to prevent the above type of attacks. But that comes at a price: since this will disable some functionalities and some sites might not work as intended.

To learn more about Torbutton you can see:

Protection against dangerous JavaScript

Having all JavaScript disabled by default would disable a lot of harmless and possibly useful JavaScript and render unusable many websites.

That's why JavaScript is enabled by default in Tails.

But we rely on Torbutton to disable all potentially dangerous JavaScript.

We consider this as a necessary compromise between security and usability and as of today we are not aware of any JavaScript that would compromise Tails anonymity.

For more technical details you can refer to the Torbutton design document.

NoScript to have even more control over JavaScript

NoScript logo

For more information you can refer to the NoScript website and features.