The Tor Browser is basically a tool that helps us browse the internet, just like Chrome, Opera, Firefox, or other web browsers. However, unlike standard browsers, it directs all internet traffic through the Tor network. This allows us to access hidden services that are referred to as the "Dark Web" on the Tor network and the "Surface Web" while bypassing all restrictions in a secure manner. The Tor Browser is a customized version of the Firefox browser for the Tor network and is a practical solution for connecting to the Tor network through various operating systems. While there is no official browser for iOS at the time of preparing this education, there are official browser supports available for Android, Windows, Linux, and Mac.
Tor browsers, in addition to directing all internet traffic through the Tor network, come with various restrictions and security measures that are different from those of normal browsers. They are optimized for security and privacy.
Before discussing details about using the browser, let's first learn where and how to download the Tor Browser.
Downloading Tor Browser
There are multiple alternatives to download Tor browser. All of these alternatives are designed to enable us to securely download Tor browser from any restricted network. Let's take a look at the download sources one by one.
Downloading from Tor Website
The most basic and common method of downloading Tor browser is to download the appropriate version from its official website.
To download the browser, we need to visit the website first. If you wish, you can select the Turkish language to better understand the written content. After changing the language of the website, click on "Download Tor Browser" section.
On the opened page, you will see download options for multiple platforms. However, for more options, click on "See other downloads for languages and platforms.
Link: https://www.torproject.org/download/
Downloading from the Tor Website The most basic and common method to download the Tor Browser is from its official website. First, go to the website's address. If you prefer, you can change the language to Turkish to better understand the instructions. After changing the language, click on the "Download Tor Browser" section. On the opened page, you will see download options for multiple platforms and languages. However, my suggestion would be to choose the English version, which has a much wider user base, unless it is necessary for you to download Turkish or other languages that may be associated with your identity. This way, you can make your real identity more ambiguous with a widely used version of the browser. Nevertheless, if you think you might have difficulties or if anonymity is not crucial for your usage, you can choose the language pack you prefer. You can also choose the Turkish language pack for initial usage until you get familiar with the browser. Additionally, make sure to download the "signature" file of the downloaded installation file by right-clicking on the "sig" link and selecting "Save link as". The downloaded signature file is a digital signature of the original version of the Tor Browser, which verifies the integrity of the file.
We will use this file to test the security of the file during the installation process. So, we have covered the first download alternative. However, even though it is the first, it is actually the most blocked alternative. Typically, many websites related to the Tor project can be inaccessible on many networks by default. In fact, while you were following this tutorial, you may not have been able to access the Tor website. In this case, you can use the second alternative download source or download it using the Tor website through any VPN. In fact, I was able to access the website by using a simple VPN application installed on my browser while preparing this guide because I had trouble accessing the website. So, you can use simple VPN extensions that can be installed on browsers for downloading or try the second download method. Also, I would like to mention that free VPN services that run on the browser are not secure and they record many of your personal data. We only used it for the download process, which is not very important for our privacy. Besides, before using such free services, I recommend you to read the terms of use to learn what kind of information they collect about you. For now, let's move on to our second alternative source, putting VPN usage aside.
Downloading from Github
In this alternative, which provides a much more uninterrupted access compared to the first one, we can access the download files via Github. First, let's go to the Github source of the Tor Project; https://github.com/TheTorProject/getTorBrowser To download the published sources on Github, click on the "release" tab. As you can see, all downloadable files are listed here. From here, we can select the version suitable for our system and download it. Also, please do not forget to download the ".asc" signature file together with the installation file you downloaded.
As I mentioned before, we will use this file to test the security of the downloaded file during the installation process.
In the recent past, access to Github has been blocked in our country. If such a situation arises again or if your access to these Tor installation files on Github is somehow blocked, you can download the files using a VPN or the next email management method.
Downloading via Email
If you cannot access the download sources of Tor Browser through the previous methods, you can simply send an email to gettor@torproject.org. For instance, if you want to download the Turkish version of Tor Browser for Windows, you need to send a message to gettor@torproject.org and write "windows tr" as the message.
As you can see, shortly after, I received download links containing many alternative methods as a response.
As you can see, all of the methods and addresses I have explained so far may change over time for various reasons. In such a case, what you need to do is to check the download guide on the Tor Project website. Since there is also Turkish support, you can easily read many documents and guides. Additionally, if you have any problems, you can always ask me questions through the Q&A section of the course.
Some of you may wonder, or even criticize, why I have explained a simple download process in such a long and detailed way. The reason for this is hidden in the structure of the Tor Project. Due to its structure, the Tor Project has always had to create alternative routes as it constantly struggles with censorship. Therefore, I have explained in such detail so that you know alternative ways to access resources in any situation.
In the end, we have covered how to obtain the files we need to download for the installation process, including alternative methods. However, before proceeding with the installation process, there is one more step we need to take, which is to verify the downloaded files.
But why do we need to verify the files? Weren't the sources we used the main sources of the Tor Project?
Link: https://tb-manual.torproject.org/tr/downloading/
Veryfing the File
We should verify the installation files regardless of where we downloaded them from, as the content of the installation files may have been tampered with by attackers before or during the download process. For example, a file downloaded from the Tor project website may have been replaced with a malicious version by attackers who hacked the website. While this may seem like a low probability for many people, it's worth noting that in 2016, Linux Mint servers were hacked and their ".iso" files were replaced with malicious ones, and many people downloaded and installed the malicious Mint versions. Additionally, even if the direct download source is not hacked, there is still a possibility that the file can be replaced with a malicious version by attackers who control the connection at any point during the download process.
To verify installation files, it's necessary to check their authenticity regardless of where we download them from, as the contents of installation files can be altered by attackers either before or during the download process. For instance, a file downloaded from the Tor project's website could have been replaced with a malicious version by attackers who hacked the website. Although this possibility may seem low to many people, it's worth remembering that in 2016, Linux Mint servers were hacked, and the ".iso" files were replaced with malware-infected versions, causing many people to unwittingly download and install malicious Mint releases. You can check the source for more information.
Furthermore, even if the direct download source isn't hacked, there's still the possibility that the file may be replaced with a malicious version by attackers who control the connection during our download process.
The most reliable solution to prevent these and similar scenarios is to verify the downloaded file. To do this, we need to compare the digital signature of our downloaded file with the one published by the Tor project developers. Digital signatures are unique signatures assigned by developers only to a specific version of the program. Even the slightest change to the program content will break this signature, allowing us to easily test whether the program has been tampered with.
As I mentioned earlier, when we download the installation file, we also need to download ".asc" signature files. These ".asc" files are actually signature files created with the PGP encryption protocol. They contain a unique key created specifically for this purpose. We can use these files to test whether the program's content has been changed or not. If you didn't download these signature files, you can obtain the signature files with the same name as the version you downloaded from the download source.
If the terms I used during the explanation seem unfamiliar and incomprehensible to you, don't worry. We will also discuss this signature format in the "Encryption" section later in the training. For now, just focus on the part we use for verification. Since this process is quite simple, you won't have any problems if you follow the guide carefully. After obtaining the installation file and the signature file, we also need to use a tool to test the installation file. Although these tools may differ depending on the operating system used, their functions and usage are basically the same. For example, we will use the Gpg4win tool to verify the signature on Windows. On MacOS, we will use the tool called GPG Suite for signature verification. Finally, on Linux, we will test our signature using an already installed verification tool.
We will be addressing the verification and installation processes separately for each operating system. Therefore, you do not need to follow the installation instructions for operating systems other than the one you are using. We will be discussing how to perform the same process on the current operating system in each case.
Without further ado, let's start with how to verify and install the Tor Browser installation file on a "Windows" system.
Tor Browser Verification and Installation (Windows)
Before proceeding with the installation process, let's verify the contents of the installation package we downloaded earlier. Since we will be using the "Gpg4win" tool to perform signature verification on Windows, we first need to obtain the tool. To download the "Gpg4win" tool, visit the https://gpg4win.org website and open the download page. If you want to make a donation, you can specify the amount you want here. If you are not going to donate, select "0" and click the download button.
gpg --auto-key-locate nodefault,wkd --locate-keys torBrowser@torproject.org
This will retrieve the Tor developer's verification key from a secure location.
After completing this step, we can verify the contents of the installation package we downloaded by specifying the location of the downloaded files, including the signature file. For example, if the files are located in the "Downloads" folder, we can run the following command:
gpg --verify Downloads\TorBrowser-install-XYZ_en-US.exe.asc Downloads\TorBrowser-install-XYZ_en-US.exe
It's important to specify the signature file first when entering the command.
And as a result, the output we obtained matched the secure Tor key we imported, proving that our file is a signed and unmodified file from the Tor developers. If our file had been a modified file, we would not have been able to obtain this output because the signature would not have matched. Now that we have verified our file, we can start the Tor Browser installation by double-clicking on the installation file. When the Tor browser is installed, unlike many programs, it does not spread throughout the system. It keeps all its files in a single location. We can select where to keep the file from the window that appears. I am keeping it on the desktop by not changing the default. You can choose a different location if you wish. The installation process is completed in a short time. If you want shortcuts to be created on the start menu and desktop, you can click finish without removing the selected checkbox. I remove the checkmark and click finish to open the program. To connect the browser to the Tor network, I click the "Connect" button in the window that appears.
After a short while, our browser opens smoothly as the connection is established. Also, when we check, we can confirm that our browser is installed inside the "Tor Browser" folder located on the desktop.
Installation of Tor Browser (Linux)
We do not need to install an external application for file verification as in other operating systems. Except for some exceptions, most Linux distributions come with the GPG verification tool. If the verification tool is not available on your Linux system, you can contact me via the Q&A section. To perform the verification process, first, let's enter the following command in our command line to securely import the developer key. If you have never opened the command line before, even if you are using Linux, you can open it by searching for "command line" or "terminal" or finding it from the applications list. Let's enter our command and acquire the developer key. "gpg --auto-key-locate nodefault,wkd --locate-keys torBrowser@torproject.org" If the above command does not work correctly, that is, if you cannot import the developer key, please try the following command as well. "curl -s https://openpgpkey.torproject.org/.wellknown/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf | gpg -import" - After importing the key, let's enter the following command with file locations, with the signature file first, to verify the installation file as shown in the example below. gpg -verify ~/Downloads/Tor-Browser-linuxXYZ.tar.xz.asc ~/Downloads/TorBrowser-linuxXYZ.tar.xz
After completing the verification process, we have proven that our file is signed by Tor developers and has not been tampered with. If the file content had been modified, we wouldn't have been able to obtain this output as the signature would not have matched.
Now that we have verified our file, we can extract the Tor Browser from the archive file to any location we prefer without needing to install it on Linux. All we need to do is decide where we want to store this file. I choose to extract the archive contents to my desktop location. To launch the browser, I navigate to the extracted file location and double-click on the icon. Then, I click on the "Connect" button to connect the browser to the Tor network.
After the verification process, we have proven that our file is a signed and unmodified file from Tor developers. If the file content had been modified, we would not have been able to obtain this output because the signature would not match. Now that we have verified our file, we can extract it to any location we want from the archive and start using the Tor browser. The Tor browser comes pre-installed without the need for installation when used on Linux. All we need to do is decide where to host this file. I extract the archive content to my desktop location. To run the browser, I double-click on its icon in the extracted file location. I click the "Connect" button in the window that opens to connect the browser to the Tor network. After a short time, the connection is established, and our browser opens smoothly. This way, we have downloaded and installed our Tor browser securely on the Linux system. In the following sections, we will discuss its usage in detail. Finally, I would like to emphasize that while the verification process is not mandatory, it is a crucial detail for our security. Moreover, since there is no difficulty in the implementation, I strongly recommend that you perform verification before the installation process.
Installation of Tor Browser on Android
When we do not have access to our desktop devices, we can use the Tor browser specifically developed for the Android platform to securely access the Tor network from our Android device. To obtain the browser, simply search for "Tor Browser" on the PlayStore. Once we are sure that we have selected the correct application from the options available, we can download and wait for it to install
After the installation is complete, open the application and click on the "Connect" button, then wait for the browser to connect to the Tor network.
About iOS Tor Browser
iOS devices don't have an official version of Tor Browser, but there are a few alternative apps you can use. However, unless it is necessary and security is very important, I do not recommend using them. I will not discuss alternative iOS applications and their usage in this section, as I do not find them secure. If you really need it, you can search the App Store to find a browser that allows you to connect to the Tor network, but it may not be reliable in terms of security and privacy. If the Tor project developers release a stable iOS application, I will add it to this section.
1 comments:
👌
Post a Comment