- Sometimes I have to use google for searching things. Does it impact my privacy/anonymity if I do it on Tor in Whonix? (in its own Tor session/Identity)
Would you recommend a different way? - Does it matter if I use the onion URL of a website or the regular one?
- Which free email providers do you recommend for privacy and anonymity?
- Which onion search engines do you recommend for finding onion-only websites?
-
Completely. Google scan and use metrics in all you search, they live from that. Use TOR could help, but if you use personal google accounts it will deanonymize you instantly. Avoid the use of big companies that live from your data, and use open-source or privacy focused software. Use tor browser and for search engine use DuckDuckGo or Startpage under .onion. Bot of them are good, try both and use the one you like best. DuckDuckGo vs. Startpage
-
Absolutely. When you use TOR, you will have a minimum of 3 nodes. Guard, middle, exit. If you connect to a website outside of the TOR network, you will be connecting with it directly with your exit node. But when you connect to an .onion website, you aren’t leaving TOR, you will connect to an intermediate server that will redirect your request to the first node of the tor website. Something like it:
Not onion website:
Your PC → Guard Relay → Middle Relay → Exit Relay → Website ServerOnion website:
Your PC → Guard Relay → Middle Relay → Exit Relay → Intermediate Node → Server Exit Relay → Server Middle Relay → Server Guard Relay → Website Server -
You should avoid emails for anonymity unless you self-host your own server. Email and anonymity is impossible, because all your metadata, messages and so on, will be saved in a server that you don’t own. For privacy I personally could recommend you Proton Mail or Tutanota. I use the first one, but I said, not for anonymity, but for privacy.
-
For onion-only website there aren’t search engines like in clean websites. What you could find are repositories with links for different websites, but there aren’t crawlers and robots for search engine basically because the links are create randomly and there are a lots of scams out there. Don’t trust the search engines, you will be probably scammed.
I don’t know if is allowed to share this kind of links here so, good luck.
Some other answers from a different perspective (I slightly disagree with some of alberto-765’s statements):
Doing a Google search alone should not compromise your anonymity if done from within Whonix. It is very true that Google tracks its users and that they have financial incentives to do so. However, you can’t truly know that any other search engine isn’t tracking what you do. Making your anonymity depend on the practices of any particular search provider is unwise if you want to stay truly anonymous, unless you are somehow able to completely audit the search provider’s processes, code, server infrastructure, their ISP’s practices, code, and infra, the practices, code, and infra of every possible intervening ISP, and so on.
Whonix makes it so that search providers (and websites in general) can’t track you even if they try. The wiki goes into much detail on this:
Using the onion URL will probably give you better cryptographic protection than using an HTTPS URL. The reason is that onion URLs are themselves public encryption keys, so the only way to talk to someone who tries to visit an onion URL is to own the private key corresponding to the URL. This is in contrast to HTTPS, where a malicious “certificate authority” can hand out encryption keys that can be used to intercept, decrypt, and modify traffic for any website. See:
Whonix does not have official recommendations in this area, but see:
Ahmia. See:
2 Likes
But if you need something like Google is better Start page, in my opinion. They works as a proxy after all, although they haven’t been audited since a lots of years.
But by any circumstance, don’t use an account or login.
When going in regular websites Tor shows me the button to switch to the onion site if the site offers one but I’ve already entered the regular site. Isn’t that already a breach of security? It seems hard to find the onion url for most sites. Any suggestions?
Thanks for the detailed replies!
Yes and no. If your first connection to the website happens to not be compromised, or only passively compromised (the attacker is reading everything but not modifying it), you’ll get a legitimate onion URL. Now you know the onion URL for the website, and can access it that way forever after. Of course, if the attacker compromises your connection the first time and hands you a malicious onion URL, then you have a problem.
How do you know if the attacker compromised your first connection? You don’t. You have to assume they weren’t paying attention on the first connection, and you need to be vigilant to always use the onion URL thereafter. This is the Trust-On-First-Use, a.k.a. TOFU, authentication scheme. See:
1 Like