HowTo: Use Tor for all network traffic by default on Mac OS X

Recently, I had the gratifying experience of doing some political work that earned me a bunch of hate mail and some threats of physical violence. It had already gotten to the point where I was being harassed by a self-described “Internet stalker” who would call up venues I went to and get the employees to find me and give me the phone. Enough is enough.

This prompted several changes in my behavior in order to protect myself. For instance, I started “checking in” to venues on Foursquare as I left rather than as I arrived. For the full belt and suspenders, I also started making much heavier use than I’d previously been doing of privacy-enhancing services like Tor: The Onion Router.

Tor is a best-in-class, free, open source anonymizing network proxy. Using a tool like Tor can help you obscure details about who you are and what you’re doing from an Internet Service Provider (ISP), company network filter, or other entities. And it turns out that its reputation as a piece of black magic is largely undeserved. Tor is simple to set up, very strong, and woefully underutilized by “normal people.”

So I thought I’d do what I can to demystify Tor and encourage you to use it, even if you’re a muggle rather than a technomage. :)

Why use Tor?

Every time you turn on your computer, you’re sending all kinds of signals to all kinds of people and companies about who and where you are, and what you’re doing. Naturally, some of these are necessary to complete your tasks, like logging into your email account to read your messages. But if you’re using a Wi-Fi hotspot at a café, why should everyone at the café, the café’s owners, and the café’s ISP know that you’re checking your email? Moreover, why should your email provider know that you’re at that specific Joe’s Coffee on the corner?

I realize this might not seem like a big problem to most people. After all, everyone and their mother knows you fancy the cute barista at Joe’s Coffee since you’ve confessed your undying love of their ability to serve you a mocha with perfect latte art every time, you snob. But after just a few visits to Joe’s, it becomes pretty easy for any of those companies (or, more to the point, the unscrupulous employees working in the IT department) to guess your next move, since you’ve (unknowingly?) been sharing your every move with them already. And it’s trivial for government agencies to do the same kind of spying on you.

Now, you might not be worried about government agencies tracking you, and you might feel like you have some legal recourse if a company abuses your information, but as an individual (who “has nothing to hide”), you are more likely to be targeted or stalked by other individuals than by institutions. This was exactly what happened to me when I picked up my mob of cyberbullies. So if you leave an “anonymous” comment on a blog, why tell the blog owner where you are?

What Tor can and can’t do

Tor isn’t magic. It’s not going to make you “Invincible!” That’s why when you go to download Tor the first thing you’ll see is a warning from the developers saying “You need to change some of your habits” for Tor “to really work.” I recommend reading their list of warnings, but at the end of this howto I’ll also offer you some guidelines for a few simple things you can do to set yourself up for success.

For now, you simply need to understand that Tor isn’t encryption. For instance, if you log into Facebook without checking for the little lock icon in your browser (HTTPS, or SSL/TLS) then people who are watching Internet traffic can still see, intercept, and modify the pages you’re seeing. Moreover, Facebook still knows who you are, and if you load any page that has one of Facebook’s “Like” widgets installed, Facebook will still be able to track where you go online. It’s just that, if you use Tor, Facebook won’t know where you are in person.

To block trackers like Facebook’s “Like” button, see the “Block trackers and web bugs” section at the end of this post.

Overview

Okay, so. Here is the world. Round! I mean, how are we gonna make this work?

Privacy and security are both like a chain. The strength of the chain is only as strong as its weakest link. So in order for something like Tor to be useful, you need to use it for anything and everything, if possible. Moreover, the more people who use it, the more useful it becomes for everyone using it since fewer and fewer uses of Tor will, themselves, arouse suspicion. Private browsing should be the default, not the exception.

But in order for something like Tor to actually get used, it needs to be unobtrusive, easy to use, and easy to stop using. In other words, we need a quick and easy “On/Off” switch for using Tor or not using Tor. We’ll get there, and then we’ll go one step further.

Step 1: Install the Tor Browser Bundle

First things first. Install the Tor Browser Bundle (TBB). Do this:

1. Using your Web browser, go to the Download Tor page.
2. Find the software for your operating system. Download and install it just as you would any other piece of software.

EDITOR’S NOTE: At the time of this article’s publication, the Mac OS X version of the Tor Browser Bundle included an additional application called Vidalia that offered a graphical interface for managing your connection to the Tor network. When version 3.5 of the Tor Browser Bundle for Mac OS X was released, Vidalia was replaced with a component built into the TorBrowser itself. The bad news is that advanced configuration of your connection to the Tor network on Mac OS X is harder. The good news is that, if you don’t want to do anything fancy, you can just ignore every part of this article that references “Vidalia” and assume that whatever was described in that step is already done for you; this means you can skip all of “Step 2.” If you do want to do the fancy stuff, see “One Minute Mac Tip: Open multiple Tor circuits in the new TorBrowserBundle 3.5 for Mac OS X.” With this new Tor Browser Bundle at version 3.5.x, as long as you keep the TorBrowser open, then by default you’ll have a connection to the Tor network on port 9150. Thanks, Tor developers!

The Tor Browser Bundle is a package deal. It gives you the Tor software itself, plus a graphical tool called Vidalia used to manage and configure your connection to the Tor network, as well as a completely clean browser based on Mozilla Firefox with some privacy-enhancing add-ons already pre-installed. When you run the TorBrowser for the first time, all three applications open and you’re sent to https://check.torproject.org. If everything’s working as it should, you’ll be greeted with a message that reads “Congratulations. Your browser is configured to use Tor.”

If all you wanted to do is browse the Web anonymously, you’re technically done. Using the TorBrowser, you can bypass Web censors that filter your view of the Web and surf the ‘net reasonably assured that your identity can’t be tracked (as long as you don’t log in to any services with your account, obviously).

However, only the TorBrowser application is using Tor. This means you’re still trackable if you use another browser. In fact, if you now go to https://check.torproject.org in Safari, you’ll see a message that reads “Sorry. You are not using Tor.”

Let’s fix that.

Step 2: Configure Tor to use an unchanging port

Since Tor is a network proxy, it works by accepting connections, forwarding them on behalf of the initiator, and then passing back any responses it receives. This means you need to tell your operating system to send connection requests it wants to make to Tor instead of out onto the network itself. But in order to do that, you need to know where Tor will be listening for connection requests.

EDITOR’S NOTE: In the past, the Tor Browser Bundle was configured to automatically find an unused network port. It was recently changed to use port 9150 by default. But since this guide was written before that change, its instructions refer to port 9050. All this means is that wherever you see me refer to port 9050 or similar, replace it with 9150 instead. (Thanks, milo!)

By default, the Tor Browser Bundle is configured to look for an unused network port on your system and use that. But this means we can’t know, ahead of time, where Tor will be listening, so we’re going to disable this feature and instead use a static port. The Tor FAQ provides instructions for doing this:

In Vidalia, go to Settings → Advanced and uncheck the box that says ‘Configure ControlPort automatically’. Click OK and restart TBB. Your Socks port will then be on 9050.

Step 3: Make a new Network Location for Tor

At this point, you should have a running Tor instance listening on its default port (9050) for incoming connection requests. All you need to do now is tell your operating system to send all its network requests to that location. To do this, we’ll make use of Mac OS X’s Network “Locations” feature. A network Location is simply a set of preferences you can switch to using the  (Apple) menu.

Apple provides instructions for making a new Network Location:

1. Choose System Preferences from the Apple () menu.
2. Choose Network from the View menu.
3. Choose Edit Locations… from the Location menu.
4. Click the + icon to add a new location.
5. Type a name for your new location, such as Mobile, then click Done. […]

In the last step listed above, I typed “Automatic (via Tor [localhost:9050])”, because I like to stuff as much information as possible into the names of things, but you can type whatever makes sense to you.

At this point, we have a “toggle” for turning our system-wide use of Tor on or off, but the toggle doesn’t actually toggle anything, yet.

Step 4: Configure your new Network Location to use Tor

With your new Network Location for Tor active, do this:

1. Select Airport from the list of interfaces.
2. Click Advanced…. The advanced Airport network options sheet will open.
3. Click Proxies in the list of panes.
4. Activate SOCKS Proxy by ticking its checkbox in the Select a protocol to configure: box.
5. In the SOCKS Proxy Server box, type localhost and 9050. (Remember, 9050 is the port Tor is listening on. If you used more than one SocksPort in Step 2, you can use any of the port numbers you configured.)
6. Click OK and then click Apply.

Repeat the above steps for each interface you have available, such as “Ethernet.”

To test that this worked, while you are connected to the Internet and have your Tor Network Location active, open Safari and go to https://check.torproject.org. If you were presented with the congratulatory message, you’ve done everything right!

At this point, any time an app on your system tries to access the network, the connection will be routed through Tor. All the built-in applications, like Mail.app, and all well-behaved third-party applications, will now be transparently proxied through the Tor network. Some applications, such as Adium, may still need to be explicitly told to use the “system wide” configuration rather than the app’s own defaults, though, so I strongly suggest double-checking the network preferences for every app you use. And if you’d like to isolate Adium’s or any other specific application’s network traffic from other traffic you send, then configure the app to use a SOCKS proxy on one of the additional Tor listening ports you configured in Step 2.

You can now easily toggle Tor on and off simply by changing the active Network Location from the Apple () Menu.

On my computer, the Network Location for Tor is the default, and I almost never change it away from that. I also set up the TorBrowser to open when I log in to my computer. (For obvious reasons, when the Network Location is set to use Tor but Tor isn’t running, it’s as if I have no internet connection available.) This means I now tunnel all my traffic through Tor by default.

But all or nothing is a rather blunt approach. Sometimes I really don’t want to use Tor, such as when I’m editing Wikipedia (which expressly blocks Tor exit nodes from making edits), so let’s set up some finer-grained control. We can do this in one of two ways. I’ll show you both, but I only use the latter.

Step 5-A: Bypass Tor using Network Proxies Preferences

If you know you never want to use Tor for specific domains or websites, you can enter them in a comma-separated list back where you set up the SOCKS proxy. For instance, if you never want to use Tor to get to Wikipedia, enter , wikipedia.org into the “Bypass proxy settings for these Hosts & Domains:” text box, as shown below:

You can also use this method to bypass Tor for multi-media sites like YouTube or Pandora Internet Radio, which are often frustratingly slow when proxied. Just be aware that any time you bypass Tor, the server you’re connecting to gets additional information about you from your IP address, and so on, so use this sparingly.

Anyway, this configuration will always bypass Tor for accessing any Wikipedia.org domain name regardless of what application initiated the connection. For instance, I monitor my Wikipedia watchlist using RSS feeds in Mail.app, but I read and edit Wikipedia in my Web browser

Since there’s no issue reading Wikipedia over Tor, only editing, using this configuration isn’t as private as it could be. I’m leaking information to Wikipedia about my whereabouts even when I’m just reading their articles. That’s why I don’t use this configuration, opting instead for a Web browser proxy manager that lets me bypass Tor only when I’m making an edit.

Step 5-B: Bypass Tor on-demand using Web browser proxy managers

A more secure (and, in my humble opinion, more convenient) option for bypassing Tor is to use a Web browser proxy manager, such as Proxy SwitchySharp for Google Chrome or FoxyProxy, which works in Mozilla Firefox, Google Chrome, and Internet Explorer. Since I use Proxy SwitchySharp, I’ll describe how I’ve set up that tool to bypass Tor so I can edit Wikipedia and more comfortably stream music from Pandora.

Do this:

1. If you haven’t already, install Proxy SwitchySharp to your Google Chrome Web browser.
2. Once installed, click the Proxy SwitchySharp icon (which looks like a grey globe) and select Options.
3. Click the + New Profile button to create a new Proxy Profile.
4. In the Profile Name field, type a meaningful name. I chose “Tor (localhost:9050)”.
5. Select the Manual Configuration radio button.
6. In the SOCKS Host field, type localhost. In the associated Port field, type 9050. Remember, this is where Tor is listening for connections.
7. Select the SOCKS v5 radio button. (SOCKS5 is what Tor uses. SOCKS4 is an older protocol we don’t need for this purpose.) When complete, it should look something like the following screenshot:
   
8. Click Save.

Proxy SwitchySharp lets you change Google Chrome’s proxy settings at the press of a button. It’s basically Network Locations but for Chrome instead of your whole Mac OS X system. If you want to send Chrome’s traffic through a different Tor circuit from any other application’s traffic, be sure to use a SOCKS port number in this Proxy Profile that’s different from the SOCKS port number you used for your Tor Network Location. You can also make multiple Proxy Profiles that each use a different port number you configured in Step 2.

In addition to each Proxy Profile you define (and, as you can see, I’ve defined three), Proxy SwitchySharp also always offers a “Direct Connection,” which means no proxy is used. Have a go at changing your active Proxy Profile and reloading https://check.torproject.org to get a sense of what it’s like.

When you’re comfortable with that, do this:

1. Open the Proxy SwitchySharp Options page again, and this time select the Switch Rules tab.
2. If it isn’t already, tick the checkbox labelled Enable Switch Rules.
3. In the “Default Rule” row, select the Proxy Profile you created for Tor from the Proxy Profile drop-down menu. This sets Proxy SwitchySharp to use Tor by default when you use the smart Switch Rules feature, which we’re about to.
4. At the bottom of the rules table, click the + New Rule button.
5. In the Rule Name column, type a meaningful name. I chose “Wikipedia editing” but, obviously, make the name relevant to the function of the rule.
6. In the URL Pattern column, copy-and-paste the URL you want to access using a different profile, and replace any variables with an asterisk (*) or the appropriate regular expression. For editing the English Wikipedia, I entered: https://en.wikipedia.org/w/index.php\?title=.*&action=(edit|submit)
7. In the Pattern Type column, choose the appropriate pattern. For the pattern to edit English Wikipedia pages, I set it to “RegExp”. (Regular expressions are beyond the scope of this how to. Suffice it to say that they’re extremely powerful, but you can also just use several different wildcard expressions to achieve the same effect.)
8. In the Proxy Profile column, select [Direct Connection].
9. Click Save, and close the tab.
10. Click the Proxy SwitchySharp icon (the grey globe) and select Auto Switch Mode.

That’s that! With this Proxy Rule configuration, which is very reminiscent of email rules, all of my Web browsing with the exception of editing Wikipedia articles will automatically be routed through Tor. I can now add additional bypass rules for browsing, say, Pandora.com or YouTube.com if I really wanted, and when I go to those sites, Proxy SwitchySharp will automatically re-route the network request away from Tor.

However, I prefer to write as few exceptions as possible, and sometimes I get a Tor connection that’s good enough to let me stream short videos, anyway. I don’t really mind the slowdown I experience using Tor because it forces me to do more of my work in batches (like email) and respond slower, to think more, to other things (like Twitter).

Still, sometimes Tor will dump me on the Internet from Romania or some country where Pandora blocks access. In those cases, I can click the Proxy SwitchySharp icon and select the name of the domain (in this case, “www.pandora.com”), which adds a temporary rule for the current website. Next time I open Pandora, Chrome will first attempt to connect through Tor—the default Proxy Profile I’ve set—again, which is what I want.

Step 6: Change your habits

You’ve now got your computer routing all of your network traffic through Tor by default, which protects you from the prying eyes of your ISP and your fellow Wi-Fi café patrons, but there’s still more you can do. For those of you who think the belt-and-suspenders approach is just too groovy to ignore, here are some additional things you could do to protect your privacy.

• Use DNSCrypt to encrypt your Domain Name System queries.
• Block third-party cookies.
• Block trackers and web bugs.
• Use HTTPS, everywhere.
• Anonymize your search queries.
• Fake your Referer HTTP header.
• Use your Web browser’s private browsing mode.
• Spoof your MAC address.
• Turn on “Do Not Track” and “Tracking Protection” options.

Consider using DNSCrypt to keep your DNS queries private, too.

When you joined that Wi-Fi hotspot, you were given the address of a Domain Name System (DNS) server operated by the ISP of whoever’s running the hotspot. A DNS server is a computer your computer asks to translate domain names (like “maymay.net”) into IP addresses. Even though you’re now using Tor for Web browsing, your computer will still have to eventually ask a DNS server for the IP address of the websites you’re going to. This means whoever operates that DNS server is going to know where you’re going, because you’re asking them for directions!

OpenDNS.com is a reputable company who offers a free utility called DNSCrypt that sets up an encrypted tunnel between your computer and their DNS servers. Using DNSCrypt, you’re not asking the Wi-Fi hotspot’s ISP for directions to websites. In fact, they never even know you’re sending DNS queries.

Block third-party cookies.

Cookies have long been a notorious privacy concern, but they’re also fundamental to the way the Web works. However, third-party cookies are arguably only useful for tracking purposes. We really don’t need them.

Sadly, every major browser vendor currently ships with third-party cookies enabled by default, with the notable exception of Apple’s Safari. If you’re not already blocking them, consider doing so. Instructions for blocking third-party cookies depend on the browser you’re using, and are left as an exercise for the reader.

That said, Steve Gibson over at GRC.com offers a very thorough breakdown of cookie privacy and related Internet surveillance issues.

Block trackers and web bugs.

As mentioned earlier, just using Tor won’t stop the Web server sending you the page that you’re loading from knowing who you are. And if that page contains an advertiser’s tracking code, then the advertiser will still be able to track you. To stop this from happening, you need to take some extra steps to pro-actively block trackers (sometimes called “web bugs,” “beacons,” or “widgets”) from loading and running code in your browser.

I recommend installing at least the following browser add-ons:

• AdBlock Plus
• Ghostery
• Disconnect.me

The only trustworthy ad blocking add-on also happens to be both the best and simplest one: uBlock Origin, and it is available for both Mozilla Firefox and Google Chrome. It’s actually a general-purpose blocking tool that is more akin to an HTML firewall than merely an “ad blocker,” but that also means it’s the best ad blocker around. Don’t bother with AdBlock Plus, Ghostery, or Disconnect.me. Each of those tools are made by companies that actually track you. :(

Use HTTPS, everywhere.

While Tor will stop people in your immediate vicinity from snooping on your network traffic, it isn’t a substitute for end-to-end encryption. In other words, if you request an insecure connection, you’ll get an insecure connection on that last hop from the Tor network to your final destination. Therefore, you really want to use HTTPS (SSL/TLS) everywhere you can. Luckily, the Electronic Frontier Foundation (EFF), the same folks who champion Tor, wrote a browser add-on called HTTPS Everywhere that does just that. In fact, it even comes bundled with the TorBrowser! Install it, use it, love it!

Anonymize your search queries.

In addition to outright tracking, monitoring, and other direct surveillance techniques, your identity and activities can be determined by inference after collating and analyzing a bunch of data about you. Your “Internet paper trail” (or “data trail”) can reveal things about you just as your IP address can. That’s why it’s prudent to do what you can to anonymize as much of your data trail, such as your search history, as possible.

Google claims to offer private search and the ability to erase your Google search history, but why give it to them in the first place? The TorBrowser’s home page is set to StartPage.com, which is a privacy-focused search service. It does a bunch of stuff to protect your privacy, and it’ll even proxy your search query to Google and return their results for you, so you don’t even have to stop using fancy Google search features.

To make sure I don’t accidentally query Google, I’ve switched my default search engine in all my Web browsers to use StartPage.com. Consider doing the same!

Fake your Referer HTTP header

When you click on a link from a given web page, let’s call it Page A, and that link takes you to another page, let’s call it Page B, your browser adds a bit of information to the request for Page B telling Page B’s server that you came by way of Page A. This information is known as a Referer [sic.] header because it tells the server you’re accessing which server referred you to it. If someone were to examine all the Referer headers you sent to all the servers you visited (for instance, if they sold this information like this to advertisers, which they do, it’s called “clickstream”), then that person could figure out the exact path you took through the Web that day.

Most Web browsers have an add-on that lets you control or disable the Referer header, and I’d suggest installing and using one. On Google Chrome you can use Referer Control for a simple solution, or ScriptSafe for a more robust one, which by default masks your Referer header as well as disabling JavaScript (another best practice, but outside the scope of this article).

Use your Web browser’s private browsing mode

In technical terms, a Web browser is called a User Agent because it’s basically the embodiment of you, on the Web. Now, you’re pretty unique. Your hair color, eye color, height, weight, and a vast array of other biometrics can be used to identify you. You’ve got a literal fingerprint, too. What you need to be aware of is that so does your Web browser. Everything from the make and model of your browser to your screen size to the fonts you have installed on your system can be used to pick you out of a crowd (of Web browsers).

This is even more true if you’ve gone all power-user and tricked out your cyber ride with a bunch of extensions and add-ons that weren’t written with privacy in mind. If that description fits you, then consider using your Web browser’s private browsing mode for any cyber-sleuthing you’re doing while trying to keep a low profile. On Google Chrome, this mode is called “Incognito,” but many other browsers have similar features where add-ons, bells, and whistles are disabled.

To test how unique (or plain-Jane) you are online, use the EFF’s Panopticlick, where you’re hoping for a low uniqueness score, labelled on their site as “bits of identifying information.” Section 6 of their whitepaper (on page 16 of this PDF) called “Defending Against Fingerprinting” is also worth a read. (TL;DR? Use NoScript, and tools like it.) Also, while not identical to Chrome’s Incognito mode, Mozilla Firefox has a “Safe Mode,” which might help.

Spoof your MAC address.

Every piece of network hardware, called a Network Interface Card (or NIC), contains its own globally-unique serial number, which itself is called a Media Access Control (or MAC) address. (Don’t confuse this with your Apple Mac’s serial number!) When you connect to a Wi-Fi hotspot or plug into a wired Ethernet network, your computer sends this MAC address to other computers on the physical network you’re connecting to as part of a lower-level protocol (called Address Resolution Protocol or ARP) in order to establish its physical connection to the network.

Every network-capable device, including Wi-Fi routers, have such MAC addresses. Anyone can scan the network looking for them. And yup, you guessed it, this MAC address can be tracked to the computer you’re using, which can then be tracked to you.

Think of a NIC’s MAC address like a license plate on a car, posted on the outside for anyone within line of sight to see. Changing your MAC address is called “spoofing,” and while spoofing a MAC address is a bit of a pain on Mac OS X, it can be done. I recommend doing this if you’re willing to get your hands a bit dirty.

Turn on “Do Not Track” and “Tracking Protection” options.

Remember telemarketers? I hate telemarketing. To stop them from calling, I listed myself in the “Do Not Call” list. When they called me anyway, I’d ask them to identify what company they worked for, and then I’d file FCC complaints against those companies.

While not quite the same thing, an emerging technology standard called “Do Not Track” (DNT) is making its way into browsers that will, hopefully, one day be legally enforceable in much the same way that the “Do Not Call” list is today. Every major browser vendor offers you the option to turn on the “Do Not Track” signal, which I recommend you do even if it doesn’t do anything other than express your intent to not be tracked. (The previous advice about blocking trackers and web bugs is what will actually keep your browser tracker-free, regardless of how DNT evolves.)

As with blocking third-party cookies, Instructions for turning on “Do Not Track” depend on the browser you’re using, and are left as an exercise for the reader.

UPDATE, May 8^th, 2015: Two years after I wrote this post, the “Do Not Track” option seems to have failed. Unfortunately, simply by its nature as a voluntary self-regulation, almost no tracking companies obey this signal, making it worse than useless. In fact, adding “Do Not Track” to browsers that do not have it enabled by default (which, as of this update, is all of them) makes you more trackable, not less. So the new advice is to not turn on “Do Not Track” if it’s not on by default in your browser, and to not turn it off if it’s already enabled by default in your browser. Instead of Do Not Track, a new feature in Mozilla Firefox called “Tracking Protection” is integrating the web-bug blocking features from various popular browser add-ons into the browser itself. When that feature becomes generally available (slated for release in Firefox version 39), I suggest you turn it on. (Advanced users can already turn it on by typing about:config in their Firefox address bar, searching for trackingprotection and ensuring the privacy.trackingprotection.enabled flag is set to true.)

Step 7: Pay it forward

If you got all the way here, gain 10,000 experience points, and level up!! You are now a fledgling technomage.

Your mission, should you choose to accept it, is to share what you’ve learned with anyone and everyone who’ll listen. In the age of online social networks, protecting your privacy is a network problem. That means your friends need to be in on it, too! It’s all very nice and well to have your Web browser locked down, but if I find your Facebook profile and all of your friends are doing that kiss-and-tell thing….

Well, let’s just say there are many ways of tracking people online.