How-To OS X

How to Surf the Web Anonymously on your Mac with Tor

The Internet has completely revolutionised the way we access information. When you’re connected to the World Wide web, it often feels like you have all the information in the world at your fingertips, but the Internet does have its downsides. In recent years many users have become particularly concerned that their online activities may be being monitored – and with good reason.

The most obvious digital spies, are hackers or other criminals who may be watching your online movements in an attempt to obtain your personal information, but they’re not the only prying digital eyes you need to worry about. Your Internet provider, government agencies or even corporations may be monitoring your online movements, whether they’re targeting you specifically (unlikely) or passively gathering data (much more likely).

With growing concerns over online privacy, many Internet users are looking for ways to make sure their online activities remain private, and one possible solution is to browse the web anonymously, using the infamous Tor browser.

What is Tor, and how does it work?

Both the Tor network and browser have gained a bit of a reputation as something that’s intrinsically linked with the Dark Web and illegal activities, but in reality Tor is much less scary: it’s just a modified version of the Firefox browser and a network that’s carefully designed to disguise your identity.

While anything that keeps your identity hidden is inevitably going to attract people who want to hide their identity for all the wrong reasons, there’s plenty of legitimate reasons why someone might want to use Tor.

Tor provides whistleblowers with a way of anonymously communicating with journalists and leaking information without fear of reprisal, and can be a valuable tool for law enforcement officials who need to perform covert operations online. For people living in countries with restrictions on the Internet, Tor also offers a way to explore the wider web without censorship.

Even if you don’t fall into any of these categories, if you’re concerned about privacy then the Tor network and browser can still be a useful way of keeping your online movements private.

To understand how Tor works, we need to look at how information is exchanged over the Internet. The Internet is essentially a series of connections between computers. Some of these computers act as servers and host the data that’s stored on the Internet, and other devices act as the clients that access this data. When your Mac accesses a website, it’s a client accessing a server.

Whenever a client initiates a connection to a server, data is exchanged in the form of packets. During this exchange, the client gets information from the server, but the server also gets information from the client, including information about you. The problem is that there’s no guarantee that someone isn’t monitoring this exchange of data, potentially gathering important information about you and your location.

Tor helps to ensure your online activities cannot be traced back to you, using a technique called “onion routing.” When you visit a website using the Tor browser, your Internet traffic gets routed through numerous randomly-selected nodes (also sometimes known as relays), before exiting the Tor network and arriving at the server. This makes it more difficult for anyone viewing your activity to work out who you really are.

In addition, while your typical packet includes the sender’s address and the destination, the Tor browser wraps its packets in successive layers, like an onion (hence the term “onion routing”). Each node in the series takes off a layer, sees where the packet needs to go next, and forwards it to the next node in the sequence. Each node only knows the packet’s previous location, and the next place it will be. Since no node knows the complete path, anyone who happens to be spying on that node won’t know the complete path either. It also means that the exit node in the sequence will have no idea what your IP address is – even the website you’re accessing won’t be able to see your IP address.

Downloading and installing Tor

For the majority of users, it makes sense to download the Tor Browser Bundle. This Bundle contains a customised version of Firefox that’s preconfigured with the settings and extensions you’ll need to connect to the Tor network.

Head over to the Tor download page and download the latest version of this bundle. While you could go ahead and simply install the Tor browser from this file, it’s recommended that you check the installer hasn’t been tampered with in any way. After all, it doesn’t matter how carefully the Tor network encrypts your traffic if you’re using a version of the Tor browser that’s been modified to reveal your information.

To verify that you’ve downloaded a legitimate Tor installer, you’ll need to download its accompanying .asc file, which contains the installer’s GPS signature. Download this file by Control-clicking the ‘sig’ link beneath the ‘Download’ button (where the cursor is positioned in the following screenshot) and selecting ‘Save link as….’

tor browser sig

You’ll also need the GnuPG program, so download and install this now. Next, launch your Mac’s Terminal by navigating to Applications/Utilities/Terminal.

mac terminal

Type the following into the Terminal window, and then press the ‘Enter’ key on your keyboard:

gpg –keyserver pool.sks-keyservers.net –recv-keys 0x4E2C6E8793298290

The Tor team sign their releases with the 0x4E2C6E8793298290 key – just in case you were wondering where the numbers in the previous command came from.

Next, verify that the file’s fingerprint is correct, by entering the following command into the Terminal:

gpg –fingerprint 0x4E2C6E8793298290

You should now see the following Terminal output:

pub 4096R/93298290 2014-12-15 [expires: 2020-08-24] Key fingerprint = EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
uid [ unknown] Tor Browser Developers (signing key) <[email protected]>
sub 4096R/F65C2036 2014-12-15 [expires: 2017-08-25] sub 4096R/D40814E0 2014-12-15 [expires: 2017-08-25] sub 4096R/C3C07136 2016-08-24 [expires: 2018-08-24]

You verify that the installer’s signature is correct, by issuing the gpg –verify command followed by the complete path and filename of the .asc file you downloaded earlier. Your command should look something like this:

gpg –verify /Users/jessicathornsby/Downloads//TorBrowser-6.0.8-osx64_en-US.dmg.asc

The output must contain the words “Good signature,” for example here’s the output of my Terminal:

gpg: assuming signed data in ‘/Users/jessicathornsby/Downloads//TorBrowser-6.0.8-osx64_en-US.dmg’
gpg: Signature made Tue 13 Dec 12:46:21 2016 GMT using RSA key ID D40814E0
gpg: Good signature from “Tor Browser Developers (signing key) <[email protected]>” [unknown] gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
Subkey fingerprint: BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0

Check the subkey fingerprints. At the time of writing, the valid subkey fingerprints were:

5242 013F 02AF C851 B1C7 36B8 7017 ADCE F65C 2036
BA1E E421 BBB4 5263 180E 1FC7 2E1A C68E D408 14E0
A430 0A6B C93C 0877 A445 1486 D148 3FA6 C3C0 7136

If you see anything different, then check the Tor website to see whether these fingerprints have changed. If you’re seeing any fingerprints that aren’t listed on the Tor website, then chances are this isn’t a legitimate version of the Tor installer.

Also, don’t be put off by the scary, capitalised WARNING text in your Terminal output, as this just means that you haven’t assigned a trust index to this developer yet.

Once you’re confident that you have an unmodified version of the Tor installer, install Tor by double-clicking the file and following the onscreen instructions.

The first time you launch your newly-installed TorBrowser app, you’ll see a dialogue with several options. Most of the time, you’ll want to make a direct connection to the Tor network, so give the ‘Connect’ button a click.

After a few moments the browser will launch and you’ll be connected to the Tor network. You’re now ready to start browsing the web anonymously!

tor browser

Don’t reveal your identity!

Although the Tor network is designed to be anonymous, if you use Tor incorrectly then anyone who’s monitoring your traffic will have no problems working out who you are.

Stick to these guidelines, to make sure you don’t end up inadvertently broadcasting your identity to the World Wide Web:

  • Never log into your email, social networks, or other personal accounts. If you log into an account that’s associated with you in any way, then you’ll immediately lose your online anonymity.
  • Don’t enable or install browser plugins. Certain plugins and add-ons can be manipulated into revealing your IP address. The Tor Browser will automatically disable plugins such as Flash and Quicktime for you, but if you manually install any plugins or add-ons then these may bypass Tor and compromise your privacy.
  • Never use torrenting programs with Tor. Torrent file-sharing apps rely on broadcasting your IP address so that peers can connect and share files with you – which immediately defeats the entire purpose of Tor.
  • Never open downloaded documents while you’re connected to the Internet. When you open a document that you downloaded through Tor in an external application, it’s possible that this app may connect to the Internet in order to download additional resources, such as missing images or embedded video. In the process, these apps may expose your IP address.
  • Beware of malware. While the Tor network can keep you safe from digital spies, the Tor browser is still vulnerable to attacks and exploits, just like any other web browser. Malware may also be able to track your Internet activity and reveal your location, even when you’re using Tor. For advice on how to keep your Mac malware-free, check out our How to protect your Mac from malware article.
  • Always use SSL/TSL encryption (HTTPS) versions of websites, where available. If you don’t use the HTTPS version of a website, then your online activities can potentially be visible to the person running your exit node. Keep an eye on your browser’s URL bar to make sure all the websites you visit start with https://.

https

  • Be careful what you click on! Tor has lots to offer the everyday Internet user who’s concerned about their online privacy, but Tor is also famous for being a gateway to the Dark Web. While the majority of the Dark Web is fairly mundane (it’s essentially the portion of the Internet that’s not indexed by search engines) not all of its content is innocuous. If you do make the decision to browse Tor’s hidden services (something we haven’t covered in this article) then be very careful what you click on. Some parts of the Dark Web contain illegal and disturbing material, and even stumbling on this content by accident can land you in serious legal trouble.

About the author

Chris

I've been a passionate evangelist for Apple and the Macintosh throughout my working life, my first love was a Quadra 605 working with a small creative agency in the south of Norfolk UK in the mid 1990's, I later progressed to other roles in other Macintosh dominated industries, first as a Senior graphic designer at a small printing company and then a production manager at Guardian Media Group. As the publishing and printing sector wained I moved into Internet Marketing and in 2006 co-founded blurtit.com which grew to become one the top 200 visited sites in the US (according to Quantcast), at its peak receiving over 15 million visits per month. For the last ten years I have worked as an Affiliate and Consultant to many different business and start ups, my key skill set being online marketing, on page monetisation, landing page optimisation and traffic generation, if you would like to hire me or discuss your current project please reach out to me here.

You can also follow me on: and

Add Comment

Click here to post a comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.