How to make sure you’re using the real Tor Browser

One of the most widely used tools for protecting online anonymity is the Tor Browser. It’s loathed by government spies and corporate data collectors, and this week became the most secure way to update your Facebook News Feed. 

None of that matters, of course, if users are easily duped into downloading a fake product laden with malicious code—something that’s recently become a cause for concern.

“People with bad intentions set up mirrors to serve software that includes injected advertisements or other badness,” Griffin Boyce, a prominent hacker who works for the Tor Project, tells the Daily Dot. “Tor works hard to try and get them shut down, but it’s hard because the process takes time and costs a lot of money.” 

ICANN, the international group that coordinates the Internet address system, charges up to $4,000 to take down websites serving malware infested version of Tor. “That’s money that has to come out of Tor’s very limited donations,” Boyce says. 

So, how can you know for sure the Tor Browser you’re using is safe and was actually created by the Tor Project rather than some skeevy hacker trying to capture your data? Don’t run the risk of being fooled—the consequences may be dire. 

Attack of the clones

First and foremost, the easiest way to protect yourself from fake versions of Tor is to always download the browser bundle directly from the project’s website: https://www.torproject.org. “The https part means there’s encryption and authentication between your browser and the website, making it much harder for the attacker to modify your download,” the Tor Project explains. 

And just to be clear, that’s torproject.org, not thetorproject.org, a convincing clone that offers users an infected version of the browser. (Note the “the” in the URL.)

“The malware sends the victims IP, MAC address and computer username back to a command and control server over Tor hidden services,” Donncha O’Cearbhaill, another prominent hacker from Ireland, told the Daily Dot. He first discovered the crooked site and reported it to the Tor Project. It’s linked to another website, tor-chat.org, a compromised version of a common peer-to-peer instant messenger that also contains malware. 

O’Cearbhaill believes that whoever is pushing the infected browser may have been up to no good for some time. There’s no way to know for sure, but they may be the same person, or persons, behind another scammer website, torbundlebrowser.org, which was described in great detail by another coder, Julien Voisin, earlier this year. 

According to O’Cearbhaill, the group is using the same malware family and similar malicious domain names.

On his website, Voisin recalls sparking up a conversation with the malware’s creator: “She/he told me that they are a small group (maybe from China) trying to catch pedophiles; by spreading the link to the fake website on pedo-boards, adding that one pedophile was already reported to cybertip. I’m not convinced, since the miscreant not only shipped a malware instead of the real [Tor Browser bundle], but also replaced the donation page with his own BTC address.”

Don’t trust. Verify.

Thanks to government-enforced online censorship in various parts of the world, not all users can gain access directly to the Tor Project website. This is can be a problem in countries like Turkey where Tor is seen as a necessary tool for citizens who disagree with Prime Minister Recep Tayyip Erdo?an, who has characterized social media as “a menace.” Relying on mirrored versions of Tor, such as those available by torrent, is sometimes the only way for users to access the privacy software. 

There are, however, ways to verify browser bundles downloaded from alternative sources. Each authentic version comes with a “.asc” GPG signature file. This allows users to verify for themselves that the file they’ve downloaded is an actual browser created by the Tor Project. 

“For example, tor-browser-2.3.25-13_en-US.exe is accompanied by tor-browser-2.3.25-13_en-US.exe.asc,” Tor’s website notes. 

The GPG signature file accompanying the software should match up with signed keys viewable on Tor’s website. This verification process might seem slightly more complicated for the average user at first, but the Tor Project has easy-to-follow instructions on its website. (There are also scripts to automate this process, but as the website notes, they require a few modifications by the user.)

“If a malware website springs up, it’s not possible to know right away,” says Boyce. “Right now there’s a lot of work underway in the community to identify all websites that serve malware instead of the Tor Browser.” If you hear of one, you should report it right away. 

The Tor Project is a US 501(c)(3) non-profit dedicated to research, development, and education about online anonymity and privacy. If you’d like to contribute financially to its success, and help it take down more malicious websites, just visit the website—the real one

H/T The Tor Project | Photo via Eunice/Flickr (CC BY-SA 2.0) | Remix by Rob Price

Dell Cameron

Dell Cameron

Dell Cameron was a reporter at the Daily Dot who covered security and politics. In 2015, he revealed the existence of an American hacker on the U.S. government's terrorist watchlist. He is a co-author of the Sabu Files, an award-nominated investigation into the FBI's use of cyber-informants. He became a staff writer at Gizmodo in 2017.