Hi, I want to use my Twitter account via Tor network. Naturally, I’m getting some errors when trying to log in. Is there a way to use my Twitter account without exiting the Tor network?
What is the risk of losing anonymity when using Twitter on Tor with JavaScript and cookies enabled? Even though I’ll continue using Tor circuits, how susceptible am I to being identified by intermediate or advanced attackers?
Oops I checked and found what I think is a bad thing: Twitter / X used to have an .onion address (this) and while it works it gives a warning about an expired certificate, so if you accept that, a worse thing happens: it redirects you straight to https://x.com/ so there’s not really a hidden service for it anymore. Of course you can still use Tor browser to access X. First of all consider you are no longer anonymous when you enter any personal info on any website such as X / Twitter, for example you need an email to register etc. Otherwise it will be pretty hard to deanonymize you as that is the point of Tor. For added security you can use Tails as it will also contain local traces of you visiting the site.
Seems this whole thing went down the drain after the Musk takeover at some point.
Yep 
.
Maybe Musk doesn’t even know Twitter has Onion Location 
.
Many things (cookies, etc…) are isolated by first party domain (the one you see in the address bar) to reduce the risk.
Moreover, NoScript’s Tab Guard was developed to reduce a specific attack that was about Twitter/X and social media.
However, if you want to reduce the risk even more, you could avoid doing other stuff apart from Twitter in that session, then run new identity/restart the browser. (Even though this might be worse from a network fingerprinting point of view: tor does multiplexing, and doing multiple stuff at once should theoretically make it more difficult to fingerprint the network activity, but I’m not an expert on that).
If you feel adventurous, you can try to change the port the Tor daemon is listening on to use several instances of Tor Browser at once (either with multiple profiles, or with multiple installations), or control the daemon from one profile, and only connect to the SOCKS port from the other one.
It turned out that the login section, which was supposed to open in a new window on Twitter, wasn’t opening and was giving an error. However, when I tried to open a new window by typing the URL address instead of clicking, it worked. I think it’s about JS settings on tor
I thought about setting a fixed Tor exit node to avoid getting banned from my account, since I would have a different IP address every time I logged in. However, I heard that this is risky. How risky do you think this would be? I might use the Brave browser and route the network through Tor when using my Twitter account. I’ve heard that Brave is better than Tor when it comes to fingerprinting. I’m also considering using a dedicated virtual machine just for my Twitter account.
Not even Peter Snyder would say that. Are you a FPing expert? Is the person saying this a FP expert? If not, then don’t listen to random strangers on the internet.
My tests, and I work with FPing, say otherwise
I don’t have much knowledge in general, but I remember reading from a security source, if I understood correctly.
When I tested it myself, I remember that Brave had slightly fewer ‘Bits of identifying information’. So, how likely is it that these fingerprints can be used to identify me by an average-level attacker, or is this only a threat for valuable targets?
had slightly fewer ‘Bits of identifying information’.
entropy figures from test sites are nonsense. The data is tainted beyond anything meaningful
Here is an example
back of the napkin math
1 in 6.86 people are in timezone Atlantic/Reykjavik (from cover your tracks) - which is absolute garbage. Whilst population is not a perfect metric vs internet usage, 400k people live in Iceland. If that’s 1 in 6.86 then the world’s population is 2.75 million - which is about 2900 times difference. (2.9k x 2.75mn ~8 billion)
Even if we said half the world’s population had none or negligible internet usage, and that ALL of Iceland did (including all the babies at six weeks old with their ipads), and they had a 100k tourists at any given time with their devices automatically changed to the local timezone… it would still be well over a 1000 times difference
Here’s Icelandic as a language - again, not perfect, not everyone in Iceland will use is as their default web content language. But people outside of Iceland using Atlantic/Reykjavikwould be next to zero given the world’s internet population.
Also that figure is somewhat misleading, as it’s most likely under represented given all the users constantly testing and inflating en-US
So the site’s own data is telling you that 28323/6.86 is 4000+ times out of whack (but there’s a twist to this).
Iceland’s population (400k) is 0.005%, i.e 1/200th of 1%, of 8 billion. It’s a rounding error. Which, all things being equal, would make it’s timezone about 1 in 20k. At best (exclude half the world for being internet poor), it would be 1 in 10k of the internet population.
However, this is the timezone that TB uses, and TB has around 6mn users (I think, we’ll just roll with that). This barely moves the needle - 6.4mn/8bn is 0.08%
All this is just some back of the napkin math. The point is that the figures are tainted by small datasets, and repeated testing by users. The fact that TB and RFP’s timezone is so wildly overinflated proves this
The only way to get any idea of actual entropy is via studies/surveys where only one fingerprint per profile is collected.
Otherwise, if you’re not a FPing expert, do you even know what is being tested, if the test is any good, if something is actually equivalency and not entropy, and so on. In actual fact, the test has hardcoded biases for Brave (not Brave’s fault) to return better results in it’s summary simply on the basis of the number of randomized items. Which is not explained. In reality it means nothing, as all randomizing can be detected (as proven by the site itself) and the real purpose of antu-FPing is to protect the real value. So Brave get a massive thumbs up and Tor Browser gets pooped on.
The EFF has a lot to answer for pushing this entropy nonsense
Thank you for your math. I understand. Do you also know how likely is that these fingerprints can be used to identify me by an average-level attacker or is this only a threat for valuable targets?
Do you also know how likely
Always assume the worse. Here’s some FPing protection basics
We cannot hide that we are Tor Browser. We can’t hide the OS. We can’t hide the Firefox engine or FF version, we can’t hide fonts (either you have them or not). These are what we call equivalency - e.g. if your fonts are macOS fonts big deal, that’s equivalency of mac OS.
And some things we can’t lie about because that is the value that is used - e.g a timeZone name, web-content languages.
But what we can do is limit that. e.g. we make all users have the same timeZone. We make each OS on desktop limited to a set of allowed fonts and bundled fonts to achieve that.
So, in TB, when we access a FP threat, we first check if it’s equivalency. And we only care about TB users (you can’t hide this fact) - so our starting point is all TB users per base/equivalency (e.g. TB users on Linux using en-US). Anything that increases entropy after that is something we can try to address.
So on coveryourtracks - timeZone entropy for us = zero. userAgent for us is effectively zero - it’s equivalency of OS. Languages entropy for us is effectively zero (the web has to be usable, no point in asking for en-US when you only speak Arabic), where we tightly control the languages in navigator and HTTP headers. And so on.
The actual entropy for us would be the distribution of TB users over each basic “bucket” - e.g. TB users on Linux with en-US vs TB users on Linux with Arabic. etc. And the bigger the number of TB users, the more users hopefully in each “bucket”
tl;dr: don’t sweat it … TB has you covered - EFF’s test is extremely basic and has been dealt to a long time ago