Hi guys, I’m new here in the community and I’m still learning to use Tor. Since sometimes when I use Tor my English isn’t that good, I use an extension that translates web pages. Is it possible that because of this extension, it could de-anonymize me or collect my data?
The best practices listed in the FAQ tell you to not install additional browser extensions: Tor Browser best practices - Security - Tor Browser — Tor
Your Tor Browser is configured to look identical to other users’ Tor Browser to avoid fingerprinting (this is also why you should never maximize your the browser window so your screen dimension can’t be fingerprinted). Installing an additional plugin can make your fingerprint unique allowing you to be tracked across sessions.
An extension may also be a risk for deanonymization. E.g, for translation it could send the page content to a cloud-server which handles the translation, for this request it could ‘bypass’ the Tor proxy leaking your real IP.
The Tor Browser does have built-in protection against these cases but using additional extensions is still a bad habit.
1 Like
Hi @N3mesis, welcome to the forum.
This is a common question and covered in the support section on the torproject.org website here.
Tor Browser includes NoScript by default to help control JavaScript, but installing other plugins or add-ons is strongly discouraged because they can harm your privacy, weaken security, and make you easier to track.
You will certainly be more easy to track if you use a web extension of this kind. Bear in mind the fact that you use this extension may be discoverable by any website you visit, not just ones you wish to translate.
An alternative option is to use a web translation service such as Google, Yandex or one of the many others available out there. Here best practice would be to use a new Tor identity* each time you use the service - i.e. for each website you wish to translate. If you do not do this Google/Yandex or whoever you use will be able to track you across all the sites you visit via their service, as the way these work is that all pages belong to the service provider’s second level domain - e.g. translate.goog in the case of Google.
*Tor Browser will close and reopen when you hit the “New identity” button and ‘forget’ everything about your previous browsing session. You will appear as a new visitor to a translation service provider, or any other website for that matter.
1 Like
E.g, for translation it could send the page content to a cloud-server which handles the translation, for this request it could ‘bypass’ the Tor proxy leaking your real IP.
Is bypassing the Tor proxy actually possible via a web extension, i.e. are requests originated by a web extension in Tor Browser not forced to use the Tor proxy? I’m (thankfully) not aware of any way to circumvent the Tor proxy via JavaScript and would be very interested to learn that this was indeed possible.
It depends, I have not looked deeply into it but I’m certain it’s possible to craft a extension which can deaononymize the Tor Browser under certain conditions.
E.g, by default the Tor Browser blocks WebRTC, but if you’re tinkering you’re browser settings and installing extensions, WebRTC can be used to get your real IP since it used direct UDP connections.
1 Like
A lethal combination indeed..
Is bypassing the Tor proxy actually possible via a web extension, i.e. are requests originated by a web extension in Tor Browser not forced to use the Tor proxy? I’m (thankfully) not aware of any way to circumvent the Tor proxy via JavaScript and would be very interested to learn that this was indeed possible.