I opened one site in two tabs. According what I read in about:manual I understand that the site couldn’t know that both of the requests are from me, but when I changed the site to dark mode in one of the tabs and reload the second one, the second tab turned to dark mode too! So someone (Google for example) can track me from one tab to another?
This functionality would come from a cookie that the website temporarily places after you enable dark mode. Tor doesn’t delete this cookie until you close the windows. That would be why when you refreshed the second window, it checked the cookie and applied the dark mode. This is the expected functionality of Tor, in fact the about:manual actually specifies this. I think you may be misunderstanding a section of the manual.
You are referring to this part of the about:manual, from the MANAGING IDENTITIES topic:
THE URL BAR
Tor Browser centers your web experience around your relationship with the website in the URL bar. Even if you connect to two different sites that use the same third-party tracking service, Tor Browser will force the content to be served over two different Tor circuits, so the tracker will not know that both connections originate from your browser.
On the other hand, all connections to a single website address will be made over the same Tor circuit, meaning you can browse different pages of a single website in separate tabs or windows, without any loss of functionality.
This part of the manual states that only in the situation in which you are connected to two different websites that use the same third-party tracking service, will Tor use a different identity (exit node IP address, and your traffic is routed through three nodes). It then states that if you have connections to a single website, they will all be over the same IP address.:
“all connections to a single website address will be made over the same Tor circuit,”
Note that this does not refer to your personal IP address, but an IP-address within the Tor network which does not identify you. The following sentence, which you may have misinterpreted is:
“meaning you can browse different pages of a single website in separate tabs or windows, without any loss of functionality.”
The offending word here is ‘functionality’, because it is somewhat of a technical term. Functionality in this instance is referring to the same website being functional between different tabs, which means features such as remaining logged in, having the same settings (e.g. dark mode), and so on. The term functionality in this instance is not referring to the shielding of your identity and IP address, because there is generally no advantage to doing this within the same website through different tabs; rather it can cause issues for the majority of users.
Each window for the same website will be using the same identity, and same IP address. It’s just that this IP address is not your home’s IP address, it is a different one that has no connection to you, therefore the website does not know that it is you that is accessing it. Your identity is protected. This is the intended functionality of Tor, and there is no compromise of security when operating in this manner.
If you specifically require two identities for a single website, I suggest installing Tor on an additional machine to create a second Tor instance. If you do not have a second machine, install a virtual machine on your computer, such as VirtualBox. You then install an operating system on the VM, install Tor on it, and create the second Tor instance in there. In this way you can run two tor instances from the same machine, and open the same website in two different Tor instances.
3 Likes
FPI (first party isolation, Tor Browser’s very restrictive original version) also known as dFPI (dynamic first party isolation) in Firefox, network partitioning, Total Cookie Protection - see https://privacytests.org/ … etc is … wait for it … restricting all data/connections/activity to the FIRST PARTY, so 3rd parties can’t track you.
Restrictions per tab, let alone per site-tab, is not a thing! (ignoring the fact that you can in fact in non-PB mode use containers and isolate the same domain but this doesn’t cover little t-tor)
2 Likes
So Tor browser shares coockies among websites which I opened in a number of tabs and if the website is not google’s itself, google can’t track me, right?