The Ultimate Deep Web Security Guide for Noobs
Given that you’re taking the time to read this deep web security guide, you may be concerned you’re going to get caught, perhaps by “Elite Hackers” or even law enforcement. If you’re worried about the former, don’t be. If you’re just intending to browse a few pages, then simply using the Tor Browser Bundle in Windows will probably be perfectly fine (assuming you’re being sensible) to ensure your anonymity and security.
If you plan on being a regular user, though, I’d recommend using a Linux OS for an added layer of protection, especially if you want to download files.
Therefore this post is intended for the more tin foil hat-wearing, conspiracy-theorist sort of user, those needing to circumvent extreme national censorship laws (that may not look too kindly on your Tor browsing), individuals needing to escape law enforcement for certain activities, or even people just wanting to educate themselves on some best practices.
Now that that’s out of the way, let’s continue.
Operating System (OS)
The Operating System you use is a crucial part of your security. You can have the best security software in the world, but ultimately if it’s built on a weak OS it’s a waste of time. A secure OS gives you the strong foundation you need to build the rest of your security on.
For this reason Windows is a no-no. Microsoft has a history of security flaws, and its widespread popularity ensures it is a constant target for attackers. It is also a poor tool for privacy: Windows 10 has a terrible record for snooping on its users’ activities, and many even suspect it of containing backdoors, with good reason too.
What’s the alternative? Use a Linux distribution. The open source nature of Linux ensures it can be closely scrutinised by anyone for backdoors and security flaws. If you’re making your first transition, I’d recommend Ubuntu as an easy-to-use system, though there are other good options such as Mint.
The above are both good options, but seeing as this is the “Ultimate Guide” you want some serious security. You have two options: you can either use a virtual environment, which runs inside software on your existing OS, or you can go down the route of a live system, which you run straight from a disc or USB without leaving a trace on your hard drive. Using these setups also means you can download files without the worry of infecting or damaging your system.
VirtualBox is a great programme for the former, as it enables you to run any OS from within a Virtual Machine, which will stop your real hardware being identified. If you choose to go for this setup, I’d recommend you try Whonix.
The second option is even more secure, though admittedly it’s far less convenient as it requires rebooting your computer every time. The advantage in return is that all data is stored on removable media (USB or CD/DVD), which means no trace will ever be left on your hard drive.
Tails is the most popular example of this setup thanks to its high security and useful functionality being preinstalled with the OS.
Connecting to Tor
While everything you do on the Tor network may be anonymous, your connection to the service probably isn’t.
If you’re connecting from your home broadband, your ISP can see you are connecting to Tor nodes. Connecting to Tor itself isn’t illegal, so this isn’t usually a problem; however, some ISPs have been known to cause issues, even filtering connections to the network entirely. Secondly, you might just not want data being tracked that shows exactly when and for how long you were on Tor.
If your ISP is tracking and/or blocking connections to Tor nodes, either under company policy or government orders, you can use a Bridge to connect you to the network. These bridges aren’t publicly listed, allowing you to connect to them without it being flagged and then be connected to the wider Tor network.
You can use a VPN to mask your Tor connection. This way your ISP will only see the connection to the VPN, leaving your Tor connection private. You may even want to consider using a VPN full time to protect your privacy even when you’re not on Tor.
The problem with VPNs is that they can keep logs of your activity just like your ISP, even if they claim not to (they need you to pay for their service, remember). So this is always something to bear in mind: never place complete trust in your VPN (or any service for that matter).
Some users prefer to avoid connecting from home entirely and instead connect to a public WiFi hotspot. This means there are no identifying details linked directly to your point of connection, which keeps you more secure online, but it comes with its own risks as there are even more factors at play once in public. For example, if you’re the only person connecting to a network, then you will be easily identified. Not to mention nosy folk peeking over your shoulder.
Online Accounts
If you want to start fully participating on sites rather than just lurking, you’re going to need to create an account, just like on the ‘surface web’.
If you already have a username you go by online, don’t be tempted to reuse it on Tor. Instead you need to keep your identities separate and think of a new name to use.
You can maintain this across all the sites you visit if you want to keep an online identity but it’s probably better to use multiple pseudonyms for different activities, such as one name for buying and another you can use for forum discussions, that way they are kept isolated and won’t impact each other.
Seeing as we are talking about accounts, we should make a quick note on password security. Sadly, the most used password is apparently still ‘123456’, so don’t be that guy: have good security practices and use strong passwords. Use different passwords for every site and store them using password management software such as the one available on Tails (you’ll need to enable persistent storage).
Communications
At some point you may wish to send private messages externally from any website, it would be handy if there was some form of electronic mail or something you could use… Don’t use your normal email of course for obvious reasons.
Instead, consider using a .onion email address such as TorBox or my personal favourite, Sigaint (NOTE: Sigaint is currently down, unknown if it will return online), which also has a clearnet address (sigaint.org).
If you’re concerned about people gaining unauthorised access to your messages, you can encrypt the contents of your mail using PGP to ensure only the desired recipient can read the message, using their private key to decrypt its contents. I’m not going to go in-depth with an explanation here, as there are other tutorials online which do so, though I may write one up myself if there’s demand.
You should get comfortable using PGP as you’ll be expected to use it to communicate with certain users and most vendors.
What Now?
By following these techniques and other good practices you vastly increase your security, on the deep web and in general. Ultimately though, never assume your complete security and safety; if you become a target of the government you should probably expect to get caught. Great security is one thing, but ultimately it’s nothing if you choose to pit yourself against a nation state. The major surveillance agencies of the world have the resources to punish and break you in the end, regardless of your skills or security.
Stay secure out there!