Security & OpSec Guide

Maintaining a strict barrier between your real-life identity (RLI) and your Tor identity is the foundation of operational security. Cross-contamination destroys anonymity instantly.

• Zero Reuse: Never use a username, password, or moniker that you have previously utilized on clearnet sites (Reddit, Twitter, forums).
• Information Siloing: Never disclose personal contact details, location data, timezone cues, or identifying linguistic habits.
• Hardware/Software Separation: Conduct all research within a dedicated, isolated environment such as Tails OS or Whonix to prevent localized data leakage.

Man-in-the-Middle (MitM) attacks occur when an adversary intercepts and alters communications between you and the hidden service. The only definitive defense is cryptographic validation.

• Mandatory PGP Signature Verification: Verifying the PGP signature of an onion link against the known canonical public key is the only reliable method to confirm the authenticity of a routing address.
• Source Skepticism: Do not blindly trust addresses sourced from open wikis, public indexing forums, or social media platforms. Always execute secondary verification before establishing a connection.
• Mirror Analysis: Validate all secondary nodes against the master PGP key block.

The default state of the Tor browser requires manual configuration to mitigate tracking and deanonymization vectors before engaging in network analysis.

• Security Level: Adjust the Tor Browser security slider to "Safer" or "Safest" immediately upon launch.
• Script Restriction: Ensure JavaScript is disabled (via NoScript) across all untrusted domains to prevent active exploitation of browser vulnerabilities.
• Window Dimensions: Never maximize or resize the browser window. Doing so alters the viewport dimensions, creating a unique fingerprint that can track you across varying sessions.

Blockchain architectures are inherently transparent unless actively obfuscated. Tracing cryptocurrency movements is a trivial task without proper compartmentalization.

• Exchange Isolation: Never transmit funds directly from a centralized, KYC-compliant exchange (e.g., Coinbase, Binance) to a hidden service address.
• Intermediary Wallets: Utilize personal, non-custodial local wallets (such as Electrum for BTC or the official Monero GUI) as an intermediary buffer zone.
• Protocol Preference: Educational models highly recommend utilizing Monero (XMR) due to its default privacy-preserving ring signatures and stealth addresses, far superior to transparent Bitcoin (BTC) ledgers.