Common Tor Mistakes That Break Your Anonymity

Deanonymization rarely starts with broken Tor routing. It starts with small conveniences — a resized window, a quick login, an opened PDF — that make sense one at a time and read as compromise in hindsight. The failures are behavioral, not in the three-hop path.

Logging Into Google, Facebook, or Any Real Account

This is the single most common way Tor anonymity collapses. When you log into Google, Facebook, your bank, or any account tied to your real identity, you hand the service provider exactly what they need to identify you — the account. Your Tor exit relay's IP is irrelevant at that point. You've authenticated yourself.

It gets worse. Google and Facebook run trackers on a large fraction of the sites you visit, including sites you might access over Tor for legitimate privacy reasons. If you log into Google in Tab A and visit a sensitive site in Tab B — even in the same Tor Browser session — Google's trackers on that sensitive site may correlate the two tabs through shared session cookies or browser fingerprinting signals.

The rule is simple: real-identity accounts and Tor Browser belong in different browser sessions, different browser profiles, or different devices entirely. If you need to access a Google account and also do private research over Tor, use a standard browser for Google and Tor Browser for the private work. Never in the same session.

For a broader framework on separating identities, read our threat modeling guide.

Resizing the Browser Window

Tor Browser defaults to 1000×800 pixels for a reason. Window dimensions are one of the browser fingerprinting signals that JavaScript can read — and they're surprisingly effective at distinguishing users. A 2019 study by the Tor Project found that window dimensions alone, combined with a handful of other signals, could narrow a user's identity down significantly within the anonymity set.

When you maximize Tor Browser to fill your 2560×1440 monitor, you've announced your screen resolution to every site you visit. Your Tor exit relay's IP changes per circuit; your window dimensions identify you across circuits.

The fix is also simple: don't resize the window. If content is hard to read at 1000×800, zoom in with Ctrl+Plus instead of dragging the window edge. The zoom level is a much weaker fingerprinting signal than absolute window dimensions.

Enabling JavaScript on Sensitive Sites

Tor Browser's Standard security level enables JavaScript everywhere. At Safer, it's disabled on non-HTTPS sites. At Safest, it's off everywhere. Most people leave it at Standard because many sites break without JavaScript — and that's a reasonable tradeoff for general browsing where your threat model doesn't require strict anonymity.

The problem is using Standard security level on sites where anonymity is the entire point. JavaScript can:

Read your screen resolution, time zone, installed fonts, and available hardware
Execute WebRTC calls that leak your real IP address in some configurations
Exploit browser vulnerabilities — the FBI used a JavaScript-based exploit against Tor Browser users on a .onion service in 2013, deanonymizing hundreds of users despite valid Tor connections

For .onion services or any site where anonymity genuinely matters, use Safest. For general clearnet browsing where anonymity is a nice-to-have rather than a requirement, Standard is acceptable. Know which context you're in.

Downloading and Opening Files Outside Tor

When you download a PDF, DOCX, or media file through Tor Browser and open it in an external application, the connection leaves Tor. Adobe Reader, Microsoft Word, and similar apps make network connections when opening files — to verify licenses, download fonts, check cloud updates, or load embedded content. Those connections go through your regular internet connection, revealing your real IP to whatever server the file contacts.

The Tor Project explicitly warns that documents opened outside Tor Browser can reveal your IP. This isn't a theoretical risk — it has been used in operational deanonymization.

If you must open documents downloaded over Tor:

Use Tails OS, which routes all traffic through Tor by default (including applications outside the browser)
Open files in a sandboxed VM with no direct internet access
Disable network access for the application before opening (possible on some OSes; not reliable)
Use a PDF viewer that doesn't make outbound connections (some lightweight viewers don't)

The safest option is not opening files outside Tor. If the document is important enough to need, it's important enough to handle carefully.

Mixing Clearnet and Tor Identities

This one is subtle and takes longer to cause problems — which makes it more dangerous. Mixing identities means using a Tor-anonymous persona and a clearnet persona in ways that allow them to be linked.

Examples:

You run a pseudonymous blog over Tor. You post about a topic specific enough that it's recognizable. You also post about that topic on your real-name Twitter. The content correlation links the two.
You access a .onion service using a username you also use on a clearnet forum. The username itself is the link.
You access a sensitive service over Tor, then access the same service from your regular browser two hours later. The service's server logs see both IPs on the same account.

The underlying problem is what the EFF's Surveillance Self-Defense calls "identity correlation" — the adversary doesn't need to break Tor's cryptography if behavioral or content signals link your Tor sessions to your real identity.

Our threat modeling guide covers compartmentalization specifically. The summary: one identity per purpose, no exceptions.

Forgetting Tor Bridges in Censored Regions

Direct Tor connections are detectable. Your ISP can compare your connection endpoints against the public Tor consensus — a list of all public relays published by the Tor Project. In countries like China, Iran, Russia, and Belarus, ISPs actively block direct Tor connections.

Bridges are unlisted relays not in the public consensus. obfs4 bridges obfuscate the traffic further so it doesn't look like Tor traffic at all. The mistake is assuming Tor works in a censored region without bridges, then getting confused when it doesn't connect — or worse, assuming that a failed connection means you're safe.

If Tor doesn't connect in your region, configure a bridge before concluding the network is unavailable. The Tor Browser setup guide covers bridge configuration in Step 6. Bridges are available at bridges.torproject.org or via email to bridges@torproject.org.

One more mistake in this category: not keeping bridge addresses current. Bridge addresses change; the same bridge that worked six months ago may be blocked now. Refresh your bridges periodically if you rely on them.

Frequently Asked Questions

Can Tor Browser leak your IP address?

Yes, in a few documented ways. JavaScript can use WebRTC to bypass the Tor circuit and reveal your real IP — at Standard security level. Downloading files and opening them outside Tor can expose your IP when the external application makes network connections. DNS leaks are possible in misconfigured setups. At Safest security level with no external file opens, IP leakage risk is low.

Is it safe to use Tor Browser with extensions installed?

No. Every browser extension changes your fingerprint. Even a widely-used extension like uBlock Origin makes you distinguishable from the default Tor Browser fingerprint — because most Tor Browser users don't have it installed. Tor Browser's fingerprint protection relies on uniformity. Extensions break that uniformity. Don't install them.

Does clearing cookies in Tor Browser help?

Tor Browser already clears cookies and session data between sessions by default. Clearing them manually mid-session is sometimes useful if you've made a session-linkage mistake, but it's not a substitute for the actual hygiene rules above. The bigger issue is preventing cross-site tracking within a session, which Tor Browser handles through site isolation — a different mechanism than cookie clearing.

How do I know if my Tor Browser setup is working correctly?

Visit https://check.torproject.org/ — it confirms you're exiting through a Tor relay. For a more thorough check, browserleaks.com will show you what information your browser exposes (screen resolution, WebRTC status, timezone). Run it at Standard security level, then at Safest, and compare.