
8 Common Tor Mistakes That Break Your Anonymity

Eight common Tor mistakes that break anonymity — installing extensions, logging into accounts, going full-screen, or opening files outside the browser sandbox.

By Dark Web Insight Research Desk | 5 min read

Tor Browser does most of the anonymity work automatically — but eight common mistakes reliably undo it. Most follow the same pattern: users add something (an extension, an account login, a plugin) or do something (open a file, maximize the window) that creates a unique identifier. Tor's protections assume identical browser behavior across all users. The moment your browser is distinguishable from others, you're trackable.

Mistake 1: Installing Browser Extensions

Tor Browser ships without extensions for a specific reason. Every extension has a fingerprint. uBlock Origin, Privacy Badger, a password manager — each adds detectable characteristics to your browser that distinguish it from a standard Tor Browser instance.

The Tor Project's research with the EFF showed that even a small set of extensions narrows the browser fingerprint dramatically. Tor Browser's letterboxing, standardized fonts, and disabled WebGL are calibrated to make all users look identical. Add an extension, and you become identifiable within that anonymity set.

The only modification safe to make: change the security level (Standard / Safer / Safest) via the shield icon. Everything else should stay at factory settings.

Mistake 2: Logging Into Personal Accounts

Tor hides your IP address from websites. It doesn't hide your identity.

Logging into a Google account, Facebook profile, email, or any personal service while using Tor Browser immediately tells that service who you are. Your account name, session cookies, and behavioral patterns are visible to the platform regardless of the IP it sees. Worse: the platform can correlate your Tor session with previous non-Tor sessions using your account history.

If you log into any personal account over Tor, the IP masking becomes irrelevant. The OPSEC principle here is simple: keep anonymous sessions completely separate from any identity-linked sessions.

Mistake 3: Using Full-Screen Mode

Your screen resolution is a browser fingerprinting vector. Standard Tor Browser includes letterboxing — it pads the window edges with gray bars to round your effective resolution to a standardized value. This prevents websites from using window.screen to determine your real display size.

Maximizing Tor Browser to full-screen overrides letterboxing and exposes your actual screen resolution. Combined with other attributes, exact screen resolution significantly narrows the fingerprint.

Keep the window at its default size. If the window feels small, resize it to a non-maximized position — the letterboxing adapts.

Mistake 4: Opening Downloaded Files Outside Tor

PDFs, Word documents, spreadsheets, and media files can all contain tracking mechanisms. PDF readers can make external HTTP requests when rendering embedded content. Microsoft Office files can attempt to load remote templates. Video files can contact external servers for metadata.

When you open a downloaded file in your system's default application — outside the Tor Browser sandbox — that application makes those requests using your real IP address. Tor Browser's sandbox is bypassed the moment the file leaves it.

The Tor Project's guidance: when possible, open documents in a viewer inside the browser. If you must use an external application, disconnect from the internet first, view the file offline, then reconnect. For sensitive work, use Tails OS — it provides a more isolated environment.
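As an added example (not code from the article or the Tor Project), a pre-open triage check in Python for the remote-fetch constructs described above: PDF URI, Launch and JavaScript actions, and OOXML relationships that point outside the document, such as an attached remote template. The sample PDF and .docx are constructed inline; the regex approach assumes unobfuscated files and is a quick screen, not a substitute for a full parser.

```python
import io
import re
import zipfile

# PDF action keywords that can make a viewer fetch remote content or run code.
PDF_CHECKS = {
    "URI action": re.compile(rb"/URI\s*\(([^)]*)\)"),
    "Launch action": re.compile(rb"/Launch\b"),
    "JavaScript": re.compile(rb"/(?:JavaScript|JS)\b"),
}
# OOXML keeps remote templates and linked objects in *.rels relationship files.
REL_TAG = re.compile(rb"<Relationship\b[^>]*>")
TARGET = re.compile(rb'Target="([^"]*)"')

def scan_pdf(data: bytes) -> list[str]:
    """Flag PDF constructs that can trigger outbound requests when rendered."""
    hits = []
    for label, pat in PDF_CHECKS.items():
        for m in pat.finditer(data):
            arg = m.group(1).decode("latin-1") if m.groups() else ""
            hits.append(f"{label}: {arg}" if arg else label)
    return hits

def scan_ooxml(data: bytes) -> list[str]:
    """Flag relationships that point outside the document container."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in (n for n in zf.namelist() if n.endswith(".rels")):
            for m in REL_TAG.finditer(zf.read(name)):
                tag = m.group(0)
                if b'TargetMode="External"' in tag or b"attachedTemplate" in tag:
                    t = TARGET.search(tag)
                    target = t.group(1).decode("utf-8", "replace") if t else "?"
                    hits.append(f"{name}: external target {target}")
    return hits

# Constructed samples (not real documents): a PDF whose OpenAction is a URI
# action, and a minimal .docx shell whose settings reference a remote template.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /URI /URI (http://tracker.example/beacon.gif) >> endobj\n")

def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels",
                    '<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                    'officeDocument/2006/relationships/attachedTemplate" '
                    'Target="http://templates.example/t.dotm" TargetMode="External"/></Relationships>')
    return buf.getvalue()
```

Run `scan_pdf` or `scan_ooxml` on the downloaded bytes before handing the file to an external viewer; any hit is a reason to view it offline, as the guidance above recommends.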

Mistake 5: Torrenting over Tor

BitTorrent is designed for high-bandwidth, long-lived connections, and it uses UDP traffic alongside TCP. Tor's relays run over TCP. UDP traffic bypasses Tor entirely and reveals your real IP to the torrent swarm and any monitoring peers.

Beyond the IP leak, BitTorrent over Tor saturates relay bandwidth that other users depend on. High-bandwidth connections over the volunteer relay network degrade the experience for everyone. The Tor Project explicitly asks users not to torrent over Tor.

If you need to torrent with privacy, that's a case for a VPN with a proven no-logs policy — not Tor.

Mistake 6: Trusting HTTP Sites

The Tor circuit protects your connection from your machine to the exit relay. The exit relay to the destination is a separate segment, and if that segment is unencrypted HTTP, the exit relay can read it.

A malicious exit relay operator can perform a man-in-the-middle attack on HTTP connections: reading traffic, injecting content, or modifying responses. Tor Browser includes HTTPS-Only Mode (enabled by default since version 11.0) to prevent this.

If a site shows an HTTP connection inside Tor Browser, treat the content as potentially compromised. For dark web .onion services, the hidden service protocol provides end-to-end encryption regardless of HTTPS, so the risk is specific to clearnet HTTP connections.

Mistake 7: Reusing the Same Circuit Too Long

Tor rotates circuits for general browsing connections every 10 minutes by default. But a long session on a specific site — particularly a .onion service — can accumulate traffic patterns that make timing correlation more feasible.

The practical mitigation: use "New Circuit for This Site" (available from the site identity button in the toolbar) when switching contexts or after a long session. For sensitive research, restart Tor Browser between sessions. Each restart generates a fresh set of circuits with different relay paths.

This matters more in high-risk contexts than in general privacy browsing. But as a habit, keeping sessions short and circuits fresh reduces the correlatable data available to any observer.

Mistake 8: Mixing Identities in the Same Session

Switching between an anonymous session and a personal account within the same Tor Browser window creates correlation opportunities. Even if you don't log in, browser cookies, local storage, and session data can link activity across tabs or across different portions of a browsing session.

Tor Browser's New Identity function (from the top-right menu: Tor Browser → New Identity) closes all open tabs, clears cookies and local storage, and builds fresh circuits. Use it when switching contexts — for instance, moving from researching one topic to accessing a different service.

A fresh, correctly installed Tor Browser has none of this residual session state. The default behavior is clean. The mistakes happen when users treat Tor Browser like a regular browser across multiple identities.

Frequently Asked Questions

Does Tor Browser prevent all tracking?

No. Tor Browser substantially reduces network-level tracking by hiding your IP and encrypting your traffic to the exit relay. It does not prevent tracking through account logins, behavioral fingerprinting, malicious JavaScript exploits, or files opened outside the browser. The security level setting (Safer/Safest) reduces the JavaScript attack surface significantly.

Should I use a VPN with Tor?

Only if you have a specific reason — primarily, if you need to hide Tor usage from your ISP. Adding a VPN does not strengthen the Tor circuit's anonymity. It shifts who can see your Tor usage from your ISP to the VPN provider. If that trade-off is worthwhile for your situation, see using a VPN with Tor for the full breakdown.

Can I use Tor Browser on public Wi-Fi?

Yes, and it's relatively safe to do so. On public Wi-Fi the local network operator (coffee shop, hotel, etc.) can see that you're using Tor, but they cannot see your traffic: Tor Browser encrypts it to the entry guard before it reaches the access point. The main risk on public Wi-Fi isn't Tor-specific: rogue access points can attempt man-in-the-middle attacks on traffic that does not pass through Tor. HTTPS and Tor together handle that.