Sign up. Trademark, copyright notices, and rules for use by third parties can be found in our FAQ. Defend yourself. Protect yourself against tracking, surveillance, and censorship. Download for Windows Signature. Download for macOS Signature. Download for Linux Signature. Download for Android. Read the latest release announcements. Select "Tor Network Settings" and "Use a bridge". We do not recommend installing additional add-ons or plugins into Tor Browser Plugins or addons may bypass Tor or compromise your privacy.
Stand up for privacy and freedom online. I understand that if I download an untrusted file containing a script it could reveal my IP address. However, I want to know if my IP address is still completely hidden if I download a web based email attachment such as Word, Excel or other file that I trust?
Tor provides anonymity for the download part. A download is: to obtain a sequence of bytes. What you do with these bytes is then completely up to you. Some sequences of bytes encode executable instructions that a computer will be eager to run. Executable files, scripts If the file you download contains instruction, and these instructions have been designed to be hostile to you and your anonymity, and you execute them nonetheless, well, then you get what you asked for.
The warning popup displayed by Tor is a kind of disclaimer: it reminds you that the magic of Tor stops at the downloading, but does not guarantee that the file you obtained is not full of nastiness. Now for Word documents. Theoretically, a Word file contains the description of a written document, possibly with pictures; but, in practice, a Word document can embed just about anything, including executable applications.
Word also supports a complex system of macros, which are, by any reasonable definition, a programming language. Thus, "opening" a Word document is quite akin to running a script. And, indeed, macro virus do exist. Even with macros disabled , some nifty attacks against anonymity can be performed with Word files. For instance, Word documents can be signed.
Word will want to verify this signature, which means first validating some X. As such, a Word document which you merely open may imply network activity to target names that are embedded in the document well, in certificates which are embedded in the document. The nice part is that these accesses will be performed by some system components which may completely disregard your browser configuration -- thus happening outside of the Tor umbrella. Goodbye anonymity!
However, if you trust the file, then there is no problem, yes? At least as long as you can be sure that the file you got is really the one you believe it is Amusingly enough, digital signatures can help you there, but the mere act of verifying the signature can entail activity which makes you totally non-anonymous, as explained above.
That warning box is to inform you that, by using a 3rd party application, you might leak information over the internet. One example of this is media players that look up media information on a server, by sending the filename and other information such as file size or the hash of the file. The download itself is over Tor, so your IP is still hidden during the download, but other activities may not.
If the file has a script that is phoning home, and the application opening the file executes said script, then your real IP will be exposed whether you trust the source or not, whether the intent is malicious or not. Sign up to join this community. The best answers are voted up and rise to the top. Stack Overflow for Teams — Collaborate and share knowledge with a private group.