… My heart’s in Accra Ethan Zuckerman’s online home, since 2003

October 1, 2006

Anonymous Blogging with WordPress and Tor

Filed under: Geekery,Human Rights,ICT4D — Ethan @ 6:53 pm

One of the great joys of working on Global Voices has been having the chance to work with people who are expressing themselves despite powerful forces working to keep them silent. I’ve worked with a number of authors who’ve wanted to write about political or personal matters online, but who felt they couldn’t write online unless they could ensure that their writing couldn’t be traced to their identity. These authors include human rights activists in dozens of nations, aid workers in repressive countries as well as whistleblowers within companies and governments.

I wrote a technical guide to anonymous blogging some months back and posted it on Global Voices, outlining several different methods for blogging anonymously. Since then, I’ve led workshops in different corners of the world and have gotten comfortable teaching a particular set of tools – Tor, WordPress and various free email accounts – which used in combination can provide a very high level of anonymity. The guide that follows below doesn’t offer you any options – it just walks you through one particular solution in detail.

You can feel free to ignore the “why” sections of the guide if you want a quicker read and if you’re the sort of person who doesn’t need to know why to do something. I hope to format this more prettily at some point in the future, allowing the “why” sections to be expanded and compressed, making the whole document a lot shorter.

If I’ve been unclear somewhere in the document or got something wrong, please let me know in the comments – this is a draft which I hope to clean up before posting it on Global Voices. Should you find it useful and want to disseminate it further, feel free – like almost everything on this site, it’s licensed under a Creative Commons 2.5 Attribution license, which means you’re free to print it on coffee cups and sell them, if you think there’s a market and money to be made.

My disclaimer: If you follow these directions exactly, you’ll sharply reduce the chances that your identity will be linked to your online writing through technical means – i.e., through a government or law enforcement agency obtaining records from an Internet Service Provider. Unfortunately, I cannot guarantee that they work in all circumstances, including your circumstances, nor can I accept liability, criminal or civil, should use or misuse of these directions get you into legal, civil or personal trouble.

These directions do nothing to prevent you from being linked through other technical means, like keystroke logging (the installation of a program on your computer to record your keystrokes) or traditional surveillance (watching the screen of your computer using a camera or telescope). The truth is, most people get linked to their writing through non-technical means: they write something that leaves clues to their identity, or they share their identity with someone who turns out not to be trustworthy. I can’t help you on those fronts except to tell you to be careful and smart. For a better guide to the “careful and smart” side of things, I recommend EFF’s “How to Blog Safely” guide.

Onto the geekery:

Step 1: Disguise your IP.

Every computer on the internet has or shares an IP address. These addresses aren’t the same thing as a physical address, but they can lead a smart system administrator to your physical address. In particular, if you work for an ISP, you can often associate an IP address with the phone number that requested that IP at a specific time. So before we do anything anonymous on the Internet, we need to disguise our IP.

What to do if you want to blog from your home or work machine:

a) Install Firefox. Download it at the Mozilla site and install it on the main machine you blog from.

Internet Explorer has some egregious security holes that can compromise your online security. These holes tend to go unpatched for longer on IE than on other browsers. (Don’t believe me? Ask Bruce Schneier.) It’s the browser most vulnerable to spyware you might inadvertently download from a website. And many of the privacy tools being released are being written specifically to work with Firefox, including Torbutton, which we’ll be using in a future step.

b) Install Tor. Download the program from the Tor site. Pick the “latest stable release” for your platform and download it onto your desktop. Follow the instructions that are linked to the right of the release you downloaded. You’ll install two software packages and need to make some changes to the settings within your new installation of Firefox.

Tor is a very sophisticated network of proxy servers. Proxy servers request a web page on your behalf, which means that the web server doesn’t see the IP address of the computer requesting the webpage. When you access Tor, you’re using three different proxy servers to retrieve each webpage. The pages are encrypted in transit between servers, and even if one or two of the servers in the chain were compromised, it would be very difficult to see what webpage you were retrieving or posting to.

Tor installs another piece of software, Privoxy, which increases the security settings on your browser, blocking cookies and other pieces of tracking software. Conveniently, it also blocks many ads you encounter on webpages.

c) Install Torbutton. Read about it and install it, following the instructions on the installation page. You’ll need to be using Firefox to install it easily – from Firefox, it will simply ask you for permission to install itself from the page mentioned above.

Turning on Tor by hand means remembering to change your browser preferences to use a proxy server. This is a multistep process, which people sometimes forget to do. Torbutton makes the process a single mouse click and reminds you whether you’re using Tor or not, which can be very helpful.

You may find that Tor slows down your web use – this is a result of the fact that Tor requests are routed through three proxies before reaching the webserver. Some folks – me included – use Tor only in situations where it’s important to disguise identity and turn it off otherwise – Torbutton makes this very easy.

d) Turn on Tor in Firefox and test it out. With Tor turned on, visit this URL. If you get a message telling you, “You seem to be using Tor!”, then you’ve got everything installed correctly and you’re ready for the next step.

It’s always a good idea to see whether the software you’ve installed works, especially when it’s doing something as important as Tor is. The page you’re accessing is checking to see what IP address your request is coming from. If it’s from a known Tor node, Tor is working correctly and your IP is disguised – if not, something’s wrong and you should try to figure out why Tor isn’t working correctly.

Alternative instructions if you’re going to be writing primarily from shared computers (like cybercafe computers) or you’re unable to install software on a computer.

a) Download Torpark. Download the package from the Torpark site onto a computer where you can save files. Insert your USB key and copy the Torpark.exe onto the key. Using this USB key and any Windows computer where you can insert a USB key, you can access a Tor-protected browser. On this shared computer, quit the existing web browser. Insert the key, find the key’s filesystem on the Desktop, and double-click the torpark.exe. This will launch a new browser which accesses the web through Tor.

b) Test that Torpark is working by visiting the Tor test site with the Tor-enabled browser and making sure you get a “You seem to be using Tor!” message.

Torpark is a highly customized version of the Firefox browser with Tor and Privoxy already installed. It’s designed to be placed on a USB key so that you can access Tor from shared computers that don’t permit you to install software. While I recommend Torpark and use it when I travel, it is not formally supported by the folks behind Tor – they’re not happy that early versions of the program weren’t released with source code, which meant that it was impossible to determine precisely what Torpark did and how it used Tor’s source code. A more recent version of the program includes source code – it will be interesting to see whether Tor’s programmers offer their blessing of this version. Roger Dingledine of Tor has also indicated that he and his colleagues are planning an open source version of a portable browser with Tor installed, but the timeline for this new project is unknown.

Step 2: Generate a new, hard to trace email account.

Most web services – including blog hosting services – require an email address so that they can communicate with their users. For our purposes, this email address can’t connect to any personally identifiable information, including the IP address we used to sign up for the service. This means we need a new account which we sign up for using Tor, and we need to ensure that none of the data we use – name, address, etc. – can be linked to us. You should NOT use an existing email account – it’s very likely that you signed up for the account from an undisguised IP, and most webmail providers store the IP address you signed up under.

a) Choose a webmail provider – we recommend Hushmail and Gmail, but as long as you’re using Tor, you could use Yahoo or Hotmail as well.

Webmail is the best way to create a “disposable” email address, one you can use to sign up for services and otherwise ignore. But a lot of users also use webmail as their main email. If you do this, it’s important to understand some of the strengths and weaknesses of different mail providers.

Hotmail and Yahoo mail both have a “security feature” that makes privacy advocates very unhappy. Both include the IP address of the computer used to send any email. This isn’t relevant when you’re accessing those services through Tor, since the IP address will be a Tor IP address, rather than your IP address. Also, Hotmail and Yahoo don’t offer secure HTTP (https) interfaces to webmail – again, this doesn’t matter so long as you use Tor every time you use these mail services. But many users will want to check their mail in circumstances where they don’t have Tor installed – for your main webmail account, it’s worth choosing a provider that has an https interface to mail.

Hushmail provides webmail with a very high degree of security. They support PGP encryption – which is very useful if you correspond with people who also use PGP. Their interface to webmail uses https and they don’t include the sending IP in outgoing emails. But they’re a for-profit service and they offer only limited services to non-paying users. If you sign up for a free account, you have to log into it every couple of weeks to make sure the system doesn’t delete it. Because they’re aggressive about trying to convert free users to paid users, and because their system uses a lot of Java applets, some find that Hushmail isn’t the right choice for them.

Gmail, while it doesn’t advertise itself as a secure mail service, has some nice security features built in. If you visit this special URL, your entire session with Gmail will be encrypted via https. (I recommend bookmarking that URL and using it for all your Gmail sessions.) Gmail doesn’t include the originating IP in mail headers, and you can add PGP support to Gmail by using the FreeEnigma service, a Firefox extension that adds strong crypto to Gmail (it works with other mail services as well.) The problem with Gmail is their signup process – to sign up for a Gmail account, you either need an invitation from an existing Gmail member, or you need to use your mobile phone to sign up for an account. Needless to say, we do not recommend using your mobile phone to request an invitation – it gives Google far too much personally identifiable information about you linked to that account.

Instead, if you already have a Gmail account, send an invitation to yourself. This will send you an email with a unique URL in it – copy that URL into a text editor or write it down. Turn on Tor, paste that URL into your browser and use it to sign up for the new account. Better yet, get an invitation from someone who doesn’t know you – visit Bytetest or FatWallet, both of which maintain lists of free Gmail invitations.

A warning on all webmail accounts – you’re trusting the company that runs the service with all your email. If that company gets hacked, or if they are pressured by other governments to reveal information, they’ve got access to the text of all the mails you’ve received and sent. The only way around this is to write your mails in a text editor, encrypt them on your own machine using PGP and send them to someone also using PGP. This is way beyond the level of secrecy most of us want and need, but it’s important to remember that you’re trusting a company that might or might not have your best interests at heart. Yahoo, in particular, has a nasty habit of turning over information to the Chinese government – Chinese dissidents are now suing the company for illegal release of their data. Just something to think about when you decide who to trust…

b) Turn Tor on in your browser, or start Torpark. Visit the mail site of your choice and sign up for a new account. Don’t use any personally identifiable information – consider becoming a boringly named individual in a country with a lot of web users, like the US or the UK. Set a good, strong password (at least eight characters, include at least one number or special character) for the account and choose a username similar to what you’re going to name your blog.

c) Make sure you’re able to log onto the mail service and send mail while Tor is enabled.

Step 3: Register your new anonymous blog

a) Turn Tor on in your browser, or start Torpark. Visit WordPress.com and sign up for a new account by clicking the “Get a New WordPress Blog” link. Use the email address you just created and create a username that will be part of your blog address: thenameyouchoose.wordpress.com

b) WordPress will send an activation link to your webmail account. Use your Tor-enabled browser to retrieve the mail and follow that activation link. This lets WordPress know you’ve used a live email account and that they can reach you with updates to their service – as a result, they’ll make your blog publicly viewable and send you your password. You’ll need to check your webmail again to retrieve this password.

c) Still using Tor, log into your new blog using your username and password. Click on “My Dashboard”, then on “Update your profile or change your password.” Change your password to a strong password that you can remember. Feel free to add information to your profile as well… just make sure none of that information is linked to you!

Step 4: Post to your blog

a) Write your blog post offline. Not only is this a good way to keep from losing a post if your browser crashes or your net connection goes down, it means you can compose your posts somewhere more private than a cybercafe. A simple editor, like Wordpad for Windows, is usually the best to use. Save your posts as text files.

b) Turn on Tor, or use Torpark, and log onto WordPress.com. Click the “write” button to write a new post. Cut and paste the post from your text file to the post window. Give the post a title and put it into whatever categories you want to use.

c) Before you hit “Publish”, there’s one key step. Click on the blue bar on the right of the screen that says “Post Timestamp.” Click the checkbox that says “Edit Timestamp”. Choose a time a few minutes in the future – ideally, pick a random interval and use a different number each time. This will put a variable delay on the time your post will actually appear on the site – WordPress won’t put the post up until it reaches the time you’ve specified.

By editing the timestamp, we’re protecting against a technique someone might use to try to determine your identity. Imagine you’re writing a blog called “Down with Ethiopia Telecommunications Company!” Someone at ETC might start following that blog closely and wonder whether one of their customers was writing the blog. They start recording the times a post was made on downwithetc.wordpress.com and check these timestamps against their logs. They discover that a few seconds before each post was made over the series of a month, one of their customers was accessing one or another Tor node. They conclude that their user is using Tor to post to the blog and turn this information over to the police.

By changing the timestamp of the posts, we make this attack more difficult for the internet service provider. Now they’d need access to the logs of the WordPress server as well, which are much harder to get than their own logs. It’s a very easy step to take that increases your security.
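An added illustration of the timestamp reasoning above, run on constructed data (it is not part of the original guide): it compares the timestamps a reader would see on the blog with the times a Tor connection would appear in an ISP's log. The 60-second matching window, the 5 to 45 minute delay range and all function names are assumptions made for this example.

```python
"""Why a varying future timestamp weakens the ISP-log correlation from Step 4."""
import secrets
import statistics
from datetime import datetime, timedelta

# Constructed sample data: on 30 consecutive days the writer connects to Tor
# at a different time of day and clicks "Publish" 20 seconds later.
START = datetime(2006, 10, 1, 18, 0, 0)
TOR_CONNECTS = [START + timedelta(days=d, minutes=(37 * d) % 240) for d in range(30)]
PUBLISH_CLICKS = [t + timedelta(seconds=20) for t in TOR_CONNECTS]

# Assumed reading of "a few seconds before each post was made".
MATCH_WINDOW = timedelta(seconds=60)


def pick_delay_minutes(low=5, high=45):
    """Pick a fresh delay for one post (bounds are assumptions, not from the guide)."""
    return low + secrets.randbelow(high - low + 1)


def public_timestamps(clicks, delays_min):
    """Timestamp shown on the blog = click time + the delay set under 'Edit Timestamp'."""
    return [c + timedelta(minutes=m) for c, m in zip(clicks, delays_min)]


def gaps_seconds(connects, stamps):
    """For each public timestamp, seconds since the most recent earlier Tor connection."""
    return [(s - max(c for c in connects if c <= s)).total_seconds() for s in stamps]


def summarize(connects, stamps, window=MATCH_WINDOW):
    """Count posts that line up with a connection, and how regular the gap is."""
    gaps = gaps_seconds(connects, stamps)
    return {
        "posts": len(stamps),
        # Posts whose public timestamp falls inside the window after a connection.
        "within_window": sum(1 for g in gaps if g <= window.total_seconds()),
        # 0.0 means every post follows a connection by exactly the same gap.
        "gap_spread_s": statistics.pstdev(gaps),
    }


if __name__ == "__main__":
    n = len(PUBLISH_CLICKS)
    scenarios = {
        "no delay": [0] * n,
        # A fixed delay leaves the window but keeps an identical gap on every post.
        "fixed 10 min": [10] * n,
        "different each time": [pick_delay_minutes() for _ in range(n)],
    }
    for name, delays in scenarios.items():
        stamps = public_timestamps(PUBLISH_CLICKS, delays)
        print(f"{name:20s} {summarize(TOR_CONNECTS, stamps)}")
```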

Step 5: Cover your tracks

a) Securely erase the rough drafts of the post you made from your laptop or home machine. If you used a USB key to bring the post to the cybercafe, you’ll need to erase that, too. It’s not sufficient to move the file to the trash and empty the trash – you need to use a secure erasing tool like Eraser which overwrites the old file with data that makes it impossible to retrieve. On a Macintosh, this functionality is built in – bring a file to the trash and choose “Secure Empty Trash” from the Finder Menu.

b) Clear your browser history, cookies and passwords from Firefox. Under the Tools menu, select “Clear Private Data”. Check all the checkboxes and hit “okay”. You might want to set up Firefox so that it automatically clears your data when you quit – you can do this under “Firefox -> Preferences -> Privacy -> Settings”. Choose the checkbox that says “Clear private data when closing Firefox”.

It’s very easy for someone to view the websites you’ve visited on a computer by reviewing your browser history. More sophisticated snoops can find out your browsing history by checking your cache files, which include stored versions of webpages. We want to clear all this data out from a public computer so that the next user doesn’t find it. And we want to eliminate it from our personal computer so that if that computer were lost, stolen or seized, we can’t be linked to the posts we’ve made.

Some parting thoughts:

– It’s not enough just to protect yourself when writing to your own blog. If you’re going to post comments on other blogs using your “nom de blog”, you need to use Tor when posting those comments as well. Most blog software records the IP a comment came from – if you don’t use Tor, you invite whoever runs that site to track your IP address back to your computer. Tor’s like a condom – don’t practice unsafe blogging.

– Just because you’re anonymous doesn’t mean you shouldn’t make your blog pretty. The “Presentation” tab in WordPress has lots of options to play with – you can pick different templates, even upload photos to customize some of them. But be very, very careful in using your own photos – you give a lot of information about yourself in posting a photo (if the photo was taken in Zambia, for instance, it’s evidence that you are or were in Zambia.)

– If you’re really worried about your security, you might want to go a step further in setting up your Firefox browser and turn off Java. There’s a nasty security bug in the most recent release of Java that allows a malicious script author to figure out what IP address your computer has been assigned EVEN IF YOU ARE USING TOR. We don’t worry too much about this because we don’t think that WordPress.com or Google are running these malicious scripts… but it’s something to seriously consider if you’re using Tor for other reasons. To turn off Java, go to “Firefox -> Preferences -> Content” and uncheck the box for Enable Java.

– If you’re the only person in your country using Tor, it becomes pretty obvious – the same user is the only one who accesses the IP addresses associated with Tor nodes. If you’re going to use Tor and you’re worried that an ISP might be investigating Tor use, you might want to encourage other friends to use Tor – this creates what cryptographers call “cover traffic”. You also might want to use Tor to read various websites, not just to post to your blog. In both cases, this means that Tor is being used for reasons other than just posting to your anonymous blog, which means that a user accessing Tor in an ISP’s server logs doesn’t automatically make the ISP think something bad is taking place.

A final thought on anonymity: If you don’t really need to be anonymous, don’t be. If your name is associated with your words, people are likely to take your words seriously. But some people are going to need to be anonymous, and that’s why this guide exists. Just please don’t use these techniques unless you really need to.


  1. Thanks yet again for the comprehensive tutorial on how to blog anonymously – it could not get any easier than how you have outlined it here in this post. Thanks

    Comment by Teeth Maestro — October 2, 2006 @ 5:45 am

  2. Anonymous with Tor and WordPress…

    Ethan Zuckerman has an English-language guide, Anonymous Blogging with WordPress and Tor, which also covers possible pitfalls and important tips. Otherwise the procedure resembles the other guides to anonymous blogging: be it the Ha…

    Trackback by rabenhorst — October 2, 2006 @ 8:38 am

  3. Ethan,

    Thanks for the timestamp tip: I have always wondered how I would set up my musical posts to self-publish late on Friday nights and ta-da – here’s how.

    – Steve

    Comment by Ntwiga — October 5, 2006 @ 1:58 pm

  4. […] Indeed, Tor is a hugely useful tool for people in China trying to evade the Great Firewall, or for people trying to publish online with a persistent, untraceable pseudonym. Roger was interested in meeting a group of dissidents to understand what their needs are and how future versions of Tor could be more useful in enabling access to information and free speech in repressive nations. […]

    Pingback by …My heart’s in Accra » “We’ve got to adjust some of our threat models” — October 6, 2006 @ 8:12 pm

  5. […] 8) Ethan Zuckerman shares how one can blog anonymously. […]

    Pingback by stillhaventfound.org » Occasional Links 15 — October 7, 2006 @ 9:11 am

  6. […] A technical guide to anonymous blogging – a very early draft with an October followup here   […]

    Pingback by Doctor Daisy » doing public private — October 7, 2006 @ 5:19 pm

  7. […] John Gormley also suggests that TDs could have anon blogs where they disclose all the gossip from Leinster House. That’s interesting. Or maybe someone that solicited gossip from there and printed it. But how could you verify this gossip? Actually that’s a very good question we could have asked Mr. Fawkes. On that topic Ethan Zuckerman has one technical suggestion for remaining anonymous while blogging using specialist software. […]

    Pingback by Damien Mulley » Blog Archive » So what *can* bloggers do? — October 9, 2006 @ 6:19 pm

  8. […] In other news, check out this post from Ethan Zuckerman about anonymous blogging. The man has such a way of connecting these tech-y things to real-life human rights issues. There’s no one like him. Thanks to my colleague Micah Sifry and Rebbecca Mackinnon for blogging about this before me. […]

    Pingback by Blank pages, absence, projects, anonymity at This is really happening. — October 10, 2006 @ 8:27 pm

  9. […] One thing that I was asked about in Iran a few times was how to blog anonymously. And about better ways to get around the filter. I tried my best to explain what I knew about the subject, but I think I lost most people pretty quickly. And besides, it can be somewhat complicated and these things are so much easier to understand when they’re written down. Now Ethan Zuckerman, of the Berkman Center for Internet and Society, has compiled a step-by-step guide to explain the necessary procedures in great detail. […]

    Pingback by j|turn » How to Practice Safe Blogging — October 11, 2006 @ 8:48 pm

  10. Thanks so much for this one! I was in Iran recently and got asked about how to do this, and I had nowhere to point them to! You explain it so much better than I ever could! However, do you have any plans of trying to get it translated to other languages? Persian and Mandarin are obvious choices, but I’m sure there are other areas where there’s little knowledge of English that would benefit as well. Would you mind if I pulled some strings to get a Persian translation up?

    Comment by Jonathan — October 11, 2006 @ 10:33 pm

  11. Jonathan – you’re absolutely welcome to translate it if you’d like. I’m waiting for a bit more feedback before I move the document to Global Voices, where we’ll actively encourage people to translate it.

    Comment by Ethan — October 12, 2006 @ 9:00 am

  12. […] Worldchanging.com has an excellent article covering the tools you can use to publish securely and anonymously. Indeed, Tor is a hugely useful tool for people in China trying to evade the Great Firewall, or for people trying to publish online with a persistent, untraceable pseudonym. Roger was interested in meeting a group of dissidents to understand what their needs are and how future versions of Tor could be more useful in enabling access to information and free speech in repressive nations. […]

    Pingback by ironcove.net - Security Awareness for .orgs. » Blog Archive » Using Technology to Protect Free Speech in Dangerous Places — October 12, 2006 @ 8:58 pm

  13. FYI you mistyped the URL in the Hushmail link. Also I’m surprised you recommended gmail, which proclaims they’ll never delete your email.

    Comment by Rob — October 15, 2006 @ 11:15 pm

  14. Thanks for the fix on the URL, Rob.

    As for Hushmail versus Gmail:
    – Gmail allows you to delete mail these days.
    – A lot of folks find Hushmail hard to use because of the nagware model it uses.
    – You don’t know what Hushmail’s doing behind the scenes – nor do we with Gmail. All webmail that you don’t run yourself is a leap of faith.
    – This account isn’t likely to be a heavily used account for the blogger – it’s being set up mostly to allow the blog creation.

    Choosing a secure email strategy for activists is another topic entirely – in that case, I can see arguments for both GMail and Hushmail, depending on the expertise of the user.

    Comment by Ethan — October 17, 2006 @ 4:08 pm

  15. […] Anonymous Blogging with WordPress.com and Tor, by Ethan Zuckerman. Hat tip: Lorelle. « Tailrank […]

    Pingback by Photo Matt » Anonymous Blogging — October 17, 2006 @ 9:03 pm

  16. […] >> Web anonymity for bloggers whose lives might really be in danger (earlier draft, via Lorelle) […]

    Pingback by Web Anonymity 101 - Digital Breadcrumbs « //engtech — October 17, 2006 @ 10:17 pm

  17. Interesting article with nice tips to get a solution for. Thanks.

    Comment by Joerg Petermann — October 18, 2006 @ 2:03 am

  18. […] Ethan Zuckerman offers a way for bloggers to blog anonymously with WordPress.com. […]

    Pingback by Ethan Zuckerman: Blog Anonymously with Wordpress.com « Lorelle on WordPress — October 18, 2006 @ 3:29 am

  19. […] This article describes how to blog anonymously but you could just as well surf the internet anonymously as well. Link. […]

    Pingback by Anonymous Surfing « Interknox Networks — October 18, 2006 @ 9:31 am

  20. Note that web browsers reveal a great deal of information about you, which Tor does nothing to hide. Also, flash, javascript, and java can all be used to discover your real IP address.

    True anonymous blogging is hard. Some of the issues and ways to improve the anonymity of the Torpark browser (or plain old firefox) are discussed at http://advosys.ca/viewpoints/2006/09/torpark-quick-look/

    Comment by D Webber — October 18, 2006 @ 9:40 am

  21. D Webber – Privoxy, which installs with Tor, does a pretty good job of covering a lot of the information browsers usually leave behind. Tor itself isn’t responsible for that aspect of cleanup, but installs Privoxy for precisely that reason – it cleans up the DNS leakage problem that the article you reference mentions.

    There’s a known Java bug that allows a hostile site to request a real IP from a user – in this case, we’re using two sites (Gmail and WordPress) which we don’t anticipate are running special hostile scripts to grab that real IP. Certainly one step you could take within these directions is disabling Java for fear that either service is using a Java applet solely to obtain your real IP – in absence of any confirmed threat, I haven’t chosen to recommend it.

    This method does work with both Java and Javascript turned off and without a flash player, but it’s pretty ugly and threatening for an average user in that configuration. My goal here was to document a method that addressed the known techniques being used to compromise anonymous bloggers – it isn’t guaranteed to protect privacy for a user who’s going to arbitrary sites on the web which may have hostile Java or Flash applets designed to try to reveal their private information.

    Comment by Ethan — October 18, 2006 @ 9:55 am

  22. […] a primer on how to blog anonymously…. Ethan Zuckerman (My Heart’s in Accra) states in Anonymous Blogging with WordPress and Tor: “I wrote a technical guide to anonymous blogging some months back and posted it on Global Voices, outlining several different methods for blogging anonymously. Since then, I’ve led workshops in different corners of the world and have gotten comfortable teaching a particular set of tools – Tor, WordPress and various free email accounts – which used in combination can provide a very high level of anonymity.” […]

    Pingback by Now, this blog article is extremely interesting — October 18, 2006 @ 10:44 am

  23. I just discovered dodgeit.com which are disposable free email addresses for receiving emails only.

    Comment by Lloyd D Budd — October 18, 2006 @ 6:34 pm

  24. […] …My heart’s in Accra » Anonymous Blogging with WordPress and Tor […]

    Pingback by Anonymous blogging - ‘he who aches the most, screams the loudest’ « Believing Impossible Things — October 18, 2006 @ 11:19 pm

  25. […] I consider it very important to inform yourself about what options exist for blogging anonymously. For this, please read through the English-language tutorial at your leisure: Anonymous Blogging with WordPress and Tor […]

    Pingback by Basic Thinking Blog » Guide: Anonym mit Wordpress bloggen — October 20, 2006 @ 12:24 pm

  26. […] Ethan Zuckerman has setup a guide for blogging anonymously (via Lorelle On WordPress). The suggestions include using the free yet fantastic WordPress.com platform and Tor for anonymity. I think howmuchever a technology is good, there will always be technology that will break it. Probably the best way to blog anonymously is to blog from different places. […]

    Pingback by Blog Anonymously « Abhijit Nadgouda @ iface — October 20, 2006 @ 9:39 pm

  27. […] Finally, before I go to sleep, I’m going to clear my mind a little. I was reading an article by Ethan Zuckerman about the safest way to blog anonymously. This Zuckerman blogs a lot about the affairs of people fighting for human rights in Africa and aims his article mainly at that group of people, whom much is done to silence but who go to incredible lengths to be able to blog anonymously. All so that their voice may be heard and the truth (which is sometimes stranger than fiction) may come out. […]

    Pingback by Skoðanahorn Kristjáns Atla » Blog Archive » MacBook — October 21, 2006 @ 10:02 pm

  28. […] Web anonymity for bloggers whose lives might be in danger (earlier draft). […]

    Pingback by Web Anonymity 103 - Online Privacy « //engtech — October 26, 2006 @ 10:56 am

  29. […] Anonymous Blogging with WordPress and Tor Very nice… (tags: anonymous web blog tor privacy) […]

    Pingback by links for 2006-10-29 — October 28, 2006 @ 9:18 pm

  30. > Also, Hotmail and Yahoo don’t offer secure HTTP (https)
    > interfaces to webmail – again, this doesn’t matter so long as
    > you use Tor every time you use these mail services. But many
    > users will want to check their mail in circumstances where
    > they don’t have Tor installed – for your main webmail account,
    > it’s worth choosing a provider that has an https interface to
    > mail.

    I think that suggestion is wrong, at least I do not see why you would be making it. Using TOR is not a replacement for HTTPS. Tor traffic is only encrypted between the user and the exit node. From exit node to destination server it’s just regular http traffic and not encrypted (when using http; if you use https, of course it’s still encrypted). Some would even argue that the fact that exit nodes are usually run by private people/enthusiasts _can_ make it less secure, because there is no company liable for abuse/sniffing. But as explained above, that is not even the main point.

    The recommendation is always to use TOR together with SSL where possible.

    Of course if the only possible attacker is suspected to be from the user’s LAN or the user’s ISP, then you could reasonably make the argument that using HTTP over TOR is an improvement over plain HTTP, but one should be careful to note the implicit assumptions for that reasoning. There are too many people wrongly assuming that TOR encrypts all traffic everywhere, and that it is inherently secure against everything when using TOR. The TOR people are very careful in their FAQs to mention which privacy problems TOR solves, and which it doesn’t – this is even more important when people’s health or even lives might be affected by wrong assumptions/understandings.

    Comment by Sencer — November 1, 2006 @ 11:44 am

  31. The threat model we’re trying to deal with here, Sencer, is that one is being attacked via one’s ISP – keep in mind that this is a special purpose document. I am not trying to argue that Tor is safe for all purposes, or that Tor will prevent that email session from being intercepted at some other point in the chain.

    Comment by Ethan — November 1, 2006 @ 12:00 pm

  32. […] So I was reading once again this very good post by Ethan Zuckerman on anonymous blogging and it’s still extremely interesting. Besides the deep explanation about a proper use of Tor and a step-by-step guide to anonymous blogging, I think his final disclaimer is pretty neat:  A final thought on anonymity: If you don’t really need to be anonymous, don’t be. If your name is associated with your words, people are likely to take your words seriously. But some people are going to need to be anonymous, and that’s why this guide exists. Just please don’t use these techniques unless you really need to. […]

    Pingback by anonymous vs notorious aka stand up for something « bravi ma basta. — November 1, 2006 @ 6:29 pm

  33. […] http://www.ethanzuckerman.com/blog/?p=1015 […]

    Pingback by The Life of Nerdlinger » Blog Archive » Very interesting link about anonymous blogging — November 13, 2006 @ 8:39 am

  34. […] Ethan Zuckerman shows us, in this post, how to blog anonymously using WordPress and Tor. […]

    Pingback by El Blog de Luis Rull » Blog Archive » Bloguear anonimamente: tutorial usando Wordpress y Tor — December 5, 2006 @ 8:44 am

  35. Nice article. I just wrote a guide to registering a domain name, and creating a self-owned blog in the cheapest way possible. The article is at http://routineorder.com/filed/2007/02/26/how-to-blog-anonymously-and-independently-on-the-cheap/

    That’s my blog, and I blog anonymously.

    Comment by Orderer — February 27, 2007 @ 12:33 am

  36. […] – The strategies I outlined in my document on anonymous blogging with WordPress and Tor still give a high level of certainty to bloggers that they can write online while disguising their identity. This isn’t a guarantee of perfect security, but I feel comfortable recommending the strategy to my friends in repressive nations. […]

    Pingback by …My heart’s in Accra » Don’t stop using Tor. — February 27, 2007 @ 6:16 pm

  37. […] This won’t do much to protect those gutsy Egyptian bloggers standing out on a limb to expose torture in Egyptian detention centers, but given that Egypt has for the first time jailed a blogger for the contents of his blog, and given disturbing reports of harassment and intimidation of bloggers by security forces, less courageous bloggers should check out Ethan’s excellent guide to blogging anonymously with TOR and WordPress. RSF’s guide is also worth a look (Arabic here). […]

    Pingback by The Arabist » Public Service Announcement — February 28, 2007 @ 9:20 pm

  38. […] Writing in The Arabist, Tim Seah links to Global Voices Online Co-founder Ethan Zuckerman’s guide to blogging anonymously here. “If you’re an anonymous blogger, remember: your pseudonym affords you no protection against anyone with even a little bit of determination and know-how,” he cautions. Amira Al Hussaini […]

    Pingback by Global Voices Online » Blog Archive » Egypt: Anonymous Blogging Tips — March 1, 2007 @ 5:37 pm

  39. I’ve got this from that Tor test page, but I’m sure I’m using Tor. Is there any other Tor test page out there?

    “You are (probably) NOT using Tor.

    You connected to this site from, hostname , which is NOT a valid Tor exit node. If you are attempting to use a Tor client, please refer to the Tor website and specifically the instructions for configuring your Tor client. If this is not the IP address from which you appear to connect when you disable your HTTP proxy, then it may be that the particular Tor node selected by your Tor client is multi-homed.”

    Comment by veek — March 8, 2007 @ 7:57 pm

  40. Does wordpress.com offer secure HTTP (https) login? Is there any other WordPress that uses https?

    Comment by amio — March 9, 2007 @ 11:34 am

  41. Yep, I second comment #39 by veek. The Harvard site tells me I am not using Tor even when clearly I AM, LOL! Are you/the Harvard site trying to raise unnecessary FUD?

    OK, now for some justifiable serious FUD…

    I must make it known that Torpark is VERY suspicious.

    Download size of the OFFICIAL Tor Windows Installation vidalia-bundle- (6.26MB)

    Download size of Torpark for Windows? A whopping (10.9MB)! Why is it almost double of the official Windows installation? What other stuff is it HIDING in there that it needs to do the job that the ORIGINAL bundle already does admirably from http://tor.eff.org/download.html.en?

    What’s more, at the time of your article (Oct 2006), Torpark NEVER came with Privoxy installed (which is ESSENTIAL to prevent your IP being leaked when your browser makes DNS calls) – hey I know since I field-tested Torpark – it has NO Privoxy!

    In addition, Torpark takes like FOREVER to build a circuit, and more often than not, it can’t connect! AND it lacks useful features like the bandwidth graph, network map, message log, etc. that come with the ORIGINAL Tor bundle that packs in Vidalia, Privoxy and QT. Hey I like my CIA map, k. :)

    Convenience of a portable app on a USB key is a good feature, BUT Torpark’s POOR PERFORMANCE in circuit connection is MORE trouble than it’s worth, even when it is launched from the hard drive. Imagine the CRAPPY performance from a USB key. *exasperation* and *hair-tearing*!

    I never experience any connection delay when using the ORIGINAL Tor bundle.

    Stick with your own notebook – that way, you sleep better knowing you’re not at the mercy of keyloggers installed in cybercafes the world over.

    By the way, Torpark is now planned as a COMMERCIAL service promising speeds IN EXCESS of the Tor network! Now how is that possible? It all looks very fishy. To attain that level of speed, they need to run on their own network, which means they own you on their infrastructure! The very fact that it is able to ID its clients to offer a higher speed through the Tor network (is this even possible on the public Tor network?) means it can track you IF it, OR anyone paying them enough, wants to track you. Caveat emptor!

    Hey, I’ll stick to the public Tor network anyday.

    It’s clear to all why you (Ethan Zuckerman) are not a tech guy. It’s grossly IRRESPONSIBLE of you to recommend Torpark without due diligence. I pity the uninformed users who use Torpark on your flawed advice and get a false sense of security. Poor things!

    If you can’t give good advice – DON’T! You’ll harm more people that way!

    Comment by Wouldn't you like to know ;) — March 9, 2007 @ 1:34 pm

  42. #40, I don’t know about wordpress.com login, but blogger.com uses https though.
    #41, about the size, I think torpark is bundled w/ ff. But yeah, torpark sucks and is very fishy…

    Comment by hopely anon — March 11, 2007 @ 9:22 pm

  43. The problem with WordPress & Livelyblog is that you cannot use the interface if you turn off Javascript in your browser. This seems to be a major security threat.

    Comment by Richard Heck — March 31, 2007 @ 12:14 am

  44. […] As you might have expected, my real first or last name is nowhere to be found on this blog – I even might be a bored lesbian housewife from downtown Antwerp who just likes to have fun by creating multiple fictional but ever so exciting online personalities. And I might have gone to great lengths to cover my tracks. […]

    Pingback by Digital breadcrumbs: has blogging turned into a privacy hazard? « Antwerp Calling — April 4, 2007 @ 6:16 pm

  45. […] More: Believe in Tor, Require Fewer Layers of Tinfoil, U.S. Government Not Your Enemy? This Might Do Posted in Surveillance, Technology, Resistance | Trackback | Top Of Page […]

    Pingback by cryptogon.com » Archives » High-Traffic Colluding Tor Routers in Washington, D.C., and the Ugly Truth About Online Anonymity — May 2, 2007 @ 9:32 am

  46. Regarding publishing of photos: keep in mind that many cameras record EXIF data in the photo itself, which includes not only lens, shutter, and exposure info, but also information about the camera itself, which in some cases includes the serial number. Also, two photos can be compared and shown to have been taken by the same camera in much the same way that typewriters or bullets are compared.

    If anonymity is crucial yet you must post pictures you’ve taken yourself, use software that strips out the EXIF data and save the photo as a JPEG more than once (i.e. make it a second or third generation copy), preferably with more than one program. This will reduce image quality and sharpness; however, doing this prior to scaling the photo down to web page size should be sufficient for maintaining anonymity yet less likely to obscure details.

    Comment by Bryan — May 27, 2007 @ 11:00 pm
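
    An added example, not part of Bryan’s comment above: a minimal sketch of what “software that strips out the EXIF data” does at the file level, dropping the metadata segments of a JPEG and leaving the image data untouched. The function names and the sample bytes are constructed for illustration; it covers only the metadata half of the comment, not the camera-comparison point that re-saving is meant to address.

```python
import struct

SOS, EOI, COM = 0xDA, 0xD9, 0xFE
NO_LENGTH = {0x01, EOI} | set(range(0xD0, 0xD8))  # TEM, EOI, RST0-7: no length field

def seg(marker, payload):
    """Build one JPEG segment: FF, marker, 2-byte big-endian length, payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def strip_jpeg_metadata(data):
    """Return (clean_bytes, removed); removed lists (marker, length) of dropped segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, removed, pos = bytearray(b"\xff\xd8"), [], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        if data[pos + 1] == 0xFF:      # fill byte before a marker: skip it
            pos += 1
            continue
        marker = data[pos + 1]
        if marker == SOS:
            # Compressed scan data follows; copy the rest unchanged.
            # Caveat: bytes appended after the final EOI are copied too.
            out += data[pos:]
            return bytes(out), removed
        if marker in NO_LENGTH:
            out += data[pos:pos + 2]
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        # APP1-APP15 hold Exif (with thumbnail and maker notes), XMP, IPTC, ICC;
        # COM holds free-text comments. APP0 (the JFIF header) is kept.
        if 0xE1 <= marker <= 0xEF or marker == COM:
            removed.append((marker, length))
        else:
            out += data[pos:end]
        pos = end
    raise ValueError("no scan data found")

# Constructed sample: structurally valid segments, not a decodable picture.
SAMPLE = (b"\xff\xd8"
          + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + seg(0xE1, b"Exif\x00\x00" + b"SerialNumber=CONSTRUCTED-0001")
          + seg(COM, b"constructed comment")
          + seg(0xDB, bytes(65))
          + seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56\xff\xd9")

if __name__ == "__main__":
    clean, removed = strip_jpeg_metadata(SAMPLE)
    print([(hex(m), n) for m, n in removed], len(SAMPLE), "->", len(clean))
```

    Dropping every APPn segment except APP0 is deliberately conservative; it also removes any ICC colour profile, so colours may render slightly differently.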

  47. […] http://www.ethanzuckerman.com/blog/?p=1015 Tags: blog, privacy, security, tor, wordpress, anonymous(del.icio.us history) […]

    Pingback by …My heart’s in Accra » Anonymous Blogging with Wordpress and Tor — June 10, 2007 @ 5:14 pm

  48. […] Anonymous blogging and commenting also allows individuals living under repressive regimes in Iran, Zimbabwe, Egypt to publish their opinions freely and to get out news that might otherwise not enter the mainstream media. Which is why Ethan wrote a technical guide to anonymous blogging. […]

    Pingback by El Oso, El Moreno, and El Abogado » Blog Archive » The End of Anonymity? — July 10, 2007 @ 3:48 pm

  49. Beware that while TOR does a good job of hiding the client to the server, anyone wanting to sniff a cross-section of what was intended to be hidden can operate exit nodes making a portion of the traffic easily loggable.


    I wonder how many exit nodes are operated by intelligence agencies of various countries…….

    Comment by sfromis — December 13, 2007 @ 1:59 pm

  50. […] a few articles around explaining how to anonymously write a blog at WordPress.com. Some, such as this one, are comprehensive and recommend secure methods such as TOR. Others offer techniques that are […]

    Pingback by Secure anonymous blogging at wordpress.com « cypherpundit — December 18, 2007 @ 6:16 pm

  51. Remember, go to your DOS prompt and type EDIT…..then type your cleartext into the OLLLD EDIT program. Leaves fewer ghost files, .tmp files etc.

    Just one more way to flaunt the NSA……….

    Remember this, older is sometimes better, really old is sometimes the BEST. And EDIT is old.

    Comment by Anonymous — January 23, 2008 @ 4:14 pm

  52. Woah.. I don’t know about TOR. I read major security issues and in a country where those vulnerabilities can have devastating effects, I’d steer clear of it.

    I went with Anonymizer last year and haven’t had any complaints. What’s good is that their systems are closed source and no logs are kept. I have heard about other companies sending subpoenas to get log info and provided with nothing but empty connection points.

    Comment by Jack Christopher — March 6, 2008 @ 2:49 pm

  53. I’d recommend reading more closely, Jack. Tor’s issues are largely theoretical, lab-based attacks. Systems like Anonymizer rely on you trusting that single company – you have no way of verifying their code or their assertions that they keep no logs.

    Comment by Ethan — March 6, 2008 @ 3:11 pm

  54. > I went with Anonymizer last year and haven’t had any complaints.

    Therefore, Anonymizer is 100% trustworthy. Like the Government.

    > What’s good is that there systems are closed source and no logs are kept.

    How do you know this? Oh, ok, because they say so. Therefore it must be true.

    Comment by Biodegradable Pants — March 14, 2008 @ 5:51 am

  55. Tor is so good for hiding our IP address, but the con is that sometimes your connection will be really slow, since the information will go through many computers before reaching the target.

    Comment by smaelz83 — July 15, 2008 @ 2:37 am

  56. I never heard of Tor before. Is that similar to using proxies or is it totally different?


    Comment by Egypt Property — August 28, 2008 @ 5:26 am

  57. […] earlier version of this guide was written by Ethan Zuckerman on April 13, 2005 and updated on October 1, 2006. On August 8, Global Voices Advocacy published an updated HTML version of the guide and […]

    Pingback by Global Voices em Português » Blogando Anonimamente — September 27, 2008 @ 2:45 pm

  58. good article thank you

    Comment by mikel — October 5, 2008 @ 7:46 pm

  59. […] My heart’s in Accra – Anonymous Blogging with WordPress and Tor (tags: anonymous blogging blogs tutorials wordpress privacy security tips tools tor) […]

    Pingback by Dobschat » links for 2006-10-22 — August 22, 2009 @ 2:49 pm

  60. […] of the anonymous proxy server idea – Ethan Zuckerman explains how to set it up in “Anonymous Blogging with WordPress and Tor“. One of the great joys of working on Global Voices has been having the chance to work with […]

    Pingback by The Shockwave Rider | Hybrid Auto News - Hybrid Cars — October 15, 2010 @ 8:23 pm

  61. […] early draft of this guide was written by Ethan Zuckerman on April 13, 2005 and updated on October 1, 2006. On August 8, 2007 Global Voices Advocacy published an updated and linkable, blogging-friendly, […]

    Pingback by Anonymous Blogging with Wordpress & Tor – Global Voices Advocacy « WorldWright's … — March 3, 2011 @ 3:52 pm

  62. […] of the anonymous proxy server idea – Ethan Zuckerman explains how to set it up in “Anonymous Blogging with WordPress and Tor“. One of the great joys of working on Global Voices has been having the chance to work with […]

    Pingback by The Shockwave Rider « To Build Solar Panel — October 4, 2011 @ 2:42 am

  63. This guide (regarding tor) is practically useless if you can’t even access the MAIN tor website to download the bundle or even the webpage of mirrors.

    so much for anonymous blogging with wordpress and– oops. NOT tor.

    Comment by Anonymous — October 7, 2011 @ 1:00 pm

  64. […] early draft of this guide was written by Ethan Zuckerman on April 13, 2005 and updated on October 1, 2006. On August 8, 2007 Global Voices Advocacy published an updated and linkable, blogging-friendly, […]

    Pingback by Anonymous Blogging with WordPress & Tor « Flüchtlingshilfe Iran e.V. 2010 — February 7, 2012 @ 1:55 pm

  65. […] early draft of this guide was written by Ethan Zuckerman on April 13, 2005 and updated on October 1, 2006. On August 8, 2007 Global Voices Advocacy published an updated and linkable, blogging-friendly, […]

    Pingback by Huge attack on WordPress sites could spawn never-before-seen super botnet « nuclear-news — April 16, 2013 @ 7:06 am

  66. […] Zuckerman offers a way for bloggers to blog anonymously with […]

    Pingback by Ethan Zuckerman: Blog Anonymously with WordPress.com « Lorelle on WordPress — January 10, 2015 @ 11:01 pm

  67. […] Anonymous Blogging with WordPress and Tor | … My heart’s in Accra. […]

    Pingback by Anonymous Blogging with WordPress and Tor | … My heart’s in Accra | Забытый на скамье блокнот — May 13, 2015 @ 6:11 pm
