Due to current events, I2P has recently surged in popularity. Since I2P has no official browser, and the Tor Browser Bundle already has strong fingerprinting protections, many users choose to configure the Tor Browser to connect to I2P instead. This is my procedure for doing so, based on several guides from around the net.
Disclaimer: I am a hobbyist, not a computer security expert. This guide is based on guides from other people, common sense, and my prior knowledge from experience and quite a bit of reading on both Tor and I2P.
Also, don't trust me. Verify yourself that what I'm saying is true. If you think I'm an idiot, go write your own guide and send me a link.
Containing i2p in its own browser profile allows you to continue accessing Tor on the default profile.
Don't connect to the Tor network. Instead, navigate to about:config in the address bar and click "Accept the Risk and Continue".
Change the following settings. Use the search bar to make things faster.
|dom.security.https_first_pbm||false||Don't try connecting to a site with TLS first|
|dom.security.https_only_mode||false||Allow connections to HTTP sites|
|network.proxy.http||127.0.0.1*||The address of your i2p daemon's proxy|
|network.proxy.http_port||4444*||The port of your i2p daemon's proxy|
|network.proxy.no_proxies_on||127.0.0.1||(Optional) Connect directly to websites on this address|
|extensions.torlauncher.start_tor||false||Don't start Tor|
|extensions.torbutton.local_tor_check||false||Don't check for a running Tor process|
|extensions.torbutton.security_slider||1||Set the Tor Browser security level to 'Safest'|
|extensions.torbutton.use_nontor_proxy||true||Allow the use of non-tor proxies|
* You may need to change this value depending on your i2p setup.
Setting extensions.torbutton.use_nontor_proxy will cause Tor Browser to restart. If you see an error about Torbutton, you can safely ignore it.
While you're in about:config, you may want to set browser.startup.homepage to about:blank. Alternatively, you could set it to your I2P daemon's status page. For PurpleI2P (i2pd), it's http://127.0.0.1:7070/.
You probably shouldn't set it to an external site because that information could be used to identify you.
The Tor New Identity button does nothing if we're not connected to Tor. Let's remove it.
If you made a separate profile for i2p, this is the procedure to start it up.
The Tor Browser is (still) not a silver bullet! In fact, we actually weakened the security of the browser by configuring it to use an i2p proxy.
I could probably write a book about this, but here are some quick "don't"s before I wrap up this post.
Don't access the clearnet, use Tor instead. Unlike Tor, i2p does not have integrated support for accessing the clearnet. Instead, it's done through the use of outproxies, which are really just public SOCKS5 proxies available over i2p.
The outproxy operator might not know exactly who you are due to i2p's protections. However, since there are only a few public outproxies, he is in a much better position to snoop on your connection compared to a Tor exit node operator.
Don't access Tor hidden services. See above, except this is worse because Tor hidden services almost never provide TLS (and they don't have to). The outproxy operator can see (and modify!) everything you're doing in this case.
Tor and i2p aren't meant to be used in this way, and you're compromising the anonymity granted to you by each network.
Don't use public address books. Any address that doesn't end in .b32.i2p is using an address book to resolve that name to an i2p key. Regrettably, i2p daemons like to include address books from outside sources.
Public address books can't be trusted. If one gets compromised, example.i2p could point to a completely different server than it did yesterday, and there would be no indication to the user. Like Tor's .onion, addresses, .b32.i2p addresses are based on the public key of the hidden service; it cannot be forged unless an attacker has the private key.
Local address books that you've created are okay, but you should still just use .b32.i2p addresses unless your Ctrl, C, and V keys are broken.
[ ← Disabling Web Search | Notes Index | Ladybird's Current Progress on Yarn.social → ]