Anonymous web browsing refers to the utilization of the World Wide Web that hides a user's personally identifiable information from websites visited. The current popular application for anonymous browsing is the Tor Browser.
When a user opens a web page, his or her IP address and browser fingerprint becomes visible to the target web page's server.
The IP address of the user can be unique to the subscriber, but in many cases, due to the shortage of IPv4 address space, the user is behind a carrier-grade NAT which means multiple users share the same public IP-address. Regardless of the case, the IP-address can be traced by the ISP to the individual subscriber, even retrospectively.
The browser fingerprint consists of multiple pieces of information including, but not limited to user agent, tracking cookies, list of installed browser extensions, previously visited sites, installed fonts, and hardware information such as the operating system, screen size, screen orientation, hardware performance benchmarks, hardware IDs, and battery data. Furthermore, canvas fingerprinting can be used to determine information about the installed graphics driver and GPU.
Sessions during which the user is logged in to some website can be trivially linked together by the server. The patterns of actions of these sessions can be recorded by the server to create a behavioral fingerprint that can identify the same user, even across multiple user accounts.
Once the accumulated data can uniquely identify a user across browsing sessions, if at any point the user provides personally identifying information, e.g. if they log into the website with an account registered under their real name, or if they provide credit card information to the site, their real life identity can be associated with the fingerprint. This can also happen e.g. if the user is doxed: The revealed link between the user's real life identity and pseudonym can then be linked to the data associated with the previously linked pseudonym, browser fingerprint, and past actions done under the pseudonym.
Anonymous web browsing requires disconnecting the user's IP-address and browser fingerprint from their real life identity.
The IP-address of the user can be hidden by using one or more proxy servers. A proxy hides the source IP-address from the server the user tries to connect to, and only the proxy server's IP-address is visible to the server. All proxy services are useful when the user wants to visit a site that might be blocked in a specific country, office, or school, but most proxy services do not make the user sufficiently anonymous.[1]
Web proxy services and VPNs are single-hop proxies which means there is one third-party computer between user and target server. Tor on the other hand uses three random Tor nodes (meaning three hops) between the user and the target server.
Single-hop proxy services are centralized, and they are thus susceptible to subpoenas and NSLs issued by authorities.
Many VPN providers keep log files indefinitely[2] and many VPN providers lie about not keeping logs.[3]
A Web Proxy service or a VPN, is thus rarely enough alone, and such tools should not be relied on for anonymity, especially if the user is a dissident, whistleblower, activist, a journalist or, if the user belongs to an oppressed minority.
It should be noted Tor is vulnerable to end-to-end correlation attacks, which work regardless of the number of nodes. However, the fact Tor isn't perfect does not mean it's not more secure than all of its alternatives. E.g. the Top Secret NSA documents published since 2013 revealed that the FVEY intelligence community considers Tor "The king of high-secure, low-latency anonymity", and that "there are no contenders to the throne in waiting"[4]
Regardless of the length of proxy chain, the last node that establishes the connection to the target server (i.e. the Web proxy, the VPN service provider, or the Tor exit node) can eavesdrop on non-encrypted sessions at will. The only verifiable protection against this is to ensure the browser uses TLS-encryption. This can be checked from the address-bar of the browser. If there is a lock-icon and the URL starts with HTTPS, the connection is encrypted.
Proxy servers introduce some limitations. Primarily, the more nodes between the user and the target server, the more latency there is. This may have significant impact on low latency systems such as VoIP calls and video calls. Sometimes the available bandwidth is also limited either due to the current load experienced by the proxy server, or due to the set bandwidth limits. Some proxy services filter data flagged as inappropriate or suspicious, which may cause some elements of a web page to not load.
Eliminating the browsing fingerprint requires the user to not provide personal details at any point, to delete tracking data across sessions, and to use throw-away user accounts that are registered and used exclusively via the anonymity network.
The user also needs to reduce the fingerprint size by e.g. disabling in-browser features that leak identifying data, such as browser extensions like the Java virtual machine plugin and the Adobe Flash Player as well as JavaScript (e.g. with the NoScript add-on). Browser's privacy settings should be set to delete all data between sessions, and block tracking cookies and other web tracking elements.
An alternative method is to spoof randomizes values for the data fields that make up the browser fingerprint for every session. The problem of randomized fingerprints is, the size of the fingerprint is also revealing: E.g. if only one user happens to provide the low but exact amount of 3.123123 bits of identifying data, the server has some confidence that it's the same user, even if the content of the fingerprint is randomized for every session.
Thus, a much more effective anonymization method is to blend in with the crowd with pre-configured anonymity systems, e.g. Tor Browser,[5] which has been found to be very effective,[6] and where the millions of users all share a slightly larger (but still random) fingerprint of the same size (~10.79 bits).
The "blending in" approach to internet anonymity also explains why it is a bad idea to adjust Tor Browser's privacy settings from e.g. the about:config
section: doing so most likely results in a unique Tor Browser which defeats the anonymity the user desires. Tor Browser's adjustable security slider has three settings, meaning the user-base operates between three levels of security. This also means three sizes of fingerprint, but the buckets are still large enough to provide anonymity.