Security — Verification & OpSec Reference
Security documentation on this wiki covers hostname authenticity, phishing indicators, and research isolation — not destination-service internals. Treat every clearnet page as untrusted until signatures are validated.
PGP verification
Documented signing key fingerprint for mirror list verification:
Import the key from public keyservers. Verify detached signature files before trusting hostnames from any source, including this wiki. Signature rotation should be noted in the article revision history.
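One way to script the detached-signature check described above. This is an added example, not part of the wiki's own tooling. `PINNED_FPR` is a placeholder for the documented fingerprint, the file arguments are hypothetical names, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example. PINNED_FPR is a placeholder: replace it with the fingerprint
# documented by the wiki (the value is not reproduced here).
PINNED_FPR="0000000000000000000000000000000000000000"

# Decide from `gpg --status-fd` output whether a signature is acceptable.
# $1 = status text, $2 = expected primary-key fingerprint (40 hex chars).
check_status() {
    status=$1
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    # A signature made by an expired or revoked key can still be
    # cryptographically valid, so those states are rejected explicitly.
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) '; then
        return 1
    fi
    # VALIDSIG: field 3 is the signing (sub)key fingerprint; field 12, when
    # present, is the primary-key fingerprint. The primary key is what we pin.
    got=$(printf '%s\n' "$status" |
        awk '$1=="[GNUPG:]" && $2=="VALIDSIG" { print (NF>=12 ? $12 : $3); exit }')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Verify a detached signature over the address list, then check who signed it.
# $1 = list file, $2 = detached signature file (hypothetical names).
verify_list() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    check_status "$status" "$PINNED_FPR"
}

# Constructed sample status output for demonstration, not real gpg logs.
SAMPLE_FPR="AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000111122223333 Example Signer
[GNUPG:] VALIDSIG 9999888877776666555544443333222211110000 2024-01-01 1704067200 0 4 0 1 10 00 $SAMPLE_FPR"
SAMPLE_EXPIRED="[GNUPG:] EXPKEYSIG 0000111122223333 Example Signer
[GNUPG:] VALIDSIG 9999888877776666555544443333222211110000 2024-01-01 1704067200 0 4 0 1 10 00 $SAMPLE_FPR"

# Usage: sh verify.sh mirrors.txt mirrors.txt.sig
if [ "$#" -eq 2 ]; then
    verify_list "$1" "$2" && echo "signature valid, pinned key" ||
        { echo "DO NOT TRUST this list"; exit 1; }
fi
```

Matching on the full fingerprint from `VALIDSIG`, not on gpg's exit code or the key's user ID, is what ties the list to the documented key: any imported key can produce a "good signature".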
Phishing indicators
- Hostnames shared only via paste sites or unsolicited chat messages
- Pages lacking valid PGP signatures over the address list
- Clearnet domains mimicking wiki branding with different onion strings
- Urgency language pressuring immediate connection without verification
Research isolation
Analysts often use amnesic OS images (Tails, Whonix) dedicated to Tor sessions. Separate research profiles from daily browsing to reduce cross-context leaks. Do not reuse passwords or browser profiles between clearnet identity and Tor research containers.
Fingerprinting
Set Tor Browser to its highest security level during research. Do not maximize the window, disable unnecessary extensions, and verify the WebRTC leak settings on mobile clients as documented in the Tor Access article.