Continued cleanup; Added 5 FAQ entries. (f30e672dc) - tor-webwml.git

docs/en/faq.wml
@@ -27,11 +27,14 @@ proxies?</a></li>
     <li><a href="#SupportMail">How can I get support?</a></li>
     <li><a href="#Forum">Is there a Tor forum?</a></li>
     <li><a href="#WhySlow">Why is Tor so slow?</a></li>
-    <li><a href="#FileSharing">How can I share files anonymously through Tor?</a></li>
-    <li><a href="#OutboundPorts">Do I have to open all these outbound ports on my firewall?</a></li>
+    <li><a href="#FileSharing">How can I share files anonymously through Tor?
+    </a></li>
+    <li><a href="#OutboundPorts">Do I have to open all these outbound ports 
+    on my firewall?</a></li>
     <li><a href="#Funding">What would The Tor Project do with more
     funding?</a></li>
-    <li><a href="#IsItWorking">How can I tell if Tor is working, and that my connections really are anonymized?</a></li>
+    <li><a href="#IsItWorking">How can I tell if Tor is working, and that my 
+    connections really are anonymized?</a></li>
     <li><a href="#FTP">How do I use my browser for ftp with Tor?</a></li>
     <li><a href="#Metrics">How many people use Tor? How many relays or
     exit nodes are there?</a></li>
@@ -60,7 +63,8 @@ includes Tor?</a></li>
 
     <li><a href="#TBBFlash">Why can't I view videos on YouTube and other
     Flash-based sites?</a></li>
-    <li><a href="#Ubuntu">I'm using Ubuntu and I can't start Tor Browser</a></li>
+    <li><a href="#Ubuntu">I'm using Ubuntu and I can't start Tor Browser
+    </a></li>
     <li><a href="#TBBSocksPort">I want to
     run another application through the Tor launched by Tor Browser
     Bundle.</a></li>
@@ -73,13 +77,18 @@ allow JavaScript by default in the Tor Browser Bundle?  Isn't that
 unsafe?</a></li>
     <li><a href="#TBBOtherBrowser">I want to use Chrome/IE/Opera/etc
     with Tor.</a></li>
+    <li><a href="#TorbuttonOtherBrowser">Will Torbutton be available 
+    for other browsers?</a></li>
+    <li><a href="#NoDataScrubbing">Does Tor remove personal information 
+    from the data my application sends?</a></li>
     <li><a href="#TBBCloseBrowser">I want to leave Tor Browser Bundle
     running but close the browser.</a></li>
 
     <li><a href="#GoogleCAPTCHA">Google makes me solve a CAPTCHA or
 tells
     me I have spyware installed.</a></li>
-    <li><a href="#ForeignLanguages">Why does Google show up in foreign languages?</li></a>
+    <li><a href="#ForeignLanguages">Why does Google show up in foreign 
+    languages?</li></a>
     <li><a href="#GmailWarning">Gmail warns me that my account may have
     been compromised.</a></li>
     </ul>
@@ -101,10 +110,14 @@ country)
     <li><a href="#FirewallPorts">My firewall only allows a few outgoing
     ports.</a></li>
     <li><a href="#ExitPorts">Is there a list of default exit ports?</a></li>
-    <li><a href="#SocksAndDNS">How do I check if my application that uses SOCKS is leaking DNS requests?</a></li>
-    <li><a href="#DifferentComputer">I want to run my Tor client on a different computer than my applications.</a></li>
-    <li><a href="#ServerClient">Can I install Tor on a central server, and have my clients connect to it?</a></li>
-    <li><a href="#JoinTheNetwork">So I can just configure a nickname and ORPort and join the network?</a></li>
+    <li><a href="#SocksAndDNS">How do I check if my application that uses 
+    SOCKS is leaking DNS requests?</a></li>
+    <li><a href="#DifferentComputer">I want to run my Tor client on a 
+    different computer than my applications.</a></li>
+    <li><a href="#ServerClient">Can I install Tor on a central server, and 
+    have my clients connect to it?</a></li>
+    <li><a href="#JoinTheNetwork">So I can just configure a nickname and 
+    ORPort and join the network?</a></li>
     </ul>
 
     <p>Running a Tor relay:</p>
@@ -117,20 +130,29 @@ deal
     with abuse issues.</a></li>
     <li><a href="#RelayOrBridge">Should I be a normal relay or bridge
     relay?</a></li>
-    <li><a href="#UpgradeOrMove">I want to upgrade/move my relay. How do I keep the same key?</a></li>
+    <li><a href="#UpgradeOrMove">I want to upgrade/move my relay. How do I 
+    keep the same key?</a></li>
     <li><a href="#MultipleRelays">I want to run more than one
 relay.</a></li>
-    <li><a href="#NTService">How do I run my Tor relay as an NT service?</a></li>
-    <li><a href="#VirtualServer">Can I run a Tor relay from my virtual server account?</a></li>
+    <li><a href="#NTService">How do I run my Tor relay as an NT service?
+    </a></li>
+    <li><a href="#VirtualServer">Can I run a Tor relay from my virtual server 
+    account?</a></li>
     <li><a href="#WrongIP">My relay is picking the wrong IP address.</a></li>
     <li><a href="#BehindANAT">I'm behind a NAT/Firewall</a></li>
-    <li><a href="#RelayMemory">Why is my Tor relay using so much memory?</a></li>
-    <li><a href="#BetterAnonymity">Do I get better anonymity if I run a relay?</a></li>
+    <li><a href="#RelayMemory">Why is my Tor relay using so much memory?
+    </a></li>
+    <li><a href="#BetterAnonymity">Do I get better anonymity if I run a relay?
+    </a></li>
     <li><a href="#RelayDonations">Can I donate for a relay rather than
     run my own?</a></li>
     </ul>
 
-    <p>Running a Tor hidden service:</p>
+    <p>Tor hidden services:</p>
+    <ul>
+    <li><a href="#AccessHiddenServices">How do I access hidden services?</a></li>
+    <li><a href="#ProvideAHiddenService">How do I provide a hidden service</a></li>
+    </ul>
 
     <p>Anonymity and Security:</p>
     <ul>
@@ -138,11 +160,16 @@ relay.</a></li>
 uses.</a></li>
     <li><a href="#EntryGuards">What are Entry Guards?</a></li>
     <li><a href="#ChangePaths">How often does Tor change its paths?</a></li>
-    <li><a href="#CellSize">Tor uses hundreds of bytes for every IRC line. I can't afford that!</a></li>
-    <li><a href="#OutboundConnections">Why does netstat show these outbound connections?</a></li>
-    <li><a href="#PowerfulBlockers">What about powerful blocking mechanisms</a></li>
-    <li><a href="#RemotePhysicalDeviceFingerprinting">Does Tor resist "remote physical device fingerprinting"?</a></li>
-    <li><a href="#AttacksOnOnionRouting">What attcks remain against onion routing?</a></li>
+    <li><a href="#CellSize">Tor uses hundreds of bytes for every IRC line. I 
+    can't afford that!</a></li>
+    <li><a href="#OutboundConnections">Why does netstat show these outbound 
+    connections?</a></li>
+    <li><a href="#PowerfulBlockers">What about powerful blocking mechanisms
+    </a></li>
+    <li><a href="#RemotePhysicalDeviceFingerprinting">Does Tor resist 
+    "remote physical device fingerprinting"?</a></li>
+    <li><a href="#AttacksOnOnionRouting">What attacks remain against onion 
+    routing?</a></li>
     </ul>
 
     <p>Alternate designs that we don't do (yet):</p>
@@ -154,11 +181,16 @@ packets,
     not just TCP packets.</a></li>
     <li><a href="#HideExits">You should hide the list of Tor relays,
     so people can't block the exits.</a></li>
-    <li><a href="#ChoosePathLength">You should let people choose their path length.</a></li>
-    <li><a href="#SplitEachConnection">You should split each connection over many paths.</a></li>
-    <li><a href="#UnallocatedNetBlocks">Your default exit policy should block unallocated net blocks too.</a></li>
-    <li><a href="#BlockWebsites">Exit policies should be able to block websites, not just IP addresses.</a></li>
-    <li><a href="#BlockContent">You should change Tor to prevent users from posting certain content.</a></li>
+    <li><a href="#ChoosePathLength">You should let people choose their path 
+    length.</a></li>
+    <li><a href="#SplitEachConnection">You should split each connection over 
+    many paths.</a></li>
+    <li><a href="#UnallocatedNetBlocks">Your default exit policy should block 
+    unallocated net blocks too.</a></li>
+    <li><a href="#BlockWebsites">Exit policies should be able to block 
+    websites, not just IP addresses.</a></li>
+    <li><a href="#BlockContent">You should change Tor to prevent users from 
+    posting certain content.</a></li>
     <li><a href="#IPv6">Tor should support IPv6.</a></li>
     </ul>
 
@@ -302,7 +334,10 @@ encryption, what data you're sending to the destination.</dd>
 can I use with Tor?</a></h3>
 
     <p>
-    If you want to use Tor with a web browser, we provide the Tor Browser Bundle, which includes everything you need to browse the web safely using Tor. If you want to use another web browser with Tor, see <a href="#TBBOtherBrowser">Other web browsers</a>. 
+    If you want to use Tor with a web browser, we provide the Tor Browser 
+    Bundle, which includes everything you need to browse the web safely using 
+    Tor. If you want to use another web browser with Tor, see <a 
+    href="#TBBOtherBrowser">Other web browsers</a>. 
     </p>
     <p>
     There are plenty of other programs you can use with Tor,
@@ -608,10 +643,16 @@ money to the
     <hr>
 
     <a id="FileSharing"></a>
-    <h3><a class="anchor" href="#FileSharing">How can I share files anonymously through Tor?</a></h3>
+    <h3><a class="anchor" href="#FileSharing">How can I share files 
+    anonymously through Tor?</a></h3>
 
     <p>
-    File sharing (peer-to-peer/P2P) is widely unwanted in the Tor network, and exit nodes are configured to block file sharing traffic by default. Tor is not really designed for it, and file sharing through Tor slows down everyone's browsing. Also, Bittorrent over Tor <a href="https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea">is not anonymous</a>!
+    File sharing (peer-to-peer/P2P) is widely unwanted in the Tor network, 
+    and exit nodes are configured to block file sharing traffic by default. 
+    Tor is not really designed for it, and file sharing through Tor slows 
+    down everyone's browsing. Also, Bittorrent over Tor <a 
+    href="https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea">
+    is not anonymous</a>!
     </p>
 
     <hr>
@@ -746,37 +787,67 @@ executive
     <hr>
 
      <a id="OutboundPorts"></a>
-    <h3><a class="anchor" href="#OutboundPorts">Do I have to open all these outbound ports on my firewall?</a></h3>
+    <h3><a class="anchor" href="#OutboundPorts">Do I have to open all these 
+    outbound ports on my firewall?</a></h3>
 
     <p>
-    Tor may attempt to connect to any port that is advertised in the directory as an ORPort (for making Tor connections) or a DirPort (for fetching updates to the directory). There are a variety of these ports, but many of them are running on 80, 443, 9001, and 9030.
+    Tor may attempt to connect to any port that is advertised in the 
+    directory as an ORPort (for making Tor connections) or a DirPort (for 
+    fetching updates to the directory). There are a variety of these ports, 
+    but many of them are running on 80, 443, 9001, and 9030.
     </p>
     <p>
-So as a client, you could probably get away with opening only those four ports. Since Tor does all its connections in the background, it will retry ones that fail, and hopefully you'll never have to know that it failed, as long as it finds a working one often enough. However, to get the most diversity in your entry nodes -- and thus the most security -- as well as the most robustness in your connectivity, you'll want to let it connect to all of them.
+    So as a client, you could probably get away with opening only those four 
+    ports. Since Tor does all its connections in the background, it will retry 
+    ones that fail, and hopefully you'll never have to know that it failed, as 
+    long as it finds a working one often enough. However, to get the most 
+    diversity in your entry nodes -- and thus the most security -- as well as 
+    the most robustness in your connectivity, you'll want to let it connect 
+    to all of them.
     </p>
     <p>
-If you really need to connect to only a small set of ports, see the FAQ entry on firewalled ports.
+    If you really need to connect to only a small set of ports, see the FAQ 
+    entry on firewalled ports.
     </p>
     <p>
-Note that if you're running Tor as a relay, you must allow outgoing connections to every other relay and to anywhere your exit policy advertises that you allow. The cleanest way to do that is simply to allow all outgoing connections at your firewall. If you don't, clients will try to use these connections and things won't work. 
+    Note that if you're running Tor as a relay, you must allow outgoing 
+    connections to every other relay and to anywhere your exit policy 
+    advertises that you allow. The cleanest way to do that is simply to allow 
+    all outgoing connections at your firewall. If you don't, clients will try 
+    to use these connections and things won't work. 
     </p>
     
     <hr>
     
     <a id="IsItWorking"></a>
-    <h3><a class="anchor" href="#IsItWorking">How can I tell if Tor is working, and that my connections really are anonymized?</a></h3>
+    <h3><a class="anchor" href="#IsItWorking">How can I tell if Tor is 
+    working, and that my connections really are anonymized?</a></h3>
 
     <p>
-    There are sites you can visit that will tell you if you appear to be coming through the Tor network. Try the <a href="https://check.torproject.org">Tor Check</a> site and see whether it thinks you are using Tor or not.
+    There are sites you can visit that will tell you if you appear to be 
+    coming through the Tor network. Try the <a href="https://check.torproject.org">
+    Tor Check</a> site and see whether it thinks you are using Tor or not.
     </p>
     <p>
-If that site is down, you can still test, but it will involve more effort. Sites like <a href="http://ipid.shat.net">http://ipid.shat.net</a> and <a href="http://www.showmyip.com/">http://www.showmyip.com/</a> will tell you what your IP address appears to be, but you'll need to know your current IP address so you can compare and decide whether you're using Tor correctly.
+    If that site is down, you can still test, but it will involve more effort. 
+    Sites like <a href="http://ipid.shat.net">http://ipid.shat.net</a> and 
+    <a href="http://www.showmyip.com/">http://www.showmyip.com/</a> will tell 
+    you what your IP address appears to be, but you'll need to know your 
+    current IP address so you can compare and decide whether you're using Tor 
+    correctly.
     </p>
     <p>
-To learn your IP address on OS X, Linux, BSD, etc, run "ifconfig". On Windows, go to the Start menu, click Run and enter "cmd". At the command prompt, enter "ipconfig /a".
+    To learn your IP address on OS X, Linux, BSD, etc, run "ifconfig". On 
+    Windows, go to the Start menu, click Run and enter "cmd". At the command 
+    prompt, enter "ipconfig /a".
     </p>
     <p>
-If you are behind a NAT or firewall, though, your IP address will be within the range of 10.XXX.XXX.XXX, 192.168.XXX.XXX, or 172.16.XXX.XXX - 172.31.XXX.XXX, which is not your public IP address. In this case, you should check your IP address with one of the sites above without using Tor, and then check again using Tor to see whether your IP address has changed. 
+    If you are behind a NAT or firewall, though, your IP address will be 
+    within the range of 10.XXX.XXX.XXX, 192.168.XXX.XXX, or 172.16.XXX.XXX - 
+    172.31.XXX.XXX, which is not your public IP address. In this case, you 
+    should check your IP address with one of the sites above without using 
+    Tor, and then check again using Tor to see whether your IP address has 
+    changed. 
     </p>
     
     <hr>
@@ -785,7 +856,12 @@ If you are behind a NAT or firewall, though, your IP address will be within the
     <h3><a class="anchor" href="#FTP">How do I use my browser for ftp with Tor?
     </a></h3>
 
-    <p>Use the Tor Browser Bundle. If you want a separate application for an ftp client, we've heard good things about  FileZilla for Windows. You can configure it to point to Tor as a "socks4a" proxy on "localhost" port "9050". </p>
+    <p>
+    Use the Tor Browser Bundle. If you want a separate application for an 
+    ftp client, we've heard good things about  FileZilla for Windows. You can 
+    configure it to point to Tor as a "socks4a" proxy on "localhost" port 
+    "9050". 
+    </p>
     <hr>
     
     <a id="Metrics"></a>
@@ -965,13 +1041,14 @@ Plugins operate independently from Firefox and can perform
 activity on your computer that ruins your anonymity. This includes
 but is not limited to: <a href="http://decloak.net">completely disregarding
 proxy settings</a>, querying your <a
-href="http://forums.sun.com/thread.jspa?threadID=5162138&amp;messageID=9618376">local
-IP address</a>, and <a
+href="http://forums.sun.com/thread.jspa?threadID=5162138&amp;messageID=9618376">
+local IP address</a>, and <a
 href="http://epic.org/privacy/cookies/flash.html">storing their own
 cookies</a>. It is possible to use a LiveCD solution such as
-or <a href="https://tails.boum.org/">The Amnesic Incognito Live System</a> that creates a
-secure, transparent proxy to protect you from proxy bypass, however issues
-with local IP address discovery and Flash cookies still remain.  </p>
+or <a href="https://tails.boum.org/">The Amnesic Incognito Live System</a> 
+that creates a secure, transparent proxy to protect you from proxy bypass, 
+however issues with local IP address discovery and Flash cookies still remain. 
+</p>
 
 <p>
 <a href="https://www.youtube.com/html5">YouTube offers experimental HTML5 video
@@ -985,7 +1062,9 @@ find HTML5 videos.
 <h3><a class="anchor" href="#Ubuntu">
 I'm using Ubuntu and I can't start Tor Browser</a></h3>
 <p>
-Ubuntu prevents its users from executing shell scripts by click-clicking them, even when the file permissions are set correctly. For now you need to start the Tor Browser from the command line by running </p>
+Ubuntu prevents its users from executing shell scripts by clicking them, 
+even when the file permissions are set correctly. For now you need to 
+start the Tor Browser from the command line by running </p>
 <pre>
 ./start-tor-browser
 </pre>
@@ -1049,10 +1128,22 @@ configuration</a> of Tor and Privoxy.
 Firefox extensions?</a></h3>
 
 <p>
-The Tor Browser is free software, so there is nothing preventing you from modifying it any way you like. However, we do not recommend installing any additional Firefox add-ons with the Tor Browser Bundle. Add-ons can break your anonymity in a number of ways, including browser fingerprinting and bypassing proxy settings.
+The Tor Browser is free software, so there is nothing preventing you from 
+modifying it any way you like. However, we do not recommend installing any 
+additional Firefox add-ons with the Tor Browser Bundle. Add-ons can break 
+your anonymity in a number of ways, including browser fingerprinting and 
+bypassing proxy settings.
 </p>
 <p>
-Some people have suggested we include ad-blocking software or anti-tracking software with the Tor Browser Bundle. Right now, we do not think that's such a good idea. The Tor Browser Bundle aims to provide sufficient privacy that additional add-ons to stop ads and trackers are not necessary. Using add-ons like these may cause some sites to break, which <a href="https://www.torproject.org/projects/torbrowser/design/#philosophy">we don't want to do</a>. Additionally, maintaining a list of "bad" sites that should be black-listed provides another opportunity to uniquely fingerprint users. 
+Some people have suggested we include ad-blocking software or 
+anti-tracking software with the Tor Browser Bundle. Right now, we do not 
+think that's such a good idea. The Tor Browser Bundle aims to provide 
+sufficient privacy that additional add-ons to stop ads and trackers are 
+not necessary. Using add-ons like these may cause some sites to break, which 
+<a href="https://www.torproject.org/projects/torbrowser/design/#philosophy">
+we don't want to do</a>. Additionally, maintaining a list of "bad" sites that 
+should be black-listed provides another opportunity to uniquely fingerprint 
+users. 
 </p>
 
 <hr>
@@ -1077,8 +1168,8 @@ There's a tradeoff here. On the one hand, we should leave
 JavaScript enabled by default so websites work the way
 users expect. On the other hand, we should disable JavaScript
 by default to better protect against browser vulnerabilities (<a
-href="https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable">not
-just a theoretical concern!</a>). But there's a third issue: websites
+href="https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable">
+not just a theoretical concern!</a>). But there's a third issue: websites
 can easily determine whether you have allowed JavaScript for them,
 and if you disable JavaScript by default but then allow a few websites
 to run scripts (the way most people use NoScript), then your choice of
@@ -1131,6 +1222,38 @@ horizon.
 
 <hr>
 
+<a id="TorbuttonOtherBrowser"></a>
+<h3><a class="anchor" href="#TorbuttonOtherBrowser">
+Will Torbutton be available for other browsers?</a></h3>
+
+<p>
+ We don't support IE, Opera or Safari and never plan to. There are too many 
+ ways that your privacy can go wrong with those browsers, and because of 
+ their closed design it is really hard for us to do anything to change these 
+ privacy problems.
+</p>
+<p>
+We are working with the Chrome people to modify Chrome's internals so that 
+we can eventually support it. But for now, Firefox is the only safe choice. 
+</p>
+
+<hr>
+
+<a id="NoDataScrubbing"></a>
+<h3><a class="anchor" href="#NoDataScrubbing">
+Does Tor remove personal information from the data my application sends?
+</a></h3>
+<p>
+No, it doesn't. You need to use a separate program that understands your 
+application and protocol and knows how to clean or "scrub" the data it 
+sends. Privoxy is an example of this for web browsing. But note that even 
+Privoxy won't protect you completely: you may still fall victim to viruses, 
+Java Script attacks, etc; and Privoxy can't do anything about text that you 
+type into forms. Be careful and be smart. 
+</p>
+
+</hr>
+
 <a id="TBBCloseBrowser"></a>
 <h3><a class="anchor" href="#TBBCloseBrowser">I want to leave Tor
 Browser
@@ -1191,22 +1314,35 @@ DuckDuckGo, ixquick, or Bing.
 Why does Google show up in foreign languages?</a></h3>
 
 <p>
- Google uses "geolocation" to determine where in the world you are, so it can give you a personalized experience. This includes using the language it thinks you prefer, and it also includes giving you different results on your queries.
+ Google uses "geolocation" to determine where in the world you are, so it 
+ can give you a personalized experience. This includes using the language 
+ it thinks you prefer, and it also includes giving you different results 
+ on your queries.
 </p>
 <p>
-If you really want to see Google in English you can click the link that provides that. But we consider this a feature with Tor, not a bug --- the Internet is not flat, and it in fact does look different depending on where you are. This feature reminds people of this fact. The easy way to avoid this "feature" is to use <a href="http://google.com/ncr">http://google.com/ncr</a>.
+If you really want to see Google in English you can click the link that 
+provides that. But we consider this a feature with Tor, not a bug --- the 
+Internet is not flat, and it in fact does look different depending on 
+where you are. This feature reminds people of this fact. The easy way to 
+avoid this "feature" is to use 
+<a href="https://google.com/ncr">https://google.com/ncr</a>.
 </p>
 <p>
-Note that Google search URLs take name/value pairs as arguments and one of those names is "hl". If you set "hl" to "en" then Google will return search results in English regardless of what Google server you have been sent to. On a query this looks like: </p><pre>https://encrypted.google.com/search?q=online%20anonymity&hl=en
+Note that Google search URLs take name/value pairs as arguments and one 
+of those names is "hl". If you set "hl" to "en" then Google will return 
+search results in English regardless of what Google server you have been 
+sent to. On a query this looks like: 
+</p>
+<pre>https://encrypted.google.com/search?q=online%20anonymity&hl=en
 </pre>
 <p>
-Another method is to simply use your country code for accessing Google. This can be google.be, google.de, google.us and so on. 
+Another method is to simply use your country code for accessing Google. 
+This can be google.be, google.de, google.us and so on. 
 </p>
 <hr />
 <a id="GmailWarning"></a>
 <h3><a class="anchor" href="#GmailWarning">Gmail warns me that my
-account
-may have been compromised.</a></h3>
+account may have been compromised.</a></h3>
 
 <p>
 Sometimes, after you've used Gmail over Tor, Google presents a
@@ -1389,29 +1525,42 @@ and filename for your Tor log.
 <h3><a class="anchor" href="#LogLevel">What log level should I use?</a></h3>
 
 <p>
-There are five log levels (also called "log severities") you might see in Tor's logs:
+There are five log levels (also called "log severities") you might see in 
+Tor's logs:
 </p>
 
 <ul>
-    <li>"err": something bad just happened, and we can't recover. Tor will exit.</li>
-    <li>"warn": something bad happened, but we're still running. The bad thing might be a bug in the code, some other Tor process doing something unexpected, etc. The operator should examine the message and try to correct the problem.</li>
+    <li>"err": something bad just happened, and we can't recover. Tor will 
+    exit.</li>
+    <li>"warn": something bad happened, but we're still running. The bad 
+    thing might be a bug in the code, some other Tor process doing something 
+    unexpected, etc. The operator should examine the message and try to 
+    correct the problem.</li>
     <li>"notice": something the operator will want to know about.</li>
-    <li>"info": something happened (maybe bad, maybe ok), but there's nothing you need to (or can) do about it.</li>
+    <li>"info": something happened (maybe bad, maybe ok), but there's 
+    nothing you need to (or can) do about it.</li>
     <li>"debug": for everything louder than info. It is quite loud indeed.</li> 
 </ul>
 
 <p>
-Alas, some of the warn messages are hard for ordinary users to correct -- the developers are slowly making progress at making Tor automatically react correctly for each situation.
+Alas, some of the warn messages are hard for ordinary users to correct -- the 
+developers are slowly making progress at making Tor automatically react 
+correctly for each situation.
 </p>
 
 <p>
-We recommend running at the default, which is "notice". You will hear about important things, and you won't hear about unimportant things.
+We recommend running at the default, which is "notice". You will hear about 
+important things, and you won't hear about unimportant things.
 </p>
 
 <p>
-Tor relays in particular should avoid logging at info or debug in normal operation, since they might end up recording sensitive information in their logs. 
+Tor relays in particular should avoid logging at info or debug in normal 
+operation, since they might end up recording sensitive information in 
+their logs. 
 </p>
 
+<hr>
+
 <a id="DoesntWork"></a>
 <h3><a class="anchor" href="#DoesntWork">I installed Tor but it's not
 working.</a></h3>
@@ -1557,7 +1706,13 @@ versions.
     up your anonymity in ways we don't understand.
     </p>
     <p>
-    Note also that not every circuit is used to deliver traffic outside of the Tor network. It is normal to see non-exit circuits (such as those used to connect to hidden services, those that do directory fetches, those used for relay reachability self-tests, and so on) that end at a non-exit node. To keep a node from being used entirely, see <tt>ExcludeNodes</tt> and <tt>StrictNodes</tt> in the <a href="<page docs/tor-manual>">manual</a>.
+    Note also that not every circuit is used to deliver traffic outside of 
+    the Tor network. It is normal to see non-exit circuits (such as those 
+    used to connect to hidden services, those that do directory fetches, 
+    those used for relay reachability self-tests, and so on) that end at 
+    a non-exit node. To keep a node from being used entirely, see 
+    <tt>ExcludeNodes</tt> and <tt>StrictNodes</tt> in the 
+    <a href="<page docs/tor-manual>">manual</a>.
     </p>
     <p>
     Instead of <tt>$fingerprint</tt> you can also specify a <a
@@ -1612,9 +1767,13 @@ use the ReachableAddresses config options, e.g.:
 <hr>
 
     <a id="ExitPorts"></a>
-    <h3><a class="anchor" href="#ExitPorts">Is there a list of default exit ports?</a></h3>
+    <h3><a class="anchor" href="#ExitPorts">Is there a list of default exit 
+    ports?</a></h3>
     <p>
-The default open ports are listed below but keep in mind that, any port or ports can be opened by the relay operator by configuring it in torrc or modifying the source code. But the default according to src/or/policies.c from the source code release tor-0.2.4.16-rc is: 
+The default open ports are listed below but keep in mind that, any port or 
+ports can be opened by the relay operator by configuring it in torrc or 
+modifying the source code. But the default according to src/or/policies.c 
+from the source code release tor-0.2.4.16-rc is: 
     </p>
     <pre>
   reject 0.0.0.0/8
@@ -1636,7 +1795,45 @@ The default open ports are listed below but keep in mind that, any port or ports
   accept *:*
     </pre>
     <p>
-    A relay will block access to its own IP address, as well local network IP addresses. A relay always blocks itself by default. This prevents Tor users from accidentally accessing any of the exit operator's local services. 
+    A relay will block access to its own IP address, as well local network 
+    IP addresses. A relay always blocks itself by default. This prevents 
+    Tor users from accidentally accessing any of the exit operator's local 
+    services. 
+    </p>
+
+    <hr>
+
+    <a id="SocksAndDNS"></a>
+    <h3><a class="anchor" href="#SocksAndDNS">How do I check if my application that uses 
+    SOCKS is leaking DNS requests?</a></h3>
+
+    <p>
+    These are two steps you need to take here. The first is to make sure 
+    that it's using the correct variant of the SOCKS protocol, and the 
+    second is to make sure that there aren't other leaks. 
+    </p>
+
+    <p>
+    Step one: add "TestSocks 1" to your torrc file, and then watch your 
+    logs as you use your application. Tor will then log, for each SOCKS 
+    connection, whether it was using a 'good' variant or a 'bad' one. 
+    (If you want to automatically disable all 'bad' variants, set 
+    "SafeSocks 1" in your <a href="#torrc">torrc</a> file.) 
+    </p>
+
+    <p>
+    Step two: even if your application is using the correct variant of 
+    the SOCKS protocol, there is still a risk that it could be leaking 
+    DNS queries. This problem happens in Firefox extensions that resolve 
+    the destination hostname themselves, for example to show you its IP 
+    address, what country it's in, etc. These applications may use a safe 
+    SOCKS variant when actually making connections, but they still do DNS 
+    resolves locally. If you suspect your application might behave like 
+    this, you should use a network sniffer like <a 
+    href="https://www.wireshark.org/">Wireshark</a> and look for 
+    suspicious outbound DNS requests. I'm afraid the details of how to look 
+    for these problems are beyond the scope of a FAQ entry though -- find 
+    a friend to help if you have problems. 
     </p>
 
     <hr>
@@ -1693,7 +1890,6 @@ too.
 
     <hr>
 
-       <a id="RunARelayBut"></a>
     <a id="ExitPolicies"></a>
     <h3><a class="anchor" href="#ExitPolicies">I'd run a relay, but I
 don't want to deal with abuse issues.</a></h3>
@@ -1752,20 +1948,40 @@ users
     <hr>
 
     <a id="DifferentComputer"></a>
-    <h3><a class="anchor" href="#DifferentComputer">I want to run my Tor client on a different computer than my applications.</a></h3>
+    <h3><a class="anchor" href="#DifferentComputer">I want to run my 
+    Tor client on a different computer than my applications.</a></h3>
     <p>
-    By default, your Tor client only listens for applications that connect from localhost. Connections from other computers are refused. If you want to torify applications on different computers than the Tor client, you should edit your torrc to define SocksListenAddress 0.0.0.0 g and then restart (or hup) Tor. If you want to get more advanced, you can configure your Tor client on a firewall to bind to your internal IP but not your external IP.  
+    By default, your Tor client only listens for applications that 
+    connect from localhost. Connections from other computers are 
+    refused. If you want to torify applications on different computers 
+    than the Tor client, you should edit your torrc to define 
+    SocksListenAddress 0.0.0.0 g and then restart (or hup) Tor. If you 
+    want to get more advanced, you can configure your Tor client on a 
+    firewall to bind to your internal IP but not your external IP.  
     </p>
 
     <hr>
 
     <a id="ServerClient"></a>
-    <h3><a class="anchor" href="#ServerClient">Can I install Tor on a central server, and have my clients connect to it?</a></h3>
-    <p>
-     Yes. Tor can be configured as a client or a relay on another machine, and allow other machines to be able to connect to it for anonymity. This is most useful in an environment where many computers want a gateway of anonymity to the rest of the world. However, be forwarned that with this configuration, anyone within your private network (existing between you and the Tor client/relay) can see what traffic you are sending in clear text. The anonymity doesn't start until you get to the Tor relay. Because of this, if you are the controller of your domain and you know everything's locked down, you will be OK, but this configuration may not be suitable for large private networks where security is key all around.
-    </p>
-    <p>
-Configuration is simple, editing your torrc file's SocksListenAddress according to the following examples:
+    <h3><a class="anchor" href="#ServerClient">Can I install Tor on a 
+    central server, and have my clients connect to it?</a></h3>
+    <p>
+     Yes. Tor can be configured as a client or a relay on another 
+     machine, and allow other machines to be able to connect to it 
+     for anonymity. This is most useful in an environment where many 
+     computers want a gateway of anonymity to the rest of the world. 
+     However, be forwarned that with this configuration, anyone within 
+     your private network (existing between you and the Tor 
+     client/relay) can see what traffic you are sending in clear text. 
+     The anonymity doesn't start until you get to the Tor relay. 
+     Because of this, if you are the controller of your domain and you 
+     know everything's locked down, you will be OK, but this configuration 
+     may not be suitable for large private networks where security is 
+     key all around.
+    </p>
+    <p>
+Configuration is simple, editing your torrc file's SocksListenAddress 
+according to the following examples:
     </p>
     <pre>
 
@@ -1780,28 +1996,37 @@ Configuration is simple, editing your torrc file's SocksListenAddress according
   SocksListenAddress 0.0.0.0:9100
    </pre>
     <p>
-You can state multiple listen addresses, in the case that you are part of several networks or subnets.
+You can state multiple listen addresses, in the case that you are 
+part of several networks or subnets.
     </p>
     <pre>
   SocksListenAddress 192.168.x.x:9100 #eth0
   SocksListenAddress 10.x.x.x:9100 #eth1
     </pre>
     <p>
-After this, your clients on their respective networks/subnets would specify a socks proxy with the address and port you specified SocksListenAddress to be. 
+After this, your clients on their respective networks/subnets would specify 
+a socks proxy with the address and port you specified SocksListenAddress 
+to be. 
     </p>
     <p>
-Please note that the SocksPort configuration option gives the port ONLY for localhost (127.0.0.1). When setting up your SocksListenAddress(es), you need to give the port with the address, as shown above.
+Please note that the SocksPort configuration option gives the port ONLY for 
+localhost (127.0.0.1). When setting up your SocksListenAddress(es), you need 
+to give the port with the address, as shown above.
     <p>
-If you are interested in forcing all outgoing data through the central Tor client/relay, instead of the server only being an optional proxy, you may find the program iptables (for *nix) useful. 
+If you are interested in forcing all outgoing data through the central Tor 
+client/relay, instead of the server only being an optional proxy, you may find 
+the program iptables (for *nix) useful. 
     </p>
 
     <hr>
 
     <a id="JoinTheNetwork"></a>
-    <h3><a class="anchor" href="#JoinTheNetwork">So I can just configure a nickname and ORPort and join the network?</a></h3>
+    <h3><a class="anchor" href="#JoinTheNetwork">So I can just configure a 
+    nickname and ORPort and join the network?</a></h3>
 
     <p>
-     Yes. You can join the network and be a useful relay just by configuring your Tor to be a relay and making sure it's reachable from the outside.
+     Yes. You can join the network and be a useful relay just by configuring 
+     your Tor to be a relay and making sure it's reachable from the outside.
     </p>
     <p>
 30 Seconds to a Tor Relay:
@@ -1826,7 +2051,9 @@ ORPort 9001
 ContactInfo human@…
     </pre>
     <ul><li>
-    Start Tor. Watch the log file for a log entry that states: "Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor."
+    Start Tor. Watch the log file for a log entry that states: "Self-testing 
+    indicates your ORPort is reachable from the outside. Excellent. Publishing 
+    server descriptor."
     </li></ul>
 
     <hr />
@@ -1875,25 +2102,39 @@ lots
     <hr>
 
 <a id="UpgradeOrMove"></a>
-<h3><a class="anchor" href="#UpgradeOrMove">I want to upgrade/move my relay. How do I keep the same key?</a></h3>
+<h3><a class="anchor" href="#UpgradeOrMove">I want to upgrade/move my relay. 
+How do I keep the same key?</a></h3>
 
 <p>
- When upgrading your Tor relay, or running it on a different computer, the important part is to keep the same nickname (defined in your torrc file) and the same identity key (stored in "keys/secret_id_key" in your DataDirectory).
+ When upgrading your Tor relay, or running it on a different computer, 
+ the important part is to keep the same nickname (defined in your torrc 
+ file) and the same identity key (stored in "keys/secret_id_key" in 
+ your DataDirectory).
 </p>
 <p>
-This means that if you're upgrading your Tor relay and you keep the same torrc and the same DataDirectory, then the upgrade should just work and your relay will keep using the same key. If you need to pick a new DataDirectory, be sure to copy your old keys/secret_id_key over. 
+This means that if you're upgrading your Tor relay and you keep the same 
+torrc and the same DataDirectory, then the upgrade should just work and 
+your relay will keep using the same key. If you need to pick a new 
+DataDirectory, be sure to copy your old keys/secret_id_key over. 
 </p>
 
     <hr>
 
 <a id="NTService"></a>
-<h3><a class="anchor" href="#NTService">How do I run my Tor relay as an NT service?</a></h3>
+<h3><a class="anchor" href="#NTService">How do I run my Tor relay as an NT 
+service?</a></h3>
 
 <p>
- You can run Tor as a service on all versions of Windows except Windows 95/98/ME. This way you can run a Tor relay without needing to always have Vidalia running.
+ You can run Tor as a service on all versions of Windows except Windows 
+ 95/98/ME. This way you can run a Tor relay without needing to always have 
+ Vidalia running.
 </p>
 <p>
-If you've already configured your Tor to be a relay, please note that when you enable Tor as a service, it will use a different DatagDirectory, and thus will generate a different key. If you want to keep using the old key, see the Upgrading your Tor relay FAQ entry for how to restore the old identity key.
+If you've already configured your Tor to be a relay, please note that when 
+you enable Tor as a service, it will use a different DatagDirectory, and 
+thus will generate a different key. If you want to keep using the old key, 
+see the Upgrading your Tor relay FAQ entry for how to restore the old 
+identity key.
 </p>
 <p>
 To install Tor as a service, you can simply run:
@@ -1902,10 +2143,18 @@ To install Tor as a service, you can simply run:
 tor --service install
 </pre>
 <p>
-A service called Tor Win32 Service will be installed and started. This service will also automatically start every time Windows boots, unless you change the Start-up type. An easy way to check the status of Tor, start or stop the service, and change the start-up type is by running services.msc and finding the Tor service in the list of currently installed services.
+A service called Tor Win32 Service will be installed and started. This 
+service will also automatically start every time Windows boots, unless 
+you change the Start-up type. An easy way to check the status of Tor, 
+start or stop the service, and change the start-up type is by running 
+services.msc and finding the Tor service in the list of currently 
+installed services.
 </p>
 <p>
-Optionally, you can specify additional options for the Tor service using the -options argument. For example, if you want Tor to use C:\tor\torrc, instead of the default torrc, and open a control port on port 9151, you would run:
+Optionally, you can specify additional options for the Tor service using 
+the -options argument. For example, if you want Tor to use C:\tor\torrc, 
+instead of the default torrc, and open a control port on port 9151, you 
+would run:
 </p>
 <pre>
 tor --service install -options -f C:\tor\torrc ControlPort 9151
@@ -1929,16 +2178,27 @@ To remove the Tor service, you can run the following command:
 tor --service remove
 </pre>
 <p>
-If you are running Tor as a service and you want to uninstall Tor entirely, be sure to run the service removal command (shown above) first before running the uninstaller from "Add/Remove Programs". The uninstaller is currently not capable of removing the active service.
+If you are running Tor as a service and you want to uninstall Tor entirely, 
+be sure to run the service removal command (shown above) first before 
+running the uninstaller from "Add/Remove Programs". The uninstaller is 
+currently not capable of removing the active service.
 </p>
 
 <hr>
 
 <a id="VirtualServer"></a>
-<h3><a class="anchor" href="#VirtualServer">Can I run a Tor relay from my virtual server account?</a></h3>
+<h3><a class="anchor" href="#VirtualServer">Can I run a Tor relay from my 
+virtual server account?</a></h3>
 
 <p>
-Some ISPs are selling "vserver" accounts that provide what they call a virtual server -- you can't actually interact with the hardware, and they can artificially limit certain resources such as the number of file descriptors you can open at once. Competent vserver admins are able to configure your server to not hit these limits. For example, in SWSoft's Virtuozzo, investigate /proc/user_beancounters. Look for "failcnt" in tcpsndbuf, tcprecvbuf, numothersock, and othersockbuf. Ask for these to be increased accordingly. Some users have seen settings work well as follows: 
+Some ISPs are selling "vserver" accounts that provide what they call a 
+virtual server -- you can't actually interact with the hardware, and 
+they can artificially limit certain resources such as the number of file 
+descriptors you can open at once. Competent vserver admins are able to 
+configure your server to not hit these limits. For example, in SWSoft's 
+Virtuozzo, investigate /proc/user_beancounters. Look for "failcnt" in 
+tcpsndbuf, tcprecvbuf, numothersock, and othersockbuf. Ask for these to 
+be increased accordingly. Some users have seen settings work well as follows: 
 <p>
 <table border="1">
 <tr>
@@ -2046,13 +2306,23 @@ numothersock
  Xen, Virtual Box and VMware virtual servers have no such limits normally.
 </p>
 <p>
-If the vserver admin will not increase system limits another option is to reduce the memory allocated to the send and receive buffers on TCP connections Tor uses. An experimental feature to constrain socket buffers has recently been added. If your version of Tor supports it, set "ConstrainedSockets 1" in your configuration. See the tor man page for additional details about this option.
+If the vserver admin will not increase system limits another option is 
+to reduce the memory allocated to the send and receive buffers on TCP 
+connections Tor uses. An experimental feature to constrain socket buffers 
+has recently been added. If your version of Tor supports it, set 
+"ConstrainedSockets 1" in your configuration. See the tor man page for 
+additional details about this option.
 </p>
 <p>
-Unfortunately, since Tor currently requires you to be able to connect to all the other Tor relays, we need you to be able to use at least 1024 file descriptors. This means we can't make use of Tor relays that are crippled in this way.
+Unfortunately, since Tor currently requires you to be able to connect to 
+all the other Tor relays, we need you to be able to use at least 1024 file 
+descriptors. This means we can't make use of Tor relays that are crippled 
+in this way.
 </p>
 <p>
-We hope to fix this in the future, once we know how to build a Tor network with restricted topologies -- that is, where each node connects to only a few other nodes. But this is still a long way off.
+We hope to fix this in the future, once we know how to build a Tor network 
+with restricted topologies -- that is, where each node connects to only a 
+few other nodes. But this is still a long way off.
 </p>
 
 <hr>
@@ -2096,15 +2366,24 @@ the same geographic location.
     <hr>
 
     <a id="WrongIP"></a>
-    <h3><a class="anchor" href="#WrongIP">My relay is picking the wrong IP address.</a></h3>
+    <h3><a class="anchor" href="#WrongIP">My relay is picking the wrong 
+    IP address.</a></h3>
     <p>
- Tor guesses its IP address by asking the computer for its hostname, and then resolving that hostname. Often people have old entries in their /etc/hosts file that point to old IP addresses.
+ Tor guesses its IP address by asking the computer for its hostname, and 
+ then resolving that hostname. Often people have old entries in their 
+ /etc/hosts file that point to old IP addresses.
     </p>
     <p>
-If that doesn't fix it, you should use the "Address" config option to specify the IP you want it to pick. If your computer is behind a NAT and it only has an internal IP address, see the following FAQ entry on <a href="https://www.torproject.org/docs/faq.html.en#RelayFlexible">dynamic IP addresses</a>.
+If that doesn't fix it, you should use the "Address" config option to 
+specify the IP you want it to pick. If your computer is behind a NAT and 
+it only has an internal IP address, see the following FAQ entry on <a 
+href="https://www.torproject.org/docs/faq.html.en#RelayFlexible">dynamic 
+IP addresses</a>.
     </p>
     <p>
-Also, if you have many addresses, you might also want to set "OutboundBindAddress" so external connections come from the IP you intend to present to the world. 
+Also, if you have many addresses, you might also want to set 
+"OutboundBindAddress" so external connections come from the IP you intend 
+to present to the world. 
     </p>
 
     <hr>
@@ -2113,19 +2392,25 @@ Also, if you have many addresses, you might also want to set "OutboundBindAddres
     <h3><a class="anchor" href="#BehindANAT">I'm behind a NAT/Firewall.</a></h3>
 
     <p>
-See <a>​http://portforward.com/</a> for directions on how to port forward with your NAT/router device.
+See <a>​http://portforward.com/</a> for directions on how to port forward with 
+your NAT/router device.
 </p>
 <p>
-If your relay is running on a internal net you need to setup port forwarding. Forwarding TCP connections is system dependent but the firewalled-clients FAQ entry offers some examples on how to do this.
+If your relay is running on a internal net you need to setup port forwarding. 
+Forwarding TCP connections is system dependent but the firewalled-clients FAQ 
+entry offers some examples on how to do this.
 </p>
 <p>
-Also, here's an example of how you would do this on GNU/Linux if you're using iptables:
+Also, here's an example of how you would do this on GNU/Linux if you're using 
+iptables:
 </p>
 <pre>
 /sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 9001 -j ACCEPT
 </pre>
 <p>
-You may have to change "eth0" if you have a different external interface (the one connected to the Internet). Chances are you have only one (except the loopback) so it shouldn't be too hard to figure out. 
+You may have to change "eth0" if you have a different external interface 
+(the one connected to the Internet). Chances are you have only one (except 
+the loopback) so it shouldn't be too hard to figure out. 
     </p>
     <hr>
 
@@ -2188,22 +2473,39 @@ unusual
     <hr>
 
     <a id="BetterAnonymity"></a>
-    <h3><a class="anchor" href="#BetterAnonymity">Do I get better anonymity if I run a relay?</a></h3>
+    <h3><a class="anchor" href="#BetterAnonymity">Do I get better anonymity 
+    if I run a relay?</a></h3>
 
     <p>
 Yes, you do get better anonymity against some attacks.
     </p>
     <p>
-The simplest example is an attacker who owns a small number of Tor relays. He will see a connection from you, but he won't be able to know whether the connection originated at your computer or was relayed from somebody else.
+The simplest example is an attacker who owns a small number of Tor relays. 
+He will see a connection from you, but he won't be able to know whether 
+the connection originated at your computer or was relayed from somebody else.
     </p>
     <p>
-There are some cases where it doesn't seem to help: if an attacker can watch all of your incoming and outgoing traffic, then it's easy for him to learn which connections were relayed and which started at you. (In this case he still doesn't know your destinations unless he is watching them too, but you're no better off than if you were an ordinary client.)
+There are some cases where it doesn't seem to help: if an attacker can 
+watch all of your incoming and outgoing traffic, then it's easy for him 
+to learn which connections were relayed and which started at you. (In 
+this case he still doesn't know your destinations unless he is watching 
+them too, but you're no better off than if you were an ordinary client.)
     </p>
     <p>
-There are also some downsides to running a Tor relay. First, while we only have a few hundred relays, the fact that you're running one might signal to an attacker that you place a high value on your anonymity. Second, there are some more esoteric attacks that are not as well-understood or well-tested that involve making use of the knowledge that you're running a relay -- for example, an attacker may be able to "observe" whether you're sending traffic even if he can't actually watch your network, by relaying traffic through your Tor relay and noticing changes in traffic timing.
+There are also some downsides to running a Tor relay. First, while we 
+only have a few hundred relays, the fact that you're running one might 
+signal to an attacker that you place a high value on your anonymity. 
+Second, there are some more esoteric attacks that are not as 
+well-understood or well-tested that involve making use of the knowledge 
+that you're running a relay -- for example, an attacker may be able to 
+"observe" whether you're sending traffic even if he can't actually watch 
+your network, by relaying traffic through your Tor relay and noticing 
+changes in traffic timing.
     </p>
     <p>
-It is an open research question whether the benefits outweigh the risks. A lot of that depends on the attacks you are most worried about. For most users, we think it's a smart move. 
+It is an open research question whether the benefits outweigh the risks. 
+A lot of that depends on the attacks you are most worried about. For 
+most users, we think it's a smart move. 
     </p>
 
     <hr>
@@ -2251,6 +2553,69 @@ diversity,
 
     <hr>
 
+    <a id="AccessHiddenServices"></a>
+    <h3><a class="anchor" href="#AccessHiddenServices">How do I access 
+    hidden services?</a></h3>
+    
+    <p>
+    Tor hidden services are named with a special top-level domain (TLD) 
+    name in DNS: .onion. Since the .onion TLD is not recognized by the 
+    official root DNS servers on the Internet, your application will not 
+    get the response it needs to locate the service. Currently, the Tor 
+    directory server provides this look-up service; and thus the look-up 
+    request must get to the Tor network. 
+    </p>
+
+<p>
+ Therefore, your application <b>needs</b> to pass the .onion hostname to 
+ Tor directly. You can't try to resolve it to an IP address, since there 
+ <i>is</i> no corresponding IP address: the server is hidden, after all! 
+</p>
+    
+    <p>
+    So, how do you make your application pass the hostname directly to Tor? 
+    You can't use SOCKS 4, since SOCKS 4 proxies require an IP from the 
+    client (a web browser is an example of a SOCKS client). Even though 
+    SOCKS 5 can accept either an IP or a hostname, most applications 
+    supporting SOCKS 5 try to resolve the name before passing it to the 
+    SOCKS proxy. SOCKS 4a, however, always accepts a hostname: You'll need 
+    to use SOCKS 4a. 
+    </p>
+    
+    <p>
+    Some applications, such as the browsers Mozilla Firefox and Apple's 
+    Safari, support sending DNS queries to Tor's SOCKS 5 proxy. Most web 
+    browsers don't support SOCKS 4a very well, though. The workaround is 
+    to point your web browser at an HTTP proxy, and tell the HTTP proxy 
+    to speak to Tor with SOCKS 4a. We recommend Polipo as your HTTP proxy.
+    </p>
+    
+    <p>
+    For applications that do not support HTTP proxy, and so cannot use 
+    Polipo, <a href="http://www.freecap.ru/eng/">FreeCap</a> is an 
+    alternative. When using FreeCap set proxy protocol  to SOCKS 5 and under 
+    settings set DNS name resolving to remote. This 
+    will allow you to use almost any program with Tor without leaking DNS 
+    lookups and allow those same programs to access hidden services. 
+    </p>
+    
+    <p>
+    See also the <a href="#SocksAndDNS">question on DNS</a>. 
+    </p>    
+    
+    <hr>
+
+    <a id="ProvideAHiddenService"></a>
+    <h3><a class="anchor" href="#ProvideAHiddenService">How do I provide a 
+    hidden service?</a></h3>
+    
+    <p>
+    See the ​<a href="https://www.torproject.org/docs/tor-hidden-service.html.en">
+    official hidden service configuration instructions</a>.
+    </p>
+
+    <hr>
+    
     <a id="KeyManagement"></a>
     <h3><a class="anchor" href="#KeyManagement">Tell me about all the
 keys Tor uses.</a></h3>
@@ -2274,8 +2639,7 @@ encryption
     mean that only the exit relay can read
     the cells. Both sides discard the circuit key when the circuit ends,
     so logging traffic and then breaking into the relay to discover the
-key
-    won't work.
+    key won't work.
     </p>
 
     <p>
@@ -2410,71 +2774,135 @@ we move to a "directory guard" design as well.
     <a id="ChangePaths"></a>
     <h3><a class="anchor" href="#ChangePaths">How often does Tor change its paths?</a></h3>
     <p>
-     Tor will reuse the same circuit for new TCP streams for 10 minutes, as long as the circuit is working fine. (If the circuit fails, Tor will switch to a new circuit immediately.)
+     Tor will reuse the same circuit for new TCP streams for 10 minutes, 
+     as long as the circuit is working fine. (If the circuit fails, Tor 
+     will switch to a new circuit immediately.)
     </p>
     <p>
-But note that a single TCP stream (e.g. a long IRC connection) will stay on the same circuit forever -- we don't rotate individual streams from one circuit to the next. Otherwise an adversary with a partial view of the network would be given many chances over time to link you to your destination, rather than just one chance.
-    </p>
-
-    <a id="OutboundConnections"></a>
-    <h3><a class="anchor" href="#OutboundConnections">Why does netstat show these outbound connections?</a></h3>
-    <p>
-    Because that's how Tor works. It holds open a handful of connections so there will be one available when you need one. 
+But note that a single TCP stream (e.g. a long IRC connection) will stay on 
+the same circuit forever -- we don't rotate individual streams from one 
+circuit to the next. Otherwise an adversary with a partial view of the 
+network would be given many chances over time to link you to your 
+destination, rather than just one chance.
     </p>
 
     <hr>
 
-    <a id="PowerfulBlockers"></a>
-    <h3><a class="anchor" href="#PowerfulBlockers">What about powerful blocking mechanisms?</a></h3>
+    <a id="CellSize"></a>
+    <h3><a class="anchor" href="#CellSize">Tor uses hundreds of bytes for 
+    every IRC line. I can't afford that!</a></h3>
     <p>
- An adversary with a great deal of manpower and money, and severe real-world penalties to discourage people from trying to evade detection, is a difficult test for an anonymity and anti-censorship system.
+     Tor sends data in chunks of 512 bytes (called "cells"), to make it 
+     harder for intermediaries to guess exactly how many bytes you're 
+     communicating at each step. This is unlikely to change in the near 
+     future -- if this increased bandwidth use is prohibitive for you, I'm 
+     afraid Tor is not useful for you right now.
     </p>
     <p>
-The original Tor design was easy to block if the attacker controls Alice's connection to the Tor network --- by blocking the directory authorities, by blocking all the relay IP addresses in the directory, or by filtering based on the fingerprint of the Tor TLS handshake. After seeing these attacks and others first-hand, more effort was put into researching new circumvention techniques. Pluggable transports are protocols designed to allow users behind government firewalls to access the Tor network.
+The actual content of these fixed size cells is 
+<a href="https://gitweb.torproject.org/torspec.git/blob/HEAD:/tor-spec.txt">
+documented in the main Tor spec</a>, section 3.
     </p>
     <p>
-We've made quite a bit of progress on this problem lately. You can read more details on the <a href="https://www.torproject.org/docs/pluggable-transports.html.en">pluggable transports page</a>. You may also be interested in <a href="https://www.youtube.com/watch?v=GwMr8Xl7JMQ">Roger and Jake's ​talk at 28C3</a>, or <a href="https://www.youtube.com/watch?v=JZg1nqs793M">​Runa's talk at 44con</a>.
+We have been considering one day adding two classes of cells -- maybe a 64 
+byte cell and a 1024 byte cell. This would allow less overhead for 
+interactive streams while still allowing good throughput for bulk streams. 
+But since we want to do a lot of work on quality-of-service and better 
+queuing approaches first, you shouldn't expect this change anytime soon 
+(if ever). However if you are keen, there are a couple of 
+<a href="https://www.torproject.org/getinvolved/volunteer.html.en#Research">
+research ideas</a> that may involve changing the cell size. 
     </p>
 
     <hr>
 
-    <a id="RemotePhysicalDeviceFingerprinting"></a>
-    <h3><a class="anchor" href="#RemotePhysicalDeviceFingerprinting">Does Tor resist "remote physical device fingerprinting"?</a></h3>
+    <a id="OutboundConnections"></a>
+    <h3><a class="anchor" href="#OutboundConnections">Why does netstat show 
+    these outbound connections?</a></h3>
     <p>
- Yes, we resist all of these attacks as far as we know.
+    Because that's how Tor works. It holds open a handful of connections 
+    so there will be one available when you need one. 
     </p>
+
+    <hr>
+
+    <a id="PowerfulBlockers"></a>
+    <h3><a class="anchor" href="#PowerfulBlockers">What about powerful blocking 
+    mechanisms?</a></h3>
     <p>
-These attacks come from examining characteristics of the IP headers or TCP headers and looking for information leaks based on individual hardware signatures. One example is the ​<a href="http://www.caida.org/outreach/papers/2005/fingerprinting/">Oakland 2005 paper</a> that lets you learn if two packet streams originated from the same hardware, but only if you can see the original TCP timestamps.
+ An adversary with a great deal of manpower and money, and severe 
+ real-world penalties to discourage people from trying to evade detection, 
+ is a difficult test for an anonymity and anti-censorship system.
     </p>
     <p>
-Tor transports TCP streams, not IP packets, so we end up automatically scrubbing a lot of the potential information leaks. Because Tor relays use their own (new) IP and TCP headers at each hop, this information isn't relayed from hop to hop. Of course, this also means that we're limited in the protocols we can transport (only correctly-formed TCP, not all IP like ZKS's Freedom network could) -- but maybe that's a good thing at this stage. </p>
+The original Tor design was easy to block if the attacker controls Alice's 
+connection to the Tor network --- by blocking the directory authorities, by 
+blocking all the relay IP addresses in the directory, or by filtering based 
+on the fingerprint of the Tor TLS handshake. After seeing these attacks and 
+others first-hand, more effort was put into researching new circumvention 
+techniques. Pluggable transports are protocols designed to allow users behind 
+government firewalls to access the Tor network.
+    </p>
+    <p>
+We've made quite a bit of progress on this problem lately. You can read more 
+details on the <a href="https://www.torproject.org/docs/pluggable-transports.html.en">
+pluggable transports page</a>. You may also be interested in 
+<a href="https://www.youtube.com/watch?v=GwMr8Xl7JMQ">Roger and Jake's ​talk at 
+28C3</a>, or <a href="https://www.youtube.com/watch?v=JZg1nqs793M">​Runa's 
+talk at 44con</a>.
+    </p>
 
     <hr>
  
-<a id="AttacksOnOnionRouting"></a>
-    <h3><a class="anchor" href="#AttacksOnOnionRouting">What attacks remain against onion routing?</a></h3>
+    <a id="RemotePhysicalDeviceFingerprinting"></a>
+    <h3><a class="anchor" href="#RemotePhysicalDeviceFingerprinting">Does Tor 
+    resist "remote physical device fingerprinting"?</a></h3>
     <p>
-As mentioned above, it is possible for an observer who can view both you and either the destination website or your Tor exit node to correlate timings of your traffic as it enters the Tor network and also as it exits. Tor does not defend against such a threat model.
+ Yes, we resist all of these attacks as far as we know.
     </p>
     <p>
-In a more limited sense, note that if a censor or law enforcement agency has the ability to obtain specific observation of parts of the network, it is possible for them to verify a suspicion that you talk regularly to your friend by observing traffic at both ends and correlating the timing of only that traffic. Again, this is only useful to verify that parties already suspected of communicating with one another are doing so. In most countries, the suspicion required to obtain a warrant already carries more weight than timing correlation would provide.
+These attacks come from examining characteristics of the IP headers or TCP 
+headers and looking for information leaks based on individual hardware 
+signatures. One example is the 
+​<a href="http://www.caida.org/outreach/papers/2005/fingerprinting/">
+Oakland 2005 paper</a> that lets you learn if two packet streams originated 
+from the same hardware, but only if you can see the original TCP timestamps.
 </p>
 <p>
-Furthermore, since Tor reuses circuits for multiple TCP connections, it is possible to ​associate non anonymous and anonymous traffic at a given exit node, so be careful about what applications you run concurrently over Tor. Perhaps even run separate Tor clients for these applications. 
+Tor transports TCP streams, not IP packets, so we end up automatically 
+scrubbing a lot of the potential information leaks. Because Tor relays use 
+their own (new) IP and TCP headers at each hop, this information isn't 
+relayed from hop to hop. Of course, this also means that we're limited in 
+the protocols we can transport (only correctly-formed TCP, not all IP like 
+ZKS's Freedom network could) -- but maybe that's a good thing at this stage. 
 </p>
 
     <hr>
 
-    <a id="CellSize"></a>
-    <h3><a class="anchor" href="#CellSize">Tor uses hundreds of bytes for every IRC line. I can't afford that!</a></h3>
+<a id="AttacksOnOnionRouting"></a>
+    <h3><a class="anchor" href="#AttacksOnOnionRouting">What attacks remain 
+    against onion routing?</a></h3>
     <p>
-     Tor sends data in chunks of 512 bytes (called "cells"), to make it harder for intermediaries to guess exactly how many bytes you're communicating at each step. This is unlikely to change in the near future -- if this increased bandwidth use is prohibitive for you, I'm afraid Tor is not useful for you right now.
+As mentioned above, it is possible for an observer who can view both you and 
+either the destination website or your Tor exit node to correlate timings of 
+your traffic as it enters the Tor network and also as it exits. Tor does not 
+defend against such a threat model.
     </p>
     <p>
-The actual content of these fixed size cells is <a href="https://gitweb.torproject.org/torspec.git/blob/HEAD:/tor-spec.txt">documented in the main Tor spec</a>, section 3.
+In a more limited sense, note that if a censor or law enforcement agency has 
+the ability to obtain specific observation of parts of the network, it is 
+possible for them to verify a suspicion that you talk regularly to your friend 
+by observing traffic at both ends and correlating the timing of only that 
+traffic. Again, this is only useful to verify that parties already suspected 
+of communicating with one another are doing so. In most countries, the 
+suspicion required to obtain a warrant already carries more weight than 
+timing correlation would provide.
     </p>
     <p>
-We have been considering one day adding two classes of cells -- maybe a 64 byte cell and a 1024 byte cell. This would allow less overhead for interactive streams while still allowing good throughput for bulk streams. But since we want to do a lot of work on quality-of-service and better queuing approaches first, you shouldn't expect this change anytime soon (if ever). However if you are keen, there are a couple of <a href="https://www.torproject.org/getinvolved/volunteer.html.en#Research">research ideas</a> that may involve changing the cell size. 
+Furthermore, since Tor reuses circuits for multiple TCP connections, it is 
+possible to ​associate non anonymous and anonymous traffic at a given exit 
+node, so be careful about what applications you run concurrently over Tor. 
+Perhaps even run separate Tor clients for these applications. 
     </p>
 
     <hr>
@@ -2523,7 +2951,8 @@ though:
     <p>
     First, we need to make Tor stable as a relay on all common
     operating systems. The main remaining platform is Windows,
-    and we're mostly there. See Section 4.1 of <a href="https://www.torproject.org/press/2008-12-19-roadmap-press-release"
+    and we're mostly there. See Section 4.1 of <a 
+    href="https://www.torproject.org/press/2008-12-19-roadmap-press-release"
 >our
     development roadmap</a>.
     </p>
@@ -2695,74 +3124,137 @@ spend rethinking their overall approach to privacy and anonymity.
     <hr>
 
 <a id="ChoosePathLength"></a>
-<h3><a class="anchor" href="#ChoosePathLength">You should let people choose their path length.</a></h3>
+<h3><a class="anchor" href="#ChoosePathLength">You should let people choose 
+their path length.</a></h3>
 <p>
- Right now the path length is hard-coded at 3 plus the number of nodes in your path that are sensitive. That is, in normal cases it's 3, but for example if you're accessing a hidden service or a ".exit" address it could be 4.
+ Right now the path length is hard-coded at 3 plus the number of nodes in 
+ your path that are sensitive. That is, in normal cases it's 3, but for 
+ example if you're accessing a hidden service or a ".exit" address it could be 4.
 </p>
 <p>
- We don't want to encourage people to use paths longer than this -- it increases load on the network without (as far as we can tell) providing any more security. Remember that <a href="https://svn.torproject.org/svn/tor/trunk/doc/design-paper/tor-design.html#subsec:threat-model">the best way to attack Tor is to attack the endpoints and ignore the middle of the path</a>.
+ We don't want to encourage people to use paths longer than this -- it 
+ increases load on the network without (as far as we can tell) providing 
+ any more security. Remember that <a 
+ href="https://svn.torproject.org/svn/tor/trunk/doc/design-paper/tor-design.html#subsec:threat-model">
+ the best way to attack Tor is to attack the endpoints and ignore the middle 
+ of the path
+ </a>.
 </p>
 <p>
- And we don't want to encourage people to use paths of length 1 either. Currently there is no reason to suspect that investigating a single relay will yield user-destination pairs, but if many people are using only a single hop, we make it more likely that attackers will seize or break into relays in hopes of tracing users.
+ And we don't want to encourage people to use paths of length 1 either. 
+ Currently  there is no reason to suspect that investigating a single 
+ relay will yield  user-destination pairs, but if many people are using 
+ only a single hop, we make it more likely that attackers will seize or 
+ break into relays in hopes 
+ of tracing users.
 </p>
 <p>
- Now, there is a good argument for making the number of hops in a path unpredictable. For example, somebody who happens to control the last two hops in your path still doesn't know who you are, but they know for sure which entry node you used. Choosing path length from, say, a geometric distribution will turn this into a statistical attack, which seems to be an improvement. On the other hand, a longer path length is bad for usability. We're not sure of the right trade-offs here. Please write a research paper that tells us what to do. 
+ Now, there is a good argument for making the number of hops in a path 
+ unpredictable. For example, somebody who happens to control the last 
+ two hops in your path still doesn't know who you are, but they know 
+ for sure which entry node you used. Choosing path length from, say, 
+ a geometric distribution will turn this into a statistical attack, 
+ which seems to be an improvement. On the other hand, a longer path 
+ length is bad for usability. We're not sure of the right trade-offs 
+ here. Please write a research paper that tells us what to do. 
 </p>
 
     <hr>
 
 <a id="SplitEachConnection"></a>
-    <h3><a class="anchor" href="#SplitEachConnection">You should split each connection over many paths.</a></h3>
+    <h3><a class="anchor" href="#SplitEachConnection">You should split 
+    each connection over many paths.</a></h3>
 
     <p>
- We don't currently think this is a good idea. You see, the attacks we're worried about are at the endpoints: the adversary watches Alice (or the first hop in the path) and Bob (or the last hop in the path) and learns that they are communicating.
+ We don't currently think this is a good idea. You see, the attacks we're 
+ worried about are at the endpoints: the adversary watches Alice (or the 
+ first hop in the path) and Bob (or the last hop in the path) and learns 
+ that they are communicating.
     </p>
     <p>
-If we make the assumption that timing attacks work well on even a few packets end-to-end, then having *more* possible ways for the adversary to observe the connection seems to hurt anonymity, not help it.
+If we make the assumption that timing attacks work well on even a few packets 
+end-to-end, then having *more* possible ways for the adversary to observe the 
+connection seems to hurt anonymity, not help it.
     </p>
     <p>
-Now, it's possible that we could make ourselves more resistant to end-to-end attacks with a little bit of padding and by making each circuit send and receive a fixed number of cells. This approach is more well-understood in the context of high-latency systems. See e.g. <a href="http://freehaven.net/anonbib/#pet05-serjantov">Message Splitting Against the Partial Adversary by Andrei Serjantov and Steven J. Murdoch</a>.
+Now, it's possible that we could make ourselves more resistant to end-to-end 
+attacks with a little bit of padding and by making each circuit send and 
+receive a fixed number of cells. This approach is more well-understood in 
+the context of high-latency systems. See e.g. 
+<a href="http://freehaven.net/anonbib/#pet05-serjantov">
+Message Splitting Against the Partial Adversary by Andrei Serjantov and 
+Steven J. Murdoch</a>.
     </p>
     <p>
-But since we don't currently understand what network and padding parameters, if any, could provide increased end-to-end security, our current strategy is to minimize the number of places that the adversary could possibly see.
+But since we don't currently understand what network and padding 
+parameters, if any, could provide increased end-to-end security, our 
+current strategy is to minimize the number of places that the adversary 
+could possibly see.
     </p>
 
     <hr>
 
     <a id="UnallocatedNetBlocks"></a>
-    <h3><a class="anchor" href="#UnallocatedNetBlocks">Your default exit policy should block unallocated net blocks too.</a></h3>
+    <h3><a class="anchor" href="#UnallocatedNetBlocks">Your default exit 
+    policy should block unallocated net blocks too.</a></h3>
 
     <p>
- No, it shouldn't. The default exit policy blocks certain private net blocks, like 10.0.0.0/8, because they might actively be in use by Tor relays and we don't want to cause any surprises by bridging to internal networks. Some overzealous firewall configs suggest that you also block all the parts of the Internet that IANA has not currently allocated. First, this turns into a problem for them when those addresses *are* allocated. Second, why should we default-reject something that might one day be useful?
+ No, it shouldn't. The default exit policy blocks certain private net blocks, 
+ like 10.0.0.0/8, because they might actively be in use by Tor relays and we 
+ don't want to cause any surprises by bridging to internal networks. Some 
+ overzealous firewall configs suggest that you also block all the parts of 
+ the Internet that IANA has not currently allocated. First, this turns into 
+ a problem for them when those addresses *are* allocated. Second, why should 
+ we default-reject something that might one day be useful?
     </p>
     <p>
-Tor's default exit policy is chosen to be flexible and useful in the future: we allow everything except the specific addresses and ports that we anticipate will lead to problems. 
+Tor's default exit policy is chosen to be flexible and useful in the future: 
+we allow everything except the specific addresses and ports that we 
+anticipate will lead to problems. 
     </p>
 
     <hr>
 
     <a id="BlockWebsites"></a>
-    <h3><a class="anchor" href="#BlockWebsites">Exit policies should be able to block websites, not just IP addresses.</a></h3>
+    <h3><a class="anchor" href="#BlockWebsites">Exit policies should be 
+    able to block websites, not just IP addresses.</a></h3>
 
     <p>
- It would be nice to let relay operators say things like "reject www.slashdot.org" in their exit policies, rather than requiring them to learn all the IP address space that could be covered by the site (and then also blocking other sites at those IP addresses).
+ It would be nice to let relay operators say things like "reject 
+ www.slashdot.org" in their exit policies, rather than requiring 
+ them to learn all the IP address space that could be covered by the site 
+ (and then also blocking other sites at those IP addresses).
     </p>
     <p>
-There are two problems, though. First, users could still get around these blocks. For example, they could request the IP address rather than the hostname when they exit from the Tor network. This means operators would still need to learn all the IP addresses for the destinations in question.
+There are two problems, though. First, users could still get around these 
+blocks. For example, they could request the IP address rather than the 
+hostname when they exit from the Tor network. This means operators would 
+still need to learn all the IP addresses for the destinations in question.
     </p>
     <p>
-The second problem is that it would allow remote attackers to censor arbitrary sites. For example, if a Tor operator blocks www1.slashdot.org, and then some attacker poisons the Tor relay's DNS or otherwise changes that hostname to resolve to the IP address for a major news site, then suddenly that Tor relay is blocking the news site. 
+The second problem is that it would allow remote attackers to censor 
+arbitrary sites. For example, if a Tor operator blocks www1.slashdot.org, 
+and then some attacker poisons the Tor relay's DNS or otherwise changes 
+that hostname to resolve to the IP address for a major news site, then 
+suddenly that Tor relay is blocking the news site. 
     </p>
 
     <hr>
 
     <a id="BlockContent"></a>
-    <h3><a class="anchor" href="#BlockContent">You should change Tor to prevent users from posting certain content.</a></h3>
+    <h3><a class="anchor" href="#BlockContent">You should change Tor to 
+    prevent users from posting certain content.</a></h3>
 
-    <p> Tor only transports data, it does not inspect the contents of the connections which are sent over it. In general it's a very hard problem for a computer to determine what is objectionable content with good true positive/false positive rates and we are not interested in addressing this problem.
+    <p> Tor only transports data, it does not inspect the contents of the 
+    connections which are sent over it. In general it's a very hard problem 
+    for a computer to determine what is objectionable content with good true 
+    positive/false positive rates and we are not interested in addressing 
+    this problem.
     </p>
     <p>
-Further, and more importantly, which definition of "certain content" could we use? Every choice would lead to a quagmire of conflicting personal morals. The only solution is to have no opinion. 
+Further, and more importantly, which definition of "certain content" could we 
+use? Every choice would lead to a quagmire of conflicting personal morals. The 
+only solution is to have no opinion. 
     </p>
 
     <hr>
@@ -2771,19 +3263,29 @@ Further, and more importantly, which definition of "certain content" could we us
     <h3><a class="anchor" href="#IPv6">Tor should support IPv6.</a></h3>
 
     <p>
-     That's a great idea! There are two aspects for IPv6 support that Tor needs. First, Tor needs to support exit to hosts that only have IPv6 addresses. Second, Tor needs to support Tor relays that only have IPv6 addresses.
+     That's a great idea! There are two aspects for IPv6 support that Tor needs. 
+     First, Tor needs to support exit to hosts that only have IPv6 addresses. 
+     Second, Tor needs to support Tor relays that only have IPv6 addresses.
     </p>
     <p>
-The first is far easier: the protocol changes are relatively simple and isolated. It would be like another kind of exit policy.
+The first is far easier: the protocol changes are relatively simple and isolated. 
+It would be like another kind of exit policy.
     </p>
     <p>
-The second is a little harder: right now, we assume that (mostly) every Tor relay can connect to every other. This has problems of its own, and adding IPv6-address-only relays adds problems too: it means that only relays with IPv6 abilities can connect to IPv6-address-only relays. This makes it possible for the attacker to make some inferences about client paths that it would not be able to make otherwise.
+The second is a little harder: right now, we assume that (mostly) every 
+Tor relay can connect to every other. This has problems of its own, and 
+adding IPv6-address-only relays adds problems too: it means that only 
+relays with IPv6 abilities can connect to IPv6-address-only relays. This 
+makes it possible for the attacker to make some inferences about client 
+paths that it would not be able to make otherwise.
     </p>
     <p>
-There is an  IPv6 exit proposal to address the first step for anonymous access to IPv6 resources on the Internet.
+There is an  IPv6 exit proposal to address the first step for anonymous 
+access to IPv6 resources on the Internet.
     </p>
     <p>
-Full IPv6 support is definitely on our "someday" list; it will come along faster if somebody who wants it does some of the work.
+Full IPv6 support is definitely on our "someday" list; it will come along 
+faster if somebody who wants it does some of the work.
     </p>
 
     <hr>
