How to use Tor safely

Finding links without getting burned

Sources: Use trusted directories you already know. Avoid random lists posted on forums or social media.

• Check /pgp.txt: Real mirrors publish a fingerprint, domain list, and a PGP public key.
• Consistency matters: Styling, wording, and structure should match across mirrors.
• Uptime: Dead mirrors, broken assets, or erratic behavior are warning signs.
• No forced downloads: If a site forces you to download verification tools, skip it.

Watch out for clones of our services. here how to spot the real websites.

Ads: Every website and service we own will NEVER have any kind of Pop-up ads. ( only Banners in .gif format )because servers cost money.

• Check /pgp.txt: if a site from us feels off. add /pgp.txt behind our onion adress. it should go to a white page with all our links. the email address ( NOVOHC-499@proton.me ) plus pgp and fingerprint. and on all services Email and pgp need to be on the website on index order contact or FAQ of the websites.
• Consistency matters: Styling, wording, and structure should match across mirrors. we only use Blue and White on HackerX and Glow-Hosting. Glowlinks and every other related sites stays Golden grey and black.
• Uptime: Dead mirrors, broken assets, or erratic behavior are warning signs.
• No forced downloads: We will never force you downloads!!!

Using Tor Browser correctly

• Use Tor Browser only: Don’t use Chrome/Brave with extensions.
• JavaScript: Keep it disabled unless you trust the page. Avoid heavy, dynamic scripts.
• Logins: Don’t use real credentials. Separate identities for Tor.
• Downloads: Be cautious. If you must, verify hashes and signatures outside Tor in a safe environment.
• Bookmarks: Save verified onion mirrors. Don’t rely on memory or random link dumps.

PGP basics: what it is and why it matters

What PGP does: It encrypts messages for a recipient using their public key and lets you sign messages with your private key.

Why use it: Protects content, proves ownership of messages, and helps verify domains/updates when fingerprints match.

• Import keys: Import the public key block from a verified source. Check the fingerprint before trusting.
• Encrypt to recipient: Select their public key (not yours) when encrypting. If you can’t decrypt locally, that’s expected.
• Sign your messages: Signing proves it came from you. Others can verify using your public key.

Fingerprint format example:
3899 74AF 9925 E3D8 C665 3DA8 5F78 6DB7 2A46 205B

How to use PGP (quick steps)

• Get a client: Use Kleopatra (Windows) or GnuPG (cross‑platform).
• Create your key: Generate an OpenPGP key pair. Set a passphrase.
• Import recipient key: Paste the full public key block, verify fingerprint, then import.
• Encrypt: Write your message in GnuPG or Kleopatra it's notepad. In your client, select Encrypt and choose the recipient’s public key only. Optionally Sign, your message should now look like encrypted bullshit. thats good now the message is encrypted and can be send.
• Send The Message: after you have hit encrypt. copy the full block from the notepad and send it via your message platform "email, vendor portal, or for what you need the message for.
• receive: you got your first incoming pgp message?. good. now we do the Encrypt step sort of in reverse. you have your Private key already inside your client ( you also generate a key pair from there ). only thing you need to do is copy the encrypted message from your email for example. to the Notepad inside your client. NOT YOUR OS IT'S NOTEPAD.
Now you hit the Decrypt button and a window asking for your key phrase can pop up. after you fill in your password the encrypted message should be visible to read.
• Verify signatures: When receiving messages/files, verify the signature against the sender’s public key.

Avoiding scams

• Fake mirrors: Wrong fingerprints, missing /pgp.txt, or mismatched styling.
• External apps: “Install this tool to continue” is a red flag.
• Phishing: Forms asking for emails/passwords unrelated to the service.
• Too good to be true: Promises of instant access, lifetime deals, or unbelievable prices.

Rule of thumb: If anything feels off, stop. Verify fingerprints and mirror lists before proceeding.

Quick verification checklist

• Match fingerprint: The domain’s fingerprint should match across mirrors and announcements.
• Match content: Footer, styling, and structure should be consistent.
• PGP presence: A public key and signature examples should be easily accessible.
• Behavior: No forced downloads, no surprise redirects, no pop‑ups.

Contact

Encrypt your message with our public key if you need to reach us or submit a mirror.

PGP key and fingerprint: see pgp.txt