How to elegantly mitigate tor exit node http downgrade

I heard recently there is a massive Tor exit node HTTP downgrade attack in which malicious attackers control more than twenty percent of Tor exit nodes. I encountered this attack today and carelessly typed my sensitive credential into an HTTP login page. I tried to mitigate the HTTP downgrade attack, but Qubes-Whonix seems to have some very weird mechanism that makes doing it very difficult.

First I tried to ban all non-HTTPS connections in HTTPS Everywhere, and it turned out to work very well. The problem is I need to do this every time in the disposable VM, which is pretty meaningless because I forget to do it most of the time.

I tried to do this modification in the template browser, so that refusing to connect to HTTP sites would be the default behavior of all spawned disposable VMs, but the first problem is the “you cannot open torbrowser in the template”. I commented out tb_allow_start_in_templatevm=true in /etc/torbrowser/30_default, but the torbrowser command in bash still refuses to start Tor Browser and indicates “Neither /var/cache/tb-binary/.tb/tor-browser/Browser/start-tor-browser nor /var/cache/tb-binary/.tb/tor-browser/start-tor-browser nor /var/cache/tb-binary/.tb/tor-browser/start-tor-browser.desktop is executable.” I tried to launch Tor Browser as root, but it refuses to launch as root.

Fine, so I just chmod o+x the launcher, but using the torbrowser command just comes with more permission problems. “Browser/Data/Browser/profile.default/user.js’: Permission denied
[ERROR] [torbrowser] /usr/bin/torbrowser script bug”
“touch: cannot touch ‘/var/cache/tb-binary/.tb/tor-browser/slider-question-done’: Permission denied
[ERROR] [torbrowser] /usr/bin/torbrowser script bug.”

After fixing these permission problems one by one, running torbrowser comes with this bug: “[ERROR] [torbrowser] Tor Browser ended with non-zero (error) exit code!
Tor Browser was started with:
/var/cache/tb-binary/.tb/tor-browser/Browser/start-tor-browser --allow-remote .
Tor Browser exited with code: 126”. Searching for this error code led to an ancient Tor Browser help ticket, which is not helpful at all: Vidalia exited abnormally. Exit code: 126 (#6493) · Issues · Legacy / Trac · GitLab.

At this point I messed up my Whonix workstation and I need to reinstall my Whonix template.
OK, I just used template revert and got my Whonix template back, and we can continue now.

I tried to edit the DVM template and changed the settings in the Tor Browser GUI, but it seems like the spawned disposable VMs do not inherit settings from the DVM Tor Browser.

How would you do that with Tor Browser on Debian? → Suggested to resolve as per Free Support for Whonix ™

As for DVM customization, that is documented here:
Tor Browser DisposableVM Template Customization

BTW, Tor Browser/Firefox already includes a feature to block all HTTP connections without relying on a browser extension. Go to about:config and set dom.security.https_only_mode to true. This might be a better option for you as you can simply set it in a user.js file.

2 Likes
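
One way to apply the user.js suggestion above repeatably and to check that it took effect, as an added example that is not part of the original thread or of Whonix's own tooling. The function names are hypothetical, and the path to user.js is passed as an argument because it depends on the installation.

```shell
#!/bin/sh
# Added example: pin HTTPS-Only Mode in a Firefox / Tor Browser user.js.
# Function names are hypothetical; pass the profile's user.js path as $1.
PREF='dom.security.https_only_mode'

# Print the effective value of the pref in user.js file $1 (empty if unset).
# If the pref appears more than once, the last user_pref() line wins, so only
# the final match is reported. Lines commented out with // are ignored.
https_only_value() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*user_pref([[:space:]]*"dom\.security\.https_only_mode"[[:space:]]*,[[:space:]]*\([a-z]*\)[[:space:]]*).*/\1/p' "$1" | tail -n 1
}

# Make sure the effective value in user.js file $1 is true.
# Safe to run repeatedly: it does nothing when the pref is already true.
ensure_https_only() {
    file=$1
    if [ "$(https_only_value "$file")" = "true" ]; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    # Drop existing entries for this pref (e.g. one set to false) and keep
    # every other line of the file untouched.
    if [ -f "$file" ]; then
        grep -v '^[[:space:]]*user_pref([[:space:]]*"dom\.security\.https_only_mode"' "$file" > "$tmp" || true
    fi
    printf 'user_pref("%s", true);\n' "$PREF" >> "$tmp"
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Usage: ensure_https_only /path/to/profile/user.js
```

Running `https_only_value` against the profile's user.js after the change confirms the setting that the browser will read at startup.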

Nice Patrick, it worked!