In the past there is an option to uncomment a line in whonix ws template /etc/torbrowser.d/30_default.conf to make tor browser run at safest by default in disp vm, but now the layout of this config file seems changed. How can I make tor browser runs at safest by default right now?
It was deprecated because
So right now we have to change the browser setting everytime manually when a new disp vm is opened?
Tor Browser issue, Not whonix:
You could bend a TemplateVM which would be similar to this:
but it’s also discouraged.
So answer is: Possible but discouraged.
The generic answer I have seen is that this is not a Whonix issue but a Tor or Firefox issue.
That being said there has to be some resposibility shared within Whonix since Tor is the defacto browser provided by the Whonix system.
Instructions have been provided to change the Tor Browser configuration, but it would be better if some of the sharper people actually groomed the configuration with a more insightful eye.
Providing an indadequately configured browser by default would set up users to fail.
My concerns were piqued when reveiwing the NoScript settings and seeing the default rules pretty much accepting everything from a site along with:
- media.peerconnection set to true
- Location, camera, microphone, notifications, virtual reality all unblocked
The rationale being so ‘sites won’t get broken’.
The logic of this rationale escapes me since it exposes everyone to security attacks for the sake of the few who shouldn’t be on the internet.
The absence of add-ons that seem to be necessary to prevent tracking (at least per reviews): - privacy badger (EFF.org makes the installed HTTPS Everywhere)
- ublock origin
- disconnect
The last two add-ons light up like a christmas tree with trackers during general use of the Tor browser outside of whonix.
As I understand Tor has a fairly large attack surface to begin with and it’s based on firefox with its inadequacies.
There are a couple of user.js preference files that might help but appear to be usless if using a disposable vm.
The biggest place where the security gurus could help the peons is offer answers as to why the settings are as they are or why the addon is not used. For example, it may have something to do with bread crumbs left behind by these addons or settings. Or the act of blocking is actually used to track usage or meta-data.
Maybe an active forum to allow individuals to share their improvements or feedback on Tor browser security settings/addons in the Whonix world would help.
This isn’t intended to raise angst, and definitely not to wage a flame war. Just voicing frustration.
I’ve read that Tor is configured so that everyone looks the same in the network. Another theme that doesn’t make sense to me for the loose default security settings. As an alternative theme, why not default to a total lock down and let those who wish to understand the settings learn how to access sites.
That argument can be made but Whonix project isn’t economically capable to software fork Tor Browser.
(Please kindly do not accidentally substitute Tor for a question related to Tor Browser, as this causes confusion.)
Unfortunately, unlikely to happen. Somebody else should do it obviously generally doesn’t work. Computer security is generally messy:
Tor Browser, not Whonix issues.
Not on usability but to explain the background generally, equally valid, see:
Many people would prefer that.
Indeed.
Well, the options aren’t great or realistic.
- Sponsor/lobby The Tor Project
- Sponsor/do a software fork of Tor Browser.
- Find someone who can implement [Feature Request] Environment Variable to set security slider level (#25391) · Issues · The Tor Project / Applications / Tor Browser · GitLab - not a perfect/complete solution but a big step forward.
- Organize any of the above somehow.
I can only imagine your workload.
Maybe there’s a security pro out there who sees this thread and offers help.
I wish I had the wherewithal to pick up another sisyphean effort.
I can offer my configurations but even those are likely inadequate to someone in the know.