I know it is not safe to use Iceweasel, which is located inside the WS,
but even though, can't we put a security enhancement or extra layer of protection before opening it, like proxychains (or corridor? or … etc. if possible)?
so it will be like:
GW (Tor) - WS (e.g. proxychains + iceweasel)
So even if we assume we are not sure proxychains doesn't leak and there is none better than it, it is still considered an extra layer of protection, so why don't we add it? Because even if it is leaking, it will leak the Tor IP, not the real IP.
Wouldn't this necessitate including a pre-configured proxy? That would mean that we need to find a proxy provider that is both free and also deemed safe. As that is in my eyes impossible to find, I don't really see us being able to do much here, as it is already possible to use proxychains, when someone wants to, with a proper proxy.
proxychains can be used with Tor, and inside proxychains you can choose dynamic chain, which means it will keep changing the Tor connection whenever the connection fails. Also it works well with socks5, and lastly it prevents DNS leakage = that's what I call a security enhancement when browsing with Iceweasel.
When you use proxychains with Tor, proxychains doesn't have any effect on the way the Tor connection works, as it literally only uses the connection by e.g. Vidalia or the Gateway to connect. As far as I've read the documentation, dynamic chaining only affects the chained proxies as they are written in the document. If you add Tor to it, it can affect where the Tor connection happens (so before or after another proxy) but nothing more.
Also, DNS leaks are automatically prevented when using Whonix, as far as I’m concerned.
As Ego explained, Iceweasel already only leaks Tor IP. You could run Netscape on the Workstation and it too would only leak Tor IP. For Whonix users, the advantage of TorBrowser is NoScript, HttpsEverywhere, amnesia (cookies, history, etc), fingerprint pseudonymity, etc.
Proxychains (the repository version) is hard-coded to route all DNS requests to Google DNS servers. If you prefer Google DNS to Tor DNS, then you could optionally just change the nameserver in your Workstation from Gateway IP to Google DNS IP. The newer Proxychains versions allow editing the DNS server and/or querying your own DNS server. But afaik, they are still static parameters, whereas Tor DNS is handled by each exit node so all of your requests are not sent to the same server (if that matters).
I see. Instead of just relying on Whonix to correctly route WS system default traffic through Tor's Dns- and TransPort, you would be pointing it to a specific socks port, either by proxy settings or a socksifier (such as torsocks / uwt).

The problem is that each extra configuration makes Whonix more mystic and more difficult to understand by auditors. It generates lots of questions about why this is done etc., and involves extra files and complexity.
You can reach the same by disabling transparent proxying. Documented here:
Then manually configure iceweasel to use a SocksPort. (Documented as per Stream Isolation ) (Otherwise it could not
And I am certain that there are no leaks of this kind due to Whonix's design. If you disagree, the answer again would be to disable transparent proxying. Thereby turning Whonix-Gateway into a full
Less usable (no applications without proxy setup would work anymore), but arguably better leak protection.
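The post above contrasts relying on transparent proxying with pointing an application at a specific SocksPort (via proxy settings or a socksifier) and isolating its streams. The following is an added example, not code from Whonix, Tor or anyone in this thread: it builds and parses the SOCKS5 messages such a socksified client sends, showing why handing the proxy a hostname avoids a local DNS lookup, and how Tor's IsolateSOCKSAuth keys stream isolation on the SOCKS username/password pair. All hostnames, ports and credentials in it are constructed sample values.

```python
"""
SOCKS5 client messages between a socksified application (browser proxy settings,
or a socksifier such as torsocks/uwt) and a Tor SocksPort, built and parsed
offline. Added example for this thread, not code from Whonix or Tor.

Two points from the discussion are illustrated:
  * a client that hands the proxy a hostname (ATYP 0x03) never does its own DNS
    lookup, so the name is resolved through Tor instead of leaking locally;
  * Tor's IsolateSOCKSAuth places connections with different SOCKS
    username/password pairs into separate isolation domains, so two applications
    sharing one SocksPort do not share circuits.
Hostnames, ports and credentials used here are constructed sample values.
"""
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04
AUTH_NONE = 0x00
AUTH_USERPASS = 0x02


def build_greeting(use_userpass):
    """Client greeting: offer RFC 1929 user/pass auth when an isolation key is wanted."""
    method = AUTH_USERPASS if use_userpass else AUTH_NONE
    return bytes([SOCKS_VERSION, 1, method])


def build_userpass(username, password):
    """RFC 1929 sub-negotiation. Tor accepts any pair and uses it only as an isolation key."""
    u, p = username.encode("utf-8"), password.encode("utf-8")
    if len(u) > 255 or len(p) > 255:
        raise ValueError("SOCKS5 username/password fields are limited to 255 bytes")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def build_connect(host, port):
    """CONNECT request carrying the hostname verbatim: no local getaddrinfo() happens."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for a SOCKS5 domain address")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def build_session(host, port, isolation_creds=None):
    """Ordered client messages for one connection; isolation_creds is (user, pass) or None."""
    msgs = [build_greeting(isolation_creds is not None)]
    if isolation_creds is not None:
        msgs.append(build_userpass(*isolation_creds))
    msgs.append(build_connect(host, port))
    return msgs


def parse_connect(req):
    """Decode a CONNECT request; 'remote_dns' is True only when the proxy must resolve the name."""
    if len(req) < 4:
        raise ValueError("truncated request")
    ver, cmd, _rsv, atyp = req[0], req[1], req[2], req[3]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_DOMAIN:
        n = req[4]
        host = req[5:5 + n].decode("idna")
        port = struct.unpack("!H", req[5 + n:7 + n])[0]
        return {"host": host, "port": port, "remote_dns": True}
    if atyp == ATYP_IPV4:
        # The client already resolved the name itself (or used a literal address).
        host = socket.inet_ntoa(req[4:8])
        port = struct.unpack("!H", req[8:10])[0]
        return {"host": host, "port": port, "remote_dns": False}
    if atyp == ATYP_IPV6:
        host = socket.inet_ntop(socket.AF_INET6, req[4:20])
        port = struct.unpack("!H", req[20:22])[0]
        return {"host": host, "port": port, "remote_dns": False}
    raise ValueError("unsupported address type 0x%02x" % atyp)


def resolved_by_proxy(req):
    """True when the request leaves name resolution to the proxy (the Tor SocksPort)."""
    return parse_connect(req)["remote_dns"]


def shares_isolation_domain(session_a, session_b):
    """Under IsolateSOCKSAuth two sessions may share circuits only when their
    auth sub-negotiation (or the absence of one) is identical."""
    auth_a = session_a[1] if len(session_a) == 3 else None
    auth_b = session_b[1] if len(session_b) == 3 else None
    return auth_a == auth_b
```

A client whose CONNECT requests parse with `remote_dns` False has resolved names on the workstation before reaching the SocksPort; on Whonix those queries still only reach the Gateway's DnsPort, but the point of the SocksPort approach is that the name never has to be resolved locally at all. Giving each application its own credentials (or its own SocksPort) is what keeps their streams on separate circuits.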
Since this topic is about enhancing Iceweasel inside the WS, I was thinking whether we should upgrade Iceweasel or leave the default situation (that Iceweasel is not upgradeable by default), because it is something between Debian and Firefox. But according to security, upgrading is essential, no?