icewesel security enhancement inside the WS

TNT_BOM_BOM · January 8, 2016, 11:38pm

i know it is not safe to use iceweasel which is located inside the WS

but even tho , cant we put security enhancement or extra layer of protection before opening it like proxychains (or corridor? or …etc if possible) ?

so it will be like:-

GW (Tor) - WS (e.g proxychains + iceweasel)

so even if we assume proxychains r not sure of leaking and there is non better than it but still is considered an extra layer of protection then why we dont add it ? because even tho if it is leaking then it will leak Tor ip not the real ip.

Ego · January 9, 2016, 12:06am

Good day,

wouldn’t this necessitate including a pre-configured proxy? That would mean that we need to find a proxy provider that is both free and also deemed safe. As that is in my eyes impossible to find, I don’t really see us beeing able to do much here, as it is already possible to use proxychains, when someone wants to, with a proper proxy.

Have a nice day,

Ego

TNT_BOM_BOM · January 9, 2016, 2:27am

no , u dont need any proxy.

proxychains can be used with Tor , and inside proxychains u can choose dynamic chain. which mean it will keep changing the Tor connection whenever the connection fail , also it work well with socks5 , and lastly it prevent DNS leakage = thats what i call it security enhancement when browsing iceweasel.

Ego · January 9, 2016, 12:54pm

Good day,

when you use proxychains with Tor, proxychains doesn’t have any effect on the way the Tor connection works, as it litterally only uses the connection by e.g. Vidalia or the Gateway to connect. As far as I’ve read the documentation, dynamic chaining only affects the chained proxys as they ar written in the document. If you add Tor to it, it can affect, where the Tor connection happens (so before or after another proxy) but nothing more.

Also, DNS leaks are automatically prevented when using Whonix, as far as I’m concerned.

Have a nice day,

Ego

TNT_BOM_BOM · January 9, 2016, 10:48pm

hmm if it doesnt give any futher protection regarding surfing with proxychains well it seems not needable but

DNS leak prevention way 1 (whonix isolation) + DNS leak prevention way 2 (proxychains) = doesnt consider extra-layer of protection ?

entr0py · January 10, 2016, 7:22pm

As Ego explained, Iceweasel already only leaks Tor IP. You could run Netscape on the Workstation and it too would only leak Tor IP. For Whonix users, the advantage of TorBrowser is NoScript, HttpsEverywhere, amnesia (cookies, history, etc), fingerprint pseudonymity, etc.

Proxychains (the repository version) is hard-coded to route all DNS requests to Google DNS servers. If you prefer Google DNS to Tor DNS, then you could optionally just change the nameserver in your Workstation from Gateway IP to Google DNS IP. The newer Proxychains versions allow editing the DNS server and/or querying your own DNS server. But afaik, they are still static parameters, whereas Tor DNS is handled by each exit node so all of your requests are not sent to the same server (if that matters).

Patrick · January 10, 2016, 8:04pm

I see. Instead of just relying on Whonix to correctly route ws system
default traffic through Tor’s Dns- and TransPort would be pointing it to
a specific socks port. Either by proxy settings or a socksifier (such as
torsocks / uwt).

The problem is, that each extra configuration makes Whonix more mystic
and more difficult to understand by auditors. Generating lots of
questions why doing this etc. Involving extra files and complexity.

You can reach the same by disabling transparent proxying. Documented here:

https://www.whonix.org/wiki/Stream_Isolation#Better_Protection

Then manually configure iceweasel to use a SocksPort. (Documented as per
https://www.whonix.org/wiki/Stream_Isolation ) (Otherwise it could not
connect anymore.)

And I am certain, that there are no leaks of this kind due to Whonix’s
design. If you disagree, the answer again would be to disable
transparent proxying. Thereby turning Whonix-Gateway into a full
Isolationing Proxy.

https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IsolatingProxy

Less usable (no applications without proxy setup would work anymore),
but arguably better leak protection.

TNT_BOM_BOM · January 10, 2016, 9:02pm

aha ok, thnx for all your comments , really appreciative. now everything is clear

TNT_BOM_BOM · January 13, 2016, 6:18am

since this topic is about enhancing iceweasel inside the WS , i was thinking if we upgrade iceweasel and leave the default situation (that iceweasel not upgradeable by default) because it is something between Debian and Firefox. but according to security upgrading is essential no?

how to upgrade iceweasel to the latest version inside check http://mozilla.debian.net/

Patrick · January 13, 2016, 1:47pm

Iceweasel is upgraded normal through apt-get from Debian repositories.

TNT_BOM_BOM · January 14, 2016, 2:05am

but check iceweasel and check the latest iceweasel/firefox update they r not the same , iceweasel which is installed by default way to old for the new one.

38.x the default and the latest about 43.x = huge differences and enhancements.

Patrick · January 14, 2016, 2:24am

They’re still secure. Maintained by the Debian maintainers of iceweasel
and the Debian security team. This is how Debian stabilization and
maintenance works.