I’m a Qubes-Whonix user. I would like to be able to disable private browsing mode in some of my single-purpose VMs, so that I can quickly restore my previous session including tabs and cookies. By single-purpose VM, I mean I would only use that VM to visit one or two specific sites I visit frequently, and would only use one identity or set of credentials. I would of course leave private browsing mode enabled in VMs that I use for general everyday browsing or sites I don’t visit frequently.
I was wondering what risks might be associated with doing this. For sites where I’m signed in or otherwise identifiable, I don’t think it would create any new risks with regards to pseudonymity, because restoring a session is no less anonymous than signing into the same account every time. Since the VM would only be used for one or a small number of related sites, I don’t think it would create any cross-site fingerprinting risks, possibly except for one important caveat.
In theory, HTTP is a stateless protocol, so closing the browser and then restoring it with the same cookies would, theoretically, appear to the site the same as closing a tab and reopening it, or putting the computer to sleep and then resuming. However there are probably ways sites can differentiate between the two, especially if you’re also restoring tabs and not just cookies.
So I have a feeling this might create a cross-site, cross-VM fingerprint like “tor browser users who have disabled private browsing mode.” If so, this could potentially link your identity between different single-purpose VMs, if the sites collude or load assets from the same entity.
However, I’m wondering whether the risk really important enough to justify the inconvenience of private browsing, and also if there are any other risks I may not of thought of. I’m just looking for second opinions, so any input would be helpful.
Most of the threads in this subforum are not Whonix-specific as far as I can tell. Most are about either Tor Browser or the Tor client/network.
I didn’t think this was a “support” subforum, rather just for discussions and informal questions.
The subforum’s name is “General Tor and Anonymity Talk” and its subtitle reads “General topics about Tor and Anonymity that can be discussed independently from Whonix.”
If there are specific expectations for this subforum beyond what the title and subtitle imply, then they should be clearly listed in a place where users can easily find them before posting.
Feel free to close or delete this thread if appropriate.
Disabling such a core feature of Tor Browser is not a good idea. If you are visiting sites anonymously where you don’t access a registered account, you should use bookmarks instead. Otherwise you will stand out like a sore thumb every time you visit and will turn your traffic pattern pseudonymous.
Well, that’s basically the idea I’m getting at with this. In some cases you really only need pseudonymity for certain things, and anonymity for the rest.
I’ll try to explain better. Say, for example, forums.whonix.org. Every time I go there, I sign in to my account, so I’m never really anonymous anyway. So, if I create a VM just for that purpose and nothing else, call it “whonix-forums-ak88” or whatever, and turn off private browsing. It’s still isolated from my activity in other VMs, so the only risk I see is that if I were to also disable private browsing in another VM, say “github-alice123”, then both forums.whonix.org and github.com (specifically, any scripts loaded by both of them, e.g. jQuery) might be able to determine that both browsers were Tor Browser but with private browsing disabled (unusual), and therefore were likely the same person.
I’m not sure how easily or to what extent sites can differentiate between someone restoring a non-private browsing session (unusual) versus, say, just reloading a page after suspend/resume with the browser still open (not unusual). In both cases you’re establishing a brand new TCP connection, from a new Tor circuit, but continuing a pre-existing session by way of using pre-existing cookies.
Although, something else I just thought of while writing this is that long sessions are probably unusual among Tor Browser users. So a site probably wouldn’t even need to fingerprint the browser, because if you’re connecting to a site over Tor and still using a cookie from a month ago, then you probably already stick out like a sore thumb.
So, I’m thinking it probably wouldn’t be safe to do in any high-stakes situations; anonymity vs convenience tradeoff.
To add something to this conversation,
this may be a little inconvenient depending on your workload, and preferences but should be helpful in keeping your anonymity intact.
Try to use Tor browser for a single purpose only. If you need to do something specific, do it, and then close down. Open up and do something else. And so on and so on. This way there is no built up session history because it is erased every time Tor browser closes. Also, less chance of an error. We have all heard the scenario where for whatever reason, internet service is interrupted. If you are doing different things at the same time and if an attacker is passively monitoring, it would be easy to deduce that the two identities that suddenly left at the same time is the same person.
This topic was of interest to me recently based on a similar threat model.
The solution for me* was a whonix-ws appVM with Tor browser’s private browsing mode turned off. In my case, I also want cookies and login info to persist for a select few sites: The only ones to be visited in this browser.
I am not concerned about correlation or linking, but rather location privacy. I installed ublock origin, disconnect, and privacy badger knowing that they don’t offer much benefit either in my case but I don’t support the act of unnecessary data collection.
Other options for maintaining a long-term single identity were:
-SecBrowser in a VPN’d non-Whonix Qube
-FF ESR in a Whonix Qube (with the tor>vpn setup as described in the docs)
It is a matter of taste whether you want to be scrutinized by a tor exit node or a VPN gateway.
*This setup is far from recommended for typical use. My model was mainly added for posterity and informational purposes. If you are thinking about doing this without some experience in threat modelling you probably shouldn’t / need to ask more questions first. You will still easily encounter “captcha hell” or Wordfence blockers if you choose to go with this strategy.