[HOME] [DOWNLOAD] [DOCS] [BLOG] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

Long Wiki Edits Thread


#171

Could you please move Local_Connections_Exception_Threat_Analysis to advanced as well?


#172

1) Security Slider

Right.

The Security Slider was positioned with Torbutton, since it seemed to be logical to put all those functions together e.g. New Identity, New Tor Circuit and so on.

Can move it though - no problem and remove any recommendation. Instead note something like:

“Users need to make a decision whether they prefer greater security and lower usability at higher levels, or vice-versa. While fingerprinting risks are greatly reduced at higher levels, some site functionality may also be lost.”

2) Start Tor Browser

Yes, the easiest solution is just to hide all the extra text with a “Expand on the Right” part.

3) Torrent over Tor & File Downloading

Yes, I was aware of the no IP leak in Whonix, but thought it best to encourage best practices.

Perhaps I’ll just note they are bad practices and paraphrase the quotes, while suggesting files be opened in offline VMs (which I think I mentioned elsewhere in the entry e.g. “Unsafe Tor Browser Actions” or similar.)

4) Local Connection

Yes, I’ll move that threat analysis to Advanced as well.

5) Onion Services

The DHT stuff was straight out of Tor docs, but I can double check.

Let me fix up 1-4, and double-check point 5 for accuracy. Shouldn’t take too long.


#173

1) DHT seems to be the case for .onion services, see:

https://www.torproject.org/docs/hidden-services.html.en


So, I think the .onion services technical template is good for sign off. I added a link in Tor Browser entry to the relevant hidden services wiki entry.

2) Security Slider

On second thought, it’s too hard to move it around logically with current TOC. So I just entered this line at the bottom of security vs usability trade-off part:

“Note: The Torbutton extension’s [[#Security_Slider|Security Slider]] (see below) also involves a security versus usability trade-off. Users need to decide whether they prefer greater security and lower usability at higher slider levels, or vice-versa. While fingerprinting risks are greatly reduced at higher levels, some site functionality may also be lost.”

3) Collapsed Tor Browser Start stuff

Done.

4) Tor Browser Downloads

Done. Reworded.

"The Tor Project explicitly warns users not to open documents handled by external applications, since in the normal case they may contain Internet resources that may be downloaded outside of Tor by the application that opens them. https://www.torproject.org/download/download

This warning is not strictly relevant to Whonix users since all traffic is forced over the Whonix-Gateway and the IP address will not be leaked. Despite this fact, for greater safety users should open files such as PDFs and word processing documents in offline VMs.

Malicious files or links to files pose a greater threat; potential compromise of the user’s system. Therefore users should heed the Whonix advice to [[DoNot#Do_not_Open_Random_Files_or_Links|not open random links or files]] in the Whonix-Workstation. Instead, in [[Qubes-Whonix]] it is preferable to [https://micahflee.com/2016/07/how-qubes-makes-handling-pdfs-way-safer/ sanitize the PDF] or open the file or link in a [[Qubes/DisposableVM|DisposableVM]]. [[Non-Qubes-Whonix]] users should only open the file in a separate, offline Whonix-Workstation."

5) Local Connections Threat Analysis

Done. Moved to Advanced Section.

So, right now the Advanced Tor Browser entry is not signed-off, which means anybody trying to use that documentation today sees a blank page.

Probably best to sign-off ASAP.


#174

TODO -> TO DO this change may be grammatically more correct, but then one cannot search the wiki for TODO. Therefore please leave that unchanged.


#175

‘’‘2. Add jessie-backports to sources.list’’’

Do we have a template for that?


Since the move, Local Connections Exception Threat Analysis is now a case of lost me at hello. Could you please link back to the Tor Browser page for context or write an introduction to which situation it applies?


#176

A post was merged into an existing topic: Needed Wiki Templates


#177

OK.

  • Fixed all the “To do” back to TODO.
  • Also fixed a bunch of internal references that were pointing to the wrong (non-existent) entry after the split (missed them earlier).
  • Also changed some remaining ugly (long) internal references into nice wording instead.
  • I’ve fixed the threat analysis thing.

So Tor Browser is done! Great, thanks! :slight_smile:


#178

[[Tor_Browser/Internal_Updater#cite_note-64|this footnote]]

That won’t work for long. Could you add an anchor please?


#179

It worked on my preview test i.e. took me to the right footnote.

Please remind me about the Anchor formatting if you want me to change it anyway.


#180

Footnotes aren’t stable. As soon as another footnote is added above, the number will change.

Please remind me about the Anchor formatting if you want me to change it anyway.

{{Anchor|anchor_name}}

Then you can use pagename#anchor_name.


#181

Right. Fixed. I used an easy work-around instead of anchoring (PTSD from last time I used/touched anchors).

Also fixed up a bunch of broken internal refs for Unsafe Tor Browser behavior and x1 in Custom Homepage. They now link properly.

OK, now I really think we’re done there. Party time. :+1:


#182

Do you want the license section on every (main) wiki documentation page? That is:

= License =

{{License_Amnesia|{{FULLPAGENAME}}}}

If so, I’ll fix that up (it’s not consistent now and often missing).

Also, decide whether you want references noted as:

== References ==

Or

== Footnotes ==

On each page, since it is inconsistent now on each page.

PS I removed the “Secure Back-ups” part from Security Guide, since that issue is now closed on github (Qubes), because scrypt has been implemented and solves this problem. See:


#183

torjunkie:

Do you want the license section on every (main) wiki documentation
page?

No, license is only required for pages originally forked from elsewhere.

{{License_Amnesia|{{FULLPAGENAME}}}}

That specifically is only for pages that originate from Tails.

If so, I’ll fix that up (it’s not consistent now and often missing).

Also, decide whether you want references noted as:

What you could do is compare with the original. Then if the original was
improved in meanwhile, backport the changes to Whonix. And if our page
doesn’t include anything from the original anymore, we could as well as
also remove it.

== References ==

Or

== Footnotes ==

It depends. Sometimes it’s just references. Sometimes it’s footnotes.
Got any example where that looks wrong?

PS I removed the “Secure Back-ups” part from Security Guide, since
that issue is now closed on github (Qubes), because scrypt has been
implemented and solves this problem. See:

https://github.com/QubesOS/qubes-issues/issues/971

Thanks for noticing. Has this fix been deployed to recent Qubes versions
(R3.2)?


#184

Ah right - understood. Don’t worry about the license or footnote vs references thing then. I think they’re all good.

Not sure about scrypt being updated in stock 3.2. The bug only just got closed, so maybe it hasn’t come down to stable repos yet, because that normally takes 7 or 10 days or so.

Computer Security Education is taking longer than thought -> been busy + added lots of material here and there to remove the “TODO” references, which are annoying from an editing perspective i.e. it’s just better to research it, and cross that off.

Plus, some of it is critical e.g. router stuff I just added, which most users (even experienced ones) overlook, despite it being one of the weakest links targeted by scumbag hackers.

Getting closer though, just a few bits left e.g Windows vs other distros, MAC address stuff (hopefully just editing for that) etc. Once that’s done, I can move onto Advanced Security Guide, which I’m sure will be a nightmare to edit. :wink:


#185

Could you please add a chapter Tor Browser Hardened to https://www.whonix.org/wiki/Tor_Browser/Advanced_Users?

(Would have been useful as reference here: TOR BROWSER BUGGGG in whonix)


#186

The relevant information is in the introduction to this entry here:

http://kkkkkkkkkk63ava6.onion/wiki/Tor_Browser/Advanced_Users#Introduction

The “hardened” Tor Browser has been deprecated and major features like Selfrando memory randomization are now part of the alpha series and planned for eventual mainline adoption. Consequently, The Tor Project recommends users seeking a higher security solution should default to the sandboxed Tor Browser: [25] [26]

While the Sandboxed Tor Browser is currently in an experimental state itself, we feel that it provides much better safeguards against exploitation than the features we shipped in the hardened series.

Do you still want a “Hardened Tor Browser” entry to point to this?


#187

Yes, I think that would be useful to have as reference. Perhaps not a separate headline, but an anchor and clickable link (for future copy and paste) (that leads to the sentence on hardened)?


#188

OK. I added this anchor to just above the relevant text:

{{Anchor|Tor Browser Hardened}}

Presumably a clickable link will be available once that is signed off.


#189

OK - 66 edits and a ton of research later, the Computer Security Education entry is now ready for review.

Most of the TODO’s have now been addressed.

Painful would be an understatement. I might tackle some smaller entries before the Advanced Security Guide section.

Moving on.


#190

Great work on the computer security guide!


Edit wish high priority:
For legal reasons etc… Hard terrain… Not sure I am getting paranoid here, but we shouldn’t call any names. Especially no powerful ones. Especially no legitimate ones.

Could you please look through the wiki for…

  • intelligence agencies
  • NSA
  • etc.

And rewrite them in generic terms? Call them adversary?

We’re pro privacy. We don’t want wifi sniffers in hotspots and other criminals to illegally eavesdrop our communications.

We can still link to articles mentioning any names. Would be hard to find articles in pure generic terms. As for the articles, we are just using them as references proving a claim. Then calling names is a only a by-product and not the point.


Lower priority bonus wishlist: Research Windows / MacOS RAM dumps. During application crashes, they might create a dump of the whole RAM (sometimes called coredump).

http://www.networkworld.com/article/2164903/windows/windows-how-to-solve-windows-8-crashes-in-less-than-a-minute.html

If you could explain that a bit (using that source or any other that more focuses on the outrageous privacy issues) (similar to the existing bullet points). Mention a RAM dump could contain anything done during that session (rather random depending on how the RAM is wiped [if at at all] and depending if it was overwrite. And of course all currently existing contents in RAM. Probably swap is included as well. Including all disk encryption passwords, opened documents contents, other password and whatnot. Very likely would even make security attacks easier since it might exact states about ALSR, seeds, and whatnot.


To make reviews faster and safer, could you please split future edits into parts:

  • a) language fixes
  • b) moving chapters around without changes
  • c) new content

By split, I mean only doing either a), b) or c), and then waiting for the review. That would make reading the diff a lot easier to read.