Cannot say much yet, since I don’t know how it will be implemented.
Low priority: Changing Icedove to Thunderbird everywhere on the wiki since Debian has sorted out the trademarking thing with Mozilla. So future users who have no idea about this don’t get confused. Or we can note that Icedove & Thunderbird are synonyms and leave it like that.
Not convinced this increases security. (Since malicious host modifications are far more dangerous.)
If anything, for https://www.whonix.org/wiki/Advanced_Security_Guide.
https://www.whonix.org/w/index.php?title=Computer_Security_Education&oldid=30618&diff=cur - Do you know about libreboot vs binary blobs? @HulaHoop
Libreboot is a de-blobbed Coreboot fork with the side effect that it has very limited hardware support. Similar to the linux-libre project which does the same with the upstream kernel.
I don’t particularly like the FUD-esque way this edit implies. Is it possible that these blobs could be malicious? Yes. Probable? No - because it’s an extremely stupid thing to do for every machine out there when it can be discovered by rival states and turned into a PR nightmare for CPU companies.
However libreboot is important from a freedom POV where people want to run a libre stack from the bottom up and don’t want blobs that can evolve into DRM schemes from running on their machines.
onioncircuit is coming to Whonix14:
So we should add related information to:
Added some changes and reorganization of that page on top.
Do you think you could briefly explain please the “frozen” / stable / older nature of package versions in Debian stable?
Added a few lines to:
Actually I messed that up. The quote under https://www.whonix.org/wiki/Install_Software#Prefer_Packages_from_Debian_Stable_Repository already explains it.
Could you review https://www.whonix.org/w/index.php?title=I2P&oldid=30664&diff=cur please? @HulaHoop
OK, I think the last bit of editing I was due to start was:
- generating a strong encryption key pair for email purposes (the wiki guide is a bit weak there)
- adding maybe something to Tor Browser entry about not ignoring “Allow this website to extract canvas image data?” question that sometimes appears here and there
- finishing off edits on Advanced Security Guide (was about half way through) so all of that shit can be switched around between Security Guide, Advanced Security Guide and Comp Security Education as per phabricator entry
Won’t have nearly as much time to edit as before, but should be able to do a few hours here and there.
PS You should do a search and delete apt-pinning instructions across the entire documentation? If it is screwing up some configs, then it is dangerous advice.
PPS Safe to run Tor Browser 7.5a5? It works, and has content sandboxing set to level 2, which 7.06 doesn’t, so if that is okay, we can recommend it in the hardening checklist. (off topic: have you tried debian 9 for sys-net and sys-firewall?)
Sounds all good!
That apt pinning template is empty so shouldn’t mess up any instructions anywhere.
That was me but I forgot to login…
I think we need to flesh out the Firejail stuff a bit, so people use better options e.g.
Is it possible to run a video player like VLC or SMplayer by allowing it access to videos in filesystem, while blocking its access to the internet?
$ firejail --net=none vlc
If any problem is encountered, a solution is to replace "--net=none" with "--protocol=unix"; the effect will be the same as "--net=none".
Is it possible to combine Firejail with TorBrowser, with the profiles you made for Firefox? (TorBrowser has full access to the .gnupg folder contents of the same user.) It will be useful if you write a separate blog article post about this if it is difficult to do.
You can reuse an existing profile for another application. Actually, this is how I start tor:
$ firejail --profile=/etc/firejail/firefox.profile ./start-tor-browser
Now, we can’t do the above in Whonix for Tor Browser (the firefox-esr.profile doesn’t work), but I’ve gone through the man firejail entry, and tried to run Tor Browser with various security options.
Most of them don’t work in Whonix, e.g. --apparmor --caps.drop=all --private --overlay-tmpfs etc., probably due to the unique environment running.
But --seccomp works nicely, as does --debug so you can see what the program is doing.
Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows: mount, umount2, ptrace, kexec_load, kexec_file_load, name_to_handle_at, open_by_handle_at, create_module, init_module, finit_module, delete_module, iopl, ioperm, ioprio_set, swapon, swapoff, syslog, process_vm_readv, process_vm_writev, sysfs, _sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp, add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup, io_destroy, io_getevents, io_submit, io_cancel, remap_file_pages, mbind, get_mempolicy, set_mempolicy, migrate_pages, move_pages, vmsplice, chroot, tuxcall, reboot, nfsservctl and get_kernel_syms.
System architecture is not strictly imposed. The filter is applied at run time only if the correct architecture was detected. For the case of I386 and AMD64 both 32-bit and 64-bit filters are installed.
So, using a layered security approach, surely we should recommend from the terminal for Firejail users:
firejail --debug --seccomp torbrowser
(it ends up using a default profile which isn’t too bad. Advanced users can build their own config)
This blacklists a lot of directories and processes - see man firejail for more information.
I thought the developer had released a tor browser .profile but I couldn’t find it, or at least it’s not part of the Debian 8 package that is installed.
PS Apparmor profile for Tor Browser in Whonix still unusable? Blank pages would only appear in recent times. Pity not to use it.
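A small Firejail profile for Tor Browser, as an added example that is not from the Whonix wiki or this thread: it keeps the seccomp filter confirmed above to work in Whonix and also hides ~/.gnupg, which the quoted Q&A notes Tor Browser can otherwise read. The profile path, the "torbrowser" launcher name and the nonewprivs/blacklist lines working in Whonix are assumptions to verify with --debug.

```shell
# Added example, not from the Whonix wiki or this thread: a small Firejail
# profile for Tor Browser that keeps the seccomp filter discussed above and
# also hides ~/.gnupg. Profile path and "torbrowser" launcher are assumptions.

# Write the profile to the path given in $1.
write_torbrowser_profile() {
    cat > "$1" <<'EOF'
# Assumed Tor Browser profile for firejail --profile=... (adjust as needed).
# Hide secrets the browser has no reason to read.
blacklist ${HOME}/.gnupg
blacklist ${HOME}/.ssh
# Apply firejail's default seccomp syscall blacklist (man firejail);
# this is the option confirmed in the thread to work in Whonix.
seccomp
# Forbid gaining privileges via setuid binaries inside the sandbox
# (assumed to work in Whonix; check the --debug output).
nonewprivs
EOF
}

# Launch helper: --debug prints what the sandbox actually applied, so a
# line that is silently ignored on Whonix shows up instead of being assumed.
run_torbrowser_sandboxed() {
    prof=${1:-"$HOME/tor-browser.profile"}
    [ -f "$prof" ] || write_torbrowser_profile "$prof"
    firejail --debug --profile="$prof" torbrowser
}
```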
OK, forgot about that!
We should add a section to the Apparmor part explicitly outlining what users should do to maintain a functional browser, instead of saying something about it being an advanced user problem.
No easy instructions = lower user base = people are less secure.
How about (I’ve tried this, doesn’t work yet, probably because the apparmor profile has to be renamed to etc/apparmor.d/home.tor-browser.firefox ? Error is around apparmor trying to access (denied read, r) the actual profile itself)
== Maintain a Functional Tor Browser ==
Tor Browser upgrades frequently break the Whonix Apparmor profile used to contain it. Even when Apparmor related fixes are confirmed in Phabricator, most often the packages are not made available to Whonix stable or even the developer version. This means manual profile fixes are required until [[http://kkkkkkkkkk63ava6.onion/wiki/About#Whonix_Version|the next Whonix version is released]].
At the time of writing, Tor Browser is non-functional with the available profile in the repositories. Advanced users can follow these steps to rectify the problem.
- Open a terminal in the Whonix-Workstation TemplateVM.
Whonix-WS TemplateVM ->
- List the available Apparmor profiles.
- Edit the Tor Browser apparmor profile.
Note: change the name of the file to match whatever version is installed on the system.
sudo nano /etc/apparmor.d/home.*.tor-browser_*.Browser.firefox
- Navigate to the Whonix Github resource for Apparmor.
The latest git commits can be found [https://github.com/Whonix/apparmor-profile-torbrowser here].
Cut and paste the profile text into the old Tor Browser profile which is open in nano. Save and exit.
- Enforce the new profile if it was previously disabled.
Note: change the name of the file below to match the one installed on the system.
In the Whonix-Workstation TemplateVM, run:
sudo aa-enforce /etc/apparmor.d/home.*.tor-browser_*.Browser.firefox
Shut down any running instances of the Whonix-Workstation AppVM and the Whonix-Workstation TemplateVM.
Restart the Whonix-Workstation AppVM and run Tor Browser.
If everything has been applied correctly, Tor Browser will have full functionality.
To check Apparmor is really running and enforced, in a terminal run:
The output should show the Tor Browser profile is loaded and in enforce mode.
Re: creating a strong key pair for email purposes.
I gather the following refs are pretty good, although some of the settings in the first one (Thunderbird) don’t marry up with Whonix recs, so could be tightened based on our wiki recommended settings:
Also, I don’t believe the GUI stuff in that guide is sufficient for creating a strong key pair (GPG auto creation defaults to 2048 bit key strength; we want 4096 bit).
Plus we can strengthen the hash preferences, create a safe master key pair (remove the original signing subkey) etc if it is manually created.
These guides below show how to create a 4096 bit key pair, with stronger settings. So, we’d probably outline the most relevant command line operations to create a strong key pair.
Then we need some clear instruction on how the manually generated key is used in Thunderbird i.e. importing step or other.
Also, pre-reqs before the user does any of this are, I suppose:
- already have created an anonymous email account with a non-backdoored, non-heavily attacked provider, which is based in a country not in the extensive ‘Eyes’ network, and supports desktop email and encryption add-ons. Easier said than done.
- separate Whonix-WS AppVM created just for email purposes.
- user already has enigmail installed (should be by default in Whonix)
The guide also needs to be clear on:
- removing private key off the template and storing in secure place so the user is not pwned.
- revocation certificate stuff.
- making a backup of the private key.
- keys that expire and not indefinite ones.
- all the keyserver crap (exporting public key) and doing it safely.
- using long form IDs for everything.
- making sure stuff is also signed appropriately for verification.
- a thousand other security things mentioned in those guides further above.
Basically, the finished product should look like what Patrick or HulaHoop would be happy with, if they were using it for email purposes - keys, key management, relevant Thunderbird settings & relevant VM settings.
I’ll test all relevant steps, because if there’s a config error to be found, I’m sure to run into it.
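The command-line key generation the post above asks for, as an added example that is not from the Whonix wiki or this thread: GnuPG batch mode producing a 4096-bit RSA key pair with a separate encryption subkey, SHA-512 first in the hash preferences and an expiry date. Name, e-mail and expiry are caller-supplied placeholders; the passphrase is deliberately not written to the parameter file.

```shell
# Added example, not from the Whonix wiki or this thread: unattended
# generation of a 4096-bit RSA key pair with an encryption subkey, SHA-512
# first in the hash preferences and an expiry date, via GnuPG's batch mode.
# Name, e-mail and expiry are placeholders passed in by the caller.

# Write a GnuPG batch parameter file: $1 = path, $2 = real name,
# $3 = e-mail, $4 = expiry in GnuPG syntax (e.g. 1y).
write_gpg_batch() {
    cat > "$1" <<EOF
%ask-passphrase
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: $4
Preferences: SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
%commit
EOF
}
# No Passphrase: line on purpose, so the passphrase never touches disk;
# %ask-passphrase makes GnuPG 2.0 use the pinentry dialog (2.1+ always does).

# Generate the key. GnuPG 2.1+ also drops a revocation certificate into
# ~/.gnupg/openpgp-revocs.d/, which should be backed up together with the key.
generate_strong_keypair() {
    params=$(mktemp)
    write_gpg_batch "$params" "$1" "$2" "$3"
    gpg --batch --gen-key "$params"
    status=$?
    rm -f "$params"
    return "$status"
}
```

Call it as `generate_strong_keypair "Name" "user@example.invalid" 1y`; the master key stays sign+certify here, so splitting off an offline master is a separate follow-up step.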
Did you know…?
You’re suggesting this? Not sure that is overkill / too difficult for most. Even for me it’s a PITA.
Renaming profile is not necessary. Wildcards are in place to support all Tor Browser versions. Just need directory to start with tor-browser, which it should if downloaded from torproject.org.
Steps 5,6,7 are valid.
Alternatively, one just needs to close Browser and then reload the apparmor profile with:
sudo apparmor_parser --replace /etc/apparmor.d/home.*.tor-browser_*.Browser.firefox
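The verification step at the end of the draft wiki section ("the output should show the Tor Browser profile is loaded and in enforce mode"), as an added example that is not from the Whonix wiki or this thread: a parser over aa-status output that reports the mode of the Tor Browser profile. The sample aa-status text is constructed; for live use pipe `sudo aa-status` into check_torbrowser_enforced.

```shell
# Added example, not from the Whonix wiki or this thread: check that the Tor
# Browser AppArmor profile is loaded and in enforce mode by parsing aa-status
# output. Live use: sudo aa-status | check_torbrowser_enforced

# Read aa-status output on stdin and print the mode ("enforce", "complain"
# or "not-loaded") of the first profile whose name matches the awk regex $1.
# Profiles are listed under "N profiles are in <mode> mode." headers; the
# later per-process sections are skipped so a process line is never taken
# for a profile name.
aa_profile_mode() {
    awk -v pat="$1" '
        /profiles are in enforce mode/  { mode = "enforce";  next }
        /profiles are in complain mode/ { mode = "complain"; next }
        /processes/                     { mode = "";         next }
        mode != "" && $0 ~ pat          { print mode; found = 1; exit }
        END { if (!found) print "not-loaded" }
    '
}

# Constructed sample of aa-status output (not captured from a real system):
# the Tor Browser profile is enforced, an unrelated one is in complain mode.
sample_aa_status() {
    cat <<'EOF'
apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
   /usr/sbin/cupsd
   /home/*/tor-browser_*/Browser/firefox
1 profiles are in complain mode.
   /usr/bin/example-complain
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (4242)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
EOF
}

# Exit non-zero unless the Tor Browser profile is in enforce mode; run this
# after aa-enforce or apparmor_parser --replace to confirm the reload took.
check_torbrowser_enforced() {
    mode=$(aa_profile_mode 'tor-browser_')
    echo "Tor Browser profile: $mode"
    [ "$mode" = enforce ]
}

sample_aa_status | check_torbrowser_enforced
```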