Long Wiki Edits Thread

Right. Fixed it to:

Without this option set…

Also removed the fte line from the “complete torrc sample text” entry, since we don’t want to confuse users.

Agree that using “not” is sometimes confusing. It’s a bit difficult, like using double negatives in sentences to create a positive meaning e.g.

“There is no way you can do nothing about this” :slight_smile:

However, in this instance writing only “Without this option” (without stating the setting of the variable) is subtly vague i.e. does it mean:

a) Tor (in general) without the option?
b) The user not setting the option?

Thus, I added “set”.

I can add this stylistic stuff to the wiki editing guide when there is a wiki entry available (can I add those myself to the main wiki Table of Contents, or only those with approval power?).

1 Like

@HulaHoop @Patrick

Re: Template:FoxyProxy -> Tested the instructions using the add-on install method.

Everything is working with 7.0a2 hardened Tor Browser. I double-checked about:config & xpinstall.signatures.required is set to true, so everything is fine.

I also checked a website that normally blocks all Tor IPs and startpage proxies -> worked like a dream! Nice job.

Since this works, I didn’t bother with trying to install it form the Debian repos. I don’t think it’s worth noting in the template (edit-wise), unless the add-on steps break in the future (?). If you think otherwise, I can trial the Debian repo install method to see if it works/breaks, then add steps to the template.

The only problem is an AppArmor conflict. Ironically the proxy still works, but FYI the message is:

apparmor=“DENIED” operation=“open” profile="/home/**/tor-browser*/Browser/firefox" name="/run/user/1000/dconf/user" pid=XXXX comm=“firefox” requested_mask=“rwc” denied_mask=“rwc” fsuid=1000 ouid=1000

x 17 or so messages

So, I guess we can warn users that AppArmor MAY cause conflicts, but it appears to be working at the moment.

I’ll tidy up that FoxyProxy template for readability and note that it DOES work fine with 7.0a2.


http://kkkkkkkkkk63ava6.onion/wiki/Template:FoxyProxy → Fixed

I used pre instead of blockquote for The Tor Project warning around add-ons, since the blockquote text is “supersized” for some reason and looks like shit.

1 Like

One request: You’ve been already mostly doing this, but still… Please don’t mix language fix changes with general modifications (like adding new information) into the same edit. That makes review much harder since that may confuse the wiki diff. If it’s multiple edits, than that works better.

Re: foxyproxy

The potential fingerprinting harm to user anonymity depends on how many others are running Tor Browser in conjunction with FoxyProxy. This figure is likely to be negligible in size. Further, if Tor Browser is configured to use a non-Tor exit node, the user is placed within a very small subset of all Tor users. This applies to configurations such as Tor Browser and I2P, or Tor Browser and a socks5 webproxy.


From Combining Tunnels with Tor

When using a browser, worsens web fingerprint. It is unknown how anonymous it is to use user -> (proxy/VPN/SSH ->) Tor -> Proxy/VPN/SSH -> Tor Browser -> website. How many people show up with a proxy, VPN or SSH IP using Tor Browser? This setup is so special that probably only very few people are doing it. For this reason, recommend against. On the other hand, due to browser fingerprinting, it can’t be recommend using any browser other than Tor Browser either. [17]

Perhaps that should be turned into a template? And added to the foxyproxy template? Because if we mention fingerprinting issues with Tor Browser if foxyproxy gets installed, some users falsely conclude it would be a good idea to use Firefox instead then. Could extend the foxyproxy template with this information? “However, if you must, still use Tor Browser, using Firefox would be even worse.”

TOC editing is fine. However, we had to disable new page creation because that was being abused by automated spam bots.

Just now created empty page:
Documentation Guidelines

1 Like

re foxyproxy AppArmor:

Yes. Looks harmless. Could you please post this in the Whonix AppArmor sub forum or create a phabricator ticket for this so it can be tracked and fixed for Whonix 14?

re license template:

Just now created Template:License Amnesia - Whonix.

Used here: Configure (Private) (Obfuscated) Tor Bridges

The formatting looks awful. We cannot use <pre> tags, since these don’t support variables. Blockquote would be the proper tag.

blockquotes really need to be fixed… Created a separate thread for it:

Note, not all pages may use the Template:License_Amnesia. Only the pages that were originally forked from the Tails documentation.

Yes, Whonix remotely recent versions of Whonix… This is implemented for a long time now… Whonix does not automatically connect to the public Tor network. Whonix generates no networking traffic before Tor networking gets enabled. Only if users chose so in anon-connection-wizard (or manually enable Tor in torrc). That was the whole point of anon-connection-wizard btw. And the actual bridge wizard was never implemented, just a stub. However, iry is now working on that.

What do you mean by IPv6? None of that is mentioned on the bridges page.

And to perhaps preemptively answer a question :slight_smile: : yes, neither IPv6, nor IPv6 nor any traffic is generated by Whonix before enabling Tor.

1 Like

Yes, really. :slight_smile:

Both, Qubes-Whonix and Non-Qubes-Whonix.

All Qubes-Whonix versions were using the anon-connection-wizard.

IPv6 bridges can sadly not be used in Whonix yet. Ticket:
⚓ T509 Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables
At the moment they would just fail closed.
Yes, good observation, please document that.

1 Like

Was kinda working my way up from bottom to top. I should have reacted to all points that require an reaction. Should I have missed to reply to some point, please copy/paste or reference it. :slight_smile:

Finally added you here, @torjunkie :
Credits and other Sources

Please feel free to edit that one (your entry and generally).

(And that page would perhaps be cleaner if it was similar to Team | Qubes OS)


Thanks for all that info & various signoffs. :slight_smile:

Let me list my follow up items, since bits and pieces are done.

TO DO (updated):

1) Note IPv6 tor bridges are currently incompatible with Whonix in Bridges documentation i.e. shouldn’t be selected by the user

2) Finish documentation_guidelines entry & remove text from the template I edited the other day (Template: Design_Introduction) re: grammar and stylistic issues

3) Add text to FoxyProxy template re: “Using FF is even worse” around fingerprinting issues.

Also consider whether this text should be turned into a template (fingerprinting one)

4) Off topic: Test Nightly Tor Browser (ESR 52) for Whonix compatibility

5) Off topic: test wiki backup script and updates thereof

6) Finish second round of wiki template edits (1/2 done now)

No problem - totally understand re: diffs for sign off. I’ll be sure to separate just language edits versus additional sections in the future. I had noticed that before.

BTW I understand (and I know you know) there are a host of privacy issues with IPv6, so hopefully you will take your time re: implementing Whonix ticket T509? :wink:

E.g. →



I’ll get onto these issues tomorrow.

1 Like

Sweet! Thanks, I’ll see if I can live up to that.

Let me add on my list:

7) Edit Maintainers list to mimic Qubes Team webpage.

1 Like

I am trying to fix all it's -> its errors. Once that is done… Should I mass replace (automated, easy) all it's to it is then?

Right. Yes, I recommend removing contractions where possible for clarity and a more professional style. I’ve added that to the documentation guidelines.

1) Bridges IPv6 note → Fixed

2) Documentation Guidelines → Finished

3) Foxy Proxy (other browsers fingerprinting risk) → Fixed.

Edited the text here: Combining Tunnels with Tor and here: https://www.whonix.org/wiki/Template:FoxyProxy to read as follows:

When using a browser, connecting to Tor before a tunnel link worsens the web fingerprint. The anonymity effects of using the configuration: User → (Proxy / VPN / SSH ->) Tor → Proxy / VPN / SSH → Tor Browser → Website are unknown. How many people are likely to use a proxy, VPN or SSH IP in this manner? This setup is so specialized that probably very few are doing it, reducing the user pool to a small subset. Due to potential fingerprinting harm, it is recommended against. If proceeding despite the risk, the tunnel configuration should not be combined with any browser other than Tor Browser (e.g. Firefox, Chrome), due to an even greater browser fingerprinting risk.

So that it can be turned into a template as you suggested, and inserted into both entries accordingly.

BTW Blockquote now looks nice since fortasse fixed the text size!

1 Like

4) Latest nightly build.

Tested the latest version I could find on the Tor servers. It is from 2 weeks ago (3rd April) -> but it is still running 45.8 ESR. Hmm… I thought it was the 52 ESR version that was meant to be in Linus’ folder by this late stage.

Anyway, that nightly seems to work fine.

Couldn’t find a binary anywhere else for the 52 version. I’m not up for building anything, so we can just see how the Alpha series goes when it is released in a few days time. I think it will be based on 52.1

The stable will still be based on 45.9, so it shouldn’t bork for the majority of users I suppose.

PS I see you’ve been very busy with “find” & “replace” functions :smile:


A few things…

Error - Whonix is a little off now.

  • The previous version mentioned possible fingerprinting issues due to using FoxyProxy vs few users. The latest version omits that.
  • As per Login required - Whonix, the FoxyProxy addon is not always used for user -> Tor -> Proxy / VPN / SSH (actually nowhere), but only in context of connections to local web interfaces.
  • user -> Tor -> Proxy / VPN / SSH issue is already documented where appropriate at Combining Tunnels with Tor.
  • Using == inside the template has to be done with care, so it does not break any pages that use the template. It currently looks broken on the Invisible Internet Project (I2P) page.

I wonder if isn'tis not mass replacement would be a great idea? Then the not is easily mentally skipped while reading. And I think we should value success rates understanding the documentation over form.

1 Like

Always check the fingerprint for yourself.

I don’t think many users will understand that. What @HulaHoop probably meant to say is

yeah, you can see the fingerprint below, compare it, but also do your own research figuring out what the fingerprint is, don’t trust the wiki since it’s also only on a webserver over SSL or onion. (Not the same level of verification as gpg.) For best security, use the OpenPGP - Kicksecure.

Could you reword that please? And then move it to https://www.whonix.org/wiki/Template:Gpg_fingerprint_verification since we are going to need that a few different places in the wiki? @torjunkie

1 Like

Well, now you’ve opened a can of worms, you could probably do a mass find and replace for some or all of the following, depending on your level of energy:

  • isn’t -> is not
  • aren’t -> are not
  • don’t -> do not
  • doesn’t -> does not
  • haven’t -> have not
  • hasn’t -> has not
  • won’t -> will not
  • hadn’t -> had not
  • weren’t -> were not
  • wouldn’t -> would not
  • couldn’t -> could not
  • shouldn’t -> should not
  • can’t -> cannot
  • mustn’t -> must not
  • shan’t -> shall not
  • mightn’t -> might not
  • mustn’t -> must not
  • needn’t -> need not
  • oughtn’t -> ought not
  • daren’t -> dare not

Being careful not to overwrite instances in (block)quoted text throughout the wiki.

There are other contracted forms (believe it or not), but they probably aren’t in regular use in the wiki. Generally, formal language avoids contractions.

God English is a strange POS language. Did anyone tell you that editing is like diving down a rabbit hole? :wink:

RE: ProxyFoxy Template -> fixed (hopefully).

It seems to fit now with I2P and other entries in the wiki. Reverted most of the fingerprinting text.

I should have followed my own doc guidelines. ha.

Template:Gpg_fingerprint_verification -> Done. See what you think:

Before adding any foreign repository or software source, it is necessary to fetch the associated signing key (if available) and verify the fingerprint.

It is not safe to only rely on the Whonix wiki for confirmation of a key’s expected fingerprint. The reason is websites rely on fallible SSL or .onion architecture, which provides a lower verification standard than the OpenPGP implementation. Users should always check the fingerprint for themselves. In practice, this means:

  • Researching the expected key fingerprint from multiple, trusted Internet sources.
  • Explicitly checking the key fingerprint matches the expected output, before importing it or adding it to a trusted key-ring.

For the best possible security, users should always rely on the [[OpenPGP#The_OpenPGP_Web_of_Trust|OpenPGP Web of Trust]].

1 Like

A post was merged into an existing topic: Qubes DispVM technical discussion


re Template:FoxyProxy

So far it’s perfect. Except the following sentence looks confusing to me:

A website test can be performed with one or more sites that normally block Tor IP addresses

At least in the context of where the template is being used.