Long Wiki Edits Thread

Right. Fixed it to:

Without this option set…

Also removed the fte line from the “complete torrc sample text” entry, since we don’t want to confuse users.

Agree that using “not” is sometimes confusing. It’s a bit difficult, like using double negatives in sentences to create a positive meaning e.g.

“There is no way you can do nothing about this” :slight_smile:

However, in this instance writing only “Without this option” (without stating the setting of the variable) is subtly vague i.e. does it mean:

a) Tor (in general) without the option?
b) The user not setting the option?

Thus, I added “set”.

I can add this stylistic stuff to the wiki editing guide when there is a wiki entry available (can I add those myself to the main wiki Table of Contents, or only those with approval power?).

1 Like

@HulaHoop @Patrick

Re: Template:FoxyProxy → Tested the instructions using the add-on install method.

Everything is working with 7.0a2 hardened Tor Browser. I double-checked about:config & xpinstall.signatures.required is set to true, so everything is fine.

I also checked a website that normally blocks all Tor IPs and startpage proxies → worked like a dream! Nice job.

Since this works, I didn’t bother with trying to install it from the Debian repos. I don’t think it’s worth noting in the template (edit-wise), unless the add-on steps break in the future (?). If you think otherwise, I can trial the Debian repo install method to see if it works/breaks, then add steps to the template.

The only problem is an AppArmor conflict. Ironically the proxy still works, but FYI the message is:

apparmor="DENIED" operation="open" profile="/home/**/tor-browser*/Browser/firefox" name="/run/user/1000/dconf/user" pid=XXXX comm="firefox" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000

x 17 or so messages

So, I guess we can warn users that AppArmor MAY cause conflicts, but it appears to be working at the moment.

I’ll tidy up that FoxyProxy template for readability and note that it DOES work fine with 7.0a2.

2 Likes

http://kkkkkkkkkk63ava6.onion/wiki/Template:FoxyProxy → Fixed

I used pre instead of blockquote for The Tor Project warning around add-ons, since the blockquote text is “supersized” for some reason and looks like shit.

1 Like

One request: You’ve been already mostly doing this, but still… Please don’t mix language fix changes with general modifications (like adding new information) into the same edit. That makes review much harder since that may confuse the wiki diff. If it’s multiple edits, then that works better.


Re: foxyproxy

The potential fingerprinting harm to user anonymity depends on how many others are running Tor Browser in conjunction with FoxyProxy. This figure is likely to be negligible in size. Further, if Tor Browser is configured to use a non-Tor exit node, the user is placed within a very small subset of all Tor users. This applies to configurations such as Tor Browser and I2P, or Tor Browser and a socks5 webproxy.

Right.

From Combining Tunnels with Tor

When using a browser, worsens web fingerprint. It is unknown how anonymous it is to use user -> (proxy/VPN/SSH ->) Tor -> Proxy/VPN/SSH -> Tor Browser -> website. How many people show up with a proxy, VPN or SSH IP using Tor Browser? This setup is so special that probably only very few people are doing it. For this reason, recommend against. On the other hand, due to browser fingerprinting, it can’t be recommend using any browser other than Tor Browser either. [17]

Perhaps that should be turned into a template? And added to the foxyproxy template? Because if we mention fingerprinting issues with Tor Browser if foxyproxy gets installed, some users falsely conclude it would be a good idea to use Firefox instead then. Could extend the foxyproxy template with this information? “However, if you must, still use Tor Browser, using Firefox would be even worse.”


TOC editing is fine. However, we had to disable new page creation because that was being abused by automated spam bots.

Just now created empty page:
Documentation Guidelines

1 Like

re foxyproxy AppArmor:

Yes. Looks harmless. Could you please post this in the Whonix AppArmor sub forum or create a phabricator ticket for this so it can be tracked and fixed for Whonix 14?

re license template:

Just now created Template:License Amnesia - Whonix.

Used here: Configure (Private) (Obfuscated) Tor Bridges

The formatting looks awful. We cannot use <pre> tags, since these don’t support variables. Blockquote would be the proper tag.

blockquotes really need to be fixed… Created a separate thread for it:
https://forums.whonix.org/t/fixing-wiki-blockquote-font-size

Note, not all pages may use the Template:License_Amnesia. Only the pages that were originally forked from the Tails documentation.


Yes, Whonix remotely recent versions of Whonix… This is implemented for a long time now… Whonix does not automatically connect to the public Tor network. Whonix generates no networking traffic before Tor networking gets enabled. Only if users choose so in anon-connection-wizard (or manually enable Tor in torrc). That was the whole point of anon-connection-wizard btw. And the actual bridge wizard was never implemented, just a stub. However, iry is now working on that.

What do you mean by IPv6? None of that is mentioned on the bridges page.

And to perhaps preemptively answer a question :slight_smile: : yes, neither IPv6, nor IPv6 nor any traffic is generated by Whonix before enabling Tor.

1 Like

Yes, really. :slight_smile:

Both, Qubes-Whonix and Non-Qubes-Whonix.

All Qubes-Whonix versions were using the anon-connection-wizard.

IPv6 bridges can sadly not be used in Whonix yet. Ticket:
T509 Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables
At the moment they would just fail closed.
Yes, good observation, please document that.

1 Like

Was kinda working my way up from bottom to top. I should have reacted to all points that require a reaction. Should I have missed to reply to some point, please copy/paste or reference it. :slight_smile:

Finally added you here, @torjunkie :
Credits and other Sources

Please feel free to edit that one (your entry and generally).

(And that page would perhaps be cleaner if it was similar to Team | Qubes OS)

Done.

Thanks for all that info & various signoffs. :slight_smile:

Let me list my follow up items, since bits and pieces are done.

TO DO (updated):

1) Note IPv6 tor bridges are currently incompatible with Whonix in Bridges documentation i.e. shouldn’t be selected by the user

2) Finish documentation_guidelines entry & remove text from the template I edited the other day (Template: Design_Introduction) re: grammar and stylistic issues

3) Add text to FoxyProxy template re: “Using FF is even worse” around fingerprinting issues.

Also consider whether this text should be turned into a template (fingerprinting one)

4) Off topic: Test Nightly Tor Browser (ESR 52) for Whonix compatibility

5) Off topic: test wiki backup script and updates thereof

6) Finish second round of wiki template edits (1/2 done now)

No problem - totally understand re: diffs for sign off. I’ll be sure to separate just language edits versus additional sections in the future. I had noticed that before.

BTW I understand (and I know you know) there are a host of privacy issues with IPv6, so hopefully you will take your time re: implementing Whonix ticket T509? :wink:

E.g. →

https://www.defcon.org/images/defcon-15/dc15-presentations/Lindqvist/Whitepaper/dc-15-lindqvist-WP.pdf

Etc.

I’ll get onto these issues tomorrow.

1 Like

Sweet! Thanks, I’ll see if I can live up to that.

Let me add on my list:

7) Edit Maintainers list to mimic Qubes Team webpage.

1 Like

I am trying to fix all it's -> its errors. Once that is done… Should I mass replace (automated, easy) all it's to it is then?

Right. Yes, I recommend removing contractions where possible for clarity and a more professional style. I’ve added that to the documentation guidelines.

1) Bridges IPv6 note → Fixed

2) Documentation Guidelines → Finished

3) Foxy Proxy (other browsers fingerprinting risk) → Fixed.

Edited the text here: Combining Tunnels with Tor and here: https://www.whonix.org/wiki/Template:FoxyProxy to read as follows:

When using a browser, connecting to Tor before a tunnel link worsens the web fingerprint. The anonymity effects of using the configuration: User → (Proxy / VPN / SSH ->) Tor → Proxy / VPN / SSH → Tor Browser → Website are unknown. How many people are likely to use a proxy, VPN or SSH IP in this manner? This setup is so specialized that probably very few are doing it, reducing the user pool to a small subset. Due to potential fingerprinting harm, it is recommended against. If proceeding despite the risk, the tunnel configuration should not be combined with any browser other than Tor Browser (e.g. Firefox, Chrome), due to an even greater browser fingerprinting risk.

So that it can be turned into a template as you suggested, and inserted into both entries accordingly.

BTW Blockquote now looks nice since fortasse fixed the text size!

1 Like

4) Latest nightly build.

Tested the latest version I could find on the Tor servers. It is from 2 weeks ago (3rd April) -> but it is still running 45.8 ESR. Hmm… I thought it was the 52 ESR version that was meant to be in Linus’ folder by this late stage.

Anyway, that nightly seems to work fine.

Couldn’t find a binary anywhere else for the 52 version. I’m not up for building anything, so we can just see how the Alpha series goes when it is released in a few days’ time. I think it will be based on 52.1.

The stable will still be based on 45.9, so it shouldn’t bork for the majority of users I suppose.

PS I see you’ve been very busy with “find” & “replace” functions :smile:

Great!

A few things…


Error - Whonix is a little off now.

  • The previous version mentioned possible fingerprinting issues due to using FoxyProxy vs few users. The latest version omits that.
  • As per Login required - Whonix, the FoxyProxy addon is not always used for user -> Tor -> Proxy / VPN / SSH (actually nowhere), but only in context of connections to local web interfaces.
  • user -> Tor -> Proxy / VPN / SSH issue is already documented where appropriate at Combining Tunnels with Tor.
  • Using == inside the template has to be done with care, so it does not break any pages that use the template. It currently looks broken on the Invisible Internet Project (I2P) page.

I wonder if isn't → is not mass replacement would be a great idea? Then the not is easily mentally skipped while reading. And I think we should value success rates understanding the documentation over form.

1 Like

Always check the fingerprint for yourself.

I don’t think many users will understand that. What @HulaHoop probably meant to say is

yeah, you can see the fingerprint below, compare it, but also do your own research figuring out what the fingerprint is, don’t trust the wiki since it’s also only on a webserver over SSL or onion. (Not the same level of verification as gpg.) For best security, use the OpenPGP - Kicksecure.

Could you reword that please? And then move it to https://www.whonix.org/wiki/Template:Gpg_fingerprint_verification since we are going to need that a few different places in the wiki? @torjunkie

1 Like

Well, now you’ve opened a can of worms, you could probably do a mass find and replace for some or all of the following, depending on your level of energy:

  • isn’t → is not
  • aren’t → are not
  • don’t → do not
  • doesn’t → does not
  • haven’t → have not
  • hasn’t → has not
  • won’t → will not
  • hadn’t → had not
  • weren’t → were not
  • wouldn’t → would not
  • couldn’t → could not
  • shouldn’t → should not
  • can’t → cannot
  • mustn’t → must not
  • shan’t → shall not
  • mightn’t → might not
  • mustn’t → must not
  • needn’t → need not
  • oughtn’t → ought not
  • daren’t → dare not

Being careful not to overwrite instances in (block)quoted text throughout the wiki.

There are other contracted forms (believe it or not), but they probably aren’t in regular use in the wiki. Generally, formal language avoids contractions.

God English is a strange POS language. Did anyone tell you that editing is like diving down a rabbit hole? :wink:

RE: FoxyProxy Template → fixed (hopefully).

It seems to fit now with I2P and other entries in the wiki. Reverted most of the fingerprinting text.

I should have followed my own doc guidelines. ha.

Template:Gpg_fingerprint_verification → Done. See what you think:

Before adding any foreign repository or software source, it is necessary to fetch the associated signing key (if available) and verify the fingerprint.

It is not safe to only rely on the Whonix wiki for confirmation of a key’s expected fingerprint. The reason is websites rely on fallible SSL or .onion architecture, which provides a lower verification standard than the OpenPGP implementation. Users should always check the fingerprint for themselves. In practice, this means:

  • Researching the expected key fingerprint from multiple, trusted Internet sources.
  • Explicitly checking the key fingerprint matches the expected output, before importing it or adding it to a trusted key-ring.

For the best possible security, users should always rely on the [[OpenPGP#The_OpenPGP_Web_of_Trust|OpenPGP Web of Trust]].

1 Like
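The check described in the Template:Gpg_fingerprint_verification draft above, as an added example that is not part of the original post or the Whonix wiki: it compares the primary key fingerprint in a key file against an expected value that several sources agree on, before anything is imported. The listing is a constructed sample in the colon format printed by `gpg --show-keys --with-colons`; the function names and the two-source minimum are assumptions.

```python
import re

# Constructed sample listing; the key and all fingerprints are made up.
SAMPLE_LISTING = """\
pub:-:4096:1:1122334455667788:1400000000:::-:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1122334455667788:
uid:-::::1400000000::::Example Signing Key <key@example.invalid>::::::::::0:
sub:-:4096:1:6666777799AABBCC:1400000000::::::e::::::23:
fpr:::::::::0000111122223333444455556666777799AABBCC:
"""

def normalize(fpr: str) -> str:
    """Strip spaces and an optional 0x prefix; insist on a full fingerprint."""
    value = re.sub(r"\s+", "", fpr).upper()
    if value.startswith("0X"):
        value = value[2:]
    if not re.fullmatch(r"[0-9A-F]{40}|[0-9A-F]{64}", value):
        raise ValueError("not a full fingerprint (short key IDs are not enough)")
    return value

def primary_fingerprints(listing: str) -> list[str]:
    """Fingerprint of each primary key: the fpr record that follows a pub record."""
    found, want_fpr = [], False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            want_fpr = True
        elif fields[0] == "fpr" and want_fpr:
            found.append(normalize(fields[9]))  # field 10 holds the fingerprint
            want_fpr = False
        elif fields[0] == "sub":
            want_fpr = False  # never accept a subkey fingerprint as the primary
    return found

def agreed_fingerprint(sources: dict[str, str], minimum: int = 2) -> str:
    """Expected fingerprint, only if enough independent sources all agree."""
    values = {normalize(v) for v in sources.values()}
    if len(sources) < minimum:
        raise ValueError("too few independent sources")
    if len(values) != 1:
        raise ValueError("sources disagree on the fingerprint")
    return values.pop()

def safe_to_import(listing: str, sources: dict[str, str]) -> bool:
    """True only if the file holds exactly one primary key and it is the expected one."""
    return primary_fingerprints(listing) == [agreed_fingerprint(sources)]
```

A key file that carries an extra primary key, or that only matches on a subkey, is rejected rather than imported.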

A post was merged into an existing topic: Qubes DispVM technical discussion

Moved:

re Template:FoxyProxy

So far it’s perfect. Except the following sentence looks confusing to me:

A website test can be performed with one or more sites that normally block Tor IP addresses

At least in the context of where the template is being used.