A post was split to a new topic: Tor Browser Hardening (hardened malloc, firejail, apparmor) vs Web Fingerprint
NoScript leaks browser locale if objects are blocked and JavaScript is allowed. Might be a good idea to add to the Tor Browser Wiki.
Created Templates for splitting SecBrowser. Will have the pages split tomorrow.
Template:SecBrowser Introduction
No modifications.
https://whonix.org/w/index.php?title=Template:SecBrowser_Introduction&stable=0
Template:SecBrowser Table Security Enhancements
Fixed “named” reference
Template:SecBrowser Privacy and Fingerprinting Resistance
Due to spacing the SecBrowser Trade mark “™” moved to the next line in the Table. Fixed by removing space.
Template:Install SecBrowser Introduction
No modifications.
https://whonix.org/wiki/Template:Install_SecBrowser_Introduction
Template:SecBrowser Settings
-
Removed mention of AppVM to make template usable for both Qubes and Debian host/VM pages.
-
Removed
gedit
for text editor in steps and replaced withnano
. -
Added “Note: The following examples make use of nano text editor. However, users should prefer an editor that is most familiar and easy to use.”
-
Changed "security slider set to ‘Standard’ " to "security slider set to ‘Safest’ " as per: https://github.com/Whonix/tb-updater/pull/10
-
A few minor Nits.
https://whonix.org/wiki/Template:SecBrowser_Settings
Template:SecBrowser Download Alpha Versions
No modifications.
https://whonix.org/wiki/Template:SecBrowser_Download_Alpha_Versions
Template:SecBrowser FAQ
-
Removed mention of Qubes
-
Question “Can I use SecBrowser ™ in a Whonix-Workstation VM (anon-whonix)?”
I added Whonix-Gateway in answer to make it usable for both Qubes and Debian host/VM pages.
https://whonix.org/wiki/Template:SecBrowser_FAQ
Template:SecBrowser Disclaimer
No modifications
Looks perfect so far!
Made some changes to the new SecBrowser Templates due to previous changes in configuration file location:
tb-updater
/usr/share/tb-updater/tb_without_tor_settings.js
was moved to
tb-starter
/usr/share/secbrowser/user.js
Changes to SecBrowser Settings :
https://www.whonix.org/w/index.php?title=Template:SecBrowser_Settings&stable=0
Changes to SecBrowser FAQ:
https://www.whonix.org/w/index.php?title=Template:SecBrowser_FAQ&diff=49710&oldid=49675
Split SecBrowser page into Qubes and Debian pages. The page titles are fairly simple. Tried a few different page titles for example; SecBrowser in Qubes: A Security hardnened non-anonmous Browser in Qubes but I don’t it looked that great.
https://whonix.org/w/index.php?title=SecBrowser_in_Debian&oldid=49714&diff=cur
https://whonix.org/w/index.php?title=SecBrowser_™_in_Qubes_OS&oldid=49712&diff=cur
https://github.com/Qubes-Community/Contents/pull/67
I’ll leave the older SecBrowser wiki page up for a little while until all PR are merged.
Just realized I left out " ™ " in SecBrowser in Debian page title. Fixed .
Usually I did not use TM in page names (links) since these look ugly when copied/pasted elsewhere.
Tittle can and should use it. Page name (link) (i.e. move page) not so much.
Can stay as is (rather minor thing) but I don’t think we should go ahead and change lots of links in Whonix wiki because of this.
Thanks - your seal of approval is always a good indicator for wiki editors
Also:
- Remailers entry -> Fixed
- Nym servers entry -> Fixed
Let’s also make the Signal entry in that section pretty (currently states “UNFINISHED” and “good enough”), and then only the Email entry needs updating for it all to be current.
I was looking around for where you got the Signal fingerprint from with no luck etc. Maybe you can give me a pointer.
Edit: can we claim ‘TM’ status on SecBrowser without actually doing some kind of legal paperwork or similar? I have no idea, but doubt you can just claim it.
Put exactly the following string
"DBA36B5181D0C816F630E889D980A17457F6FB06"
into exactly the following search engine:
The quotes help to make google search for that and really only that.
Also if you’re unsure, you can for any gpg keys always contact upstream. Mostly I do this by creating a bug ticket. Would be easy for signal since they use github.
Support: Professional Support
I.e. this was created for a customer a while ago. Other than that, I am not interested much in signal
in context of Whonix since it requires phone numbers for registration. Maybe this can be marked better and/or removed from Documentation index but I wouldn’t want to spend more time on it than necessary.
Same goes for:
(which is nonfreedom software)
Re: explicit search “ABCD” etc - yes aware of that function. Just nothing was coming up in non-Google engines - I see Google’s engine finds it straight away…
(I don’t remember the last time I used the Stasi engine, because they should be avoided like the plague - ironically years ago you rarely could search effectively with Tor Browser. They’ve probably found some way to try and tag Tor users, else why would they have liberalized their search engine parameters since they are so hostile to privacy and generally blow the government’s wang in all regards).
I might try and clean up the entry, but if the online info is scarce, then might just remove it from the ToC listing since registered phones is incompatible with Whonix intent.
Although, adding the ‘Xenial’ repo leads to a frankenstein version of Debian (Whonix) which has mixed sources - as you know this is generally recommended against.
In the long run, Signal should just bite the bullet and modify their software for a pure standalone desktop app with their solid E2E encryption, and no shitty, hopelessly insecure mobile required. I’m sure Moxie is more than capable…
Capable for sure, willing no. We might have had a forum thread on signal. It does other sketchy stuff too.
Updated Whonix Installer for Windows.
https://whonix.org/w/index.php?title=Contribute&oldid=46765&diff=cur
OK - just the email Mt Everest entry to update, and Section 10 will be finished. (these wiki approvers can’t keep up ). Then I’ll move on to the money section proper.
Lots of activity on the website and dev areas these days. Professional website appearance, solid wiki, good forum moderating etc. all adds up to a quality product and attracts quality human resources and contributions. Which also increases user base, # of Tor users and improves everyone’s overall anonymity. Good sign.
Esoteric, Non Anonymous Onion Encryption and NAT Traversal - Kicksecure candidate for Advanced Documentation.
Created a new Windows Quick Start page although its rather large so I’m not sure it meets the definition of “Quick Start”. Download links look good. There is a yet to be created download link that needs to be added by me.
https://whonix.org/w/index.php?title=Windows_Qubes_Start&oldid=50409&diff=cur
It meets quality standards as in good enough for a call for accepting wiki changes. Could even go to a call for testers. Some nits.
https://www.whonix.org/wiki/Windows_Qubes_Start - I guess Qubes has no place in page URL?
Perhaps move to https://www.whonix.org/wiki/Windows_Testers_Only_Version during testing?
That would match
- Whonix for Windows, macOS, Linux inside VirtualBox
- Whonix for VirtualBox - Testers Only Version
- Whonix for KVM
- KVM Testers Only Version - Whonix
And…
- ( Whonix for Windows, macOS, Linux inside VirtualBox )
- ( Whonix for Windows, macOS, Linux inside VirtualBox ) (I guess Whonix Windows Installer XFCE only as CLI would be far less requested by Windows users. These could be redirected to VirtualBox/XFCE instead. )
Whonix Windows Installer - Testers Only Version would e a bit weird, long?
Whonix for Windows, macOS, Linux inside VirtualBox currently redirects to Whonix for Windows, macOS, Linux inside VirtualBox. Not sure about if we want a redirect or two pages a long and a short version?
The initial version of the quick start guide looks more like the full verification instruction version.
Pages such as:
where dumbed down. Hidden by default download table, hidden and expandable by default verification instructions. OpenPGP/gpg verification for most users just is not realistic. I am not sure it can still be improved on Whonix side. We already support https (decent server TLS support), onion download (few will understand that). New users will just a swamped by the page length and length of instructions, just give up and use hidemyass (seen) or something similar instead. It’s important that new/first time users of Whonix (already complicated enough due to split-VM design and run in VM by default, Linux based…) have a quick path and feeling of success quickly.
Specifically on the Windows platform, the idea of a Whonix Windows Installer is to dumb down even further. However, by requiring to learn gpg verification and install other software before Whonix
OpenPGP/gpg verification: If you have a better idea in mind or ever see a better solution implemented anywhere, please open a new forum thread about this.
Import the Intevation CA Certificate
- Trust GeoTrust
- import a new certificate
- root of trust: as secure as SSL
Install SignTools
- root of trust: as secure as SSL
Download and Verify GPG4win
- root of trust: as secure as SSL
instructions on whonix.org on gpg verification in the first place
Well, an adversary capable of changing download for targeted users in first place could also prevent these from learning about gpg in the first place from the same website. Only prior knowledge on gpg and verification through OpenPGP web of trust would prevent installation of maliciously modified downloads.
I guess what we’re doing is increasing the awareness about software verification generally and for the next download rather than securing the actual initial download?
And at no point, the user has any path to verify gpg4win through the The OpenPGP Web of Trust. Not sure if worth we’ll being the first ones (?) to point that out and document?
Intevation, the company that hosts GnuPG does not maintain a secure TLS site for
gpg4win
.[3]
Well, if upstream is broken, there is little we can do.
gpg is a dinosaur, I am quite negative about it and would like to see it replaced with something of today’s knowledge on usability.
Machine
→Close
→Power Off
.
This is not good since this is a hard power off. Should only be used if Whonix hangs. Otherwise the usual shutdown mechanisms from inside the VM should be preferred.
Figure: Whonix user interface
Perhaps reduce size a bit? Looks much bigger than original on the actual screen? No new screenshot needed. Mediawiki allows somehow image resize, we are using that elsewhere in wiki somewhere.
Overall, amazing job on! Now have resurrected Whonix Windows Installer and better documentation. Yay!