New version of TBB no longer accepts FoxyProxy plugin.

entr0py · June 7, 2016, 7:14pm

Random Agent Spoofer spoofs resolution along with many other fingerprinting vectors (although for pseudonymity, we don’t care about vm-specific fingerprinting, just system-wide fingerprinting).

The obvious advantage of TBB is that you don’t need to manage multiple pseudonyms (something with which you are very familiar ). As you know, user error working with pseudonyms is very dangerous but helped by the fact that Qubes VMs are so inexpensive.

Assuming:

Virtualizer does its job
Whonix does its job
Iceweasel is no more bug-prone than TBB
Add-ons do their job

Managing a (manageable set of) pseudonyms should be a viable alternative to relying on a very thin anonymity set. But you should have the last word on that…

Add: Biggest danger is that a fingerprinting vector exists that you are not aware of. If you duplicate the setup across multiple pseudonyms, you could be linked by this unknown vector.

Patrick · June 7, 2016, 7:28pm

Don’t.

In case of Qubes, doesn’t do its job. One severe example:

github.com/QubesOS/qubes-issues

Ensure Tor Browser default screen resolution is uniform across Qubes Debian, Qubes Whonix, and baremetal Debian

opened 04:18PM - 19 Mar 16 UTC

adrelanos

T: enhancement C: gui-virtualization P: major privacy

**expected behavior** There should be no difference in Qubes Debian template vs… plain (non-Qubes) Debian. --- **test environment** - Debian jessie vs Qubes Debian jessie template - Whonix not involved at all (to prevent mixing this up with eventual Whonix specific issues) - same screen - same desktop resolution - tested with same version, **_6.0a4**_ **_hardened**_ [ tor-browser-linux64-6.0a4-hardened_ALL.tar.xz (gpg verification passed) ] --- **actual behavior - test results - plain (non-Qubes) Debian jessie** - small white border on the left and right - no white border on the bottom - ip-check.info screen resolution result A - looking acceptable --- **actual behavior - test results - Qubes Debian jessie template** - no white border on the left - big white border on the right and the bottom - different ip-check.info screen resolution result B - looking strange --- **Whonix forum discussion** https://forums.whonix.org/t/tor-browser-auto-resize-feature-functional-in-qubes --- **Impact** Anonymity / Whonix is affected by this bug. Fingerprinting issue. Puts Qubes(-Whonix) users in a different anonymity set than other users.

Ego · June 7, 2016, 7:31pm

Good day,

Thanks for pointing that out, to clarify, that was obviously only a very small scetch to illustrate the point.

But like mentioned, the resolution wouldn’t be readable without JavaScript.

I never said the FoxyProxy had malicious intentions. All Plugins, regardless of their intent and whether they are open source or not are said to be the easiest way to track someone:

In general, plugins and fonts are the most identifying metrics, followed by User Agent, HTTP Accept, and screen resolution, though all of the metrics are uniquely identifying in some cases.

Like I said, this isn’t unique to this plugin/addon, but to every plugin/addon used, as every plugin/addon makes you “trackable” simply by its existence. Even using a different version of an addon can increase your fingerprint, as explained here:

In the case of the algorithm we deployed, those events include upgrades to the browser, upgrading a plugin, disabling cookies, installing a new font or an external application which includes fonts, or connecting an external monitor which alters the screen resolution.

Source: https://panopticlick.eff.org/static/browser-uniqueness.pdf

Now, like said before, I’ve read a few times that the reason for this isn’t that the addons are “read” the way they are but, like mentioned before are simply used as a base for creating a string value by the browser itself. The reason for that is, if I recall logistics (less to send around) as well as identifiability. Once I’ve found a source for that specific “creation” part, in English, I’ll send it to you.

Have a nice day,

Ego

Patrick · June 7, 2016, 8:18pm

Ego:

But like mentioned, the resolution wouldn’t be readable without JavaScript.

ip-check.info can detect the resolution with noscript enabled. (IIRC
through CSS.)

Ego · June 7, 2016, 8:25pm

Good day,

Right, forgoth that. Sorry, shouldn’t have happened. Is rather embarrassing actually, since I should know that way better than most people, keeping in mind that’s what I currently use to determine whether the mobile mode is on or off on the “whonix-prototype-homepage”…

Have a nice day,

Ego

Patrick · June 7, 2016, 8:38pm

No problem at all.

t0rpedo · June 13, 2016, 4:01pm

The reason why I wanted to use a proxy is because some sites ban Tor IP at all cost. FoxyProxy was an easy approach that did just that but TBB is not accepting it now.

I’m not willing to use Ice Weasel or Firefox ESR + FoxyProxy because it was clearly documented in the wiki that they’re meant to be used in downloading TBB only.

Ego · June 13, 2016, 6:04pm

Good day,

May I recommend then, to try using Proxychains or some other alternative, as explained here: Combining Tunnels with Tor It sadly isn’t as simple though. In the meantime, I may look what setting in “about:config” they changed. If I can pinpoint it, it should be possible to reactivate the ability of using external plugins. Except obviously, if they compile FF without the necessary features now, which has happend before.

Have a nice day,

Ego

anon36816226 · June 13, 2016, 6:42pm

Hi,
Has anyone tried reproducing this with TBB 6.0.1 ?
I tried it today and Foxyproxy installs fine on TBB 6.0.1 (tested it on multiple VMs)
Maybe they changed it from 6.0 to 6.0.1 again ?
I think the about:config setting was :
xpinstall.signatures.required

Could anyone confirm this ?

HulaHoop · June 14, 2016, 4:14am

foxyproxy confirmed working for me here on 6.01

Patrick · January 5, 2017, 2:23am

Instructions did not work anymore with Tor Browser 6.0.8 (based on Mozilla Firefox 45.6.0). Foxyproxy did not enable itself because Firefox now requires signed add-ons.

Add-on signing in Firefox | Firefox Help

Updated these instructions to disable add-on verification. And a few other smaller changes.

Error - Whonix

Patrick · February 16, 2017, 9:37pm

https://www.whonix.org/wiki/Template:FoxyProxy no longer works for me with Tor Browser 7.0a1-hardened (based on Mozilla Firefox 45.7.0). Can you check please? @HulaHoop

What about installing foxyproxy using Tor Browser add-on manager rather than from Debian repository?

This also needs testing in combination with GitHub - Kicksecure/apparmor-profile-torbrowser: AppArmor profile for The Tor Browser Bundle (TBB) - https://www.whonix.org/wiki/AppArmor - for better security (hardening).. Recent fix. Can you install apparmor-profile-torbrowser from source please? (Or manually active the updated profile.)

anon36816226 · February 17, 2017, 5:41am

I will test this today if HulaHoop hasn’t checked it by then and report back

HulaHoop · February 17, 2017, 3:38pm

@goldstein Please do. I don’t have a 64bit build ready yet to check it out.

@Patrick Let me know when you’ve branched out a test release with GUI fixes so I can start looking at relevant tracker tasks.

Also what is your impression about hardened TBB usability (responsiveness/resource use)? Do you use it daily?

HulaHoop · February 17, 2017, 3:58pm

OK so I guess its now safe to recommend fetching the addon from Mozilla’s servers since they are now all signed. It will be as simple as pointing it to where the custom rules file is installed.

I wonder if TBB makes any attempt to check signatures though… I know for freedom reasons signed extension support is dropped out of the Tor fork. I may have to check that out.

https://wiki.mozilla.org/Add-ons/Extension_Signing

All Firefox extensions - for Desktop and Android - on AMO that have passed review are now signed.

Patrick · February 17, 2017, 4:41pm

Sure, will do. New build in process btw. There will be a new thread in the development sub forum.

Please move that into a separate thread.

Disabling that by default would be outrageous. I doubt that. Last time when I fixed the FoxyProxy template, I needed to disable it, because extensions installed as a deb package were ignored because of this.

HulaHoop · February 17, 2017, 11:45pm

I asked for more info about this.

https://lists.torproject.org/pipermail/tor-dev/2017-February/011923.html

Patrick · February 18, 2017, 2:08pm

Btw there is also tbb-dev.

The tbb-dev Archives

HulaHoop · February 18, 2017, 4:36pm

https://lists.torproject.org/pipermail/tbb-dev/2017-February/000464.html

anon36816226 · February 18, 2017, 7:23pm

I testet TBB hardened with foxyproxy and neither of the options seem to work , when i installed it via the Addon-manager it said i should restart TBB to enable it but after a restart it keeps saying this.

But in the Light of Hardened Tor Browser Bundle not as hardened you think. Soon becoming extinct
it’s not worth it to even continue testing…