SecBrowser: A Security-hardened, Non-anonymous Browser - DEPRECATED

Patrick · May 25, 2017, 9:34pm

There is no Tor over Tor in neither Non-Qubes-Whonix nor Qubes-Whonix. Tor Browser in Whonix-Workstation uses Tor running on Whonix-Gateway.

This is implemented through the package anon-ws-disable-stacked-tor.
( anon-ws-disable-stacked-tor )

From Whonix-Workstation you’ll never make a non-torified connection anyhow. You could use Tor’s TransPort rather than Tor’s SocksPort, but I don’t see the point.

Using Tor Browser from within Whonix-Workstation without any Tor access, using clearnet… Excuse me, why would that be useful? One could do that, but not without insecure modifications on Whonix-Gateway. Or one could use a Tor Browser without Tor from Whonix-Gateway, but what would that be useful for?

It might be interesting to document how to enable persistent storage of passwords and whatnot when using Tor Browser in Whonix. That would then fit here:
Tor Browser Advanced Topics

(However, then we should use wiki templates so we don’t have to duplicate the instructions. Minor thing. I can assist wtih this if you wish.)

Does this fully answer your question?

Sure. Would be useful, but rather low on my wishlist. (Higher priority on my wishlist is sandboxed Tor Browser, but it’s all up to you of course.)

A wiki page is a cool “first step”. Then some advanced users can benefit from it. We have a proof of concept and can demonstrate some interest. A super cool tool for us geeks.

As a “second step”… I however would also very much welcome if either The Tor Project would provide a Tor Browser without Tor (which really needs a good name then)… Perhaps SecureFox or so. (With the sandboxing available and preinstalled noscript and whatnot, it’s a focus on better security than Firefox and reduced tracking / better privacy. And/or a dedicated project with its own website, downloads, package repository and what not for SecureFox or HardFox or so.

I of course don’t expect you to do any of these steps. I appreciate however far you take it. And if you don’t do the second step, then that gets easier since a lot of the development work would be already done.

Would be cool if colors were somehow changed or so. I understand it’s a lot detail work and may not be simple.

anonymous1 · May 25, 2017, 10:32pm

Their reasons are valid, for Tor Browser. But it’s different in the case of a personal / non-anonymous browser. For example, cutting off ad revenues would encourage website owners to be more hostile towards Tor IPs, but not for non-anonymous individuals. Unlike Tor Browser, using adblockers improves privacy in a non-anonymous browser especially when javascript must be turned on. It would also reduce the attack surface

ubestemt · May 26, 2017, 10:49am

That reminds me: We probably should warn users against using Tor Browser without Tor in Whonix-Workstation, not because Tor could be bypassed, but because exit node stream isolation is untested in this case. Depends on whether you think any Whonix user would try that; I know it makes no sense to disable Tor in Whonix-Workstation.

Tor Browser without Tor from Whonix-Gateway: Same as Insecure Browser in Tails. (I don’t know how Whonix deals with wifi networks you need to sign on to, etc.)

To save passwords you would only need to disable private browsing mode and enable password manager. But I fear anything that involves disabling private browsing mode could potentially compromise one’s anonymity. How would you maintain control over exactly what information is kept?

In that case I would use a separate Tor Browser (with private browsing mode disabled) only for those websites where I allow certain information to be kept.

Speaking of which: Would the modifications for this be any different for Whonix’s Tor Browser compared with vanilla Tor Browser?

Patrick · May 26, 2017, 11:43am

( Tor Browser Essentials )

Good point. Added a warning box to the wiki page-

Would only be interesting for users using physical isolation that are using a captive portal. So far this never happened. Related documentation:

Since physical isolation support status…

Build Documentation: Physical Isolation

Imo very low priority.

Right. That’s a rabbit hole. Selective storage of passwords is a missing Tor Browser feature. One could say, out of scope for this project.

( Tor Browser Essentials )

Patrick · October 27, 2017, 11:48am

@ubestemt are you still around?

Patrick · December 7, 2017, 4:23pm

Could someone review these changes please?

Tor Browser without Tor: Difference between revisions - Whonix

0brand · December 8, 2017, 2:09am

Hi Patrick

I think it would be very easy for a user to make a mistake and shoot ones self in the foot.

User opens TBB with Tor disabled. A little while later user gets distracted or steps away from their laptop for a minute. User comes back to using TBB but forgets Tor is disabled ( easy to do, easy to confuse Whonix with non-Tor TBB AppVM ?? ) User logs into anonymous email over clearnet.

Patrick · December 8, 2017, 3:50pm

0brand:

Hi Patrick

I think it would be very easy for a user to make a mistake and shoot ones self in the foot.

User opens TBB with Tor disabled. A little while later user gets distracted or steps away from their laptop for a minute. User comes back to using TBB but forgets Tor is disabled ( easy to do, easy to confuse Whonix with non-Tor TBB AppVM ?? ) User logs into anonymous email over clearnet.

Do you comment on the last wiki edit specifically or do you discourage
having a Tor Browser without Tor wiki page generally?

0brand · December 9, 2017, 12:21am

HI Patrick

Sorry, should have been more specific. For starters, non-Tor TBB would be something I would be interested using. I think its a great idea. However, I know users can follow all the precautions in the Whonix Wiki and then make one mistake and none of that makes any difference. I think users would be more at risk doing that if they also use non-Tor TBB.

After reading through the Tor Browser without Tor Wiki and seeing all the warning, I wonder if that will be enough. This is partly because I’m a little cynical right now because I shot myself in the foot not to long ago, but mostly because I don’t want someone else to make a similar mistake.

I know complaining does no good if you don’t try to contribute to a solution, so I have been thinking of way to help mitigate the risk of something like that happening. The only thing that I could come up with that is easy to do is use 2 vault AppVMs , each has a separate password manger. One is for anonymous use, and is shut down before any clearnet AppVMs are started. The other is for clearnet use, and shutdown before Whonix starts.

The idea is not all that impressive, but had I done that, I would not have shot myself in the foot . Maybe could help others from doing the same?

Patrick · December 9, 2017, 10:53pm

Your suggested user behavior sounds good. Separate vault VMs, separate VMs for anonymous and non-anonymous use, certainly yes.

For Qubes-Whonix users: shutting down most if not all other non-anonymous VMs (besides sys-net / sys-firewall / sys-whonix) when do anonymous activities is a highly recommended behavior to avoid mess-up.
For Non-Qubes-Whonix: Perhaps maximize a Whonix-Workstation VM while using it.

We have this recommendation.
Do not Use Clearnet and Tor at the Same Time

Tips on Remaining Anonymous

But perhaps it could be expanded a bit? Do we have the practical steps to do that (shut down other VMs…) elaborated anywhere in the wiki? @torjunkie

torjunkie · December 10, 2017, 9:03am

Not explicitly that I’m aware of.

Anyway, the Tor Browser without Tor wiki entry is prety good, but could use a little polish.

0brand · December 17, 2017, 11:17pm

As it turns out, for Debian users torbrowser-launcher is only available through backports. This includes old stable “jessie” and current stable “stretch”.

https://wiki.debian.org/TorBrowser
https://tracker.debian.org/pkg/torbrowser-launcher

Should instructions on how to add backports to the sources.list be added to this wiki page, or maybe just add a link to Installing Fire Jail (has instructions for adding jessie backports to sources.list) with instructions to substitute torbrowser-launcher for firejail package?

0brand · December 22, 2017, 1:32am

Wanted to give some feedback on installing Tor without Tor Browser in Qubes 3.2. There were a few bumps in the road, mainly with a broken dependency and an issue with verifying Tor Browser after download. I’m not sure if anyone else will have these problems but I wanted to document how to resolve them if they are encountered. For this example I used a Debian 8 (Old Stable).

Step 1: Start a terminal in your deb-8 template.

[user@dom0~]$ qvm-run -a debian-8 gnome-terminal

Step 2: Package torbrowser-launcher is only available through jessie-backports so you must add it to your apt sources.list.

[user@debian-8 ~]$ sudo su -c "echo -e 'deb http://http.debian.net/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"

Or alternatively use the .onion mirror.

[user@debian-8 ~]$ sudo su -c "echo -e 'deb http://vwakviie2ienjx6t.onion/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"

Step 3: Update the package lists.

[user@debian-8 ~]$ sudo apt-get update

Step 4: Install package torbrowser-launcher.

[user@debian-8 ~]$ sudo apt-get -t jessie-backports install torbrowser-launcher

If you encounter broken dependencies you can use aptitude to try and fix the issue. The dependency problem that I encountered along with how it was fixed can be seen here Pastebin.

4b. Only necessary if you have a broken dependency.

[user@debian-8 ~]$ sudo aptitude -t jessie-backports install torbrowser-launcher

Step 5: Shutdown debian-8 template.

[user@debian-8 ~]$ sudo poweroff

Step 6: Create the AppVM that you will be downloading and using non-Tor Tor Browser in.

[user@dom0 ~]$ qvm-create appvm-name -t debian-8 -l red

Step 7: Start a terminal in your non-tor AppVM.

[user@dom0 ~]$ qvm-run -a appvm-name gnome-terminal

Step 8: Download and verify Tor Browser.

[user@appvm-name ~]$ sudo torbrowser-launcher

An issue may be encountered with not being able to verify Tor Browser after its been downloaded. This may be due to an outdated Tor Project signing key. A workaround can be found here on Stack Exchange.

Step 9: After Tor Browser is installed Tor must be disabled. Refer to the documentation for instructions.

https://whonix.org/wiki/Tor_Browser_without_Tor#Disabling_Tor

Related:

Fedora: Was able to install package torbrowser-launcher and install Tor Browser in a Fedora AppVM. The only problem encountered was with verifying Tor Browser as mentioned in step 8. This issue appears to be fairly common.

Debian 9: Installing torbrowser-launcher in a Debian 9 template was unsuccessful. Stretch-backports was added to the sources.list but the package could not be located.

Disposable VM: Installing Tor Browser in a DispVM and configuring for non-Tor use was pretty straight forward. After customizing your DispVM you can follow the instructions for installing Tor Browser ( step 8)

Patrick · September 9, 2018, 8:30am

We could use tb-updater in Debian templates instead due to its better Qubes integration. (To make sure new AppVMs are created with a copy of the latest Tor Browser version.)

With Whonix repository added, we could also make use of GitHub - Kicksecure/apparmor-profile-torbrowser: AppArmor profile for The Tor Browser Bundle (TBB) - https://www.whonix.org/wiki/AppArmor - for better security (hardening). (and unrelated, other apparmor packages by Whonix.

Related bug:

github.com/QubesOS/qubes-issues

gpg fails in debian-9 based TemplateVM through Qubes UpdatesProxy - gpg: keyserver receive failed: No keyserver available

opened 07:47AM - 09 Sep 18 UTC

closed 07:34PM - 23 Jun 21 UTC

adrelanos

T: bug R: duplicate C: templates

### Qubes OS version: R4 ### Affected component(s): debian-9 --- ###… Steps to reproduce the behavior: Simplified gpg command for easier testing. sudo http_proxy=http://127.0.0.1:8082/ gpg --keyserver hkp://ipv4.pool.sks-keyservers.net:80 --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA The actual command of interest here would be something like the following. sudo http_proxy=http://127.0.0.1:8082/ apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --keyserver hkp://ipv4.pool.sks-keyservers.net:80 --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA This is for the purpose of being able to have instructions on how one could easily add Whonix signing key to a Debian based TemplateVM or StandaloneVM so packages like tb-updater, apparmor-profiles-whonix, security-misc, etc. could be used there. ### Expected behavior: ``` sudo http_proxy=http://127.0.0.1:8082/ gpg --keyserver hkp://ipv4.pool.sks-keyservers.net:80 --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA gpg: requesting key 2EEACCDA from hkp server ipv4.pool.sks-keyservers.net gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: key 2EEACCDA: public key "Patrick Schleizer <adrelanos@riseup.net>" imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) ``` ### Actual behavior: ``` sudo http_proxy=http://127.0.0.1:8082/ gpg --keyserver hkp://ipv4.pool.sks-keyservers.net:80 --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA gpg: directory '/root/.gnupg' created gpg: keybox '/root/.gnupg/pubring.kbx' created gpg: keyserver receive failed: No keyserver available ``` ### General notes: Maybe this isn't sane to begin with and there should be some sort of Qubes service (question popup) to fetch gpg keys in DispVMs to import apt signing keys in TemplateVMs?

That bug is related in context of apt signing key adding:

https://www.whonix.org/wiki/Template:Whonix-APT-Repository-Add

Could anyone please put “allow user-configured proxy settings, Disable TorLauncher extension, and Normalizing Tor Browser Behavior” into (a) file(s)? Then tb-updater could have a setting to do this automatically if desired so (in Debian template).

Patrick · September 11, 2018, 5:15pm

Did Tails manage to rebrand Tor Browser without recompiling it? Could quite likely be the case.

https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/usr/local/lib/tails-shell-library/chroot-browser.sh mentions branding. That source file regarding Tails Unsafe Browser and links to other related files can be found here:

https://tails.boum.org/contribute/design/Unsafe_Browser/

Patrick · September 11, 2018, 5:16pm

https://lists.torproject.org/pipermail/tbb-dev/2017-April/000509.html

anonym:

Patrick Schleizer:

How can one easily hack TBB to use clearnet? [1] (idea [2])

I believe all you need is:
pref("network.proxy.type", 0);
and possibly disabling Torbutton (which is a good idea any way since it will only add confusion in that setup).

How can one enable cookies to persist in TBB?

IIRC all you need is to disable Private Browsing mode:
pref("browser.privatebrowsing.autostart", false);
That has several other consequences, but at least some has individual prefs for toggling back to what the Private Browser mode does (I wouldn’t be surprised if Tor Browser already change many of these prefs like that).

How can one re-enable the Firefox password manager in TBB so one can
store passwords?

In addition to disabling Private Browsing mode you just have to enable the feature:
pref("signon.rememberSignons", true);
To archive that I’ve disabled private browser and tinkered with lots of
torbutton Firefox config settings to no avail. Could you please kindly
advice on how to archive that?

YMMV for the above prefs and their exact behavior, but I want to make a point that all you ask for can be achieved by setting a few prefs, so it’s only a matter of providing a profile with the necessary different defaults. I don’t think introducing more environment variables, like you suggest in [2], is an improvement over this.

For the record, providing a different “clearnet” profile for Tor Browser is how we implement Tails’ Unsafe Browser.

Cheers!

0brand · September 19, 2018, 12:43am

I work on it.

Patrick · January 30, 2019, 10:08am

Ping?

0brand · February 5, 2019, 3:38am

For some reason I had though someone else had done this. Don’t ask me why. I’ll get it done.

0brand · February 10, 2019, 2:16am

Qubes-Whonix
Debian 9
Tor Browser 8.0.5

The wiki instruction need to be modified. As it turns out, the about:config settings ( network.proxy.socks_remote_dns false , network.proxy.type 0) are not persistent across Tor Browser restarts. When browsing to a website after restarting Tor Browser this message will be received.

The proxy server is refusing connections

The only fix i’ve found is in the following thread (bottom of page). Disabling Torbutton and TorLauncher extensions in about:addons.

https://superuser.com/questions/1117383/can-i-use-tor-browser-without-using-tor-network

This has to be done before editing about:config setttings. Not sure why this works since both extensions are disabled in user.js? I’ll work on getting this figured out along with creating the file for tb-updater