Whonix ™ Packages for Debian Hosts and Whonix ™ Host Enhancements applies. Updated packages uploaded. Ready to test. Didn’t test myself yet.
Adding the Whonix signing key to Debian is rather inconvenient currently. The command
sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --keyserver hkp://ipv4.pool.sks-keyservers.net:80 --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
is unreliable. Even in Debian based AppVMs and even in plain, non-Qubes Debian. Due to gpg bugs. (gpg fingerprint command obsolete - #11 by Patrick )
Making the command work in a Qubes Debian Template is even harder since it has to go through the Qubes UpdatesProxy. Didn’t we have a dedicated forum thread on this? I can’t find it anymore.
So in the meantime one has to get the Whonix signing key as a file, qvm-copy it, then use the file-based method.
sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc
Note, not yet:
echo "deb http://deb.whonix.org stretch main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list
Only stretch-testers for now has updated packages:
echo "deb http://deb.whonix.org stretch-testers main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list
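The file-based import above trusts whatever file arrived via qvm-copy. The following POSIX shell script is an added example, not Whonix's own tooling: it pins the fingerprint quoted above, checks the copied key file against it without importing anything, and only on a match writes the keyring apt will use, so a swapped or truncated key file is refused rather than installed. It assumes gpg 2.1.14 or newer (for --import-options show-only); the function names are the example's own.

```shell
#!/bin/sh
# Added example (not Whonix code): verify a copied signing-key file against
# a pinned fingerprint before apt is allowed to trust it.
# Assumes gpg >= 2.1.14 so that --import-options show-only is available.
set -eu

# Fingerprint quoted in the post above; anything else is rejected.
WHONIX_FPR=916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

# Read `gpg --with-colons` output on stdin and print the primary key
# fingerprint: the first "fpr" record, whose fingerprint is field 10.
# Subkey fpr records come later, so they can never satisfy the check.
primary_fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Normalise (drop spaces, upper-case) and compare two fingerprints.
# Returns 0 on match, 1 otherwise; an empty fingerprint never matches.
fpr_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    b=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the primary fingerprint of an ASCII-armored key file without
# importing it into any keyring.
keyfile_primary_fpr() {
    gpg --batch --quiet --with-colons --import-options show-only \
        --import "$1" 2>/dev/null | primary_fpr_from_colons
}

# Verify the key file and, only on a match, install it for apt as a binary
# keyring (the same effect as the `apt-key ... add` step, without apt-key).
# Usage: install_verified_key ~/patrick.asc
install_verified_key() {
    keyfile=$1
    dest=${2:-/etc/apt/trusted.gpg.d/whonix.gpg}
    actual=$(keyfile_primary_fpr "$keyfile")
    if ! fpr_matches "$WHONIX_FPR" "$actual"; then
        printf 'REFUSING: %s has fingerprint "%s", expected %s\n' \
            "$keyfile" "$actual" "$WHONIX_FPR" >&2
        return 1
    fi
    gpg --dearmor < "$keyfile" | sudo tee "$dest" >/dev/null
    sudo chmod 0644 "$dest"
    printf 'installed %s (fingerprint verified)\n' "$dest"
}
```

Running `install_verified_key ~/patrick.asc` replaces the `apt-key --keyring ... add` step; the comparison is done on the first fpr record only, so the check cannot be satisfied by a key whose subkey happens to carry the expected fingerprint.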
0brand
March 3, 2019, 3:00am
62
Thought I did. I’m using a new VM.
bash -x /usr/bin/torbrowser --clearnet
+ set -o pipefail
+ set -o errtrace
+ '[' -n '' ']'
++ basename /usr/bin/torbrowser
+ SCRIPTNAME=torbrowser
+ IDENTIFIER=torbrowser
+ ICON=/usr/share/icons/anon-icon-pack/tbupdate.ico
+ trap tb_error_handler ERR
+ main_function --clearnet
+ root_check --clearnet
++ id -u
+ '[' 1000 '!=' 0 ']'
+ true
+ tb_preparation --clearnet
++ whoami
+ who_ami=user
+ command -v qubesdb-read
+ '[' -n '' ']'
+ is_qubes=true
+ '[' -n '' ']'
++ qubesdb-read /name
+ qubes_vm_name=tb-starter
+ '[' -n '' ']'
++ qubesdb-read /qubes-vm-type
+ qubes_vm_type=AppVM
+ '[' AppVM = TemplateVM ']'
+ '[' -n '' ']'
+ tb_user_home=/home/user
+ echo /home/user
+ grep -q tor-browser
+ '[' -n '' ']'
+ tb_install_folder=tb
+ '[' -n '' ']'
+ tb_install_folder_dot=.tb
+ '[' -n '' ']'
+ tb_browser_name=tor-browser
+ '[' -n '' ']'
+ tb_settings_folder=torbrowser.d
+ '[' -n '' ']'
+ tb_name=tor
+ '[' -n '' ']'
+ tb_title='Tor Browser'
+ '[' -n '' ']'
+ tb_wiki=Tor_Browser
+ '[' -n '' ']'
+ tb_proxy_name=tor
+ '[' -n '' ']'
+ tb_bin=torbrowser
+ '[' -n '' ']'
+ tb_browser_runner=start-tor-browser
+ '[' -n torbrowser ']'
+ '[' -n '' ']'
+ tb_home_folder=/home/user/.tb
+ '[' -n '' ']'
+ tb_browser_folder=/home/user/.tb/tor-browser
+ '[' '' = '' ']'
+ '[' :0 = '' ']'
+ display=:0
+ output=/usr/lib/msgcollector/msgcollector
+ local my_tty
+ local my_tty_exit_code
+ my_tty_exit_code=0
++ tty
+ my_tty=/dev/pts/0
+ '[' '!' 0 = 0 ']'
+ '[' /dev/pts/0 = '' ']'
++ whoami
+ who_ami=user
+ output_opt_1='--icon /usr/share/icons/anon-icon-pack/tbupdate.ico'
+ output_opt_2='--parentpid 5414'
+ output_opt_3='--identifier torbrowser'
+ output_opt_4='--parenttty /dev/pts/0'
+ output_opt_5='--whoami user'
+ output_opts=("$output_opt_1" "$output_opt_2" "$output_opt_3" "$output_opt_4" "$output_opt_5")
+ TITLE='Tor Browser Starter (by Whonix developers)'
+ tb_set_links --clearnet
+ DOC_LINK=https://www.whonix.org/wiki/Documentation
+ CONTRIBUTE_LINK=https://www.whonix.org/wiki/Contribute
+ DONATE_LINK=https://www.whonix.org/wiki/Payments
+ FORUM_LINK=https://forums.whonix.org
+ MAILINGLIST_LINK=https://www.whonix.org/pipermail/whonix-devel/
+ IMPORTANTBLOG_LINK=https://forums.whonix.org/tags/important-news
+ FEATUREBLOG_LINK=https://forums.whonix.org/c/news
+ '[' '!' '' = '' ']'
+ '[' -f /usr/share/anon-ws-base-files/workstation ']'
+ '[' -f /usr/share/anon-gw-base-files/gateway ']'
+ true 'Not modifying which link to open.'
+ tb_config_folder_parser --clearnet
+ '[' -n torbrowser.d ']'
+ shopt -s nullglob
+ local i
+ for i in /etc/$tb_settings_folder/*.conf /rw/config/$tb_settings_folder/*.conf
+ bash -n /etc/torbrowser.d/30_default.conf
+ source /etc/torbrowser.d/30_default.conf
+ parse_cmd_options --clearnet
+ :
+ case $1 in
+ tb_clearnet=true
+ shift
+ :
+ case $1 in
+ break
+ local other_args
+ other_args=
+ '[' '' = '' ']'
+ have_other_args=false
+ '[' '' = '' ']'
+ LINK=
+ '[' '' = true ']'
+ tb_templatevm_check --clearnet
+ '[' true = false ']'
+ '[' '!' AppVM = TemplateVM ']'
+ true 'Not running in TemplateVM.'
+ return 0
+ tb_qubes_dvm_template --clearnet
+ echo tb-starter
+ grep -q --invert-match '\-dvm'
+ true 'INFO: not running inside Qubes DVM Template, ok.'
+ return 0
+ check_tb_updater_first_boot_done --clearnet
+ local systemctl_output
+ local wait_counter
+ wait_counter=0
+ true
++ systemctl --no-pager --no-block status tb-updater-first-boot.service
+ systemctl_output='● tb-updater-first-boot.service - Copy Tor Browser from /var/cache/tb-binary to user home at First Boot Service
Loaded: loaded (/lib/systemd/system/tb-updater-first-boot.service; enabled; vendor preset: enabled)
Active: active (exited) since Sat 2019-03-02 20:37:17 EST; 7min ago
Docs: https://github.com/Whonix/tb-updater
Process: 467 ExecStart=/usr/lib/tb-updater/first-boot-home-population (code=exited, status=0/SUCCESS)
Main PID: 467 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 4915)
CGroup: /system.slice/tb-updater-first-boot.service'
+ break
+ maybe_install_tor_browser --clearnet
+ '[' -d /home/user/.tb/tor-browser ']'
+ return 0
+ tb_folder_change_directory --clearnet
+ local change_directory_exit_code=0
+ cd /home/user/.tb/tor-browser
+ '[' '!' 0 = 0 ']'
+ tb_detect_starter_bin --clearnet
+ '[' '!' '' = '' ']'
+ '[' -x /home/user/.tb/tor-browser/Browser/start-tor-browser ']'
+ tb_starter_bin=/home/user/.tb/tor-browser/Browser/start-tor-browser
+ tb_clearnet --clearnet
+ test -f /home/user/.tb/tor-browser/clearnet-marker
+ '[' '!' true = true ']'
+ '[' '!' true = true ']'
+ diff /usr/share/tb-updater/tb_without_tor_settings.js /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js
+ true 'our version exists'
+ test -f /home/user/.tb/tor-browser/clearnet-marker
+ TOR_SKIP_CONTROLPORTTEST=1
+ TOR_SKIP_LAUNCH=1
+ TOR_TRANSPROXY=1
+ export TOR_SKIP_CONTROLPORTTEST TOR_SKIP_LAUNCH TOR_TRANSPROXY
+ maybe_use_open_link_confirmation --clearnet
+ '[' '' = true ']'
+ tool=tb_start_tor_browser
+ '[' -x /usr/lib/open_link_confirmation ']'
+ '[' '!' '' = true ']'
+ tool=/usr/lib/open_link_confirmation
+ local temp
+ local tool_exit_code=0
+ '[' '' = '' ']'
+ temp='/usr/lib/open_link_confirmation --clearnet'
+ /usr/lib/open_link_confirmation --clearnet
+ set -e
+ main_function --clearnet
+ source_config --clearnet
+ shopt -s nullglob
+ local i
+ for i in /etc/open_link_confirm.d/*.conf /rw/config/open_link_confirm.d/*.conf
+ bash -n /etc/open_link_confirm.d/31_default.conf
+ source /etc/open_link_confirm.d/31_default.conf
++ link_confirmation_for_links=1
++ link_confirmation_for_files=1
+ preparation --clearnet
+ export OPEN_LINK_CONFIRMATION=true
+ OPEN_LINK_CONFIRMATION=true
+ '[' 1 = 0 ']'
+ input_object_original=--clearnet
+ trim=128
+ input_object_string_length=10
+ input_object_trimmed=--clearnet
++ /usr/lib/msgcollector/striphtml --clearnet
+ input_object_stripped_and_trimmed=--clearnet
+ '[' 10 -gt 128 ']'
+ '[' -f --clearnet ']'
+ is_file=0
+ type=link
+ command -v qubesdb-read
+ qubes_detected=true
++ qubesdb-read /type
+ qubes_type=StandaloneVM
+ '[' -f /var/run/qubes/this-is-templatevm ']'
+ '[' -f /usr/share/anon-gw-base-files/gateway ']'
+ workstation --clearnet
+ '[' 0 = 1 ']'
+ '[' -n '' ']'
+ open_in_tool_bin=x-www-browser
+ '[' -n '' ']'
+++ command -v x-www-browser
++ readlink -f /usr/bin/x-www-browser
+ open_in_tool_bin_name_readlink=/usr/bin/torbrowser
+ '[' -n '' ']'
+ open_in_tool_bin_name='x-www-browser (/usr/bin/torbrowser)'
+ '[' 'x-www-browser (/usr/bin/torbrowser)' = 'x-www-browser (/usr/bin/torbrowser)' ']'
+ open_in_tool_bin_name='Tor Browser'
+ '[' '!' -n '' ']'
+ '[' -n 'Tor Browser' ']'
+ '[' /usr/bin/torbrowser = /usr/lib/open_link_confirmation ']'
+ '[' --clearnet = '' ']'
+ '[' --clearnet = ' ' ']'
+ title='Confirm Open'
+ msg='<p>The following <b>link</b> will be opened in <u>Tor Browser</u>.</p>
<p>Be careful if <u>Tor Browser</u> is already running as your activities might get linked.</p>
<p><code><blockquote>--clearnet</blockquote></code></p>'
+ question='Continue?'
+ button=yesno
+ return 0
+ final --clearnet
+ local ask_for_confirmation=1
+ '[' 0 = 1 ']'
+ '[' 1 = 0 ']'
+ local ask_for_confirmation=1
+ '[' StandaloneVM = DispVM ']'
+ '[' 1 = 1 ']'
+ local answer
+ answer=0
++ /usr/lib/msgcollector/generic_gui_message warning 'Confirm Open' '<p>The following <b>link</b> will be opened in <u>Tor Browser</u>.</p>
<p>Be careful if <u>Tor Browser</u> is already running as your activities might get linked.</p>
<p><code><blockquote>--clearnet</blockquote></code></p>' 'Continue?' yesno
+ answer=16384
+ '[' '!' 16384 = 16384 ']'
+ command -v x-www-browser
+ local open_in_tool_exit_code
+ open_in_tool_exit_code=0
+ DE=generic
+ x-www-browser --clearnet
+ '[' '!' 0 = 0 ']'
+ exit 0
+ '[' '!' 0 = 0 ']'
tb-updater
tested ok.
Also tested,
~/.tb/tor-browser/start-tor-browser.desktop --clearnet #(and without --clearnet)
and
~/.tb/tor-browser/Browser/start-tor-browser --clearnet #(and without --clearnet)
All fail with “The proxy server is refusing connections” when browsing to a website. This is expected?
TOR_TRANSPROXY=1
has to be prepended to the command for functional networking.
Patrick:
TODO
How to use Tor Browser without Tor in Whonix.
Wondering what is meant by that. Perhaps even I wrote that.
Does it mean "use torbrowser --clearnet in Whonix-Workstation if you want to use Tor Browser for user -> Tor -> tunnel-link -> destination"? That should work.
But then I am wondering if --clearnet is the best name for this new feature. In Debian --clearnet makes sense. In Whonix, not so much. Should I rename that command line option? Any naming suggestion? Or just add an additional --alias that does the same?
It could be very dangerous if a user misunderstood what this was used for. When people think of Whonix they think anonymity. Does everyone know what clearnet is?
Whonix should be left out completely in the description.
--alias would be fine. Unfortunately I can’t think of anything better than clearnet.
Tested and worked ok for me.
https://forums.whonix.org/t/gpg-recv-keys-fails/5607
Much of the discussion took place in Wiki edits thread. I could find those posts and move them to a new thread if you’d like.
0brand
March 3, 2019, 3:57am
63
Patrick:
Firefox question: Can we have multiple “ user.js
” files? In other words, is there a way we can drop our config snippet in some .d
style drop-in folder?
I am asking because the following code is non-ideal in case users use their own user.js
. In these cases users would have to manually add our clearnet normalization settings .
I haven’t found very much info on .d style drop-in folders with Firefox. For a simple test, I created firefox.service and used a .d style folder to override /usr/bin/firefox with /usr/bin/firefox -p. So it’s possible.
1. sudo nano /lib/systemd/system/firefox.service
add
[Unit]
Description=Firefox_Service
After=network.target
[Service]
Environment=DISPLAY=:0
ExecStart=/usr/bin/firefox
[Install]
WantedBy=graphical.target
2. sudo ln -s /lib/systemd/system/firefox.service firefox.service
3. Test firefox.service
sudo systemctl start firefox.service
4. shutdown firefox
5. sudo mkdir /etc/systemd/system/firefox.service.d
6. sudo nano /etc/systemd/system/firefox.service.d/50_user.conf
Add
[Unit]
Description=Firefox_Service
After=network.target
[Service]
Environment=DISPLAY=:0
ExecStart=
ExecStart=/usr/bin/firefox -p
[Install]
WantedBy=graphical.target
7. Start firefox.service
(the Firefox profile configuration from the drop-in should now override the normal /usr/bin/firefox)
sudo systemctl start firefox.service
0brand:
Also tested,
~/.tb/tor-browser/start-tor-browser.desktop --clearnet #(and without --clearnet)
and
~/.tb/tor-browser/Browser/start-tor-browser --clearnet #(and without --clearnet)
All fail with “The proxy server is refusing connections” when browsing to a website. This is expected?
Yes, because start-tor-browser
(by Tor Project) doesn’t know about --clearnet
. That is because only /usr/bin/torbrowser
(by Whonix) had recently --clearnet
implemented.
So only /usr/bin/torbrowser --clearnet
makes sense.
/usr/bin/torbrowser --clearnet
will set that automatically. (See also bash -x /usr/bin/torbrowser --clearnet
)
I doubt that. Very Tor community specific. And ambiguous also. Has at least two meanings.
Frequently Asked Questions - Whonix FAQ
Yay.
Thanks for the offer, though I think too much work and not much gain. So better save the time.
Systemd method would start firefox as root as a service. But even systemd user services wouldn’t give us anything related to multiple user.js
files.
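Since Firefox reads only the single profile.default/user.js and neither a systemd drop-in nor anything in the browser gives us a user.js.d, one option is to generate that file from fragments ourselves. The script below is an added example, not Whonix or Tor Browser code: it applies a drop-in directory of user_pref() fragments in filename order, lets the last definition of a pref win, and backs up any hand-written user.js so a user's own settings are not silently lost. The drop-in directory name and the helper names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Whonix or Tor Browser code): assemble a single
# Firefox/Tor Browser user.js from a .d-style directory of fragments.
# Paths such as /etc/torbrowser.d/user.js.d are illustrative assumptions.
set -eu

# Merge the user_pref() lines of the given fragment files (in argument
# order) to stdout. The last user_pref() seen for a pref name wins, while
# the pref keeps the position of its first appearance. Comment lines and
# anything that is not a user_pref() call are dropped from the output.
merge_user_js() {
    awk '
        /^[ \t]*user_pref[ \t]*\("/ {
            sub(/^[ \t]*/, "")
            name = $0
            sub(/^user_pref[ \t]*\("/, "", name)
            sub(/".*/, "", name)
            if (!(name in value)) { order[++n] = name }
            value[name] = $0
        }
        END { for (i = 1; i <= n; i++) print value[order[i]] }
    ' "$@"
}

# Print the value part of one pref in a merged file, e.g. 0 or "socks";
# prints nothing if the pref is absent.  $1 = user.js, $2 = pref name
pref_value() {
    awk -v p="$2" '
        index($0, "user_pref(\"" p "\",") == 1 {
            v = $0
            sub(/^user_pref\("[^"]*",[ \t]*/, "", v)
            sub(/\);[ \t]*$/, "", v)
            print v
        }' "$1"
}

# Build $profile/user.js from $dir/*.js. Shell globs sort by filename, so
# fragments named 10_*, 30_*, 50_* are applied in that order.
# Usage: assemble_user_js /etc/torbrowser.d/user.js.d \
#          ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default
assemble_user_js() {
    dir=$1
    profile=$2
    target="$profile/user.js"
    if [ -f "$target" ]; then
        cp -p "$target" "$target.bak"   # keep the user's hand-written file
    fi
    set -- "$dir"/*.js
    merge_user_js "$@" > "$target.tmp" && mv "$target.tmp" "$target"
}
```

A fragment shipped by the package (say 30_default.js with the clearnet settings) and a user-owned 50_user.js then coexist, and a user who wants to override one pref only has to restate that one line in a later fragment instead of maintaining a complete user.js copy.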
Tor Browser 8.5 in Whonix no longer can save passwords (and it deleted all existing ones) - #4 by AnonymousUser allowed for saving passwords by default.
committed 10:45AM - 23 May 19 UTC
https://www.whonix.org/wiki/Install_Tor_Browser_Outside_of_Whonix
Untested.
0brand
May 23, 2019, 10:56pm
66
Installed tb-updater
with the latest commit and I was not able to set a master password which is required for Tor Browser to remember passwords.
Password Change Failed
Unable to change Master Password.
However, user names are remembered. Looks like one of our custom user.js
prefs disables this function for Tor Browser without Tor.
0brand
June 10, 2019, 3:32am
67
I tested the instructions in Fedora-29. Interestingly, disabling private browsing mode is all that is needed to save passwords. Also torbrowser-launcher
was removed from Debian testing (buster
). So the only option is to install from Debian unstable (sid
).
https://tracker.debian.org/pkg/torbrowser-launcher
For Qubes Documentation I’m going to include instructions to install from Debian sid
and a separate instructions using tb-updater
. And the current Whonix tutorials will be updated as well.
Would be ok but any reason to keep torbrowser-launcher?
For simplicity I would suggest tb-updater all the way.
Can we please make this page SecBrowser ™ has been deprecated! sound more exciting? That project did not catch on yet.
The security community is much bigger than the privacy/anonymity communities. If they knew there was a hardened browser, a lot of people would use it. Would be good to have help, attention and development support of the security community. Hardened Firefox should be a thing in the security community. But information spreads much less than one would expect nowadays. A public wiki page somewhere doesn’t necessarily lead to wide publication. It’s still like “a secret”.
To start this, is anyone up for aggregating primarily the security enhancements that Tor Browser implements? (Secondarily perhaps also privacy enhancements.) Perhaps a comparative table similar to sdwdate: Secure Distributed Web Date ? Perhaps some libre licensed selfrandom images?
The Tor Browser doesn’t increase security from default Firefox except maybe changing the security sliders which can just be easily gotten on default Firefox. The sandboxed Tor Browser version has also been dead for a while now. I wouldn’t name it something related to security like that.
Can we please make this page SecBrowser ™ has been deprecated! sound more exciting? That project did not catch on yet.
The security community is much bigger than the privacy/anonymity communities. If they know there was a hardened browser, a lot people would use it. Would be good to have help, attention and development support of the security community. Hardened Firefox should be a thing in the security community. But information spreads much less than one would expect nowadays. A public wiki p…
SecBrowser™ has been deprecated! mentions a few things.
Security enhancements:
improved exploit protection through selfrando [4]
disable WebRTC [5]
security slider
noscript installed by default
reproducible builds
To provide users with optional defense-in-depth against JavaScript and other potential exploit vectors, we also include NoScript.
[6]
We also modify several extension preferences from their defaults.
[6]
proxy and DNS configuration obedience
Full RELRO [7]
Is there really no more to it? I haven’t reviewed all Tor Browser design docs yet or at least cannot recite that part. Anyone up to do that?
Patrick:
disable WebRTC
Does disabling WebRTC improve security? I know it leaks your IP but that’s more of an anonymity issue than a security one.
I never knew about the selfrando and relro. Those are interesting.
Not that I’m aware of. I’ve skimmed through the design doc before and never found anything that would improve security much.
There is this part but the only actual security feature would be the security slider that just changes a few about:config options.
madaidan via Whonix Forum:
Patrick:
disable WebRTC
Does disabling WebRTC improve security? I know it leaks your IP but that’s more of an anonymity issue than a security one.
The more gets disabled, the less attack surface.
There were a couple of vulns:
Webrtc Project Webrtc security vulnerabilities, exploits, metasploit modules, vulnerability statistics and list of versions
So why mention WebRTC specifically? There are plenty of things that get disabled in the Tor Browser that could be considered as reducing attack surface.
Those were fixed years ago and there are very few.
0brand
June 15, 2019, 2:10am
76
WebRTC was previously shown to leak sensitive info when VPNs are used. VPNs are very popular. This could pique the interest of those users. WebRTC disabled
Unfortunately perception sometimes trumps reality.
madaidan via Whonix Forum:
So why mention WebRTC specifically? There are plenty of things that get disabled in the Tor Browser that could be considered as reducing attack surface.
No specific reason. Documentation / lack of research issue.
Maybe it should be changed to “Reduced attack surface”?
Reducing attack surface is a part of security enhancement.
I know, I meant that the “disabled WebRTC” part should probably be changed to “reduced attack surface” in the wiki as it isn’t just WebRTC that is disabled.