SecBrowser: A Security-hardened, Non-anonymous Browser - DEPRECATED

I doubt this would be done just for Whonix devs/users. This would somehow have to benefit everyone.

Most requests are denied because they somehow degrade anonymity for everyone. Since they hardcoded these prefs(?) they don’t want Tor Browser users changing them around. Maybe the best approach is to upfront with them on the reason for doing this. Take Whonix out of the equation. While non for anonymity make sure they know Whonix devs have already completed a lot of work on this.

SecBrowser

  • Would be useful to everyone (everyone needs an security focused clearnet browser)
  • Not hurting anyones anonymity.
  • SecBrowser is Freedom Software
  • Nothing in production. Not yet anyways.
2 Likes

MIght be a good lead-in to ->ask Mozilla? :wink:

1 Like

SecBrowser!!

Its a good start. It will take some time to get it just right.

When SecBrowser is started, the about:tor tab opens and the focus is taken off the SecBrowser landing page. I restarted SecBrowser and the same thing happened.There has to be a way to fix this.

2 Likes

I have a new branding idea. Currently there is SecBrowser, Hardended Debian based OS and maybe more apps hardened by Whonix developers. We could use “Sec” as the brand for the OS and apps that are hardened. For example:

Sec
SecBrowser (Secure Browser)
SecLid (Secure Linux distribution)
SecEmc (Secure Email Client)
Sec™…

Not very good examples but just wanted to get the idea across.

2 Likes

Needs a bug report since feature
environment variable to skip TorButton control port verification

is broken.

Ive been experimenting with pass-qubes in SecBrowser. I don’t think it would be an worse for fingerprinting than the current method (passwords stored in SecBrowser) but would be less attack surface.

1 Like

Could a pass-qubes → pass-secbrowser tutorial be added to the SecBrowser for qubes Qubes? The only packages needed are;

The only issue I see is GitHub - kulinacs/pass-qubes: Qubes Split GPG integration for Pass does not have signed git tags. Since the rep needs little to no maintenance it could be forked to a “trusted” repo and git tags added?

1 Like

Yes.

Are there any specific colors that are thought as being related to secuirty. For example, purple is related to anonymity.

I’m trying to come up with a color scheme for the SecBrowser landing page.

1 Like

A post was split to a new topic: SecBrowser Welcome Page

Add content to first post of this thread. This is to avoid confusion when users click on one of the SecBrowser Welcome page links.

SecBrowser ™ is the fruit born from Tor Browser without Tor research and development.

2 Likes

Yes, we can always edit original posts add thread titles for improved expression, more up to date related to latest developments.

Configuring lock_pref() , lockPref() might be a workaround for these two issues. I think thats’ what TBB devs use to keep users from changing prefs such as the security slider default. it will likely break Tor Browser but cant hurt to try.

Another idea to block JavaScript by default at SecBrowser start might be QuickJS. Its mentioned in the Tor Project docs/FAQ. Not sure how easy it would be to install QuickJs by scipt when SecBrowser is configured the first time by tb-updater tb-starter.

There is also a very simple addon available at addons.mozilla.org called QuickJS, which provides a toolbar toggle for the javascript.enabled about:config control. There are no configuration options for the addon, it just switches the javascript.enabled entry between true and false and provides a button for it.

Actually it was originally GitHub - sleutho/QuickJS: Firefox extension to enable/disable JavaScript from the toolbar but its name was changed to JavaScript Switcher – Get this Extension for 🦊 Firefox (en-US)

1 Like

Yes but we yet have to post document prefs / settings to set security slider level

(this exact posting of mine: SecBrowser: A Security-hardened, Non-anonymous Browser - DEPRECATED - #99 by Patrick)

Also:

These two interactions with upstream need to be next.

2 Likes

From: gk
Why is it not enough to just set the desired slider level in a prefs file that you ship in the browser profile (anyway)?

I think using the prefs approach is the one you should pursue right now. Shipping an own profile with customizations won’t go away in the forseeable future.

If the above is true, maybe the security slider not honoring the custom profile pref is a bug? Or perhaps we are missing something (not setting the correct pref?).

Regardless thats’ the solution imo. Lets lead off by asking why the security slider is not honoring the pref that we set. No reason to say anything about Whonix or SecBrowser.

2 Likes

Yes. We need to ask for how to set the pref. We can say that we know
there will be no environment variable and have to go the profile route.
It could be in form of a bug report “setting this pref does not work as
expected” or as enhancement request “please document how to do…” or it
could be asked on the mailing list as a question. Dunno what’s best but
anything can work, I guess.

Not necessary. I got it!

I was using either to many user_prefs (
extensions.torbutton.security_custom) or they were in the wrong order when setting the security slider, which was breaking SecBrowser.
It looked sane but I should have added one at a time.

These prefs set the security slider to “Safest”

user_pref("extensions.torbutton.inserted_security_level", true);
user_pref("extensions.torbutton.security_slider", 1);

2 Likes

It might set the slider to highest but does it also do the action that
slider would apply when it is manually being set to highest? I.e. would
it actually disable scripts globally when started in this configuration?

Guess not. AFAICT there is no way to sync the slider with a pref. Bug report.

1 Like