Selfrando Hardened Tor Browser - Installing in Qubes-Whonix
Only works on 64 bit Linux systems.
Installation Rationale
See: Selfrando: Q and A with Georg Koppen | The Tor Project
“Selfrando randomizes Tor browser code to ensure that an attacker doesn’t know where the code is on your computer. This makes it much harder for someone to construct a reliable attack–and harder for them to use a flaw in your Tor Browser to de-anonymize you.”
Steps
- Using Tor in your anon-whonix appVM, navigate to the directory for the latest hardened browser release*:
*Note the builds are released every 3 days (currently) and are unsigned. The Tor browser sits in your /home directory which retains changes between sessions, so there is no need to install it in the Whonix-workstation template.
-
Click on the lock icon to check the certificate that you are really connected to torproject.org
-
Using Tor Browser, download this public key which signs all Tor browser nightly versions (as advised by gk)*:
Continuous-TBB-builds-4D0DB324.asc
*If you have very restrictive apparmor protections that prevent downloading or changing download destinations, then open a terminal instead and run curl -O URL-OF-FILE to retrieve it
- Click on the link to descend to the directory with the latest nightly hardened builds. At time of writing it was:
https://people.torproject.org/~linus/builds/tbb-nightly-hardened-2016-07-15/
- Download these files:
sha256sums-unsigned-build.txt
sha256sums-unsigned-build.txt.asc
tor-browser-linux64-tbb-nightly-hardened_ALL.tar.xz
The first is a text file stating the SHA256 sums of the build. The second is the detached GPG signature for that text file. The third is the tarball.
- To verify the SHA256 sum of the tarball, in Konsole type:
sha256sum tor-browser-linux64-tbb-nightly-hardened_ALL.tar.xz
Carefully check that the reported hash matches exactly the string given in the file named sha256sums-unsigned-build.txt
- To verify the authenticity of the reported hash value, in Konsole type:
gpg --import Continuous-TBB-builds-4D0DB324.asc
gpg --verify sha256sums-unsigned-build.txt.asc sha256sums-unsigned-build.txt
The first command imports the needed key into your keyring. The second verifies the detached signature sha256sums-unsigned-build.txt.asc. If all is good, you should see something like this:
gpg: Signature made Fri 15 Jul 2016 09:31:01 AM UTC
gpg: using RSA key 0xD1982B344D0DB324
gpg: Good signature from “Continuous TBB builds” [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B06F C0C1 F35B 8462 A2DB 64DA D198 2B34 4D0D B324
- But we still don’t know that this key really belongs to Linus Nordberg, so check the key itself using (q to exit gpg):
gpg --edit-key 0xD1982B344D0DB324
check
You should see that the key is self-signed, which doesn’t help. If you already have a second key owned by Linus Nordberg you should also see
sig! 0x1E8BF34923291265 2015-10-20 Linus Nordberg
- If you don’t see output above, go to a key server and search for and then import into your keyring the key 0x1E8BF34923291265
In Konsole, type:
gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x1E8BF34923291265
Note: How can we help? | Tor Project | Support provides the list of all Tor signing keys for your reference. You can confirm Linus’ key is there as:
pub 4096R/23291265 2010-05-07
Key fingerprint = 8C4C D511 095E 982E B0EF BFA2 1E8B F349 2329 1265
uid Linus Nordberg linus@torproject.org
sub 4096R/B5F7D1B1 2016-04-14 [expires: 2017-04-14]
-
Run the step above again (gpg ‘check’), and you should now see GPG confirming that Linus signed the special key used only to sign the TBB hardened nightly builds. You can also check his key to see that it is indeed signed by many Tor Project employees and other people, at least one of whom you hopefully trust.
-
At this point you are ‘probably’ safe to unpack the tarball in the appropriate anon-whonix directory:
→ Extract the tarball under the /home directory
→ Use Dolphin to navigate to the hidden .tb directory (either show hidden files or cd .tb)
→ Rename current Tor Browser Folder as ‘Tor-browser Old’
→ Move your Selfrando Tor browser to the .tb directory -
Close old Tor-browser instance and start the new Selfrando Tor browser from the anon-whonix appVM menu
-
Immediately check you are connected to Tor. Update addons immediately and restart. Check the ‘Help → About Tor’ button now shows:
tbb-nightly-hardened (based on Mozilla Firefox 45.2.0)
Congratulations, you now have the most hardened Tor browser on the block running on your system!
Even those with 0-day Tor exploits will have difficulty hacking your ass, particularly if you also run apparmor profiles, seccomp restrictions and rarely run Javascript.
You’ll need around 3gb memory to run the browser though, due to numerous memory protections e.g. address sanitization etc.
Check back to the torproject every few days to repeat this process with the latest tarball. You will not have to import the keys again, but should repeat the process to ensure the build is not corrupt or back-doored.