Selfrando Tor Browser - How To: Installation Guide

Selfrando Hardened Tor Browser - Installing in Qubes-Whonix

Only works on 64 bit Linux systems.

Installation Rationale

See: Selfrando: Q and A with Georg Koppen | The Tor Project

“Selfrando randomizes Tor browser code to ensure that an attacker doesn’t know where the code is on your computer. This makes it much harder for someone to construct a reliable attack–and harder for them to use a flaw in your Tor Browser to de-anonymize you.”

Steps

  • Using Tor in your anon-whonix appVM, navigate to the directory for the latest hardened browser release*:

https://people.torproject.org/~linus/builds/

*Note the builds are released every 3 days (currently) and are unsigned. The Tor browser sits in your /home directory which retains changes between sessions, so there is no need to install it in the Whonix-workstation template.

  • Click on the lock icon to check the certificate that you are really connected to torproject.org

  • Using Tor Browser, download this public key which signs all Tor browser nightly versions (as advised by gk)*:

Continuous-TBB-builds-4D0DB324.asc

*If you have very restrictive apparmor protections that prevent downloading or changing download destinations, then open a terminal instead and run curl -O URL-OF-FILE to retrieve it

  • Click on the link to descend to the directory with the latest nightly hardened builds. At time of writing it was:

https://people.torproject.org/~linus/builds/tbb-nightly-hardened-2016-07-15/

  • Download these files:

sha256sums-unsigned-build.txt
sha256sums-unsigned-build.txt.asc
tor-browser-linux64-tbb-nightly-hardened_ALL.tar.xz

The first is a text file stating the SHA256 sums of the build. The second is the detached GPG signature for that text file. The third is the tarball.

  • To verify the SHA256 sum of the tarball, in Konsole type:

sha256sum tor-browser-linux64-tbb-nightly-hardened_ALL.tar.xz

Carefully check that the reported hash matches exactly the string given in the file named sha256sums-unsigned-build.txt

  • To verify the authenticity of the reported hash value, in Konsole type:

gpg --import Continuous-TBB-builds-4D0DB324.asc

gpg --verify sha256sums-unsigned-build.txt.asc sha256sums-unsigned-build.txt

The first command imports the needed key into your keyring. The second verifies the detached signature sha256sums-unsigned-build.txt.asc. If all is good, you should see something like this:

gpg: Signature made Fri 15 Jul 2016 09:31:01 AM UTC
gpg: using RSA key 0xD1982B344D0DB324
gpg: Good signature from “Continuous TBB builds” [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B06F C0C1 F35B 8462 A2DB 64DA D198 2B34 4D0D B324

  • But we still don’t know that this key really belongs to Linus Nordberg, so check the key itself using (q to exit gpg):

gpg --edit-key 0xD1982B344D0DB324
check

You should see that the key is self-signed, which doesn’t help. If you already have a second key owned by Linus Nordberg you should also see

sig! 0x1E8BF34923291265 2015-10-20 Linus Nordberg

  • If you don’t see output above, go to a key server and search for and then import into your keyring the key 0x1E8BF34923291265

In Konsole, type:

gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys 0x1E8BF34923291265

Note: How can we help? | Tor Project | Support provides the list of all Tor signing keys for your reference. You can confirm Linus’ key is there as:

pub 4096R/23291265 2010-05-07
Key fingerprint = 8C4C D511 095E 982E B0EF BFA2 1E8B F349 2329 1265
uid Linus Nordberg linus@torproject.org
sub 4096R/B5F7D1B1 2016-04-14 [expires: 2017-04-14]

  • Run the step above again (gpg ‘check’), and you should now see GPG confirming that Linus signed the special key used only to sign the TBB hardened nightly builds. You can also check his key to see that it is indeed signed by many Tor Project employees and other people, at least one of whom you hopefully trust.

  • At this point you are ‘probably’ safe to unpack the tarball in the appropriate anon-whonix directory:
    → Extract the tarball under the /home directory
    → Use Dolphin to navigate to the hidden .tb directory (either show hidden files or cd .tb)
    → Rename current Tor Browser Folder as ‘Tor-browser Old’
    → Move your Selfrando Tor browser to the .tb directory

  • Close old Tor-browser instance and start the new Selfrando Tor browser from the anon-whonix appVM menu

  • Immediately check you are connected to Tor. Update addons immediately and restart. Check the ‘Help → About Tor’ button now shows:

tbb-nightly-hardened (based on Mozilla Firefox 45.2.0)

Congratulations, you now have the most hardened Tor browser on the block running on your system!

Even those with 0-day Tor exploits will have difficulty hacking your ass, particularly if you also run apparmor profiles, seccomp restrictions and rarely run Javascript.

You’ll need around 3gb memory to run the browser though, due to numerous memory protections e.g. address sanitization etc.

Check back to the torproject every few days to repeat this process with the latest tarball. You will not have to import the keys again, but should repeat the process to ensure the build is not corrupt or back-doored.

1 Like

Thanks torjunkie!

(Moved to Development. Not Qubes-Whonix specific, and too advanced for Support.)

With the upcoming transition to 64-bit guests this will become an option for all users.

@torjunkie How is the performance of hardened TBB? If its comparable to vanilla TBB performance we should switch to it by default.

It would be a bold decision to go with the unstable rather than stable version of TBB. More ArchLinux / Gentoo rather than Debian style. I think this should be optional and we should wait for the improvements to flow back into stable versions.

Hi HulaHoop,

The performance has been good - I see no difference to the standard Tor browser except it chews around 3gb of memory (or so). But for browsing and so on, it’s just like the vanilla version.

Thanks @torjunkie.

Thats good news. I remember the earliest hardened builds were unusable with videos on youtube. As for the RAM thing thats because they still use ASan despite it being resource hungry and of no security benefit at all (it increases attack surface actually):

From oss-security - Address Sanitizer local root

Thanks HulaHoop - interesting read.

BTW my advice above has now been superseded by Torproject’s decision to bake in Selfrando to the ‘hardened’ Tor Browser series.

So, paranoid 64bit Qubes-Whonix users (isn’t that most of us :grin: ) should just use tbb-downloader to install the “6.5a2-hardened (based on Mozilla Firefox 45.3.0)” browser, and keep it updated every 6 weeks or so.

The only caveat is that after FF releases new updates, there is a window of about 6-12 hours before torproject makes the ‘hardened’ browser available. Therefore, technically there is a small window when bad guys can know of vulnerabilities in the browser and hack away, before the hardened update is available for installation. So, maybe that is when you decide to hit the bar instead of the keyboard.

Usually the window for the standard Tor Browser is much smaller - an hour or so.