Sometimes it's good to be an average Joe

Using Windows-Workstation with Whonix-Gateway.
Firefox or Chrome.
With a proxy (using Foxyproxy or something similar).

So I’m more or less an average Joe.

But my WebRTC shows an internal IP of
Hey, that’s a Whonix user right there!

I could block it with Firefox settings or a Chrome extension, but what kind of average Joe does that?

Any ways to improve average Joe appearance?

What kind of average Joe uses a Windows VM with Chromium or Firefox with a proxy? I doubt your fingerprint will be the same as for the tor browser. If you are just worried about WebRTC then you can of course change the address of the interfaces on the gateway and workstation to something else. You maybe need to adjust some firewall rules, too.

1 Like

Of course I won’t have the Tor Browser fingerprint, I don’t want the Tor browser fingerprint. In this case I want a specific fingerprint any random user may have. Trackable throughout various sites. Javascript enabled, cookies get saved. And actually Chrome is way more common than FF, better for this purpose.

I’m not talking super smart analysis. What do websites see?

Operating system? Windows.
Browser? Chrome.
Transparent Proxy. Shouldn’t make a difference.
Standard security settings.

I don’t want to mess with the Gateway. It is possible to have the WebRTC show 192.168.X.X without changing anything in the Gateway?

Depends on your website. Take a look at Find and check IP address, browserleaks, panopticlick, Then you know to some extend what is possible.

What is that? I doesn’t seem to be javascript off. I made a test with chromium on linux (but not Whonix) and with javascript disabled it doesn’t show any ip from webrtc.

In case your main goal is to not look like a Whonix user then I’m not sure if any website does some kind of tracking like that. Whonix is not that famous yet :wink: If some website does it, I would not call it average. I don’t know how to spoof the WebRTC and doing a quick search turned up this :

Not sure if there is a specific switch for WebRTC on Chromium but disabling javascript or changing the ip of the interface would be the easiest option.

I understand you’re trying to be inconspicuous by being conspicuous but you’ll actually singling yourself out. An average Joe does not have a set up like yours. They use Tor Browser and that is what you should be using.

In stark contrast to regular browsers, Tor Browser is optimized for anonymity and has a plethora of privacy-enhancing patches and add-ons. [5] With Tor Browser, the user “blends in” and shares the Fingerprint of nearly three million other users, which is advantageous for privacy.

There is no such thing as “a little bit of anonymity” or slightly anonymous. You either are anonymous or your not .If you can be tracked you’re singling yourself out. You are now 1 individual not 1 in 3 million users that can be tracked across domains. Many of the big data collection companies would likely be able to profile you. Facebook , Google etc… these companies have “super smart analysis”

Obviously its your choice but if your doing this just to blend in better you may want to reassess your options.

By Standard security settings, or by “standard settings” in general, I mean default settings. Those that exist when the user downloads the browser and does not make any changes. I believe this is the most common. Agreed?
In those settings, Javascript will be active, no doubt. It’s even active with the default settings of Tor Browser…

Average Joe doesn’t use Tor browser. Average Joe doesn’t even know what is Tor, or maybe he heard about it but has no reason to think this is relevant for him. He uses Chrome or Firefox or IE or Safari.
Average Joe’s IP is certainly not a Tor exit node.

Average Joe does not think anonymity is very important. Most of the things he does online are not anonymous anyway, he willingly identifies himself even at places that don’t require real personal details. He shares a lot of his life to the public.
Average Joe could not even use his gmail or google translate or even yahoo or live email with Tor, without constantly getting elaborate captchas or phone verification requests again and again.
Average Joe probably cannot log into his bank account or make any credit card purchase or log in to many other places with the Tor Browser.

Of course. Average Joe is tracked and profiled, he may even think it is for his own benefit. Each Average Joe is unique in the eyes of FB, Google. But Average Joe isn’t me.

This isn’t partially anonymous vs. anonymous.
This is “an identity” vs “avoiding having an identity” (there are probably better terms for that conflict).

3 million is less than 0.1% of internet users. Still a small enough number for many places to either block access or make it difficult for you to access.
If it was, I don’t know, 300 million, they couldn’t afford giving such a hard time to Tor users.

Hi Chicken

Average Joe would is certainly all of these things but I don’t see the point in using Whonix configured in this manner regardless if using Tor Browser of not. It defeats the purpose and your not gaining anything. Many Tor users make use Firefox, Chrome etc. for normal browsing or when accessing banking websites etc. They know who the users is anyways so I guess it doesn’t matter. There are also many other sites that will block users if they show a Tor exit node IP. Unless its my bank or some important site I need to access I won’t even bother with them.

You are being tracked and profiled. You visit sites and forums that interest you. you buy stuff from e-commerce with your credit card etc. Average Joe is certainly you.

Why make it easy for them??

Joe can’t visit sites chicken is interested in, he has no idea who chicken is and what forums he visits. If he knew that, he wouldn’t be Joe. He would be chicken. And of course Joe can’t use chicken’s banking sites or credit cards.

Joe is a completely different identity and this setup is only used by Joe. Chicken will use the standard Whonix-Wrokstation for actions that don’t require identification and clearnet for actions that do.

Let’s take an imaginary example. Chicken is a member in the “Free the Eggs” organization. Most members of the organization are anonymous, but the organization itself, or its leadership, aren’t (kinda like Whonix when you think of it). The organization has an address, known representatives, bank accounts, credit cards and so on.
As part of his (volunteer) role, chicken helps to maintain the finances of the organization. He will need to use the credit cards and have access to bank accounts. Now the heads of the organization know chicken personally, but chicken would still like to maintain his anonymity from the public, Including his ISP and the services he uses.

How will chicken be able to do his work while maintaining anonymity? he needs to be Joe. But only when he’s working. His personal activities should be kept separate.

LOL. Thinking a handful of addons for a mainstream browser will save you in the age of high precision surveillance analytics and fingerprinting.

It seems parasitic power structures need Joe to survive. Enjoy being Joe but don’t expect us to agree with you.

Thank you for the constructive answer.

No problem amigo. Let us know if you have further questions.

  1. Why would you use windows instead of Whonix Workstation?
  2. How can an average joe create email addresses without phone verification in Whonix Workstation? I tried tutanota, and it sucks. Although yahoo japan mail and yandex allow me to create email addresses without phone verification, I’m not comfortable with yahoo japan and yandex. I hope gmail didn’t require phone verification.

I still need to test all this stuff. Linux by itself make you stand out to some extent. The signature of Tor-Browser shows Firefox with Windows 7 as far as I know, but I’m not sure if there are any traces of Linux left.

One thing that certainly affects how those sites treat you is the IP and especially the fact you’re changing IPs on each login. They are designed to recognize IP + OS + Browser + Cookies and trust you when you stick to the same settings, or suspect you otherwise.

Yandex will also start asking you for phone verification at some point if you change IPs. Outlook will allow you one month without phone verification or something similar. Gmail I believe will initially ask anyone for phone verification.

I’d say using a standard browser in Whonix-Workstation but with VPN after Tor solves 80%-90% of the issues (naturally you need to purchase that VPN anonymously). All those sites start to behave like really good boys when you have a constant, non Tor IP. And you get no issues even if you set firefox to “Never Remember History”. It’s still acceptable for them if cookies are cleared. Javascript is a must almost everywhere (even here).

The final 10%-20% are tricky. Those will be sites that have been heavily abused and have zero tolerance for anything fishy. They’re not going to take any anonymization monkey business from you. They are many things that easily give you away. Your time zone won’t match the VPN’s time zone unless it’s British so you need to change that. Linux traces perhaps. Maybe also WebRTC as I mentioned above. VPN servers are public knowledge and are sometime blacklisted too. That’s where proxies can be useful, of course if they’re not openly published and didn’t get abused. Now if the proxy has open ports 80 and 22 that’s isn’t exactly what you’d expect to see at a home user’s PC as well so another thing to worry about.

You can use proxies with Tor Browser, maybe that good as well. If you use Firefox in Whonix-Workstation it’s visible you’re a Linux user. Perhaps Windows isn’t required. Don’t think I’ll work with Windows more than I absolutely have to, I hate this thing.

Are you saying that I should purchase VPN anonymously and connect to VPN in Whonix Workstation to circumvent phone verification?
How can I purchase VPN anonymously? With bitcoins made anonymized through monero? I don’t know if I can anonymize bitcoins purchased on bitcoin exchanges through monero.

I not saying you should, I’m saying that’s a way that works for me.

Regarding bitcoin and anonymity - don’t purchase anything on an exchange. Don’t open an account on an exchange that needs your details. Get your bitcoins elsewhere. And if you want to anonymize them, change to monero and back to bitcoin. Not the same amount. Not at the same time. Not at the same service.

I don’t know a way to avoid phone verification other than connecting to VPN in Whonix Workstation.

Other than cryptocurrency exchanges, I only know local bitcoin exchanges. As far as I know, I would have to meet a person on street and exchange bitcoin with money. This reminds me of street drug dealers.

Do you know a more efficient way to buy bitcoin anonymously than local bitcoin exchange?

You could also use a proxy instead of a VPN, same principle.

You don’t have to meet anyone on the street although that’s also an option. In localbitcoins and paxful you have many ways to purchase bitcoin, for example a cash deposit to a bank account. No ID required. There are also Bitcoin ATMs. Depends on your country, you may be able to buy Debit / Gift card in a retail shop without an ID and use that.

When you’re talking VPN fees, they are pretty low. It’s not like you’re taking your nest egg and converting it into bitcoin. With such small amounts, even cash by mail can be a working method.

By the way some VPN providers also accept cash by mail so you won’t even need to buy bitcoin at all.