Hi. I suggest a built-in “Non-Tor” browser in Whonix-Workstation. Generally, for daily activities, a user should use Tor Browser, which is provided through the tb-updater package. But sometimes we need something like Tor Browser but “Tor Button”-free, in order to use VPN extensions or proxies with it to get access to websites which block Tor Exit nodes. The default browser for that purpose is Firefox ESR, but before using it you should remove the Pocket extension, disable WebRTC and so on.
Is there a way to provide something like Tor Browser but for other than pure Tor activities? Thank you!
We used to ship a plain browser firefox when it was iceweasel. Ended up being removed because it can encourage clueless users to shoot themselves in the foot and it increased image size.
We can’t reinvent a second Tor Browser effort to strip the bloat and privacy anti-features of FF. You’ll have to live with it and make a tradeoff.
Can the GNU IceCat browser theoretically be used for Whonix non-TorExitNode purposes? It seems that GNU IceCat is a highly debloated and privacy-oriented rebuild of FF.
So, now I have a suggestion about including GNU IceCat into Whonix-Workstation repository.
Q: Why do we need it?
A: Because some websites block Tor Exit Nodes and therefore you need to use an additional Proxy/VPN after Tor (User → Tor > VPN/Proxy) in order to get Tor-unfriendly sites to work. But if you install VPN addons right into your Tor Browser, you can be fingerprinted, so it is strongly recommended to use some kind of other browser for Tor-banned sites. We can use Firefox-ESR but it still has many suspicious features like Pocket, Firefox Accounts, Screenshots and so on. In order to get a privacy-oriented, “Non-Tor” browser in Whonix-Workstation, we can use GNU IceCat.
Encrypted Media Extensions (EME) is not implemented: Whereas Firefox is being created such that it supports Digital Restrictions Management (DRM) systems through its implementation of the Encrypted Media Extension (EME), GNU IceCat doesn’t include an EME implementation as it opposes efforts to popularize and ease the dissemination of DRM technology.
Widevine Content Decryption Module provided by Google Inc. is not installed in about:addons > Plugins
The Play DRM-controlled content option (used to download and enable Widevine Content Decryption Module provided by Google Inc.) has been removed from about:preferences > Content
“Accept third-party cookies: Never”
WebRTC is enabled like in Firefox but prevents leaking the LAN IP.
The proprietary web chat IRC client Mibbit has been removed.
Telemetry is disabled.
DuckDuckGo is the default search engine, which means that you can run “!Bangs” keywords in the location bar to use any search engine.
Privacy protection features
LibreJS: GNU LibreJS aims to address the JavaScript problem described in Richard Stallman’s article The JavaScript Trap.
Https-Everywhere: Extension that encrypts your communications with many major websites, making your browsing more secure.
SpyBlock: Blocks privacy trackers while in normal browsing mode, and all third party requests when in private browsing mode. Based on Adblock Plus.
AboutIceCat: Adds a custom “about:icecat” homepage with links to information about the free software and privacy features in IceCat, and checkboxes to enable and disable the ones more prone to break websites.
Fingerprinting countermeasures: Fingerprinting is a series of techniques allowing to uniquely identify a browser based on specific characteristics of that particular instance (like what fonts are available in that machine). Unlike cookies, the user cannot opt-out of being tracked this way; so the browser has to avoid giving away these kinds of hints.
Philosophy:
“We will always make IceCat block non-free JavaScript by default. If you want to permit nonfree software to run, you can easily disable LibreJS.” - Richard Stallman
The thing about IceCat is that it lags behind the FF versions and therefore there’s a bigger delay for receiving security updates, at least on Android that was the case. (EDIT: Seems the last stable release was out almost 2 years ago). While proprietary blobs and DRM friendly components are stripped, the browser isn’t magically more secure and you may run into a lot of breakage because of non-free JS incompatibility.
When using a browser, connecting to Tor before a tunnel link worsens the web fingerprint. The anonymity effects of using the configuration: User → (Proxy / VPN / SSH →) Tor → Proxy / VPN / SSH → Tor Browser → Website are unknown. This setup is so specialized that very few people are likely to configure it, reducing the Tor Browser user pool to a far smaller subset. Due to potential fingerprinting harm it is recommended against.
If proceeding despite the risk, the tunnel configuration should not be combined with any browser other than Tor Browser (like Firefox or Chrome). This would further exacerbate the browser fingerprinting risk. [33]
Does setting the option privacy.resistFingerprinting from false to true in the Firefox ESR about:config page prevent fingerprinting when using a “non-Tor” browser in Whonix-Workstation?
Then why won’t you allow Whonix-Workstation users to install two separate copies of Tor Browser? One for standard Tor activities and the second one for “non-Tor” activities, e.g. for sites that block Tor Exit Nodes, for example for the ISP > Tor > Proxy > Internet scheme?
I understand. But Tor Browser in Whonix-Workstation doesn’t do bootstrapping because it’s already done in Whonix-Gateway, and using tb-updater I cannot install two separate instances of TB. So Firefox ESR is the only way to use the scheme ISP > Tor > Proxy > Internet. Can you upgrade the tb-updater package in order to allow people to download and install two separate instances of TB?
Yes, it’s a feature request. I’m glad you are going to do something in order to help people to gain access to websites that block Tor Exit nodes. So, we really need some kind of browser which will be compatible with the ISP > Tor > VPN/Proxy > Website scheme. As for now, I have three recommendations for this:
Firefox ESR with some FF antifeatures disabled (such as Pocket, FX Accounts, Screenshots, WebRTC and so on);
Tor Browser without Tor itself and configured to be used with Proxies;
IceCat browser, which is a more hardened and privacy-oriented version of Firefox from GNU, but it doesn’t have binary builds, only sources.
I would be happy if you choose something from that and integrate it into the Whonix-Workstation release. Thank you!
I’d like Whonix Workstation to have preinstalled support of a safe non-Tor browser too. Sometimes it is really needed to connect to sites which block Tor exit nodes using the ISP > Tor > Proxy > Website approach. More and more sites block Tor exit nodes.
On some sites, you cannot sign up because when you sign up using Tor exit node, the website protection mechanism detects an attempt to sign up using Tor exit node as suspicious activity and freezes the account.
So, using Tor before proxy is really needed for some sites.
I use Waterfox Current myself (never tried Waterfox Classic). They have recently introduced support for both Google Chrome and Opera web browser extensions. This graphic is taken from their Wiki with more browser details:
Well, I have some progress in reducing fingerprinting of Firefox ESR browser under Whonix-Workstation OS when ISP > Tor > Proxy/VPN > Website scheme is used.
In Firefox privacy preferences. Type about:preferences#privacy in address bar and press enter. Then:
To delete all cookies, history, cache and site data when Firefox is closed: in History section, select Always use private browsing mode
Disable ‘anonymous’ Firefox Data Collection and Use: deselect all in that section.
In Firefox search preferences. Type about:preferences#search in address bar and press enter. Then:
In Search Suggestions section: deselect Provide search suggestions
In Firefox config. Type about:config in address bar and press enter. Then, search for strings and set values:
Not all fonts installed on your computer are available to webpages
The browser window prefers to be set to a specific size
Your browser reports a specific, common version number and operating system
Your keyboard layout and language is disguised
Your webcam and microphone capabilities are disguised
The Media Statistics Web API reports misleading information
Any Site-Specific Zoom settings are not applied
The WebSpeech, Gamepad, Sensors, and Performance Web APIs are disabled
P.S. These Firefox ESR modifications will NOT replace Tor Browser security patches and capabilities but just make your browsing experience a bit private. Strange traffic from Firefox ESR to Cloudflare, Amazon and Great Britain servers is still detected so it seems like Firefox ESR has built-in spyware. Although it is still anonymous as all traffic from Whonix-Workstation is sent through the Tor network, fingerprinting capabilities are still big without usage of the original Tor Browser.
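An added example, not part of the original posts: a small audit that reads the text of a Firefox profile's `user.js` or `prefs.js` and reports which of the settings discussed in this thread are missing or not hardened. Only `privacy.resistFingerprinting` is named in the thread; the other preference names are this example's assumed mapping of the features the posts mention, and the sample profile is constructed.

```python
import re

# Features named in the thread -> Firefox prefs (mapping is an assumption of
# this example, except privacy.resistFingerprinting, which the thread names).
EXPECTED = {
    "privacy.resistFingerprinting": True,                # fingerprinting resistance
    "media.peerconnection.enabled": False,               # WebRTC
    "extensions.pocket.enabled": False,                  # Pocket
    "identity.fxaccounts.enabled": False,                # Firefox Accounts
    "extensions.screenshots.disabled": True,             # Screenshots
    "browser.privatebrowsing.autostart": True,           # always private browsing
    "browser.search.suggest.enabled": False,             # search suggestions
    "datareporting.healthreport.uploadEnabled": False,   # data collection
}

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: value} from user.js/prefs.js text; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not user_pref()
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text, expected=EXPECTED):
    """List (pref, wanted, found); an unset pref (found=None) is a finding,
    because Firefox's default for each of these is the non-hardened value."""
    prefs = parse_prefs(text)
    return [(k, v, prefs.get(k)) for k, v in expected.items() if prefs.get(k) != v]

# Constructed sample profile: partly hardened, WebRTC left on.
SAMPLE = '''
// user.js (constructed sample)
user_pref("privacy.resistFingerprinting", true);
user_pref("media.peerconnection.enabled", true);
user_pref("extensions.pocket.enabled", false);
user_pref("browser.search.suggest.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
'''

if __name__ == "__main__":
    for name, wanted, found in audit(SAMPLE):
        print(f"{name}: want {wanted!r}, found {found!r}")
```

A clean audit only confirms the listed preferences; it says nothing about how the resulting browser compares with Tor Browser's fingerprint.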