Suggestion: "Non-Tor" browser in Whonix-Workstation

Hi. I suggest a built-in “Non-Tor” browser in Whonix-Workstation. Generally, for daily activities, a user should use Tor Browser, which is provided through the tb-updater package. But sometimes we need something like Tor Browser, but “Tor Button”-free, in order to use VPN extensions or proxies with it to get access to websites which block Tor Exit nodes. The default browser for that purpose is Firefox ESR, but before using it, you should remove the Pocket extension, disable WebRTC and so on.

Is there a way to provide something like Tor Browser but for other than pure Tor activities? Thank you!

We used to ship a plain browser firefox when it was iceweasel. Ended up being removed because it can encourage clueless users to shoot themselves in the foot and it increased image size.

We can’t reinvent a second Tor Browser effort to strip the bloat and privacy anti-features of FF. You’ll have to live with it and make a tradeoff.

Can GNU IceCat browser theoretically be used for Whonix non-TorExitNode purposes? It seems that GNU IceCat is a highly debloated and privacy-oriented rebuild of FF.

So, now I have a suggestion about including GNU IceCat into Whonix-Workstation repository.

Q: Why do we need it?
A: Because some websites block Tor Exit Nodes and therefore you need to use an additional Proxy/VPN after Tor (User → Tor → VPN/Proxy) in order to get Tor-unfriendly sites to work. But if you install VPN addons right into your Tor Browser, you can be fingerprinted, so it is strongly recommended to use some other browser for Tor-banned sites. We can use Firefox-ESR but it still has many suspicious features like Pocket, Firefox Accounts, Screenshots and so on. In order to get a privacy-oriented “Non-Tor” browser in Whonix-Workstation, we can use GNU IceCat.

Q: What is the difference between Firefox ESR and GNU IceCat?
A: https://directory.fsf.org/wiki/Gnuzilla

  • Encrypted Media Extensions (EME) is not implemented: Whereas Firefox are being created such that they support Digital Restrictions Management (DRM) systems through their implementation of the Encrypted Media Extension (EME), GNU IceCat doesn’t include an EME implementation as it opposes efforts to popularize and ease the dissemination of DRM technology.
    • Widevine Content Decryption Module provided by Google Inc. is not installed in about:addons > Plugins
    • The Play DRM-controlled content option (used to download and enable Widevine Content Decryption Module provided by Google Inc.) has been removed from about:preferences > Content
  • “Accept third-party cookies: Never”
  • WebRTC is enabled like in Firefox but prevent leaking the LAN ip. (Test WebRTC)
  • The proprietary web chat IRC client Mibbit has been removed.
  • Telemetry is disabled.
  • DuckDuckGo is the default search engine, which means that you can run “!Bangs” keywords in the location bar to use any search engine.

Privacy protection features

  • LibreJS: GNU LibreJS aims to address the JavaScript problem described in Richard Stallman’s article The JavaScript Trap.
  • Https-Everywhere: Extension that encrypts your communications with many major websites, making your browsing more secure.
  • SpyBlock: Blocks privacy trackers while in normal browsing mode, and all third party requests when in private browsing mode. Based on Adblock Plus.
  • AboutIceCat: Adds a custom “about:icecat” homepage with links to information about the free software and privacy features in IceCat, and checkboxes to enable and disable the ones more prone to break websites.
  • Fingerprinting countermeasures: Fingerprinting is a series of techniques allowing to uniquely identify a browser based on specific characteristics of that particular instance (like what fonts are available in that machine). Unlike cookies, the user cannot opt-out of being tracked this way; so the browser has to avoid giving away these kinds of hints.

Philosophy:

“We will always make IceCat block non-free JavaScript by default. If you want to permit nonfree software to run, you can easily disable LibreJS.” - Richard Stallman

Building:
You can either download prebuilt binaries (tar.gz) from:
https://ftp.gnu.org/gnu/gnuzilla/60.7.0/

Or build it from sources:
https://git.savannah.gnu.org/cgit/gnuzilla.git

The thing about IceCat is that it lags behind the FF versions and therefore there’s a bigger delay for receiving security updates; at least on Android that was the case. (EDIT: Seems the last stable release was out almost 2 years ago.) While proprietary blobs and DRM-friendly components are stripped, the browser isn’t magically more secure and you may run into a lot of breakage because of non-free JS incompatibility.


Quote Connecting to Tor before a Tunnel-link (Proxy/VPN/SSH):

  • When using a browser, connecting to Tor before a tunnel link worsens the web fingerprint. The anonymity effects of using the configuration: User → (Proxy / VPN / SSH →) Tor → Proxy / VPN / SSH → Tor Browser → Website are unknown. This setup is so specialized that very few people are likely to configure it, reducing the Tor Browser user pool to a far smaller subset. Due to potential fingerprinting harm it is recommended against.
  • If proceeding despite the risk, the tunnel configuration should not be combined with any browser other than Tor Browser (like Firefox or Chrome). This would further exacerbate the browser fingerprinting risk. [33]

[33] vpn after whonix (inside workstation) Not work anymore with TBB - #5 by Patrick


Does setting the option privacy.resistFingerprinting from false to true in the Firefox ESR about:config page prevent fingerprinting when using a “non-Tor” browser in Whonix-Workstation?

It’s impossible to trivially replicate Tor Browser’s privacy features just by switching a few settings in another browser.

Then why won’t you allow Whonix-Workstation users to install two separate copies of Tor Browser? One for standard Tor activities and the second one for “non-Tor” activities, e.g. for sites that block Tor Exit Nodes, for example for the ISP > Tor > Proxy > Internet scheme?

It’s not forbidden. It’s allowed. As per:
No Intentional User Freedom Restrictions

I understand. But Tor Browser in Whonix-Workstation doesn’t do bootstrapping because it’s already done in Whonix-Gateway, but using tb-updater I cannot install two separate instances of TB. So Firefox ESR is the only way to use the scheme ISP > Tor > Proxy > Internet. Can you upgrade the tb-updater package in order to allow people to download and install two separate instances of TB?

I think we have a wiki page on running multiple TBBs at the same time. You gotta find it.

Also much better than using the same VM for it:
Multiple Whonix-Workstation ™


As for a browser configuration that is compatible with VPNs, proxies:

Thank you for the feature request.

Bug Reports, Software Development and Feature Requests

Sometimes I am contemplating an optional configuration package which would simplify that.

Yes, it’s a feature request. I’m glad you are going to do something in order to help people gain access to websites that block Tor Exit nodes. So, we really need some kind of browser which will be compatible with the ISP > Tor > VPN/Proxy > Website scheme. As for now, I have three recommendations for this:

  1. Firefox ESR with some FF antifeatures disabled (such as Pocket, FX Accounts, Screenshots, WebRTC and so on);
  2. Tor Browser without Tor itself and configured to be used with Proxies;
  3. IceCat browser, which is more hardened and privacy oriented version of Firefox from GNU, but it doesn’t have binary builds, only sources.

I would be happy if you choose something from that and integrate it into the Whonix-Workstation release. Thank you!

I’d like Whonix Workstation to have preinstalled support for a safe non-Tor browser too. Sometimes it is really needed to connect to sites which block Tor exit nodes using the ISP > Tor > Proxy > Website approach. More and more sites block Tor exit nodes.

On some sites, you cannot sign up because when you sign up using Tor exit node, the website protection mechanism detects an attempt to sign up using Tor exit node as suspicious activity and freezes the account.

So, using Tor before proxy is really needed for some sites.

I use Waterfox Current myself (never tried Waterfox Classic). They have recently introduced support for both Google Chrome and Opera web browser extensions. This graphic is taken from their Wiki with more browser details:

Do you use it with Whonix-Workstation using ISP > Tor > Proxy/VPN > Website approach?

Any progress on that? A “Non-Tor” browser in Whonix-Workstation is still needed for those sites which block Tor exit nodes.

No progress.

Well, I have some progress in reducing fingerprinting of Firefox ESR browser under Whonix-Workstation OS when ISP > Tor > Proxy/VPN > Website scheme is used.

In Firefox privacy preferences. Type about:preferences#privacy in address bar and press enter. Then:

  1. To delete all cookies, history, cache and site data when Firefox is closed: in History section, select Always use private browsing mode
  2. Disable ‘anonymous’ Firefox Data Collection and Use: deselect all in that section.

In Firefox search preferences. Type about:preferences#search in address bar and press enter. Then:

  1. In Search Suggestions section: deselect Provide search suggestions

In Firefox config. Type about:config in address bar and press enter. Then, search for strings and set values:

  1. Disable WebRTC plug-in: media.peerconnection.enabled → false
  2. Disable Pocket extension: extensions.pocket.enabled → false
  3. Disable Firefox Screenshots extension: extensions.screenshots.disabled → true
  4. Disable Firefox Accounts Sync module: identity.fxaccounts.enabled → false
  5. Turn on fingerprinting resist feature: privacy.resistFingerprinting → true

What does Firefox fingerprinting protection do? Taken from Firefox's protection against fingerprinting | Firefox Help

  1. Your timezone is reported to be UTC
  2. Not all fonts installed on your computer are available to webpages
  3. The browser window prefers to be set to a specific size
  4. Your browser reports a specific, common version number and operating system
  5. Your keyboard layout and language is disguised
  6. Your webcam and microphone capabilities are disguised
  7. The Media Statistics Web API reports misleading information
  8. Any Site-Specific Zoom settings are not applied
  9. The WebSpeech, Gamepad, Sensors, and Performance Web APIs are disabled

P.S. These Firefox ESR modifications will NOT replace Tor Browser security patches and capabilities but just make your browsing experience a bit more private. Strange traffic from Firefox ESR to Cloudflare, Amazon and Great Britain servers is still detected, so it seems like Firefox ESR has built-in spyware. Although it is still anonymous, as all traffic from Whonix-Workstation is sent through the Tor network, fingerprinting capabilities are still big without usage of the original Tor Browser.
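
An added example, not part of the post above or of any Whonix tooling: a small Python audit that checks whether the five about:config values listed in that post are actually in effect in a Firefox profile. It assumes the usual profile layout, where prefs.js holds user-changed values and an optional user.js is applied on top of it at startup; the sample file contents are constructed.

```python
import re

# Expected values, taken from the about:config steps in the post above.
EXPECTED = {
    "media.peerconnection.enabled": False,
    "extensions.pocket.enabled": False,
    "extensions.screenshots.disabled": True,
    "identity.fxaccounts.enabled": False,
    "privacy.resistFingerprinting": True,
}
# Matches lines such as: user_pref("some.pref", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: value} for every user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:  # comments and blank lines do not match and are skipped
            name, raw = m.groups()
            prefs[name] = {"true": True, "false": False}.get(raw, raw.strip('"'))
    return prefs

def audit(prefs_js, user_js=""):
    """Compare effective prefs to EXPECTED; user.js overrides prefs.js."""
    effective = parse_prefs(prefs_js)
    effective.update(parse_prefs(user_js))
    findings = {}
    for name, want in EXPECTED.items():
        if name not in effective:
            findings[name] = "unset, so the browser default applies"
        elif effective[name] is not want:  # strict: the string "true" is flagged
            findings[name] = f"is {effective[name]!r}, expected {want!r}"
    return findings

# Constructed sample file contents, not taken from a real profile.
SAMPLE_PREFS_JS = '''
user_pref("extensions.pocket.enabled", false);
user_pref("media.peerconnection.enabled", true);
user_pref("privacy.resistFingerprinting", true);
'''
SAMPLE_USER_JS = 'user_pref("media.peerconnection.enabled", false);\n'

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS).items():
        print(f"{name}: {problem}")
```

An empty result means all five values match; it says nothing about the remaining fingerprint surface that the thread discusses.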