TODO research and document - How to use Tor Browser for security not anonymity? How to use TBB using clearnet?

Would be ok but any reason to keep torbrowser-launcher?

For simplicity I would suggest tb-updater all the way.

2 Likes

Can we please make this page https://www.whonix.org/wiki/Tor_Browser_without_Tor sound more exciting? That project did not catch on yet.

The security community is much bigger than the privacy/anonymity communities. If they knew there was a hardened browser, a lot of people would use it. Would be good to have help, attention and development support of the security community. Hardened Firefox should be a thing in the security community. But information spreads much less than one would expect nowadays. A public wiki page somewhere doesn’t necessarily lead to wide publication. It’s still like “a secret”.

To start this, is anyone up for aggregating primarily the security enhancements that Tor Browser implements? (Secondarily perhaps also privacy enhancements.) Perhaps a comparative table similar to https://www.whonix.org/wiki/Sdwdate#sdwdate_vs_ntp? Perhaps some libre licensed selfrandom images?

2 Likes

The Tor Browser doesn’t increase security from default Firefox except maybe changing the security sliders which can just be easily gotten on default Firefox. The sandboxed Tor Browser version has also been dead for a while now. I wouldn’t name it something related to security like that.

https://www.whonix.org/wiki/Tor_Browser_without_Tor mentions a few things.

Security enhancements:

  • improved exploit protection through selfrando [4]
  • disable WebRTC [5]
  • security slider
  • noscript installed by default
  • reproducible builds
  • To provide users with optional defense-in-depth against JavaScript and other potential exploit vectors, we also include NoScript. [6]
  • We also modify several extension preferences from their defaults. [6]

  • proxy and DNS configuration obedience
  • Full RELRO [7]

Is there really no more to it? I haven’t reviewed all Tor Browser design docs yet or at least cannot recite that part. Anyone up to do that?

1 Like

Does disabling WebRTC improve security? I know it leaks your IP but that’s more of an anonymity issue than a security one.

I never knew about the selfrando and relro. Those are interesting.

Not that I’m aware of. I’ve skimmed through the design doc before and never found anything that would improve security much.

There is this part but the only actual security feature would be the security slider that just changes a few about:config options.

madaidan via Whonix Forum:

Does disabling WebRTC improve security? I know it leaks your IP but that’s more of an anonymity issue than a security one.

The more gets disabled, the less attack surface.

There were a couple of vulns:
https://www.cvedetails.com/product/33499/Webrtc-Project-Webrtc.html?vendor_id=15802

1 Like

So why mention WebRTC specifically? There are plenty of things that get disabled in the Tor Browser that could be considered as reducing attack surface.

Those were fixed years ago and there are very few.

1 Like

WebRTC was previously shown to leak sensitive info when VPNs are used. VPNs are very popular. This could pique the interest of those users. WebRTC disabled

Unfortunately perception sometimes trumps reality.

1 Like

madaidan via Whonix Forum:

So why mention WebRTC specifically? There are plenty of things that get disabled in the Tor Browser that could be considered as reducing attack surface.

No specific reason. Documentation / lack of research issue.

1 Like

Maybe it should be changed to “Reduced attack surface”?

Reducing attack surface is a part of security enhancement.

I know, I meant that the “disabled WebRTC” part should probably be changed to “reduced attack surface” in the wiki as it isn’t just WebRTC that is disabled.

That’s ok, also other examples would be useful generally.

We need a start menu icon for SecBrowser.

"SecBrowser" has some Google search results for SecBrowser.apk. There’s still enough time to rename. Better to avoid confusion. What about…

  • Sec1Browser
  • 1st Security Browser
  • Supreme Security Browser
  • securetty browser
  • securettyb
  • securer

?

Since securer is into the business of tweaking settings while not having anonymity as a goal (which Tor Browser is for), why not set the security slider setting to maximum by default?

1 Like

Done.

1 Like

Reverted, since it does not work unfortunately. After first browser start, NoScript by default still allows everything.

Help welcome.