SecBrowser: A Security-hardened, Non-anonymous Browser - DEPRECATED

There is no Tor over Tor in either Non-Qubes-Whonix or Qubes-Whonix. Tor Browser in Whonix-Workstation uses Tor running on Whonix-Gateway.

This is implemented through the package anon-ws-disable-stacked-tor.

From Whonix-Workstation you’ll never make a non-torified connection anyhow. You could use Tor’s TransPort rather than Tor’s SocksPort, but I don’t see the point.

Using Tor Browser from within Whonix-Workstation without any Tor access, using clearnet… Excuse me, why would that be useful? One could do that, but not without insecure modifications on Whonix-Gateway. Or one could use a Tor Browser without Tor from Whonix-Gateway, but what would that be useful for?

It might be interesting to document how to enable persistent storage of passwords and whatnot when using Tor Browser in Whonix. That would then fit here:
Tor Browser Advanced Topics

(However, then we should use wiki templates so we don’t have to duplicate the instructions. Minor thing. I can assist with this if you wish.)

Does this fully answer your question? :slight_smile:

Sure. Would be useful, but rather low on my wishlist. (Higher priority on my wishlist is sandboxed Tor Browser, but it’s all up to you of course.)

A wiki page is a cool “first step”. Then some advanced users can benefit from it. We have a proof of concept and can demonstrate some interest. A super cool tool for us geeks.

As a “second step”… I however would also very much welcome if either The Tor Project would provide a Tor Browser without Tor (which really needs a good name then)… Perhaps SecureFox or so. (With the sandboxing available and preinstalled noscript and whatnot, it’s a focus on better security than Firefox and reduced tracking / better privacy.) And/or a dedicated project with its own website, downloads, package repository and what not for SecureFox or HardFox or so.

I of course don’t expect you to do any of these steps. I appreciate however far you take it. And if you don’t do the second step, then that gets easier since a lot of the development work would be already done.

Would be cool if colors were somehow changed or so. I understand it’s a lot of detail work and may not be simple.

Their reasons are valid, for Tor Browser. But it’s different in the case of a personal / non-anonymous browser. For example, cutting off ad revenues would encourage website owners to be more hostile towards Tor IPs, but not for non-anonymous individuals. Unlike Tor Browser, using adblockers improves privacy in a non-anonymous browser especially when JavaScript must be turned on. It would also reduce the attack surface.

That reminds me: We probably should warn users against using Tor Browser without Tor in Whonix-Workstation, not because Tor could be bypassed, but because exit node stream isolation is untested in this case. Depends on whether you think any Whonix user would try that; I know it makes no sense to disable Tor in Whonix-Workstation.

Tor Browser without Tor from Whonix-Gateway: Same as Insecure Browser in Tails. (I don’t know how Whonix deals with wifi networks you need to sign on to, etc.)

To save passwords you would only need to disable private browsing mode and enable password manager. But I fear anything that involves disabling private browsing mode could potentially compromise one’s anonymity. How would you maintain control over exactly what information is kept?

In that case I would use a separate Tor Browser (with private browsing mode disabled) only for those websites where I allow certain information to be kept.

Speaking of which: Would the modifications for this be any different for Whonix’s Tor Browser compared with vanilla Tor Browser?

( Tor Browser Essentials )

Good point. Added a warning box to the wiki page.

Would only be interesting for users using physical isolation that are using a captive portal. So far this never happened. Related documentation:

Since physical isolation support status…

Build Documentation: Physical Isolation

Imo very low priority.

Right. That’s a rabbit hole. Selective storage of passwords is a missing Tor Browser feature. One could say, out of scope for this project.

( Tor Browser Essentials )

@ubestemt are you still around?

Could someone review these changes please?

Tor Browser without Tor: Difference between revisions - Whonix

Hi Patrick

I think it would be very easy for a user to make a mistake and shoot oneself in the foot.

User opens TBB with Tor disabled. A little while later user gets distracted or steps away from their laptop for a minute. User comes back to using TBB but forgets Tor is disabled ( easy to do, easy to confuse Whonix with non-Tor TBB AppVM ?? ) User logs into anonymous email over clearnet.

0brand:

Hi Patrick

I think it would be very easy for a user to make a mistake and shoot oneself in the foot.

User opens TBB with Tor disabled. A little while later user gets distracted or steps away from their laptop for a minute. User comes back to using TBB but forgets Tor is disabled ( easy to do, easy to confuse Whonix with non-Tor TBB AppVM ?? ) User logs into anonymous email over clearnet.

Do you comment on the last wiki edit specifically or do you discourage having a Tor Browser without Tor wiki page generally?

Hi Patrick

Sorry, should have been more specific. For starters, non-Tor TBB would be something I would be interested in using. I think it’s a great idea. However, I know users can follow all the precautions in the Whonix Wiki and then make one mistake and none of that makes any difference. I think users would be more at risk doing that if they also use non-Tor TBB.

After reading through the Tor Browser without Tor Wiki and seeing all the warnings, I wonder if that will be enough. This is partly because I’m a little cynical right now because I shot myself in the foot not too long ago, but mostly because I don’t want someone else to make a similar mistake.

I know complaining does no good if you don’t try to contribute to a solution, so I have been thinking of a way to help mitigate the risk of something like that happening. The only thing that I could come up with that is easy to do is use 2 vault AppVMs, each has a separate password manager. One is for anonymous use, and is shut down before any clearnet AppVMs are started. The other is for clearnet use, and shut down before Whonix starts.

The idea is not all that impressive, but had I done that, I would not have shot myself in the foot. Maybe could help others from doing the same?

1 Like

Your suggested user behavior sounds good. Separate vault VMs, separate VMs for anonymous and non-anonymous use, certainly yes.

  • For Qubes-Whonix users: shutting down most if not all other non-anonymous VMs (besides sys-net / sys-firewall / sys-whonix) when doing anonymous activities is a highly recommended behavior to avoid mess-up.
  • For Non-Qubes-Whonix: Perhaps maximize a Whonix-Workstation VM while using it.

We have this recommendation.
Do not Use Clearnet and Tor at the Same Time

Tips on Remaining Anonymous

But perhaps it could be expanded a bit? Do we have the practical steps to do that (shut down other VMs…) elaborated anywhere in the wiki? @torjunkie

1 Like

Not explicitly that I’m aware of.

Anyway, the Tor Browser without Tor wiki entry is pretty good, but could use a little polish.

1 Like

As it turns out, for Debian users torbrowser-launcher is only available through backports. This includes old stable “jessie” and current stable “stretch”.

https://wiki.debian.org/TorBrowser
https://tracker.debian.org/pkg/torbrowser-launcher

Should instructions on how to add backports to the sources.list be added to this wiki page, or maybe just add a link to Installing Fire Jail (has instructions for adding jessie backports to sources.list) with instructions to substitute torbrowser-launcher for firejail package?

1 Like

Wanted to give some feedback on installing Tor without Tor Browser in Qubes 3.2. There were a few bumps in the road, mainly with a broken dependency and an issue with verifying Tor Browser after download. I’m not sure if anyone else will have these problems but I wanted to document how to resolve them if they are encountered. For this example I used a Debian 8 (Old Stable).

Step 1: Start a terminal in your deb-8 template.

[user@dom0 ~]$ qvm-run -a debian-8 gnome-terminal

Step 2: Package torbrowser-launcher is only available through jessie-backports so you must add it to your apt sources.list.

[user@debian-8 ~]$ sudo su -c "echo -e 'deb http://http.debian.net/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"

Or alternatively use the .onion mirror.

[user@debian-8 ~]$ sudo su -c "echo -e 'deb http://vwakviie2ienjx6t.onion/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"

Step 3: Update the package lists.

[user@debian-8 ~]$ sudo apt-get update

Step 4: Install package torbrowser-launcher.

[user@debian-8 ~]$ sudo apt-get -t jessie-backports install torbrowser-launcher

If you encounter broken dependencies you can use aptitude to try and fix the issue. The dependency problem that I encountered along with how it was fixed can be seen here Pastebin.

4b. Only necessary if you have a broken dependency.

[user@debian-8 ~]$ sudo aptitude -t jessie-backports install torbrowser-launcher

Step 5: Shutdown debian-8 template.

[user@debian-8 ~]$ sudo poweroff

Step 6: Create the AppVM that you will be downloading and using non-Tor Tor Browser in.

[user@dom0 ~]$ qvm-create appvm-name -t debian-8 -l red

Step 7: Start a terminal in your non-tor AppVM.

[user@dom0 ~]$ qvm-run -a appvm-name gnome-terminal

Step 8: Download and verify Tor Browser.

[user@appvm-name ~]$ sudo torbrowser-launcher

An issue may be encountered with not being able to verify Tor Browser after it’s been downloaded. This may be due to an outdated Tor Project signing key. A workaround can be found here on Stack Exchange.

Step 9: After Tor Browser is installed Tor must be disabled. Refer to the documentation for instructions.

https://whonix.org/wiki/Tor_Browser_without_Tor#Disabling_Tor


Related:

Fedora: Was able to install package torbrowser-launcher and install Tor Browser in a Fedora AppVM. The only problem encountered was with verifying Tor Browser as mentioned in step 8. This issue appears to be fairly common.

Debian 9: Installing torbrowser-launcher in a Debian 9 template was unsuccessful. Stretch-backports was added to the sources.list but the package could not be located.

Disposable VM: Installing Tor Browser in a DispVM and configuring for non-Tor use was pretty straightforward. After customizing your DispVM you can follow the instructions for installing Tor Browser (step 8).

2 Likes

We could use tb-updater in Debian templates instead due to its better Qubes integration. (To make sure new AppVMs are created with a copy of the latest Tor Browser version.)

With Whonix repository added, we could also make use of GitHub - Kicksecure/apparmor-profile-torbrowser: AppArmor profile for The Tor Browser Bundle (TBB) - https://www.whonix.org/wiki/AppArmor - for better security (hardening). (And unrelated, other apparmor packages by Whonix.)


Related bug:

That bug is related in context of apt signing key adding:

https://www.whonix.org/wiki/Template:Whonix-APT-Repository-Add


Could anyone please put “allow user-configured proxy settings, Disable TorLauncher extension, and Normalizing Tor Browser Behavior” into (a) file(s)? Then tb-updater could have a setting to do this automatically if desired so (in Debian template).

Did Tails manage to rebrand Tor Browser without recompiling it? Could quite likely be the case.

https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/usr/local/lib/tails-shell-library/chroot-browser.sh mentions branding. That source file regarding Tails Unsafe Browser and links to other related files can be found here:

https://tails.boum.org/contribute/design/Unsafe_Browser/

https://lists.torproject.org/pipermail/tbb-dev/2017-April/000509.html

anonym:

Patrick Schleizer:

  1. How can one easily hack TBB to use clearnet? [1] (idea [2])

I believe all you need is:

pref("network.proxy.type", 0);

and possibly disabling Torbutton (which is a good idea any way since it will only add confusion in that setup).

  2. How can one enable cookies to persist in TBB?

IIRC all you need is to disable Private Browsing mode:

pref("browser.privatebrowsing.autostart", false);

That has several other consequences, but at least some have individual prefs for toggling back to what the Private Browsing mode does (I wouldn’t be surprised if Tor Browser already changes many of these prefs like that).

  3. How can one re-enable the Firefox password manager in TBB so one can store passwords?

In addition to disabling Private Browsing mode you just have to enable the feature:

pref("signon.rememberSignons", true);

To achieve that I’ve disabled private browser and tinkered with lots of torbutton Firefox config settings to no avail. Could you please kindly advise on how to achieve that?

YMMV for the above prefs and their exact behavior, but I want to make a point that all you ask for can be achieved by setting a few prefs, so it’s only a matter of providing a profile with the necessary different defaults. I don’t think introducing more environment variables, like you suggest in [2], is an improvement over this.

For the record, providing a different “clearnet” profile for Tor Browser is how we implement Tails’ Unsafe Browser.

Cheers!

3 Likes
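An added example, not part of the original post and not Whonix or Tails code: a small audit of a browser profile for the three prefs discussed in the mail above, so a launcher or user can tell whether a given profile is the "clearnet" one before using it. The sample file contents are constructed, the function names are hypothetical, and it assumes user.js is applied on top of prefs.js (block comments are not handled).

```python
import re

# Matches pref("name", value); and user_pref("name", value); at line start,
# so lines commented out with // are ignored.
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.MULTILINE)

# The prefs named in the post and the values that change Tor Browser's behaviour.
WATCHED = {
    "network.proxy.type": (0, "no proxy: traffic does not go through Tor"),
    "browser.privatebrowsing.autostart": (False, "Private Browsing off: state persists"),
    "signon.rememberSignons": (True, "password manager stores logins"),
}

def parse_prefs(text):
    """Return {name: value} from prefs.js/user.js text; later lines win."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(*file_texts):
    """Merge files in load order (prefs.js first, user.js last); list findings."""
    merged = {}
    for text in file_texts:
        merged.update(parse_prefs(text))
    findings = []
    for name, (risky, why) in WATCHED.items():
        value = merged.get(name)
        # Compare type as well: in Python False == 0 would otherwise match.
        if type(value) is type(risky) and value == risky:
            findings.append(f"{name} = {value!r}: {why}")
    return findings

# Constructed sample profile files.
SAMPLE_PREFS_JS = 'user_pref("network.proxy.type", 1);\n'
SAMPLE_USER_JS = '''// user_pref("signon.rememberSignons", true);
user_pref("network.proxy.type", 0);
user_pref("browser.privatebrowsing.autostart", false);
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS):
        print(finding)
```

A non-empty result means the profile has been moved away from Tor Browser's defaults and should not be used for anonymous activity.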

I work on it. :slight_smile:

2 Likes

Ping?

2 Likes

For some reason I had thought someone else had done this. Don’t ask me why. I’ll get it done.

1 Like

Qubes-Whonix
Debian 9
Tor Browser 8.0.5

The wiki instructions need to be modified. As it turns out, the about:config settings (network.proxy.socks_remote_dns false, network.proxy.type 0) are not persistent across Tor Browser restarts. When browsing to a website after restarting Tor Browser this message will be received.

The proxy server is refusing connections

The only fix I’ve found is in the following thread (bottom of page). Disabling Torbutton and TorLauncher extensions in about:addons.

https://superuser.com/questions/1117383/can-i-use-tor-browser-without-using-tor-network

This has to be done before editing about:config settings. Not sure why this works since both extensions are disabled in user.js? I’ll work on getting this figured out along with creating the file for tb-updater.

1 Like