
TODO research and document - How to use Tor Browser for security not anonymity? How to use TBB using clearnet?


#61

https://www.whonix.org/wiki/Whonix_Packages_for_Debian_Hosts applies. Updated packages uploaded. Ready to test. Didn’t test myself yet.


Adding the Whonix signing key to Debian is rather inconvenient currently. The command

sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --keyserver hkp://ipv4.pool.sks-keyservers.net:80 --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA

is unreliable. Even in Debian based AppVMs and even in plain, non-Qubes Debian. Due to gpg bugs. (gpg fingerprint command obsolete)

Making the command work in Qubes Debian Template is even harder since it has to go through Qubes UpdatesProxy. Didn’t we have a dedicated forum thread on this? I can’t find it anymore.

So in the meantime one has to get the Whonix signing key by file, qvm-copy, then use the file-based method.

sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc

Note, not yet:

echo "deb http://deb.whonix.org stretch main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list

Only stretch-testers for now has updated packages:

echo "deb http://deb.whonix.org stretch-testers main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list
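
The file-based method above trusts whatever is in the copied key file, so its fingerprint should be compared with the one in the keyserver command before `apt-key add` is run. The following is an added example, not part of the original post or of Whonix; the function names and the sample listing are constructed, and `gpg --show-keys` assumes GnuPG 2.2.8 or later.

```shell
#!/bin/sh
# Added example: check a transferred key file before trusting it for apt.
EXPECTED_FPR=916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA  # from the post above

# Constructed sample of gpg colon output: one primary key, one subkey.
sample_listing() {
    printf '%s\n' \
        'pub:-:::8D66066A2EEACCDA:' \
        'fpr:::::::::916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA:' \
        'sub:-:::0123456789ABCDEF:' \
        'fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'
}

# Read colon-format output on stdin and print primary key fingerprints only.
# The "fpr" record after a "pub" record carries the fingerprint in field 10;
# "fpr" records that follow a "sub" record belong to subkeys and are skipped.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# Succeed only if stdin lists exactly one primary key and it equals $1.
# Spaces and lower case in the expected fingerprint are tolerated.
listing_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=$(primary_fingerprints)
    [ -n "$found" ] || return 1
    [ "$(printf '%s\n' "$found" | wc -l)" -eq 1 ] || return 1
    [ "$found" = "$expected" ]
}

# Inspect the file without importing it into any keyring.
verify_key_file() {
    gpg --batch --show-keys --with-colons "$1" 2>/dev/null |
        listing_matches "$2"
}

# Usage: sh check-key.sh ~/patrick.asc
if [ "$#" -eq 1 ]; then
    if verify_key_file "$1" "$EXPECTED_FPR"; then
        echo "fingerprint OK: $1"
    else
        echo "fingerprint mismatch or unreadable file: $1" >&2
        exit 1
    fi
fi
```

A file that bundles more than one primary key is rejected as well, since `apt-key add` would trust every key in it.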

#62

Thought I did. I’m using a new VM.

bash -x /usr/bin/torbrowser --clearnet
+ set -o pipefail
+ set -o errtrace
+ '[' -n '' ']'
++ basename /usr/bin/torbrowser
+ SCRIPTNAME=torbrowser
+ IDENTIFIER=torbrowser
+ ICON=/usr/share/icons/anon-icon-pack/tbupdate.ico
+ trap tb_error_handler ERR
+ main_function --clearnet
+ root_check --clearnet
++ id -u
+ '[' 1000 '!=' 0 ']'
+ true
+ tb_preparation --clearnet
++ whoami
+ who_ami=user
+ command -v qubesdb-read
+ '[' -n '' ']'
+ is_qubes=true
+ '[' -n '' ']'
++ qubesdb-read /name
+ qubes_vm_name=tb-starter
+ '[' -n '' ']'
++ qubesdb-read /qubes-vm-type
+ qubes_vm_type=AppVM
+ '[' AppVM = TemplateVM ']'
+ '[' -n '' ']'
+ tb_user_home=/home/user
+ echo /home/user
+ grep -q tor-browser
+ '[' -n '' ']'
+ tb_install_folder=tb
+ '[' -n '' ']'
+ tb_install_folder_dot=.tb
+ '[' -n '' ']'
+ tb_browser_name=tor-browser
+ '[' -n '' ']'
+ tb_settings_folder=torbrowser.d
+ '[' -n '' ']'
+ tb_name=tor
+ '[' -n '' ']'
+ tb_title='Tor Browser'
+ '[' -n '' ']'
+ tb_wiki=Tor_Browser
+ '[' -n '' ']'
+ tb_proxy_name=tor
+ '[' -n '' ']'
+ tb_bin=torbrowser
+ '[' -n '' ']'
+ tb_browser_runner=start-tor-browser
+ '[' -n torbrowser ']'
+ '[' -n '' ']'
+ tb_home_folder=/home/user/.tb
+ '[' -n '' ']'
+ tb_browser_folder=/home/user/.tb/tor-browser
+ '[' '' = '' ']'
+ '[' :0 = '' ']'
+ display=:0
+ output=/usr/lib/msgcollector/msgcollector
+ local my_tty
+ local my_tty_exit_code
+ my_tty_exit_code=0
++ tty
+ my_tty=/dev/pts/0
+ '[' '!' 0 = 0 ']'
+ '[' /dev/pts/0 = '' ']'
++ whoami
+ who_ami=user
+ output_opt_1='--icon /usr/share/icons/anon-icon-pack/tbupdate.ico'
+ output_opt_2='--parentpid 5414'
+ output_opt_3='--identifier torbrowser'
+ output_opt_4='--parenttty /dev/pts/0'
+ output_opt_5='--whoami user'
+ output_opts=("$output_opt_1" "$output_opt_2" "$output_opt_3" "$output_opt_4" "$output_opt_5")
+ TITLE='Tor Browser Starter (by Whonix developers)'
+ tb_set_links --clearnet
+ DOC_LINK=https://www.whonix.org/wiki/Documentation
+ CONTRIBUTE_LINK=https://www.whonix.org/wiki/Contribute
+ DONATE_LINK=https://www.whonix.org/wiki/Payments
+ FORUM_LINK=https://forums.whonix.org
+ MAILINGLIST_LINK=https://www.whonix.org/pipermail/whonix-devel/
+ IMPORTANTBLOG_LINK=https://forums.whonix.org/tags/important-news
+ FEATUREBLOG_LINK=https://forums.whonix.org/c/news
+ '[' '!' '' = '' ']'
+ '[' -f /usr/share/anon-ws-base-files/workstation ']'
+ '[' -f /usr/share/anon-gw-base-files/gateway ']'
+ true 'Not modifying which link to open.'
+ tb_config_folder_parser --clearnet
+ '[' -n torbrowser.d ']'
+ shopt -s nullglob
+ local i
+ for i in /etc/$tb_settings_folder/*.conf /rw/config/$tb_settings_folder/*.conf
+ bash -n /etc/torbrowser.d/30_default.conf
+ source /etc/torbrowser.d/30_default.conf
+ parse_cmd_options --clearnet
+ :
+ case $1 in
+ tb_clearnet=true
+ shift
+ :
+ case $1 in
+ break
+ local other_args
+ other_args=
+ '[' '' = '' ']'
+ have_other_args=false
+ '[' '' = '' ']'
+ LINK=
+ '[' '' = true ']'
+ tb_templatevm_check --clearnet
+ '[' true = false ']'
+ '[' '!' AppVM = TemplateVM ']'
+ true 'Not running in TemplateVM.'
+ return 0
+ tb_qubes_dvm_template --clearnet
+ echo tb-starter
+ grep -q --invert-match '\-dvm'
+ true 'INFO: not running inside Qubes DVM Template, ok.'
+ return 0
+ check_tb_updater_first_boot_done --clearnet
+ local systemctl_output
+ local wait_counter
+ wait_counter=0
+ true
++ systemctl --no-pager --no-block status tb-updater-first-boot.service
+ systemctl_output='● tb-updater-first-boot.service - Copy Tor Browser from /var/cache/tb-binary to user home at First Boot Service
   Loaded: loaded (/lib/systemd/system/tb-updater-first-boot.service; enabled; vendor preset: enabled)
   Active: active (exited) since Sat 2019-03-02 20:37:17 EST; 7min ago
     Docs: https://github.com/Whonix/tb-updater
  Process: 467 ExecStart=/usr/lib/tb-updater/first-boot-home-population (code=exited, status=0/SUCCESS)
 Main PID: 467 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   CGroup: /system.slice/tb-updater-first-boot.service'
+ break
+ maybe_install_tor_browser --clearnet
+ '[' -d /home/user/.tb/tor-browser ']'
+ return 0
+ tb_folder_change_directory --clearnet
+ local change_directory_exit_code=0
+ cd /home/user/.tb/tor-browser
+ '[' '!' 0 = 0 ']'
+ tb_detect_starter_bin --clearnet
+ '[' '!' '' = '' ']'
+ '[' -x /home/user/.tb/tor-browser/Browser/start-tor-browser ']'
+ tb_starter_bin=/home/user/.tb/tor-browser/Browser/start-tor-browser
+ tb_clearnet --clearnet
+ test -f /home/user/.tb/tor-browser/clearnet-marker
+ '[' '!' true = true ']'
+ '[' '!' true = true ']'
+ diff /usr/share/tb-updater/tb_without_tor_settings.js /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js
+ true 'our version exists'
+ test -f /home/user/.tb/tor-browser/clearnet-marker
+ TOR_SKIP_CONTROLPORTTEST=1
+ TOR_SKIP_LAUNCH=1
+ TOR_TRANSPROXY=1
+ export TOR_SKIP_CONTROLPORTTEST TOR_SKIP_LAUNCH TOR_TRANSPROXY
+ maybe_use_open_link_confirmation --clearnet
+ '[' '' = true ']'
+ tool=tb_start_tor_browser
+ '[' -x /usr/lib/open_link_confirmation ']'
+ '[' '!' '' = true ']'
+ tool=/usr/lib/open_link_confirmation
+ local temp
+ local tool_exit_code=0
+ '[' '' = '' ']'
+ temp='/usr/lib/open_link_confirmation --clearnet'
+ /usr/lib/open_link_confirmation --clearnet
+ set -e
+ main_function --clearnet
+ source_config --clearnet
+ shopt -s nullglob
+ local i
+ for i in /etc/open_link_confirm.d/*.conf /rw/config/open_link_confirm.d/*.conf
+ bash -n /etc/open_link_confirm.d/31_default.conf
+ source /etc/open_link_confirm.d/31_default.conf
++ link_confirmation_for_links=1
++ link_confirmation_for_files=1
+ preparation --clearnet
+ export OPEN_LINK_CONFIRMATION=true
+ OPEN_LINK_CONFIRMATION=true
+ '[' 1 = 0 ']'
+ input_object_original=--clearnet
+ trim=128
+ input_object_string_length=10
+ input_object_trimmed=--clearnet
++ /usr/lib/msgcollector/striphtml --clearnet
+ input_object_stripped_and_trimmed=--clearnet
+ '[' 10 -gt 128 ']'
+ '[' -f --clearnet ']'
+ is_file=0
+ type=link
+ command -v qubesdb-read
+ qubes_detected=true
++ qubesdb-read /type
+ qubes_type=StandaloneVM
+ '[' -f /var/run/qubes/this-is-templatevm ']'
+ '[' -f /usr/share/anon-gw-base-files/gateway ']'
+ workstation --clearnet
+ '[' 0 = 1 ']'
+ '[' -n '' ']'
+ open_in_tool_bin=x-www-browser
+ '[' -n '' ']'
+++ command -v x-www-browser
++ readlink -f /usr/bin/x-www-browser
+ open_in_tool_bin_name_readlink=/usr/bin/torbrowser
+ '[' -n '' ']'
+ open_in_tool_bin_name='x-www-browser (/usr/bin/torbrowser)'
+ '[' 'x-www-browser (/usr/bin/torbrowser)' = 'x-www-browser (/usr/bin/torbrowser)' ']'
+ open_in_tool_bin_name='Tor Browser'
+ '[' '!' -n '' ']'
+ '[' -n 'Tor Browser' ']'
+ '[' /usr/bin/torbrowser = /usr/lib/open_link_confirmation ']'
+ '[' --clearnet = '' ']'
+ '[' --clearnet = ' ' ']'
+ title='Confirm Open'
+ msg='<p>The following <b>link</b> will be opened in <u>Tor Browser</u>.</p>
<p>Be careful if <u>Tor Browser</u> is already running as your activities might get linked.</p>
<p><code><blockquote>--clearnet</blockquote></code></p>'
+ question='Continue?'
+ button=yesno
+ return 0
+ final --clearnet
+ local ask_for_confirmation=1
+ '[' 0 = 1 ']'
+ '[' 1 = 0 ']'
+ local ask_for_confirmation=1
+ '[' StandaloneVM = DispVM ']'
+ '[' 1 = 1 ']'
+ local answer
+ answer=0
++ /usr/lib/msgcollector/generic_gui_message warning 'Confirm Open' '<p>The following <b>link</b> will be opened in <u>Tor Browser</u>.</p>
<p>Be careful if <u>Tor Browser</u> is already running as your activities might get linked.</p>
<p><code><blockquote>--clearnet</blockquote></code></p>' 'Continue?' yesno
+ answer=16384
+ '[' '!' 16384 = 16384 ']'
+ command -v x-www-browser
+ local open_in_tool_exit_code
+ open_in_tool_exit_code=0
+ DE=generic
+ x-www-browser --clearnet
+ '[' '!' 0 = 0 ']'
+ exit 0
+ '[' '!' 0 = 0 ']'

tb-updater tested ok.


Also tested,

~/.tb/tor-browser/start-tor-browser.desktop --clearnet #(and without --clearnet)

and

~/.tb/tor-browser/Browser/start-tor-browser --clearnet #(and without --clearnet)

All fail with “The proxy server is refusing connections” when browsing to a website. This is expected?

TOR_TRANSPROXY=1 has to be prepended to the command for functional networking.

It could be very dangerous if a user misunderstood what this was used for. When people think of Whonix they think anonymity. Does everyone know what clearnet is?

  • Whonix should be left out completely in the description.
  • –alias would be fine. Unfortunately can’t think of anything better than clearnet.

Tested and worked ok for me.

https://forums.whonix.org/t/gpg-recv-keys-fails/5607

Much of the discussion took place in Wiki edits thread. I could find those posts and move them to a new thread if you’d like.


#63

I haven’t found very much info on .d style drop-in folders with firefox. For a simple test, I created firefox.service and used a .d style folder to override the /usr/bin/firefox with /usr/bin/firefox -p. So it’s possible.

1. sudo nano /lib/systemd/system/firefox.service

add

[Unit]
Description=Firefox_Service
After=network.target
[Service]
Environment=DISPLAY=:0
ExecStart=/usr/bin/firefox
[Install]
WantedBy=graphical.target

2. sudo ln -s /lib/systemd/system/firefox.service firefox.service

3. Test firefox.service

sudo systemctl start firefox.service

4. shutdown firefox

5. sudo mkdir /etc/systemd/system/firefox.service.d

6. sudo nano /etc/systemd/system/firefox.service.d/50_user.conf

Add

[Unit]
Description=Firefox_Service
After=network.target
[Service]
Environment=DISPLAY=:0
ExecStart=
ExecStart=/usr/bin/firefox -p
[Install]
WantedBy=graphical.target

7. Start firefox.service (Firefox profile configuration should override the normal /usr/bin/firefox)

sudo systemctl start firefox.service


#64

Yes, because start-tor-browser (by Tor Project) doesn’t know about --clearnet. That is because only /usr/bin/torbrowser (by Whonix) recently had --clearnet implemented.

So only /usr/bin/torbrowser --clearnet makes sense.

/usr/bin/torbrowser --clearnet will set that automatically. (See also bash -x /usr/bin/torbrowser --clearnet)

I doubt that. Very Tor community specific. And ambiguous also. Has at least two meanings.

https://www.whonix.org/wiki/FAQ#What_is_Clearnet.3F

Yay. :slight_smile:

Thanks for the offer, though I think too much work and not much gain. So better save the time.


Systemd method would start firefox as root as a service. But even systemd user services wouldn’t give us anything related to multiple user.js files.