Hi entr0py,
That is a valid viewpoint. Before making any decision, let's review the differences as they stand right now.
Tor Browser
The main differences between the hardened Tor browser and the standard Tor browser are:
https://lists.torproject.org/pipermail/tbb-dev/2016-June/000382.html
David Fifield:
I wanted to know what exactly is different in the hardened series.
The master…hardened-builds diff has many spurious changes and is not
that clear:
builders/tor-browser-bundle - Old (2013-2017) build scripts for the Tor Browser Bundle based on gitian-builder
The best I can tell, the differences are:
- ASan
- --enable-expensive-hardening for tor (enables -fsanitize=address,
-fsanitize=undefined, and -fno-omit-frame-pointer)
- selfrando
This is correct. Additionally, we compile the browser part with -fwrapv. Note, selfrando is not available in the alpha series yet, only in nightly builds. This will change with the next release, though.
Georg
And what is -fwrapv?
-fwrapv
This option instructs the compiler to assume that signed arithmetic overflow of addition, subtraction and multiplication wraps around using twos-complement representation. This flag enables some optimizations and disables others. The options -ftrapv and -fwrapv override each other, so using -ftrapv -fwrapv on the command-line results in -fwrapv being effective. Note that only active options override, so using -ftrapv -fwrapv -fno-wrapv on the command-line results in -ftrapv being effective.
So, with respect to the hardened browser, you get the benefits of (an experimental build) providing:
I. Selfrando - providing significant protection against de-anonymization exploits (see paper below)
II. ASAN - address sanitizer to help detect use-after-free and out-of-bounds memory errors in C/C++ programs
https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer
Downsides:
- Potentially more fingerprintable
- Greater memory use
- Potentially less stable experience
Tor Process
With respect to the tor process, it is true the hardened-series is currently defaulting to an alpha version - 0.2.9.5-alpha, instead of the stable version 0.2.8.9
That comes with the usual Tor Project rider:
Please note: This is an alpha release. You should only try this one if you are interested in tracking Tor development, testing new features, making sure that Tor still builds on unusual platforms, or generally trying to hunt down bugs. If you want a stable experience, please stick to the stable releases.
Personally, I would err on the side of less caution, i.e. sacrificing potential stability to have huge gains in security. Also, the Tor devs themselves state they think they have squashed almost all the main bugs in the 0.2.9 series.
The call can only be made by the core Whonix developers, who are over-worked, underpaid and generally unappreciated. But I do note the Whonix website already states something like:
Whonix is experimental software. Do not rely on it for strong anonymity.
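To make the -fwrapv point above concrete, here is an added example (my own, not code from the post, the Tor Project or Whonix) showing the kind of code the flag changes. The first check relies on signed addition wrapping, which is undefined behaviour in standard C and which an optimising compiler may delete; under -fwrapv it is defined to wrap and the check becomes reliable. The second check is portable and never overflows, which is how new code should be written regardless of flags. The allocation helper shows why this matters for security: an attacker-controlled count multiplied by an element size is a classic undersized-buffer bug. The function names and the sample inputs are my own.

```c
/* Added example: signed-overflow checks and the effect of -fwrapv.
 * Build twice and compare the output of the UB-dependent check:
 *   gcc -O2 -o wrap wrap.c          && ./wrap
 *   gcc -O2 -fwrapv -o wrap wrap.c  && ./wrap
 * The portable check gives the same answer under both. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Check that depends on two's-complement wraparound.
 * Without -fwrapv the addition is undefined behaviour when it overflows,
 * and gcc -O2 may simplify "sum < a" away entirely.
 * With -fwrapv the wrap is defined and the comparison is meaningful. */
int add_overflows_wrapv(int a, int b)
{
    int sum = a + b;
    return (b > 0 && sum < a) || (b < 0 && sum > a);
}

/* Portable check: decides before performing the addition, so it never
 * executes an overflowing operation and does not need -fwrapv. */
int add_overflows_portable(int a, int b)
{
    if (b > 0) return a > INT_MAX - b;
    if (b < 0) return a < INT_MIN - b;
    return 0;
}

/* Does count * elem_size fit in an int without overflowing?
 * Division instead of multiplication, so the test itself cannot overflow. */
int elems_fit(int count, int elem_size)
{
    if (count <= 0 || elem_size <= 0) return 0;
    return count <= INT_MAX / elem_size;
}

/* Allocation sized from an attacker-controlled count, as much legacy C
 * does it in int.  Returns NULL instead of handing back a buffer that is
 * far smaller than the caller expects. */
void *alloc_elems(int count, int elem_size)
{
    if (!elems_fit(count, elem_size)) return NULL;
    return malloc((size_t)count * (size_t)elem_size);
}

int main(int argc, char **argv)
{
    /* Constructed inputs; taken from argv so the compiler cannot fold
     * the arithmetic at compile time. Defaults overflow deliberately. */
    int a = argc > 1 ? atoi(argv[1]) : INT_MAX;
    int b = argc > 2 ? atoi(argv[2]) : 1;

    printf("a=%d b=%d\n", a, b);
    printf("wrapv-dependent check : %d\n", add_overflows_wrapv(a, b));
    printf("portable check        : %d\n", add_overflows_portable(a, b));

    /* INT_MAX elements of 4 bytes: the multiplication would wrap to a
     * small positive value without the guard. */
    void *p = alloc_elems(INT_MAX, 4);
    printf("alloc_elems(INT_MAX, 4) -> %s\n", p ? "buffer" : "NULL (refused)");
    free(p);
    return 0;
}
```

With the default inputs the portable check prints 1 under both builds; whether the wrapv-dependent check also prints 1 depends on the compiler, optimisation level and the presence of -fwrapv, which is exactly the class of inconsistency the hardened build removes for the browser code.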