Sandboxing Tor Browser in Non-Qubes-Whonix
Warning: These instructions are extremely alpha. They currently only work reliably with the 32-bit version of Whonix. Testers or advanced users only!
A sandbox is a secure environment in which you can run the Tor Browser and mitigate exploit vectors which would otherwise deanonymize you or infect your computer. In essence, the Tor Browser is run in a limited awareness container that is prevented from interacting with the rest of your computer.
Sandboxing reduces the opportunities for an attacker to easily identify real IP and MAC addresses, install malware, browse your files or otherwise deanonymize you. A spate of recent attacks on the Tor Browser in the wild suggest this is a prudent approach for cautious users, or those facing significant risks.
The Tor Browser sandbox is compatible with either the "release", "alpha" or "hardened" Tor Browser series. However, the sandboxed "hardened" Tor Browser is the least-tested combination by Tor developers.
Sandboxing Effects on Tor Browser Functionality
While sandboxing improves security, some functionality is lost either by design or inadvertently. In addition, some functions like sound must be optionally configured. As of December 2016, broken items include:
- Foreign language support;
- The meek pluggable transport; and
- Manual checks for Tor Browser updates.
The Tor Browser sandbox is unlikely to ever support:
- The FTE pluggable transport;
- Hardware-accelerated 3d rendering;
- Printing, except to a file;
- Connections outside of the Tor network; and
- Compatibility of the "hardened" Tor Browser with a grsec kernel (due to ASAN/Pax conflicts).
Audio support, the Tor ciruit display and installing or updating Tor Browser addons also require manual configuration changes.
Tor Browser Sandbox Dependencies
In order to install and run the sandbox, two things are required:
- Several dependencies available in Debian Jessie backports; and
- A newer (Whonix-14-developers-only) version of the control-port-filter-python for Tor cookie control protocol authentification.
Installing sandboxed-tor-browser Dependencies
(1) Boot your Whonix-Workstation TemplateVM
(2) Enable jessie-backports
sudo su -c "echo -e 'deb http://http.debian.net/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"
OR to use the .onion mirror
sudo su -c "echo -e 'deb http://vwakviie2ienjx6t.onion/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"
(3) Use apt-pinning before installing dependencies
Open /etc/apt/preferences.d/debian-pinning.pref in an editor with root rights.
If you are using a graphical Whonix, run:
kdesudo kwrite /etc/apt/preferences.d/debian-pinning.pref
If you are using a terminal-only Whonix, run:
sudo nano /etc/apt/preferences.d/debian-pinning.pref
Pin: release a=stable
Pin: release a=jessie-backports
Pin: release a=testing
Pin: release a=unstable
Pin: release a=experimental
(4) Update your package lists and install sandboxed-tor-browser dependencies
sudo apt-get update
sudo apt-get -t jessie-backports install golang bubblewrap libseccomp2 libseccomp-dev
(5) Install additional dependencies
sudo apt-get install gnome-themes-standard gnome-themes-standard-data
Installing the Whonix-14 tor-controlport-filter
Note: This process must be repeated on both the Whonix-Gateway and Whonix-Workstation.
(1) Upgrade to the Whonix-14 work in progress
sudo whonix_repository --baseuri https://deb.whonix.org --enable --repository developers
find . /var/lib/apt | grep -i inrelease | xargs cat
apt-get --yes dist-upgrade
apt-get --yes autoremove
(2) Test the tor-controlport-filter is working
In the Whonix-Gateway run:
nc 10.152.152.10 9051
Type "something". You should see the reply:
510 Command filtered
In the Whonix-Workstation run:
nc 127.0.0.1 9151
Type "something". On the gateway you should see some tor-controlport-filter by Tails debug output.
Downloading the Tor Browser Sandbox
(1) Download the sandboxed-tor-browser binaries and signing key from the Tor Project
In the Whonix-Workstation VM run:
(2) Download the Tor Project signing key and verify the zip file
gpg --recv-keys "EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290"
gpg --verify sandbox-0.0.2-linux64.zip.asc
(3) Unzip the sandbox
Using the sandboxed-tor-browser
To start the sandbox, simply run:
And select the Tor Browser version you are currently using in your Whonix-Workstation configuration.
- sandboxed-tor-browser is also a Tor Browser downloader similar to tb-updated / torbrowser-launcher;
- Whonix network settings are auto-detected as system Tor and there is no need to configure settings manually; and
- If you wish to check the sandboxed-tor-browser is correctly using the system Tor process anyhow, in a terminal run:
env | grep TOR
The output should show:
is set as an environment variable.
Sandboxing Tor Browser in Qubes-Whonix
The Tor Browser alpha sandbox is currently blocked in both the Qubes Debian and Qubes-Whonix Templates due to problems with bubblewrap.
A recommended interim solution is to use Firejail in Qubes-Whonix to better contain the Tor Browser application.
 These steps can be modified slightly to work in a (non-Qubes) Debian Jessie VirtualBox VM
 https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Sandbox/Linux Some of these bugs will be fixed at a later date.
 The Tor circuit in Tor Browser is disabled by default in Whonix anyhow
 For safe mixing and matching of packages from different Debian repository branches without breaking your base distribution
 Apparmor and grsec have been ruled out as blockers. Upgrading to Debian Stretch in the TemplateVM in Qubes does not work, nor does changing the Debian VM dom0 kernel via pvgrub
 To do: insert wiki reference to Firejail entry when complete