Xombrero - the right browser choice against tor blocks and some disclosures ther

SECTION I
I have not yet checked xombrero’s code for google, yahoo and other malware infections. You can do it easily: cd into the xombrero source code folder and issue:
grep -rli goog
grep -rli yah
And manually remove those words from source text files in a text editor.
Or you may at once substitute those words with funny stuff by issuing:
grep -ri -l google * | xargs sed -i 's/google/gotohell/gI'
Now remove all injected ip addresses:
grep -rlE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' * | xargs sed -i -r 's/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/gotohell.cccoc/g'
Check again if the malicious stuff remains with grep -lri google.
Now you can compile and install the cleaned xombrero.
SECTION II
After installation you may witness the disgusting bug: you are typing URLs into the address bar but nothing is being typed in. It’s because it uses white letters on the white background. That idiotic bug, which can be fixed even by a schoolmate, has not been fixed in the repositories. So you must say thank you to me for fixing those annoying drawbacks. You need to open one text file, delete its content and paste instead the following content:

/*
 * Copyright (c) 2012 Josh Rickmar <jrick@devio.us>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

@define-color red #cc0000;
@define-color yellow #f5fedd;
@define-color green #c2ffa2;
@define-color blue #ddf6ff;
@define-color ct_bg #111110;
@define-color ct_inactive #000000;
@define-color ct_active #111111;
@define-color ct_separator #555555;
@define-color white #ffffff;

* {
border-width: 1px;
padding: 0;
margin: 0;
-GtkScrolledWindow-scrollbar-spacing: 0;
-GtkWidget-line-width: 0;
}

.button,
GtkSpinner {
-GtkWidget-focus-padding: 0;
-GtkWidget-line-width: 0;
}

.button :insensitive,
GtkMenu :insensitive {
background-color: rgba(0,0,0,0); /* transparent */
}

.entry {
padding: 2px;
color: @ct_active;
}

#vbox > .entry,
#statusbar * {
border-width: 2px;
}

#statusbar > GtkEventBox {
background-image: none;
background-color: @white;
}

#statusbar > GtkEventBox .entry {
background-image: none;
background-color: rgba(0, 0, 0, 0);
}

GtkEventBox#red,
.entry#red {
background-image: none;
background-color: @red;
}

GtkEventBox#yellow,
.entry#yellow {
background-image: none;
background-color: @yellow;
}

GtkEventBox#green,
.entry#green {
background-image: none;
background-color: @green;
}

GtkEventBox#blue,
.entry#blue {
background-image: none;
background-color: @blue;
}

.entry:selected,
.entry:selected#red,
.entry:selected#yellow,
.entry:selected#green,
.entry:selected#ct_inactive,
.entry.progressbar,
.entry.progressbar#red,
.entry.progressbar#yellow,
.entry.progressbar#green,
.entry.progressbar#ct_inactive,
#statusbar .entry:selected,
#statusbar .entry:selected#red,
#statusbar .entry:selected#yellow,
#statusbar .entry:selected#green,
#statusbar .entry:selected#blue,
#statusbar .entry.progressbar,
#statusbar .entry.progressbar#red,
#statusbar .entry.progressbar#yellow,
#statusbar .entry.progressbar#green,
#statusbar .entry.progressbar#blue {
background-image: none;
background-color: @green;
color: @ct_inactive;
}

.button#Back,
.button#Forward,
.button#Home,
.button#Stop,
.button#JS-Toggle,
.button#Close {
border-width: 2;
}

.menuitem {
padding: 3px;
}

.notebook tab {
background-color: shade(@bg_color, 0.85);
color: @fg_color;
padding: 0px;
}

.notebook tab:active {
background-color: @bg_color;
}

GtkScrollbar#hidden {
border-width: 0px;
-GtkRange-slider-width: 0px;
-GtkRange-trough-border: 0px;
}

/* compact tabs */

#tab_bar {
background-color: @ct_separator;
}

#compact_tab {
background-color: @ct_bg;
}

#compact_tab GtkLabel {
-GtkLabel-width-chars: 1;
color: @ct_inactive;
padding: 4px;
}

#compact_tab GtkLabel#active {
color: @ct_active;
}

SECTION III CONFIGURING IT

You must create a file or open the existing one if it exists and replace its content by the following. Issue
your_text_editor_launch_command ~/.xombrero.conf
Delete all content and paste as follows:

# Browser mode, MUST be the first entry in this file

browser_mode = whitelist
gui_mode=classic
#tab_style = normal
userstyle_global = 1
fancy_bar = 1
show_statusbar = 1
cmd_font = serif normal 10
statusbar_font = serif normal 10
tabbar_font = serif normal 10
tab_style = normal
single_instance = 1
enable_socket = 1
warn_cert_changes = 1
do_not_track = 0

# where you want to save downloads

download_dir = ~/

# Proxy settings (if you use privoxy. If you want to connect directly to the tor layer previously installed system-wide you must change to http_proxy = socks5://127.0.0.1:9050)

http_proxy = http://127.0.0.1:8118
#http_proxy = socks5://127.0.0.1:9050
http_proxy_starts_enabled = 1

# Homepage

home = https://your_desired_home_page.org

# Disable F2 so as not to toggle proxy settings by accident

keybinding = tabnew,F2

# Work directory (mount /tmp as tmpfs)

work_dir = ~/.xombrero

# Download directory

download_mode = ask
download_notifications = 1
enable_autoscroll = 1
user_agent = Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
http_accept = text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
referer = never
mime_type = application/pdf,mupdf
gnutls_priority_string = NORMAL:!ARCFOUR-128
mime_type = application/x-shockwave-flash,donothing
#keybinding = command_mode,!C-bracketleft

# Aliases allow to put abbreviations instead of full urls. For example if you type
###d nobama
# it will make a search for nobama keyword inside duckduckgo.com search engine. Define your own aliases.

alias = i, Startpage - Private Search Engine. No Tracking. No Search History.
alias = d, %s at DuckDuckGo
alias = s, Startpage Search Results

# popfree.gq is a beautiful way to avoid exit node bans. The following command will
### get you to www.torrentfunk.com/ This site hates tor users and blocks them out
# not only by ips but also by fingerprint. However they have not yet blocked xombrero’s
## fingerprint and won’t because we will fool them by additional means if they do it.

alias = t, http://popfree.gq/index.php?q=aHR0cDovL3d3dy50b3JyZW50ZnVuay5jb20v
alias = c, https://check.torproject.org
alias = c1, http://ip-check.info

Find the string ‘Proxy settings’ in the above and either activate privoxy or direct connection to tor. Presence of the # character deactivates the string. Absence activates it.
Find the string ‘home’ and put the appropriate address.
Find the string ‘download_dir’ and put the appropriate folder you wish to use.

Now save and close the text editor. You are ready to use xombrero.
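
A check for the proxy step above, as an added example that is not part of the original manual or of xombrero itself: it reads config text, ignores lines deactivated with #, and reports when the active http_proxy setting is not exactly one loopback address or when http_proxy_starts_enabled is not 1 as in the config above. The function names and sample configs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def active_settings(conf_text):
    """Return (key, value) pairs from lines that are not deactivated with '#'."""
    pairs = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip(), value.strip()))
    return pairs

def proxy_findings(conf_text):
    """List problems with the proxy settings; an empty list means none found."""
    pairs = active_settings(conf_text)
    proxies = [value for key, value in pairs if key == "http_proxy"]
    findings = []
    if len(proxies) != 1:
        findings.append("expected exactly one active http_proxy line, found %d" % len(proxies))
    for proxy in proxies:
        host = urlsplit(proxy).hostname or ""
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:                      # not an IP literal
            loopback = host == "localhost"
        if not loopback:
            findings.append("http_proxy %s is not a local privoxy/tor listener" % proxy)
    if dict(pairs).get("http_proxy_starts_enabled") != "1":
        findings.append("http_proxy_starts_enabled is not 1")
    return findings

# Constructed samples: the proxy lines from the config above, and three mistakes.
AS_ON_PAGE = ("http_proxy = http://127.0.0.1:8118\n"
              "#http_proxy = socks5://127.0.0.1:9050\n"
              "http_proxy_starts_enabled = 1\n")
BOTH_ACTIVE = AS_ON_PAGE.replace("#http_proxy", "http_proxy")
NONE_ACTIVE = AS_ON_PAGE.replace("http_proxy = http", "#http_proxy = http")
REMOTE = AS_ON_PAGE.replace("127.0.0.1:8118", "203.0.113.5:8118")  # TEST-NET address

if __name__ == "__main__":
    for label, conf in (("as on page", AS_ON_PAGE), ("both active", BOTH_ACTIVE),
                        ("none active", NONE_ACTIVE), ("remote proxy", REMOTE)):
        print(label, proxy_findings(conf) or "ok")
```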

SECTION IV USE
ctrl+t opens new tabs
ctrl+w closes the current tab
F6 focuses on address bar
Don’t forget to use aliases to speed up work because xombrero lacks a bookmarks feature.
You may activate history if you want. For this you must put the corresponding string into ~/.xombrero.conf. Read the manual to find out the needed string by issuing
man xombrero
If you compiled xombrero with EXAMPLES feature you may access the example of a configuration file:
less /usr/share/doc/xombrero-*/examples/xombrero.conf.bz2

SECTION V HOW WE WILL AVOID EXIT NODES BLOCKS
Xombrero was developed with the possibility in mind to overcome annoying hardships employed by the radical IT professionals who disrespect our free will. That’s why we are going to smash them down in our special way.
Read what gentoo writes about xombrero:

“The principal difference between xombrero and other full-featured browsers is that the sophisticated security features are designed in, rather than added through an add-on after-the-fact. With a strong accent on staying out of the way, it doesn’t decide for you what search engine you want to use or what certificate authority you want to trust. Heavy vim users will also find its vim-like keybindings convenient, as it is easy to surf the web completely from keyboard.”

TRUTH #1 HOW DO THEY BLOCK ACCESS TO SITES FOR TOR USERS

There has been a lot of bla-bla-bla about banning the ips of tor exit nodes. But actually they do it the opposite way. Instead of plunging themselves into the hassle of monitoring all new tor exit node ip addresses appearing every day due to the efforts of goodwillers they extensively EMPLOY BLOCKING BY BROWSER FINGERPRINT.
It means that they, being aware of the TBB fingerprint, just block your access to sites if their software recognizes TBB’s fingerprint. We have noticed the following IMPORTANT FACTS:
a) even if, using privoxy, you modify some headers of the Firefox-bin started from the TBB bundle without starting the TOR module, the fingerprint will be recognized. There is no way to fool them using mozilla’s products.
If you visit ip-check.info you may see in the results the signature of your browser in the field next to ‘Signature’. THIS IS THE THING THEY MONITOR TO RECOGNIZE THE FINGERPRINT. This thing defines the order in which the headers are sent. It means that even if you spoof the headers with other ones, for example, change the user-agent to another user-agent, they will still recognize you since the headers will be sent in the same sequence. That’s where xombrero COMES IN HANDY. It has another sequence of header transmission which allows to AVOID TOR BLOCKS. You can perfectly visit any sites, blocking mozilla’s products fingerprints, with TOR ips and you won’t be blocked, which is contradictory to the reported bla-bla-bla about exit node bans.
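
The header-order signature described above, as an added example (not from the original manual, and not the method of ip-check.info or of any real site): it derives a signature from the order of header names alone, so a changed User-Agent value leaves it the same while a different header sequence changes it. The function names and the sample requests are constructed for illustration.

```python
import hashlib

def header_names(raw_request: bytes) -> list:
    """Header names in wire order, lower-cased; header values are ignored."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    names = []
    for line in head.split(b"\r\n")[1:]:        # element 0 is the request line
        if line[:1] in (b" ", b"\t"):           # folded continuation, not a new header
            continue
        name, sep, _value = line.partition(b":")
        if sep:
            names.append(name.strip().lower().decode("ascii", "replace"))
    return names

def order_signature(raw_request: bytes) -> str:
    """Short digest computed from the header order only."""
    joined = ",".join(header_names(raw_request))
    return hashlib.sha256(joined.encode("ascii")).hexdigest()[:16]

def build(headers) -> bytes:
    """Serialize a constructed GET request with headers in the given order."""
    lines = ["GET / HTTP/1.1"] + ["%s: %s" % pair for pair in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

# Constructed sample requests, not captured from any real browser.
BROWSER_A = build([("Host", "example.org"), ("User-Agent", "BrowserA/1.0"),
                   ("Accept", "text/html"), ("Accept-Language", "en-US"),
                   ("Accept-Encoding", "gzip"), ("Connection", "keep-alive")])
# Same client, only the User-Agent value changed.
BROWSER_A_NEW_UA = build([("Host", "example.org"), ("User-Agent", "SomethingElse/9.9"),
                          ("Accept", "text/html"), ("Accept-Language", "en-US"),
                          ("Accept-Encoding", "gzip"), ("Connection", "keep-alive")])
# A different client that sends its headers in another sequence.
BROWSER_B = build([("Host", "example.org"), ("Accept", "text/html"),
                   ("User-Agent", "BrowserA/1.0"), ("Accept-Encoding", "gzip"),
                   ("Connection", "keep-alive")])

if __name__ == "__main__":
    for label, request in (("A", BROWSER_A), ("A, new UA", BROWSER_A_NEW_UA),
                           ("B", BROWSER_B)):
        print(label, order_signature(request), header_names(request))
```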

ADDITIONAL PROTECTION AGAINST FINGERPRINTING VIA XOMBRERO

Xombrero allows to rotate http-headers and user-agents. Just put new strings with new user-agents and http-headers into ~/.xombrero.conf. With each new URL opening or reloading another value will be used.

But what if they add the header transmission sequence of xombrero to their database of their fascist software?

Here we can employ another counter-measure, namely the proxy program squid, which allows to change the sequence of header transmission as well as spoof or remove any headers. According to privoxy’s config files it also has the possibility to change the header transmission sequence, but since xombrero’s fingerprint is still not blocked we have not tested that feature. If they commence blocking we will employ the chain xombrero + privoxy + squid + tor -> internet to totally make their efforts useless.

SSL CERTIFICATES WITH XOMBRERO

There have been a lot of bla-bla-bla talks about false https certificates and redirections to malicious copies of sites. Well, I have not ever witnessed such rhino droppings I must confess. Probably they have better ways to get info from your computer via hardware means if they really need it. And they need it only if you are an important person. You become an important person only:
I if you kill one of their slaves
II if you imagine yourself to be a Robin Hood and take the money from them without their permission
III you work in a governmental organization and have a high position

Then why do they block non-important tor users? It’s because they don’t like the idea that we can visit the sites they don’t want us to visit. Anonymity does not play any role here. If you use tor you just add additional work for them to identify or monitor you. And they don’t like it. But all this explains why they don’t need spoofing https certificates and building clones of sites. These things are excessive. However you can employ xombrero’s feature to remember certificates if you are an artistic person and like different colors. How to do it:
I) visit any https website
II) press shift+; to enter the command mode
III) type ‘cert save’
IV) press Esc
You will see that the address bar has turned tender blue color assigned by me. Now you can relax and dream about blue skies, free air and maybe sea breeze.

PS Don’t hope that repositories will be fixed to supply a good bugless copy of xombrero to you
Back up your xombrero and this manual for future use.

NEVER UPGRADE YOUR BROWSER, JUST SPOOF NEW HEADERS AND SEQUENCE OF HEADERS. NEVER TRUST BLA-BLA TALKS ABOUT NEW HIGHER LEVEL OF SECURITY AND PROTECTION IN NEW VERSIONS OF ANY SOFTWARE - IT MAY BE THE OPPOSITE - THE NEW VERSION MAY HAVE FIXES FOR THE BUILT-IN TRACKING MEANS TO CONTINUE TO WORK WITH YOUR UPDATED SYSTEM-WIDE LIBS.
USE THE BROWSER WITH THE LEAST NUMBER OF USERS SPOOFING HEADER THING VIA PRIVOXY, SQUID AND OTHER THINGS.

THINGS TO DO

STUDY CHANGING OF HEADER TRANSMISSION SEQUENCES AND AMEND THIS MANUAL.

I You are wrong. Xombrero fully supports bookmarks but they are called favourites instead of bookmarks. alt-f
II Source code contains some google and yahoo entries but they seem non-harmful.
III You can toggle both javascript and cookies by F4 by default. If you forget to switch them off, don’t bother because they are session-like and will be deleted on restart of xombrero.
IV You may assign keys to toggle only cookies or js, and keys to see their containers for checking.

Xombrero is a full-featured browser without builtin tracking. The only one which is usable comfortably. If you press f or shift-f all links are assigned a number. Then press the needed number to follow the link. And forget about the mouse.

BUGS: only mozilla user-agents are supported. You cannot pretend to be a search engine bot.
Drawbacks: it leaks fonts. It may be fixed via privoxy or squid. Accept-lang header is missing.