Tor Browser

From Whonix
Revision as of 05:59, 16 June 2018 by 127.0.0.1 (Remove sandboxed Tor Browser recommendation)

Introduction

Warning: Only Tor Browser is recommended for use in Whonix when browsing the Internet. [1]


Tor Browser [2] is a fork of the Mozilla Firefox web browser. It is developed by The Tor Project and optimized and designed for Tor, anonymity and security. Many users will have browsed with Firefox and be familiar with the user interface that resembles those found in other popular, modern browsers. [3]

Users are encouraged to read this entire wiki entry so Tor Browser is used effectively and safely on the Whonix platform. Advanced users may also be interested in the Tor Browser Adversary Model.

Anonymity vs Pseudonymity

Warning: Using regular browsers is pseudonymous rather than anonymous.


If browsers other than Tor Browser are used in Whonix, the user's IP address and Domain Name Service (DNS) requests [4] are still protected. However, users do not profit from Tor Browser's protocol level cleanup in this scenario. Features like proxy obedience, state separation, network isolation, anonymity set preservation and a host of others are simply unsupported by other browsers.

In stark contrast to regular browsers, Tor Browser is optimized for anonymity and has a plethora of privacy-enhancing patches and add-ons. [5] With Tor Browser, the user "blends in" and shares the fingerprint of nearly three million other users, which is advantageous for privacy.

Encryption

HTTPS Encryption

It is important to understand the difference between HTTP and HTTPS: [6]

HTTPS (also called HTTP over Transport Layer Security (TLS), HTTP over SSL, and HTTP Secure) is a communications protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security, or its predecessor, Secure Sockets Layer. The main motivation for HTTPS is authentication of the visited website and protection of the privacy and integrity of the exchanged data.

HTTPS Advantages

HTTPS advantages include: [7]

  • Authentication of the website and web server the user is communicating with.
  • Protection against man-in-the-middle attacks.
  • Bidirectional encryption of communications between a client and server. This protects against eavesdropping and tampering with / forging of communication contents.
  • A reasonable user expectation that the website being communicated with is genuine. [8]


In the context of Tor Browser, this means users should prefer HTTPS instead of HTTP so communication is encrypted while browsing the Internet. While traffic is encrypted throughout the Tor network, the exit relay (third of three servers) can see traffic sent into Tor if it is plain HTTP. If HTTPS is used, the exit relay will only know the destination address. [9]

As an example, the screenshot below is how the browser looks when visiting the Whonix website. [10]

Figure: A Secure Connection to www.whonix.org

Take notice of the small area on the left-hand side of the address bar. The indicators of an encrypted connection are that www.whonix.org is highlighted with a padlock and "Secure Connection" in green writing, and that the URL begins with https:// instead of http://.

Info: Try to only use services providing HTTPS when sensitive information is sent or received. Otherwise, passwords, financial / personal information or other sensitive data can be easily stolen or intercepted by eavesdroppers. HTTP webpage contents can also be modified on their way to your browser for malicious purposes.

HTTP / HTTPS Connections with and without Tor

The following figures from EFF provide an overview of HTTP / HTTPS connections with and without Tor, and what information is visible to various third parties. The descriptors are as follows: [11]

Potentially visible data includes: the site you are visiting (SITE.COM), your username and password (USER/PW), the data you are transmitting (DATA), your IP address (LOCATION), and whether or not you are using Tor (TOR).

Figure: Tor and HTTPS

Figure: Tor and No HTTPS

Figure: No Tor and HTTPS

Figure: No Tor and No HTTPS

Onion Services Encryption

Whenever possible, users are encouraged to stay within the Tor network for communications and web browsing via available .onion addresses. These services are commonly referred to as onion services (formerly "hidden services"), even when their location is publicly known. [12]

Onion Services Advantages

URLs ending in the .onion extension provide a superior level of security and privacy, since the user's connection forms a completely end-to-end encrypted tunnel that uses a random rendezvous point within the Tor network (HTTPS is not required). These connections also incorporate perfect forward secrecy (PFS). PFS means the compromise of long-term keys does not compromise past session keys. As a consequence, past encrypted communications and sessions cannot be retrieved and decrypted if long-term secret keys or passwords are compromised in the future by adversaries. [13]

Other primary benefits of onion services include: [14]

  • Prevention of passive surveillance by network observers and the Tor exit node that is possible when using plain Tor + HTTPS. Adversaries cannot (easily) determine which destination the users are connecting from/to.
  • Onion services establish "rendezvous points" in the Tor network for web services whereby neither the hosting service nor the user knows the other's network identity.
  • Onion services can be combined with SSL/TLS to provide additional protection. Only a handful of services currently provide this service, including DuckDuckGo: https://3g2upl4pq6kufc4m.onion and ProtonMail: https://protonirockerxow.onion. [15] [16]
  • Onion services do not use the insecure DNS system. Strong authentication comes from the self-authenticating address: the address itself forms a cryptographic proof of the .onion's identity. [17] [18]
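
The self-authenticating property can be made concrete. The following is an added example, not code from Whonix or The Tor Project: it derives a 16-character (v2) address, the kind shown above, from a service's DER-encoded RSA key, and goes beyond the page by also handling the 56-character v3 format, which embeds an ed25519 key, a checksum and a version byte. All function names are hypothetical and the key bytes are constructed placeholders, not real keys.

```python
import base64
import hashlib

V3_VERSION = b"\x03"


def _label(address: str) -> str:
    """Return the last label before ".onion" (subdomains are ignored)."""
    host = address.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        raise ValueError("not a .onion name")
    return host[: -len(".onion")].split(".")[-1]


def v2_address(der_public_key: bytes) -> str:
    """v2: base32 of the first 80 bits of SHA-1 over the DER-encoded RSA key."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def _v3_checksum(public_key: bytes) -> bytes:
    data = b".onion checksum" + public_key + V3_VERSION
    return hashlib.sha3_256(data).digest()[:2]


def v3_address(ed25519_public_key: bytes) -> str:
    """v3: base32(public key | 2-byte checksum | version byte 0x03)."""
    if len(ed25519_public_key) != 32:
        raise ValueError("an ed25519 public key is 32 bytes")
    raw = ed25519_public_key + _v3_checksum(ed25519_public_key) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def v3_public_key(address: str) -> bytes:
    """Recover the key a v3 address commits to; reject typos and bad versions."""
    label = _label(address)
    if len(label) != 56:
        raise ValueError("a v3 label is 56 characters")
    raw = base64.b32decode(label.upper())
    public_key, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION:
        raise ValueError("unsupported version byte")
    if checksum != _v3_checksum(public_key):
        raise ValueError("checksum mismatch (mistyped address?)")
    return public_key


def key_matches_address(address: str, public_key: bytes) -> bool:
    """The check a client relies on: does the presented key produce this name?"""
    try:
        label = _label(address)
        if len(label) == 16:
            return v2_address(public_key) == label + ".onion"
        if len(label) == 56:
            return v3_public_key(address) == public_key
    except ValueError:
        pass
    return False


if __name__ == "__main__":
    constructed_der = b"constructed stand-in for a DER-encoded RSA key"
    constructed_ed25519 = bytes(range(32))
    print(v2_address(constructed_der))
    print(v3_address(constructed_ed25519))
    # A different key can never claim an existing address.
    print(key_matches_address("3g2upl4pq6kufc4m.onion", constructed_der))
```

No certificate authority or DNS record is consulted anywhere in the check, which is why a correctly copied address is sufficient to authenticate the service.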


Users who want to learn more about how onion services work should read the technical description.

Tor Browser Add-Ons

HTTPS Everywhere


HTTPS Everywhere is a Firefox extension shipped in Tor Browser and produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It helps to encrypt user communications with a number of major sites.

Many sites on the Internet offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, sites may default to unencrypted HTTP or fill encrypted pages with links that return to the unencrypted version of the site. The HTTPS Everywhere extension addresses these problems by rewriting all site requests to HTTPS.

To learn more about HTTPS Everywhere, visit:

NoScript


NoScript is a free, open source extension that comes bundled with Tor Browser and other Mozilla-based web browsers. NoScript can provide significant protection for users, depending on its configuration: [19]

NoScript allows executable web content based on JavaScript, Java, Flash, Silverlight, and other plugins only if the site hosting is considered trusted by its user and has been previously added to a whitelist. NoScript also offers specific countermeasures against security exploits. ... This is based on the assumption that malicious websites can use these technologies in harmful ways.

NoScript protects against cross-site scripting, which otherwise enables attackers to inject malicious client-side scripts into web pages being viewed, bypassing the same-origin policy. The same-origin policy refers to web browsers usually only allowing scripts in the first web page to access data in a second web page if they have the same origin (URL scheme, hostname and port number).

Anti-clickjacking is also available to protect against hidden or disguised user interface elements masquerading as trusted web page buttons, links and so on (this is disabled by default in Tor Browser). Clickjacking can maliciously activate microphones or webcams, or trick users into interacting with hidden elements to steal important financial, personal or other data.

Security vs Usability Trade-off

In the stock Tor Browser configuration, JavaScript is enabled by default for greater usability. The Tor Project FAQ provides a summary of the reasoning for this decision: [20]

We configure NoScript to allow JavaScript by default in Tor Browser because many websites will not work with JavaScript disabled. Most users would give up on Tor entirely if a website they want to use requires JavaScript, because they would not know how to allow a website to use JavaScript (or that enabling JavaScript might make a website work).


There's a trade-off here. On the one hand, we should leave JavaScript enabled by default so websites work the way users expect. On the other hand, we should disable JavaScript by default to better protect against browser vulnerabilities (not just a theoretical concern!). But there's a third issue: websites can easily determine whether you have allowed JavaScript for them, and if you disable JavaScript by default but then allow a few websites to run scripts (the way most people use NoScript), then your choice of whitelisted websites acts as a sort of cookie that makes you recognizable (and distinguishable), thus harming your anonymity.

The take-home message is disabling all JavaScript with white-list based, pre-emptive script-blocking may better protect against vulnerabilities (many attacks are based on scripting), [21] but it reduces usability on many sites and acts as a fingerprinting mechanism based on the select sites where it is enabled. [22] On the other hand, allowing JavaScript by default increases usability and the risk of exploitation, but the user also has a fingerprint more in common with the larger pool of users. [23] [24]

Developers are unaware of any JavaScript vulnerabilities that could compromise Whonix anonymity. That said, users should refrain from changing NoScript settings in Tor Browser, unless they are aware of the potential impacts. Users can enable/disable JavaScript, Java and/or plugin execution by left-clicking on the NoScript status bar icon, or via the contextual menu. [25] Permissions can be selected either temporarily or on a permanent basis. "Temporarily allow" will only enable scripts for that site until the browser session is closed, or until permission is manually revoked.

Info: The Torbutton extension's Security Slider (see further below) also involves a security versus usability trade-off. Users need to decide whether they prefer greater security and lower usability at higher slider levels, or vice-versa. While fingerprinting risks are greatly reduced at higher levels, some site functionality may also be lost.


For further information, refer to the NoScript website and features overview, or the Torbutton design document.

Non-default Add-ons

As Tor Browser is based on Firefox, any browser add-on that is compatible with Firefox can also be installed in Tor Browser. In this context, add-ons is the collective name for extensions, themes and plugins: [26]

  • Extensions add new features to Firefox or modify existing ones, like video downloaders, ad blockers and so on.
  • Themes change the appearance of the browser, such as buttons, menus and the background image.
  • Plugins add support for Internet content and often include patented formats like Flash and Silverlight which are used for video, audio, online games and more.

[27]

Non-default Add-on Risks

The Tor Project explicitly warns against using non-default add-ons with Tor Browser: [28]

However, the only add-ons that have been tested for use with Tor Browser are those included by default. Installing any other browser add-ons may break functionality in Tor Browser or cause more serious problems that affect your privacy and security. It is strongly discouraged to install additional add-ons, and the Tor Project will not offer support for these configurations.

....

Video websites, such as Vimeo make use of the Flash Player plugin to display video content. Unfortunately, this software operates independently of Tor Browser and cannot easily be made to obey Tor Browser’s proxy settings. It can therefore reveal your real location and IP address to the website operators, or to an outside observer. For this reason, Flash is disabled by default in Tor Browser, and enabling it is not recommended.

Recommendations

Warning: Users should generally avoid Java, JavaScript, Flash, themes, browser plugins and other non-default add-ons in Tor Browser.


The problem with non-default add-ons is they are often non-free software, and can lead to linkability to the same pseudonym. Moreover, they worsen fingerprinting and open up attack vectors in the form of remote exploits.

This advice holds true even though Whonix is configured to prevent these applications (along with malware) from leaking the user's real external IP address, even if they are misconfigured (see Features). Users should first consider the various alternatives to plugins, such as HTML5 or online media converters. [29]

If this advice is to be disregarded, first read Browser Plugins before proceeding.

Torbutton

Tor alone is not enough to protect your anonymity and privacy while browsing the Internet. All modern web browsers support JavaScript, Adobe Flash, cookies and other features which are capable of defeating the anonymity [30] provided by the Tor network.

In Tor Browser, these features are handled from inside the browser, because it is a modified (patched) version of Firefox and it contains an extension called Torbutton:

Torbutton is the component in Tor Browser that takes care of application-level security and privacy concerns in Firefox. To keep you safe, Torbutton disables many types of active content.

[31]

Users are also encouraged to learn more about fingerprinting and data collection techniques. Advanced users who are interested in a detailed description of the Torbutton design and the functions described below can learn more here.

New Identity Function

The "New Identity" menu option sends the protocol command "signal newnym" to Tor's ControlPort. This clears the browser state, closes tabs, and obtains a fresh Tor circuit for future requests. [32]

Warning: The New Identity feature will likely create a new Tor exit relay and a new IP address, but this is not guaranteed.


Sometimes Tor only replaces the middle relay while using the same Tor exit relay. This is by design and the Tor default. Further, "signal newnym" does not interfere with long-lived connections like an IRC connection.
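
The control-port exchange behind "signal newnym" is shown below as an added example; it is not Torbutton's or Whonix's code. It authenticates, sends SIGNAL NEWNYM and treats anything other than a 250 reply as a failure, which is the case to expect when a control-port filter refuses the command. FakeControlPort and its reply texts are constructed so the block runs offline, and connect_and_request with its host, port and auth_argument parameters are hypothetical names.

```python
import io
import socket


def read_reply(stream):
    """Read one reply: "250-..." lines continue, "250 ..." ends the reply."""
    texts = []
    while True:
        raw = stream.readline()
        if not raw:
            raise ConnectionError("control connection closed mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        texts.append(line[4:])
        if line[3:4] != "-":
            return int(line[:3]), texts


def request_new_identity(stream, auth_argument=""):
    """Send AUTHENTICATE then SIGNAL NEWNYM; raise unless both return 250."""
    commands = [("AUTHENTICATE " + auth_argument).strip(), "SIGNAL NEWNYM"]
    for command in commands:
        stream.write(command.encode("ascii") + b"\r\n")
        stream.flush()
        code, texts = read_reply(stream)
        if code != 250:
            verb = command.split()[0]
            raise RuntimeError("%s refused: %d %s" % (verb, code, texts[-1]))
    stream.write(b"QUIT\r\n")
    stream.flush()
    return True


def connect_and_request(host, port, auth_argument=""):
    """Same exchange over TCP; host and port depend on the local Tor setup."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with sock.makefile("rwb") as stream:
            return request_new_identity(stream, auth_argument)


class FakeControlPort:
    """Constructed in-memory stand-in for a ControlPort (no network needed)."""

    def __init__(self, allow_newnym=True):
        self.allow_newnym = allow_newnym
        self.received = []
        self._replies = []

    def write(self, data):
        command = data.decode("ascii").strip()
        self.received.append(command)
        verb = command.upper()
        if verb.startswith("AUTHENTICATE") or verb == "QUIT":
            reply = b"250 OK\r\n"
        elif verb == "SIGNAL NEWNYM" and self.allow_newnym:
            reply = b"250 OK\r\n"
        else:
            reply = b"510 Command refused (constructed reply)\r\n"
        self._replies.append(reply)

    def flush(self):
        pass

    def readline(self):
        return self._replies.pop(0) if self._replies else b""


if __name__ == "__main__":
    print(request_new_identity(FakeControlPort()))
    # Multi-line replies are joined until the final "250 " line (constructed).
    print(read_reply(io.BytesIO(b"250-version=0.0.0\r\n250 OK\r\n")))
```

A 250 reply only confirms that Tor accepted the signal; as described above, it does not guarantee a different exit relay and does not touch connections that are already open.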

New Identity is not yet perfect and there are open bugs; this is not a Whonix-specific issue. [33] For greater security, it is better to completely close Tor Browser and restart it. In Qubes-Whonix, the safest option is using a Whonix-Workstation Qubes/DisposableVM and closing it and recreating a new one after critical activities.

This is how to use the New Identity feature in Torbutton.

Click Torbutton -> Click "New Identity"

Please read New Identity and Tor circuits and the New Identity design to learn more about this option and its limitations.

New Tor Circuit Function

The "New Tor Circuit for this Site" Torbutton feature causes a new circuit to be created for the current Tor Browser tab, including other open tabs or windows from the same website. [34]

Warning: This feature does not attempt to clear Tor browsing session data or unlink activity, unlike the "New Identity" feature.


If it is really necessary to separate contextual identities, it is always safer to close and then restart Tor Browser.

Potential use cases for this feature include: [35]

  • The Tor exit relay is located in a country which negatively affects the presentation of the website due to language localization.
  • The site is censored due to the current Tor exit relay in use (caused by Tor IP address blacklisting).
  • To bypass Google CAPTCHA or reCAPTCHA systems protecting sites from abuse if these are showing unsolvable captcha or no captcha at all.
  • Connections to websites become unresponsive or slow.
  • To change the Tor exit relay IP address without losing all open tabs.


To use it:

Click Torbutton -> Click "New Tor Circuit for this Site"

Advanced users who want to learn more about this function should refer to the New Tor Circuit design entry.

Security Slider

Tor Browser includes a “Security Slider” that lets the user disable certain web features that can be used to compromise security and anonymity. Currently there are three levels: "Safest", "Safer" and "Standard". Users have to make a trade-off between security, usability and privacy. At the higher levels the slider will prevent some sites from working properly. [36]

To use this feature:

Click Torbutton -> Click "Security Settings..." -> Select desired security level

To learn more about the exact effect of each setting level, users should refer to the Security Slider design entry.

Check for Tor Browser Update

Torbutton will notify the user if a Tor Browser update is available. See Tor Browser Internal Updater for further information and screenshots of this process. Note that there are multiple methods of updating Tor Browser. To use the Torbutton menu option:

Click Torbutton -> Click "Check for Tor Browser Update..."

Disabled Torbutton Functions

Users who are interested in why Torbutton's "Open Networking Settings" and "Tor Circuit View" features have been disabled in Whonix can learn more here.

Tor Browser: How-To

Start Tor Browser

From the Menu

Start Tor Browser.

If you are using Qubes-Whonix.

Qubes Start Menu -> Whonix-Workstation AppVM (commonly called anon-whonix) -> Tor Browser

If you are using Non-Qubes-Whonix.

Start Menu -> Tor Browser

From the Command Line or Debugging Mode

To start Tor Browser from the command line or in debugging mode, follow the steps below.

Open a Whonix-Workstation terminal.

The user has two options. The first is to start Tor Browser "normally" from the terminal: [37]

torbrowser

The second is to generate debugging output if problems are experienced with Tor Browser (also see Debugging).

Change into the Tor Browser folder.

cd ~/.tb/tor-browser/Browser

Start Tor Browser in debugging mode.

./start-tor-browser --debug

Note: Tor Browser can also be started manually without the --debug argument.

Successful Tor Browser Connection

If Tor Browser successfully launches and connects to the Tor network, check.torproject.org should show the following message.

Figure: Successful Tor Browser Connection

File Downloads

Warnings

Whonix protects against the threats outlined below, such as files that inadvertently or maliciously attempt to reveal the real IP address of the user, or third-party, external applications that can leak information outside of Tor. Despite this protection, it is recommended to always follow best safety practices.

Do not Open Documents Downloaded via Tor while Online

The Tor Project explicitly warns against opening documents handled by external applications. The reason is documents commonly contain Internet resources that may be downloaded outside of Tor by the application that opens them. [38]

This warning is not strictly relevant to the Whonix population since all traffic is forced over Whonix-Gateway and the IP address will not leak. Nevertheless, for better safety files like PDFs and word processing documents should only be opened in offline VMs.

Malicious files or links to files pose a greater threat and can potentially compromise your system. Therefore, follow the wiki advice and avoid opening random links or files in Whonix-Workstation. Instead:

Platform specific.

Do not Torrent over Tor

See File Sharing.

Secure Downloads

Template:Secure tor browser downloads

Template:Tor Browser Downloads

Browser Language

As of April 2017, Tor Browser binaries with additional language packs support sixteen languages. For instructions on changing Tor Browser's interface to a language other than English, see Tor Browser Language. [39]

Local Connections

Sometimes a user needs to access the local application interface on 127.0.0.1 in order to run specific applications like I2P. [40] Due to potential fingerprinting and information leakage risks, this behavior is no longer possible in Tor Browser unless an exception is configured. [41] [42]

To configure an exception for local connections in Tor Browser: [43]

Preferences -> Advanced -> Network | Connection Settings... -> No Proxy for: "127.0.0.1" -> click "OK"

The configured exception means a small trade-off in privacy, but it is much safer than using another browser (see Local Connections Exception Threat Analysis).

Info: Web HTTP(S)/SOCKS proxies have different instructions and will not work with these steps, see Tor Browser Proxy Configuration.


Recommendations

For better anonymity:

  • Browse with JavaScript disabled in Tor Browser and enable it only when needed. Disabled JavaScript mitigates these browser fingerprinting issues completely.
  • Set passwords for web interfaces listening on the localhost.
  • Run sensitive daemons with local WebGUIs on a separate, dedicated Whonix-Workstation and virtual network instance. TODO: expand or link how to do that

Bypass Tor Censorship

Info: This section outlines how to bypass Tor blocks by destination websites. Users who are blocked from connecting to the Tor network at the ISP level instead require bridges or other circumvention tools.


A number of websites or services actively block Tor users via:

  • A DNS query-based list used to tag IP addresses.
  • Blocking software like Akamai and Cloudflare.
  • Other individual blocks.


There are various ad-hoc methods available to try and circumvent blocks. In most cases it is unnecessary to create a tunnel which pairs Whonix with other protocols (such as a VPN) in order to access the content.

The following services fetch content via other websites, which is a privacy trade-off. Further, only some services are effective with embedded, non-static content or support specific file types like PDF, .exe and mp3. [44]

Table: Tor Censorship Circumvention Options [45]

| Service | URL | Comment | Non-static Embedded Content | PDF, .exe, mp3 |
|---|---|---|---|---|
| The Internet Archive's WaybackMachine | web.archive.org/save/_embed/<URL> | Archive.org respects robots.txt restrictions, works best with JS enabled | No | Yes |
| Archive.fo | archive.fo/?run=1&url=<URL> And their official onion service: archivecaslytosk.onion/?run=1&url=<URL> | Ideal for news sites, doesn't require JS | No | No |
| Google Cache | webcache.googleusercontent.com/search?q=cache:<URL without "http://"> | Google sometimes blocks these requests | No - static only | No |
| Startpage.com | (1) Find the URL by searching, (2) Click on the proxy option | Not always efficacious | No | No |
| Searx.me | (1) Find the URL by searching, (2) Click on the proxied option | Not always efficacious | No | No |
| Hypothes.is | via.hypothes.is/<URL> | Behind Cloudflare | Yes | Yes |
| Online Proxies | hide.me/en/proxy, www.proxysite.com/, www.proxysite.club/ [46] | - | Yes | Yes |

Other Relevant Services

The Tor Project notes: [47]

To avoid captchas that are sometimes required when visiting YouTube, use hooktube.com/ (behind Cloudflare).


imgur.com blocks Tor uploads. To upload images on an imgur domain, go to a stackexchange website (for example tor.stackexchange.com), click on Ask a Question, and use the image upload tooltip to upload the image; the resulting URL will have an i.stack.imgur.com/... form.

Harden Tor Browser

Users can further protect their anonymity and increase their safety via: AppArmor, Tor Browser settings, sandboxing, multiple Tor Browser instances, and operation of Whonix-Workstation DisposableVMs (Qubes-Whonix) or multiple Whonix-Workstations.

Tor Browser provides reasonable security in its stock configuration. However, mitigating the risk of Tor Browser security breaches makes sense, because it is an untrusted application with a huge attack surface; it is frequently attacked successfully in the wild by adversaries.

Tor Browser Series and Settings

Tor Browser Settings

Follow these recommendations routinely: use onion services for search queries and browsing (where possible), run the Security Slider in the highest position, disable JavaScript by default, and enable ClearClick protections in NoScript.

Tor Browser Series

For greater security, consider using the alpha series of Tor Browser. This incorporates Selfrando load-time memory randomization protection and other security features. Both the alpha and main series of Tor Browser now benefit from Mozilla's content level sandboxing, as well as being multi-process (e10s) compatible.

Multiple Tor Browser Instances and Whonix-Workstations

Multiple Tor Browser Instances

To better separate different contextual identities, users should consider starting multiple Tor Browser instances and running them through different SocksPorts. This method is less secure than the method outlined below.

Multiple Whonix-Workstations

For tasks requiring different identities and/or additional software, users should compartmentalize their activities and use two or more Whonix-Workstation VMs. In this way, an exploit in Tor Browser in one Whonix-Workstation cannot simultaneously read the user's identity in another VM (for example, an IRC account). [48] This method is less secure than using a Whonix-Workstation DisposableVM with Tor Browser (see below).

Sandboxing and DisposableVMs

Sandboxing

The Tor Project's official sandboxed Tor Browser cannot be used until Whonix 14 is released. However, it is no longer recommended since The Tor Project has officially abandoned its development. [49] Firejail can be used as an alternative sandboxing measure to restrict the Tor Browser process.

Whonix-Workstation DisposableVMs

One of the safest configurations is to assume future compromise and run all instances of Tor Browser in an uncustomized Whonix-Workstation DisposableVM in Qubes-Whonix. This way, the user can routinely create fresh instances of the Whonix-Workstation and Tor Browser for discrete Internet activities, while ensuring that previous, potentially compromised versions of Tor Browser and Whonix-Workstation are destroyed. [50]

AppArmor Confinement

AppArmor can help protect the user's system and data. It confines programs according to a set of rules that specify what files a given program can access, and with what privileges. This also provides some protection against zero-day attacks, and exploits via unknown application flaws.

To mitigate the threat of specific attacks against Tor Browser, Whonix's Tor Browser AppArmor profile can be easily applied.

Info: If AppArmor is applied, Tor Browser can only read and write to a limited number of folders. Permission denied errors are quite common, for example when trying to download files directly to the home folder.


The workaround for denied errors is saving files from Tor Browser to the ~/Downloads folder that is located within the home folder. In order to upload files with Tor Browser, first copy them to that folder.

Update the package lists.

sudo apt-get update

Install the apparmor-profile-torbrowser package.

sudo apt-get install apparmor-profile-torbrowser

Update Tor Browser

Users have three options for updating Tor Browser in Whonix:


The first two methods are suitable for the majority of users in most cases. Manual updates are only required if the Whonix Tor Browser update script ever breaks. Users should never continue using an outdated version of Tor Browser, otherwise serious security flaws may lead to a compromise of privacy and anonymity. [53]

Info: Users are recommended to subscribe to The Tor Project blog to stay informed about recent updates.

Tor Browser Downloader by Whonix

Installation Process

Note: Tor Browser Downloader (Whonix) is really just a downloader, not an updater. This means it is incapable of retaining user data, for example bookmarks and passwords. In order to keep user data, use the Tor Browser Internal Updater method instead.

To use Tor Browser Downloader (Whonix), follow these instructions.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Workstation AppVM (commonly named anon-whonix) -> Tor Browser Downloader (Whonix)

If you are using a graphical Whonix-Workstation, complete the following steps:

Start Menu -> Applications -> System -> Tor Browser Downloader (Whonix)

If you are using a terminal-only Whonix-Gateway, complete the following steps:

update-torbrowser

There are several steps in this process. First, the downloader will show it is checking for updates.

Figure: Checking for Updates

Tor Browser Downloader (Whonix) checking for updates.


Next, the downloader will ask the user to select the preferred Tor Browser version and confirm installation. Note the warning in the confirmation box stating the existing Tor Browser user profile (including bookmarks and passwords) will be lost during this process.

Figure: Download Confirmation

Tor Browser Downloader (Whonix) Download Confirmation


After the user has assented to the download process, a progress indicator will be displayed by the downloader. This process can be lengthy depending on the speed of the Tor network connection.

Figure: Downloading Tor Browser

Tor Browser Downloader (Whonix) Downloading Tor Browser.


Once the download has finished, the downloader will provide verification (or not) of the cryptographic signature associated with the Tor Browser binary, highlighting the key used to sign it and the date. The downloader will then ask for confirmation to install the package. See Installation Confirmation Notification for steps on securely determining if a user was likely the target of an attack.

Figure: Tor Browser Installation Confirmation

Tor Browser Downloader (Whonix) Installation Confirmation.


If the user confirms the installation process, the downloader will extract Tor Browser.

Figure: Extracting Tor Browser

Tor Browser Downloader (Whonix) Extracting.


In the final step, the downloader will ask the user whether or not they wish to launch the upgraded Tor Browser.

Figure: Finalized Tor Browser Installation

Tor Browser Downloader (Whonix) Finished Installing Tor Browser.


(Also available as CLI version.)

Download Confirmation Notification

Info: This step is designed to keep users safe.


Currently, there is no reliable and secure way for a program to determine the latest stable version of Tor Browser with reasonable certainty. [54] [55] When the version format changes, the automated parser of version information could falsely suggest:

  • An earlier stable version that is still considered secure.
  • An alpha series release.
  • A beta Tor Browser build.
  • A release candidate or nightly Tor Browser build.


Alternatively, the user could be targeted by a denial of service, indefinite freeze or rollback (downgrade) attack. [56] [57]

Therefore, the intelligence of the user is utilized as a sanity check. The Download Confirmation Notification enables users to detect such situations and abort the procedure. In this instance, users should rotate their Tor circuits and attempt the download process again.

Version numbers that are visible under Online versions come from an online resource. The Tor Browser RecommendedTBBVersions versions file is provided by The Tor Project, and is parsed by Whonix's Tor Browser Downloader. The Whonix downloader will indicate to the user that no upgrade is required if the installed Tor Browser version matches the up-to-date online version.
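The failure modes listed above can be illustrated with a strict, fail-closed version check. This is an added example and not code from Whonix's Tor Browser Downloader: the version string shapes, the sample list and the caller-supplied installed version are assumptions made for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Fail closed: only these shapes are accepted, everything else is rejected.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:(a|b|rc)(\d+))?")
CHANNELS = {None: "stable", "a": "alpha", "b": "beta", "rc": "release candidate"}

# Constructed sample list, not real data from The Tor Project.
SAMPLE_ONLINE = ["7.5.5", "8.0a8", "7.5.4", "8.0rc1", "tbb-nightly", "7.5.6"]


class Version(NamedTuple):
    raw: str
    numbers: Tuple[int, int, int]
    channel: str


def parse_version(raw: str) -> Optional[Version]:
    """Parse one version string; return None for any unrecognized format."""
    text = raw.strip()
    match = VERSION_RE.fullmatch(text)
    if match is None:
        return None
    major, minor, patch, tag, _build = match.groups()
    return Version(text, (int(major), int(minor), int(patch or 0)), CHANNELS[tag])


def review_candidates(installed: str, online: List[str]) -> List[Tuple[str, str]]:
    """Pair every offered version with a verdict the user can sanity-check."""
    current = parse_version(installed)
    if current is None or current.channel != "stable":
        raise ValueError("installed version must be a stable release")
    verdicts = []
    for raw in online:
        version = parse_version(raw)
        if version is None:
            verdict = "reject: unrecognized format"
        elif version.channel != "stable":
            verdict = f"reject: {version.channel} build"
        elif version.numbers < current.numbers:
            verdict = "reject: older than installed (possible rollback)"
        elif version.numbers == current.numbers:
            verdict = "no upgrade required"
        else:
            verdict = "candidate: newer stable release"
        verdicts.append((raw, verdict))
    return verdicts


if __name__ == "__main__":
    for raw, verdict in review_candidates("7.5.5", SAMPLE_ONLINE):
        print(f"{raw:12} {verdict}")
```

A check like this cannot detect an indefinite freeze, because a frozen list still parses cleanly; that is why the user's own judgement remains part of the procedure.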

TODO: expand.

Installation Confirmation Notification

Info: This step is also designed to protect users.


Currently, there is no reliable and secure way for a program to determine (with reasonable certainty) if the Tor Browser download was targeted by an indefinite freeze or rollback attack. [58] [59]

When verifying cryptographic signatures, the user should consider several important aspects:

  • The signature should be made by a trusted key.
  • Trusted keys will have signed other files in the past. The user should also check they received the right file and not just any file that was signed by a trusted key.
  • Even if the right type of file is received, [60] the user should check it has a current signature attached and not a historical one. This step counters the threat of indefinite freeze and rollback attacks.


By the time the user sees the Installation Confirmation Notification, the verification of the signature (and hash) has already succeeded. However, the intelligence of the user is required to make sure they have not been targeted by an indefinite freeze or downgrade attack. In the figure below, the signature creation dates should be carefully examined.

Previous Signature Creation Date: When Tor Browser was previously installed by tb-updater, the creation date of the accompanying signature that signed Tor Browser will have been stored. The Previous Signature Creation Date field displays that date.

Last Signature Creation Date: This field shows the user the date of signature creation for the file which was just downloaded.
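The comparison of the two dates can also be expressed in code. The following is an added example, not tb-updater's own code: it reads the `VALIDSIG` line of GnuPG's `--status-fd` output and compares the signature creation time with the stored previous one. The fingerprints and status line are constructed, and the `assess` helper and its 90-day `max_age_days` threshold are assumptions, since Tor Browser signatures carry no expiration date.

```python
from datetime import datetime, timezone
from typing import NamedTuple, Optional

DAY = 86400
# Constructed fingerprints and status line; not real keys or real gpg output.
TRUSTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2018-06-10 "
    "1528588800 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
)


class SigInfo(NamedTuple):
    primary_fpr: str
    created: int  # seconds since the Unix epoch (UTC)


def parse_validsig(status_output: str) -> Optional[SigInfo]:
    """Extract key fingerprint and signature creation time from VALIDSIG."""
    for line in status_output.splitlines():
        f = line.split()
        # [GNUPG:] VALIDSIG <fpr> <date> <sig-timestamp> ... [<primary-key-fpr>]
        if len(f) < 5 or f[:2] != ["[GNUPG:]", "VALIDSIG"]:
            continue
        stamp = f[4]
        try:
            if "T" in stamp:  # gpg may print ISO 8601 instead of epoch seconds
                parsed = datetime.strptime(stamp, "%Y%m%dT%H%M%S")
                created = int(parsed.replace(tzinfo=timezone.utc).timestamp())
            else:
                created = int(stamp)
        except ValueError:
            return None  # unparseable timestamp: fail closed
        # Prefer the primary key fingerprint when gpg reports it.
        return SigInfo((f[11] if len(f) >= 12 else f[2]).upper(), created)
    return None


def assess(status_output: str, trusted_fpr: str, previous_created: Optional[int],
           now: int, max_age_days: int = 90) -> str:
    """Return a verdict starting with 'abort', 'warn' or 'ok'."""
    sig = parse_validsig(status_output)
    if sig is None:
        return "abort: no valid signature reported"
    if sig.primary_fpr != trusted_fpr.upper():
        return "abort: signed by an unexpected key"
    if sig.created > now:
        return "abort: signature dated in the future, check the system clock"
    if previous_created is not None and sig.created < previous_created:
        return "abort: signature older than the previous one (possible rollback)"
    age_days = (now - sig.created) // DAY
    if age_days > max_age_days:
        return f"warn: signature is {age_days} days old (possible indefinite freeze)"
    if previous_created is not None and sig.created == previous_created:
        return "warn: same signature as the previous install, nothing newer offered"
    return f"ok: signature created {age_days} days ago"
```

The age check depends on the local clock being correct, which is the same limitation the page notes for rollback detection.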

Figure: Tor Browser Installation Confirmation


[61] [62]

Users should note that Tor Browser local version number detection is not currently implemented in Whonix.

TODO: expand.

In Qubes-Whonix

Do not run Tor Browser in TemplateVMs (whonix-ws) or DVM Templates (whonix-ws-14-dvm)!

In Qubes-Whonix, Tor Browser Downloader by Whonix is also run automatically during updates to Whonix Workstation TemplateVMs (whonix-ws). Running the Tor Browser Downloader inside TemplateVM (whonix-ws) ensures that new AppVMs are created with a copy of the latest version of Tor Browser.

Do not run Tor Browser Downloader by Whonix in DVM Templates (whonix-ws-14-dvm)! The TemplateVM (whonix-ws) or a whonix-ws based AppVM (anon-whonix) is the right place to run Tor Browser Downloader by Whonix.

See tb-update in Qubes Template VM for technical details.

Tor Browser Internal Updater

Since Tor Browser v5.0, upgrades have been possible from within the browser: [63]

Starting with this release, Tor Browser will now also download and apply upgrades in the background, to ensure that users upgrade quicker and with less interaction. This behavior is governed by the about:config pref app.update.auto, but we do not recommend disabling it unless you really know what you're doing.

When a new Tor Browser version becomes available, the user will be prompted to update: the Torbutton icon will display a yellow triangle, and sometimes a written Internal Updater Notification / Updater Wizard will appear when Tor Browser opens. To update automatically, users can either:

  • Use the Internal Updater Notification (Click "Update Tor Browser") or Updater Wizard (Click "Download & Install").
  • Or update via the Torbutton extension (Click Torbutton -> Click "Check for Tor Browser Update...").


A screenshot of Tor Browser's Internal Updater Notification:

Figure: Tor Browser Internal Updater Notification


A screenshot of Tor Browser's Internal Updater Wizard:

Figure: Tor Browser Internal Updater Wizard


A screenshot of Torbutton's warning symbol (a yellow triangle and exclamation mark) indicating an update is available:

Figure: Torbutton Update Warning

Tor Browser Manual Update

A future update of Tor Browser by The Tor Project might make Whonix's Tor Browser Updater or Tor Browser running in Whonix-Workstation unusable. In case Tor Browser (Updater) inside Whonix-Workstation breaks, Whonix news will be published within a few days with instructions on how to fix the issue. If this does not occur, the Whonix developers are not aware of the issue.

Info: If the Tor Browser update script is ever broken, it is advisable to update manually.

Unsafe Tor Browser Habits

It is important to develop a set of safe habits when communicating, browsing or downloading with Tor Browser. Even the world's premier anonymity software cannot protect users if they shoot themselves in the foot.

The following is a non-exhaustive list of unsafe behaviors. Users are encouraged to also read the Whonix Do Not entry, along with documentation available from The Tor Project before using Tor Browser for serious activities necessitating anonymity.

When using Tor Browser, users should not:

Add-ons


Anonymity Modes


Bridges


Browser Settings


Communications


File Downloads


HTML5 Canvas Image Data


Identities


JavaScript


Logins


Local Connections


Networking


Other Browsers


Personal Websites and Links


Phone Verification


Proxy Settings


Qubes-Whonix


Server Connections


Torbutton


Updates


User Mentality

  • Believe they are invincible running Tor Browser (irrespective of the platform), due to significant adversary capabilities and interest in unmasking or infecting Tor users.

Whonix Tor Browser Differences

The regular Tor Browser Bundle and Whonix Tor Browser differ slightly, because Tor Browser must be adjusted by Whonix to work behind Whonix-Gateway. Despite environment variable adjustments, the network and browser fingerprint remain the same.

The main Whonix Tor Browser differences can be summarized as follows:

  • The default landing page upon Tor Browser start is set to use a local Whonix resource. [66]
  • The Tor Circuit View and Open Network Settings functions have been disabled in Torbutton. The former is unsupported for security reasons, [67] while the latter would have no effect since Tor must be configured in the Whonix-Gateway.
  • Tor Browser is installed by default in the Qubes-Whonix Whonix-Workstation, but not in Non-Qubes-Whonix for licensing reasons. This will change in Whonix 14. [68] [69]


Whonix does not:

Tor Browser Functionality on Different Platforms

Info: It is not valid to make a comparison between the Windows version of TBB and the Whonix Tor Browser concerning functionality, for instance, why the warning message doesn't appear in Whonix when maximizing the browser window. [71]


The reason is this comparison includes a host of platform-specific differences which confound the result. For example, a more valid comparison would be the differences between:

  • TBB on (non-Qubes) Debian vs Tor Browser on Non-Qubes-Whonix.
  • TBB on (non-Qubes) Debian vs Tor Browser on Qubes-Whonix.


Similarly, if a user wanted to help with TBB (non-Whonix) development, then these comparisons would be useful:

  • TBB on (non-Qubes) Debian vs TBB on Windows.
  • TBB on different Linux distributions.
  • TBB on different Windows platforms.

Glossary and Key Terminology

Glossary

Users should familiarize themselves with terms regularly used by The Tor Project and Whonix. One useful resource is the v1.0 Tor glossary which is now available on The Tor Project community wiki page.

Key Terminology

Tor vs Tor Browser

Tor is an anonymizer developed by The Tor Project. Tor Browser is a web browser developed by The Tor Project which is optimized for privacy. Please do not confuse Tor with Tor Browser when conversing about Whonix topics.

Tor Browser Transparent Proxying

The Tor Browser "transparent proxying" feature [72] and/or the environment variable TOR_TRANSPROXY=1 often cause confusion. It was an unfortunate naming decision by The Tor Project. This feature actually removes proxy settings. With no proxy set, the user's system reverts to its default configuration. The effect of this decision is that Tor Browser will work identically to an unconfigured Firefox browser.

This is potentially dangerous when done outside of Whonix because Tor Browser's transparent proxying feature could result in clearnet traffic; for instance, if the user does not have a gateway with transparent torification features (like Whonix-Gateway). For Whonix users, even with the transparent proxying feature set, Whonix-Gateway will "torify" traffic and force it through Tor. Similarly, if a user has transparent proxying set and happens to use a JonDo-Gateway, traffic will be forced through JonDo.

One downside of the transparent proxying feature is that even when it is used inside Whonix, it breaks Tor Browser's top level isolation for each separate tab.

Transparent proxying should not be confused with:


TODO: expand.

Advanced Users

Users should refer to this documentation if any of the following advanced topics are relevant or of interest:

  • Sandboxed Tor Browser.
  • Tor Browser without Tor.
  • Setting a custom homepage.
  • A custom Whonix configuration or Workstation is being used.
  • Changes to proxy settings are required.
  • The difference between tor-launcher and tor-browser launcher.
  • Qubes-Whonix is being used or the user wants to run the Split Tor Browser.
  • Tor Browser debugging is required.

Footnotes / References

  1. For a comprehensive list of reasons, readers are encouraged to review some or all of the references in this section.
  2. https://tb-manual.torproject.org/linux/en-US/
  3. A good overview of the browser component is provided by The Tor Project design document.

    The Tor Browser is based on Mozilla's Extended Support Release (ESR) Firefox branch. We have a series of patches against this browser to enhance privacy and security. Browser behavior is additionally augmented through the Torbutton extension, though we are in the process of moving this functionality into direct Firefox patches. We also change a number of Firefox preferences from their defaults.


    Tor process management and configuration is accomplished through the Tor Launcher addon, which provides the initial Tor configuration splash screen and bootstrap progress bar. Tor Launcher is also compatible with Thunderbird, Instantbird, and XULRunner.

    To help protect against potential Tor Exit Node eavesdroppers, we include HTTPS-Everywhere. To provide users with optional defense-in-depth against JavaScript and other potential exploit vectors, we also include NoScript. We also modify several extension preferences from their defaults.

    To provide censorship circumvention in areas where the public Tor network is blocked either by IP, or by protocol fingerprint, we include several Pluggable Transports in the distribution. As of this writing, we include Obfs3proxy, Obfs4proxy, Scramblesuit, meek, and FTE.

  4. DNS is a distributed database which keeps track of computers' names and their corresponding IP addresses on the Internet https://web.stanford.edu/class/msande91si/www-spr04/readings/week1/InternetWhitepaper.htm. DNS servers enable the browser to know where resources are located on the Internet, and the corresponding IP address for fetching these.
  5. See below for a further description of these features.
  6. https://en.wikipedia.org/wiki/HTTPS
  7. https://en.wikipedia.org/wiki/HTTPS
  8. HTTPS is not foolproof due to reliance on the Certificate Authority (CA) system that issues digital certificates (private keys) for websites. As a trusted third party, this trust can be abused or the CAs can be subject to adversary attacks.
  9. https://www.torproject.org/docs/faq#AmITotallyAnonymous
  10. https://www.whonix.org
  11. https://www.eff.org/pages/tor-and-https
  12. https://riseup.net/en/security/network-security/tor/onionservices-best-practices
  13. This does not however defend against improved cryptanalysis that breaks underlying ciphers being used, for example by the emergence of quantum computers. Only post-quantum ciphers resistant to these attacks will prevail.
  14. https://www.torproject.org/docs/hidden-services.html.en
  15. Extra layers of encryption are not really necessary, since a completely encrypted tunnel is already formed (but it certainly doesn't hurt). Until recently, these certificates would not validate because of the *.onion hostname.
  16. https://riseup.net/en/security/network-security/tor/onionservices-best-practices
  17. https://blog.torproject.org/blog/cooking-onions-names-your-onions
  18. This is why onion addresses appear absurdly long and random.
  19. https://en.wikipedia.org/wiki/NoScript
  20. https://www.torproject.org/docs/faq#TBBJavaScriptEnabled
  21. JavaScript has previously been used in Windows to deanonymize Tor users with a zero-day exploit which revealed the computer's MAC address to the attackers.
  22. https://en.wikipedia.org/wiki/NoScript
  23. Having a large user base is important for strong anonymity, as Roger Dingledine explains here.
  24. Another related discussion justifying JavaScript's enabling by default was held on tor-talk, "Tor Browser disabling Javascript anonymity set reduction". https://lists.torproject.org/pipermail/tor-talk/2012-May/024227.html
  25. https://noscript.net/
  26. https://tb-manual.torproject.org/en-US/plugins.html
  27. https://support.mozilla.org/en-US/kb/find-and-install-add-ons-add-features-to-firefox?redirectlocale=en-US&redirectslug=Customizing+Firefox+with+add-ons
  28. https://tb-manual.torproject.org/en-US/plugins.html
  29. For example, most videos can now be viewed in HTML5 which Tor Browser supports and prefers.
  30. DoNot#Do_not_confuse_Anonymity_with_Pseudonymity.
  31. https://www.torproject.org/docs/torbutton/torbutton-faq.html.en
  32. https://blog.torproject.org/blog/torbutton-141-released
  33. See tbb-linkability and tbb-fingerprinting.
  34. https://trac.torproject.org/projects/tor/ticket/9442
  35. https://tails.boum.org/doc/anonymous_internet/Tor_Browser/index.en.html
  36. https://tb-manual.torproject.org/en-US/security-slider.html
  37. /usr/bin/torbrowser simply navigates to the Tor Browser folder and runs ./start-tor-browser. The former has more features like reporting error conditions or the absence of a Tor Browser folder, generation of non-zero exit code failures, and more.
  38. https://www.torproject.org/download/
  39. Language packs might be another fingerprinting vector, but this issue requires further investigation.
  40. Since it uses predetermined ports on the localhost.
  41. https://trac.torproject.org/projects/tor/ticket/10419
  42. https://trac.torproject.org/projects/tor/ticket/11493
  43. Alternatively, the user can remove Tor Browser's proxy settings, but this method is still vulnerable to the same fingerprinting issues as configuring an exception. There are also other factors which will worsen the user's fingerprint, such as the breaking of both stream isolation and the tab isolation by socks user name in Tor Browser.
  44. https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor#Ad-hocSolutionsforaccessingblockedcontentonTor
  45. This information has been sourced directly from The Tor Project wiki.
  46. See also: hidester.com/proxy and youtubeunblocks.com/
  47. https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor#Otherrelevantservices
  48. This does not protect against the sudden loss of networking, which could reveal to the attacker that two activities / accounts suddenly going off-line are probably related.
  49. https://trac.torproject.org/projects/tor/ticket/25540
  50. This does not protect against potential infection of dom0 or the Whonix-Workstation DisposableVM-Template by advanced adversaries. Traces of user activity may also be left on storage media or in RAM.
  51. This does not yet notice upgrades done by Tor Browser's Internal Updater.
  52. Since v5.0, Tor Browser is configured to update itself.
  53. https://tb-manual.torproject.org/en-US/updating.html
  54. Finalize RecommendedTBBVersions format
  55. Counter downgrade / stale mirror attacks on RecommendedTBBVersions - sign / verify tbb versions file
  56. For a definition of these attacks, see the threat model of TUF (The Update Framework).
  57. Adversaries capable of breaking SSL could mount these attacks by replacing RecommendedTBBVersions with invalid, frozen or outdated version information.
  58. Unfortunately, Tor Browser signatures do not yet provide expiration dates in a manner similar to Debian's valid-until field.
  59. Rollback attacks are possible because the user's computer clock could be wrong, so there is no solid basis for comparison.
  60. That is, a browser and not a messenger or other application.
  61. GnuPG (OpenPGP) common misconceptions.
  62. The name of the file is stored in the hash file and verified to match the downloaded file name and hash.
  63. https://blog.torproject.org/blog/tor-browser-50-released
  64. http://forums.whonix.org/t/should-still-recommend-against-maximizing-tor-browser-window
  65. https://www.torproject.org/docs/faq.html.en#AmITotallyAnonymous
  66. The default Tor Browser Bundle uses about:tor as the landing page. See: https://trac.torproject.org/projects/tor/ticket/13835
  67. This is so Whonix-Workstation does not have access to the information about which Tor middle relay or Tor entry guard [or bridge] are being used. See also: Dev/Control_Port_Filter_Proxy#Indicator_for_current_Circuit_Status_and_Exit_IP
  68. Licensing reasons:
  69. In Whonix-Workstation, rinetd listens on 127.0.0.1 9150 and 9151 (Tor Browser's default ports) and forwards them to Whonix-Gateway 10.152.152.10 9150 (where a Tor SocksPort is listening) and 9151 (where Control Port Filter Proxy is listening). Tor does not get started by the tor-launcher Firefox add-on because the TOR_SKIP_LAUNCH environment variable has been set to 1. See also Dev/anon-ws-disable-stacked-tor.
  70. No changes have been made to Whonix code to prevent such a warning.
  71. https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy

License

Whonix Tor Browser wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Tor Browser wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it
under certain conditions; see the wiki source code for details.
