A browser is not a safe environment to type in

A browser is not a safe environment for writing text such as forum posts or e-mails (webmail or IMAP).

  • You could accidentally paste things you don’t want to paste, for example into the search or URL bar, which could trigger a search for text that you did not intend to send to the public internet.
  • With JavaScript enabled, the server already knows what you type as you type it.
    • It reveals how fast you type, how long your breaks are, which mistakes you make and how you correct them while writing the draft, and also which type of local keyboard you are using.
    • It should be assumed that such data is already being collected and analyzed.
  • Since there is stylometry, which works with less data (final text only), it is safe to assume that this data is more than unique enough to pose a serious risk of de-anonymization or at least anonymity set reduction. An adversary who has this data from a user typing over clearnet, and also from a user typing over Tor, may be able to compare the two. Even if it is not a 100% hit, reaching higher probabilities is already fatal.
  • Write the text in an offline text editor such as KWrite and copy and paste the text into the web interface once you are done.
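
What the points above describe, as an added example that is not part of the original post: the function summarises what a page script can derive from a draft typed in the browser versus one pasted from an offline editor. The event records, their field names and the 2000 ms pause threshold are constructed assumptions.

```javascript
// Constructed sample data, not captured traffic. Each record mimics what a
// page script's keydown/paste listeners could log; t = ms since field focus.
const typedDraft = [
  { type: "keydown", key: "h", t: 0 },
  { type: "keydown", key: "e", t: 140 },
  { type: "keydown", key: "l", t: 260 },
  { type: "keydown", key: "k", t: 390 },          // typo
  { type: "keydown", key: "Backspace", t: 900 },  // correction
  { type: "keydown", key: "l", t: 1040 },
  { type: "keydown", key: "o", t: 1170 },
  { type: "keydown", key: "ü", t: 4200 },         // after a long break
];
// Same field filled by pasting from an offline editor (context-menu paste;
// Ctrl+V would add only the two keydowns of the shortcut itself).
const pastedDraft = [{ type: "paste", text: "hello", t: 0 }];

// Summarise what the event stream alone exposes about the writer.
function observableFromEvents(events, pauseMs = 2000) {
  const keys = events.filter((e) => e.type === "keydown");
  // Interval between consecutive key presses: the typing rhythm.
  const gaps = keys.slice(1).map((e, i) => e.t - keys[i].t);
  const sum = gaps.reduce((a, b) => a + b, 0);
  return {
    keystrokes: keys.length,
    meanGapMs: gaps.length ? Math.round(sum / gaps.length) : null,
    longPauses: gaps.filter((g) => g >= pauseMs).length,
    corrections: keys.filter((e) => ["Backspace", "Delete"].includes(e.key)).length,
    // Non-ASCII printable keys hint at the local keyboard layout.
    layoutHints: [...new Set(keys.map((e) => e.key)
      .filter((k) => k.length === 1 && k.charCodeAt(0) > 127))],
    pastedChars: events.filter((e) => e.type === "paste")
      .reduce((n, e) => n + e.text.length, 0),
  };
}

console.log("typed :", observableFromEvents(typedDraft));
console.log("pasted:", observableFromEvents(pastedDraft));
```

Pasting removes the rhythm, pause and correction signal; the final text, and with it the stylometry mentioned above, remains visible.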

For more information on pitfalls of anonymous typing, see:

Patrick started developing Whonix, the Anonymous Operating System, in 2012, when others quickly joined the effort. He gathered experience working pseudonymously on Whonix for two years and enjoys working collaboratively on privacy-preserving software.

Posted in General Security News, Whonix Important News, Whonix Wiki Updates
