Jump to: navigation, search

Browser Plugins

This page contains changes which are not marked for translation.

Other languages:
English • ‎español
Flash Leak Test SocksPort and TransPort
Flash Leak Test both TransPort


We explain the risks of browser plugins (flash etc.), discuss some alternatives and finally explain how to use browser plugins anyway in the best possible secure manner.

Tor Browser[edit]

For information about Tor Browser in general, see Tor Browser.

Warning not to use them[edit]

Quoted the Whonix Features page [1]: "Java / JavaScript / flash / browser plugins / Malware [2] / misconfigured applications cannot leak your real external IP." "This is still not recommended as they may decrease anonymity (e.g. flash cookies) and often have security vulnerabilities. Some popular plugins are closed source. See Whonix Security in real world."

Although it's not recommended, we don't want to withhold the knowledge from you how to use browser plugins.

IP leaks are not easily possible.[3]

The concern against browser plugins can be broken down to:

1. Non-Free Software. See our warning Box above.

2. Linkability: browser plugins use can be probably correlated to the same pseudonym. [4]

3. Fingerprinting: browser plugins can probably leak lots of information about your (virtual) operating system (Whonix-Workstation)

4. Security: some plugins have a history for remote exploits. More precise: the risk for your virtual operating system to get infected by trojan horses etc. is higher.

But anyway, of course you should look for alternatives first (see below), but if you insist on using browser plugins, an isolating/transparent proxy like Whonix is probably your best bet. [4]

Avoiding browser plugins[edit]

Avoiding browser plugins and flash is better than using them.

Note that there are alternatives to browser plugins. Most of the workarounds aren't a 100% complete, perfect drop in replacement, but perhaps it works sufficient for you (for example, if you only need youtube). Alternatives are html5, gnash, flash video replacer, flash video download or using a flash video download and convert online service. There are also applications worth checking, such as youtuberipper, ClipGrab, minitube, Totem with totem-plugins-extra, etc. Discussing the flash alternatives in details is beyond the scope of Whonix.

Also the Tails folks prepared a good list of Flash alternatives, see Tails Flash support.

If you still want to use browser plugins or flash, read below.

How to use Flash - EASY[edit]

If you insist on using browser plugins anyway (read warnings above), you can install new software [5] in Whonix-Workstation. Your best bet may be using the Tor Browser. JDownloader is a Libre alternative to Flash for downloading videos for local viewing.[6]

Your IP/location will still be hidden. Consider the plugin usage pseudonymous rather than anonymous. This is the EASY chapter, which does not include all security considerations. For those, read the whole page.

If you are using any plugins such as Flash, it will be probably known to the exit relay, exit relay's ISP and website, that you are a Whonix user.

[7] [8] [9]

Install Flash.

sudo apt-get install flashplugin-nonfree

(2) Additionally, it might make sense to install Firefox (Tor Browser) Add-On BetterPrivacy BetterPrivacy, which can be setup to delete Flash Cookies.

(3) Activate browser plugins in Tor Browser.

To activate browser plugins in Tor Browser [10] right click on Tor Button -> Preferences... -> Security Settings -> uncheck: Disable Plugins during Tor usage. You have to restart Tor Browser.

(4) Updating Flash

Each time there is a new version of flash, you should update.

sudo update-flashplugin-nonfree --install --verbose

How to use other browser plugins[edit]

Note that Tor Browser developers added a patch [11], which blocks all plugins except flash. To use other plugins, read the more advanced guide below.

How to use browser plugins - Advanced[edit]

If you don't like to use Tor Browser, you could install the mainstream Firefox, Chromium, Flash etc. For a discussion whether this is good or bad for anonymity, see the "More Security" section below.


## In Debian, Firefox is called Iceweasel.

sudo apt-get install iceweasel

Or Chromium.

sudo apt-get install chromium-browser chromium-browser-l10n

How to use browser plugins - More Security[edit]

Read the EASY chapter above first[edit]

Read the EASY chapter above first

Deactivate unneeded browser plugins[edit]

It's recommended to activate only plugins, you really use. On most browsers their is a pseudo URL 'about:plugins' to check which are activated. Go to Tor Browser -> Tools -> Plugins and deactivate all plugins, which you don't need, or even better, uninstall them.

Separate Tor Browser or Separate Whonix-Workstation dedicated to browser plugins[edit]

For best security use More than one Tor Browser behind an transparent or isolating proxy or even better, multiple VM snapshots or Multiple Whonix-Workstations.

SocksPort vs TransPort[edit]

Using the easy instructions above will cause Tor Browser to go through SocksPort and browser plugins such as Flash to go through TransPort. It may or may not make sense to either force both through a SocksPort (difficult) or to force both through the TransPort, see footnotes.




Download Flash directly from Adobe[edit]

If you insist on using it... For better security [12] or if Flash from the Debian repository does not work for you, Flash can be downloaded directly from Adobe.

(1) Go to https://get.adobe.com/flashplayer/otherversions/

(2) choose Linux (32-bit)

(3) choose 11.2 for other Linux (.tar.gz) 32-bit

(4) click on the Download now button

(5) you will see

An external application is needed to handle:



Verify, that you'll download from https.

(6) Download.

(7) Unpack.

(8) Follow the Installation instructions in the readme.txt.


  1. Features
  2. https://en.wikipedia.org/wiki/Malware
  3. Read Attack on Whonix and/or Design for details on how much effort would be needed.
  4. 4.0 4.1 For an overview about Flash Tracking Techniques and why Whonix users are much better off than users who run Tor and proxifiers and/or custom firewall rules, see chapter Flash / Browser Plugin Security
  5. Read Software Installation on Whonix-Workstation
  6. https://labs.riseup.net/code/issues/5363
  7. 7.0 7.1 Most "plugins over Tor" users probably use Mozilla Firefox and Flash on Microsoft Windows with a socksifier. They can be easily browser fingerprinted and probably even linked, see TorifyHOWTO/WebBrowsers and Tor Button FAQ.
  8. 8.0 8.1 That is because very few people use Tor Browser with plugins, which are routed through Tor. Also because Tor Browser was at Whonix build time manually configured to use a Tor's SocksPort (for stream isolation), while user-installed plugins will will be automatically routed Tor's TransPort. The SocksPort and the TransPort will go through different circuits and most times through different exit relays. That probably differs from the rest of the "Plugins over Tor" users group. For demonstration, see screenshot:
    Flash Leak Test SocksPort and TransPort
    you'll see, that the Tor Browser and Flash have different Tor exit IP's. It's questionable if that particular difference could and should be fixed and if situation had improved afterwards. Cite error: Invalid <ref> tag; name "five" defined multiple times with different content
  9. 9.0 9.1 See Change/Remove Proxy Settings for how to route Tor Browser through Tor's TransPort. Then both, Tor Browser and plugins would go through Tor's TransPort. This has been tested, see screenshot
    Flash leak test both transport.png
    . The question would be, if that would actually improve the situation talked about in earlier footnotes. There are probably only a very few using Tor Browser and plugins through the same circuit. (In a earlier footnote, it was mentioned, that they are still using Mozilla Firefox, even though that's even more discouraged.)
  10. Note that Tor Button in Tor Browser disables all plugins by the default settings. That decision is made by the Tor Browser developers, not by the Whonix developers. (Of course, the Whonix developers second their decision.)
  11. https://gitweb.torproject.org/torbrowser.git/tree/src/current-patches/firefox/0005-Block-all-plugins-except-flash.patch
  12. http://lists.debian.org/debian-security/2012/12/msg00025.html


Thanks to JonDos (Permission). (w) (w) [1] The "Restrict Flash Settings" chapter of the Whonix BrowserPlugins wiki page contains content from the JonDonym documentation How to anonymize Flash videos and applets page.

Random News:

Don't mind having your name connected to Whonix? Follow us. Twitter / Facebook / g+

Impressum | Datenschutz | Haftungsausschluss

https | (forcing) onion
Share: Twitter | Facebook | Google+
This is a wiki. Want to improve this page? Help welcome, volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.
  1. Broken link: https://anonymous-proxy-servers.net/forum/viewtopic.php?p=31220#p31220