- 1 Introduction
- 2 Tor Browser
- 3 Warning not to use them
- 4 Avoiding browser plugins
- 5 How to use Flash - EASY
- 6 How to use other browser plugins
- 7 How to use browser plugins - Advanced
- 8 How to use browser plugins - More Security
- 9 Footnotes
- 10 License
We explain the risks of browser plugins (flash etc.), discuss some alternatives and finally explain how to use browser plugins anyway in the best possible secure manner.
For information about Tor Browser in general, see Tor Browser.
Warning not to use them
Although it is not recommended, we don't want to withhold the knowledge from you how to use browser plugins.
IP leaks are not easily possible.
The concern against browser plugins can be broken down to:
1. Non-Free Software. See our warning Box above.
3. Fingerprinting: browser plugins can probably leak lots of information about your (virtual) operating system (Whonix-Workstation ™)
4. Security: some plugins have a history for remote exploits. More precise: the risk for your virtual operating system to get infected by trojan horses etc. is higher.
But anyway, of course you should look for alternatives first (see below), but if you insist on using browser plugins, an isolating/transparent proxy like Whonix ™ is probably your best bet. 
Avoiding browser plugins
Avoiding browser plugins and flash is better than using them.
Note that there are alternatives to browser plugins. Most of the workarounds aren't a 100% complete, perfect drop in replacement, but perhaps it works sufficient for you (for example, if you only need youtube). Alternatives are html5, gnash, flash video replacer, flash video download or using a flash video download and convert online service. There are also applications worth checking, such as youtuberipper, ClipGrab, minitube, Totem with totem-plugins-extra, etc. Discussing the flash alternatives in details is beyond the scope of Whonix ™.
If you still want to use browser plugins or flash, read below.
How to use Flash - EASY
If you insist on using browser plugins anyway (read warnings above), you can install new software  in Whonix-Workstation ™. Your best bet may be using the Tor Browser. JDownloader is a Libre alternative to Flash for downloading videos for local viewing.
Your IP/location will still be hidden. Consider the plugin usage pseudonymous rather than anonymous. This is the EASY chapter, which does not include all security considerations. For those, read the whole page.
If you are using any plugins such as Flash, it will be probably known to the exit relay, exit relay's ISP and website, that you are a Whonix ™ user.
(3) Activate browser plugins in Tor Browser.
To activate browser plugins in Tor Browser  right click on Tor Button → Preferences... → Security Settings → uncheck: Disable Plugins during Tor usage. You have to restart Tor Browser.
(4) Updating Flash
Each time there is a new version of flash, you should update.
sudo update-flashplugin-nonfree --install --verbose
How to use other browser plugins
Note that Tor Browser developers added a patch , which blocks all plugins except flash. To use other plugins, read the more advanced guide below.
How to use browser plugins - Advanced
If you don't like to use Tor Browser, you could install the mainstream Firefox, Chromium, Flash etc. For a discussion whether this is good or bad for anonymity, see the "More Security" section below.
How to use browser plugins - More Security
Read the EASY chapter above first
Read the EASY chapter above first
Deactivate unneeded browser plugins
It is recommended to activate only plugins, you really use. On most browsers their is a pseudo URL 'about:plugins' to check which are activated. Go to Tor Browser → Tools → Plugins and deactivate all plugins, which you don't need, or even better, uninstall them.
Separate Tor Browser or Separate Whonix-Workstation ™ dedicated to browser plugins
For best security use More than one Tor Browser behind an transparent or isolating proxy [archive] or even better, multiple VM snapshots or Multiple Whonix-Workstation ™.
SocksPort vs TransPort
Using the easy instructions above will cause Tor Browser to go through SocksPort and browser plugins such as Flash to go through TransPort. It may or may not make sense to either force both through a SocksPort (difficult) or to force both through the TransPort, see footnotes.
Download Flash directly from Adobe
If you insist on using it... For better security  or if Flash from the Debian repository does not work for you, Flash can be downloaded directly from Adobe.
(2) choose Linux (64-bit)
(3) choose 11.2 for other Linux (.tar.gz) 64-bit
(4) click on the Download now button
(5) you will see
An external application is needed to handle: https://fpdownload.macromedia.com/get/flashplayer/pdc/188.8.131.520/install_flash_player_11_linux.i386.tar.gz [...]
Verify, that you'll download from https.
(8) Follow the Installation instructions in the readme.txt.
- https://en.wikipedia.org/wiki/Malware [archive]
- Read Attack on Whonix ™ and/or Design for details on how much effort would be needed.
- For an overview about Flash Tracking Techniques and why Whonix ™ users are much better off than users who run Tor and proxifiers and/or custom firewall rules, see chapter Flash / Browser Plugin Security
- Read Install_Software
- https://labs.riseup.net/code/issues/5363 [archive]
- Most "plugins over Tor" users probably use Mozilla Firefox and Flash on Microsoft Windows with a socksifier. They can be easily browser fingerprinted and probably even linked, see TorifyHOWTO/WebBrowsers [archive] and Tor Button FAQ [archive].
- That is because very few people use Tor Browser with plugins, which are routed through Tor. Also because Tor Browser was at Whonix ™ build time manually configured to use a Tor's SocksPort (for stream isolation), while user-installed plugins will will be automatically routed Tor's TransPort. The SocksPort and the TransPort will go through different circuits and most times through different exit relays. That probably differs from the rest of the "Plugins over Tor" users group. For demonstration, see screenshot: Cite error: Invalid
<ref>tag; name "five" defined multiple times with different content
- See Change/Remove Proxy Settings for how to route Tor Browser through Tor's TransPort. Then both, Tor Browser and plugins would go through Tor's TransPort. This has been tested, see screenshot
- Note that Tor Button in Tor Browser disables all plugins by the default settings. That decision is made by the Tor Browser developers, not by the Whonix ™ developers. (Of course, the Whonix ™ developers second their decision.)
- https://gitweb.torproject.org/torbrowser.git/tree/src/current-patches/firefox/0005-Block-all-plugins-except-flash.patch [archive]
- https://wiki.debian.org/Firefox [archive]
- It is also possible to install the latest Firefox version [archive] on Debian.
- http://lists.debian.org/debian-security/2012/12/msg00025.html [archive]
Gratitude is expressed to JonDos [archive] for permission [archive] to use material from their website. (w [archive]) (w [archive])  The "Restrict Flash Settings" chapter of the Whonix ™ BrowserPlugins wiki page contains content from the JonDonym documentation How to anonymize Flash videos and applets [archive] page.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)