Browser Plugins

From Whonix



We explain the risks of browser plugins (flash etc.), discuss some alternatives and finally explain how to use browser plugins anyway in the best possible secure manner.

Tor Browser[edit]

For information about Tor Browser in general, see Tor Browser.

Warning not to use them[edit]

warning against non-Free browser plugins Some popular plugins are non-Free, Closed Source software! See Warning, Avoid non-Free Software. Check if your browser plugin is Free Software before using it.

Quoted the Whonix ™ Features page [1]: "Java / JavaScript / flash / browser plugins / Malware [2] / misconfigured applications cannot leak your real external IP." "This is still not recommended as they may decrease anonymity (e.g. flash cookies) and often have security vulnerabilities. Some popular plugins are closed source. See Security in real world."

Although it is not recommended, we don't want to withhold the knowledge from you how to use browser plugins.

IP leaks are not easily possible.[3]

The concern against browser plugins can be broken down to:

1. Non-Free Software. See our warning box above.

2. Linkability: browser plugins use can be probably correlated to the same pseudonym. [4]

3. Fingerprinting: browser plugins can probably leak lots of information about your (virtual) operating system (Whonix-Workstation ™)

4. Security: some plugins have a history for remote exploits. More precise: the risk for your virtual operating system to get infected by trojan horses etc. is higher.

But anyway, of course you should look for alternatives first (see below), but if you insist on using browser plugins, an isolating/transparent proxy like Whonix ™ is probably your best bet. [4]

Avoiding browser plugins[edit]

Avoiding browser plugins and flash is better than using them.

Note that there are alternatives to browser plugins. Most of the workarounds aren't a 100% complete, perfect drop in replacement, but perhaps it works sufficient for you (for example, if you only need youtube). Alternatives are html5, gnash, flash video replacer, flash video download or using a flash video download and convert online service. There are also applications worth checking, such as youtuberipper, ClipGrab, minitube, Totem with totem-plugins-extra, etc. Discussing the flash alternatives in details is beyond the scope of Whonix ™.

Also the Tails folks prepared a good list of Flash alternatives, see Tails Flash support [archive].

If you still want to use browser plugins or flash, read below.

How to use Flash - EASY[edit]

warning against non-Free browser plugins Adobe Flash is non-Free, Closed Source software!
Make sure you have read our Browser_Plugins#Warning_not_to_use_them Warning not to use them above first!

If you insist on using browser plugins anyway (read warnings above), you can install new software [5] in Whonix-Workstation ™. Your best bet may be using the Tor Browser. JDownloader is a Libre alternative to Flash for downloading videos for local viewing.[6]

Your IP/location will still be hidden. Consider the plugin usage pseudonymous rather than anonymous. This is the EASY chapter, which does not include all security considerations. For those, read the whole page.

If you are using any plugins such as Flash, it will be probably known to the exit relay, exit relay's ISP and website, that you are a Whonix ™ user.




Install Flash.

Install flashplugin-nonfree.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the flashplugin-nonfree package.

Using apt-get command line parameter --no-install-recommends is in most cases optional.

sudo apt-get install --no-install-recommends flashplugin-nonfree

The procedure of installing flashplugin-nonfree is complete.

(2) Additionally, it might make sense to install Firefox (Tor Browser) Add-On BetterPrivacy BetterPrivacy [archive], which can be setup to delete Flash Cookies.

(3) Activate browser plugins in Tor Browser.

To activate browser plugins in Tor Browser [10] right click on Tor Button → Preferences... → Security Settings → uncheck: Disable Plugins during Tor usage. You have to restart Tor Browser.

(4) Updating Flash

Each time there is a new version of flash, you should update.

sudo update-flashplugin-nonfree --install --verbose

How to use other browser plugins[edit]

Note that Tor Browser developers added a patch [11], which blocks all plugins except flash. To use other plugins, read the more advanced guide below.

How to use browser plugins - Advanced[edit]

If you don't like to use Tor Browser, you could install the mainstream Firefox, Chromium, Flash etc. For a discussion whether this is good or bad for anonymity, see the "More Security" section below.

Firefox. [12] [13]

Install firefox-esr.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the firefox-esr package.

Using apt-get command line parameter --no-install-recommends is in most cases optional.

sudo apt-get install --no-install-recommends firefox-esr

The procedure of installing firefox-esr is complete.

Or Chromium.

Install chromium-browser chromium-browser-l10n.

1. Update the package lists.

sudo apt-get update

2. Upgrade the system.

sudo apt-get dist-upgrade

3. Install the chromium-browser chromium-browser-l10n package.

Using apt-get command line parameter --no-install-recommends is in most cases optional.

sudo apt-get install --no-install-recommends chromium-browser chromium-browser-l10n

The procedure of installing chromium-browser chromium-browser-l10n is complete.

How to use browser plugins - More Security[edit]

Read the EASY chapter above first[edit]

Read the EASY chapter above first

Deactivate unneeded browser plugins[edit]

It is recommended to activate only plugins, you really use. On most browsers their is a pseudo URL 'about:plugins' to check which are activated. Go to Tor Browser → Tools → Plugins and deactivate all plugins, which you don't need, or even better, uninstall them.

Separate Tor Browser or Separate Whonix-Workstation ™ dedicated to browser plugins[edit]

For best security use More than one Tor Browser behind an transparent or isolating proxy [archive] or even better, multiple VM snapshots or Multiple Whonix-Workstation ™.

SocksPort vs TransPort[edit]

Using the easy instructions above will cause Tor Browser to go through SocksPort and browser plugins such as Flash to go through TransPort. It may or may not make sense to either force both through a SocksPort (difficult) or to force both through the TransPort, see footnotes.




Download Flash directly from Adobe[edit]

warning against non-Free browser plugins Adobe Flash is non-Free, Closed Source software!
Make sure you have read our Browser_Plugins#Warning_not_to_use_them Warning not to use them above first!

If you insist on using it... For better security [14] or if Flash from the Debian repository does not work for you, Flash can be downloaded directly from Adobe.

(1) Go to [archive]

(2) choose Linux (64-bit)

(3) choose 11.2 for other Linux (.tar.gz) 64-bit

(4) click on the Download now button

(5) you will see

An external application is needed to handle:


Verify, that you'll download from https.

(6) Download.

(7) Unpack.

(8) Follow the Installation instructions in the readme.txt.


  1. Features
  2. [archive]
  3. Read Attack on Whonix ™ and/or Design for details on how much effort would be needed.
  4. 4.0 4.1 For an overview about Flash Tracking Techniques and why Whonix ™ users are much better off than users who run Tor and proxifiers and/or custom firewall rules, see chapter Flash / Browser Plugin Security
  5. Read Install_Software
  6. [archive]
  7. 7.0 7.1 Most "plugins over Tor" users probably use Mozilla Firefox and Flash on Microsoft Windows with a socksifier. They can be easily browser fingerprinted and probably even linked, see TorifyHOWTO/WebBrowsers [archive] and Tor Button FAQ [archive].
  8. 8.0 8.1 That is because very few people use Tor Browser with plugins, which are routed through Tor. Also because Tor Browser was at Whonix ™ build time manually configured to use a Tor's SocksPort (for stream isolation), while user-installed plugins will will be automatically routed Tor's TransPort. The SocksPort and the TransPort will go through different circuits and most times through different exit relays. That probably differs from the rest of the "Plugins over Tor" users group. For demonstration, see screenshot:
    Flash Leak Test SocksPort and TransPort
    you'll see, that the Tor Browser and Flash have different Tor exit IP's. It is questionable if that particular difference could and should be fixed and if situation had improved afterwards. Cite error: Invalid <ref> tag; name "five" defined multiple times with different content
  9. 9.0 9.1 See Change/Remove Proxy Settings for how to route Tor Browser through Tor's TransPort. Then both, Tor Browser and plugins would go through Tor's TransPort. This has been tested, see screenshot
    Flash leak test both transport.png
    . The question would be, if that would actually improve the situation talked about in earlier footnotes. There are probably only a very few using Tor Browser and plugins through the same circuit. (In a earlier footnote, it was mentioned, that they are still using Mozilla Firefox, even though that's even more discouraged.)
  10. Note that Tor Button in Tor Browser disables all plugins by the default settings. That decision is made by the Tor Browser developers, not by the Whonix ™ developers. (Of course, the Whonix ™ developers second their decision.)
  11. [archive]
  12. [archive]
  13. It is also possible to install the latest Firefox version [archive] on Debian.
  14. [archive]


Gratitude is expressed to JonDos [archive] for permission [archive] to use material from their website. (w [archive]) (w [archive]) [1] The "Restrict Flash Settings" chapter of the Whonix ™ BrowserPlugins wiki page contains content from the JonDonym documentation How to anonymize Flash videos and applets [archive] page.

Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Browser Plugins&body= link= Plugins link= Plugins link= Plugins%20 Plugins

Want to help create awesome, up-to-date screenshots for the Whonix ™ wiki? Help is most welcome!

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.