SecBrowser ™ in Qubes OS: A Security-hardened, Non-anonymous Browser



SecBrowser ™ is a security-focused browser that provides better protection from exploits, thereby reducing the risk of infection from malicious, arbitrary code. A built-in security slider provides enhanced usability, as website features which increase the attack surface (like JavaScript) can be easily disabled. Since many of the features that are commonly exploited in browsers are disabled by default, SecBrowser ™'s attack surface is greatly reduced. Without any customization, SecBrowser ™’s default configuration offers better security than Firefox.[1] It also provides better protections from online tracking, fingerprinting and the linkability of activities across different websites.

SecBrowser ™ is a derivative of the Tor Browser Bundle (which itself is a derivative of Mozilla Firefox) but without Tor. This means that, unlike Tor Browser, SecBrowser ™ does not route traffic over the Tor network; its traffic is what is commonly referred to as "clearnet" traffic. Even without the aid of the Tor network, SecBrowser ™ still benefits from the numerous patches that Tor developers have merged into the code base. Even with developer skills, these enhancements would be arduous and time-consuming to duplicate in other browsers, with the outcome unlikely to match SecBrowser ™'s many security benefits. While browser extensions can be installed to mitigate specific attack vectors, this ad hoc approach is insufficient. SecBrowser ™ leverages the experience and knowledge of skilled Tor Project developers, and the battle-tested Tor Browser.

Security Enhancements

Table: SecBrowser ™ Security and Privacy Benefits

Feature | Description
Security Slider | Enables improved security by disabling certain web features that can be used as attack vectors.[2]
Default Tor Browser Add-ons |
  • HTTPS Everywhere: This browser extension encrypts communications with many major websites, making your browsing more secure.[3]
  • NoScript: NoScript can provide significant protection with the correct configuration.[4] NoScript blocks active (executable) web content and protects against cross-site scripting (XSS). "The add-on also offers specific countermeasures against security exploits".
Firejail (Linux only) | Firejail will be used as a sandboxing measure to restrict the SecBrowser process.[5]
Homograph Attack Protection | Fixes the internationalized domain name (IDN) homograph attack vulnerability present in standard Firefox and Tor Browser releases.[6][7]
Reproducible Builds | Build security is achieved through a reproducible build process that enables anyone to produce byte-for-byte identical binaries to the ones the Tor Project releases.[8][9]
WebRTC Disabled by Default | WebRTC can compromise the security of VPN tunnels by exposing the external (real) IP address of a user.[10][11]

Privacy and Fingerprinting Resistance

Research from a pool of 500,000 Internet users has shown that the vast majority (84%) have unique browser configurations and version information, which makes them trackable across the Internet. When Java or Flash is installed, this figure rises to 94%.[12] SecBrowser ™ shares its fingerprint with around three million other Tor Browser users, which allows people who use SecBrowser ™ to "blend in" with the larger population and better protect their privacy.

The EFF has found that while most browsers are uniquely fingerprintable, resistance is afforded via four methods:

  • Disabling JavaScript with tools like NoScript.
  • Use of Torbutton, which is bundled with SecBrowser ™ and enabled by default.
  • Use of mobile devices like Android and iPhone.
  • Corporate desktop machines which are clones of one another.

With JavaScript disabled, SecBrowser ™ provides significant resistance to browser fingerprinting.[13]

  • The User Agent is uniform for all Torbutton users.
  • Plugins are blocked.
  • The screen resolution is rounded down to 50 pixel multiples.
  • The timezone is set to GMT.
  • DOM Storage is cleared and disabled.

The EFF's Panopticlick fingerprint test shows that SecBrowser ™ resists fingerprinting.

Note: Because tracking techniques are complex, Panopticlick does not measure all forms of tracking and protection.

  • SecBrowser ™ conveys 6.26 bits of identifying information.
  • One in 76.46 browsers have the same fingerprint.
  • Browsers that convey fewer bits of identifying information are better at resisting fingerprinting.[14]

When Tor Browser's and SecBrowser ™'s HTTP headers are compared using Fingerprint Central's test suite, the results are nearly identical.

Table: Tor Browser vs SecBrowser ™ HTTP headers comparison.

Percentage (%) out of 1652 with fingerprints tags [Firefox,Windows]:

Name | Value | TorBrowser (%) | SecBrowser ™ (%)
User-Agent | Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0 | 2.48 | 2.42
Accept | text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | 97.15 | 97.15
Host | | 90.44 | 90.43
Content-Length | | 100.00 | 100.00
Accept-Language | en-US,en;q=0.5 | 32.63 | 32.95
Referer | [archive] | 69.37 | 69.35
Upgrade-Insecure-Requests | 1 | 83.05 | 83.04
Accept-Encoding | gzip, deflate, br | 82.14 | 82.13
Content-Type | | 100.00 | 100.00
Connection | close | 100.00 | 100.00

Install SecBrowser ™

Note: These instructions are only for Qubes' Debian VMs running buster or later versions!

SecBrowser ™ can be installed using tb-updater, a package developed and maintained by Whonix developers. When run, tb-updater seamlessly automates the download and verification of SecBrowser ™ (from The Tor Project's website). One of the many benefits of tb-updater is that the ability to disable Tor is prebuilt into the software. This improves usability and is convenient, since a security-focused clearnet browser (SecBrowser ™) is readily available. To start SecBrowser ™, users can choose between the start menu, the command line or a desktop starter.[15] Unlike other manual methods of disabling Tor, this greatly simplifies the procedure and lessens the chance of a configuration error.

New Qubes TemplateBasedVMs: Latest Tor Browser Version

Optional. It is possible to have a copy of the latest Tor Browser version made available to all freshly created AppVMs and DispVMs based upon the TemplateVM. Run the following command in the TemplateVM. [16]

sudo touch /etc/secbrowser-qubes

This setting utilizes the same mechanism used by Whonix to download Tor Browser in the Whonix-Workstation TemplateVM. See also: tb-updater in Qubes TemplateVM. With this setting, download-secbrowser runs automatically whenever the tb-updater package is updated.

Package Installation

The first step to install tb-updater is to add the Whonix repository. [17]

1. Download the Whonix signing key.

In an AppVM or DispVM, run.

curl --tlsv1.2 --proto =https --max-time 180 --output ~/patrick.asc

2. Copy the patrick.asc text file to the Debian TemplateVM.

qvm-copy patrick.asc

3. Change directory into the Qubes incoming files folder.

name-of-appvm needs to be replaced with the name of the AppVM where this file originated from.

In the TemplateVM.

cd ~/QubesIncoming/name-of-appvm

4. Display the key's fingerprint.

In the TemplateVM.

gpg --keyid-format long --import --import-options show-only --with-fingerprint patrick.asc

5. Compare the fingerprint displayed in the terminal to the one listed here.

6. In the Debian TemplateVM, import the Whonix signing key.

sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add patrick.asc

7. In the Debian TemplateVM, add the Whonix APT repository to Debian APT sources.

echo "deb buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list

In the Debian TemplateVM, update the package lists.

sudo apt-get update

Install the secbrowser package.

sudo apt-get install --no-install-recommends secbrowser
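
Steps 4 and 5 above compare the key fingerprint by eye. The following is an added example, not part of the Whonix documentation, that scripts the comparison so the key is only imported in step 6 when its fingerprint matches. The function names are hypothetical and the sample listing and fingerprint are constructed; the real expected fingerprint has to come from the page referenced in step 5.

```shell
#!/bin/sh
# Added example (not Whonix code): gate step 6 on the fingerprint check of
# steps 4-5. Function names are hypothetical; the sample key data is constructed.

# Summarize a `gpg --with-colons` key listing read from stdin as
# "<number of primary keys> <fingerprint of the first primary key>".
# The "fpr" record that follows a "pub" record holds the fingerprint in field 10.
key_summary() {
    awk -F: '$1 == "pub" { pubs++; want = 1; next }
             want && $1 == "fpr" { if (fpr == "") fpr = $10; want = 0 }
             END { print pubs + 0, fpr }'
}

# Drop whitespace and upper-case, so a fingerprint printed in groups compares equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# fpr_matches EXPECTED < listing
# Returns 0 on match, 1 on mismatch, 2 if EXPECTED is not a full 40-hex-digit
# fingerprint, 3 if the listing does not hold exactly one primary key.
fpr_matches() {
    expected=$(normalize_fpr "$1")
    [ "${#expected}" -eq 40 ] || return 2        # short key IDs are not enough
    case "$expected" in *[!0-9A-F]*) return 2 ;; esac
    summary=$(key_summary)
    pubs=${summary%% *}
    fpr=${summary#* }
    [ "$pubs" -eq 1 ] || return 3                # extra keys would be trusted too
    [ "$fpr" = "$expected" ]
}

# verify_key_file FILE EXPECTED: run the same check on a downloaded key file.
verify_key_file() {
    gpg --with-colons --with-fingerprint --import --import-options show-only "$1" \
        2>/dev/null | fpr_matches "$2"
}

# Constructed listing and fingerprint, NOT the Whonix signing key.
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF01234567:1400000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1400000000::0000000000000000000000000000000000000000::Example Signer <signer@example.invalid>:
sub:-:4096:1:0123456789ABCDEF:1400000000::::::e:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'
SAMPLE_FPR='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'

if printf '%s\n' "$SAMPLE_LISTING" | fpr_matches "$SAMPLE_FPR"; then
    echo "fingerprint matches: continue with step 6"
else
    echo "fingerprint check failed: do not import the key" >&2
fi
```

In the TemplateVM, `verify_key_file patrick.asc "<fingerprint from step 5>"` would run before the apt-key command of step 6, which is skipped on any non-zero status.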

Download SecBrowser ™

Manually In TemplateVM

If tb-updater has not been updated yet, Qubes users can run the following command in Qubes TemplateVM.

sudo download-secbrowser

You will be presented with "QUESTION: Download now?" followed by a choice of 3 options, for example n/9.0.2/9.5a3 (the versions are those at the time of writing this documentation). The default is n, which stands for "no", if you just press the Enter key. Otherwise, type in the full version number to indicate your choice of either the stable release (i.e. 9.0.2) or the alpha release (9.5a3).

When the download completes & is verified successfully, you will be prompted whether to Install now?. Type in y to proceed.

Power off the TemplateVM after installation so these changes can propagate to newly started TemplateBasedVMs.

In AppVM

SecBrowser ™ can be installed simply by running download-secbrowser in the Debian TemplateVM.

In the Debian TemplateVM, run.


Tor Browser Internal Updater

It is still possible to use the Tor Browser Internal Updater in TemplateBasedVMs.

Start SecBrowser ™

SecBrowser ™ can be started from the Qubes start menu.

Alternatively, run this command in an AppVM or DispVM terminal.


Alternatively, run this command in a dom0 terminal.

qvm-run <appvm_name> secbrowser

SecBrowser Settings and Configuration

TemplateVM vs AppVM

If users edit the TemplateVM to modify SecBrowser ™ behavior, all AppVMs created thereafter will inherit those changes. However, AppVMs created prior to the aforementioned edits will not benefit from any changes to the SecBrowser ™ configuration file in the TemplateVM.

While SecBrowser ™ has numerous security enhancements they can come at a cost of decreased usability. Since it is also highly configurable, security settings and behavior can be customized according to personal requirements.

Note: The following configuration steps are run in the Debian AppVM.

Security Slider

SecBrowser ™ has a “Security Slider” in the shield menu. This can increase security by disabling certain web features that are possible attack vectors. By default, the Security Slider is set to “Safest” which is the highest security level. This security level will prevent some web pages from functioning properly, so security needs must be weighed against the degree of usability that is required.

Private Browsing Mode

In the default configuration Tor Browser has private browsing mode enabled. This setting prevents browsing and download history as well as cookies from remaining persistent across SecBrowser ™ restarts. However, tb-starter includes a custom user_pref that disables private browsing mode when SecBrowser ™ is used.

When private browsing mode is disabled SecBrowser ™'s built-in "long-term linkability" protections are deactivated. This means users are vulnerable to attacks which can link activities between earlier and later browsing sessions. If privacy is paramount users can enable private browsing mode by commenting out the corresponding user preference.

1. Open the user.js configuration file in an editor.

nano ~/.secbrowser/secbrowser/Browser/TorBrowser/Data/Browser/profile.default/user.js

2. Next, comment out the line user_pref("browser.privatebrowsing.autostart", false); by prefixing it with "//".

Check the text block is identical to the one below.

// Normalize SecBrowser ™ behavior
user_pref("extensions.torbutton.noscript_persist", true);
//user_pref("browser.privatebrowsing.autostart", false);

If you prefer to keep private browsing mode disabled, it may be advantageous to install one or more anti-tracking browser extensions. The extensions Disconnect, Privacy Badger and uBlock Origin are all open-source and are generally recommended. Research which one(s) may be most suitable in the circumstances; their use cases are different.

Persistent NoScript Settings

tb-starter includes a user_pref that allows custom NoScript settings to persist across browser sessions. This is also a security vs usability trade-off.[18] If the SecBrowser ™ “Security Slider” setting is changed afterwards, all NoScript preferences are overridden and all custom, per-site settings are lost. This holds true regardless of whether the security setting was increased or decreased.

If the persistent NoScript setting is undesirable, this can easily be disabled by commenting out the corresponding user_pref.

1. Open the user.js configuration file in an editor.

nano ~/.secbrowser/secbrowser/Browser/TorBrowser/Data/Browser/profile.default/user.js

2. Next, comment out the line user_pref("extensions.torbutton.noscript_persist", true); by prefixing it with "//".

Check the text block is identical to the one below.

// Normalize SecBrowser ™ behavior
//user_pref("extensions.torbutton.noscript_persist", true);
user_pref("browser.privatebrowsing.autostart", false);

Remember Logins and Passwords for Sites

To increase usability, SecBrowser ™ can (by default) save site login information such as user names or passwords. This usability improvement was implemented by setting signon.rememberSignons to true, which allows this information to be saved across browser sessions.

If you prefer to disable this feature open user.js in an editor and comment out the corresponding user_pref.

1. Open the user.js configuration file in an editor.

nano ~/.secbrowser/secbrowser/Browser/TorBrowser/Data/Browser/profile.default/user.js

2. Next, comment out the line user_pref("signon.rememberSignons", true); by prefixing it with "//".

Check the text block is identical to the one below.

// Save passwords.
//user_pref("signon.rememberSignons", true);


SecBrowser ™ no longer opens with a red background and a message stating "Something Went Wrong! Tor is not working in this browser." [19] This warning was disabled by toggling the user preference extensions.torbutton.test_enabled to false. [20]

Download Alpha Versions

1. Create a /etc/secbrowser.d folder.

sudo mkdir /etc/secbrowser.d

2. Open /etc/secbrowser.d/50_user.conf in an editor with root rights.

sudo nano /etc/secbrowser.d/50_user.conf

3. Add the following setting.


4. Save the file.

The procedure is complete.


Whonix developers focus their efforts on advanced anonymity with Tor being a core component. Why develop a package that disables Tor?

The tb-updater package was developed with design goals focused on securely downloading and verifying Tor Browser. However, requirements for a new operating system under development -- a security-focused OS based on Hardened Debian (Kicksecure) -- called for a security-hardened clearnet browser. SecBrowser ™ (Tor Browser without Tor) met those requirements. Hence, the secbrowser wrapper that disables Tor was integrated into tb-updater and tb-starter.

What is Clearnet?

This term has two meanings:

  1. Connecting to the regular Internet without the use of Tor or other anonymity networks; and/or
  2. Connecting to regular servers which are not onion services, irrespective of whether Tor is used or not.

How does SecBrowser ™ disable Tor?

SecBrowser ™ supports custom user preferences ("user_pref") which can be used to change browser configuration and behavior. In tb-starter, the user preferences that disable Tor are located in /usr/share/secbrowser/user.js.[21][22] When SecBrowser ™ starts, this file is copied over to the corresponding SecBrowser ™ profile, where the custom user_pref(s) are parsed.[23]

Tor is disabled by setting the following three preferences to false.

user_pref("extensions.torbutton.startup", false);
user_pref("extensions.torlauncher.start_tor", false);
user_pref("network.proxy.socks_remote_dns", false);

SecBrowser ™ also sets various environment variables when started by its /usr/bin/secbrowser wrapper.
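
To check which of these preferences, and the ones from the settings sections above, are actually in effect in a given user.js, the following added example (not code from tb-starter or the Whonix project) parses the file and reports their state. The function names are hypothetical and the sample file is constructed from the preference lines shown on this page; only user.js is inspected, so values changed elsewhere in the profile are not seen.

```shell
# Added example (not Whonix code): report which preferences from this page are
# active in a user.js file. Function names are hypothetical.

# pref_value FILE NAME: print the effective value of NAME, or nothing when it is
# absent or commented out with "//". Later lines override earlier ones.
# Meant for the boolean prefs on this page, not for values containing ")".
pref_value() {
    awk -v name="$2" '
        {
            line = $0
            gsub(/[ \t\r]/, "", line)              # ignore spacing differences
            if (substr(line, 1, 2) == "//") next   # commented-out line
            key = "user_pref(\"" name "\","
            if (index(line, key) == 1) {
                val = substr(line, length(key) + 1)
                sub(/\).*$/, "", val)
            }
        }
        END { if (val != "") print val }' "$1"
}

# audit_userjs FILE: print one key=value finding per line.
audit_userjs() {
    tor=yes
    for p in extensions.torbutton.startup extensions.torlauncher.start_tor \
             network.proxy.socks_remote_dns; do
        [ "$(pref_value "$1" "$p")" = false ] || tor=no
    done
    echo "tor_disabled=$tor"
    # autostart=false turns private browsing off and with it the long-term
    # linkability protections.
    if [ "$(pref_value "$1" browser.privatebrowsing.autostart)" = false ]; then
        echo "private_browsing=off"
    else
        echo "private_browsing=on"
    fi
    for p in extensions.torbutton.noscript_persist signon.rememberSignons; do
        if [ "$(pref_value "$1" "$p")" = true ]; then s=on; else s=off; fi
        echo "$p=$s"
    done
}

# Constructed sample assembled from the preference lines shown on this page.
sample_userjs() {
    cat <<'EOF'
user_pref("extensions.torbutton.startup", false);
user_pref("extensions.torlauncher.start_tor", false);
user_pref("network.proxy.socks_remote_dns", false);
// Normalize SecBrowser behavior
user_pref("extensions.torbutton.noscript_persist", true);
//user_pref("browser.privatebrowsing.autostart", false);
// Save passwords.
user_pref("signon.rememberSignons", true);
EOF
}

tmp=$(mktemp) && sample_userjs > "$tmp" && audit_userjs "$tmp"
rm -f "$tmp"
```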

Can I use SecBrowser ™ in a Whonix-Workstation VM (anon-whonix)?

VMs behind Whonix-Gateway (sys-whonix) are always routed through Tor, meaning traffic would still be torified. However, this is strongly recommended against because using SecBrowser ™ will break Tor Browser's per tab stream isolation.

Can I use SecBrowser ™ in a VM torified by something other than Whonix to avoid Tor over Tor?

This is strongly recommended against because using SecBrowser ™ will break Tor Browser's per tab stream isolation. A complete implementation compatible with Tor Browser's per tab stream isolation would be much better.

Does the SecBrowser ™ option alter any other browser behavior?

No, the only changes to SecBrowser ™ are to the preferences previously shown.

Can I add my own custom preferences to change SecBrowser ™ behavior?

Yes, but this could degrade security and privacy. See: SecBrowser ™ Settings.

I have an idea to improve SecBrowser ™'s security. Can I submit a patch?

Many security enhancements, such as (in theory) adding compile time hardening options, need to be submitted upstream to The Tor Project. Patches to tb-updater, tb-starter or this wiki entry are always welcome!

Non-Affiliation with The Tor Project

SecBrowser ™ is a derivative of Tor® Browser, produced independently from the Tor® anonymity software and carries no guarantee from The Tor® Project about quality, suitability or anything else.


  1. [archive]
  2. [archive]
  3. [archive]
  4. [archive]
  5. [archive]
  6. For further information, see: very hard to notice Phishing Scam - Firefox / Tor Browser URL not showing real Domain Name - Homograph attack (Punycode). Without this change, URLs can be spoofed so users are deceived about what remote server they are communicating with, via substitution of characters that look alike ('homographs').
  7. [archive]
  8. [archive]
  9. [archive]
  10. [archive]
  11. [archive]
  12. [archive]
  13. [archive]
  14. [archive]
  15. [archive]
  16. [archive]
  17. However, as outlined in this Qubes issue, downloading GPG keys with APT will fail in TemplateVMs. To work around this issue the signing key can be downloaded in an AppVM and copied over to the Debian TemplateVM in a text file.
  18. See: NoScript Custom Setting Persistence.
  19. This notice is related to Tor Browser (with Tor) and can be safely ignored.
  20. [archive]
  21. [archive]
  22. [archive]
  23. [archive]


Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.
