Actions

SecBrowser ™ in macOS: A Security-hardened, Non-anonymous Browser

From Whonix

< SecBrowser
SecBrowser ™ Icon



SecBrowser ™ in macOS is currently Unsupported.

SecBrowser ™ can be manually configured in macOS in a similar fashion to SecBrowser ™ in Microsoft Windows.

SecBrowser ™ in macOS Maintainer Wanted!

Introduction[edit]

SecBrowser ™ is a security-focused browser that provides better protection from exploits, thereby reducing the risk of infection from malicious, arbitrary code. A built-in security slider provides enhanced usability, as website features which increase the attack surface (like JavaScript) can be easily disabled. Since many of the features that are commonly exploited in browsers are disabled by default, SecBrowser ™'s attack surface is greatly reduced. Without any customization, SecBrowser ™’s default configuration offers better security than Firefox, Google Chrome or Microsoft Edge.[1] It also provides better protections from online tracking, fingerprinting and the linkability of activities across different websites.

SecBrowser ™ is a derivative of the Tor Browser Bundle (which itself is a derivative of Mozilla Firefox) but without Tor. This means unlike Tor Browser, SecBrowser ™ does not route traffic over the Tor network, which in common parlance is referred to as "clearnet" traffic. Even without the aid of the Tor network, SecBrowser ™ still benefits from the numerous patches [archive] that Tor developers have merged into the code base. Even with developer skills, these enhancements would be arduous and time-consuming to duplicate in other browsers, with the outcome unlikely to match SecBrowser ™'s many security benefits. While browser extensions can be installed to mitigate specific attack vectors, this ad hoc approach is insufficient. SecBrowser ™ leverages the experience and knowledge of skilled Tor Project developers, and the battle-tested Tor Browser.

Security Enhancements[edit]

Table: SecBrowser ™ Security and Privacy Benefits

Feature Description
Security Slider Enables improved security by disabling certain web features that can be used as attack vectors.[2]
Default Tor Browser Add-ons
  • HTTPS Everywhere: This browser extension encrypts communications with many major websites, making your browsing more secure.[3]
  • NoScript: NoScript can provide significant protection with the correct configuration.[4] NoScript blocks active (executable) web content and protects against cross-site scripting [archive] (XSS). "The add-on also offers specific countermeasures against security exploits".
Firejail (Linux only) Firejail will be used as a sandboxing measure to restrict the SecBrowser process. [5]
Homograph Attack Protection Fixes the internationalized domain name (IDN) homograph attack vulnerability [archive] present in standard Firefox and Tor Browser releases. [6] [7]
Reproducible Builds Build security is achieved through a reproducible build process that enables anyone to produce byte-for-byte identical binaries to the ones the Tor Project releases.[8][9]
WebRTC Disabled by Default WebRTC can compromise the security of VPN tunnels, by exposing the external (real) IP address of a user.[10][11]

Privacy and Fingerprinting Resistance[edit]

Research from a pool of 500,000 Internet users has shown that the vast majority (84%) have unique browser configurations and version information which makes them trackable across the Internet. When Java or Flash is installed, this figures rises to 94%.[12] SecBrowser ™ shares the fingerprint with around three million [archive] other Tor Browser users, which allows people who use SecBrowser ™ to "blend in" with the larger population and better protect their privacy.

The EFF has found [archive] that while most browsers are uniquely fingerprintable, resistance is afforded via four methods:

  • Disabling JavaScript with tools like NoScript.
  • Use of Torbutton, which is bundled with SecBrowser ™ and enabled by default.
  • Use of mobile devices like Android and iPhone.
  • Corporate desktop machines which are clones of one another.

With JavaScript disabled, SecBrowser ™ provides significant resistance to browser fingerprinting.[13]

  • The User Agent is uniform for all Torbutton users.
  • Plugins are blocked.
  • The screen resolution is rounded down to 50 pixel multiples.
  • The timezone is set to GMT.
  • DOM Storage is cleared and disabled.

The EFF's Panopticlick [archive] fingerprint test shows that SecBrowser ™ resists fingerprinting.

Note: Because tracking techniques are complex, Panopticlick does not measure all forms of tracking and protection.

  • SecBrowser ™ conveys 6.26 bits of identifying information.
  • One in 76.46 browsers have the same fingerprint.
  • Browsers that convey lower bits of identification are better at resisting fingerprinting.[14]

When Tor Browser's and SecBrowser ™'s HTTP headers are compared using Fingerprint central's test suite [archive] the results are near identical.

Table: Tor Browser vs SecBrowser ™ HTTP headers comparison.

Percentage (%) out of 1652 with fingerprints tags [Firefox,Windows]:

Name Value TorBrowser SecBrowser™
% %
User-Agent Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0 2.48 2.42
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 97.15 97.15
Host fpcentral.irisa.fr 90.44 90.43
Content-Length 100.00 100.00
Accepted-Language en-US,en;q=0.5 32.63 32.95
Referer https://fpcentral.irisa.fr/ [archive] 69.37 69.35
Upgrade-Insecure-Requests 1 83.05 83.04
Accepting-Encoding gzip, deflate, br 82.14 82.13
Content-Type 100.00 100.00
Connection close 100.00 100.00

Non-Affiliation with The Tor Project[edit]

SecBrowser ™ is a derivative of Tor® Browser, produced independently from the Tor® anonymity software and carries no guarantee from The Tor® Project [archive] about quality, suitability or anything else.

Footnotes[edit]



Follow: Twitter.png Facebook.png 1280px-Gab text logo.svg.png Rss.png Matrix logo.svg.png 1024px-Telegram 2019 Logo.svg.png Discourse logo.svg

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate whonix.png

Share: Twitter | Facebook

Interested in becoming an author for the Whonix News Blog [archive] or writing about anonymity, privacy and security? Please get in touch!

https [archive] | (forcing) onion [archive]

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.