Secure Command Line / Tor Browser Downloads

From Whonix


Frequently users will want to download files from the Internet in order to achieve desired aims. Secure downloading of files is a complex subject and the potential security implications are often poorly understood.

Downloads with scurl - SSL Command Line Downloader[edit]


Info Note: This is for advanced users. In all cases avoid downloading files over plain HTTP.

When using the command line to download files or webpages, resorting to the simple wget command is ill-advised because it is buggy [archive]. For example, if users do not force a request to use SSL encryption, wget can fail silently [archive]. Even when SSL is enforced with a command line option, this can break interoperability with some sites [archive] that use self-signed, expired or invalid certificates. Users could potentially ignore certificate verification warnings and proceed with downloads where the site's authenticity is in question.

To provide greater security when downloading, scurl [archive] comes pre-installed in Whonix ™ and provides a simple wrapper around curl [archive]:

  • /usr/bin/scurl [archive] simply adds --tlsv1.2 --proto =https to all curl instances to enforce strong encryption.
  • scurl-download [archive] additionally adds --location to follow redirects as well as --remote-name to use the filename suggested by the server. [1]

Stream Isolation is enforced in Whonix ™, because /usr/bin/curl is a uwt wrapper symlinked to /usr/lib/whonix/uwtwrapper, which will ultimately run /usr/bin/curl.real.

scurl is not vulnerable to SSLstrip [archive]. This is a man-in-the-middle attack which forces a user's browser to communicate with the adversary in plain-text over HTTP (poisoning the download). At present, scurl is available in Whonix ™ and the command will generally not work in other distributions.

How-to: Invoke scurl-download[edit]

Note: In the examples below, the file will be saved in the user's current working directory. If the file should be saved elsewhere, change the current working directory before running scurl.

To invoke scurl-download to download a file, simply run (replace the https:// example with the actual file location).


This will download tor-browser-linux64-9.5_en-US.tar.xz to the current working directory.

Figure: scurl Command in Whonix ™


To invoke scurl-download to download a web page, run (replace the https:// example with the actual webpage).


All other curl/Linux features continue to work, such as storing the input inside of a file (change index.html to the desired file name).

scurl > index.html

scurl Errors[edit]

As expected, attempting scurl with plain HTTP will fail.


This will result in the following output.

curl: (1) Protocol http not supported or disabled in libcurl

Similarly, scurl fails with the following attempt.


Returning the following output.

curl: (1) Protocol http not supported or disabled in libcurl

Running scurl against a self-signed or invalid SSL certificate also fails.


This results in an error, for example.

curl: (60) SSL certificate problem: self signed certificate
More details here:

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file is not adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Secure Downloads with Tor Browser[edit]

Preventing SSLStrip Attacks[edit]

Info If clicking or pasting a download link, make sure it is https://. The s in https:// stands for "secure".

Users often mistakenly believe that a secure, green padlock and a https:// URL makes any download from that particular website secure. This is not the case because the website might be redirecting to http. In fact, an SSLstrip attack [archive] might succeed if a link is pasted or typed into the address bar without the https:// component (e.g. instead of [archive]). [2]

In this instance, it is impossible to confirm if the file is being downloaded over https://. Potentially, a SSLstrip attack might have made the download take place over plain http. The reason is a padlock is not visible; it just appears empty.

To avoid this risk and similar threats, always explicitly type or paste https:// in the URL / address bar. The SSL certificate button or padlock will not appear in this instance, but that is nothing to be concerned about. Unfortunately, few users follow this sage advice; instead most mistakenly believe pasting or typing into the address bar is safe.

Other Precautions[edit]

For even greater safety, download files from onion services (.onion addresses) whenever possible. Improved security is provided by onion service downloads, since the connection is encrypted end-to-end (with PFS), targeting of individuals is difficult, and adversaries cannot easily determine where the user is connecting to or from.

Also, if files are already available in repositories, then prefer mechanisms which simplify and automate software upgrades and installations (like apt-get functions), rather than download Internet resources. Avoid installing unsigned software and be sure to always verify key fingerprints and digital signatures of signed software from the Internet, before importing keys or completing installations. For more on this topic, see: Installing Software Best Practices.

Finally, consider using Multiple Whonix-Workstation ™s when downloading and installing additional software, to better compartmentalize user activities and minimize the threat of misbehaving applications.

Outside of Whonix[edit]


curl --tlsv1.2 --proto =https --location --remote-name-all --remote-header-name


  1. write output to a local file with the same name as the remote file retrieved [archive]. Only the file part of the remote file is used and the path is cut off.
  2. And that website does not:

text=Jobs in USA
Jobs in USA

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: Twitter.png Facebook.png 1280px-Gab text logo.svg.png Iconfinder news 18421.png Rss.png Matrix logo.svg.png 1024px-Telegram 2019 Logo.svg.png Discourse logo.svg Reddit.jpg Diaspora.png Gnusocial.png Mewe.png 500px-Tumblr Wordmark.svg.png Iconfinder youtube 317714.png 200px-Minds logo.svg.png 200px-Mastodon Logotype (Simple).svg.png 200px-LinkedIn Logo 2013.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate whonix.png United Federation of Planets 1000px.png

Share: Twitter | Facebook

Please consider a recurring donation [archive]!

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.

Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint, Contact.