Some Whonix users will want to download files from the Internet in order to achieve desired aims. Secure downloading of files is a complex subject and the potential security implications are poorly understood by most users.
Downloads with scurl - SSL Command Line Downloader
Note: This is for advanced users. In all cases, users should avoid downloading files over plain HTTP.
When using the command line to download files or webpages, resorting to the simple
wget command is ill-advised, because it is buggy. For example, if users do not force a request to use SSL encryption,
wget can fail silently. Even when SSL is enforced with a command line option, this can break interoperability with some sites that use self-signed, expired or invalid certificates. Users could potentially ignore certificate verification warnings and proceed with downloads where the site's authenticity is in question.
To provide greater security when downloading, scurl comes pre-installed in Whonix and provides a simple wrapper around curl. simply adds
--tlsv1.2 --proto =https to all curl instances to enforce strong encryption. It also has Stream Isolation in Whonix, because is a symlinked to , which will ultimately run . 
scurl is not vulnerable to SSLstrip. This is a man-in-the-middle attack which forces a user's browser to communicate with the adversary in plain-text over HTTP (poisoning the download). At present, scurl is available in Whonix and the command will generally not work in other distributions.
How-to: Invoke scurl
Note: In the examples below, the file will be saved in the user's current working directory. If the file should be saved elsewhere, change the current working directory before running scurl.
Also, if the
--remote-name parameter is used, scurl will write output to a local file with the same name as the remote file retrieved. Only the file part of the remote file is used and the path is cut off.
To invoke scurl to download a file, simply run (replace the https:// example with the actual file location).
scurl --remote-name https://dist.torproject.org/torbrowser/7.5.6/tor-browser-linux64-7.5.6_en-US.tar.xz
This will download tor-browser-linux64-7.5.6_en-US.tar.xz to the user's current working directory.
To invoke scurl to download a web page, run (replace the https:// example with the actual webpage).
All other curl/Linux features continue to work, such as storing the input inside of a file (change index.html to the desired file name).
scurl https://check.torproject.org > index.html
As expected, attempting scurl with plain HTTP will fail.
This will result in the following output.
curl: (1) Protocol http not supported or disabled in libcurl
Similarly, scurl fails with the following attempt.
Returning the following output.
curl: (1) Protocol http not supported or disabled in libcurl
Running scurl against a self-signed or invalid SSL certificate also fails.
This results in an error, for example.
curl: (60) SSL certificate problem: self signed certificate More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file is not adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
Secure Downloads with Tor Browser
Preventing SSLStrip Attacks
|If you click or paste a download link, make sure it is |
Users often mistakenly believe that a secure, green padlock and a
https:// URL makes any download from that particular website secure. This is not the case. The website might be redirecting to
In fact, the user may be vulnerable to an attempted SSLstrip attack if a link is pasted or typed into the address bar without the
https:// component (e.g.
torproject.org instead of
In this instance, the user cannot actually confirm if the file is being downloaded over
https://. Potentially, a SSLstrip attack might have made the download take place over plain
http. The reason is the user cannot see a padlock; it just appears empty.
To avoid the risk of an SSLstrip attack or similar threats, users should always explicitly type or paste
https:// in the URL / address bar. The SSL certificate button or padlock will not appear in this instance, but that is nothing to be concerned about. Unfortunately, few users follow this sage advice; instead most mistakenly believe pasting or typing www.torproject.org into the address bar is safe.
For even greater safety, where possible download files from onion services (.onion addresses). Greater security is provided by onion service downloads, since: the connection is encrypted end-to-end (with PFS), targeting of individuals is difficult, and adversaries cannot easily determine where the user is connecting to or from.
Also, if files are already available in repositories, then users should prefer mechanisms which simplify and automate software upgrades and installations (like apt-get functions), rather than download Internet resources. Avoid installing unsigned software and be sure to always verify key fingerprints and digital signatures of signed software from the Internet, before importing keys or completing installations.
Finally, consider using multiple Whonix-Workstations when downloading and installing additional software, to better compartmentalize user activities and minimize the threat of misbehaving applications.
- In Whonix 14 it will also use:
--remote-nameto simplify naming conventions for downloaded files.
- And that website does not:
- Use HTTP Strict Transport Security (HSTS). See also: https://security.stackexchange.com/questions/91092/how-does-bypassing-hsts-with-sslstrip-work-exactly. Without HSTS, sites with non-encrypted resources or sub-domains are vulnerable to SSLstrip.
- Have a HTTPS Everywhere rule in effect.
- Use HSTS preloading.
- Use HTTP Public Key Pinning. See also: https://news.netcraft.com/archives/2016/03/22/secure-websites-shun-http-public-key-pinning.html. HPKP limits trust to a handful of Certificate Authorities, but is not used by many websites due to the risk of site breakage if keys are not managed vigilantly.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.