Tor Browser Basics
Tor Browser [archive]  is a fork [archive] of the Mozilla Firefox ESR [archive] web browser. It is developed by The Tor Project [archive] and optimized [archive] and designed [archive] for Tor, anonymity and security.  Most will have browsed with Firefox and be familiar with the user interface that resembles those found in other popular, modern browsers. 
It is strongly encouraged to read this entire chapter so Tor Browser is used effectively and safely on the Whonix ™ platform. Advanced users may also be interested in the Tor Browser Adversary Model. Regularly consult the Tor Project blog [archive] to stay in tune with Tor / Tor Browser news and the latest release information. The Tor Browser release schedule for each platform can also be found here [archive].
Anonymity vs Pseudonymity
If browsers other than Tor Browser are used in Whonix ™, the IP address and Domain Name Service (DNS) requests  are still protected. However, only Tor Browser provides protocol level cleanup, which includes unique features like proxy obedience, state separation, network isolation, and anonymity set preservation.
In stark contrast to regular browsers, Tor Browser is optimized for anonymity and has a plethora of privacy-enhancing patches [archive] and add-ons.  By sharing the Fingerprint with around two million other people [archive],  Tor Browser users "blend in" with the larger population and better protect their privacy.
It is important to understand the difference between HTTP and HTTPS: 
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol [archive] (HTTP). It is used for secure communication [archive] over a computer network [archive], and is widely used on the Internet. In HTTPS, the communication protocol [archive] is encrypted [archive] using Transport Layer Security [archive] (TLS), or, formerly, its predecessor, Secure Sockets Layer (SSL). The protocol is therefore also often referred to as HTTP over TLS, or HTTP over SSL.
The principal motivation for HTTPS is authentication [archive] of the accessed website [archive] and protection of the privacy [archive] and integrity [archive] of the exchanged data while in transit. ...
HTTPS advantages include: 
- Authentication of the website and web server that is being communicated with.
- Protection against Man-in-the-middle Attacks.
- Bidirectional encryption of communications between a client and server. This protects against eavesdropping and tampering with / forging of communication contents.
- A reasonable expectation that the website being communicated with is genuine. 
In the Tor Browser context, this means HTTPS should be preferred over HTTP so communication is encrypted while browsing the Internet. While traffic is encrypted throughout the Tor network, the exit relay (third of three servers) can see traffic sent into Tor if it is plain HTTP. If HTTPS is used, the exit relay will only know the destination address. 
As an example, the screenshot below captures the browser appearance when visiting the Whonix ™ website. 
Figure: A Secure Connection to www.whonix.org
Take note of the small, left-hand area of the address bar. Indicators of an encrypted connection are
www.whonix.org is highlighted with a padlock and "Secure Connection" in green writing, and the URL begins with https:// instead of http://
HTTP / HTTPS Connections with and without Tor
The following figures from EFF provide an overview of HTTP / HTTPS connections with and without Tor, and what information is visible to various third parties. The descriptors are as follows: 
Potentially visible data includes: the site you are visiting (SITE.COM), your username and password (USER/PW), the data you are transmitting (DATA), your IP address (LOCATION), and whether or not you are using Tor (TOR).
Figure: Tor and HTTPS
Figure: Tor and No HTTPS
Figure: No Tor and HTTPS
Figure: No Tor and No HTTPS
Onion Services Encryption
Whenever possible, utilize Onion Services (
.onion addresses) so communications and web browsing stay within the Tor network. These resources are still commonly referred to as "hidden services", even when their location is publicly known. 
Onion Services Advantages
URLs ending in the
.onion extension provide a superior level of security and privacy, since the connection forms a tunnel which is encrypted (end-to-end) using a random rendezvous point within the Tor network; HTTPS is not required. These connections also incorporate perfect forward secrecy (PFS) [archive]. PFS means the compromise of long-term keys does not compromise past session keys. As a consequence, past encrypted communications and sessions cannot be retrieved and decrypted if long-term secrets keys or passwords are compromised in the future by adversaries. 
Onion services provide several other benefits: 
- Passive surveillance by both network observers and the Tor exit node is prevented, unlike the plain Tor + HTTPS configuration. Adversaries cannot easily determine which destination is being connected from/to.
- Onion services establish "rendezvous points" in the Tor network for web services, meaning neither the hosting service nor the user can discover the other's network identity.
- Onion services can be combined with SSL/TLS to provide additional protection. Only a handful of sites currently provide this service with v3 onions, such as DuckDuckGo: https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/ [archive]   
- Onion services do not use the insecure DNS system. Strong authentication comes from the self-authenticating address: the address itself forms a cryptographic proof of the
.onion's identity.  
To learn more about how onion services work, refer to the technical description.
Tor Browser Add-Ons
Any default add-ons that are installed in Tor Browser should not be removed or disabled in the
HTTPS Everywhere [archive] is a Firefox extension shipped in Tor Browser and produced as a collaboration between The Tor Project [archive] and the Electronic Frontier Foundation [archive]. It helps to encrypt communications with a number of major sites.
Many sites on the Internet offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, sites may default to unencrypted HTTP or fill encrypted pages with links that return to the unencrypted version of site. The HTTPS Everywhere extension addresses these problems by rewriting all site requests to HTTPS.
To learn more about HTTPS Everywhere, visit:
NoScript is a free, open source extension that comes bundled with Tor Browser and other Mozilla-based web browsers. NoScript can provide significant protection with the correct configuration: 
NoScript protects against cross-site scripting [archive] (XSS), whereby attackers inject malicious client-side scripts into destination web pages, bypassing the same-origin policy [archive].  The same-origin policy refers to web browser enforcement of permissions -- scripts in the first web page are usually only allowed to access data in a second web page if they have the same origin (URL scheme, hostname and port number). 
Security vs Usability Trade-off
- Whonix ™ is not a "secure browser" project - the focus is on creating a stable, reliable anonymity distribution which aligns with best practice security and privacy principles, informed by educated researchers in the field.
- Possible fingerprinting or security issues with default settings in Tor Browser are the domain of core Tor developers.
- Whonix ™ has limited manpower, meaning the resources do not exist to create a more secure browser, even if it was desirable. 
- Tor Browser is not significantly modified for the same reasons Whonix ™ does not modify or attempt to improve Tor. 
- Having Whonix ™ share the fingerprint of other Tor Browser users is good for anonymity.
NoScript Custom Setting Persistence
It is possible to save custom NoScript settings between browser restarts with a preference.  This preference is disabled by default, which means custom NoScript settings will not persist across successive Tor Browser sessions.
This preference sacrifices privacy for convenience and is therefore not recommended. While frequently visited sites do not require the constant enabling/disabling of scripts across separate Tor Browser sessions, a number of anonymity risks are introduced: 
- Disk hygiene: Tor Browser is designed to prevent the persistent storage of history records and other on-disk information. This preference violates that design principle by allowing the storage of NoScript per-site permissions, thereby increasing the chance an adversary can extract valuable information from that data.
- Long-term fingerprinting vectors: Persistent per-site settings allow a website to profile Tor Browser users, particularly if first-party isolation [archive] is not enforced. For example, consider the negative anonymity impact of whitelisting Google or Facebook, since their advertisements and tracking widgets are ubiquitous.
- Expert opinion: Experienced Tor developers have confirmed that enabling this preference is dangerous and caution should be exercised. 
Persistent NoScript Settings
If this is acceptable, in the Tor Browser address bar:
"Choose" I accept the risk!→
"Toggle" to true
This preference will be overridden and all custom per-site settings lost, if:
- The security slider setting is changed afterwards; or 
extensions.torbutton.noscript_persistis again set to
false,  since NoScript settings are reset after Tor Browser syncs with the Security Slider position.
As Tor Browser is based on Firefox, any browser add-on that is compatible with Firefox can also be installed in Tor Browser. In this context, add-ons are the collective name given to extensions, themes and plugins: 
- Extensions add new features to Firefox or modify existing ones, like video downloaders, ad blockers and so on.
- Themes change the appearance of the browser, such as buttons, menus and the background image.
- Plugins add support for Internet content and often include patented formats like Flash and Silverlight which are used for video, audio, online games and more. 
Non-default Add-on Risks
The Tor Project explicitly warns against using non-default add-ons with Tor Browser: 
However, the only add-ons that have been tested for use with Tor Browser are those included by default. Installing any other browser add-ons may break functionality in Tor Browser or cause more serious problems that affect your privacy and security. It is strongly discouraged to install additional add-ons, and the Tor Project will not offer support for these configurations.
Video websites, such as Vimeo make use of the Flash Player plugin to display video content. Unfortunately, this software operates independently of Tor Browser and cannot easily be made to obey Tor Browser’s proxy settings. It can therefore reveal your real location and IP address to the website operators, or to an outside observer. For this reason, Flash is disabled by default in Tor Browser, and enabling it is not recommended.
The problem with non-default add-ons is that they are often comprised of non-free software, which can lead to the linkage of activities conducted under one pseudonym. They also worsen fingerprinting and open up attack vectors in the form of remote exploits.
This advice holds true even though Whonix ™ is configured to prevent these applications (along with malware) from leaking the real external IP address, even if they are misconfigured (see Features). Before installing non-default add-ons, first consider the various alternatives such as HTML5 or online media converters. 
In Tor Browser, these features are handled from inside the browser, because it is a modified (patched) version of Firefox [archive] and it contains direct patches (based on the former Torbutton extension [archive]) that take care of application-level security and privacy concerns in Firefox. This means many types of active content are disabled. 
It is recommended to learn more about Fingerprinting and Data Collection Techniques to better understand the potential threats. Advanced users can also review detailed information about the former Torbutton design and its various functions here.
New Identity Function
The "New Identity" menu option sends the protocol command "signal newnym" to Tor's ControlPort. This clears the browser state, closes tabs, and obtains a fresh Tor circuit for future requests. 
Sometimes Tor only replaces the middle relay while using the same Tor exit relay; this is by design and the Tor default. Further, "signal newnym" does not interfere with long-lived connections such as an IRC connection.
New Identity is not yet perfect and there are open bugs; this is not a Whonix ™-specific issue.  For greater security, it is better to completely close Tor Browser and restart it. In Qubes-Whonix ™, the safest option when performing sensitive activities is using a Whonix-Workstation ™ DisposableVM. To completely separate distinct activities, shut down the DispVM and create a new one between sessions.
There are two ways to use the New Identity feature:
Left-click the Hamburger Icon→
Select "New Identity"
Left-click the 'broom' icon in the URL bar
New Tor Circuit Function
The "New Tor Circuit for this Site" feature creates a new circuit for the current Tor Browser tab, including other open tabs or windows from the same website.  If it is really necessary to separate contextual identities, it is always safer to close and then restart Tor Browser.
There are several, potential use cases for this feature: 
- The Tor exit relay is located in a country which negatively affects the presentation of the website due to language localization.
- The site is censored due to the current Tor exit relay in use (caused by Tor IP address blacklisting).
- To bypass Google CAPTCHA [archive] or reCAPTHA [archive] systems protecting sites from abuse if these are showing unsolvable captcha or no captcha at all.
- Connections to websites become unresponsive or slow.
- To change the Tor exit relay IP address without losing all open tabs.
To use it:
Left-click the Hamburger Icon →
Select "New Tor Circuit for this Site"
Advanced users who want to learn more about this function should refer to the New Tor Circuit Design entry.
Check for Tor Browser Update
Notifications will automatically appear if a Tor Browser update is available; see Tor Browser Internal Updater for further information and screenshots of this process. Note that multiple methods exist for updating Tor Browser.
To manually check for Tor Browser updates:
Enter about:preferences in the URL bar →
Scroll down to "Tor Browser Updates" →
Click "Check for updates"
Readers who are interested in why the "Open Networking Settings" and "Tor Circuit View" features have been disabled in Whonix ™ can learn more here.
Tor Browser: How-To
Tor Browser includes a “Security Slider” that allows the disabling of certain web features that can be used to compromise security and anonymity. At present there are three levels: "Safest", "Safer" and "Standard". It is necessary to make a trade-off between security, usability and privacy. At the higher levels the slider will prevent some sites from working properly.  Note that as of Tor Browser release v8.5, the security slider function has shifted to the taskbar.  
To use this feature:
Click Security Level button (taskbar 'shield') →
Click "Advanced Security Settings..." →
Select desired security level
To learn more about the exact effect of each setting level, refer to the Security Slider design entry. For information on related Tor plans for redesigning browser security controls, see here [archive].
Start Tor Browser
From the Menu
Start Tor Browser.
Using Tor Browser Starter by Whonix ™. 
From the Command Line
Using Tor Browser Starter by Whonix ™.
From the command line, Tor Browser can either be started normally, in verbose mode or in debugging mode (see next sections).
Open a terminal.
To start Tor Browser "normally" in a terminal, run.
In Verbose Mode
Using Tor Browser Starter by Whonix ™.
This will show verbose output messages which might be useful for the user to identify eventual issues issue. In doubt, Support might help interpreting these messages. Verbose mode is not useful unless there are actual issue or for purpose of curiosity. In the latter case, please se support request policy.
Open a terminal.
To start Tor Browser Starter by Whonix ™ in verbose mode in a terminal, run.
bash -x torbrowser
In Debugging Mode
If Tor Browser problems emerge, launch it from the command line in debugging mode for detailed output. This will show verbose output messages which might be useful for the user to identify the issue. In doubt, Support might help interpreting these messages.
Starting Tor Browser directly without Tor Browser Starter by Whonix ™.
Open a terminal.
To start Tor Browser in debugging mode, run. 
Successful Tor Browser Connection
Figure: Successful Tor Network Check in Whonix ™
Whonix ™ protects against the threats outlined below, such as files that inadvertently or maliciously attempt to reveal the real IP address of the user, or third-party, external applications that can leak information outside of Tor. Despite this protection, it is recommended to always follow best safety practices.
Do not Open Documents Downloaded via Tor while Online
The Tor Project explicitly warns against opening documents handled by external applications. The reason is documents commonly contain Internet resources that may be downloaded outside of Tor by the application that opens them. 
This warning is not strictly relevant to the Whonix ™ population since all traffic is forced over Whonix-Gateway ™ and the IP address will not leak. Nevertheless, for better safety files like PDFs and word processing documents should only be opened in offline VMs.
Malicious files or links to files pose a greater threat and can potentially compromise your system. Therefore, follow the wiki advice and avoid opening random links or files in Whonix-Workstation ™. Instead:
- Qubes-Whonix ™: It is preferable to sanitize the PDF [archive] or open the file or link in a DisposableVM.
- Non-Qubes-Whonix ™: The file should only be opened in a separate, offline Whonix-Workstation ™.
Do not Torrent over Tor
See File Sharing.
Preventing SSLStrip Attacks
A common misconception is that a secure, green padlock and a
https:// URL makes any download from that particular website secure. This is not the case because the website might be redirecting to
http. In fact, an SSLstrip attack [archive] might succeed if a link is pasted or typed into the address bar without the
https:// component (e.g.
torproject.org instead of
https://torproject.org [archive]) -- the reason is a padlock is not visible; it just appears empty. 
To avoid this risk and similar threats, always explicitly type or paste
https:// in the URL / address bar. The SSL certificate button or padlock will not appear, but that is nothing to be concerned about. Unfortunately, few people follow this sage advice; instead most mistakenly believe pasting or typing www.torproject.org into the address bar is safe.
For improved safety when downloading files or installing software, follow the advice below.
Table: Software and File Download Advice
|File Source and Verification||
|Multiple Whonix-Workstation ™||Consider using Multiple Whonix-Workstation ™ when downloading and installing additional software. It is safer to compartmentalize discrete activities and minimize the threat of misbehaving applications.|
|Onion Service Downloads||Files should be downloaded from Onion Services (via .onion addresses) whenever possible. Onion service downloads improve security for several reasons: |
For those who regularly download Internet files, Tor Browser's default download folder is inconvenient. For example, if the sample image below was downloaded with Tor Browser, the download path is
/home/user/.tb/tor-browser/Browser/Downloads by default. It is time-consuming to navigate to this folder so far down the directory tree.
Figure: Default Tor Browser Download Folder
To make things simpler, the following steps change Tor Browser preferences so files are saved directly inside
To access files that were stored inside the "wrong" download folder, please press Expand on the right.
Prioritize Onion Connections
The release of Tor Browser v9.5 provides a new Onion Location function: 
Website publishers now can advertise their onion service to Tor users by adding an HTTP header. When visiting a website that has both an .onion address and Onion Location enabled via Tor Browser, users will be prompted about the onion service version of the site and will be asked to opt-in to upgrade to the onion service on their first use.
This feature has been implemented across the entire
whonix.org ecosystem, including the homepage, wiki, forums, phabricator and repository. 
Figure: Onion Location Indicator for Whonix ™ Forums
Once the "Always Prioritize Onions" option is set in Tor Browser, the relevant onion resource will always be preferred in the future. If you want to only upgrade to the onion resource one time, click "Not Now" and then press the "Onion Available" button one more time. This browser feature is located in
about:preferences#privacy and can be changed at any time. 
Figure: Prioritize the Onion Site
Figure: Prioritized Whonix ™ Onion Forums
Security impact: none. 
For security improvement it might help to force connections to onions for websites that are reachable over clearnet and onion. This is currently only documented for Forcing .onion on Whonix.org but undocumented for arbitrary websites. Doing so would be possible as per Free Support Principle.
In 2020, the stable and experimental Tor Browser binaries with additional language packs support 32 languages. Recent additions include: Catalan, Irish, Indonesian, Icelandic, Norwegian, Danish, Hebrew, Swedish, Traditional Chinese, Macedonian and Romanian.    For instructions on changing the Tor Browser interface to a language other than English, see Tor Browser Language. 
Sometimes it is necessary to access the local application interface on
127.0.0.1 in order to run specific applications like I2P.  Due to potential fingerprinting and information leakage risks, this behavior is no longer possible in Tor Browser unless an exception is configured.  
To configure an exception for local connections in Tor Browser: 
General Tab →
Network Proxy | Settings... →
No Proxy for: "127.0.0.1" →
The configured exception means a small trade-off in privacy, but it is much safer than using another browser (see Local Connections Exception Threat Analysis).
For better anonymity:
- Set passwords for web interfaces listening on the localhost.
- Run sensitive daemons with local WebGUIs on a separate, dedicated Whonix-Workstation ™ and virtual network instance. TODO: expand or link how to do that
Bypass Tor Censorship
- A DNS query-based list used to tag IP addresses.
- Blocking software like Akamai [archive] and Cloudflare [archive].
- Other individual blocks.
There are various ad-hoc methods available to try and circumvent blocks. In most cases it is unnecessary to create a tunnel which pairs Whonix ™ with other protocols (such as a VPN) in order to access the content.
The following services fetch content via other websites, which is a privacy trade-off. Further, only some services are effective with embedded, non-static content or support specific file types like PDF, .exe and mp3. 
Table: Tor Censorship Circumvention Options 
|Service||URL||Comment||Non-static Embedded Content||PDF, .exe, mp3|
|The Internet Archive's WaybackMachine||web.archive.org/save/_embed/<URL>||Archive.org respects robots.txt restrictions, works best with JS enabled||No||Yes|
|Archive.is||archive.is/?run=1&url=<URL>||Ideal for news sites, doesn't require JS||No||No|
|Google Cache||webcache.googleusercontent.com/search?q=cache:<URL without "http://">||Google sometimes blocks these requests||No - static only||No|
||Not always efficacious||No||No|
||Not always efficacious||No||No|
|Online Proxies||hide.me/en/proxy, www.proxysite.com, hidester.com/proxy||-||Yes||Yes|
The Tor community also recommends: 
To avoid captchas that are sometimes required when visiting YouTube, use hooktube.com/ (behind Cloudflare).
imgur.com blocks Tor uploads, to upload images on an imgur domain go to a stackexchange website (for example tor.stackexchange.com), click on Ask a Question, use the image upload tooltip to upload the image, the resulting url will have a i.stack.imgur.com/... form.
Harden Tor Browser
Anonymity and safety can be materially improved via: AppArmor, Firejail confinement, Tor Browser settings, sandboxing, multiple Tor Browser instances, and operation of Whonix-Workstation ™ DisposableVMs (Qubes-Whonix ™) or multiple Whonix-Workstation ™.
Tor Browser provides reasonable security in its stock configuration. However, mitigating the risk of Tor Browser security breaches makes sense, because it is an untrusted application with a huge attack surface; it is frequently attacked successfully in the wild by adversaries.
Table: Tor Browser Hardening Options
sudo apt-get update
sudo apt-get install apparmor-profile-torbrowser
|Firejail Confinement||Firejail can be used as an alternative sandboxing measure to restrict the Tor Browser process. The Tor Browser Starter by Whonix developers in Whonix testers repository includes a “hardening” option that permits certain features to be enabled that on the upside increase security, but on the downside might decrease anonymity. 
It is necessary to make a trade-off between security, usability and privacy. With “hardening” enabled, certain website features might be non-functional or Tor Browser may no longer start after an upgrade. Also, the fingerprint seen by websites ('web fingerprint') might reveal subtle differences between Tor Browser instances that have enabled this feature compared to the default configuration. The population of Linux Tor Browser users who regularly utilize Firejail is likely to be tiny. At the time of writing (2019) there were no reports confirming a detectable fingerprint, but there is also no known research being undertaken in this area.    This issue is not within the control of the Whonix ™ project.
To use this feature, apply the following instructions.
|Multiple Tor Browser Instances and Whonix-Workstation ™||
|Sandboxing and DisposableVMs||
|Tor Browser Series and Settings||
Update Tor Browser
Unfortunately, updating Tor Browser is more complex than regular system updates due to technical limitations outside of Whonix's control.  However, the following instructions will keep Tor Browser up-to-date at all times.
There are three options for updating Tor Browser in Whonix ™:
- The Whonix ™ Tor Browser Downloader. 
- Tor Browser's Internal Updater. 
- Tor Browser manual updates.
The first two methods are suitable in most circumstances. Manual updates are only required if the Whonix ™ Tor Browser update script ever breaks. Never continue to use an outdated version of Tor Browser, otherwise serious security flaws may degrade anonymity or result in a VM compromise. 
Tor Browser Downloader by Whonix ™
Manual Download Version Choice
If the online detected version (for example
INFO: Online detected version: 10.0.7) is different from the version number intended for download, it is possible to manually choose the download version on the command line. This can be useful when a new version of Tor Browser has been released but the version file  has not been updated yet by The Tor Project. The version file which is used to programmatically detect the latest Tor Browser version is usually updated a few days after new releases. 
It is possible to download over onion rather than clearnet.
To permanently set downloads over onion, apply the following instructions.
Alternatively, the following command could be used to download over onion only once.
It is possible to configure the downloading of alpha rather than stable Tor Browser versions. Becoming a tester is a helpful way to contribute to Whonix ™.
To permanently enable downloading alpha versions, apply the following instructions.
Alternatively, the following command could be used to download the alpha version only once.
Note: Tor Browser Downloader (Whonix ™) is really just a downloader, not an updater. This means it is incapable of retaining user data such as bookmarks and passwords. In order to preserve data, use the Internal Updater method instead.
To use Tor Browser Downloader (Whonix ™), follow these instructions in Whonix-Workstation ™.
Download Confirmation Notification
This step is designed to keep Whonix ™ users safe, since at present there is no reliable and secure way for a program to determine the latest stable version of Tor Browser with reasonable certainty.   When the version format changes, the automated parser of version information could falsely suggest:
- An earlier stable version that is still considered secure.
- An alpha series release.
- A beta Tor Browser build.
- A release candidate or nightly Tor Browser build.
To counter these threats, user intelligence is utilized as a sanity check. The Download Confirmation Notification provides a way to detect such situations and abort the procedure. In this instance, it is recommended to rotate the Tor circuits and attempt the download process again.
Version numbers that are visible under Online versions come from an online resource. The Tor Browser RecommendedTBBVersions [archive] versions file is provided by The Tor Project, and is parsed by Whonix ™ Tor Browser Downloader. The Whonix ™ downloader will indicate that no upgrade is required if the installed Tor Browser version matches the up-to-date online version.
Installation Confirmation Notification
This step is also designed to protect users, since at present there is no reliable and secure way for a program to determine (with reasonable certainty) if the Tor Browser download was targeted by an indefinite freeze or rollback attack.  
When verifying cryptographic signatures, several important aspects must be considered:
- The signature should be made by a trusted key.
- Trusted keys will have signed other files in the past. It is also necessary to check if the right file was received, and not just any file that was signed by a trusted key.
- Even if the correct file type is received,  it is necessary to check it has a current signature attached and not a historical one. This step counters the threat of indefinite freeze and rollback attacks.
By the time the Installation Confirmation Notification is visible, the verification of the signature (and hash) will have already succeeded. However, the signature creation dates in the figure below must be carefully examined to confirm that an indefinite freeze or downgrade attack did not occur.
Previous Signature Creation Date: When Tor Browser was previously installed by tb-updater, the creation date of the accompanying signature that signed Tor Browser will have been stored. The Previous Signature Creation Date field displays that date.
Last Signature Creation Date: This field displays the date of signature creation for the downloaded file.
Figure: Tor Browser Installation Confirmation
In Qubes-Whonix ™
Unfortunately, updating Tor Browser is more complex than regular system updates due to technical limitations outside of Whonix's control.  Apply the following instructions to keep Tor Browser up-to-date at all times.
New AppVMs and DisposableVMs
In Qubes-Whonix ™, Tor Browser Downloader by Whonix (
update-torbrowser) automatically runs when the Whonix-Workstation ™ TemplateVM (
tb-updater is updated. Therefore, running Tor Browser Downloader by Whonix inside the TemplateVM (
whonix-ws-15) ensures that new AppVMs and DispVMs are created with a copy of the latest Tor Browser version.
If the Tor Browser Downloader by Whonix package
tb-updater has not been updated yet, it is advised to manually run it in the Whonix-Workstation ™ TemplateVM (
whonix-ws-15). For instructions, see Tor Browser Downloader by Whonix ™.
For further information on installing, updating and using Tor Browser in Qubes DispVMs, see: How to use DisposableVMs in Qubes-Whonix ™.
Follow these steps to update Tor Browser in an existing Whonix-Workstation ™ AppVM such as
- Start Tor Browser:
Qubes Start Menu→
Whonix-Workstation ™ AppVM (commonly called anon-whonix)→
- Use Tor Browser Internal Updater.
Tor Browser Downloader (by Whonix ™ developers):
Tor Browser Downloader (by Whonix ™ developers) is useful to run in:
Whonix-Workstation ™ TemplateVM(
whonix-ws-15): to ensure that new AppVMs and DispVMs are created with a copy of the latest Tor Browser version.
Whonix-Workstation ™ AppVM(
anon-whonix): to re-install the latest Tor Browser version in existing Whonix-Workstation ™ AppVMs.
Tor Browser Downloader (by Whonix ™ developers) less useful to run in:
- DispVMs: because upgrades won't persist
Tor Browser Downloader (by Whonix ™ developers) should not be run in:
- DisposableVM Template (
Tor Browser is useful to run in:
Whonix-Workstation ™ AppVM(
Tor Browser should not be run in:
Whonix-Workstation ™ TemplateVM(
- DisposableVM Template (
Tor Browser Downloader (by Whonix ™ Developers):
- Can only automate what is supported by upstream, The Tor Project anyhow.
- Is fully optional. A usability feature. It does not do anything that could not also be done manually by the user.
First, exercise: verify Tor Browser according to upstream instructions [archive]. Unrelated to Whonix ™. If that is not possible, if that includes "key expired" then nothing that can be fixed in Whonix ™.
Tor Browser Internal Updater
Tor Browser upgrades are possible from within the browser.  When a new Tor Browser version is available but the browser has not completed an automatic upgrade in the background (the default), a warning prompt appears recommending a manual upgrade. To upgrade, either:
Enter about:preferences in the URL bar→
Scroll down to "Tor Browser Updates"→
Click "Check for updates"; or
About Tor Browser→
Wait until the download finishes→
Restart to update Tor Browser
Figure: Tor Browser Update Notification
Using Tor Browser Internal Updater automatically makes use of its built-in software signatures verification feature.  Manual software resignation verification is not required when using this update method.
Tor Browser Manual Update
Modern Tor Browser releases are generally easy to install and update on well-supported platforms like Whonix ™, leading most to have a comfortable and reliable experience over long periods. However, if/when Tor Browser "breaks", some might find it difficult to perform a manual installation. 
Whonix ™ Bugs
Sometimes Tor Browser Downloader inside Whonix-Workstation ™ breaks because torproject.org changes the way Tor Browser can be downloaded or verified. This program is maintained by the Whonix ™ contributors and The Tor Project is not responsible for necessary fixes. Generally, Whonix ™ news [archive] will be published within a few days with working instructions on how to fix the problem. If this does not happen, then Whonix ™ developers are unaware of the issue.
Any bugs should be discussed in the Whonix ™ User Help Forum [archive] or Bug Tracker [archive]. To date, no bugs were ever discovered in Tor Browser that were directly related to Whonix ™ code and which might cause serious problems such as website pages failing to load.
The manual Tor Browser download procedure assumes basic knowledge of:
- Software Verification: The Tor Browser package must be verified with PGP, using the associated file signature and Tor signing keys (relevant links are provided). 
- Troubleshooting: If Tor Browser problems occur in Whonix ™ such as webpages failing to resolve, then:
- The same tests should be performed on the host (Non-Qubes-Whonix) or in a non-Whonix ™ VM (Qubes-Whonix ™); see Non-Whonix ™ Tor Browser. This step helps to determine whether the problem is related to Whonix ™ or not.
- It is also sensible to search for the problem on torproject.org's bug tracker [archive] and report a bug upstream if it has not been notified yet. In that case, when upstream (TPO) fixes the issue, the issue will most likely also get fixed in Whonix ™.
Unsafe Tor Browser Habits
It is important to develop a set of safe habits when communicating, browsing or downloading with Tor Browser. Even the world's premier anonymity software cannot protect people if they shoot themselves in the foot.
The following is an inexhaustive list of unsafe behaviors. It is recommended to also read the Whonix ™ Tips on Remaining Anonymous entry, along with Tor Project documentation [archive] before using Tor Browser for serious activities necessitating anonymity.
Table: Unsafe Tor Browser Habits
|Category||Unsafe Configuration or Behavior|
|Add-ons||Add non-default add-ons to Tor Browser. |
Configure persistent, customized NoScript settings.
Remove or disable default add-ons in Tor Browser.
|Anonymity Modes||Mix modes of anonymity. |
Fail to compartmentalize Tor Browser activities.
|Bookmarks||Use the bookmarking feature in Tor Browser; bookmarks can be used as a tracker if the page is special/unique to you.  |
|Bridges||Expect that Tor relay bridges will absolutely disguise all use of Tor / Tor Browser.|
|Browser Settings||Change browser settings if the implications are unknown.  |
Maximize or change [archive]  the default window size setting  -- Letterboxing [archive] which was introduced in Tor Browser version 9 does not change this recommendation. 
|Communications||Send "anonymous" communications or other data over unencrypted channels using plain HTTP [archive].|
|File Downloads||Torrent over Tor. |
Open documents or other files downloaded by Tor while online.
Open random files or links.
Paste or type download links into the address bar without
Download and install unsigned software from the Internet.
Download and install signed software or import keys without first verifying key fingerprints and digital signatures.
|HTML5 Canvas Image Data||Allow extraction of canvas image data by websites.|
|Identities||Disclose identifying data. |
Maintain long term identities.
Use different online identities at the same time.
|Logins||Login to Google, Facebook or other corporate accounts with a real name or pseudonym.  |
Login to accounts that have ever been used without Tor.
Generally login to banking, financial, personal or other important accounts.
|Local Connections||Configure a local connection exception for applications, unless aware of the risks.|
|Multiple Tab Isolation||Do not assume that different tabs in Tor Browser are completely isolated and recognized as different pseudonyms by destination websites. Tor Browser has some first party isolation that isolates local storage such as cookies per-website. However, there are certain side channel attacks that can be used to bypass this.  FingerprintJS (Browser Tests) demonstrates its capability of linking two different tabs in Tor Browser to the same identifier. A malicious or compromised website may also be able to exploit a vulnerability in the browser to see your activities in website y since Firefox's sandbox does not isolate websites from each other yet.  Better use Multiple Whonix-Workstation ™.|
|Networking||Configure Tor Browser so that it leads to a Tor over Tor scenario.|
|Other Browsers||Use browsers other than Tor Browser with Tor. |
Use a clearnet browser and Tor Browser at the same time.
|Passwords and Usernames||Save passwords and usernames with the Tor Browser Password Manager [archive] feature.    |
|Personal Websites and Links||Visit personal websites over Tor. |
Be the first person to spread a personal link.
|Phone Verification||Use (mobile) phone verification.|
|Proxy Settings||Change or remove default proxy settings if unaware of the implications.|
|Qubes-Whonix ™||Launch Tor Browser in a TemplateVM (|
Launch Tor Browser Downloader in a DisposableVM Template (
|Server Connections||Connect to a server anonymously and non-anonymously at the same time.|
|Tor Browser Functions||Use the "New Identity" and "New Tor Circuit for this Site" functions and expect complete anonymity in the following browsing session.|
|Updates||Ignore download and/or installation confirmation notifications or warnings when updating Tor Browser. |
Use an outdated version of Tor Browser.
|User Mentality||Feel invincible running Tor Browser (irrespective of the platform), due to significant adversary capabilities and interest in unmasking or infecting Tor users.|
|Virtual Machine (VM) Multiple Purpose Use||Do not re-use the same VM for browsing and other applications.
Consider using Multiple Whonix-Workstation ™ if installing additional software. It is safer to compartmentalize discrete activities to minimize the threat of VM Fingerprinting. This protects from the schemeflood vulnerability [archive], which could be used for browser fingerprinting / identity correlation among VM / browser restarts. See also schemeflood.com (Browser Test).
Whonix ™ Tor Browser Differences
Does Whonix ™ Change Default Tor Browser Settings?
I've been looking for how to fix some bad default settings in the whonix tor browser. Namely, they removed NoScript from the toolbar, so that the NoScript cannot be used as intended.
As noted in the Whonix ™ Tor Browser Differences entry, Whonix ™ does not:
- change Tor Browser's internal updater checking mechanism;
- change or remove proxy settings by default; or
- modify Tor Browser's startup script, default settings and so on.
NoScript and HTTPS Everywhere are still present in the URL bar if you upgraded from an older version. They are not present if you did a new install with a recent version.
Tor Browser Bundle versus Whonix Tor Browser
The regular Tor Browser Bundle and Whonix ™ Tor Browser slightly differ. The reason is Tor Browser must be adjusted by Whonix ™ to work behind Whonix-Gateway ™. Despite environmental variable adjustments, the network and browser fingerprint remain the same.
The main Whonix ™ Tor Browser differences can be summarized as follows: 
- tor-launcher (Tor connection wizard) will not be shown in Whonix-Workstation ™ Tor Browser. Instead, Anon Connection Wizard is available in Whonix-Gateway ™.
- The Tor Circuit View and Open Network Settings functions have been disabled. The former is unsupported for security reasons,  while the latter would have no effect since Tor must be configured in Whonix-Gateway ™.
- The default landing page after Tor Browser starts is set to a local Whonix ™ resource. 
- Tor over Tor scenarios are prevented in Whonix-Workstation ™. 
- Extracted to folder
Whonix ™ does not:
- Change Tor Browser's Internal Updater checking mechanism.
- Modify Tor Browser's startup script, default settings and so on. 
- Change or remove proxy settings by default.
Tor Browser Functionality on Different Platforms
The reason is this comparison includes a host of platform-specific differences which confound the result. For example, a more valid comparison would examine the differences between:
- TBB in Debian (real Debian, not in Qubes) versus Tor Browser in Non-Qubes-Whonix ™.
- TBB in a Qubes AppVM based on a Debian TemplateVM versus Tor Browser in Qubes-Whonix ™.
Similarly, these comparisons would be helpful in order to help with TBB (non-Whonix ™) development:
- TBB in Debian (real Debian, not in Qubes) vs TBB in Windows.
- TBB in different Linux distributions.
- TBB in different Windows platforms.
Tor Browser Crash Errors
Occasionally, Tor Browser might crash. Either:
- At browser startup. For example, after a new Tor Browser update is released, errors might occur upon launch.  
- At browser runtime. 
ERROR: Tor Browser ended with non-zero (error) exit code! Tor Browser was started with: /home/user/.tb/tor-browser/Browser/start-tor-browser --allow-remote /usr/share/homepage/whonix-welcome-page/whonix.html Tor Browser exited with code: 1 To see this for yourself, you could try: Start Menu -> System -> Xfce Terminal Then run: torbrowser
Even though this is happening inside Whonix ™, the cause is most often unrelated to Whonix ™ code. Tor Browser is developed by The Tor Project [archive], which is an independent entity. The is the norm in Linux distributions. To learn more about such relationships see Linux User Experience versus Commercial Operating Systems.
Whonix ™ does integration work to get Tor Browser into the platform. To use a simple analogy, Whonix ™ stays "on the outside". Very few internal modifications are made to Tor Browser as described in the Whonix ™ Tor Browser Differences chapter.
To remedy this kind of issue, there are three promising approaches.
Delete and Reinstall Tor Browser
If browser settings like bookmarks, saved passwords and so on are not too important, Tor Browser can be completely deleted and reinstalled. Tor Browser usually functions normally after this procedure. The easiest method is using Tor Browser Downloader by Whonix ™ for this process.
Attempt to Debug the Issue
Advanced users can try to start Tor Browser without the help of
/usr/bin/torbrowser by Whonix ™, thereby bypassing that part of Whonix ™ Tor Browser integration. Tor Browser resides in folder
~/.tb/tor-browser. Therefore Tor Browser can be launched in Debugging Mode, which is a Tor Browser (not Whonix ™) feature.
Additionally, the whole
~/.tb/tor-browser folder could be copied to a Debian
buster machine or better yet, a virtual machine. For better security, a virtual machine might even be non-networked before attempts are made to launch Tor Browser. This error is likely to be reproducible outside Whonix ™ and this step will provide confirmation.
During debug attempts, do not use
/usr/bin/torbrowser or the Tor Browser start menu entry because these are provided by Whonix ™ and are not the cause here. On the other hand, The Tor Project is responsible for errors that emerge when Tor Browser is started manually or in debug mode.
Be aware the Tor Bug Tracker [archive] already has various, existing bug reports related to incremental updates via the Tor Browser internal updater. These are most likely related to Tor Browser launch failures:
- https://trac.torproject.org/projects/tor/ticket/29771 [archive]
- https://trac.torproject.org/projects/tor/ticket/16028 [archive]
- https://trac.torproject.org/projects/tor/query?component=Applications%2FTor+Browser&summary=~incremental&max=500&order=priority [archive]
- https://trac.torproject.org/projects/tor/query?component=Applications%2FTor+Browser&summary=~update&max=500&order=priority [archive]
Backup and Restore Browser Settings
Steps to perform a backup and restore of browser settings (like bookmarks) is currently undocumented in the Whonix ™ wiki. However, any online instructions for this process in Tor Browser or even Firefox should equally apply in Whonix ™. The only difference is the Whonix ™ Tor Browser folder location:
Close Tor Browser
If you see the following error message but there is no Tor Browser window open.
Tor Browser is already running, but is not responding. To use Tor Browser, you must first close the existing Tor Browser process, restart your device, or use a different profile.
This probably means that Tor Browser is still/already running in the background but without a visible desktop environment window. Tor Browser is probably frozen, hanging due to a Tor Browser software issue.
To force kill Tor Browser, run the following command.
Chapter Tor Browser Crash Errors applies.
Why do I have White Bars around my Tor Browser Content?
Ever since 9 update I have had white bars at the bottom and top of my browser. Even with using the TBB on non-whonix I still have them. Am I the only one & am I exposed?
Tor Browser in its default mode is starting with a content window rounded to a multiple of 200px x 100px to prevent fingerprinting the screen dimensions. The strategy here is to put all users in a couple of buckets to make it harder to single them out. That worked so far until users started to resize their windows (e.g. by maximizing them or going into fullscreen mode). Tor Browser 9 ships with a fingerprinting defense for those scenarios as well, which is called Letterboxing [archive], a technique developed by Mozilla and presented earlier this year [archive]. It works by adding white margins to a browser window so that the window is as close as possible to the desired size while users are still in a couple of screen size buckets that prevent singling them out with the help of screen dimensions.
Tor Browser Consumes 100% CPU after Clock Sync or Suspend/Resume
An upstream bug [archive] in Tor Browser causes the
firefox.real process to consume excessive CPU whenever the connection to Tor's
ControlPort is broken, which continues until Tor Browser is restarted. This is known to occur when the sdwdate clock synchronization daemon is restarted in Whonix-Gateway, whether manually via the sdwdate-gui time synchronization systray, or automatically via post-resume hooks. For details, refer to the related forum discussion [archive]. (original report on Qubes issue tracker [archive])
As a workaround:
about:configin the Tor Browser URL bar.
- Search for and set
- Restart Tor Browser.
Tip: If something does not work, do not arbitrarily try to use sudo / root without indication that this would be appropriate. That only risks messing up user home folder permissions. See Inappropriate Use of Root Rights.
Attempt to fix:
Open a terminal.
Run the following command to reset permissions of user
user's home folder
/home/user back to owner
user and group
sudo chown --recursive user:user /home/user
Attempt to debug:
- Start Tor Browser Start by Whonix ™ in In Verbose Mode. This will show verbose output messages which might be useful for the user to identify the issue. In doubt, Support might help interpreting these messages.
Glossary and Key Terminology
It is recommended to become familiar with terms regularly used by The Tor Project and Whonix ™. One useful resource is the v1.0 Tor glossary [archive] which is now available on The Tor Project community wiki page.
Tor vs Tor Browser
Tor is an anonymizer developed by The Tor Project. Tor Browser is a web browser developed by the Tor Project which is optimized for privacy. Please do not confuse Tor with Tor Browser when conversing about Whonix ™ topics.
Tor Browser Transparent Proxying
The Tor Browser "transparent proxying" feature  and/or the environment variable
TOR_TRANSPROXY=1 often cause confusion. It was an unfortunate naming decision by The Tor Project. This feature actually removes proxy settings. With no proxy set, the user's system reverts to its default configuration. The effect of this decision is that Tor Browser networking will work in a similar fashion to an unconfigured Firefox browser.
This is potentially dangerous when done outside of Whonix ™ because Tor Browser's transparent proxying feature could result in clearnet traffic; for instance if the gateway does not have a transparent torification feature (like Whonix-Gateway ™). In the case of Whonix ™, even if the transparent proxying feature is set, Whonix-Gateway ™ will "torify" traffic and force it through Tor. Similarly, if transparent proxying is set and happens to use a JonDo-Gateway, traffic will be forced through JonDo.
Transparent proxying should not be confused with:
TransPort [address:]port|auto [isolation flags]setting [archive].
- Tor's IsolatingProxy [archive].
Refer to this wiki entry if any of the following advanced topics are of interest:
- Tor Browser and former Torbutton design.
- Tor Browser without Tor.
- Setting a custom homepage.
- A custom Whonix ™ configuration or Workstation is in use.
- Proxy settings changes are necessary.
- Differences between tor-launcher and tor-browser launcher.
- Qubes-Whonix ™ topics:
- Split Tor Browser.
- Tor Browser in a DisposableVM.
- Tor Browser in a Qubes DisposableVM Template.
- Tor Browser debugging is required.
Running Tor Browser in Qubes DisposableVM Template
This entry has been moved here.
- Watching YouTube Videos in Whonix ™
- Downloading YouTube Videos in Whonix ™ using the
youtube-dlcommand line downloader
- Tor Browser, Advanced Users
- Install Tor Browser Outside of Whonix ™
- Verify Tor Browser in Microsoft Windows
- For a comprehensive list of reasons, readers are encouraged to review some or all of the references in this section.
- https://tb-manual.torproject.org/ [archive]
- https://blogs.gnome.org/muelli/2018/12/the-patch-that-converts-a-firefox-to-a-tor-browser/ [archive]
A good overview of the browser component is provided by The Tor Project design document [archive].
The Tor Browser is based on Mozilla's Extended Support Release (ESR) Firefox branch. We have a series of patches against this browser to enhance privacy and security. Browser behavior is additionally augmented through the Torbutton extension, though we are in the process of moving this functionality into direct Firefox patches. We also change a number of Firefox preferences from their defaults.
Tor process management and configuration is accomplished through the Tor Launcher add-on, which provides the initial Tor configuration splash screen and bootstrap progress bar. Tor Launcher is also compatible with Thunderbird, Instantbird, and XULRunner.
To provide censorship circumvention in areas where the public Tor network is blocked either by IP, or by protocol fingerprint, we include several Pluggable Transports in the distribution. As of this writing, we include Obfs3proxy, Obfs4proxy, Scramblesuit, meek, and FTE.
- https://web.stanford.edu/class/msande91si/www-spr04/readings/week1/InternetWhitepaper.htm [archive]. DNS servers enable the browser to know where resources are located on the Internet, and the corresponding IP address for fetching these.
- See below for a further description of these features.
- On average. Mid-2019 has seen a sudden spike to over 3 million users -- in recent years, sharp increases in the number of Tor clients were suspected to be adversary attacks on the network.
- https://en.wikipedia.org/wiki/HTTPS [archive]
- HTTPS is not foolproof due to reliance on the Certificate Authority (CA) system that issues digital certificates (private keys) for websites. As a trusted third party, this trust can be abused or the CAs can be subject to adversary attacks.
- https://2019.www.torproject.org/docs/faq#AmITotallyAnonymous [archive]
- https://www.whonix.org [archive]
- https://www.eff.org/pages/tor-and-https [archive]
- https://riseup.net/en/security/network-security/tor/onionservices-best-practices [archive]
- This does not however defend against improved cryptanalysis that breaks underlying ciphers being used, for example by the emergence of quantum computers. Only post-quantum ciphers resistant to these attacks will prevail.
- https://2019.www.torproject.org/docs/onion-services [archive]
- Extra layers of encryption are not strictly necessary, since a completely encrypted tunnel is already formed (but it certainly does not hurt). Until recently, these certificates would not validate because of the *.onion hostname.
- https://riseup.net/en/security/network-security/tor/onionservices-best-practices [archive]
- https://blog.torproject.org/blog/cooking-onions-names-your-onions [archive]
- This is why onion addresses appear absurdly long and random.
- Experienced Tor developer Mike Perry has noted that even with scripts globally enabled, NoScript still provides significant protection in Tor Browser [archive]:
We provide NoScript mostly for the non-filter features it provides, such as click-to-play for media, webgl and plugins, XSS protection, remote font blockage, and so on.
- https://en.wikipedia.org/wiki/NoScript [archive]
XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.
- Anti-clickjacking [archive] was previously available to protect against hidden or disguised user interface elements masquerading as trusted web page buttons, links and so on. This is no longer available following the shift to Firefox extensions in Tor Browser based on Firefox 60 ESR. This feature protected against malicious activation of microphones or webcams, as well as user interaction with hidden elements to steal important financial, personal or other data.
- https://ianix.com/pub/firefox-addons-and-bandwidth-consumption.html [archive]
- Having a large user base is important for strong anonymity, as Roger Dingledine explains here [archive].
- The Tor Project bug report: NoScript configured to globally allow all scripts [archive]
- https://noscript.net/ [archive]
- To fix this problem, close Tor Browser then run:
Restart Tor Browser.
- Even if the manpower existed, it would make more sense to establish a new "Privacy Browser" project, rather than merge its development with Whonix ™. At a later stage, the theoretically more secure browser could then be bundled with the Whonix ™ platform.
- Whonix ™ includes Tor Browser by default, with only minor differences.
- Although there are unresolved tbb-fingerprinting [archive] and tbb-linkability [archive] issues.
- This preference was first offered in alpha Tor Browser v8.5a2, but is now available in both the alpha and stable Tor Browser series.
- https://trac.torproject.org/projects/tor/ticket/27175 [archive]
- https://trac.torproject.org/projects/tor/ticket/27175#comment:12 [archive]
- https://blog.torproject.org/new-release-tor-browser-85a2 [archive]
- The default Tor Browser setting.
- https://tb-manual.torproject.org/plugins/ [archive]
- https://support.mozilla.org/en-US/kb/find-and-install-add-ons-add-features-to-firefox [archive]
- For example, most videos [archive] can be viewed in HTML5 which Tor Browser supports and prefers.
- https://2019.www.torproject.org/docs/torbutton/torbutton-faq.html.en [archive]
- https://blog.torproject.org/blog/torbutton-141-released [archive]
- See tbb-linkability [archive] and tbb-fingerprinting [archive].
- https://trac.torproject.org/projects/tor/ticket/9442 [archive]
- https://tails.boum.org/doc/anonymous_internet/Tor_Browser/index.en.html [archive]
- https://tb-manual.torproject.org/en-US/security-slider.html [archive]
- https://blog.torproject.org/new-release-tor-browser-85 [archive]
- https://trac.torproject.org/projects/tor/ticket/29825 [archive]
Tor Browser Starter by Whonix ™ (
/usr/bin/torbrowser) simply navigates to the Tor Browser folder and runs
./start-tor-browser. The former has more features like reporting error conditions or the absence of a Tor Browser folder, generation of non-zero exit code failures, and more.
- Or manually navigate to the Tor Browser folder and then launch it in debugging mode.
- https://www.torproject.org/download/download [archive]
- And that website does not:
- Use HTTP Strict Transport Security (HSTS) [archive]. See also: https://security.stackexchange.com/questions/91092/how-does-bypassing-hsts-with-sslstrip-work-exactly [archive]. Without HSTS, sites with non-encrypted resources or sub-domains are vulnerable to SSLstrip.
- Have a HTTPS Everywhere [archive] rule in effect.
- Use HSTS preloading [archive].
- Use HTTP Public Key Pinning [archive]. See also: https://news.netcraft.com/archives/2016/03/22/secure-websites-shun-http-public-key-pinning.html [archive]. HPKP limits trust to a handful of Certificate Authorities, but is not used by many websites due to the risk of site breakage if keys are not managed vigilantly.
- https://blog.torproject.org/new-release-tor-browser-95 [archive]
- https://forums.whonix.org/t/onion-forum-site-redirects-to-clearnet/197 [archive]
- The Tor Project server side Onion Location feature is documented here [archive].
- Onion location header is a server side feature. Not a client side feature.
Quote Onion redirects using Onion-Location HTTP header [archive]:
3.1. No security/performance benefits
While we could come up with onion redirection proposals that provide security and performance benefits, this proposal does not actually provide any of those.
As a matter of fact, the security remains the same as connecting to normal websites, since for this proposal to work we need to trust their HTTP headers, and the user might have already provided identifying information (e.g. cookies) to the website. The performance is worse than connecting to a normal website, since Tor first needs to connect to the website, get its headers, and then finally connect to the onion.
Still _all_ the website approaches mentioned in the "Motivation" section suffer from the above drawbacks, and sysadmins still come up with ad-hoc ways to inform users about their onions. So this simple proposal will still help those websites and also pave the way forward for future auto-redirect
- https://blog.torproject.org/new-release-tor-browser-80 [archive]
- https://blog.torproject.org/new-release-tor-browser-90 [archive]
- https://www.torproject.org/download/languages/ [archive]
- Language packs might be another fingerprinting vector, but this issue requires further investigation.
- Since it uses predetermined ports on the localhost.
- https://trac.torproject.org/projects/tor/ticket/10419 [archive]
- https://trac.torproject.org/projects/tor/ticket/11493 [archive]
- Alternatively it is possible to remove Tor Browser's proxy settings, but this method is still vulnerable to the same fingerprinting issues as configuring an exception. There are also other factors which will worsen the user's fingerprint, such as the breaking of both stream isolation and the tab isolation by socks user name in Tor Browser.
- https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor#Ad-hocSolutionsforaccessingblockedcontentonTor [archive]
Ad-hoc Solutions for accessing blocked content on Tor [archive]
License: Content on this site is Copyright The Tor Project, Inc.. Reproduction of content is permitted under a Creative Commons Attribution 3.0 United States License [archive].
- Note the icon is not visible with Tor Browser's security slider set to safest, but can still be clicked. Startpage documentation [archive] states:
- Searx instances utilizing v3 onions can be found here [archive] (.onion) [archive].
- https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor#Otherrelevantservices [archive]
- It confines programs according to a set of rules that specify what files a given program can access, and with what privileges. This also provides some protection against zero-day attacks and exploits via unknown application flaws.
- If AppArmor is applied, Tor Browser can only read and write to a limited number of folders. Permission denied errors are quite common, for example when trying to download files directly to the home folder.
- The workaround for AppArmor denied errors is saving files from Tor Browser to the ~/Downloads folder that is located within the home folder. In order to upload files with Tor Browser, first copy them to that folder.
- tb-starter [archive] will enable the Tor Browser Firejail profile. development discussion [archive]
- The Tor Project does not currently provide a hardened / sandboxed Tor Browser build, see: Stop building and distributing sandboxed-tor-browser binaries [archive].
- Linux Sandboxed Tor Browser Documentation [archive]:
WARNING: This project is no longer maintained. DO NOT EXPECT ANY FURTHER FIXES, INCLUDING SECURITY AND STOP USING THIS AS SOON AS POSSIBLE.
WARNING: There are several unresolved issues that affect security and fingerprinting. Do not assume that this is perfect, merely "an improvement over nothing".
WARNING: Active development is on indefinite hiatus. DO NOT EXPECT ANY SIGNIFICANT NEW FEATURES OR IMPROVEMENTS.
- https://forums.whonix.org/t/tor-browser-hardening-hardened-malloc-firejail-apparmor-vs-web-fingerprint/7851 [archive]
- This does not protect against the sudden loss of networking, which could reveal to the attacker that two activities / accounts suddenly going off-line are probably related.
- https://trac.torproject.org/projects/tor/ticket/25540 [archive]
- This does not protect against potential infection of dom0 or the Whonix-Workstation ™ DisposableVM-Template by advanced adversaries. Traces of activity may also be left on storage media or in RAM.
- https://blog.torproject.org/new-release-tor-browser-90a1 [archive]
- Selfrando [archive] (load-time memory randomization) protection is being removed from alpha Tor Browser Linux builds [archive]. Although Selfrando provides a security improvement over standard address space layout randomization (ASLR) present in Tor Browser and other browsers, Tor developers believe it is relatively easy for attackers to bypass and not worth the effort.
- The "hardened" Tor Browser series has been deprecated, see: https://trac.torproject.org/projects/tor/ticket/21912 [archive]
- Following the official release of the v8.0+ Tor Browser series (based on Firefox 60 ESR), the stable and alpha Tor Browser versions both have a native sandbox [archive].
- Tor Browser Update:Technical Details
- This does not yet notice upgrades [archive] performed by Tor Browser's Internal Updater.
- Since v5.0, Tor Browser is configured to update itself [archive].
- https://tb-manual.torproject.org/en-US/updating.html [archive]
- At time of writing: https://aus1.torproject.org/torbrowser/update_3/release/downloads.json [archive]
- This might be due to pragmatic reasons (work flow) or perhaps this is a staged rollout release strategy. (The term staged rollout hasn't been seen; see this definition here [archive].)
- Finalize RecommendedTBBVersions format [archive]
- Counter downgrade / stale mirror attacks on RecommendedTBBVersions - sign / verify tbb versions file [archive]
- For a definition of these attacks, see the threat model [archive] of TUF [archive] (The Update Framework [archive]) (w [archive]).
- Adversaries capable of breaking SSL could mount these attacks by replacing RecommendedTBBVersions [archive] with invalid, frozen or outdated version information.
- Unfortunately, Tor Browser signatures do not yet provide expiration dates in a manner similar to Debian's valid-until [archive] field.
- Rollback attacks are possible because if a computer's clock is wrong, there is no solid basis for comparison.
- That is, a browser and not a messenger or other application.
- GnuPG (OpenPGP) common misconceptions.
- The name of the file is stored in the hash file and verified to match the downloaded file name and hash.
- Tor Browser Update: Technical Details
- It is possible to run Tor Browser Downloader by Whonix inside a DispVM as well -- probably easiest using Tor Browser Internal Updater -- and then restart Tor Browser. However, these updates will not persist due to the DispVM design.
- See tb-updater in Qubes Template VM for technical details.
Starting with this release, Tor Browser will now also download and apply upgrades in the background, to ensure that users upgrade quicker and with less interaction. This behavior is governed by the about:config pref app.update.auto, but we do not recommend disabling it unless you really know what you're doing.
The internal updater process involves several automatic steps (source [archive]):
1) Tor Browser contacts server "A" and asks if an update is available. If there is an update, then server "A" responds with metadata about the update file (a URL for that file, the size of the file, the SHA512 hash of the file).
2) Tor Browser follows the provided URL and connects to server "B" and downloads the file 3) Tor Browser verifies the size of the file and sha512 hash of the file are as expected 4) Tor Browser verifies the cryptographic signature on the file. Tor Browser has two public keys hard-coded for which signatures on updates will be accepted.
The update is installed after all checks pass.
- Before the introduction of Tor Browser's internal updater, manual installation was a difficult task which required the renaming (or deletion) of the old Tor Browser folder before the new version was extracted. If Tor Browser functions "under the hood" are a mystery, then unsurprisingly problems are often encountered during manual installation, particularly on the host.
- Whonix ™ is not a standalone package, but a complete operating system. Whonix ™ has a small team, while torproject.org has a much larger community and dedicated, paid support staff. Therefore, Whonix ™ users are expected to learn Tor Browser basics in the first instance.
- https://blog.torproject.org/comment/291401#comment-291401 [archive]
- This does not relate to websites being able to read the bookmarks in the library, but rather addresses that are appended with unique parameters [archive] like a string of random characters. The implication is:
If you save a bookmark that contains parameters that mark you as unique and then you start a New Identity, if you open that bookmark, those parameters can be used to continue tracking you in your New Identity.
- For example, it is unsafe to disable Tor Browser protections in order to save cookies [archive] for the sake of convenience.
- https://forums.whonix.org/t/should-still-recommend-against-maximizing-tor-browser-window [archive]
New Release: Tor Browser 9.0 [archive]:
Tor Browser in its default mode is starting with a content window rounded to a multiple of 200px x 100px to prevent fingerprinting the screen dimensions. The strategy here is to put all users in a couple of buckets to make it harder to single them out. That worked so far until users started to resize their windows (e.g. by maximizing them or going into fullscreen mode). Tor Browser 9 ships with a fingerprinting defense for those scenarios as well, which is called Letterboxing, a technique developed by Mozilla and presented earlier this year. It works by adding white margins to a browser window so that the window is as close as possible to the desired size while users are still in a couple of screen size buckets that prevent singling them out with the help of screen dimensions.
Anonymous (not verified) said [archive]:
Is using the default window size still recommended?
Yes, the default size is still recommended. But, if users are resizing their window they should get some protection now. Before that we only had the notification bar popping up and essentially saying "Don't do that! Danger!" which was kind of lame. Now, we have something better to offer which fits more to our privacy-by-design goal.
- This changes Tor Browser's fingerprint slightly. Tor project member sysrqb has stated [archive]:
Your browser is likely not unique, but it is one additional distinguisher from other users. You can see the effect of it on https://arkenfox.github.io/TZP/tzp.html [archive]. Under the "screen" section, the "resolution" and "inner/outer window" values should change.
- https://2019.www.torproject.org/docs/faq.html.en#AmITotallyAnonymous [archive]
- See identifier-linkability [archive] and sec19-shusterman.pdf [archive].
- Fission [archive] is still work in progress.
- https://forums.whonix.org/t/tor-browser-8-5-in-whonix-no-longer-can-save-passwords-and-it-deleted-all-existing-ones/7424 [archive]
- Mozilla notes:
Even though the Password Manager stores your usernames and passwords on your hard drive in an encrypted format, someone with access to your computer user profile can still see or use them. The Use a Master Password to protect stored logins and passwords article shows you how to prevent this and keep you protected in the event your computer is lost or stolen.
- Unless a strong master password is used to protect usernames and passwords, anyone with access to the computer (remote or physical) can easily see them; see here [archive] for further information. Due to their relatively large attack surface, security professionals suggest it is far safer to use a password manager rather than trust browsers with sensitive information.
- A critical security bug [archive] was found in the Password Manager in 2018: "If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible."
- https://firstname.lastname@example.org/msg29899.html [archive]
- https://email@example.com/msg29573.html [archive]
- Tor Bug 30600: Restore NoScript control widget icon to the Tor Browser toolbar [archive]
- https://blog.torproject.org/comment/282733#comment-282733 [archive]
- https://blog.torproject.org/comment/282735#comment-282735 [archive]
- The same blog discussion confirms that moving the NoScript icon back onto the URL bar does not pose a known fingerprinting risk.
- https://trac.torproject.org/projects/tor/ticket/30570 [archive]
- https://trac.torproject.org/projects/tor/ticket/19652 [archive]
- This is so Whonix-Workstation ™ does not have access to the information about which Tor middle relay or Tor entry guard [or bridge] are in use. See also: Indicator for current Circuit Status and Exit IP.
- The default Tor Browser Bundle uses about:tor as the landing page. See: https://trac.torproject.org/projects/tor/ticket/13835 [archive]
- In Whonix-Workstation ™, anon-ws-disable-stacked-tor [archive] listens on 127.0.0.1 9150 and 9151 (Tor Browser's default ports) and forwards them to Whonix-Gateway ™ 10.152.152.10 9150 (where a Tor SocksPort is listening) and 9151 (where Control Port Filter Proxy is listening). Tor does not get started by the tor-launcher [archive] Firefox add-on because the TOR_SKIP_LAUNCH [archive] environment variable has been set set to 1. See also: Dev/anon-ws-disable-stacked-tor.
- No changes have been made in Whonix ™ code to prevent such a warning.
- https://forums.whonix.org/t/tor-browser-error-perhaps-from-9-0-1-update/8468 [archive]
- The error is likely related to existing Tor bugs reported against (incremental) [archive] updates [archive].
- https://forums.whonix.org/t/tor-browser-ended-with-non-zero-error-exit-code-again/10889 [archive]
- https://forums.whonix.org/t/is-anyone-having-white-bars-in-the-tbb-tor-browser-letterboxing/8345 [archive]
- https://www.reddit.com/r/Whonix/comments/ky7jqr/troubleshooting_i_just_installed_whonix_when_i/ [archive]
- https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxy [archive]
Whonix ™ Tor Browser Basics wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix ™ Tor Browser Basics wiki page Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <firstname.lastname@example.org>
This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.
The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.