
Tor Browser

Tor Browser, privacy by design. Fighting web fingerprinting and linkability.


Introduction[edit]

Only Tor Browser is recommended for use in Whonix when browsing the Internet. [1]

Tor Browser [2] is a fork of the Mozilla Firefox web browser. It is developed by The Tor Project and optimized and designed for anonymity. Many users will have browsed with Firefox and be familiar with the user interface that resembles those found in other popular, modern browsers.

Users are encouraged to read this entire wiki entry so Tor Browser is used effectively and safely on the Whonix platform.

Anonymity vs Pseudonymity[edit]

If browsers other than Tor Browser are used in Whonix, the user's IP address and Domain Name Service (DNS) requests [3] are still protected. However, users do not benefit from Tor Browser's protocol-level cleanup in this scenario, a feature other browsers do not provide. Using other browsers is therefore pseudonymous rather than anonymous.

In comparison to other browsers, Tor Browser is optimized for anonymity and has a host of privacy-enhancing patches and add-ons. [4] With Tor Browser, the user "blends in" and shares the fingerprint of around two million other users, which is advantageous for privacy.

HTTPS Encryption[edit]

It is important to understand the difference between HTTP and HTTPS: [5]

HTTPS (also called HTTP over Transport Layer Security (TLS), HTTP over SSL, and HTTP Secure) is a communications protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security, or its predecessor, Secure Sockets Layer. The main motivation for HTTPS is authentication of the visited website and protection of the privacy and integrity of the exchanged data.

HTTPS advantages include: [6]

  • Authentication of the website and web server the user is communicating with.
  • Protection against man-in-the-middle attacks.
  • Bidirectional encryption of communications between a client and server. This protects against eavesdropping and tampering with / forging of communication contents.
  • A reasonable user expectation that the website being communicated with is genuine. [7]


In the context of Tor Browser, this means users should prefer HTTPS instead of HTTP so communication is encrypted while browsing the Internet. While traffic is encrypted throughout the Tor network, the exit relay (third of three servers) can see traffic sent into Tor if it is plain HTTP. If HTTPS is used, the exit relay will only know the destination address. [8]

As an example, the screenshot below is how the browser looks when visiting the Whonix website. [9]

HTTPS-website-example.png

Take notice of the small area on the left-hand side of the address bar. The indicators of an encrypted connection are that www.whonix.org is highlighted with a padlock and "Secure Connection" in green writing, and that the URL begins with https:// instead of http://.

Try to only use services providing HTTPS when sensitive information is sent or received. Otherwise, passwords, financial / personal information or other sensitive data can easily be stolen or intercepted by eavesdroppers. The contents of an HTTP webpage can also be modified on their way to your browser for malicious purposes.

The following figures from EFF provide an overview of HTTP/HTTPS connections with and without Tor, and what information is visible to various third parties. The descriptors are as follows: [10]

Potentially visible data includes: the site you are visiting (SITE.COM), your username and password (USER/PW), the data you are transmitting (DATA), your IP address (LOCATION), and whether or not you are using Tor (TOR).

Tor and HTTPS

Tor-with-https.png

Tor and No HTTPS

Tor-without-https.png

No Tor and HTTPS

Without-tor-with-https.png

No Tor and No HTTPS

Without-tor-https.png

HTTPS Everywhere[edit]

HTTPS Everywhere logo

HTTPS Everywhere is a Firefox extension shipped in Tor Browser and produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It helps to encrypt user communications with a number of major sites.

Many sites on the Internet offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, sites may default to unencrypted HTTP or fill encrypted pages with links that return to the unencrypted version of the site. The HTTPS Everywhere extension addresses these problems by rewriting all site requests to HTTPS.

To learn more about HTTPS Everywhere, visit:

Torbutton[edit]

Tor alone is not enough to protect your anonymity and privacy while browsing the web. All modern web browsers, such as Firefox, support JavaScript[11], Adobe Flash[12], cookies[13] and other features which have been shown to be able to defeat the anonymity [14] provided by the Tor network.

In Tor Browser all such features are handled from inside the browser, because it is a modified version of Firefox with patches [15] and it contains an extension called Torbutton [16]. Together these do all sorts of things to prevent the above types of attack. But that comes at a price: some functionality is disabled and some sites might not work as intended. Don't worry too much about this; the vast majority of websites work very well.

To learn more about Torbutton you can see:

To learn more about Data Collection Techniques, Fingerprinting you can see:

New Identity Button[edit]

The New Identity button in Tor Browser is not perfect yet (NOT a Whonix issue); there are open bugs. [17]

How to use it:

click TorButton -> click New Identity

Please understand New Identity and Tor circuits to learn what this actually does and what its limitations are.

Protection against dangerous JavaScript[edit]

Having all JavaScript disabled by default would disable a lot of harmless and possibly useful JavaScript and render many websites unusable. This would scare away lots of potential users "because it just doesn't work". Torbutton disables all potentially dangerous JavaScript. On the other hand, having a big user base is important for good anonymity, as this very interesting mail by Roger Dingledine explains. [18]

That's why JavaScript is enabled by default in Tor Browser. We consider this a necessary compromise between security and usability, and as of today we are not aware of any JavaScript that would compromise Whonix anonymity.

For more technical details you can refer to the Torbutton design document.[19] Another related discussion justifying why JavaScript is enabled by default in Tor Browser was on tor-talk, "Tor Browser disabling Javascript anonymity set reduction".[20]

NoScript[edit]

NoScript logo

NoScript also comes with Tor Browser and provides many protections, even though JavaScript is enabled by default. You shouldn't mess with NoScript settings in Tor Browser unless you know exactly what you are doing.

For more information you can refer to the NoScript website and features.

Tips[edit]

Maximizing Browser Window[edit]

It is better for privacy and anonymity not to maximize the Tor Browser window. [21]

Tor Browser in Whonix differences[edit]

Introduction[edit]

The regular Tor Browser and Tor Browser in Whonix differ slightly. The environment Tor Browser is running in has been adjusted by Whonix to work behind the Whonix-Gateway. The network and browser fingerprint, however, is the same.

Tor Browser's internal update check mechanism is untouched and works fine. Default homepage is

Whonix Proxy Settings[edit]

Short: You don't need to change any proxy settings in Tor Browser.

Long: [22]

(If you want to change or remove proxy settings, see #Change / Remove Proxy Setting.)

More than one Tor Browser in Whonix[edit]

For better isolation of different identities. For advanced users. Moved to the Advanced Security Guide.

Update Tor Browser[edit]

Introduction[edit]

Tor Browser's Internal Updater, the built-in stock update notification mechanism, also works in Whonix. Use it.

Tor Browser Downloader (Whonix) does not notice upgrades done by Tor Browser's Internal Updater.

Since version 5.0, The Tor Project has configured Tor Browser to update itself. [23]

Additionally, it might also be wise to subscribe to the blog of the creators of Tor Browser, https://blog.torproject.org, for news.

Updating[edit]

Tor Browser Downloader by Whonix[edit]

Introduction[edit]

Tor Browser Downloader (Whonix) is really just a downloader, not an updater. This means it is incapable of keeping user data, for example bookmarks and passwords. If you would like to keep your user data, use Tor Browser Internal Updater instead.

Here are some Tor Browser Downloader (Whonix) Screenshots.

Tor Browser Downloader (Whonix) checking for updates.
Tor Browser Downloader (Whonix) Download Confirmation
Tor Browser Downloader (Whonix) Downloading Tor Browser.
Tor Browser Downloader (Whonix) Installation Confirmation.
Tor Browser Downloader (Whonix) Extracting.
Tor Browser Downloader (Whonix) Finished Installing Tor Browser.


(Also available as CLI version.)

Tor Browser version check and download (after confirmation) in Whonix can be done as follows:

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Workstation AppVM (commonly named anon-whonix) -> Tor Browser Downloader (Whonix)

If you are using a graphical Whonix-Workstation, complete the following steps:

Start Menu -> Applications -> System -> Tor Browser Downloader (Whonix)

If you are using a terminal-only Whonix-Gateway, complete the following steps:

update-torbrowser

Download Confirmation Screen[edit]

Helps to keep you safe.

There is currently no reliable way for a program to securely determine the latest stable version of Tor Browser with reasonable certainty. [24] [25] When the version format changes, the automated parser of version information could wrongly suggest a version that is still considered secure but is not the latest stable version, or an alpha, beta or rc (release candidate) version. Alternatively, you could be the target of a denial of service, indefinite freeze or rollback (downgrade) attack. [26] [27]

Therefore the intelligence of the user is utilized as a sanity check: the Download Confirmation Screen enables users to detect such situations and abort.

The version numbers you see under Online versions come from the Tor Browser online RecommendedTBBVersions file that is provided by The Tor Project and parsed by Whonix's Tor Browser Downloader. All versions listed in that file are considered up to date by The Tor Project, which means that no upgrade is required.
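The following is an added example, not code from Whonix's tb-updater, showing the kind of parsing the two paragraphs above describe and where it has to give up and hand the decision to the user. It assumes the RecommendedTBBVersions file is a JSON array of version strings with optional platform suffixes (for example "7.0.4-Linux"); the version numbers in the embedded sample are constructed for the example and are not a real release list. Anything the parser cannot classify is reported rather than guessed at, which is exactly the situation the Download Confirmation Screen exists for.

```python
import json
import re

# Constructed sample of a RecommendedTBBVersions file (assumed format: a JSON
# array of version strings, some with a platform suffix). Not a real release list.
SAMPLE_RECOMMENDED = json.dumps([
    "7.0.4", "7.0.4-Linux", "7.0.4-MacOS", "7.0.4-Windows",
    "7.5a3", "7.5a3-Linux", "7.5a3-MacOS", "7.5a3-Windows",
])

# A stable version is digits separated by dots; a letter suffix marks a
# pre-release (a = alpha, b = beta, rc = release candidate).
STABLE_RE = re.compile(r"^\d+(\.\d+)*$")
PRERELEASE_RE = re.compile(r"^(\d+(\.\d+)*)(a|b|rc)(\d+)$")


def parse_recommended(text):
    """Return the set of bare version strings, platform suffixes stripped.

    Refuses to proceed if the file is not the list-of-strings shape we expect,
    because a changed format must not be silently reinterpreted.
    """
    versions = json.loads(text)
    if not isinstance(versions, list) or not all(isinstance(v, str) for v in versions):
        raise ValueError("unexpected version file format; refusing to guess")
    return {v.split("-", 1)[0] for v in versions}


def classify(version):
    """Classify a version as 'stable', 'alpha', 'beta', 'rc' or 'unknown'."""
    if STABLE_RE.match(version):
        return "stable"
    m = PRERELEASE_RE.match(version)
    if m:
        return {"a": "alpha", "b": "beta", "rc": "rc"}[m.group(3)]
    return "unknown"


def version_key(version):
    """Numeric tuple so that 7.0.10 sorts after 7.0.4 (string order would not)."""
    return tuple(int(x) for x in version.split("."))


def latest_stable(recommended):
    """Highest stable version; never falls back to a pre-release."""
    stable = [v for v in recommended if classify(v) == "stable"]
    if not stable:
        raise ValueError("no stable version in list; refusing to pick a pre-release")
    return max(stable, key=version_key)


def upgrade_needed(installed, recommended):
    """True if the installed version is no longer in the recommended list."""
    return installed not in recommended


def check_formats(recommended):
    """Versions the parser does not understand. A non-empty result is the case
    where the tool must show the raw list to the user instead of deciding."""
    return sorted(v for v in recommended if classify(v) == "unknown")


if __name__ == "__main__":
    rec = parse_recommended(SAMPLE_RECOMMENDED)
    print("online versions:", sorted(rec))
    print("latest stable:", latest_stable(rec))
    print("unparseable:", check_formats(rec))
    print("upgrade needed for 7.0.3:", upgrade_needed("7.0.3", rec))
```

Note that `upgrade_needed` only says whether the installed version is still on the list; it cannot tell whether the list itself is current, which is the freeze problem the next section deals with.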

TODO: expand

Installation Confirmation Screen[edit]

Helps to keep you safe.

There is currently no reliable way for a program to securely determine if your download of Tor Browser was a target of an indefinite freeze or rollback attack with reasonable certainty. [28] [29]

When verifying cryptographic signatures there are multiple important aspects.

  • For one, the signature should be made by a trusted key.
  • Naturally, trusted keys have signed other files in the past as well. So one must make sure to have also received the right file and not just some file that was signed by a trusted key.
  • Finally, even when having received the right type of file, [30] it should be made sure that a current signature has been used and not a historic one, to counter indefinite freeze and rollback attacks.

By the time you see the Installation Confirmation Screen, the verification of the signature [31] has already succeeded, but again the intelligence of the user has to be utilized to make sure the user is not the target of an indefinite freeze or downgrade attack.

Previous Signature Creation Date: When Tor Browser was previously installed by tb-updater, tb-updater will have stored the creation date of the signature accompanying the signed Tor Browser. The Previous Signature Creation Date field shows you that date.

Last Signature Creation Date: This field shows you the date of the creation of the signature that was just downloaded.
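As an added example (not tb-updater's own code), the comparison the two date fields above let the user make, written out as a function. The dates and the 90-day freshness window are constructed for the example; the page does not specify a threshold, and this check cannot distinguish a genuine freeze from a release that is simply old, which is why the page leaves the final decision to the user rather than to a program.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample values standing in for the two fields on the screen.
PREVIOUS_SIG_DATE = "2017-03-07T20:02:04Z"   # stored at the previous install
LAST_SIG_DATE = "2017-04-19T12:10:55Z"       # from the signature just downloaded


def parse_date(s):
    """Parse an ISO-8601 UTC timestamp such as 2017-04-19T12:10:55Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_signature_dates(previous, last, now, max_age=timedelta(days=90)):
    """Return (verdict, reason) for a freshly downloaded, already-verified signature.

    previous: creation date stored from the last install, or None on first install
    last:     creation date of the signature just downloaded
    now:      current time (passed in so the check is reproducible)

    Verdicts:
      'suspicious': the signature claims to be from the future
      'rollback':   the new signature is older than the previously installed one,
                    i.e. we were served an older, still validly signed release
      'stale':      the signature is older than max_age (the only signal on a
                    first install; with a previous date it points to a freeze)
      'ok':         newer than the previous signature and reasonably fresh
    """
    last_dt = parse_date(last)
    if last_dt > now:
        return "suspicious", "signature claims to be created in the future"
    if previous is not None:
        prev_dt = parse_date(previous)
        if last_dt < prev_dt:
            return "rollback", "new signature (%s) is older than previous (%s)" % (last, previous)
    age = now - last_dt
    if age > max_age:
        return "stale", "signature is %d days old" % age.days
    return "ok", "signature is newer than the previous one and within %d days" % max_age.days


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(assess_signature_dates(PREVIOUS_SIG_DATE, LAST_SIG_DATE, now))
```

The signature's creation date is itself part of the signed material, so an attacker who cannot forge the signature cannot make an old release look new; what they can do is keep serving the old one, and only the age check or the user's own knowledge of recent releases catches that.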

Here is a screenshot:
torbrowser-updater_signature_verification_screen.

[32] [33]

Tor Browser local version number detection is not implemented.

TODO: Expand.

Tor Browser Manual Update[edit]

A future update of Tor Browser by The Tor Project might make Whonix's Tor Browser Updater or Tor Browser running in Whonix-Workstation unusable. In case Tor Browser (Updater) inside Whonix-Workstation breaks, a news item with instructions on how to fix the issue will be posted within a few days. If not, the Whonix developers are not aware of the issue.

If the Tor Browser update script is ever broken, you are advised to update manually, see Manually Downloading Tor Browser.

Tor Browser Internal Updater[edit]

Tor Browser's Internal Updater Popup Screenshot:
Tor Browser Internal Updater Popup.png

Tor Browser's Internal Updater Wizard Screenshot:
Tor Browser Internal Updater Wizard.png

Here you can see a screenshot of Tor Browser's menu bar that contains Tor Browser's Internal Updater Update Symbol:
Tor Browser Tor Button Update Symbol.png

Tor Browser's Internal Updater Update Symbol:
The following symbol is quite useful. It indicates that Torbutton has found out that there is an update.
Tor Browser Tor Button Update Notification.png

A screenshot of about:tor, which is as useful as the above symbol:
Tor Browser Internal Updater About Tor.png

Start Tor Browser[edit]

Start Tor Browser.

If you are using Qubes-Whonix.

Qubes Start Menu -> Whonix-Workstation AppVM (commonly called anon-whonix) -> Tor Browser

If you are using Non-Qubes-Whonix.

Start Menu -> Tor Browser

If you are using a terminal (Konsole).

torbrowser

File Downloads[edit]

Let's say you wanted to download this image using Tor Browser. By default the download path is going to be /home/user/.tb/tor-browser/Browser/Downloads. It is inconvenient to navigate to this sub sub sub folder.

Tbbd.png

To make things simpler, save files directly inside /home/user/Downloads.

Go to about:preferences in Tor Browser.

Tbbd6.png

Change the default Download folder.

Tbbd7.png

Change the setting to Save files to.

Tbbd8.png

Done. Your files should now be downloaded to /home/user/Downloads. You can navigate there using dolphin or konsole.

If you stored files inside the "wrong" sub sub sub folder and want to access your file anyhow, follow these steps.

Start dolphin.

Now, in order to go to your download path using dolphin, please follow the images. First we need to enable showing hidden files.

Tbbd2.png

Double click on .tb folder.

Tbbd3.png

Get into the following path.

Tbbd4.png

Now you are going to find what you have downloaded.

Tbbd5.png

Not installed by Default[edit]

Tor Browser is installed by default in Whonix-Workstation in Qubes-Whonix, but not in Non-Qubes-Whonix. If you are interested in the reasons why, see footnote. [34]

This will change in Whonix 14. [35]

Local Connections[edit]

Note: Accessing local application interfaces on 127.0.0.1 is no longer possible due to a change in Tor Browser by The Tor Project. The exception configured below means a small trade-off in privacy but is much safer than using another browser. (See #Local Connections Exception Threat Analysis.)

To configure an exception for local connections in Tor Browser:

Preferences -> Advanced -> Network | Connection Settings... -> No Proxy for: "127.0.0.1". Then, click on "OK" 

[36]

Web HTTP(S)/SOCKS proxies have different instructions and will not work with these steps, see Tor Browser Proxy Configuration.

Recommendations

For better anonymity.

  • Surf with JavaScript (JS) disabled in Tor Browser and enable it only when needed; this mitigates these browser fingerprinting issues completely.
  • Set passwords for WebGUIs listening on localhost.
  • Run sensitive daemons with local WebGUIs on a separate dedicated Whonix-Workstation + virtual network instance.

Browser Plugins / Flash / Java[edit]

See Browser Plugins.

Browser Language[edit]

If you want the browser interface in a different language than English, see Language.

AppArmor Confinement[edit]

To protect the system and your data from some types of attack against Tor Browser, you could consider installing Whonix's Tor Browser AppArmor profile.

As a consequence, Tor Browser can only read and write to a limited number of folders. This is why you might face Permission denied errors, for example if you try to download files to the home folder. You can save files from Tor Browser to the ~/Downloads folder that is located in the home folder. If you want to upload files with Tor Browser, copy them to that folder first.

Update the package lists.

sudo apt-get update

Install the apparmor-profile-torbrowser package.

sudo apt-get install apparmor-profile-torbrowser

Advanced Topics[edit]

Tor Browser Hardened[edit]

With all major hardening features (selfrando and sandboxing) becoming part of the mainline version of Tor Browser, there is discussion among TBB devs to drop or rename the hardened version name to debug version.[37][38]

Debug features like ASan are not suited for security and are extremely resource intensive.

Note that sandboxing is only available in the 64-bit versions of Tor Browser.

Tor Browser Sandboxed[edit]

Introduction[edit]

A sandbox is a secure environment in which you can run the Tor Browser to mitigate exploit vectors which would otherwise deanonymize you or infect your computer. For instance, sandboxing reduces the opportunities for an attacker to easily identify real IP and MAC addresses, install malware, or browse your files.[39] In simple terms, the Tor Browser runs in a limited awareness container that is prevented from interacting with the rest of your computer. The spate of recent attacks on the Tor Browser in the wild suggests this is a sensible approach for cautious users or those facing significant risks.

The Tor Browser sandbox is compatible with either the "release", "alpha" or "hardened" Tor Browser series. However, the sandboxed "hardened" Tor Browser is the combination least-tested by Tor developers.[40]

Sandboxing Effects on Tor Browser Functionality[edit]

Sandboxing improves security, but some functionality is lost inadvertently or by design. Also, some functions like sound must be optionally configured. In early 2017, broken items include:[41]

  • Foreign language support;
  • The meek pluggable transport; and
  • Manual checks for Tor Browser updates.


The Tor Browser sandbox is unlikely to ever support:

  • The FTE pluggable transport;
  • Hardware-accelerated 3D rendering;
  • Printing, except to a file;
  • Connections outside of the Tor network; and
  • Compatibility of the "hardened" Tor Browser with a grsec kernel (due to ASAN/Pax conflicts).


Manual configuration changes are required for: audio support, the Tor circuit display (already disabled in Whonix), and installs/updates of Tor Browser add-ons. By design: fonts are limited to a minimal set, plug-ins like Flash or Silverlight will not work, users will not be able to see downloaded files, and further add-ons cannot be enabled without sandbox configuration changes.

Sandboxing Tor Browser in Non-Qubes-Whonix[edit]

Warning: these instructions are extremely alpha and require a 64-bit version of Whonix (Whonix 14) to work. Testers or advanced users only!

Tor Browser Sandbox Dependencies[edit]

In order to install and run the sandbox you need:

  • Bubblewrap from Debian Jessie backports;
  • A newer (Whonix-14-developers-only) version of the control-port-filter-python for Tor cookie control protocol authentication; and [42]
  • Optional: Libnotify4 for desktop notifications about events.


1. Boot your Whonix-Workstation VM

2. Add jessie-backports to sources.list

   sudo su -c "echo -e 'deb http://http.debian.net/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"

Or to use the .onion mirror:

   sudo su -c "echo -e 'deb http://vwakviie2ienjx6t.onion/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"

3. Use Apt-pinning Before Installing Dependencies

Apt-pinning provides a safe mechanism to mix and match packages from different Debian repository branches without breaking your base distribution.

A higher pin priority ensures that apt will prefer the stable package version over any other when installing. Note that these files have a .pref extension or none at all.

Open /etc/apt/preferences.d/debian-pinning.pref in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run.

kdesudo kwrite /etc/apt/preferences.d/debian-pinning.pref

If you are using a terminal-only Whonix, run.

sudo nano /etc/apt/preferences.d/debian-pinning.pref

Paste.

Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=jessie-backports
Pin-Priority: 650

Package: *
Pin: release a=testing
Pin-Priority: 600

Package: *
Pin: release a=unstable
Pin-Priority: 550

Package: *
Pin: release a=experimental
Pin-Priority: 500

Save and exit.

4. Update the Package Lists and Install Bubblewrap

   sudo apt-get update
   sudo apt-get -t jessie-backports install bubblewrap

Note: golang is not needed unless manually building the sandbox from source. lib-seccomp dependencies are no longer required for v0.0.3 of the sandbox.

5. Optional: Install Libnotify4 for Desktop Notifications

   sudo apt-get install libnotify4

Note: the Adwaita Gtk+-2.0 theme is already installed in the Whonix template.

Download the Tor Browser Sandbox[edit]

1. Download the Sandbox Binary and Key File

For later releases, the Tor Project sandbox binaries and key files can be found here.

In the Whonix-Workstation VM, open a terminal and run:

   wget https://dist.torproject.org/torbrowser/7.0a1/sandbox-0.0.3-linux64.zip
   wget https://dist.torproject.org/torbrowser/7.0a1/sandbox-0.0.3-linux64.zip.asc

2. Download the Tor Project Signing Key and Verify the Zip File

In the terminal, run:

   gpg --recv-keys "EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290"
   gpg --verify sandbox-0.0.3-linux64.zip.asc

The output should show a good signature from the Tor developers and be similar to this:

   gpg: Signature made Tue 24 Jan 2015 09:29:09 AM CET using RSA key ID D40814E0
   gpg: Good signature from "Tor Browser Developers (signing key) "
   gpg: WARNING: This key is not certified with a trusted signature!
   gpg: There is no indication that the signature belongs to the owner.
   Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290

If you receive a bad signature warning, delete the files, rotate your Tor circuits, and download them again.
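The point of the output above is that "Good signature" on its own proves only that some key gpg knows about made the signature; the line that matters is the primary key fingerprint, which you compare against the one you fetched. As an added example (not part of the page or of any Tor Project tool), here is that comparison done in code over constructed gpg output, using the fingerprint from the gpg --recv-keys step above. Only the structure of the sample output matters; the dates and the user ID in it are made up.

```python
import re

# Expected primary key fingerprint, copied from the gpg --recv-keys step above.
EXPECTED_FPR = "EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290"

# Constructed gpg --verify output (gpg writes these lines to stderr).
SAMPLE_GOOD = """\
gpg: Signature made Tue 24 Jan 2017 09:29:09 AM CET using RSA key ID D40814E0
gpg: Good signature from "Tor Browser Developers (signing key)"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7  DE68 4E2C 6E87 9329 8290
"""

SAMPLE_BAD = """\
gpg: Signature made Tue 24 Jan 2017 09:29:09 AM CET using RSA key ID D40814E0
gpg: BAD signature from "Tor Browser Developers (signing key)"
"""

# Good signature, but from a different key: the case a fingerprint check catches.
SAMPLE_WRONG_KEY = """\
gpg: Signature made Tue 24 Jan 2017 09:29:09 AM CET using RSA key ID 00000000
gpg: Good signature from "Someone Else (constructed)"
gpg: WARNING: This key is not certified with a trusted signature!
Primary key fingerprint: 0000 0000 0000 0000 0000  0000 0000 0000 0000 0000
"""


def normalize(fpr):
    """Strip the display grouping so fingerprints compare byte for byte."""
    return fpr.replace(" ", "").upper()


def check_gpg_output(output, expected_fpr=EXPECTED_FPR):
    """Return (ok, reason). ok is True only if gpg reported a good signature AND
    the primary key fingerprint equals the expected one."""
    if re.search(r"^gpg: BAD signature", output, re.M):
        return False, "bad signature"
    if not re.search(r"^gpg: Good signature", output, re.M):
        return False, "no good signature line"
    m = re.search(r"^Primary key fingerprint:\s*(.+)$", output, re.M)
    if not m:
        return False, "no primary key fingerprint line"
    if normalize(m.group(1)) != normalize(expected_fpr):
        return False, "fingerprint mismatch: %s" % m.group(1).strip()
    return True, "good signature from the expected key"


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD), ("wrong key", SAMPLE_WRONG_KEY)):
        print(name, "->", check_gpg_output(sample))
```

If you wire this to a real run, capture stderr (`gpg --verify ... 2>&1`), and for anything beyond a manual check prefer `gpg --status-fd 1`, whose machine-readable `VALIDSIG` line carries the fingerprint without depending on the human-readable wording.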

3. Unzip the sandbox

In the terminal, run:

   unzip sandbox-0.0.3-linux64.zip

Launching sandboxed-tor-browser[edit]

To start the sandbox, open a terminal and run:

   cd sandbox
   ./sandboxed-tor-browser

When prompted, select the Tor Browser version you wish to use in your Whonix-Workstation VM. To check that sandboxed-tor-browser is correctly using the system Tor process, run:

   env | grep TOR

The output should show that the following is set as an environment variable:

   TOR_CONTROL_PORT=9151

Important notes:

  • sandboxed-tor-browser is also a Tor Browser downloader similar to tb-updater / torbrowser-launcher;
  • Whonix network settings are auto-detected as system Tor. There is no need to manually configure settings;
  • 32-bit support has been deprecated since version 0.0.2 of the sandbox; and
  • 64-bit only support from sandbox version 0.0.3 onwards means it is only compatible with Whonix 14 (the next Whonix release).

Sandboxing Tor Browser in Qubes-Whonix[edit]

The Tor Browser alpha sandbox is currently blocked in Qubes-Whonix due to problems in upgrading to the Whonix-14-developers-only version of the control-port-filter-python. This issue is expected to be resolved with the official release of Whonix 14.

A recommended interim solution is to use Firejail to better contain the Tor Browser application.

Custom Homepage[edit]

This is an advanced topic.

As reported, setting a custom homepage in Tor Browser settings might not work.

Technical background: [43]

To set a custom homepage, you could try to purge the whonix-welcome-page package. [44] But this is difficult due to technical limitations as explained on the Whonix Debian Packages page.

Alternatively, you could modify /usr/lib/whonix-welcome-page/env_var.sh, but these changes would be reverted after upgrade. [45]

Or you could set the environment variable TOR_DEFAULT_HOMEPAGE to a custom value. Doing so would be similar to setting environment variables as explained in #Transparent Torification - No Proxy - System Default.

Unsupported Tor Browser Features in Whonix[edit]

Tor Circuit View[edit]

(screenshot)

This is unsupported for security reasons. [46]

Misc[edit]

Verify New Identity[edit]

This is an advanced topic. You most likely only need it in custom configurations, such as when using a Whonix-Custom-Workstation.

First of all, should it have failed, TorButton should notice that it could not connect to Tor's ControlPort and should report that giving a new identity failed. If you don't get such an error popup, it is a good indication that there are no issues.

After the browser has restarted, on the about:tor page, click "Test Tor Network Settings". It will lead to https://check.torproject.org (check.tpo) (or manually visit check.tpo; it doesn't matter). In most cases (not all! [47]) you should have a new exit relay. Check.tpo should report a different IP.

On Whonix-Gateway, watch Control Port Filter Proxy's log while using TorButton's New Identity feature.

tail -f /var/log/control-port-filter-python.log

If you see something like this.

2015-12-12 23:59:41,276 - CPFP log - DEBUG - Request: signal newnym
2015-12-12 23:59:41,284 - CPFP log - DEBUG - Answer: 250 OK

Then Control Port Filter Proxy received the request from Tor Browser and got Tor's okay, that it worked.
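As an added example (not part of Control Port Filter Proxy or of this page), the check described above over a constructed log excerpt in the format shown: pair each Request line with the Answer that follows it and confirm the last "signal newnym" got a 250 reply. The second exchange in the sample, and its reply text, are made up to show that other requests are kept separate from the newnym check.

```python
import re

# Constructed log excerpt in the CPFP log format shown above. The second
# request/answer pair is invented for the example.
SAMPLE_LOG = """\
2015-12-12 23:59:41,276 - CPFP log - DEBUG - Request: signal newnym
2015-12-12 23:59:41,284 - CPFP log - DEBUG - Answer: 250 OK
2015-12-13 00:01:02,100 - CPFP log - DEBUG - Request: getinfo address
2015-12-13 00:01:02,105 - CPFP log - DEBUG - Answer: 510 Unrecognized command
"""

# "<date> <time> - CPFP log - <LEVEL> - Request|Answer: <body>"
LINE_RE = re.compile(r"^(\S+ \S+) - CPFP log - \w+ - (Request|Answer): (.*)$")


def parse_log(text):
    """Pair each Request line with the Answer that follows it.

    Returns a list of dicts with the request's timestamp, the request body and
    the answer body. Lines that do not match the format are ignored, and an
    Answer with no preceding Request is dropped rather than mis-paired.
    """
    exchanges = []
    pending = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, kind, body = m.groups()
        if kind == "Request":
            pending = (ts, body.strip())
        elif kind == "Answer" and pending is not None:
            exchanges.append({"time": pending[0], "request": pending[1], "answer": body.strip()})
            pending = None
    return exchanges


def newnym_results(text):
    """Answer codes Tor gave to each 'signal newnym' request, in order."""
    return [e["answer"] for e in parse_log(text) if e["request"].lower() == "signal newnym"]


def last_newnym_succeeded(text):
    """True if a newnym request was seen and the most recent one got a 250 reply."""
    results = newnym_results(text)
    return bool(results) and results[-1].startswith("250")


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(e["time"], e["request"], "->", e["answer"])
    print("last newnym succeeded:", last_newnym_succeeded(SAMPLE_LOG))
```

A 250 reply here only confirms that Tor accepted the signal; as the page says, it does not guarantee a different exit relay on the next connection, so the check.tpo step above remains the end-to-end test.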

Get New Identity without Tor ControlPort Access[edit]

This is an advanced topic. You most likely only need it in custom configurations, such as when not using Control Port Filter Proxy.

Simulate what TorButton would do.

1. Close Tor Browser.
2. Get new identity on Whonix-Gateway using arm.
3. Start Tor Browser again.
4. Done.

Remove Proxy Settings[edit]

This is an advanced topic. You most likely only need it for advanced tunneling scenarios.

To remove Tor Browser proxy settings, i.e. setting it to no proxy, apply the following instructions.

Introduction

This configuration causes Tor Browser to no longer use proxy settings. With no proxy, Tor Browser uses the (VM) system's default networking. This is identical to any other application inside the Whonix-Workstation that has not been explicitly configured to use Tor via socks proxy settings or a socksifier. This setting is also called transparent torification. [48]

Note: This action will break both the Stream Isolation for Tor Browser and Tor Browser's tab isolation by socks user name. This worsens the web fingerprint and causes the user to be pseudonymous, rather than anonymous. To mitigate these risks, consider using More than one Tor Browser in Whonix, or better yet, Multiple Whonix-Workstations.

If these settings are changed, expect Tor Button to show a red sign and state "Tor Disabled" if a mouse is hovered over it.

To enable transparent torification (no proxy setting), set the TOR_TRANSPROXY=1 environment variable. There are several methods, but the #/etc/environment Method is the simplest one.

For other methods with finer-grained settings, see below.

Command Line Method

Navigate to the Tor Browser folder.

cd ~/tor-browser_en-US

Every time Tor Browser is started, run the following command to set the TOR_TRANSPROXY=1 environment variable.

TOR_TRANSPROXY=1 ./start-tor-browser.desktop

start-tor-browser Method

This only applies to a single instance of the Tor Browser folder that is configured. This method may not persist when Tor Browser is updated.

Find and open start-tor-browser in the Tor Browser folder in an editor.

This is most likely in ~/tor-browser_en-US/Browser/start-tor-browser below #!/usr/bin/env bash.

Set.

export TOR_TRANSPROXY=1

/etc/environment Method

This will apply to the whole environment, including any possible custom locations of Tor Browser installation folders. [49]

Open /etc/environment in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run.

kdesudo kwrite /etc/environment

If you are using a terminal-only Whonix, run.

sudo nano /etc/environment

Add the following line.

TOR_TRANSPROXY=1

Save and reboot.

Undo

Reverting this change is undocumented. Simply unsetting that environment variable will not work due to Tor Browser limitations. The easiest way to undo this setting is to install a fresh instance of Tor Browser (please contribute to these instructions)!

Ignore Tor Button's Open Network Settings

Whonix has disabled the Open Network Settings menu option in Tor Button. Read the footnote for further information. [50]

Change Proxy Settings[edit]

This is an advanced topic. You most likely only need it for advanced tunneling scenarios.

Note that these instructions do not apply to accessing local web-interfaces.

Due to a bug in Tor Browser, [51] extra steps are required to use proxies.

Note: This action will break both the Stream Isolation for Tor Browser and Tor Browser's tab isolation by socks user name. This worsens the web fingerprint and causes the user to be pseudonymous, rather than anonymous. To mitigate these risks, consider using More than one Tor Browser in Whonix, or better yet, Multiple Whonix-Workstations.

Complete the following steps inside Whonix-Workstation.

1. Install the FoxyProxy add-on in Tor Browser.

2. Change Tor Browser Settings.

  • Double-click the Default proxy in FoxyProxy and set up the IP and port of the proxy. If configuring a SOCKS proxy, check the option and specify the type.
  • Set Mode: Use Proxy "Default" for all URLs.

Local Connections Exception Threat Analysis[edit]

This applies to allowing local connections in Tor Browser.

Threat Details

According to this Firefox ticket, JavaScript can be abused to scan internal networks, fingerprint devices, and make malicious commands to those devices if they have a web interface. The configured exception means a small trade-off in privacy but is much safer than using another browser. [52] Read on about steps to further minimize the risks.

Analysis

There are no embedded devices attached to a Whonix internal network; it is isolated and untrusted. However, malicious JavaScript (JS) will be able to tell an attacker that a service is running on a localhost port. This can reduce your anonymity set.

Malicious misconfiguration of daemons listening on localhost is possible but with limited impact because traffic is still forced through Whonix-Gateway.

Misc

tor-launcher vs torbrowser-launcher[edit]

Two totally different things with similar names.

tor-launcher[edit]

In case you are wondering if tor-launcher will result in Tor over Tor... No, because Tor Browser and Whonix play well together. tor-launcher is disabled by default in Whonix-Workstation.

Can or should you remove tor-launcher from TBB? In theory it makes no difference. In practice, it is untested and seems to provide no advantages. Just leave it enabled to have the same tested setup as everyone else.

tor-launcher is not (yet) available for usage in Whonix-Gateway. [53]

torbrowser-launcher[edit]

Tor Browser Updater (Whonix) (tb-updater) (installed by default in Whonix) is specifically designed to be co-installable with torbrowser-launcher. Maybe one day Whonix will deprecate tb-updater and install torbrowser-launcher by default, see forum development discussion if that is of interest to you.

Terminology[edit]

Tor vs Tor Browser[edit]

Tor is an anonymizer developed by The Tor Project. Tor Browser is a web browser developed by The Tor Project and optimized for privacy. Please do not write Tor when you mean Tor Browser, or the confusion will be complete.

Tor Browser Transparent Proxying[edit]

This Tor Browser "transparent proxying" feature and/or the environment variable TOR_TRANSPROXY=1 causes a lot of confusion. It was a bad decision by TPO to call it "transparent proxying". What it actually does is set the browser to "no proxy settings", i.e. "use system default". Tor Browser then behaves, network-wise, exactly like an unconfigured Firefox / Iceweasel: if the person using this "transparent proxying" feature does not use a gateway with transparent torification features such as Whonix-Gateway, traffic goes over clearnet; if they use a torifying gateway such as Whonix-Gateway, traffic goes through Tor; if they have a JonDo-Gateway, traffic goes through JonDo.

Not to be confused with Tor's TransPort [address:]port|auto [isolation flags] setting. Also not to be confused with TransparentProxy, which is different from an IsolatingProxy.

Qubes specific[edit]

Running Tor Browser in Qubes TemplateVM[edit]


tb-updater in Qubes TemplateVM[edit]

Tor Browser is installed by default in Whonix-Workstation in Qubes-Whonix, but not in Non-Qubes-Whonix. If you are interested in the reasons why, see #Not installed by Default Footnote.

Beginning with Whonix 13, during Qubes-Whonix-Workstation builds the #Tor Browser Downloader by Whonix (tb-updater package) (update-torbrowser) is automatically run within the chroot on its initial installation. If that run fails, it fails closed by default, meaning the package fails to install. This can therefore throw an error while building Whonix images from source code or when installing Whonix from the repository. This is not ideal, but it was decided to install Tor Browser by default in Qubes-Whonix-Workstation, and the only way to ensure it really gets installed by default is to fail closed by default.

Beginning with Whonix 13, in Qubes-Whonix-Workstation TemplateVMs the #Tor Browser Downloader by Whonix (tb-updater package) (update-torbrowser) is also automatically run during upgrades of the package. If that run fails, it fails open by default: you are informed in the terminal that no new Tor Browser could be downloaded, but apt-get terminates normally. This is required to implement the Qubes-Whonix feature of having up-to-date versions of Tor Browser in newly created AppVMs inherited from updated TemplateVMs.

What should you do if it failed? If you can still update Tor Browser using #Tor Browser Internal Updater or manually re-download Tor Browser, then there is no need for concern and this is only a small inconvenience.

All of this can be configured, if you want to do so...

Open /etc/torbrowser.d/50_user.conf in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run.

kdesudo kwrite /etc/torbrowser.d/50_user.conf

If you are using a terminal-only Whonix, run.

sudo nano /etc/torbrowser.d/50_user.conf

When the tb-updater package is upgraded, by default in the Qubes-Whonix-Workstation TemplateVM the tarball and signature of a hardcoded [54] Tor Browser version are automatically downloaded. If you want to disable this, add the following line.

tb_install_follow=false

Save.

Technical details:

By default in Qubes-Whonix-Workstation TemplateVMs, during the package's Debian maintainer postinst script the folders /var/cache/tb-binary/.cache/tb/ and /var/cache/tb-binary/.tb/tor-browser will be deleted if they exist. tb-updater will then download files to /var/cache/tb-binary/.cache/tb/.

find /var/cache/tb-binary/.cache/tb/
/var/cache/tb-binary/.cache/
/var/cache/tb-binary/.cache/tb
/var/cache/tb-binary/.cache/tb/files
/var/cache/tb-binary/.cache/tb/files/sha256sums.txt.asc
/var/cache/tb-binary/.cache/tb/files/tor-browser-linux64-5.5.4_en-US.tar.xz
/var/cache/tb-binary/.cache/tb/files/sha256sums.txt
/var/cache/tb-binary/.cache/tb/temp
/var/cache/tb-binary/.cache/tb/temp/tar_fifo
/var/cache/tb-binary/.cache/tb/temp/tor_check_bootstrap_helper_bootstrap_file
/var/cache/tb-binary/.cache/tb/temp/sha256_output
/var/cache/tb-binary/.cache/tb/temp/pv_wrapper_fifo
/var/cache/tb-binary/.cache/tb/temp/tbb_remote_folder
/var/cache/tb-binary/.cache/tb/gpgtmpdir
/var/cache/tb-binary/.cache/tb/gpgtmpdir/secring.gpg
/var/cache/tb-binary/.cache/tb/gpgtmpdir/pubring.gpg~
/var/cache/tb-binary/.cache/tb/gpgtmpdir/pubring.gpg
/var/cache/tb-binary/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_status_fd_file
/var/cache/tb-binary/.cache/tb/gpgtmpdir/trustdb.gpg
/var/cache/tb-binary/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_output_file

After gpg verification, tb-updater will extract the Tor Browser archive to /var/cache/tb-binary/.tb.

find /var/cache/tb-binary/.tb
/var/cache/tb-binary/.tb/tor-browser/...

When a Qubes-Whonix-Workstation AppVM is booted for the first time, in essence, the systemd unit file /lib/systemd/system/tb-updater-first-boot.service runs /usr/lib/tb-updater/first-boot-home-population. That script copies /var/cache/tb-binary to /home/user. This results in...

ls -la /home/user/.tb
output... TODO
ls -la /home/user/.cache/tb
output... TODO

Information for users building Whonix using the build script.

If you are building Qubes-Whonix using the build script and want to fail open generally, a file /etc/torbrowser.d/50_user.conf has to be created inside chroot before the build with the following content.

anon_shared_inst_tb=open

If you are building Qubes-Whonix using the build script and want to skip initial download of Tor Browser during build of Whonix in chroot, a file /etc/torbrowser.d/50_user.conf has to be created inside chroot before the build with the following content.

tb_install_in_chroot=false

Whonix-Custom-Linux-Workstation specific[edit]

These instructions are new and you will be an early tester. There could be some connectivity issues.

Please contribute by testing and finishing these instructions!

These instructions were tested using Tor Browser version 6.0.1. Connectivity might break in later Tor Browser versions in case the developers of Tor Browser modify things related to how networking in Tor Browser gets configured. [55]

1) Manually download and install Tor Browser.

2) You have to set multiple environment variables.

Open /etc/environment in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run.

kdesudo kwrite /etc/environment

If you are using a terminal-only Whonix, run.

sudo nano /etc/environment

Add.

## Deactivate tor-launcher,
## a Vidalia replacement as browser extension,
## to prevent running Tor over Tor.
## https://trac.torproject.org/projects/tor/ticket/6009
## https://gitweb.torproject.org/tor-launcher.git
TOR_SKIP_LAUNCH=1

## Environment variable to disable the "TorButton" ->
## "Open Network Settings..." menu item. It is not useful and confusing to have
## on a workstation, because this is forbidden for security reasons. Tor must be
## configured on the gateway.
TOR_NO_DISPLAY_NETWORK_SETTINGS=1

## environment variable to skip TorButton control port verification
## https://trac.torproject.org/projects/tor/ticket/13079
TOR_SKIP_CONTROLPORTTEST=1

Save.

Reboot.

From now on, only the browser component of Tor Browser will be started.

3) Verify environment variables.

env | grep -i tor

Should show.

TOR_NO_DISPLAY_NETWORK_SETTINGS=1
TOR_SKIP_CONTROLPORTTEST=1
TOR_SKIP_LAUNCH=1

4) Configure network settings. [56]

Now you have to create ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js. This supposes you installed Tor Browser as per step 1). It supposes you have a folder ~/.tb/tor-browser. If you installed Tor Browser to another folder of your own choice, you need to adjust the path.

Open ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js in an editor.

If you are using a graphical environment, run.

kwrite ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js

If you are using a terminal (Konsole), run.

nano ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js

Add.

user_pref("extensions.torbutton.use_privoxy", false);
user_pref("extensions.torbutton.settings_method", "custom");
user_pref("extensions.torbutton.socks_host", "10.152.152.10");
user_pref("extensions.torbutton.socks_port", 9100);
user_pref("network.proxy.socks", "10.152.152.10");
user_pref("network.proxy.socks_port", 9100);
user_pref("extensions.torbutton.custom.socks_host", "10.152.152.10");
user_pref("extensions.torbutton.custom.socks_port", 9100);
user_pref("extensions.torlauncher.control_host", "10.152.152.10");
user_pref("extensions.torlauncher.control_port", 9052);

Save.

5) Done.
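Steps 2) to 4) above end with a manual `env | grep -i tor` and an eyeball check of user.js. As an added example (not part of the Whonix wiki, tb-updater or Tor Browser), the script below turns both checks into functions: one confirms that the three environment variables are set to 1 in an /etc/environment-style file, the other confirms that user.js routes SOCKS traffic to the gateway on both the Firefox (network.proxy.*) and TorButton (extensions.torbutton.*) prefs. The gateway address 10.152.152.10 and SocksPort 9100 are the values from this page; file paths are passed as parameters so the constructed sample files in demo() can stand in for the real ones.

```shell
#!/bin/sh
# Added example, not Whonix project code: verify the Whonix-Custom-Linux-Workstation
# Tor Browser configuration described on this page.

# Gateway address and SocksPort as used on this page; adjust if yours differ.
GATEWAY_IP="10.152.152.10"
SOCKS_PORT="9100"

# Return 0 when every required variable is set to exactly 1 in the given
# /etc/environment-style file (KEY=VALUE lines, ## comments ignored);
# otherwise name the missing ones on stderr and return 1.
check_env_file() {
    file="$1"; missing=""
    for var in TOR_SKIP_LAUNCH TOR_NO_DISPLAY_NETWORK_SETTINGS TOR_SKIP_CONTROLPORTTEST; do
        grep -Eq "^[[:space:]]*${var}=1[[:space:]]*$" "$file" || missing="$missing $var"
    done
    [ -z "$missing" ] && return 0
    echo "missing or not set to 1:$missing" >&2
    return 1
}

# Return 0 when user.js points both the Firefox and the TorButton SOCKS
# settings at the gateway and uses the "custom" settings method.
check_user_js() {
    file="$1"
    grep -Fq "user_pref(\"network.proxy.socks\", \"${GATEWAY_IP}\");" "$file" &&
    grep -Fq "user_pref(\"network.proxy.socks_port\", ${SOCKS_PORT});" "$file" &&
    grep -Fq "user_pref(\"extensions.torbutton.socks_host\", \"${GATEWAY_IP}\");" "$file" &&
    grep -Fq "user_pref(\"extensions.torbutton.socks_port\", ${SOCKS_PORT});" "$file" &&
    grep -Fq 'user_pref("extensions.torbutton.settings_method", "custom");' "$file"
}

# Run both checks on constructed sample files (test inputs, not the real
# /etc/environment or Tor Browser profile); return 0 only if both pass.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/environment" <<'EOF'
## comment lines are allowed in /etc/environment
TOR_SKIP_LAUNCH=1
TOR_NO_DISPLAY_NETWORK_SETTINGS=1
TOR_SKIP_CONTROLPORTTEST=1
EOF
    cat > "$tmp/user.js" <<'EOF'
user_pref("extensions.torbutton.settings_method", "custom");
user_pref("extensions.torbutton.socks_host", "10.152.152.10");
user_pref("extensions.torbutton.socks_port", 9100);
user_pref("network.proxy.socks", "10.152.152.10");
user_pref("network.proxy.socks_port", 9100);
EOF
    check_env_file "$tmp/environment" && check_user_js "$tmp/user.js"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# On a real workstation (after the reboot in step 2) the call would be:
#   check_env_file /etc/environment && \
#   check_user_js ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js
demo && echo "sample configuration OK"
```

check_env_file only inspects the file; whether the variables reached the running session still depends on the reboot in step 2), which is why the page's `env | grep -i tor` remains worth running once.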

Windows specific[edit]

UNTESTED
UNFINISHED
Please contribute by testing and finishing these instructions!

When you are using a Custom-Whonix-Workstation, specifically a Windows-Whonix-Workstation and want to use Tor Browser...

1) Install Tor Browser.

2) Use Tor Browser without bundled Tor.

In the folder where you extracted Tor Browser, create a new text file. For example, you could give it the following name.

Start TB without Tor.bat

Add the following content to that file.

SET TOR_SKIP_LAUNCH=1

"Start Tor Browser.lnk"

Save.

[57]

3) Configure network settings.

Start Tor Browser. The following links for removing and changing proxy settings do not apply one to one to Windows! Removing the proxy settings is better avoided; changing the proxy settings is preferable. How to do this on Windows is currently undocumented, but you might figure it out.

  • Type: SOCKSv5.
  • IP address:
    • Qubes-Whonix
      • If Qubes Tools in the custom workstation are:
        • Installed: Find out the IP address of Qubes-Whonix-Gateway by running qubesdb-read /qubes-gateway inside the custom workstation.
        • Not installed: Find out the IP address of Qubes-Whonix-Gateway by running qubesdb-read /qubes-ip inside sys-whonix.
      • Unfortunately the IP address will not be static. [58] This means after restarting sys-whonix, the connection might break and the IP address setting may need to be manually updated.
    • Non-Qubes-Whonix: 10.152.152.10
  • Port: 9100.
  • Do not change the No Proxies for setting.

4) Figure out missing instructions. Port them from Linux specific to Windows specific.

Tor_Browser#Whonix-Custom-Linux-Workstation_specific

5) Done.

Start from Command Line[edit]

Open a terminal.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Workstation AppVM (commonly named anon-whonix) -> Konsole

If you are using a graphical Whonix-Workstation, complete the following steps.

Start Menu -> Applications -> System -> Konsole

Change into Tor Browser folder.

cd ~/.tb/tor-browser

Start Tor Browser.

./start-tor-browser --debug

Debugging[edit]

Open a terminal.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Workstation AppVM (commonly named anon-whonix) -> Konsole

If you are using a graphical Whonix-Workstation, complete the following steps.

Start Menu -> Applications -> System -> Konsole

Change into Tor Browser folder.

cd ~/.tb/tor-browser

Start Tor Browser from command line in debug mode.

./start-tor-browser --debug

Type into the address bar.

about:config

Search for each of the following preferences and set it to the value shown.

extensions.torbutton.loglevel | 1
extensions.torlauncher.loglevel | 1

extensions.torbutton.logmethod | 0
extensions.torlauncher.logmethod | 0

Close Tor Browser.

Restart Tor Browser.

./start-tor-browser --debug

[59]

Footnotes / References[edit]

  1. For a comprehensive list of reasons, readers are encouraged to review some or all of the references in this section.
  2. https://tb-manual.torproject.org/linux/en-US/
  3. DNS is a distributed database which keeps track of computers' names and their corresponding IP addresses on the Internet https://web.stanford.edu/class/msande91si/www-spr04/readings/week1/InternetWhitepaper.htm. DNS servers enable the browser to know where resources are located on the Internet, and the corresponding IP address for fetching these.
  4. See below for a further description of these features.
  5. https://en.wikipedia.org/wiki/HTTPS
  6. https://en.wikipedia.org/wiki/HTTPS
  7. HTTPS is not foolproof due to reliance on the Certificate Authority (CA) system that issues digital certificates (private keys) for websites. As a trusted third party, this trust can be abused or the CAs can be subject to adversary attacks.
  8. https://www.torproject.org/docs/faq#AmITotallyAnonymous
  9. https://www.whonix.org
  10. https://www.eff.org/pages/tor-and-https
  11. https://en.wikipedia.org/wiki/JavaScript
  12. https://en.wikipedia.org/wiki/Adobe_Flash
  13. https://en.wikipedia.org/wiki/HTTP_cookie
  14. DoNot#Do_not_confuse_Anonymity_with_Pseudonymity.
  15. https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
  16. https://www.torproject.org/torbutton/
  17. See tbb-linkability and tbb-fingerprinting.
  18. http://www.mail-archive.com/liberationtech@lists.stanford.edu/msg00022.html
  19. https://www.torproject.org/torbutton/en/design/
  20. https://lists.torproject.org/pipermail/tor-talk/2012-May/024227.html
  21. http://forums.whonix.org/t/should-still-recommend-against-maximizing-tor-browser-window
  22. (permalink)
    There is no Tor over Tor in Whonix, which would be recommended against, due to Whonix's environment. Whonix does not modify Tor Browser's startup script, defaults, etc. In Whonix-Workstation rinetd listens on 127.0.0.1 9150 and 9151 (Tor Browser's default ports) and forwards them to Whonix-Gateway 10.152.152.10 9150 (where a Tor SocksPort is listening) and 9151 (where Control Port Filter Proxy is listening). Tor does not get started by the tor-launcher Firefox add-on because the TOR_SKIP_LAUNCH environment variable has been set to 1. See also Dev/anon-ws-disable-stacked-tor.
  23. https://blog.torproject.org/blog/tor-browser-50-released

    Starting with this release, Tor Browser will now also download and apply upgrades in the background, to ensure that users upgrade quicker and with less interaction. This behavior is governed by the about:config pref app.update.auto, but we do not recommend disabling it unless you really know what you're doing.

  24. finalize RecommendedTBBVersions format
  25. counter downgrade / stale mirror attacks on RecommendedTBBVersions - sign / verify tbb versions file
  26. For a definition of these attacks, see TUF (The Update Framework)'s threat model (w).
  27. An adversary capable of breaking SSL could mount such an attack by replacing RecommendedTBBVersions with invalid, frozen or outdated version information.
  28. This is because Tor Browser signatures do not provide expiration dates yet (similar to Debian's valid-until field).
  29. This is because the user's computer clock could be wrong, so there is no rock solid basis for comparison.
  30. i.e. for example, a browser, not a messenger
  31. and hash
  32. gnupg (OpenPGP) common misconceptions
  33. The name of the file is stored in the hash file and verified to match the downloaded name of the file and hash.
  34. Reasons why Tor Browser is installed by default in Whonix-Workstation in Qubes-Whonix, but not in Non-Qubes-Whonix. (link)

    Licensing reasons:
  35. Alternatively, one could remove Tor Browser's proxy settings, but then you would be vulnerable to the same fingerprinting issues (see #Local Connections Exception Threat Analysis). Additionally, you would be vulnerable to the fingerprinting issues that are opened up by removing Tor Browser's proxy settings.
  36. https://forums.whonix.org/t/hardened-tor-browser-bundle-not-as-hardened-you-think-soon-becoming-extinct/3582/3
  37. https://lists.torproject.org/pipermail/tbb-dev/2017-February/000454.html
  38. https://blog.torproject.org/blog/q-and-yawning-angel
  39. https://blog.torproject.org/blog/tor-browser-65a6-hardened-released
  40. https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Sandbox/Linux
  41. https://forums.whonix.org/t/tor-browser-sandbox-linux-alpha-coming-soon/3060
  42. The whonix-welcome-page package's file /usr/lib/whonix-welcome-page/env_var.sh sets the environment variable TOR_DEFAULT_HOMEPAGE, which sets the Tor Browser homepage, to /usr/share/homepage/whonix-welcome-page/whonix.html. Perhaps it could be seen as a bug in Tor Browser that a user-set custom homepage does not override the TOR_DEFAULT_HOMEPAGE environment variable? TODO: No bug has been reported at trac.torproject.org yet.
  43. sudo apt-get purge whonix-welcome-page.
  44. kdesudo kate /usr/lib/whonix-welcome-page/env_var.sh
  45. We do not want Whonix-Workstation to have access to the information, which Tor middle relay or Tor entry guard [or bridge] are being used. See also: Dev/Control_Port_Filter_Proxy#Indicator_for_current_Circuit_Status_and_Exit_IP
  46. Getting a new circuit doesn't guarantee getting a new exit relay. This is normal. See also Stream_Isolation.
  47. This term was coined in context of a Tor Transparent Proxy. It acts as a simple gateway that routes all connections through Tor, but does not provide Stream Isolation.
  48. Unless this environment variable is manually unset before starting Tor Browser.
  49. The regular Tor Browser Bundle from The Tor Project (without Whonix) allows networking settings to changed inside Tor via the Open Network Settings menu option. It has the same effect as editing Tor's config file torrc. In Whonix, the environment variable export TOR_NO_DISPLAY_NETWORK_SETTINGS=1 has been set to disable the TorButton -> Open Network Settings... menu item. It is not useful and confusing to have in the Whonix-Workstation because:
    • In Whonix, there is only limited access to Tor's control port (see Dev/CPFP for more information).
    • For security reasons, Tor must be manually configured in /etc/tor/torrc on the Whonix-Gateway, and not from the Whonix-Workstation (see VPN/Tunnel support for more information).
  50. Circuit isolation by SOCKS proxy may be breaking other proxies or non-proxies
  51. https://trac.torproject.org/projects/tor/ticket/10419#comment:37
  52. https://phabricator.whonix.org/T118
  53. In the tb-updater package.
  54. Once Tor Browser moves to SocksSocket, this will certainly no longer work. References:
  55. Learn about network settings.
    • Type: SOCKSv5.
    • IP address:
      • Qubes-Whonix
        • If Qubes Tools in the custom workstation are:
          • Installed: Find out the IP address of Qubes-Whonix-Gateway by running qubesdb-read /qubes-gateway inside the custom workstation.
          • Not installed: Find out the IP address of Qubes-Whonix-Gateway by running qubesdb-read /qubes-ip inside sys-whonix.
        • Unfortunately the IP address will not be static. This means after restarting sys-whonix, the connection might break and the IP address setting may need to be manually updated.
      • Non-Qubes-Whonix: 10.152.152.10
    • Port: 9100.
    • Do not change the No Proxies for setting.
    ## The following TOR_SOCKS_HOST and TOR_SOCKS_PORT variables
    ## do not work flawlessly, due to an upstream bug in Tor Button:
    ##    "TOR_SOCKS_HOST, TOR_SOCKS_PORT regression"
    ##    https://trac.torproject.org/projects/tor/ticket/8336
    TOR_SOCKS_HOST="10.152.152.10"
    TOR_SOCKS_PORT="9150"
    
  56. We just have to set the TOR_SKIP_LAUNCH=1 environment variable (SET TOR_SKIP_LAUNCH=1 in the batch file), then start Tor Browser. The Tor Browser Launcher add-on will detect this, skip the connection wizard and skip launching Tor.
  57. Qubes feature request: Optional static IP addresses.
  58. https://www.torproject.org/docs/torbutton/en/design/


License[edit]

Whonix Tor Browser wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Tor Browser wiki page Copyright (C) 2012 - 2017 Patrick Schleizer <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it
under certain conditions; see the wiki source code for details.
