Tor Browser Advanced Topics

From Whonix
Jump to navigation Jump to search


Tor Browser Adversary Model[edit]

The Tor Browser design has carefully considered the goals, capabilities and types of attacks undertaken by adversaries and planned accordingly. The design specifications address:

  • Application data isolation.
  • Cross-origin fingerprinting unlinkability.
  • Cross-origin identifier unlinkability.
  • Disk avoidance.
  • Long-term unlinkability via the "New Identity" button.
  • Proxy obedience.
  • State separation.
  • Other security measures to address many of the risks outlined below. [1] [2]

Adversary Goals[edit]

Table: Adversary Goals [3] [4]

Adversary Goals Description
Anonymity Set Reduction (Fingerprinting) To identify specific individuals, system data like the browser build, timezone or display resolution is used to track down (or at least track) their activities.
Bypassing Proxy Settings Directly compromising and bypassing Tor, or forcing connections to specific IP addresses.
Correlating Activity across Multiple Sites Learning if the person who visited site A is the same person who visited site B, in order to serve targeted advertisements.
Correlating Tor and Non-Tor activity If a proxy bypass is not possible, correlation of Tor and non-Tor activity is sought via cookies, cache identifiers, JavaScript events and Cascading Style Sheets (CSS).
History Disclosure Querying user history for censored search queries or websites.
History Records and other On-disk Information Seizing the computers of all Tor users in a given area and extracting history records, cache data, hostnames and disk-logged spoofed MAC address history.
Location Information Seeking timezone and locality information to determine if the user originates from a specific region they are trying to control, or focusing in on dissidents or whistleblowers.

Adversary Positioning Capabilities[edit]

Table: Positioning Capabilities [3] [4]

Location Description
Adservers and/or Malicious Websites Running websites or contracting ad space from adservers to inject content. Reducing a Tor user's anonymity is also good for marketing purposes. [5]
Exit Node or Upstream Router Running exit nodes or controlling routers upstream of exit nodes. [6]
Local Network / ISP / Upstream Router Injecting malicious content at the upstream router when Tor is disabled in order to correlate Tor and non-Tor activity. Additionally, block Tor or attempt to recognize traffic patterns of specific web pages at the entrance to the Tor network.
Physical Access Constant or intermittent physical access to computer equipment. This may happen to Internet cafe users or those in jurisdictions where equipment is confiscated due to general suspicion or solely for Tor use.

Adversary Attack Capabilities[edit]

Ambox warning pn.svg.png Warning: Advanced adversaries have numerous surveillance methods and attack vectors to deanonymize and spy on individuals.

Table: Attack Capabilities [3] [4]

Attack Capabilities Description
Inserting CSS
  • Using CSS pop-ups: Correlate Tor and non-Tor activity in order to reveal the non-Tor IP address.
  • Using CSS and JavaScript: Perform CSS-only history disclosure attacks.
  • CSS media queries: Gather information about desktop size, widget size, display type, DPI, user agent type and other information.
Inserting JavaScript
  • Extracting fingerprinting information: Available fonts, DOM objects to ascertain the user agent, WebGL to reveal the video card in use, and high precision timing information to reveal the CPU and interpreter speed.
  • Executing history disclosure attacks: Query the history of different attributes of visited links for specific queries, sites, or for user profiling (gender, interests etc.).
  • Querying: The user's timezone via the date object and reducing the anonymity set by querying the navigator object for operating system, CPU, location and user agent information.
Inserting or Exploiting Plugins
  • Using plugins: Perform network activity that is independent of browser (or its own) proxy settings in order to obtain the non-Tor IP address.
  • Using active plugin exploits: Leak the non-Tor IP address.
  • Enumerating: The list of plugins to fingerprint the user.
  • Gathering information: Use plugins capable of extracting font lists, interface addresses and other machine information.
  • Retrieving: Unique plugin identifiers.
Reading and Inserting Identifiers
  • Storing identifiers: HTTP auth, DOM storage, cached scripts, other elements with embedded identifiers, client certificates and TLS session IDs.
  • Performing a man-in-the-middle (MITM) attack: Inject elements to both read and inject cookies for arbitrary domains (affecting even SSL/TLS secured websites).
Other Attacks
  • Creating arbitrary cached content: Reading the browser cache which stores unique identifiers.
  • Observing request behavior: Fingerprinting is aided by observing the user agent, Accept-* headers, pipeline usage, and request ordering. Fingerprinting is worsened by custom filters like AdBlock and UBlock Origin.
  • Fingerprinting: Using the large number of browser attributes to reduce the anonymity set, or even uniquely fingerprinting individuals. [7]
  • Website traffic fingerprinting: Attempting to recognize the encrypted traffic patterns of specific websites, either between the user and the Guard node, or at the Guard node itself. [8]
  • Remotely or locally exploiting the browser and/or OS: Exploiting the browser, plugin or OS vulnerabilities to install malware or surveillance software, or physically access the machine to do the same.

Torbutton Design[edit]

With the release of Tor Browser 9.0 in late-2019, both the Torbutton and Tor Launcher extensions have been tightly integrated into Tor Browser, meaning Torbutton has been moved from the URL bar and neither appears on the about:addons page. Other changes include the New Identity function shifting to the URL bar and the New Tor Circuit function being accessible via the hamburger menu. As noted by Tor developers:

Now that the Tor Browser includes a patched version of Firefox, and because we don't have enough developer resources to keep up with the accelerated Firefox release schedule, the toggle model of Torbutton is no longer supported. Users should be using Tor Browser, not installing Torbutton themselves.

No functionality has been lost -- Torbutton's functions in Tor Browser behavior have simply moved into direct Firefox patches [9] which address the following dimensions.

Table: Torbutton Features Integrated into Tor Browser [10] [11]

Feature Description
Anonymity Set Preservation Tor Browser should not leak any other anonymity set reducing or fingerprinting information (such as user agent, extension presence, and resolution information) automatically via Tor.
Disk Avoidance Tor Browser should not write any Tor-related state to disk, or store it in memory beyond one Tor toggle.
Interoperability Tor Browser should inter-operate with third-party proxy switchers that enable the user to switch between a number of different proxies, with full Tor protection.
Location Neutrality Tor Browser should not leak location-specific information, like the timezone or locale via Tor.
Proxy Obedience Tor Browser must not bypass Tor proxy settings.
State Separation Cookies, cache, history, DOM storage, and more accumulated in one Tor state must not be accessible via the network in another Tor state.
Update Safety Tor Browser should not perform unauthenticated updates or upgrades via Tor.

Tor Browser patches and the integrated Torbutton features can potentially disable some functionality or interfere with the proper operation of some Internet sites, but the vast majority of websites work well. To learn more about former Torbutton, see:

New Identity Design[edit]

The Tor Browser design document describes the full features provided by this extension: [12] [13]

  • Disables Javascript and plugins on all tabs and windows.
  • Stops all page activity for each tab.
  • Clears the Tor Browser state:
    • OCSP state.
    • Content and image cache.
    • Site-specific zoom.
    • Cookies and DOM storage.
    • The safe browsing key.
    • Google Wi-Fi geolocation token.
    • Last opened URL preference (if it exists).
    • Searchbox and findbox text.
    • Purge session history.
    • HTTP authentication.
    • SSL session IDs.
    • Crypto tokens.
    • Site-specific content preferences.
    • Undo tab history.
    • Offline storage.
    • Domain isolator state.
    • NoScript's site and temporary permissions.
    • All other browser site permissions.
  • Closes all remaining HTTP keep-alive connections.
  • Sends Tor the "newnym" signal to issue a new Tor circuit.

After this process above, a fresh browser window is opened and the current browser window is closed (this does not spawn a new Firefox process, only a new window). When the final window is closed, any blob:UUID URLs that were created by websites are purged. [13]

New Tor Circuit Design[edit]

The "New Tor Circuit for this Site" feature sends the "newnym" signal to the Tor control port to cause a new circuit to be created for the current Tor Browser tab. [14] Other open tabs and windows from the same website will use the new circuit as well once they have reloaded, but connections to other websites on separate tabs are not affected. [15]

Security Slider Design[edit]

The Security Level preference tab and Tor Project manual describe the exact effect of each level and which features are disabled or partially disabled. Note that as of Tor Browser release v8.5, the security slider function has shifted from Torbutton to the taskbar ("shield" icon). [16] [17]

Table: Security Slider Settings [18]

Setting Description
  • All Tor Browser and website features are enabled.
  • Dangerous website features are disabled; some sites lose functionality.
  • On non-HTTPS sites, JavaScript is disabled.
  • Some fonts and maths symbols are disabled.
  • WebGL and HTML5 media (like audio and video) are click-to-play.
  • Only website features required for basic services and static sites are allowed; images, media and scripts are affected.
  • Javascript is disabled on all sites; some images, fonts, icons and math symbols are disabled.
  • HTML5 media (like audio and video) are click-to-play.

Disabled Tor Browser Functions[edit]

Open Network Settings[edit]

Info Whonix ™ has modified environment variables to prevent visibility of the "Open Network Settings..." menu option in Tor Browser.

The regular Tor Browser Bundle from The Tor Project (without Whonix ™) allows networking settings to be changed inside Tor via the Open Network Settings menu option. It has the same effect as editing Tor's torrc configuration file.

In Whonix ™, the environment variable export TOR_NO_DISPLAY_NETWORK_SETTINGS=1 has been set to disable the Tor BrowserOpen Network Settings... menu item. It is not useful and confusing to have in the Whonix-Workstation ™ because: [19] [20]

  • In Whonix ™, there is only limited access to Tor's control port (see Control Port Filter Proxy for more information).
  • For security reasons, Tor must be manually configured via /usr/local/etc/torrc.d/50_user.conf in Whonix-Gateway ™, and not inside Whonix-Workstation ™ (see VPN/Tunnel support for more information).

Tor Circuit View[edit]

Info Whonix ™ has removed the Tor Circuit View from Tor Browser for security reasons.

Normally this option in Tor Browser shows the three Tor relays used for the website in the current tab. This includes the IP addresses of each and the countries they are located in, and whether a bridge is being used (see below). The node immediately above the destination website reflects the Tor exit relay. [21]

Figure: Tor Circuit View - Disabled in Whonix [22]

Tor Browser Bundle's Improved Circuit Display

The Control Port Filter Proxy configuration in Whonix ™ intentionally does not whitelist the Tor control protocol commands that would be required for Tor Circuit View to function. This information is made unavailable to Whonix-Workstation ™ because Whonix-Workstation ™ should not have access to IP address information. If unavailable it cannot leak. Otherwise malicious or broken applications could leak it. Users might also unintentionally make screenshots of this information. One of the main advantages of Whonix ™ is, that there is no way to determine the real external IP address of the user from within Whonix-Workstation ™. Therefore also the IP address of the Tor entry guard or bridge as well as Tor middle relay should be inaccessible from Whonix-Workstation ™. Otherwise this information might aid an attacker who gained remote code execution capability within Whonix-Workstation ™.

Custom Homepage[edit]

It is unclear whether setting a custom homepage in Tor Browser settings will currently work. Previous attempts lead to the Whonix ™ default homepage being loaded on startup, even though a different homepage was manually set. The custom homepage only appeared following use of the New Identity function. [23]

The whonix-welcome-page package currently sets the environment variable TOR_DEFAULT_HOMEPAGE to /usr/share/homepage/whonix-welcome-page/whonix.html when setting the Tor Browser homepage. This is done via the bash script file [24] associated with the package. In light of this design, there are three possible options for a user-set custom homepage (untested):

  1. Attempting to purge the whonix-welcome-page package. [25] This solution is difficult due to technical limitations as explained on the Whonix ™ Debian Packages page.
  2. Modifying /usr/lib/whonix-welcome-page/ [26] Unfortunately these changes will revert after an upgrade.
  3. Setting the environment variable TOR_DEFAULT_HOMEPAGE to a custom value. This would have a similar effect as setting environment variables as outlined in Tor Browser Transparent Proxying.

A recent forum discussion in relation to this topic can be found here.

Custom Configurations[edit]

Info Custom configurations is an advanced topic. Only a small minority will ever need to apply the steps in this section.

Verify New Identity[edit]

Info Usually this action is only necessary for custom configurations, like when using a Whonix-Custom-Workstation ™.

If attempts to create a New Identity fail, then a related Tor Browser notification should appear once it realizes it cannot connect to Tor's ControlPort. If this error notification does not appear, then it likely means there are no problems.

After Tor Browser is restarted, click "IP Check" on the landing page. This will redirect to automatically, but the URL can be manually entered if preferred. In most, but not all cases [27] a new Tor exit relay will be received, with a different IP address being reported.

On Whonix-Gateway ™, examine the Control Port Filter Proxy log while using Tor Browser's New Identity feature.

sudo journalctl -f -u onion-grater

If the output is similar to the following.

Aug 16 05:30:19 host onion-grater[2316]: (filter: 30_autogenerated): → SIGNAL NEWNYM
Aug 16 05:30:19 host onion-grater[2316]: (filter: 30_autogenerated): <- 250 OK

Then the Control Port Filter Proxy received both the request from Tor Browser and Tor confirmation that it worked.

Get a New Identity without Tor ControlPort Access[edit]

Info This action is usually only needed for custom configurations, like when not using the Control Port Filter Proxy.

Simulate Tor Browser's New Identity functionality via these steps.

  1. Close Tor Browser.
  2. Get a new identity in Whonix-Gateway ™ using nyx.
  3. Start Tor Browser again.

The procedure is complete.

Proxy Settings[edit]

Info These steps are usually only needed for advanced tunneling scenarios.

Remove Proxy Settings[edit]

To remove Tor Browser proxy settings (set no proxy), apply the following instructions.


This configuration results in Tor Browser no longer using proxy settings. With no proxy set, Tor Browser uses the (VM) system's default networking. This is identical to any other application inside Whonix-Workstation ™ that has not been explicitly configured to use Tor via socks proxy settings or a socksifier. This setting is also called transparent torification. [28] [29]

Note: This action will break both Stream Isolation for Tor Browser and Tor Browser's tab isolation by socks user name. This worsens the web fingerprint and leads to pseudonymous (not anonymous) connections. To mitigate these risks, consider using More than one Tor Browser in Whonix ™, or preferably Multiple Whonix-Workstation ™.

To enable transparent torification (no proxy setting), set the TOR_TRANSPROXY=1 environment variable. There are several methods, but the simplest is the /etc/environment Method.

Note: Choose only one method to enable transparent torification.

For other methods with finer granulated settings, please press on Expand on the right.

Command Line Method

1. Platform specific notice:

2. Navigate to the Tor Browser folder.

cd ~/tor-browser_en-US

3. Every time Tor Browser is started, run the following command to set the TOR_TRANSPROXY=1 environment variable.

TOR_TRANSPROXY=1 ./start-tor-browser.desktop

4. Done.

start-tor-browser Method

This only applies to a single instance of the Tor Browser folder that is configured. This method may not persist when Tor Browser is updated.

1. Platform specific notice:

2. Find and open start-tor-browser in the Tor Browser folder with an editor.

This is most likely found in ~/tor-browser_en-US/Browser/start-tor-browser below #!/usr/bin/env bash.

3. Set.


4. Done.

start-tor-browser Method configuration has been completed.

/etc/environment Method

This will apply to the whole environment, including any possible custom locations of Tor Browser installation folders. [30]

1. Platform specific notice.

2. Open file /etc/environment in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/environment

3. Add the following line.

TOR_TRANSPROXY=1 ## newline at the end

4. Save and exit.

5. Reboot.

Reboot is required to make changes to configuration file /etc/environment take effect.

6. Done.

/etc/environment method configuration has been completed.

Tor Browser Settings Changes

This step is required since Tor Browser 10. [31]

1. Platform specific notice.

2. Tor Browser → URL bar → Type: about:config → Press Enter key. → search for and modify

3. network.dns.disabled → set to false

4. extensions.torbutton.launch_warning → set to false


Reverting this change is undocumented. Simply unsetting that environment variable will not work due to Tor Browser limitations. The easiest way to undo this setting is to install a fresh instance of Tor Browser (please contribute to these instructions)!

Ignore Tor Button's Open Network Settings

Whonix ™ has disabled the Open Network Settings... menu option in Tor Button. Read the footnote for further information. [32]

Change Proxy Settings[edit]

Info These instructions do not apply to accessing local web-interfaces.

Complete the following steps inside Whonix-Workstation ™ (anon-whonix).

Complete the following steps inside Whonix-Workstation ™ (anon-whonix).

1. Launch Tor Browser.

2. And enter about:config into the URL bar and press enter.

3. Change the following settings.

4. Set extensions.torbutton.use_nontor_proxy to true.

5. Set network.proxy.no_proxies_on to 0.

6. Proxy specific settings.

Depending on using a HTTP, HTTPS or SOCKS proxy.

A) HTTP proxy

If a HTTP proxy is being used, modify address and port number to the following strings.

  • network.proxy.http
  • network.proxy.http_port

B) HTTPS proxy

If a HTTPS proxy is being used, modify the following strings instead.

  • network.proxy.ssl
  • network.proxy.ssl_port

C) SOCKS proxy

This process can be repeated with socks proxies, but it is redundant and does not provide any advantage over the former types. The reason is because only Tor Browser is modified and no other programs are being tunneled through it.

  • Set network.proxy.socks to the IP of proxy server.
  • Set network.proxy.socks_port to the port number of the proxy server.
  • Set network.proxy.socks_remote_dns to
    • false - if the proxy server does not support resolving DNS. In this case, DNS will go through Tor exit nodes thanks to Whonix ™, or
    • true - if the proxy server does resolving DNS which is better.
  • Set network.proxy.socks_version to either 4 or 5 depending on the version of the proxy server.

7. Done.

Tor Browser proxy configuration has been completed.

Backup and Restore[edit]

It is possible to restore data from an old browser profile to a new browser profile. Regular Firefox documentation applies, except different file paths must be inspected.

In the old browser folder ~/.tb/tor-browser search for the following files:

  • ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/key4.db - This file stores the key database for passwords. To transfer saved passwords, this file and the one immediately below must be copied.
  • ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/logins.json - Saved passwords.
  • ~/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/places.sqlite - Bookmarks, downloads and browsing history.

Either backup these files or backup the whole browser folder, which is safer. Afterwards, copy them over after re-downloading Tor Browser.

Restore Backup[edit]

These Restore Backup instructions are untested and possibly incomplete.

Permission Fix[edit]

When restoring a backup, sometimes a fix is necessary due to lost file permissions. Note that the fix below has not yet been tested.

To apply a general permission fix, run.

sudo chown --recursive user:user /home/user

Retrieve a list of executable files from a functional Tor Browser version. Ideally it should be the same version as the one you are attempting to restore, possibly in a separate VM.

find ~/.tb/tor-browser/ -type f -executable -print

Then chmod +x all of these files.

In the collapsible section you can find a list created in June 2019. It might be outdated by now so you might have to create your own. Please press on Expand on the right.

chmod +x /home/user/.tb/tor-browser/Browser/ chmod +x /home/user/.tb/tor-browser/Browser/ chmod +x /home/user/.tb/tor-browser/Browser/ chmod +x /home/user/.tb/tor-browser/Browser/ chmod +x /home/user/.tb/tor-browser/Browser/updater chmod +x /home/user/.tb/tor-browser/Browser/ chmod +x /home/user/.tb/tor-browser/Browser/ chmod +x /home/user/.tb/tor-browser/Browser/ chmod +x /home/user/.tb/tor-browser/Browser/plugin-container chmod +x /home/user/.tb/tor-browser/Browser/gtk2/ chmod +x /home/user/.tb/tor-browser/Browser/ chmod +x /home/user/.tb/tor-browser/Browser/ chmod +x /home/user/.tb/tor-browser/Browser/execdesktop chmod +x /home/user/.tb/tor-browser/Browser/abicheck chmod +x /home/user/.tb/tor-browser/Browser/ chmod +x /home/user/.tb/tor-browser/Browser/ chmod +x /home/user/.tb/tor-browser/Browser/ chmod +x /home/user/.tb/tor-browser/Browser/ chmod +x /home/user/.tb/tor-browser/Browser/ chmod +x /home/user/.tb/tor-browser/Browser/ chmod +x /home/user/.tb/tor-browser/Browser/firefox.real chmod +x /home/user/.tb/tor-browser/Browser/ chmod +x /home/user/.tb/tor-browser/Browser/ chmod +x /home/user/.tb/tor-browser/Browser/start-tor-browser chmod +x /home/user/.tb/tor-browser/Browser/ chmod +x /home/user/.tb/tor-browser/Browser/start-tor-browser.desktop chmod +x /home/user/.tb/tor-browser/Browser/firefox chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/libstdc++/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fteproxy-lib/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/zope/interface/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fteproxy/tests/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fteproxy/ /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/obfs4proxy chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/meek-client chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fteproxy.wrapper chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/meek-client-torbrowser chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fteproxy.bin chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/tests/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/tests/dfas/test4.regex chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/tests/dfas/test3.dfa chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/tests/dfas/test1.dfa chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/tests/dfas/test6.dfa chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/tests/dfas/test4.dfa chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/tests/dfas/test6.regex chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/tests/dfas/test5.dfa chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/tests/dfas/test2.regex chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/tests/dfas/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/tests/dfas/test2.dfa chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/tests/dfas/test1.regex chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/tests/dfas/test5.regex chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/tests/dfas/test3.regex chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/tests/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/tests/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/tests/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/rank_unrank.h chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/fte/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/obfsproxy.bin chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/twisted/runner/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/twisted/python/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/twisted/test/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/Crypto/Util/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/Crypto/Util/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/Crypto/Cipher/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/Crypto/Cipher/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/Crypto/Cipher/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/Crypto/Cipher/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/Crypto/Cipher/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/Crypto/Cipher/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/Crypto/Cipher/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/Crypto/Cipher/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/Crypto/Hash/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/Crypto/Hash/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/Crypto/Hash/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/Crypto/Hash/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/Crypto/Hash/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/Crypto/Hash/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/Crypto/Hash/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/ chmod +x /home/user/.tb/tor-browser/Browser/TorBrowser/Tor/tor chmod +x /home/user/.tb/tor-browser/start-tor-browser.desktop

Local Connections Exception Threat Analysis[edit]

Info This section applies to those who are configuring an exception for Local Connections in Tor Browser.

According to this Firefox ticket, JavaScript can be abused to scan internal networks, fingerprint devices, and make malicious commands to those devices if they have a web interface.

In Whonix ™, there are no embedded devices attached to an internal network; it is isolated and untrusted. However, malicious Javascript can reveal to an attacker that a service is running on a localhost port. Consequently, this can reduce the user's anonymity set. Further, daemons listening on the localhost can be maliciously misconfigured, but this has limited impact because traffic is still forced through Whonix-Gateway ™.

For further reading on this topic, see this related Whonix ™ Forum topic and Tor Browser bug report.

The configured exception means a small trade-off in privacy, but it is much safer than using another browser. [33]

tor-launcher vs torbrowser-launcher[edit]

tor-launcher and torbrowser-launcher are two completely different things with similar names:


Do not be concerned that tor-launcher might result in a Tor over Tor scenario, as this is prevented by Whonix ™ proxy settings. By default, tor-launcher is disabled in Whonix-Workstation ™.

In theory it is possible to remove tor-launcher from TBB, but this would not make any difference. Taking this step is untested and seems unlikely to provide any additional advantages. For that reason, it is best to leave it enabled so the platform has the same tested and functional setup as everyone else.

tor-launcher is not yet available for use in Whonix-Gateway ™. [34]


Tor Browser Updater (Whonix ™) (tb-updater) is installed by default and specifically designed to be functional when installed alongside torbrowser-launcher. A possible long-term development goal in Whonix ™ is to deprecate tb-updater and instead install torbrowser-launcher by default. See this forum development discussion if that is of interest.

Platform-specific Issues: Qubes-Whonix ™[edit]

Running Tor Browser in Qubes Template or Disposable Template[edit]

Ambox warning pn.svg.png Do not start Tor Browser in the whonix-ws-16 Template or whonix-ws-dvm Disposable Template! It is unexpected behavior and dangerous.

To understand why, please press on Expand on the right.

  • Tor Browser should be used in its stock configuration with as few modifications as possible. This is in accordance with upstream recommendations by The Tor Project.
  • Internet connections are established if Tor Browser is started in a Disposable Template -- this risks a compromise of the template and all Disposables based upon it.
  • Various files are created when Tor Browser starts -- these might make an individual pseudonymous rather than anonymous, even if software has been designed against this. It is undesirable to have the same pseudonym linked to all App Qubes based on a singular Template.
  • It is far safer to start Tor Browser for the first time in a App Qube, rather than the Template. It is unrealistic to expect Tor Browser will perform perfectly, without any critical bugs being revealed later on. Current and past Tor Browser issues support this assertion; for example, see here and here.
  • See also Unsafe Tor Browser Habits.

tb-updater in Qubes Template[edit]

Tor Browser is installed by default in Whonix-Workstation ™.

Default Behavior[edit]

Whonix-Workstation ™ builds by default automatically run Tor Browser Downloader by Whonix ™ (tb-updater package) (update-torbrowser) following its initial installation within chroot. If the attempt to run the tb-updater package is unsuccessful, then it will fail closed by default and nothing will be installed. As a consequence, this could lead to an error while building Whonix ™ images from source code or when installing Whonix ™ from the repository. Although this is undesirable behavior, developers have still decided to install Tor Browser by default in Whonix-Workstation ™. This means the only way to ensure Tor Browser is really installed by default is to also fail closed when necessary.

Qubes-Whonix-Workstation ™ Templates by default automatically run update-torbrowser during upgrades of Tor Browser Downloader by Whonix ™ (tb-updater package). If the update-torbrowser process fails, it will fail open by default. In this case, a terminal message will inform that no new Tor Browser could be downloaded, but APT will terminate normally. This is necessary to implement the Qubes-Whonix ™ feature ensuring an up-to-date version of Tor Browser is available in freshly created App Qubes. [35]

Update Failures[edit]

If an update failure occurs, this only poses a small inconvenience. The problem is easily solved by one of the following methods:

  1. Running Tor Browser Downloader by Whonix ™ in Whonix-Workstation ™ Template (whonix-ws-16) or in an App Qube like anon-whonix.
  2. Using the Internal Updater in an App Qube like anon-whonix.
  3. Manually downloading Tor Browser in an App Qube like anon-whonix.

Optional Package Configuration[edit]

Actions of the tb-updater package can be optionally configured.

Disable Automatic Update Downloads[edit]

1. Open file /etc/torbrowser.d/50_user.conf in an editor with administrative (root) write permissions.

This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

sudoedit /etc/torbrowser.d/50_user.conf

2. Disable automatic downloads.

When the tb-updater package is upgraded in the Qubes-Whonix-Workstation ™ Template, by default a hard-coded [36] version Tor Browser tarball and signature is automatically downloaded. In order to disable this, add.


3. Save the file and exit.

Technical Details[edit]

By default, during the Debian maintainer postinst script run in Qubes-Whonix-Workstation ™ Templates, the folders /var/cache/tb-binary/.cache/tb/ and /var/cache/tb-binary/.tb/tor-browser will be deleted if they exist. tb-updater will then download files to /var/cache/tb-binary/.cache/tb/

find /var/cache/tb-binary/.cache/tb/


After gpg verification, tb-updater will extract the Tor Browser archive to /var/cache/tb-binary/.tb

find /var/cache/tb-binary/.tb


In essence, when a Qubes-Whonix-Workstation ™ App Qube is booted for the first time, the systemd unit file /lib/systemd/system/tb-updater-first-boot.service [37] runs /usr/lib/tb-updater/first-boot-home-population. [38] That script copies /var/cache/tb-binary to /home/user

The result is.

ls -la /home/user/.tb

drwxr-xr-x  6 user user 4096 Jun  8 01:17 .
drwx------ 20 user user 4096 Jun  8 01:17 ..
-rw-r--r--  1 user user    0 Jun  8 01:17 first-boot-home-population.done
drwxr-xr-x  3 user user 4096 Jun  8 01:17 tor-browser

ls -la /home/user/.cache/tb

drwxr-xr-x 5 user user 4096 Jun  8 01:17 .
drwxr-xr-x 3 user user 4096 Jun  8 01:17 ..
-rw-r--r-- 1 user user  167 Jun  8 01:17 RecommendedTBBVersions
drwxr-xr-x 2 user user 4096 Jun  8 01:17 files
drwx------ 3 user user 4096 Jun  8 01:17 gpgtmpdir
-rw-r--r-- 1 user user   26 Jun  8 01:17 last_used_gpg_bash_lib_output_signed_on_date
-rw-r--r-- 1 user user   11 Jun  8 01:17 last_used_gpg_bash_lib_output_signed_on_unixtime
-rw-r--r-- 1 user user    6 Jun  8 01:17 tbb_version_last_downloaded_save_file
drwxr-xr-x 2 user user 4096 Jun  8 01:17 temp

File Locations[edit]




Home folder:



Path to user.js in this documentation is just a hint. Whonix ™ does not influence that path, although it might change in later versions of Tor Browser. Any contents inside the /Browser/ folder are unmodified; this is the same as Tor Browser by The Tor Project. Whonix ™ does not perform any modifications.


Creating Whonix ™ Using the Build Script[edit]

If Qubes-Whonix ™ is built with the available script and it should fail open in general, then before building in chroot a file /etc/torbrowser.d/50_user.conf must be created with the following content.


If Qubes-Whonix ™ is built with the available script and skipping the initial download of Tor Browser is preferred, then before building Whonix ™ in chroot a file /etc/torbrowser.d/50_user.conf must be created with the following content.


tb-updater in Qubes DisposableVM Template[edit]

Ambox warning pn.svg.png Tor Browser Downloader by Whonix ™ should not be launched in Disposable Templates (whonix-ws-16-dvm)!

The only safe place to run Tor Browser Downloader by Whonix ™ is in either:

  • The Template (whonix-ws-16); or
  • The App Qube which is based on this template (anon-whonix).

The reason is because Tor Browser is stored in folder /var/cache/tb-binary which is non-persistent in Qubes' Disposable Template (whonix-ws-16-dvm), but persistent in Qubes' Template (whonix-ws-16).

Table: Qubes R4 Inheritance and Persistence

Inheritance [39] Persistence [40]
Template [41] [42] n/a Everything
App Qubes [43] /etc/skel/ to /home/ /rw/ (includes /home/ and bind-dirs)
Disposable Template [44] [45] /etc/skel/ to /home/ /rw/ (includes /home/, /usr/local and bind-dirs)
Disposable [46] [47] /rw/ (includes /home/, /usr/local and bind-dirs) Nothing

To learn more about persistence, see here or here.

Updating Tor Browser in Qubes' Template whonix-ws-16 is sufficient to make a copy of the latest Tor Browser available to all newly created App Qubes based upon it.

Template Customization[edit]

Similar to Disposable Template Customization.

Tor Browser customization is discouraged!

To start Tor Browser from the command line or in debugging mode in a Qubes Disposable Template, choose any of the following options below.

Disposable Template Customization[edit]

Tor Browser customization is discouraged!

To start Tor Browser from the command line or in debugging mode in a Qubes Disposable Template, choose any of the following options below.

Forum discussion: How to customize Tor Browser in a Whonix ™ TemplateBased DVM?

Option 1: Disposable Template Method[edit]

Using this method, customization would only apply to the Disposable Template and any Disposables based on that Disposable Template.

1. Start Whonix-Workstation ™ Template (whonix-ws-16).

2. Disable Tor Browser Downloader Disposable Service. [48]

sudo systemctl mask tb-updater-dispvm.service

3. Shutdown Template.

sudo poweroff

4. Open a terminal emulator in Whonix-Workstation ™ Disposable Template whonix-ws-16-dvm.

Run in dom0 terminal emulator.

qvm-run -a whonix-ws-16-dvm xfce4-terminal

5. Open Tor Browser Starter / Tor Browser Downloader (by Whonix ™ developers) configuration file.

In Whonix-Workstation ™ Disposable Template whonix-ws-16-dvm:

Create folder /usr/local/etc/torbrowser.d.

sudo mkdir -p /usr/local/etc/torbrowser.d

Open file /usr/local/etc/torbrowser.d/50_user.conf in an editor with root rights.

sudoedit /usr/local/etc/torbrowser.d/50_user.conf

6. Paste.

tb_qubes_dvm_template() {

7. Save.

8. Tor Browser in Disposable Template.

Running Tor Browser Starter / Tor Browser Downloader (by Whonix ™ developers) in Disposable Template is now possible. [49]

Start Tor Browser.


Optional: Download a new version Tor Browser Downloader by Whonix ™. Read chapter Tor Browser Downloader by Whonix ™ beforehand.


9. Customize Tor Browser.

Perform customization changes.

10. Shut down Disposable Template.

sudo poweroff

11. Start Tor Browser in Disposable.

12. Done.

Customized Tor Browser should now be started in the Disposable.

Option 2: Template Method[edit]

Using this method, customization this way would apply to all App Qubes and Disposables based on this Template.

In Whonix-Workstation ™ Template whonix-ws-16.

1. Open a terminal.

2. Change ownership of Tor Browser.

Change the ownership of the folder from root to user to be able to launch the browser from that folder.

sudo chown -R user:user /var/cache/tb-binary

3. Change directory.

cd /var/cache/tb-binary/.tb/tor-browser/Browser

4. Start Tor Browser in debugging mode.

./start-tor-browser --debug

Note: Tor Browser can also be started manually without the --debug argument.

5. Apply the desired modification.

6. Close Tor Browser.

7. Change back the ownership to root.

sudo chown -R root:root /var/cache/tb-binary

8. Disable automatic update downloads.

Optional: Consider Disable Automatic Update Downloads since these would overwrite any user modifications. [50]

9. Apply Tor Browser updates.

From time to time when updated for Tor Browser are available, re-apply this procedure and use Tor Browser Internal Updater to update Tor Browser. Alternatively use any other update method as documented on the Tor Browser wiki page.

10. Done.

Tor Browser customization using Qubes Template Method has been completed.

Note: If using Tor Browser Downloader by Whonix ™, user modifications in folder /var/cache/tb-binary/.tb/tor-browser will be lost and would need to be re-applied. [50]

Option 3: Manual Method[edit]

It is possible to ignore most of what Whonix ™ has implemented relating to Tor Browser and go back to square one, performing it all manually.

  1. Start a terminal emulator in Qubes Disposable Template.
  2. Ignore command torbrowser / /usr/bin/torbrowser on the command line. (Ignore Tor Browser Starter by Whonix ™ developers.)
  3. Ignore command update-torbrowser / /usr/bin/update-torbrowser on the command line. (Ignore Tor Browser Downloader by Whonix ™ developers.)
  4. Ignore Tor Browser (AnonDist) (by Whonix ™ developers) Qubes start menu entry.
  5. Manually install Tor Browser to folder /home/user as per instructions from The Tor Project. Nothing Whonix ™ specific. Free Support Principle applies. However, instructions for Tor Browser: Manual Download might be handy.
  6. Manually (by ignoring as instructed above) start Tor Browser such as from folder /home/user/tor-browser.
  7. Make any desired modifications.
  8. Close Tor Browser.
  9. Shutdown Qubes Disposable Template.
  10. Start a terminal emulator in Disposable.
  11. Navigate to the folder where you manually installed Tor Browser.
  12. Start Tor Browser.

Feel free to customize this further such as adding a new Qubes start menu entry. This is outside the scope of this documentation and can be done as per the usual Qubes start menu modification procedures.

Tor over Tor is a non-issue in this case due to minimal Whonix ™ Tor Browser Differences.

The advantage of this method is that whatever Whonix ™ implemented will probably not cause any issues. The disadvantage is slightly reduced usability, such as the superfluous Qubes start menu entry which can be ignored.

Split Tor Browser for Qubes[edit]

TODO: Try, review and document Qubes' Split Tor Browser.

Platform-specific Issues: Whonix ™ Custom Linux Workstation[edit]

For instructions on how to configure Tor Browser in a Whonix ™-Custom-Linux-Workstation, see: Whonix ™-Linux-Workstation Tor Browser Settings.

Platform-specific Issues: Windows[edit]

Instructions to configure Tor Browser in a Whonix ™-Custom-Windows-Workstation are untested and unfinished. Please contribute by testing and finishing these Windows Tor Browser Settings instructions.

Tor Browser Update: Technical Details[edit]

Linux Generally[edit]

Updating Tor Browser works differently in Debian and other Linux distributions generally, since it cannot be upgraded with APT package sources like most other applications (Whonix ™ is based on Debian). The reason is there are unresolved upstream issues, namely deb packages and/or a deb repository with Tor Browser are not provided:

Tor Browser Developer Georg Koppen (gk) has stated: [51]

We don't have plans to pick this up, but maybe someone from the community...

The usual process for general, non-Whonix ™ Linux platforms such as for example Debian supported by The Tor Project is:

  1. Navigate to
  2. Download Tor Browser for the relevant platform.
  3. Verify Tor Browser.
  4. Extract Tor Browser inside the home folder.
  5. Launch Tor Browser.

This process is simplified by programs such as torbrowser-launcher (for Debian users) and tb-updater (for Debian and Whonix ™ users), yet Tor Browser is still installed inside of the home folder. For this reason, Tor Browser cannot be updated by package management tools like apt.

torbrowser-launcher and tb-updater are Tor Browser installers. torbrowser-launcher (for Debian users) and tb-updater are not Tor Browser updaters. The difference between an installer and an updater is that an installer is incapable of preserving user data after updates -- only an updater can achieve that. In the long term, tb-updater will likely be renamed to tpo-downloader.

Another issue is that Tor Browser mixes binaries and user data into the same folder. Usually binaries used by users in Linux distributions generally reside in folder /usr/bin and user data resides in folder /home/user. This is further complicated since Tor Browser folder structure has changed over time. Future changes might happen. Therefore it would be unwise for a downstream Linux distribution such as Whonix ™ to attempt to separate binaries and user data. Since Tor Browser comes with its own internal updater and folder structure might change in future, updates might break or user data might become inaccessible if such attempts were made.


Info Prerequisite knowledge: see Qubes R4 Inheritance and Persistence.

The Tor Project requires Tor Browser to be installed inside of the home folder as explained earlier; see Linux Generally. Qubes' App Qubes have their own home folder, independent from the Template they are based on. This means updates of a Qubes' Template will not update Tor Browser which is already installed in a Qubes App Qube's home folder. In short, Tor Browser updates are a more cumbersome task in Qubes OS due to Qubes-specific design choices and technical limitations.

Due to these restrictions, the safest configuration that Whonix ™ has implemented is to ensure that new App Qubes and Disposables are created with a copy of the latest Tor Browser version. In essence:

  • When tb-updater is run in a Qubes Template, it stores Tor Browser in folder /var/cache/tb-binary.
  • When a App Qube starts and it has never copied Tor Browser before (likely only at first boot), and there is no copy of Tor Browser in /home/user, Tor Browser is copied from /var/cache/tb-binary to /home/user.
    • Existing copies of Tor Browser in the home folder are not overwritten. This is due to an explicit design goal to avoid data loss; see tb-updater in Qubes Template VM for technical details.

Since Tor Browser mixes binaries and user data into the same folder, special configurations such as Qubes Disposable Template Customization are more complicated than for other software. This is because either folder /var/cache/tb-binary is being kept up to date or user data is being preserved. There is no maintainable way for Whonix ™ to separate Tor Browser binaries from user data.

Multiple Tor Browser Instances and Workstations[edit]

Appropriate compartmentalization of user activities is important when different identities and/or additional software are in use. Multiple Tor Browser instances provide some separation of distinct identities, however this issue has not yet been fully solved by Tor Browser or Torbutton. A more secure method of compartmentalization is using Multiple Whonix-Workstation ™, which are easily created.

Multiple Tor Browser Instances[edit]

To better separate different contextual identities, consider starting multiple Tor Browser instances. Follow the steps in the Manually Downloading Tor Browser entry, except for minor changes that are necessary; for example Tor Browser must be extracted into a different folder.

This method is less secure than using multiple Whonix-Workstation ™, which is outlined below.

Multiple Whonix-Workstation ™[edit]

For tasks requiring different identities and/or additional software, it is recommended to utilize two or more Whonix-Workstation ™ VMs since different torified clients are isolated from each other. In this configuration, a Tor Browser exploit in one Whonix-Workstation ™ cannot simultaneously read the user's identity in another VM (for example, an IRC account). [52]

This method is less secure than using Tor Browser in a Qubes Whonix-Workstation ™ DisposableVM.

See Also[edit]

Footnotes / References[edit]

  2. This has also informed the development of the Torbutton extension.
  3. 3.0 3.1 3.2
  4. 4.0 4.1 4.2
  5. Partially explaining the unholy alliance between the corporate sector and government.
  6. This has already been observed.
  7. For instance, there is an estimated 29 bit-identifier based on the browser and desktop window resolution information alone.
  8. This attack is somewhat mitigated by the ocean of Tor traffic, which rapidly increases the rate of false positives when larger traffic sets are analyzed.
  11. Some of the design features have been deprecated due to changes in the Tor / Tor Browser design.
  13. 13.0 13.1
  22. New Release: Tor Browser 8.09a9 License: Creative Commons Attribution 3.0 United States License
  23. This is a potential bug since the custom homepage does not overrule the TOR_DEFAULT_HOMEPAGE environment variable. No bug has yet been reported.
  24. Also /usr/lib/whonix-welcome-page/
  25. sudo apt purge whonix-welcome-page
  26. Open file /usr/lib/whonix-welcome-page/ in an editor with administrative (root) write permissions.

    This box uses sudoedit for better security. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.

    sudoedit /usr/lib/whonix-welcome-page/

  27. Getting a new circuit does not guarantee receiving a new exit relay; this is normal behavior. Also see: Stream Isolation.
  28. This term was coined in context of a Tor Transparent Proxy (.onion). It acts as a simple gateway that routes all connections through Tor, but does not provide Stream Isolation.
  29. If these settings are changed, Tor Button would previously show a red sign and state "Tor Disabled" when a mouse was hovered over it.
  30. Unless this environment variable is manually unset before starting Tor Browser.
  31. The regular Tor Browser Bundle from The Tor Project (without Whonix ™) allows networking settings to changed inside Tor via the Open Network Settings menu option. It has the same effect as editing Tor's config file torrc. In Whonix ™, the environment variable export TOR_NO_DISPLAY_NETWORK_SETTINGS=1 has been set to disable the Tor BrowserOpen Network Settings... menu item. It is not useful and confusing to have in the Whonix-Workstation ™ because:
    • In Whonix ™, there is only limited access to Tor's control port (see Dev/CPFP for more information).
    • For security reasons, Tor must be manually configured in /usr/local/etc/torrc.d/50_user.conf on Whonix-Gateway ™, and not from Whonix-Workstation ™ (see VPN/Tunnel support for more information).
  34. Which is in turn inherited from updated Templates.
  35. In the tb-updater package.
  38. Upon creation.
  39. Following shutdown.
  41. The former name was Template.
  42. The former name was AppVM or TemplateBasedVM.
  44. Former names included DisposableVM Template, DVM Template, and DVM.
  46. Former names included DisposableVM and DispVM.
    • This is to prevent mounting /var/cache/tb-binary/.tb to /home/user/.tb.
    • /lib/systemd/system/tb-updater-dispvm.service
    • /usr/lib/tb-updater/dispvm
    The following will not work.
    sudo mkdir -p /usr/local/lib/systemd/system/
    sudo ln -s /dev/null /usr/local/lib/systemd/system/tb-updater-dispvm.service
    This is probably because Qubes mounts /usr/local too late to be regarded by systemd.
  47. When running torbrowser (Tor Browser Starter by Whonix ™ developers) in Disposable Template it will first copy /var/cache/tb-binary/.tb/tor-browser to user home folder /home/user/.tb/tor-browser. (Folder /var/cache/tb-binary/.tb/tor-browser was previously created by Tor Browser Downloader (by Whonix ™ developers).) Second, it will start the Tor Browser binary from folder /home/user/.tb/tor-browser.
  48. 50.0 50.1 Due to technical limitations. Because whole folder /var/cache/tb-binary/.tb/tor-browser is replaced. This is not an intentional user freedom restriction or security feature.
  50. This does not protect against the sudden loss of networking, which could reveal to the attacker that two activities / accounts suddenly going off-line are probably related.


Whonix ™ Tor Browser Advanced Topics wiki page Copyright (C) Amnesia <amnesia at boum dot org>

Whonix ™ Tor Browser Advanced Topics wiki page Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.

This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.