Tor Browser [2] is a fork of the Mozilla Firefox web browser. It is developed by The Tor Project and optimized and designed for Tor, anonymity and security. Many users will have browsed with Firefox and be familiar with the user interface that resembles those found in other popular, modern browsers. [3]
Users are encouraged to read this entire wiki entry so Tor Browser is used effectively and safely on the Whonix platform. Advanced users may also be interested in the Tor Browser Adversary Model.
If browsers other than Tor Browser are used in Whonix, the user's IP address and Domain Name Service (DNS) requests [4] are still protected. However, users do not profit from Tor Browser's protocol level cleanup in this scenario. Features like proxy obedience, state separation, network isolation, anonymity set preservation and a host of others are simply unsupported by other browsers.
In stark contrast to regular browsers, Tor Browser is optimized for anonymity and has a plethora of privacy-enhancing patches and add-ons. [5] With Tor Browser, the user "blends in" and shares the Fingerprint of nearly three million other users, which is advantageous for privacy.
It is important to understand the difference between HTTP and HTTPS: [6]
HTTPS advantages include: [7]
In the context of Tor Browser, this means users should prefer HTTPS instead of HTTP so communication is encrypted while browsing the Internet. While traffic is encrypted throughout the Tor network, the exit relay (third of three servers) can see traffic sent into Tor if it is plain HTTP. If HTTPS is used, the exit relay will only know the destination address. [9]
As an example, the screenshot below is how the browser looks when visiting the Whonix website. [10]
Figure: A Secure Connection to http://www.whonix.org
Take notice of the small area on the left-hand side of the address bar. Indicators of an encrypted connection are http://www.whonix.org is highlighted with a padlock and "Secure Connection" in green writing, and the URL begins with https:// instead of http://.
The following figures from EFF provide an overview of HTTP / HTTPS connections with and without Tor, and what information is visible to various third parties. The descriptors are as follows: [11]
Figure: Tor and HTTPS
Figure: Tor and No HTTPS
Figure: No Tor and HTTPS
Figure: No Tor and No HTTPS
Whenever possible, users are encouraged to stay within the Tor network for communications and web browsing via available .onion addresses. These services are commonly referred to as onion services (formerly "hidden services"), even when their location is publicly known. [12]
URLs ending in the .onion extension provide a superior level of security and privacy, since the user's connection forms a completely end-to-end encrypted tunnel that uses a random rendezvous point within the Tor network (HTTPS is not required). These connections also incorporate perfect forward secrecy (PFS). PFS means the compromise of long-term keys does not compromise past session keys. As a consequence, past encrypted communications and sessions cannot be retrieved and decrypted if long-term secrets keys or passwords are compromised in the future by adversaries. [13]
Other primary benefits of onion services include: [14]
Users who want to learn more about how onion services work should read the technical description.
HTTPS Everywhere is a Firefox extension shipped in Tor Browser and produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It helps to encrypt user communications with a number of major sites.
Many sites on the Internet offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, sites may default to unencrypted HTTP or fill encrypted pages with links that return to the unencrypted version of site. The HTTPS Everywhere extension addresses these problems by rewriting all site requests to HTTPS.
To learn more about HTTPS Everywhere, visit:
NoScript is a free, open source extension that comes bundled with Tor Browser and other Mozilla-based web browsers. NoScript can provide significant protection for users, depending on its configuration: [19]
NoScript protects against cross-site scripting, which otherwise enables attackers to inject malicious client-side scripts into web pages being viewed, bypassing the same-origin policy. The same-origin policy refers to web browsers usually only allowing scripts in the first web page to access data in a second web page if they have the same origin (URL scheme, hostname and port number).
Anti-clickjacking is also available to protect against hidden or disguised user interface elements masquerading as trusted web page buttons, links and so on (this is disabled by default in Tor Browser). Clickjacking can maliciously activate microphones or webcams, or trick users into interacting with hidden elements to steal important financial, personal or other data.
In the stock Tor Browser configuration, JavaScript is enabled by default for greater usability. The Tor Project FAQ provides a summary of the reasoning for this decision: [20]
The take-home message is disabling all JavaScript with white-list based, pre-emptive script-blocking may better protect against vulnerabilities (many attacks are based on scripting), [21] but it reduces usability on many sites and acts as a fingerprinting mechanism based on the select sites where it is enabled. [22] On the other hand, allowing JavaScript by default increases usability and the risk of exploitation, but the user also has a fingerprint more in common with the larger pool of users. [23] [24]
Developers are unaware of any JavaScript vulnerabilities that could compromise Whonix anonymity. That said, users should refrain from changing NoScript settings in Tor Browser, unless they are aware of the potential impacts. Users can enable/disable JavaScript, Java and/or plugin execution by left-clicking on the NoScript status bar icon, or via the the contextual menu. [25] Permissions can be selected either temporarily or on a permanent basis. "Temporarily allow" will only enable scripts for that site until the browser session is closed, or until permission is manually revoked.
For further information, refer to the NoScript website and features overview, or the Torbutton design document.
As Tor Browser is based on Firefox, any browser add-on that is compatible with Firefox can also be installed in Tor Browser. In this context, add-ons is the collective name for extensions, themes and plugins: [26]
[27]
The Tor Project explicitly warns against using non-default add-ons with Tor Browser: [28]
....
Recommendations
The problem with non-default add-ons is they are often non-free software, and can lead to linkability to the same pseudonym. Moreover, they worsen fingerprinting and open up attack vectors in the form of remote exploits.
This advice holds true even though Whonix is configured to prevent these applications (along with malware) from leaking the user's real external IP address, even if they are misconfigured (see Features). Users should first consider the various alternatives to plugins, such as HTML5 or online media converters. [29]
If this advice is to be disregarded, first read Browser Plugins before proceeding.
Tor alone is not enough to protect your anonymity and privacy while browsing the Internet. All modern web browsers support JavaScript, Adobe Flash, cookies and other features which are capable of defeating the anonymity [30] provided by the Tor network.
In Tor Browser, these features are handled from inside the browser, because it is a modified (patched) version of Firefox and it contains an extension called Torbutton:
Users are also encouraged to learn more about fingerprinting and data collection techniques. Advanced users who are interested in a detailed description of the Torbutton design and the functions described below can learn more here.
The "New Identity" menu option sends the protocol command "signal newnym" to Tor's ControlPort. This clears the browser state, closes tabs, and obtains a fresh Tor circuit for future requests. [32]
Sometimes Tor only replaces the middle relay while using the same Tor exit relay. This is by design and the Tor default. Further, "signal newnym" does not interfere with long-lived connections like an IRC connection.
New Identity is not yet perfect and there are open bugs; this is not a Whonix-specific issue. [33]For greater security, it is better to completely close Tor Browser and restart it. In Qubes-Whonix, the safest option is using a Whonix-Workstation Qubes/DisposableVM and closing it and recreating a new one after critical activities.
This is how to use the New Identity feature in Torbutton.
Click Torbutton -> Click "New Identity"
Please read New Identity and Tor circuits and the New Identity design to learn more about this option and its limitations.
The "New Tor Circuit for this Site" Torbutton feature causes a new circuit to be created for the current Tor Browser tab, including other open tabs or windows from the same website. [34]
If it is really necessary to separate contextual identities, it is always safer to close and then restart Tor Browser.
Potential use cases for this feature include: [35]
To use it:
Click Torbutton -> Click "New Tor Circuit for this Site"
Advanced users who want to learn more about this function should refer to the New Tor Circuit design entry.
Tor Browser includes a Security Slider that lets the user disable certain web features that can be used to compromise security and anonymity. Currently there are three levels: "Safest", "Safer" and "Standard". Users have to make a trade-off between security, usability and privacy. At the higher levels the slider will prevent some sites from working properly. [36]
To use this feature:
Click Torbutton -> Click "Security Settings..." -> Select desired security level
To learn more about the exact effect of each setting level, users should refer to the Security Slider design entry.
Torbutton will notify the user if a Tor Browser update is available. See Tor Browser Internal Updater for further information and screenshots of this process. Note that there are multiple methods of updating Tor Browser. To use the Torbutton menu option:
Click Torbutton -> Click "Check for Tor Browser Update..."
Users who are interested in why Torbutton's "Open Networking Settings" and "Tor Circuit View" features have been disabled in Whonix can learn more here.
Start Tor Browser.
If you are using Qubes-Whonix.
Qubes Start Menu -> Whonix-Workstation AppVM (commonly called anon-whonix) -> Tor Browser
If you are using Non-Qubes-Whonix.
Start Menu -> Tor Browser
To start Tor Browser from the command line or in debugging mode, please press Expand on the right.
Open a terminal.
If you are using Qubes-Whonix, complete the following steps.
Qubes App Launcher (blue/grey "Q") -> Whonix-Workstation AppVM (commonly named anon-whonix) -> Konsole
If you are using a graphical Whonix-Workstation, complete the following steps.
Start Menu -> Applications -> System -> Konsole
The user has two options. To start Tor Browser "normally" from the terminal. [37]
Or to generate debugging output if problems are experienced with Tor Browser (also see Debugging).
Change into the Tor Browser folder.
cd ~/.tb/tor-browser/Browser
Start Tor Browser in debugging mode.
./start-tor-browser --debug
Note: Tor Browser can also be started manually without the --debug argument.
If Tor Browser successfully launches and connects to the Tor network, check.torproject.org should show the following message.
Figure: Successful Tor Browser Connection
Whonix protects against these threats outlined below, such as files that inadvertently or maliciously attempt to reveal the real IP address of the user, or third-party, external applications that can leak information outside of Tor. However, users should always engage in best safety practices.
Do not Open Documents Downloaded via Tor while Online
The Tor Project explicitly warns users not to open documents handled by external applications, since in the normal case they may contain Internet resources that may be downloaded outside of Tor by the application that opens them. [38]
This warning is not strictly relevant to Whonix users since all traffic is forced over the Whonix-Gateway and the IP address will not be leaked. Despite this fact, for greater safety users should open files such as PDFs and word processing documents in offline VMs.
Malicious files or links to files pose a greater threat; potential compromise of the user's system. Therefore users should heed the Whonix advice to not open random links or files in the Whonix-Workstation. Instead, in Qubes-Whonix it is preferable to sanitize the PDF or open the file or link in a DisposableVM. Non-Qubes-Whonix users should only open the file in a separate, offline Whonix-Workstation.
Do not Torrent over Tor
See File Sharing.
Users often mistakenly believe that a secure, green padlock and a https:// URL makes any download from that particular website secure. This is not the case. The website might be redirecting to http.
In fact, the user may be vulnerable to an attempted SSLstrip attack if a link is pasted or typed into the address bar without the https:// component (e.g. torproject.org instead of https://torproject.org). [39]
In this instance, the user cannot actually confirm if the file is being downloaded over https://. Potentially, a SSLstrip attack might have made the download take place over plain http. The reason is the user cannot see a padlock; it just appears empty.
To avoid the risk of an SSLstrip attack or similar threats, users should always explicitly type or paste https:// in the URL / address bar. The SSL certificate button or padlock will not appear in this instance, but that is nothing to be concerned about. Unfortunately, few users follow this sage advice; instead most mistakenly believe pasting or typing http://www.torproject.org into the address bar is safe.
For even greater safety, where possible download files from onion services (.onion addresses). Greater security is provided by onion service downloads, since: the connection is encrypted end-to-end (with PFS), targeting of individuals is difficult, and adversaries cannot easily determine where the user is connecting to or from.
Also, if files are already available in repositories, then users should prefer mechanisms which simplify and automate software upgrades and installations (like apt-get functions), rather than download Internet resources. Avoid installing unsigned software and be sure to always verify key fingerprints and digital signatures of signed software from the Internet, before importing keys or completing installations.
Finally, consider using multiple Whonix-Workstations when downloading and installing additional software, to better compartmentalize user activities and minimize the threat of misbehaving applications.
For users who regularly download Internet files, Tor Browser's default download folder is inconvenient. For example, if the user downloaded the sample image below using Tor Browser, by default the download path is /home/user/.tb/tor-browser/Browser/Downloads. It is time-consuming to navigate to this folder so far down the directory tree.
More:
Tor Browser - Whonix
