Tor Browser – Whonix

It is recommended[1], that you use only Tor Browser for browsing the web in Whonix.

Tor Browser[2] is a fork[3] of the Mozilla Firefox[4] web browser, optimized[5] and designed[6] for anonymity, developed by The Tor Project[7]. Given Firefox's popularity, many of you have probably used it before and its user interface is like any other modern web browser.

Here are a few things worth mentioning in the context of Whonix.

When you were to use other browsers than Tor Browser, your IP/DNS would still be protected by Whonix, but you wouldn't profit from Tor Browser's protocol level cleanup. Using other browsers would be pseudonymous rather than anonymous.

Tor Browser in comparison to other browsers is optimized for anonymity, it contains privacy enhancing patches[8] and add-ons[9]. There are no other browsers other than Tor Browser capable of protocol level cleanup. When you use Tor Browser, you will blend in and share the Fingerprint of other Tor Browser users, which is a good thing.

Using HTTPS instead of HTTP encrypts your communication while browsing the web.

All the data exchanged between your browser and the server you are visiting are encrypted. It prevents the Tor exit relay to eavesdrop on your communications.

HTTPS also includes mechanisms to authenticate the server you are communicating with. But those mechanisms can be flawed, as explained on our warning page.

For example, here is how the browser looks like when we try to log in an email account at lavabit.com[10], using their interface[11]:

Notice the small area on the left of the address bar saying "lavabit.com" on a blue background and the address beginning with "https://" (instead of "http://"):

These are the indicators that an encrypted connection using HTTPS[12] is being used.

You should try to only use services providing HTTPS when you are sending or retrieving sensitive information (like passwords), otherwise it's very easy for an eavesdropper to steal whatever information you are sending or to modify the content of a page on its way to your browser.

HTTPS Everywhere[13] is a Firefox extension shipped in Tor Browser and produced as a collaboration between The Tor Project[14] and the Electronic Frontier Foundation[15]. It encrypts your communications with a number of major websites. Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site. The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.

To learn more about HTTPS Everywhere you can see:

Tor alone is not enough to protect your anonymity and privacy while browsing the web. All modern web browsers, such as Firefox, support JavaScript[16], Adobe Flash[17], cookies[18] and other features which have been shown to be able to defeat the anonymity [19] provided by the Tor network.

In Tor Browser all such features are handled from inside the browser, because it's a modified version of Firefox Patches[20] and it contains an extension called Torbutton[21]. These do all sorts of things to prevent the above type of attacks. But that comes at a price: since this will disable some functionalities and some sites might not work as intended. Don't worry too much about this, the vast majority of websites works very well.

To learn more about Torbutton you can see:

To learn more about Data Collection Techniques, Fingerprinting you can see:

The New Identity button on Tor Browser isn't perfect yet (NOT a Whonix issue), there are open bugs.[22]

How.

Please understand New Identity and Tor circuits to learn what this actually does and what its limitations are.

Having all JavaScript disabled by default would disable a lot of harmless and possibly useful JavaScript and render unusable many websites. This would scare away lots of potential users "because it just doesn't work". Torbutton disables all potentially dangerous JavaScript. On the other hand, having a big user base is important for good anonymity as this very interesting mail by Roger Dingledine explains.[23]

That's why JavaScript is enabled by default in Tor Browser. We consider this as a necessary compromise between security and usability and as of today we are not aware of any JavaScript that would compromise Whonix anonymity.

For more technical details you can refer to the Torbutton design document.[24] Another related discussion justifying why JavaScript is enabled by default in Tor Browser was on tor-talk, "Tor Browser disabling Javascript anonymity set reduction".[25]

NoScript also comes with Tor Browser and provides many protections, even though JavaScript is enabled by default. You shouldn't mess with NoScript settings in Tor Browser unless you exactly know what you are doing.

For more information you can refer to the NoScript website and features.

It might be better for privacy and anonymity not to maximize the Tor Browser window.

The regular Tor Browser Bundle and Tor Browser in Whonix slightly differ. The environment Tor Browser is running in has been adjusted by Whonix to work behind the Whonix-Gateway. The network and browser fingerprint however, is the same.

Tor Browser's internal update check mechanism is untouched and works fine. Default homepage is currently blank instead of original about:tor. [26]

Short: You don't need to change any proxy settings in Tor Browser.

Long: [27]

For better isolation of different identities. For advanced users. Moved to the Advanced Security Guide.

As of Whonix 11, you will be notified about new Tor Browser versions by whonixcheck - this will be deprecated in Whonix 12 (no more need).

Tor Browser's Internal Updater, built in stock update notification mechanism also works in Whonix. Use it.

Tor Browser Updater (Whonix) does not yet notice upgrades done by the internal updater. This will be fixed in Whonix 12.

The Tor Project configured Tor Browser since version 5.0 to update itself. [28]

Additionally it might also be wise to subscribe to blog of the creators of Tor Browser https://blog.torproject.org for news.

Tor Browser Downloader (Whonix) was previously called Tor Browser Updater (Whonix). It has/will be renamed in Whonix 12 to Tor Browser Downloader (Whonix), because it is incapable of keeping user data, for example bookmarks and passwords. If you would like to keep your user data, use Tor Browser Internal Updater instead.

Here are some (older) Tor Browser Downloader (Whonix) Screenshots.

(Also available as CLI version.)

Tor Browser version check and update (after confirmation) in Whonix can be done with:

Helps to keep you safe.

There is currently no reliable way for a program to securely determine the latest stable version of Tor Browser with reasonable certainty. [29][30] When the version format changes, the automated parser of version information could falsely suggest, a still considered secure, stable version that is not the latest stable version, an alpha, beta or rc (release candidate) version. Rather, you could be the target of a denial of service, indefinite freeze or rollback (downgrade) attack. [31][32]

Therefore the intelligence of the user is utilized as a sanity check. The Download Confirmation Screen enables users to detect such situations and abort.

Version numbers you see under Online versions come from the Tor Browser online RecommendedTBBVersions versions file that is provided by The Tor Project and parsed by Whonix's Tor Browser Updater. All versions listed in that file are considered up to date, i.e. no upgrade required by The Tor Project.

TODO: expand

Helps to keep you safe.

There is currently no reliable way for a program to securely determine if your download of Tor Browser was a target of an indefinite freeze or rollback attack with reasonable certainty. [33][34]

When verifying cryptographic signatures there are multiple important aspects.

By the time you see the Installation Confirmation Screen, the verification of the signature [36] already succeeded, but again the intelligence of the user has to be utilized to make sure there the user is not target of an indefinite freeze or downgrade attack.

Previous Signature Creation Date: When Tor Browser was previously installed by tb-updater, then tb-updater will have stored the creation date of the accompanying signature the signed Tor Browser. The Previous Signature Creation Date field shows you that date.

Last Signature Creation Date: This field shows you the date of the creation of the signature that was just downloaded.

Here is a screenshot:

[37][38]

TODO: Expand.

A future update of Tor Browser by The Tor Project might make Whonix's Tor Browser Updater or Tor Browser running in Whonix-Workstation unusable. In case Tor Browser (Updater) inside Whonix-Workstation breaks, a news with instructions on how to fix the issue will be posted within a few days. If not, the Whonix developers are not aware of the issue.

If the Tor Browser update script is ever broken, you are advised to update manually, see Manually Updating Tor Browser.

Tor Browser's Internal Updater Popup Screenshot:

Tor Browser's Internal Updater Wizard Screenshot:

Here you can see a screenshot of Tor Browser's menu bar that contains Tor Browser's Internal Updater Update Symbol:

Tor Browser's Internal Updater Update Symbol: The following symbol is quite useful. It indicates, that Torbutton has found out, that there is an update.

A screenshot of about:tor, that is as useful as the above symbol:

Tor Browser is not installed by default anymore. If you are interested in the reasons why, see footnote. [39]

Note, accessing 127.0.0.1 using Tor Browser is no longer possible due to a change in Tor Browser by The Tor Project. You could set to transparent torification, but then you would be vulnerable to fingerprinting issues. See Tor Browser, Local Connections for more information and a workaround.

A proxy exception in TBB must be configured to interact with software listening on localhost, for example, YaCy. TBB blocks communication with localhost to mitigate some fingerprinting attacks[40]. Note that this exception means a small trade-off in privacy but is much safer than using another browser [41]. Read on about steps to further minimize the risks.

To add an exception click on:

Proxies have different instructions and will not work with these steps, see Tor Browser Proxy Configuration.

Threat Details

According to this Firefox ticket, JavaScript can be abused to scan internal networks, fingerprint devices, and make malicious commands to those devices if they have a web interface.

Analysis

There are no embedded devices attached to a Whonix internal network, its isolated and untrusted. However malicious JavaScript (JS) will be able to tell an attacker that a service is running on a localhost port. This can reduce your anonymity set.

Malicious misconfiguration of daemons listening on localhost is possible but with limited impact because traffic is still forced through Whonix-Gateway.

Recommendations

Possible extra actions would be to:

Misc

Due to a bug in Tor Browser [42], extra steps are required to use proxies with Tor Browser. Note that these instructions do not apply to accessing local web-interfaces.

1. Install FoxyProxy add-on in Tor Browser

2. Change Tor Browser Settings:

See Browser Plugins.

If you want the browser interface in a different language than English, see Language.

To protect the system and your data from some types of attack against Tor Browser, you could consider to install Whonix's Tor Browser AppArmor profile.

As a consequence, it can only read and write to a limited number of folders. This is why you might face Permission denied errors, for example if you try to download files to the home folder. You can save files from Tor Browser to the ~/Downloads folder that is located in the home folder. If you want to upload files with Tor Browser, copy them to that folder first.

This is an advanced topic.

As reported, setting a custom homepage in Tor Browser settings might not work.

Technical background: [43]

To set a custom homepage, you could try to purge the whonix-welcome-page package. [44] But this is difficult due to technical limitations as explained on the Whonix Debian Packages page.

Alternatively, could modify /usr/lib/whonix-welcome-page/env_var.sh, but these changes would be reverted after upgrade. [45]

Or you could set environment variable TOR_DEFAULT_HOMEPAGE to a custom value. Doing so would be similar setting environment variables as explained in #Transparent Torification - No Proxy - System Default.

This is an advanced topic. You most likely only need it in custom configurations, such as when using a Whonix-Custom-Workstation.

First of all, should it have failed, TorButton should notice, that it could not connect to Tor's ControlPort and should report, that giving a new identity failed. If you don't get such an error popup, it is a good indication, that there are no issues.

After the browser restarted, on the about:tor page, click "Test Tor Network Settings". It will lead to https://check.torproject.org (check.tpo) (or manually visit check.tpo, it doesn't matter.). In most cases (Not all! [46]) you should have a new exit relay. Check.tpo should report different IP.

On Whonix-Gateway, watch Control Port Filter Proxy's log while using TorButton's New Identity feature.

If you see something like this.

Then Control Port Filter Proxy received the request from Tor Browser and got Tor's okay, that it worked.

This is an advanced topic. You most likely only need it in custom configurations, such as when not using Control Port Filter Proxy.

Simulate, what TorButton would do.

1. Close Tor Browser. 2. Get new identity on Whonix-Gateway using arm. 3. Start Tor Browser again. 4. Done.

This is an advanced topic. You most likely only need it for advanced tunneling scenarios.

Go here to see the original:
Tor Browser - Whonix