And this is why Whonix is critical - because even when you pop the browser, you still have another layer of protection - the gateway VM.
Tails browser on [almost anything] is one browser exploit away from beaconing out directly from your IP, and has done so rather frequently over the years.
Whonix stuffs the whole browser and such into a workstation VM, which is only connected to the gateway VM - which "torifies" everything coming in that port. So even if you pop the workstation and have root, you still can't beacon out directly without going through the gateway - you'd have to find an exploit in that bit as well, with only network access. Not impossible, but a lot harder.
And then package all that into Qubes and use it that way, because a disposable Whonix VM set is probably the safest way to browse the web...
I almost find it suspicious how heavily Tails is promoted over Whonix. Tails focuses on largely imaginary scenarios that only happen to people named Bob or Alice, while Whonix fixes the actual attacks that come up in subpoenas.
Modern browsers should really be treated like operating systems because they have so many capabilities and are so complex. I try to run all of mine in separate virtual machines on Debian Linux using virt-manager. Additionally, they're sandboxed with firejail (looking at moving to bubblewrap) and apparmor. I'm less concerned with my IP address and more with a website being able to access random files on my computer.
> Tails browser on [almost anything] is one browser exploit away from beaconing out directly from your IP
As far as I am aware, Tails uses iptables to force all network connections through Tor. You would require an escape from the browser and then a privilege escalation to get around this.
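The mechanism both the Whonix gateway description and this iptables remark rely on, as an added illustration that is not Tails' or Whonix's actual rule set and was not posted by anyone in the thread: a firewall policy that redirects every locally generated TCP flow and DNS lookup into a local Tor daemon and drops whatever cannot be torified. The Tor user name (`debian-tor`) and the TransPort/DNSPort numbers are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, Tails or Whonix): the iptables policy
# shape that forces a host's traffic through a local Tor daemon.
# Assumed, not from the thread: tor runs as user "debian-tor" with
# TransPort 9040 and DNSPort 5353 configured in torrc.
TOR_UID="${TOR_UID:-debian-tor}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5353}"

# Emit the rules instead of applying them, so the policy can be reviewed
# (or diffed against a running box) before anything is changed.
tor_fw_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Loopback and replies to flows we already opened
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# nat/OUTPUT: anything not sent by the tor daemon itself is redirected
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
# filter/OUTPUT: only the tor daemon may reach the network directly
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1 -p tcp --dport $TRANS_PORT -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1 -p udp --dport $DNS_PORT -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# UDP/ICMP other than the redirected DNS cannot go over Tor: drop, never leak
iptables -A OUTPUT -j DROP
EOF
}

# Number of rules that block a direct leak: the OUTPUT policy and the final DROP
leak_guards() {
    tor_fw_rules | grep -c -E -- '(-j DROP$|-P OUTPUT DROP)'
}

case "${1:-}" in
    --apply) [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
             tor_fw_rules | grep -v '^#' | sh -e ;;
    *)       tor_fw_rules ;;
esac
```

Run without arguments it only prints the policy; a browser escape that gains root on this host can still rewrite these rules, which is the gap the gateway-in-a-separate-VM layout above closes by applying the same shape on the workstation's interface instead of on the workstation itself.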
Just a heads up for Android users: The Play store version is a few releases out of date, to get current use FDroid and make sure Guardian Project repo is selected (it's not by default).
Question for the Mozillans/Googlers: How is it that Firefox Nightly is fast-track released multiple times a day to the Play Store but stable Tor Browser updates are stuck for weeks? Is there a 'skip the review' option for nightly releases?
It's a JavaScript engine bug and JS is disabled by default. Still important, but I question whether anyone who enables JS in Tor is worth compromising.
> This vulnerability doesn’t break the anonymity and encryption of Tor connections.
> The Safest security level of Tor Browser is not affected because JavaScript is disabled at this security level.
> For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.
A reminder that Tor Browser might be one of the least safe browsers you can run: it's a fork of Firefox, meaning that its maintainers have to coordinate and port patches from the mainline project. Firefox is already not one of the most hardened browser engines. Meanwhile, the fork you'll be running is specifically designed to hide sensitive traffic, and collapses all those users into a single version for exploits to target.
I'm ambivalent about Tor, but if you're using Tor, don't use the Browser Bundle.
> A reminder that Tor Browser might be one of the least safe browsers you can run: it's a fork of Firefox, meaning that its maintainers have to coordinate and port patches from the mainline project.
Tor Browser ships updates as soon as new ESR versions come out.
> Firefox is already not one of the most hardened browser engines.
That might've been true in the past, it's hard to argue for it now.
> Meanwhile, the fork you'll be running is specifically designed to hide sensitive traffic, and collapses all those users into a single version for exploits to target.
The overwhelming majority of exit traffic now is using HTTPS and Tor Browser ships with HTTPS Everywhere to avoid SSL stripping attacks (in fact the next version of the Tor Browser will have the HTTPS-Only mode enabled by default, it's already being tested in the alpha release), so how will those evil exit nodes burn those exploits?
> I'm ambivalent about Tor, but if you're using Tor, don't use the Browser Bundle.
First off, the "Tor Browser Bundle" is a deprecated name. If you're not using the Tor Browser you're making yourself both insecure (it ships with a smaller attack surface, no WebGL for example) and fingerprintable, thus defeating the full privacy advantages of the Tor Browser. There is simply no other alternative.
Terrible advice. If there is one thing I know from ~8 years of following the darkweb markets is that there's nothing worse than stepping outside of the common practice of: use Tor, use Tails, use Whonix
If you read the DOJ indictments of Tor users, what they have in common is that they stepped out of those bounds.
There _was_ a period where Firefox (hence: the Tor Browser) was terrible and 0days were cheap (which is why most of the darkweb switched up to using VMs behind their browsers), but those days are over[0]
I can't recall a recent indictment where the adversary in the USA broke Tor Browser. If you are a dissident in Turkey, Syria or Russia .. you're more than safe using the Tor Browser bundle.
The NSA aren't burning 0days in Firefox and VMs on 99.9% of Tor users - if you're in that other 0.01% then good luck to you[1], your threat model is very different to those looking to obfuscate from oppressive regimes.
As somebody with an infosec background, this is where I feel the industry fails in the sense of "perfect is the enemy of good" - there is no such thing as perfect (I bet most who preach against Tor Browser wouldn't be able to come up with a model that is) - the practical advice today is, and always has been, use Tor (Browser), use Tails, use Whonix
[0] I used ungoogled-chromium in that period, until a DNM administrator during a chat told me he could spot me in his access logs
I no longer use Tor either (unless I have to for work projects such as remote pentesting).
What is your opinion of Landlock (Linux kernel 5.13 and newer)? If we wrap vanilla Firefox in Landlock, proxy that to Tor and use AppArmor/Tomoyo to further limit what Firefox could do (when it gets compromised), then I think that would be a much safer approach than using the Tor Browser Bundle.
> Meanwhile, the fork you'll be running is specifically designed to hide sensitive traffic, and collapses all those users into a single version for exploits to target.
Yeah, I was never a fan of their position on this. It's basically "let all websites track you and push ads at you all day long, but we've customized 50,000 settings so that you should look identical to everyone else using the Tor Browser", whereas I don't trust that they've managed to cover every possible means to fingerprint a specific user/browser install.
Instead, I prefer to limit the amount of data websites can collect about me in the first place. I harden the browser as best as I can, block all active content by default, block all the ads I can, and I randomize a few little details (like screen and window resolution or user agent) which in total makes me feel better about my chances of avoiding being fingerprinted across sites and prevents most of the vulnerabilities that would cause a person to get compromised just by browsing to a website.
I still love the Tor Browser project though because they're great at spotting things introduced into Firefox that would make it easier for you to be fingerprinted, and while I prefer to not give data, or give random data, I do understand their reasoning for what they do.
> Firefox is already not one of the most hardened browser engines
I'm pretty sure it's one of the most hardened, because the list of major engines that are on that list in the first place numbers approximately 3. If you want to claim that Blink or WebKit are more secure that's a reasonable argument, but just say that.
> Meanwhile, the fork you'll be running is specifically designed to hide sensitive traffic, and collapses all those users into a single version for exploits to target.
That's a good thing too because of browser fingerprinting. It takes a lot of identifying points away by having everyone use the same.
Perhaps you mean "don't rely on just the Tor Browser"? How else would one use tor to browse the web? Certainly Whonix or another protection layer is advisable if you're doing anything serious as well.
Anyone know how much the Tor Browser 'Safer' security-level mitigates real exploits? Among several things it disables the JavaScript JIT functionality which has been a known mechanism for exploits.
What about the Brave browser in a private window? That used Tor but theoretically also has some added protection because of the browser. I’d love to hear your thoughts.
The more unique your browser (i.e., the more you deviate from the Tor Browser based on Firefox ESR), the more unique and therefore fingerprintable you are.
Syonyk | 3 years ago
And still disable JavaScript.
retox | 3 years ago
This isn't true any more.
3np | 3 years ago
Fixed in: Firefox 100.0.2, Firefox ESR 91.9.1, Firefox for Android 100.3, Thunderbird 91.9.1
https://www.mozilla.org/en-US/security/advisories/mfsa2022-1...
elurg | 3 years ago
This makes it relatively tame.
anthk | 3 years ago
Set the proper Socks4a proxy to the Tor daemon's one and mark that checkbox.
Enjoy.
mmastrac | 3 years ago
"Mozilla is aware of websites exploiting this vulnerability already."
jerheinze | 3 years ago
You can read the Tor Browser design documentation (though old) to get a rough sketch of what it's trying--and what it's not trying--to achieve: https://2019.www.torproject.org/projects/torbrowser/design/
Further reading in case you think VPNs are the solution: https://matt.traudt.xyz/posts/2019-10-17-you-want-tor-browse...
ziddoap | 3 years ago
> The Safest security level of Tor Browser is not affected because JavaScript is disabled at this security level.
urda | 3 years ago
Citations and sources for this claim?
_wldu | 3 years ago
Here's a Landlock wrapper (in Go) for Firefox: https://github.com/62726164/misc/blob/main/go/landlock/firef...
Also, I've only ever been able to get Tomoyo to work as MAC for Firefox. SELinux and AppArmor were too difficult.
wp381640 | 3 years ago
Further - many of the privacy enhancements in Firefox, such as fingerprint protection, were adopted from the work on Tor Browser
Vladimof | 3 years ago
What do you suggest?