[Whonix-devel] How to use Tor Browser for security not anonymity? How to use TBB using clearnet?

Patrick Schleizer patrick-mailinglists at whonix.org
Sun Apr 9 16:07:00 CEST 2017


TLDR:

1) How can one easily hack TBB to use clearnet? [1] (idea [2])

2) How can one enable cookies to persist in TBB?

3) How can one re-enable the Firefox password manager in TBB so one can
store passwords?

To achieve that I've disabled private browser and tinkered with lots of
torbutton Firefox config settings to no avail. Could you please kindly
advise on how to achieve that?

Long:

Tor Browser is better hardened than regular Firefox and over time, it
will be even better hardened, even sandboxed.

For clearnet browsing where Tor is either not required or creating a
mess (such as online banking), it would be awesome if one could use Tor
Browser without going through Tor.

I guess it's very safe to assume that most users won't use TBB
exclusively. They also want to use clearnet. But the value of a super
hardened secure browser TBB is somewhat reduced when then using a
non-hardened browser for clearnet use, which could lead to system
compromise.

Of course this TBB hacking for clearnet use would for now only be
advisable for advanced users, to not mess up a Tor Browser actually using
Tor vs a Tor Browser actually using clearnet. Would be up to oneself to
have some protections in place such as using a dedicated VM or computer
for that purpose so that one won't accidentally confuse one browser
with another.

Cheers,
Patrick

[1] I hear, at some point in the future, TBB will no longer have TCP
compiled in, and only use unix domain sockets. That's awesome for TBB
use with Tor, but makes TBB use with clearnet hard. Long term a solution
to redirect TOR_SOCKS_IPC_PATH to clearnet would be needed.

[2] Idea how to hack TBB to use clearnet.

We could set these environment variables:

export TOR_NO_DISPLAY_NETWORK_SETTINGS=1
export TOR_SKIP_CONTROLPORTTEST=1
export TOR_SKIP_LAUNCH=1
export TOR_SOCKS_IPC_PATH=/path/to/unix-domain-socket-file

then use socat to redirect the unix domain socket file to 9150.

On 9150, we could have a local ssh server running

sudo apt-get install openssh-server

and then use ssh to open a local socks port forwarding to our local ssh
server, which then would use clearnet.

sudo apt-get install openssh-client

ssh -D 9150 user@127.0.0.1
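
The socket-redirect step in [2], as an added example that is not part of the original message: a small Python relay standing in for socat, which listens on the unix domain socket named by TOR_SOCKS_IPC_PATH and forwards each connection to 127.0.0.1:9150. The function names are hypothetical, and creating the socket file with mode 0600 (so other local accounts cannot use the forwarder) is an assumption added here.

```python
import contextlib
import os
import socket
import threading

def _pump(src, dst):
    """Copy one direction until EOF, then half-close the receiving side."""
    with contextlib.suppress(OSError):
        while (data := src.recv(65536)):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _handle(client, tcp_addr):
    try:
        upstream = socket.create_connection(tcp_addr)
    except OSError:
        client.close()  # nothing is listening on the TCP side
        return
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)  # browser -> SOCKS port
    back.join()              # SOCKS port -> browser
    client.close()
    upstream.close()

def serve(sock_path, tcp_addr=("127.0.0.1", 9150)):
    """Relay connections on sock_path to tcp_addr; returns the listening socket."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)  # stale socket file from an earlier run
    old_umask = os.umask(0o177)  # socket file is created as 0600
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path)
    finally:
        os.umask(old_umask)
    srv.listen()

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_handle, args=(conn, tcp_addr), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv

if __name__ == "__main__":
    serve(os.environ["TOR_SOCKS_IPC_PATH"])
    threading.Event().wait()  # keep the relay running until interrupted
```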

