11/14/2022

How to use tor browser sandbox

That means the text I clicked to read is displayed and is readable, the images I clicked to view are displayed, etc. The internet with NoScript is the best way to browse 90% of the time. Even today, the vast majority of the sites I visit (including the one linked to in this post) work just fine (for what I want) without JS. I started because it was required for my work and I just got used to it and now do it everywhere.

> Anybody claiming they regularly use the internet with JS disabled is just lying for some sort of feel of superiority.

You can read the Tor Browser design documentation (though old) to get a rough sketch of what it's trying, and what it's not trying, to achieve:

Further reading in case you think VPNs are the solution.

If you're not using the Tor Browser you're making yourself both insecure (it ships with a smaller attack surface, no WebGL for example) and fingerprintable defeating thus the full privacy advantages of the Tor Browser.

> I'm ambivalent about Tor, but if you're using Tor, don't use the Browser Bundle.

First off, the "Tor Browser Bundle" is a deprecated name.

The overwhelming majority of exit traffic now is using HTTPS and Tor Browser ships with HTTPS Everywhere to avoid SSL stripping attacks (in fact the next version of the Tor Browser will have the HTTPS-Only mode enabled by default, it's already being tested in the alpha release), so how will those evil exit nodes burn those exploits?

> Meanwhile, the fork you'll be running is specifically designed to hide sensitive traffic, and collapses all those users into a single version for exploits to target.

That might've been true in the past, it's hard to argue for it now.

> Firefox is already not one of the most hardened browser engines.

Tor Browser ships updates as soon as new ESR versions come out.

> A reminder that Tor Browser might be one of the least safe browsers you can run: it's a fork of Firefox, meaning that its maintainers have to coordinate and port patches from the mainline project.

This is deeply misleading and based on old data.

But if you're going to use Tor for things that have actual consequences, it may very well matter a lot, and at that point, fully understanding the various threats and how they've been used over the years may be a matter of your freedom.

For whatever it's worth, I try to add Tor traffic where I can, just to help with the noise factor.

It's not impossible, but I would generally consider VMware/VirtualBox somewhat softer targets to escape from than Xen.

Again, does any of this matter for casual use? No.

It's a far smaller codebase, and when you're using hardware virtualization with paravirtualized devices (virtio-type interfaces), there's just not as much surface exposed for attack. Badness in another VM can't directly impact the Whonix VMs, unless it's compromised Dom0, at which point you've lost with Qubes anyway.

Both are at risk from a hypervisor escape as well, but I generally consider Xen to be a somewhat better inspected and harder to escape from target than VirtualBox or VMware Workstation, just because there's less to Xen.

Qubes adds a few more layers of isolation and security, because you now have a Type 1 hypervisor under everything (currently Xen), with your other isolation VMs separated out.

It's not a high risk, but if you're going to be doing something with Tor where failure of opsec puts you in prison for life (see DPR), it's something to consider.

However, if you assume a "dirty host," with various bits of nastiness on it, if you're just using VirtualBox or something, it would be easy enough for a compromised Whonix workstation VM to chatter away with the host and have the host beacon out, or have the host modify the disk images for Whonix to add badness, or something of the sort.

"Whonix alone" is probably fine against browser exploits in the Tor browser (of which I generally assume there are many, because it's a browser of Very Much Interest to plenty of agencies).