Tradeoffs on running Tor Browser and Orbot?

kopolee11

Firefox should run every tab as an isolated process. But sandboxing is not as needed as you may think.

It is needed to prevent malicious code exploiting the rendering engines from accessing even more. But in some cases those exploits could also circumvent the Sandbox.

I had a Discussion about this recently and to my surprise was told Mozilla rewrote many core components of Firefox in memory safe Rust. This automatically gets rid of many security problems, while Chromium afaik uses unsafe languages.

To this "another attack surface", yes maybe but you already have Chromium, which due to its usage is a way bigger one. Firefox circumventing hardening is bad though.

Also, Vanadium executes all Javascript. The torbrowser and firefox in general can use Noscript, which increases Privacy and Security insanely.

You need to change defaults and block every new Javascript, then whitelist every single origin you trust. The web is unusable without Noscript.

To Orbot etc, you can use it, but a paid good VPN may be better. After all Tor is way more anonymous than any VPN, but makes you a target more. With regular apps and Orbot you would constantly use Exit Nodes (I run one, do the same!)

The tor network is only good if connecting is private (public wifi, vpn) and you stay inside.

Also check out i2p, there is a purplei2p fdroid repo that has a Conversations fork for i2p!!

    missing-root Vanadium executes all Javascript. The torbrowser and firefox in general can use Noscript, which increases Privacy and Security insanely.

    You can change site settings in Vanadium or other chromium browsers to disable javascript then enable it on a site by site basis. Lots of sites don't work well without it.

    Vanadium does however disable JavaScript jit by default. Attacks against javascript jit are by far the most common browser exploits.

    Tor browser disables jit in its high security levels but it's active when set to standard security level as with standard firefox.

      • [deleted]

      missing-root

      missing-root The tor network is only good if connecting is private (public wifi, vpn) and you stay inside.

      Why do you say this and what do you mean by stay inside? Seems like this is only a concern if you live somewhere where Tor is illegal or will cause excess attention from law enforcement (which some argue that any use of Tor will give you "extra" attention, but I digress). In that context then yes I guess one could say it's "only good with" because using Tor in itself would get you arrested, but that's not the case everywhere. If you're not concerned about your ISP knowing that you're connecting to Tor then I don't really see it being a problem, unless you really need to conceal your IP address because there is a high likelihood of being targeted.

        Bit off topic, but does anyone know if there's an Orbot equivalent for desktop (Linux)? By that I mean a simple to use GUI app that tunnels either the whole system or just specific apps through Tor.

          missing-root Mozilla rewrote many core components of Firefox in memory safe Rust.

          TorProject does the same with Tor Browser and c-tor.
          C-tor development could still take years. In addition to security, the main feature is: Rust is multicore aware.
          Then we relay operators no longer have to run dozens or hundreds of Tor-instances on a modern multicore CPU-server.

            DeletedUser28 Orbot equivalent for desktop (Linux) is apt install tor.
            No GUI just edit /etc/tor/torrc
            HowTo: man torrc

            Damn edit fails

            Tor runs by default in client mode & opens a socks proxy on port 9050.
            Configure $software to use tor: socks4 or socks5 proxy localhost:9050 or 127.0.0.1:9050

            TorBrowser has tor built in and binds default to 127.0.0.1:9150
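
The "socks4 or socks5" choice in the post above decides who resolves DNS. This added example (not part of the original post) builds the CONNECT requests a client would send to the ports quoted there and goes one step further by flagging the ones that carry only an IP address, meaning the application already resolved the name outside Tor. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress
import struct

TOR_SOCKS = ("127.0.0.1", 9050)          # system tor default, as quoted in the post
TOR_BROWSER_SOCKS = ("127.0.0.1", 9150)  # Tor Browser's bundled tor, as quoted in the post


def socks5_connect(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT request (RFC 1928), sent after method negotiation."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # ATYP 0x03: the hostname travels to the proxy, so Tor resolves it.
        name = host.encode("idna")
        return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)
    atyp = b"\x01" if ip.version == 4 else b"\x04"
    return b"\x05\x01\x00" + atyp + ip.packed + struct.pack(">H", port)


def socks4_connect(host: str, port: int) -> bytes:
    """SOCKS4 CONNECT request; falls back to the SOCKS4a form for hostnames."""
    head = b"\x04\x01" + struct.pack(">H", port)
    try:
        return head + ipaddress.IPv4Address(host).packed + b"\x00"
    except ValueError:
        # SOCKS4a: placeholder IP 0.0.0.1, empty user id, then the hostname.
        return head + b"\x00\x00\x00\x01" + b"\x00" + host.encode("idna") + b"\x00"


def carries_hostname(req: bytes) -> bool:
    """True if the proxy does the DNS lookup; False if the client already did."""
    if req[0] == 5:
        return req[3] == 3
    if req[0] == 4:
        ip = req[4:8]
        return ip[:3] == b"\x00\x00\x00" and ip[3] != 0
    raise ValueError("not a SOCKS request")


if __name__ == "__main__":
    # Constructed targets: a hostname and a documentation-range IP (192.0.2.0/24).
    for build in (socks4_connect, socks5_connect):
        for target in ("example.com", "192.0.2.10"):
            req = build(target, 443)
            verdict = "name sent to proxy" if carries_hostname(req) else "IP only"
            print(f"{build.__name__:15} {target:12} {verdict}  {req.hex()}")
```
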

              Carlos-Anso thanks, didn't know about JIT in Firefox and try to find the setting to completely disable it.

              Didn't know you could re-enable Javascript per site, but it's still worse than Noscript which is per origin and also more granular.

              And I have to say Chromium's settings suck. I tried following that tutorial to add Startpage, didn't work.

              boldsuck there is the flatpak "Carburetor" which takes care of the proxy and also isolates it with Bubblewrap.

              Most Distros use networkmanager, so you need to set the proxy there.

              So it is totally possible, split tunneling probably not (mullvad bypasses that by spawning excluded apps with mullvad-exclude). It simply needs a GUI in addition to Carburetor.

              [deleted] no idea what I meant with "stay inside".

              I like tor but it puts a lot of focus on you. I prefer to use it behind a VPN. Alternatively randomized MAC address and public wifi.

              For sure no cell data, home wifi maybe.

                • [deleted]

                missing-root

                Fair enough. Why not go full spook and run a yagi and snipe wifi a mile away? xD

                  missing-root
                  Yes, but there are no binaries, you have to compile it.
                  I haven't tested it yet. I use Tor more on the server side for my relays and Monero nodes.

                  missing-root Most Distros use networkmanager, so you need to set the proxy there.

                  Then the whole system uses the Tor network. Then I would directly use Tails, Whonix or Qubes. Or install it on the router network-wide.

                  I use different routes, e.g.:
                  $Browser via privoxy -> my ISP proxy -> www
                  $Browser, Console -> VPN -> Datacenter
                  I only use Tor for some hidden services (irc, bisq.network, haveno.exchange, Monero nodes) or to test my services/servers.

                  [deleted] Why not go full spook and run a yagi and snipe wifi a mile away? xD

                  I can do something similar here in the student district and mix with many other anon users.

                  My ubiquiti nanostation <- (Freifunk Open-mesh) -> ubiquiti nanostation -> VPN -> Exit server