PREFACE
The following is an experimental project of mine; do not use this in your actual tor browser until other people have tested it. Know that any changes to the tor browser’s config can be detrimental to your anonymity - bar changing the security slider.
The problem:
Loading tor browser in a new disposable whonix workstation by default requires the user to manually change the security setting (which in my opinion should be safest by default but that is a TB upstream issue), which can get annoying. What can also be annoying is the flashbang that is the white theme, and having the noscript icon hidden by default. The latter are power user preferences, and the only really important thing is the security setting.
Therefore, I request that someone peer-review my solution! I have created a method that works on the user end (not fully tested the extent of the fingerprint change in the backend), even with the recently added mandatory restart after changing security settings in the TB.
Reproducing:
These are the main files we are concerned with:
- /var/cache/tb-binary/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/prefs.js
Located in the whonix workstation dvm template, this file is where we place the config lines which overwrite the tor browser’s.
- /rw/config/rc.local
Also located in the whonix workstation dvm template, this file is a shell script which runs every time a new disposable whonix machine is created. We will use this to cat the config into the prefs.js file.
The config:
user_pref("browser.contentblocking.category", "standard");
user_pref("browser.security_level.noscript_inited", true);
user_pref("browser.security_level.security_custom", false);
user_pref("browser.security_level.security_slider", 1);
user_pref("browser.startup.homepage", "about:tor");
user_pref("browser.theme.content-theme", 0);
user_pref("browser.theme.toolbar-theme", 0);
user_pref("browser.uiCustomization.state", "{\"placements\":{\"widget-overflow-fixed-list\":[],\"unified-extensions-area\":[],\"nav-bar\":[\"back-button\",\"forward-button\",\"stop-reload-button\",\"urlbar-container\",\"security-level-button\",\"new-identity-button\",\"downloads-button\",\"fxa-toolbar-menu-button\",\"_73a6fe31-595d-460b-a920-fcc0f8843232_-browser-action\",\"unified-extensions-button\"],\"toolbar-menubar\":[\"menubar-items\"],\"TabsToolbar\":[\"firefox-view-button\",\"tabbrowser-tabs\",\"new-tab-button\",\"alltabs-button\"],\"PersonalToolbar\":[\"import-button\",\"personal-bookmarks\"]},\"seen\":[\"_73a6fe31-595d-460b-a920-fcc0f8843232_-browser-action\",\"developer-button\"],\"dirtyAreaCache\":[\"nav-bar\",\"unified-extensions-area\",\"PersonalToolbar\"],\"currentVersion\":20,\"currentVersionBaseBrowser\":2,\"currentVersionTorBrowser\":1,\"newElementCount\":0}");
user_pref("browser.urlbar.placeholderName", "DuckDuckGo (.onion)");
user_pref("browser.urlbar.placeholderName.private", "DuckDuckGo (.onion)");
user_pref("extensions.activeThemeID", "firefox-compact-dark@mozilla.org");
user_pref("extensions.hideNoScript", false);
user_pref("extensions.webextensions.ExtensionStorageIDB.migrated.{73a6fe31-595d-460b-a920-fcc0f8843232}", true);
user_pref("extensions.webextensions.uuids", "{\"{73a6fe31-595d-460b-a920-fcc0f8843232}\":\"619ad31b-cfc9-4ea3-9932-ef259eff5bdc\",\"default-theme@mozilla.org\":\"6a587fe5-ef3e-46d5-a6b9-48bb067c4b2c\",\"firefox-compact-dark@mozilla.org\":\"e53517b4-aa5a-41a1-a23e-9ce9e4f6bb64\"}");
The first few lines are the important ones - setting the tor browser safety setting. The other ones are personal preferences (color theme, button arrangement), and I would like feedback as to how this may affect my fingerprint and if javascript can be used to detect these things without exploiting a vulnerability in the browser.
The script:
Edit the /rw/config/rc.local script in the whonix workstation dvm template machine to include the following, replacing the “…” between the two EOF lines with the config above or of your choice:
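# Write the prefs verbatim. The quoted 'EOF' delimiter stops the shell (running as root in rc.local)
# from expanding $, backticks or backslashes that may appear in the pasted config.
cat > /var/cache/tb-binary/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/prefs.js <<'EOF'
...
EOF
# Hand ownership of the tor browser directory to the default user.
chown -R user:user /var/cache/tb-binary/.tb/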
This is a simple script that just cats the data into the prefs file, then sets permissions for the user ‘user’ (default in all whonix workstations) to be able to read the directory. This is necessary for the config to be loaded properly.
Conclusion:
I would greatly appreciate any feedback on this matter, and also would like some pointers as to where I can learn more about the technical sides of browser fingerprinting.
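A check that could follow the write in rc.local, so that a truncated or mistyped heredoc does not silently leave a disposable at a different security level. This is an added example, not part of the original post: the function names `pref_value` and `check_tb_prefs` are hypothetical, and the expected values are the ones in the post's config. It assumes a repeated key is decided by its last line.

```shell
#!/bin/sh
# Added example: confirm a prefs.js carries the security-level prefs from the post.

# pref_value FILE KEY -> prints the value of the last user_pref() line for KEY.
pref_value() {
    # KEY is matched literally with index(), so dots in pref names are not wildcards.
    awk -v key="$2" '
        index($0, "user_pref(\"" key "\",") == 1 {
            v = $0
            sub(/^[^,]*,[ \t]*/, "", v)   # drop: user_pref("key",
            sub(/\);[ \t\r]*$/, "", v)    # drop the trailing: );
            last = v                      # assumption: the last line for a key wins
        }
        END { if (last != "") print last }
    ' "$1"
}

# check_tb_prefs FILE -> 0 if all three prefs match, 1 on mismatch, 2 if unreadable.
check_tb_prefs() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "unreadable: $file" >&2; return 2; }
    while read -r key want; do
        got=$(pref_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want $want, got ${got:-<unset>}" >&2
            rc=1
        fi
    done <<'EOF'
browser.security_level.security_slider 1
browser.security_level.security_custom false
browser.security_level.noscript_inited true
EOF
    return $rc
}

# Constructed sample input (not a real profile): the first lines of the post's config.
demo=$(mktemp)
cat > "$demo" <<'EOF'
user_pref("browser.contentblocking.category", "standard");
user_pref("browser.security_level.noscript_inited", true);
user_pref("browser.security_level.security_custom", false);
user_pref("browser.security_level.security_slider", 1);
EOF
check_tb_prefs "$demo" && echo "security-level prefs present"
rm -f "$demo"
```

In rc.local the call would take the prefs.js path from the post as its argument, with a non-zero return treated as a reason not to browse in that disposable.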