Hey @rustybird! Thanks for your great contrib and for a recent +WaitForSession patch. it works smoothly now!
Anyway, I have 3 dilemmas:
Can you provide us a mechanism to import bookmarks to bookmarks.tsv from a .json or .html backup, or there’s already a way to achieve this?
Can you provide us a mechanism to import logins to ~/.local/share/split-browser/logins/ from a chrome-passwords.csv or KeepasXC’s csv or html export, or there’s already a way to achieve this?
I have created persistent VM, whose dvm is whonix-ws-dvm. When starting it, Tor Browser would start. How would I start Firefox? Do I have to create another persistent qube for which default_dispvm would be fedora or debian based dvm, or there’s already a way to achieve this with a single created persistent qube whose default_dispvm is whonix-ws-dvm?
It’s starting default system browser defined with browser environment variable $BROWSER. For whonix-ws-dvm it’s torbrowser:
user@host:~$ echo $BROWSER
/usr/bin/x-www-browser
user@host:~$ cat /usr/bin/x-www-browser
#!/bin/bash
## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Allow users of Kicksecure to use Tor Browser as their default browser when
## they create file /etc/torbrowser-default-browser.
if [ -f /etc/torbrowser-default-browser ]; then
browser=torbrowser
fi
## If none of above is true then default to Tor Browser.
if [ "$browser" = "" ]; then
browser=torbrowser
fi
"$browser" "$@"
You can change it manually or maybe with this command: sudo update-alternatives --config x-www-browser
So you need to make changes in disposable template and change the /usr/bin/x-www-browser file:
You don’t need a separate persistent VM to use firefox. However, you need to set the persistent VM’s default dispvm to a disposable VM that has firefox installed.
And
Non-“Tor Browser” versions of Firefox should also work: Symlink [/usr/local]/etc/split-browser-disp/22-firefox.bash.EXAMPLE (or copy it, if you need to adjust the Firefox location) without the .EXAMPLE suffix.
The two scripts in [/usr/local]/etc/split-browser-disp/ are executed sequently. So you may need to rename the other script, if you wish to launch firefox instead of tor-browser, when both of them present.
Do you want to use Split Browser with both Tor Browser and Firefox? That’s currently a bit convoluted, because which browser to launch is configured statically inside the -dvm disposable template. So to use both browsers you’d set up another -dvm for Firefox, and then it would indeed be easiest to also create a second persistent qube and set its default_dispvm to that Firefox -dvm. Alternatively it’s possible to have just a single persistent qube, but you’d have to switch its default_dispvm whenever you want Split Browser to launch a different browser than last time…
Something that’s been on my todo list forever: Allow the persistent side to choose a disposable side and a browser configuration dynamically, e.g. split-browser --disp=fedora-35-dvm --browser=firefox
Now the problem is syncing the bookmarks between the three AppVMs: tor-browsing <> bookmarks <> firefox-browsing
This could be achieved with a dom0 policy in /etc/qubes/policy.d/23-allowcopy.policy, but that will allow unrestricted file-copy to and from bookmarks by the two vms. However, given that the three vms are not connected to the net and they would only be used for storing bookmarks, it could be a tradeoff one is willing to take for this kind of set up.
Unless the sync is triggered by file modification on either secondary vm, at which point the policy could be set to ask and when users add bookmarks they’ll have to confirm inter-vm sync with a dom0 prompt, which could be a bit safer:
Wow, thanks to all of you guys. A lot of more than useful info.
One more question; if I add bookmark to a dispVM Tor Browser (or Firefox, whichever I’d use), would it persist in persistent AppVM? I mean, if I import bookmarks from .json or .html into Tor Browser in dispVM, would they persist?
Split-browser re-defined some FF shortcuts to trigger “add” and “get” bookmark events in your persistent VM. It doesn’t interact with FF’s bookmark storage. You have to open each item of your bookmark, and press Ctrl+D, for them to be stored in the persistent VM.
Oof, well before y’all turn to some tricky file syncing setups (there’s also the logins directory tree to worry about…) feel free to give the latest, very minimalist commit (not yet released in a package updateEdit: released as qubes-split-browser-0.15.0, which is in the contrib current-testing repo) a try instead. It allows you to choose the disposable side dynamically, even if there’s just one persistent qube.
Dynamically choosing different browser configurations within one -dvm is going to be more complicated and tbh I don’t know when I’ll get around to implementing that.
Why it’s not feasible (at least for me) to manually set non-tor-dvm-template (debian-11-minimal-dvm or fedora-35-dvm namely) on the fly (just as we can switch netVMs on the fly) in order to start Firefox, while persistent split-browser VM is up so we could get both browsers started in parallel from 2 dispVMs (one based on whonix-ws-dvm, and the other based on debian-11-minimal-dvm/fedora-35-dvm)?
What happens is that Tor Browser is started in disp1 and after switching to debian-11-minimal-dvm-template in surfer-settings-advanced-defaultDVM, disp2 based on it is started, but Firefox not, and disp2 is immediately shutdown (same for fedora-35-dvm).
In fact, based on my testing, I cannot reproduce your problem. I can switch the default_dispvm back and forth, each dispVM is working flawlessly with split-browser functions, respectively and simultaneously.
The x-www-browser stuff that @tzwcfq wrote about is completely unrelated to Split Browser, as @augschpointed out. Don’t do any of that.
So you haven’t actually configured your Firefox -dvm to use Firefox for Split Browser yet. (If you run split-browser in a terminal in your persistent qube, there’ll probably be an error message from the disposable side complaining that Tor Browser is missing, which would be why disp2 immediately shuts down.)
Bridging KeePassXC to Split Browser’s login system on the persistent side (not to the potentially malicious disposable side, where the browser runs) is another one of those eternal TODOs…
I’m not so worried about that aspect. It’s always possible to compartmentalize with multiple vault qubes.
What does worry me is using the vanilla, bidirectional KeePassXC protocol across a trust boundary. That protocol’s gotta be at least somewhat complex - is it documented somewhere? - and I’d be surprised if its implementation was already perfectly fit to withstand our unusual threat model, where an exploited browser might try to attack the vault by sending malformed data in order to extract all credentials. Or in the worst case, to execute arbitrary code and e.g. gain persistence by then using the vault as a foothold from which to launch exploits in the other direction, against every new disposable browser instance.
Thanks a bunch for this tip. It would be probably good to include it in your Github readme file, since obviously no one here didn’t know about the necessity of such a linking.
It’s a shame some kind of importing bookmarks doesn’t exist.
I have manually extracted links from my bookmarks.html file and imported it to tsv file in Calc and now I have all the bookmarks.
Regarding logins, for now I’d prefer to have them in my KeepasssXC in vault and manually copy pasting usernames and passwords. I just don’t feel safe enough to have them in a clear text file in some other AppVM.
Thanks once again for the great work here @rustybird
I found it helpful to have a way to easily delete some lines of the bookmark. Is it possible to add this function, using dmenu that’s triggered by Alt+B? I can’t imagine a way to do this. Thanks.
