The Grand Unified Browser

(Yeah, that’s a geeky physics reference)

Introduction/Rationale

From what I’ve seen, there are two major enhancements to firefox or tor that get referenced a lot here (presumably that means they get used a lot, too).

My experience has been entirely with Firefox. (I wish I could like tor, but it takes so ridiculously long to start it over my network…) I hope this carries over to tor, for those who do use it.

[Edit to add: Apparently, you don’t want to combine Tor in any form with Arkenfox. My source on this is unclear as to whether Tor+split browser is a bad idea. However, RustyBird (the originator of split browser) does support both Tor and Firefox.]

Hardening Based on Arkenfox

The first is basically an elaboration of Arkenfox’s work that is elaborated in [Guide] Automatically install extensions and configure new (dispvm) hardened Firefox profiles with arkenfox user.js and policies - #60.

Arkenfox, as originally conceived (and I may be misreading this), sets up a preference file that is persistent between firefox runs…it gets copied into the runtime preferences when you start Firefox, and any settings you change during a session won’t “stick” and be around the next time you run Firefox. Arkenfox, however, wasn’t thinking in Qubes, and given that we have disposable virtual machines it’s possible to go one better on him. That is what @BEBF738VD did.

In essence, the Arkenfox user.js preference settings are added to a template with a fresh install of firefox in such a way that when you start an appvm (or disposable) based on that template, it’s as if you were running firefox for the first time…but the default settings are now what you want. BEBF738VD’s work also includes instructions on how to add a policy to the installation. (You need a policy to actually set the default browser; it cannot be done through prefs. A deliberate design decision by Firefox.)

[Incidentally, when you run Firefox for the very first time, it creates a “profile” with a random, gobbledygook name, which becomes your profile in subsequent runs…and it’s distinguishable. By doing things this way a different profile name is generated every time you run the browser because on a DVM every run is the first run.]

The BEBF738VD thread gives directions on how to do all this, and you have opportunities to set things up to use a subset of Arkenfox’s settings or to add more to them. (I did the latter, to configure the Firefox UI in a way more to my liking.) The Arkenfox file itself is well commented and organized topically, so it’s fairly easy to find settings you don’t care about (or which break something online) and remove them. After doing that they are translated into a different format and placed in an area Arkenfox himself didn’t envision, so that they become the default prefs when you start firefox for the first time (well, the first and last time in the life of that particular DVM). In fact I have three distinct copies of the original Arkenfox user.js file, one with basically everything in it, the other two with fewer and fewer Arkenfox settings actually enabled.

Some argue that this treatment is pointless, at least for Firefox, because Arkenfox emphasizes fingerprinting resistance and really the best way to accomplish that is through Tor. But there is a lot more to Arkenfox’s settings than just fingerprint resistance (though I kept that part in all three versions), so even if you think the fingerprinting is pointless, it’s still worth checking out.

The big disadvantage of this is, you have no bookmarks. You could import them, of course, but that involves copying files, doing the actual import…and a hacker could conceivably capture your bookmarks…all of them…unless you go to the trouble of maintaining separate sets of bookmarks, which multiplies the pain-in-the-hindquarters factor greatly.

Bookmarks from Split Browser

The other popular enhancement to browsers is split-browser. There are a number of threads on this topic, but the best starting place is here: GitHub - rustybird/qubes-app-split-browser: Tor Browser (or Firefox) in a Qubes DisposableVM, with persistent bookmarks and login credentials as @RustyBird has written good instructions. (NB: there seems to be an issue with this on Fedora so you may want to consider the “or install manually” directions if that gets in your way.)

The idea here is to create an AppVM where your bookmarks are stored, and use that AppVM to launch disposable browsers (the default-dispvm for that AppVM should point to the VM with the browser installed). Installation happens on both the bookmark-holding AppVM and the browser DVM template. Once installed the only thing you actually do on the bookmark AppVM is use it to launch browsers. You go to the browser and look up bookmarks with Alt-B (which tells the bookmark AppVM to pop up a window to let you select a bookmark, then the AppVM sends the bookmark to the browser, which opens in a new tab). Also the browser lets you save bookmarks, these are sent to the bookmark AppVM which puts them in the bookmarks file for future use. (There is a capability to manage passwords, too, but I haven’t tried it yet so I can’t summarize it.)

So this has the bookmarks, and those bookmarks are controlled elsewhere so someone who hacks your browser qube can’t steal them all. And the fact that the browser runs in a disposable means bookmarks you used previously aren’t there any more.

The problem with this is you get a bonestock Firefox install, complete with obnoxious “welcome to Firefox” page and Firefox’s default home page and the url bar sending your typos to google and…you name it. In other words, this brings with it a lot of the problems you can solve with the Arkenfox+ described previously.

Wouldn’t it be nice to combine these? Hardening and customization of your Firefox browser and bookmarks which persist and are kept elsewhere?

Well, when I first installed split browser, I did it in a half-assed “Arkenfoxed” VM (I think I just put a user.js in the profile area). And it did NOT work. The prior quasi-arkenfoxing I had done prevented the keyboard shortcuts in split browser (which are vital) from working. So basically it looked like the two couldn’t be combined.

The Grand Unified Browser (Best of Both Worlds)

However, it turns out they can be combined. And it’s fairly easy!

Step One: Install split browser as described in the github link above. Do this with the browser side being a template with a fresh, never-used Firefox installation. Verify it works by running the bookmark VM, using it to start a browser, and then, in that browser, saving a bookmark or two with ctrl-d, and getting the bookmark with alt-B. (NB: split browser checks your new bookmark to ensure it’s not a duplicate, so any additional bookmarks in your test must be distinct.)

Step Two: Create your user.js file as given in the instructions I linked above. I personally downloaded the latest version from Arkenfox’s github, modified it, then added some more settings. I then translated this (as described in BEBF738VD’s instructions) into a firefox.cfg file.

Do NOT put this where described in those instructions. Instead, append it to the file /usr/share/split-browser-disp/firefox/sb.js in your split-browser’s browser template. Please note I said “append.” Don’t replace, add to the end of the existing file. The existing file defines, among other things, the keyboard shortcuts that underpin split browser; if you destroy those, you don’t really have a split browser any more.

[Alternative: instead of appending to sb.js in the split browser’s browser template, place this file in the bookmarks AppVM in /etc/split-browser/prefs. But name it 50-user.js. This method allows you to alter the preferences without having multiple templates for the browser since this file gets copied over to the browser VM when it starts up. You can swap different versions of this file depending on how much (or how little) Arkenfox+ you want in the browser, right before starting the browser. This can be automated by writing scripts to copy a specific version of 50-user.js to that location and then run browser-start; each of these scripts can be referenced by a different .desktop file if you like calling things up from desktop shortcuts or the main Qubes menu.]

Step Three: Copy your policies.json file (if you have one) from your “Arkenfox+” setup, to /usr/lib/firefox-esr/distribution.

That’s it…the next time you run the split-browser browser, it should look exactly like your arkenfox+ browser…because it essentially is. But you have access to your bookmarks that are kept on your bookmarks AppVM.

OK, so there’s still some stuff missing…there’s no pre-canned solution for importing bookmarks into split-browser from one of those .html bookmark export files. But that was true before, too. Also it’d be nice if the bookmarks could be subdivided into folders…well, I think it would be nice, perhaps most people don’t care about that. But these are both characteristic of what’s already there; they are not new limitations of the Grand Unified Browser. (And as it happens, I am working on both of them.)

I hope that both @RustyBird and @BEBF738VD see this and read it and tell me if there are any gaping holes–especially with respect to security–with this concept.

6 Likes

Wouldn’t it be better to create a /etc/split-browser/prefs/50-user.js as described in split-browser --help ?

additional browser preference line, appended after those
stored in /etc/split-browser/prefs/*.js and
/usr/local/etc/split-browser/prefs/*.js

I haven’t tried, but I would assume it to be a safer option (if it works as described), as you wouldn’t have to edit the original file and it won’t be replaced by an update.

Also, I’d move this thread to the “Guides” section, what do you think?

5 Likes

Arkenfox’s approach differs wildly from Tor’s. The former focuses on making it harder to gather information on you or on a focus on customizing your setup. In contrast, the latter focuses on making you look as identical as it can to its other users. Customize beyond what I mention and you can and will compromise your (pseudo?)anonymity.

Owing to this, you want close to zero modifications for Tor browser. The only things you may freely modify are the security slider, .onion prioritizing, your search engine, and maybe your locale. Touch nothing else and do not expand the window. There are many more intricacies to its use, and it’s easy to shoot yourself in the foot (like I did in my past…). Depending on your threat model, it may be relatively harmless (say, you just wish for some privacy). Or it may necessitate you to flee your area (say, you’re a journalist in China, the next Assange, a political activist, and so on and so forth).

Edit: I sound harsh because it’s super easy to harm yourself with Tor by accident or through mishap. I hope I didn’t sound overly aggressive :sweat_smile:

2 Likes

It’s ridiculously narrow by default. You can’t even drag it wider with the mouse? (I can understand a prohibition against making it cover the whole screen.)

More seriously, what I’m getting here is that if you want to use Tor, you should simply use the split-browser implementation and not do this Grand Unified Browser, because there’s very little customization (which is what Arkenfox brings to the table) that’s not actively harmful. Is that right? If so I might edit my original post to reflect this.

I’ll sound harsh too, but sincerely not maliciously. Please name one case where Arkenfox makes sense more in Qubes than the Qubes’ philosophy itself? I am genuinely interested to learn it is better than the approach (routine) I developed using Qubes.
It’s “hardening” that brought me to Qubes, not vice versa.

2 Likes

It’s narrow by design. While it does letterbox, it’s not perfect. It’s like this to make it harder to tell users apart. It’s much easier to suggest users to not expand beyond a small window than it is to hide screen dimensions.

Tbh I have no idea about split browser with Tor. I think you can ask on Whonix’s forum. They have a Qubes subsection. Edit: While you’re there you can ask them about window dimensions

I just know enough and have a low enough threat model to lightly browse with it. I have no idea about its intricacies except for a few tidbits unrelated to this thread’s subject. I simply read enough about it to know that blind usage is a bad idea.

Well it sounds like Tor+Arkenfox is a bad idea. I’ll amend my original post.

1 Like

Ah, no, I didn’t mean to imply Arkenfox doesn’t go along nicely with Qubes. I meant to emphasize that it’s fine for Firefox and not Tor.

Yes, yes, I know. I just used your words as an intro to start my post the same way, nothing else or related.

1 Like

I looked around for a way to do that, and I can’t find one.

I did it for you. Just click the pencil near the subject and then choose the category below the Subject.

2 Likes

Firefox / Tor Browser can export bookmarks to a much easier to parse JSON file (though the Manage Bookmarks window calls this a “backup”, and uses “export” to refer to the old not-quite-HTML format). There is a script to translate this JSON bookmarks file to Split Browser’s TSV format:

If you only have a .html export, you could use Firefox’s Manage Bookmarks screen to “import” it, then “backup” to JSON.

3 Likes

@RustyBird, I actually just yesterday merged an “importer” utility I wrote a few days ago into the “bookmark manager” app I created. (I’ll describe that below.)

Here’s the bad news: It’s importing into the tree-style menu (i.e., one with a “folder” hierarchy) I created. However, that file is exactly like the one split browser uses by default, except for a fourth column giving the “path” (gtk-style) to the bookmark. [basically, they look like this: “1:2:3” means the fourth child of the third child of the second top-level item, of course it numbers things like C does, starting with zero.] It also creates “folders” (title with no URL). The HTML file has nested folders in it, I simply preserve them. (I also allow for starting the top-level numbering with something higher than zero in case it’s being appended to an existing tree of bookmarks.) However, it’d be relatively trivial to go back to my original separate conversion utility, have it ignore folders, and skip writing the path. It would then be an HTML to three-column tsv file conversion utility.

The other piece of bad news is this is C++ code that has to be compiled, rather than a script. Some probably won’t like that. But it has literally no special library dependencies, it’s literally g++ <source filename> -o <executablename>. If you think it would be useful I can post that code once I rip out the folder-ing; it’s roughly two hundred lines of text I think.

OK, for the bookmark manager: It’s one source file (C++) which depending on an environment variable gives you two different executables. One is the bookmark-picker, it gives you a popup from which you navigate to and select a bookmark (it plugs in to split-browser-bookmark in place of dmenu), from a treed list with folders, OR compiles to create a bookmark-manager window that lets you rearrange, rename, and delete bookmarks–and again, they are in nested folders. The file runs about 1500 lines and also is C++ and must be compiled (and this one brings in gtk+ libraries but I believe they’re part of standard Qubes’ distributions). The manager can import either your three-column tsv, or an HTML file. The only reason I’d be hesitant to post that code right now is that I haven’t figured out how to block drag-and-drop from letting one bookmark be the parent to another bookmark (only folders should be parents). The other part of the puzzle is adding a bookmark to the treed, four column .tsv from the browser; I unfortunately had to write a LOT of bash stuff into my copy of split-browser-bookmark to get that to work. I could tell from reading it you know bash a lot better than I do, so you’d probably get a good giggle out of what I did.

1 Like

The business end may be translatable to python. Doing so would bypass the compilation requirements. It’s the GUI part that keeps me away from writing it—I dislike handling it when I code.

Edit: That said, maybe I can try to write the business end and someone else can take the code and add GUI handling on top.

That bookmark manager sounds like an interesting experiment, so if you ever feel like uploading it why not.

What I’ve occasionally wanted to do is simply stick some tags to a bookmark, when neither the URL nor the title is descriptive enough to be easily retrievable through dmenu’s omni search. But so far I haven’t wanted it enough to figure out how to implement it, ideally with minimal code. Maybe as a hook if that ever becomes a thing, or by extending the “Page bookmarked” notification with an interactive element.

2 Likes

Unlike many other non-Qubes “hardenings”, “split-things” make a real and huge difference as I see it, and I’m sure they will draw devs’ attention more in the future as a way to tweak Qubes in a way to become even more “Reasonably Secure OS”.

2 Likes

I was about to report that this didn’t work.

Then the light dawned. If you wish to do it this way, the file must be stored in that location on the bookmark VM’s template not the template of the Browser! Apparently anything in that directory gets shipped over to the browser VM when it starts up.

In a way this is actually much much better. I created three different “levels” of Arkenfoxing (with progressively more and more of his settings not commented out). But the way I was doing that before, that meant three different browser templates. Now, I just have to copy the one I want into that filename before I start the browser with his desktop shortcuts, or alternatively create a few short scripts (copy one of the three files to /etc/split-browser/prefs/50-user.js, then start browser as before) and connect them to .desktop files.

You still need to put policies.json on the browser, so if there are multiple versions of this you’ll likely want multiple templates (though I can think of one trick that might cut that down to one TemplateVM and multiple dvm templates–IF I can get that to work.). I’m going to end up doing that, probably, because sometimes noscript is an impediment.

1 Like

Yes, that’s correct. I probably should’ve mentioned it.

Fair, but you do have the option to disable the extension, even for one tab.

2 Likes

Btw, two quirks of [/usr/local]/etc/split-browser/prefs/*.js for all the power users:

  • The files should not contain literal tab characters. Those would be replaced by newlines.

  • The files must currently have a combined size of well under 64 KiB. That’s not a problem if the Arkenfox guide from the forum is used, which strips out the extensive commentary. But the original Arkenfox user.js (with only user_pref changed to pref) is too large. A future Split Browser version might bump up this size limit.

3 Likes
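The two quirks above, combined with the 50-user.js swapping discussed earlier in the thread, as an added example that is not part of any post or of Split Browser itself. It assumes active prefs are single-line `user_pref(...)` statements starting at column 0, and uses 48 KiB as an arbitrary stand-in for "well under 64 KiB"; the function names and `PREFS_LIMIT` are hypothetical.

```shell
#!/bin/sh
# Added example: prepare and validate Split Browser preference files.
# Assumption: 49152 bytes is this example's margin for "well under 64 KiB".
PREFS_LIMIT=${PREFS_LIMIT:-49152}

# Convert an Arkenfox-style user.js (stdin) to pref() lines (stdout).
# Keeps only active single-line user_pref statements (assumption), drops
# trailing // comments, and turns any remaining tab into a space.
userjs_to_prefs() {
    grep -E '^user_pref\(' |
        sed -E -e 's#^user_pref\(#pref(#' \
               -e 's#\);[[:space:]]*//.*$#);#' |
        tr '\t' ' '
}

# Check every *.js in a prefs directory against both quirks: no literal
# tab characters, and a combined size below PREFS_LIMIT bytes.
# Prints one line per problem; returns 0 only when the directory is clean.
check_prefs_dir() {
    local dir="$1" total=0 rc=0 f size
    for f in "$dir"/*.js; do
        [ -e "$f" ] || continue
        if grep -q "$(printf '\t')" -- "$f"; then
            echo "TAB: $f contains literal tab characters"
            rc=1
        fi
        size=$(wc -c < "$f")
        total=$((total + size))
    done
    if [ "$total" -ge "$PREFS_LIMIT" ]; then
        echo "SIZE: $total bytes combined, limit is $PREFS_LIMIT"
        rc=1
    fi
    return "$rc"
}

# Convert SRC and install it as DEST_DIR/50-user.js, but only if it passes
# the checks together with the other *.js files already in DEST_DIR.
install_prefs() {
    local src="$1" dest="$2" stage f rc=0
    stage=$(mktemp -d) || return 1
    for f in "$dest"/*.js; do
        if [ -e "$f" ] && [ "${f##*/}" != 50-user.js ]; then
            cp -- "$f" "$stage/"
        fi
    done
    userjs_to_prefs < "$src" > "$stage/50-user.js"
    if check_prefs_dir "$stage"; then
        cp -- "$stage/50-user.js" "$dest/50-user.js"
    else
        rc=1
    fi
    rm -rf -- "$stage"
    return "$rc"
}
```

Sourced in the VM that holds /etc/split-browser/prefs, `install_prefs ~/levels/strict.js /etc/split-browser/prefs` (the source path is a placeholder) refuses to overwrite 50-user.js when the result would trip either quirk.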

I’ll have to give that a look (disabling for one tab) as, obviously, it’d reduce the number of actual templates I need on the browser side. I know when I was using it and realizing it was causing me problems, I couldn’t see anything that was obviously a “disable” icon, much less for just one tab. [Insert my standard rant about often-cryptic doodles replacing text for labels on controls that now no longer look like controls because it’s not fashionable to make them look like buttons any more.]