
The safer solution is to run the modern browser of your choice (probably Chrome) in an isolated VM routed through a torified gateway. Hardware isolation would of course be preferable.

If you're using Tails you'd probably be much better off using Whonix instead.

With Tails, an attacker capable of breaking your browser will m̶o̶s̶t̶ ̶l̶i̶k̶e̶l̶y̶ definitely also be capable of easily grabbing your IP address.



I love Chrome but I'm sure in some way it reports what I'm doing to Google.

Why not just use Firefox?


Whonix is an OS; a modern browser of your choice could be Firefox.

Whonix runs Tor in a separate VM from your browser/user space. The idea is that even if you get hacked they don't get your IP address, since they can only access the internet through the gateway VM that pushes all traffic through Tor.


I always wondered why they need the Whonix gateway. Couldn't they just pass it through the host's Tor? Why do I need to run an entire full-blown Debian just as a proxy?


Is there any reason not to use Whonix?


What do I do if macOS is my host OS?


Only VirtualBox is an option, but Whonix says support is experimental (they don't test it at all). So... stick with it.


No.


That's indeed far better; specifically, Firefox ESR with all the calling-home features disabled in about:config and NoScript with no whitelist on top of it.

Ideally you'd make sure the one responsible for going through Tor isn't Firefox, too; i.e., at the very least a wrapper such as tsocks when running it, or even better, a VM containing the browser and the entire VM connecting only through Tor.


> The safer solution is to run the modern browser of your choice (probably chrome) in an isolated VM routed through a torified gateway.

This is bad and dangerous advice that can potentially put people in trouble. As I said elsewhere in this thread: If you don't use the Tor Browser you're exposing yourself to all the fingerprinting attacks that the Tor Browser tries to protect from: https://www.torproject.org/projects/torbrowser/design/

Not only that, using the particular setup you're describing, you won't have stream isolation, so all of your website browsing can be watched by a single exit node (whereas with the Tor Browser each site has its own circuit), which makes correlation attacks much more damaging (whole browsing history in a session vs 1 site).


>This is bad and dangerous advice that can potentially put people in trouble. As I said elsewhere in this thread: If you don't use the Tor Browser you're exposing yourself to all the fingerprinting attacks that the Tor Browser tries to protect from: https://www.torproject.org/projects/torbrowser/design/

And if you do use Tor Browser you're exposing yourself to an old insecure browser. This situation has dramatically improved recently, but it's still far from optimal.

I think for most people fingerprinting is the far lesser threat, especially when discussing an install that'll presumably always remain behind Tor.

>Not only that, using the particular setup you're describing, you won't have stream isolation, so all of your website browsing can be watched by a single exit node (whereas with the Tor Browser each site has its own circuit), which makes correlation attacks much more damaging (whole browsing history in a session vs 1 site).

Both Firefox and Chrome should grab KDE's proxy settings and therefore automatically benefit from stream isolation on Whonix, no?


> And if you do use Tor Browser you're exposing yourself to an old insecure browser.

1) The Tor Browser is based on the Firefox 52 ESR, sure, it's not the most secure browser in the market, but it's far from being "old and insecure".

2) If you're considering the alpha Linux 64 version, it includes Selfrando, which should provide more protection than a vanilla Firefox. See "Real-world Exploits against the Tor Browser" pages 9-10 where they conclude [1],

> The reason is that these function pointers are only accessed through an indirection layer, i.e., memory objects on the heap contain a pointer to a virtual table which is located in the code or data section of the application and contains a number of pointers to virtual functions. Since the attackers can only disclose the virtual table pointer, but not the virtual table itself, as it is not on the heap, they cannot disclose gadget addresses. Note that, when only ASLR is applied, the address of the virtual table is randomized with the same offset as the ROP gadgets. Therefore, such an attack can bypass ASLR but not selfrando.

> We therefore conclude that selfrando can thwart most real-world exploits. Attackers can only succeed in rare cases where they can disclose the complete heap and data section.

It's only for Linux for now, but that may change in the future.

3) Would you consider the Tor Browser with the security slider set to High or even just Medium to be "insecure"?

4) You still provided no alternatives.

> I think for most people fingerprinting is the far lesser threat, especially when discussing an install that'll presumably always remain behind Tor.

Sorry, shoving up all your traffic through Tor while not caring about your browser's fingerprint is useless, 29 bits of identifying information just from screen resolution output alone. It's just too easy...

And it's not just about fingerprinting, I'm afraid, see the other problems mentioned in the Tor Browser Design document.[2]

> Both Firefox and Chrome should grab KDE's proxy settings and therefore automatically benefit from stream isolation on Whonix, no?

No, unfortunately, these two different browsers will use two different catch-all circuits, but you won't get _first party_ stream isolation on them, _which was my whole point_. In other words, your Chromium (I assume that Chrome in your comment was just a typo) will use a single circuit for all of your websites, whereas with the Tor Browser each website will get its own circuit. That means that it's much much easier for an adversary who controls a portion of Tor relays to de-anonymize ALL your traffic with Chromium, when he can de-anonymize only a single website with the Tor Browser.

Also since you mentioned Whonix, note that they actually recommend using the Tor Browser without Tor for clearnet browsing instead of other browsers since it's (quoting their lead dev) "better hardened than regular Firefox".[3]

[1] : https://people.torproject.org/~gk/misc/Selfrando-Tor-Browser...

[2] : https://www.torproject.org/projects/torbrowser/design/

[3] : https://lists.torproject.org/pipermail/tbb-dev/2017-April/00...
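
A simplified model of the difference described in the comment above, added here as an example and not part of the thread or of Tor's code: tor keeps streams that present different SOCKS5 usernames on separate circuits (the `IsolateSOCKSAuth` behaviour), and Tor Browser sends the URL-bar domain as that username, while a browser that is merely proxied sends none. The sample session, hostnames and function names are constructed, and circuit rotation over time is ignored.

```python
# Added example: simplified model of Tor stream isolation (not Tor's own code).
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample session: (page in the URL bar, resource actually fetched).
SESSION = [
    ("https://news.example/", "https://news.example/index.html"),
    ("https://news.example/", "https://cdn.tracker.example/t.js"),
    ("https://mail.example/", "https://mail.example/inbox"),
    ("https://mail.example/", "https://cdn.tracker.example/t.js"),
    ("https://forum.example/", "https://forum.example/thread/1"),
]

def host(url):
    return urlsplit(url).hostname

def isolation_key(first_party_url, per_site):
    """SOCKS5 username the client presents; tor will not share a circuit
    between streams whose usernames differ. Assumption: the hostname stands
    in for the URL-bar domain that Tor Browser uses."""
    return host(first_party_url) if per_site else ""

def circuits(session, per_site):
    """Map each circuit (one per distinct key) to what its exit can observe."""
    out = defaultdict(lambda: {"first_parties": set(), "destinations": set()})
    for first_party_url, resource_url in session:
        c = out[isolation_key(first_party_url, per_site)]
        c["first_parties"].add(host(first_party_url))
        c["destinations"].add(host(resource_url))
    return dict(out)

def worst_case_linkage(session, per_site):
    """Most first-party sites that a single exit can tie to one user."""
    return max(len(c["first_parties"])
               for c in circuits(session, per_site).values())

def circuits_reaching(session, per_site, destination):
    """How many separate circuits fetch a given third-party host."""
    return sum(destination in c["destinations"]
               for c in circuits(session, per_site).values())

if __name__ == "__main__":
    for label, per_site in (("catch-all circuit", False),
                            ("per-site circuits", True)):
        print(label, "->", len(circuits(SESSION, per_site)), "circuit(s),",
              worst_case_linkage(SESSION, per_site),
              "site(s) linkable at one exit")
```

With per-site keys the shared third-party host is fetched over two different circuits, so it cannot join the two visits by exit address alone.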


Many things wrong with Tails, but it is not the browser's fault. Anyone breaking Firefox will have an extensive hardware profile and easily determine your entry node, BSSID, MAC and, by running traffic correlation (3-letter now knows the entry), determine exactly who you are connecting from, and all this without a root exploit, just by breaking the TBrowser.

Nothing new really; it has been there since the beginning, which is why Tails doesn't even come close to Whonix/Qubes OS, which make this inherent insecurity a lot harder to exploit.



