{{Header}} {{#seo: |description=No IP leaks! Anonymous Flash plugin. Anonymously using Adobe Flash or other browser plugins with Tor in the {{project_name_long}} Anonymous Operating System. |image=Plugins.png }} [[File:Plugins.png|thumb|200px]] {{intro| No IP leaks! Anonymous Flash plugin. Anonymously using Adobe Flash or other browser plugins with Tor in the {{project_name_long}} Anonymous Operating System. }} = Introduction = The risks of browser plugins like (now deprecated) Flash are explained below. Alternatives are discussed, along with steps on how to use browser plugins anyway in the most secure manner possible. For information about Tor Browser in general, see [[Tor Browser]]. = Plugin Warnings = == Introduction == {{mbox | type = critical | image = [[File:Ambox_warning_pn.svg.png|40px|alt=warning against non-Free browser plugins]] | text = Some popular plugins are non-free, closed source software! See [[Warning#Avoid_non-Free_Software|Warning, Avoid non-Free Software]] before proceeding, particularly if the browser plugin is Free Software before using it. }} The {{project_name_short}} [[Features]] chapter states:
Java, JavaScript, Flash, browser plugins and mis-configured applications cannot leak the user's real external IP address.This is still not recommended as they may decrease anonymity (e.g. Flash cookies) and they often have security vulnerabilities. Also some popular plugins are closed source; see [[Whonix_against_Real_Attacks|Security in real world]]. Although unrecommended, the knowledge of how to use browser plugins is not withheld from the reader. IP leaks are not easily possible; see [[Comparison_with_Others#Attacks|Attack on {{project_name_short}}]] and/or [[Design]] for details on how much effort would be needed. The primary browser plugins concerns are: # Non-Free Software: -- see the warning box above. # Linkability: browser plugin use can be probably correlated to the same [[Tips_on_Remaining_Anonymous#Do_not_confuse_Anonymity_with_Pseudonymity|pseudonym]]. For an overview about Flash Tracking Techniques and why {{project_name_short}} users are much better off than users who run Tor and proxifiers and/or custom firewall rules, see: [[Comparison_with_Others#Flash_.2F_Browser_Plugin_security|Flash / Browser Plugin Security]]. # Fingerprinting: browser plugins most probably leak a lot of information about the (virtual) operating system ({{project_name_workstation_long}}). # Security: some plugins have a history of remote exploits. In more precise terms, the risk of a virtual operating system being infected by trojan horses or other malware is higher. Always look for safer alternatives before utilizing a browser plugin (see below). However, if browser plugins are used then an isolating/transparent proxy like {{project_name_short}} is probably the safest option. == Avoid Browser Plugins == Avoiding browser plugins is better than using them. There are various alternatives to browser plugins, although most of the workarounds are not a complete, perfect drop-in replacement. Alternatives that may work sufficiently -- for example, if you only need YouTube -- include HTML5, gnash, Flash video replacer, Flash video download, or using a flash video download and convert online service. Applications worth exploring include youtuberipper, ClipGrab, minitube, Totem with totem-plugins-extra, and so on. Discussing Flash alternatives in detail is beyond the scope of {{project_name_short}}. The Tails team has prepared a good list of Flash alternatives, see [https://gitlab.tails.boum.org/tails/tails/-/issues/5363 Tails Flash support]. Note that Flash has been officially deprecated in Firefox; see below for further details. == Avoid Non-Free Plugins == {{mbox | type = critical | image = [[File:Ambox_warning_pn.svg.png|40px|alt=warning against non-Free browser plugins]] | text = Avoid non-free, closed source software! Be sure to read the warnings above first! }} If you insist on using browser plugins anyway, it is still possible to install new software Read [[Install_Software]] in {{project_name_workstation_short}}. It is probably safest to use Tor Browser for this purpose. [https://jdownloader.org/ JDownloader] is a Libre alternative to Flash for downloading videos for local viewing. https://gitlab.tails.boum.org/tails/tails/-/issues/5363 Although your IP/location will remain hidden the plugin usage should be considered ''[[Tips_on_Remaining_Anonymous#Do_not_confuse_Anonymity_with_Pseudonymity|pseudonymous rather than anonymous]]''. It is recommended to read this entire chapter, as this summary does not include all security considerations. Be aware if plugins are used, it is likely the exit relay and the exit relay's ISP and website will know you are a {{project_name_short}} user. Most "plugins over Tor" users probably use Mozilla Firefox and Flash on Microsoft Windows with a socksifier. They can be easily browser fingerprinted and probably even linked, see [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO/WebBrowsers TorifyHOWTO/WebBrowsers] and [https://www.torproject.org/torbutton/torbutton-faq.html.en#oldtorbutton Tor Button FAQ]. That is because very few people use Tor Browser with plugins, which are routed through Tor. Also because Tor Browser was at {{project_name_short}} build time manually configured to use a Tor's SocksPort (for stream isolation), while user-installed plugins will will be automatically routed Tor's TransPort. The SocksPort and the TransPort will go through different circuits and most times through different exit relays. That probably differs from the rest of the "Plugins over Tor" users group. For demonstration, see screenshot: [[File:flash_leak_test.png|Flash Leak Test SocksPort and TransPort|thumb]] you'll see, that the Tor Browser and Flash have different Tor exit IP's. It is questionable if that particular difference could and should be fixed and if situation had improved afterwards. See [[Tor_Browser#Change.2FRemove_Proxy_Settings|Change/Remove Proxy Settings]] for how to route Tor Browser through Tor's TransPort. Then both, Tor Browser and plugins would go through Tor's TransPort. This has been tested, see screenshot [[File:Flash_leak_test_both_transport.png|thumb]]. The question would be, if that would actually improve the situation talked about in earlier footnotes. There are probably only a very few using Tor Browser and plugins through the same circuit. (In a earlier footnote, it was mentioned, that they are still using Mozilla Firefox, even though that's even more discouraged.) = Flash Player Deprecation = Flash Player was deprecated by Firefox in 2020 and the Debian
flashplugin-nonfree
package is [https://tracker.debian.org/pkg/flashplugin-nonfree no longer available]: https://support.mozilla.org/en-US/kb/end-support-adobe-flash
Firefox ended support for Adobe Flash in Firefox at the end of 2020, [https://blog.mozilla.org/futurereleases/2017/07/25/firefox-roadmap-flash-end-life/ as announced back in 2017]. Adobe and other browsers also ended support for Flash at the end of 2020. [https://support.mozilla.org/en-US/kb/find-what-version-firefox-you-are-using Firefox version] 84 was the final version to support Flash. Firefox version 85 (released on January 26, 2021) shipped without Flash support, improving our performance and security. There is no setting to re-enable Flash support. ... What if I still depend on Flash content? For enterprise customers who need help transitioning Flash content to other supported technologies or require Flash Player licensing support after 2020, please contact Adobe’s official distribution licensing partner, HARMAN, for more information about their [https://services.harman.com/partners/adobe commercial support offerings].[https://addons.mozilla.org/en-US/firefox/addon/flash-player-emulator/ Emulators] are still available to play Flash content if it is absolutely necessary. = How to Use Other Browser Plugins = Note that Tor Browser developers added a patch https://gitweb.torproject.org/torbrowser.git/tree/src/current-patches/firefox/0005-Block-all-plugins-except-flash.patch, which blocks all plugins except Flash. To use other plugins, read the advanced guide below. == Advanced Guide == If Tor Browser is not preferred, it is possible to install the mainstream Firefox or Chromium browsers. For a discussion about anonymity implications, see the "More Security" section below. Firefox. https://wiki.debian.org/Firefox It is also possible to [https://medium.com/@mos3abof/how-to-install-firefox-on-debian-jessie-90fa135e9e9 install the latest Firefox version] on Debian. {{Install_Package|package= firefox-esr }} Or Chromium. {{Install_Package|package= chromium-browser chromium-browser-l10n }} = How to Use Browser Plugins: More Security = It is recommended to read the earlier instructions first, which are easier. == Deactivate Unneeded Browser Plugins == It is recommended to only activate plugins that are essential for use. On most browsers there is a pseudo URL
about:plugins
which can be accessed to check which plugins are activated.
Go to: Tor Browser
→ Tools
→ Plugins
and deactivate all plugins which are not needed. It is even better to uninstall them.
== Separate Tor Browser or Separate {{project_name_workstation_short}} Dedicated to Browser Plugins ==
For the best security use [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO/WebBrowsers#TorBrowserbehindatransparentorisolatingproxy More than one Tor Browser behind a transparent or isolating proxy] or even better, [[Security_Guide#Recommendation_to_use_multiple_VM_Snapshots|multiple VM snapshots]] or [[Multiple Whonix-Workstation|Multiple {{project_name_workstation_short}}]].
== SocksPort vs TransPort ==
Using the easy instructions in this chapter will cause Tor Browser to go through SocksPort and browser plugins to go through TransPort. It may or may not make sense to either force both through a SocksPort (difficult) or to force both through the TransPort; see footnotes for further details.
Most "plugins over Tor" users probably use Mozilla Firefox and plugins on Microsoft Windows with a socksifier. They can be easily browser fingerprinted and probably even linked, see [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO/WebBrowsers TorifyHOWTO/WebBrowsers] and [https://www.torproject.org/torbutton/torbutton-faq.html.en#oldtorbutton Tor Button FAQ]. That is because very few people use Tor Browser with plugins, which are routed through Tor. Also note Tor Browser uses Tor's SocksPort (for stream isolation), while user-installed plugins will automatically be automatically routed via Tor's TransPort. The SocksPort and the TransPort will go through different circuits and most times through different exit relays. That probably differs from the rest of the "Plugins over Tor" user group. For a demonstration, see screenshot: [[File:Flash_leak_test.png|thumb]]. It is clear Tor Browser and Flash have different Tor exit IP's. It is questionable if that particular difference could and should be fixed and if the situation has since improved.
= Footnotes =
{{reflist|close=1}}
= License =
{{JonDos}}
The "Restrict Flash Settings" chapter of the {{project_name_short}} BrowserPlugins wiki page contains content from the JonDonym documentation [https://web.archive.org/web/20210223070012/https://anonymous-proxy-servers.net/en/help/flash-applets.html How to anonymize Flash videos and applets] page.
[[Category:Documentation]]
{{Footer}}