Setting up Chromium to work with Tor [Resubmitted in light of multiple 0days in Tor Browser]

From this post asking why users were switching away from Tor Browser/Firefox and using Chromium - the 0days revealed for Tor Browser in Kaspersky's Equation Group report is why.

Setting up Chromium reprinted here:

Quick Tutorial on Setting up a Secure Chromium Based Browser

  1. Download Chromium
  2. Install for your platform
  3. Go to settings then extensions
  4. Install scriptsafe and proxy switchy sharp and user agent switcher
  5. change the user agent to Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
  6. Setup Tor in proxy switchy sharp by specifying the proxy as socks5 127.0.0.1 and port 9040 (defaults for Tor)
  7. Switch to the Tor profile in Proxy Switchy Smart
  8. Create a separate browser profile for each market you use
  9. Disable all checkboxes under Settings > Privacy
  10. Disable all plugins in chrome://plugins
  11. In chrome://flags disable WebGL, WebRTC, SPDY, NCL, QUIC, SafeLists, Notifications, Identity Consistancy (almost everything on this page should be disabled, if in doubt, disable it).
  12. Change content settings (under settings > advanced) to disable all location services, clear all history on restart and to not save passwords
  13. Create a shortcut to run Chrome from with the command flag --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE 127.0.0.1"

Note: You should still be running this on Linux and in a VirtualMachine

edit: Before some fool responds with "just run Tor Browser in a virtual machine" - the virtual machine is a last line of defense, not your method for securing your browser. You don't leave all the doors on your car unlocked and open just because you have an alarm.

edit 2: Before some fool responds again with "but there are issues in Chromium that cause privacy issues. Most of those have been fixed (the Tor wiki page you will almost certainly link to hasn't been updated in 20 months) and the plugins above fix the rest. Besides, a cookie ID correlation attack is much less dangerous than a literal browser code-exec. Clear your cookies/sessions.


Comments


[7 Points] throwaway:

edit 2: Before some fool responds again with "but there are issues in Chromium that cause privacy issues. Most of those have been fixed (the Tor wiki page you will almost certainly link to hasn't been updated in 20 months) and the plugins above fix the rest.

Can you please give specific citations for how each of the ImportantGoogleChromeBugs are fixed? The tails developers are still taking it seriously.


[3 Points] al_eberia:

You really think that if you are valuable enough for them to be dropping 0days chromium is going to stop them? I'm sure the NSA discovered that it has a sandbox and has just given up on exploiting the browser used by ~45% of the planet.

The 0days mentioned were targeting TBB because that is what the targets were using, not because they can only exploit Firefox and IE. If they find out you are using chromium they will just redirect you to a different attack framework.


[1 Points] sapiophile:

Which 0days in Tor Browser are you talking about in the headline? I can't seem to find anything referencing any current 0days. There is unspecified talk in the Kaspersky report about some 0days against Firefox 17, but that hasn't been used in Tor Browser since 2013.

According to this discussion, it seems pretty clear that it's legitimately bad advice to be telling Tor users to stop using Tor Browser.

I always appreciate diversifying the discussion around security, but honestly, it seems like you are spreading FUD, and it certainly seems that you do have an agenda:

I don't want to spill many details, but this is well endorsed and is being used widely amongst a certain subset of DNM users (namely those who can afford to pay for good advice)

I'm sure that that paid "good advice" doesn't come from some other pseudonym of yours. Sure.

Anyway, would it be great if Chromium became harder to fingerprint than Tor Browser, and if the Tor Project could afford to release both a Chromium and a Firefox based browser? Definitely. Maybe even the Firefox-derived Tor Browser could fall out of use. Is the time to make that browser switch right now? No, I don't think so. Chromium simply isn't equipped for it just yet.

edit: sure looks like this issue isn't fixed. How many others are conveniently missing from your "complete solution?"