Commit 5c2bce6f authored by Tails developers

Add documentation for the Unsafe Browser.

parent 8af3698b
......@@ -400,7 +400,9 @@ a DNS UDP
thread on the or-talk mailing-list).
Any exception to these rules MUST be thoroughly thought through and
properly documented.
properly documented. If an action that is excepted from the above
rules is user initiated, that MUST be made obvious to the user, and
user opt-out MUST be offered, if possible.
#### 2.6.2.2 Fingerprinting
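Review bot: in the sentence added after "properly documented.", the clause "user opt-out MUST be offered, if possible" pairs a MUST with an escape clause, so the requirement cannot be checked against an implementation. Either use SHOULD for the opt-out, or state the conditions under which an opt-out is considered not possible. "MUST be made obvious to the user" would also be easier to verify if it pointed at a concrete mechanism, such as the confirmation dialog described in the Unsafe Browser design page added by this commit.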
......
......@@ -28,6 +28,10 @@ Tails also forbids DNS queries to RFC1918 addresses; those might
indeed allow the system to learn the local network's public IP
address.
An exception to the above DNS configuration is the `clearnet` user
used to run the [[contribute/design/Unsafe_Browser]], which uses the
DNS server provided for DHCP for resolving.
[resolvconf](http://alioth.debian.org/projects/resolvconf/) is used to
configure the system resolver in `/etc/resolv.conf`; it is also setup
to prevent NetworkManager and dhcp-client to modify this file.
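Review bot: "the DNS server provided for DHCP" in the added paragraph should read "provided by DHCP", matching the wording of the requirement in the Unsafe Browser design page. The paragraph should also say that this resolver is configured only inside the Unsafe Browser's chroot: the design page calls setting it in the outside system dangerous, and the following paragraph here describes resolvconf guarding `/etc/resolv.conf`, so a reader of this page alone cannot tell how the two fit together.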
......
......@@ -31,6 +31,12 @@ Like the `debian-tor` user, the `i2p` user is allowed to connect
*directly* to the Internet. See [[the design document dedicated to
Tails use of I2P|I2P]] for details.
#### Unsafe Browser and the `clearnet` user
The `clearnet` user used to run the
[[contribute/design/Unsafe_Browser]] is granted full network access
(but no loopback access) in order to deal with captive portals.
#### Local Area Network (LAN)
Tails short description talks of sending through Tor *outgoing
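Review bot: the new "Unsafe Browser and the `clearnet` user" section explains why full network access is granted but not why "(but no loopback access)" is imposed, which is the security-relevant half of the rule. Add a clause saying loopback is blocked so that a compromised Unsafe Browser cannot reach local services such as Tor, as the Security section of the design page states.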
......
[[!toc levels=2]]
Rationale
=========
Internet connections restricted by captive portals pose a problem in
environments like Tails, where all Internet traffic is routed through
Tor. There's a catch 22 since the portal cannot be reached before Tor
is working (and it most likely isn't reachable through Tor any way)
and Tor cannot work before logging in to the portal. Since most (if
not all) of these portals are web based, a web browser with direct
Internet access seem required for avoiding this problem.
Requirements
============
* It must run a completely separate Iceweasel profile from the
Torified browser's.
* It must be hard to start by mistake.
* It must be hard to mistake for the Torified browser.
* It must be configured to use the DNS provided by DHCP (which is required
by some captive portals).
* It must be granted full access to the network so that any captive
portals can be reached.
* It should be restricted access to as much information from the
system as possible in case of leaks or compromise.
Implementation
==============
The aptly named *Unsafe Browser* implements all the above, although at
this time only a reasonable effort has been made to sandbox it to
fulfill the last point (restrict access to information).
User interface
--------------
The Unsafe Browser can be found in the `Applications -> Internet`
section (with a "warning triangle" as icon) and does the following
when started:
0. Show a dialog asking the user for verification, while also briefly
explaining that the Unsafe Browser won't be anonymous.
0. "No" is the default answer, but if "Yes", we start a separate
Iceweasel instance.
0. Iceweasel is configured to use a theme with scary colors (red). To
not raise suspicion the scary theme is not used when Windows
camouflage is activated.
0. Add a small visual cue to "amnesia branding" addon (which will be
the only cue for Windows camouflage users),
0. Its start page (locally stored) makes it clear that this is the Unsafe
Browser and explains the issues involved with the Unsafe Browser
and how to proceed from now on.
Security
--------
The Unsafe Browser is run by a separate `clearnet` user, which is
restriced to network access only; access to local services like Tor
etc. are blocked so it cannot interfere with them if compromised.
The Unsafe Browser is run inside a chroot consisting of a throw away
aufs union between a read-only version of the pre-boot Tails
filesystem, and a tmpfs as the rw branch. Hence, the post-boot
filesystem (which contains any user data) isn't available to the
Unsafe Browser within the chroot. The chroot and aufs union is created
upon Unsafe Browser start, and is torn down after it exits, forcefully
killing any remaining processes run from inside it.
It should be noted that chroots are pretty weak jails, so an exploit
could easily escape it and have access to the complete filesystem (as
restricted for the `clearnet` user). Hence, the reason for using a
chroot is not for that purpose, but for separating its insecure
configuration from the rest of the Tails system. For instance, within
the chroot the DNS server obtained through DNS is configured as the
system resolver, which would be dangerous if it set in the outside
system.
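Review bot: in the last paragraph of the Security section, "the DNS server obtained through DNS" should be "obtained through DHCP"; as written it contradicts the requirement that the browser use the DNS provided by DHCP. In the same paragraph, "the reason for using a chroot is not for that purpose" has no clear antecedent (say that the chroot is not meant as containment), and "if it set in the outside system" is missing a verb. The Requirements ask that the browser be hard to mistake for the Torified one, while the User interface list says the red theme is dropped under Windows camouflage and only a small branding cue remains; state that as a known limitation next to the sandboxing caveat under Implementation. Smaller fixes: "restriced" should be "restricted", "seem required" should be "seems required", and the fourth User interface item ends in a comma and switches to the imperative.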
......@@ -18,4 +18,5 @@
- [[Create & Configure the Persistent Volume|first_steps/persistence/configure]]
- [[Enable & Use the Persistent Volume|first_steps/persistence/use]]
- [[Delete the Persistent Volume|first_steps/persistence/delete]]
- [[Logging in to captive portals|first_steps/unsafe_browser]]
- [[Reporting Bugs|first_steps/bug_reporting]]
[[!meta title="Logging in to captive portals"]]
Many publicly accessible Internet connections (usually available
through a wireless network connection) require its users to register
and login in order to get access to the Internet. This include both
free and paid for services that may be found at Internet cafés,
libraries, airports, hotels, universities etc. Normally in these
situations, a so called *captive portal* intercepts any website
request made and redirects the web browser to a login page. None of
that works when Tor is used, so a browser with unrestriced network
access is necessary. Note that this means that **the Unsafe Browser
is NOT anonymous**, so use it carefully.
Tails includes an "Unsafe Browser" for this purpose, and it can be
started via the menu: `Applicationg -> Internet -> Unsafe
Browser`. Its red/yellow theme should make it fairly obvious that a
different (and in this case, unsafe) browser is used compared to the
normal, safe web browser included in Tails.
Security recommendations:
* While this browser can be used unrestrictively for anything, it is
*highly* recommended to only use it for the purpose stated above,
i.e. to access and login on captive portals.
* Do not run this browser at the same time as the normal, anonymous
web browser. This makes it easy to not mistake one browser for the
other, which could have catastrophic consequences.
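Review bot: the second paragraph relies on the "red/yellow theme" to make the Unsafe Browser obvious, but the design page in this commit says the scary theme is not used when Windows camouflage is activated (and describes it as red only). Tell camouflage users which cue to look for instead, or the first security recommendation's warning about mistaking one browser for the other has nothing to back it up in that mode. The menu path `Applicationg -> Internet -> Unsafe Browser` has a typo that users will try to follow literally; also fix "unrestriced", "This include" and "require its users".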