Browser_Plugins.mw

{{Header}}
{{#seo:
|description=No IP leaks! Anonymous Flash Plugin. Anonymously using Adobe Flash or other browser plugins with Tor using the {{project name}} Anonymous Operating System.
|image=https://www.{{project_clearnet}}/w/images/8/81/Plugins.png
}}
[[image:Plugins.png|thumb]]

= Introduction =
We explain the risks of browser plugins (flash etc.), discuss some alternatives and finally explain how to use browser plugins anyway in the best possible secure manner.

= Tor Browser =
For information about Tor Browser in general, see 
[[Tor Browser]].

= Warning not to use them =
{{mbox
| type       = critical
| image      = [[File:Ambox_warning_pn.svg.png|40px|alt=warning against non-Free browser plugins]]
| text    = 
Some popular plugins are non-Free, Closed Source software!
See [[Warning#Avoid_non-Free_Software|Warning, Avoid non-Free Software]].
Check if your browser plugin is Free Software before using it.
}}

Quoted the {{project name}} Features page <ref>[[Features]]</ref>: "''Java / JavaScript / flash / browser plugins / Malware <ref>https://en.wikipedia.org/wiki/Malware</ref> / misconfigured applications cannot leak your real external IP.''" "''This is still not recommended as they may decrease anonymity (e.g. flash cookies) and often have security vulnerabilities. Some popular plugins are closed source. See [[Security_in_Real_World|Security in real world]].''"

Although it is not recommended, we don't want to withhold the knowledge from you how to use browser plugins.

IP leaks are not easily possible.<ref>Read [[Comparison_with_Others#Attacks|Attack on {{project_name}}]] and/or [[Design]] for details on how much effort would be needed.</ref>

The concern against browser plugins can be broken down to:

1. Non-Free Software. See our warning box above.

2. Linkability: browser plugins use can be probably correlated to the same [[DoNot#Do_not_confuse_Anonymity_with_Pseudonymity|pseudonym]]. <ref name=compare>For an overview about Flash Tracking Techniques and why {{project name}} users are much better off than users who run Tor and proxifiers and/or custom firewall rules, see chapter [[Comparison_with_Others#Flash_.2F_Browser_Plugin_security|Flash / Browser Plugin Security]]</ref>

3. Fingerprinting: browser plugins can probably leak lots of information about your (virtual) operating system ({{workstation_product_name}})

4. Security: some plugins have a history for remote exploits. More precise: the risk for your virtual operating system to get infected by trojan horses etc. is higher.

But anyway, of course you should look for alternatives first (see below), but if you insist on using browser plugins, an isolating/transparent proxy like {{project name}} is probably your best bet. <ref name=compare />

= Avoiding browser plugins =
Avoiding browser plugins and flash is better than using them.

Note that there are alternatives to browser plugins. Most of the workarounds aren't a 100% complete, perfect drop in replacement, but perhaps it works sufficient for you (for example, if you only need youtube). Alternatives are html5, gnash, flash video replacer, flash video download or using a flash video download and convert online service. There are also applications worth checking, such as youtuberipper, ClipGrab, minitube, Totem with totem-plugins-extra, etc. Discussing the flash alternatives in details is beyond the scope of {{project_name}}.

Also the Tails folks prepared a good list of Flash alternatives, see [https://tails.boum.org/todo/Flash_support Tails Flash support].

If you still want to use browser plugins or flash, read below.

= How to use Flash - EASY =
{{mbox
| type       = critical
| image      = [[File:Ambox_warning_pn.svg.png|40px|alt=warning against non-Free browser plugins]]
| text    = 

Adobe Flash is non-Free, Closed Source software! <br />
Make sure you have read our [[Browser_Plugins#Warning_not_to_use_them Warning not to use them]] above first!
}}
If you insist on using browser plugins anyway (read [[Browser_Plugins#Warning_not_to_use_them|warnings]] above), you can install new software <ref>Read [[Install_Software]]</ref> in {{workstation_product_name}}. Your best bet may be using the Tor Browser. JDownloader is a Libre alternative to Flash for downloading videos for local viewing.<ref>https://labs.riseup.net/code/issues/5363</ref>

Your IP/location will still be hidden. Consider the plugin usage ''[[DoNot#Do_not_confuse_Anonymity_with_Pseudonymity|pseudonymous rather than anonymous]]''. This is the EASY chapter, which does not include all security considerations. For those, read the whole page.

If you are using any plugins such as Flash, it will be probably known to the exit relay, exit relay's ISP and website, that you are a {{project name}} user.

<ref name=four>Most "plugins over Tor" users probably use Mozilla Firefox and Flash on Microsoft Windows with a socksifier. They can be easily browser fingerprinted and probably even linked, see [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO/WebBrowsers TorifyHOWTO/WebBrowsers] and [https://www.torproject.org/torbutton/torbutton-faq.html.en#oldtorbutton Tor Button FAQ].</ref>

<ref name=five>That is because very few people use Tor Browser with plugins, which are routed through Tor. Also because Tor Browser was at {{project name}} build time manually configured to use a Tor's SocksPort (for stream isolation), while user-installed plugins will will be automatically routed Tor's TransPort. The SocksPort and the TransPort will go through different circuits and most times through different exit relays. That probably differs from the rest of the "Plugins over Tor" users group. For demonstration, see screenshot: [[Image:flash_leak_test.png|Flash Leak Test SocksPort and TransPort|thumb]] you'll see, that the Tor Browser and Flash have different Tor exit IP's. It is questionable if that particular difference could and should be fixed and if situation had improved afterwards.</ref>


<ref name=six>See [[Tor_Browser#Change.2FRemove_Proxy_Settings|Change/Remove Proxy Settings]] for how to route Tor Browser through Tor's TransPort. Then both, Tor Browser and plugins would go through Tor's TransPort. This has been tested, see screenshot [[File:Flash_leak_test_both_transport.png|thumb]]. The question would be, if that would actually improve the situation talked about in earlier footnotes. There are probably only a very few using Tor Browser and plugins through the same circuit. (In a earlier footnote, it was mentioned, that they are still using Mozilla Firefox, even though that's even more discouraged.)</ref>

Install Flash.

{{Install_Package|package=
flashplugin-nonfree
}}

(2) Additionally, it might make sense to install Firefox (Tor Browser) Add-On [https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/ BetterPrivacy BetterPrivacy], which can be setup to delete Flash Cookies.

(3) Activate browser plugins in Tor Browser.

To activate browser plugins in Tor Browser <ref>Note that Tor Button in Tor Browser disables all plugins by the default settings. That decision is made by the Tor Browser developers, not by the {{project name}} developers. (Of course, the {{project name}} developers second their decision.)</ref> right click on Tor Button &rarr; Preferences... &rarr; Security Settings &rarr; uncheck: Disable Plugins during Tor usage. You have to restart Tor Browser.

(4) Updating Flash

Each time there is a new version of flash, you should update.

{{CodeSelect|code=
sudo update-flashplugin-nonfree --install --verbose
}}

= How to use other browser plugins =
Note that Tor Browser developers added a patch <ref>https://gitweb.torproject.org/torbrowser.git/tree/src/current-patches/firefox/0005-Block-all-plugins-except-flash.patch</ref>, which blocks all plugins except flash. To use other plugins, read the more advanced guide below.

= How to use browser plugins - Advanced =
If you don't like to use Tor Browser, you could install the mainstream Firefox, Chromium, Flash etc. For a discussion whether this is good or bad for anonymity, see the "More Security" section below.

Firefox. <ref>https://wiki.debian.org/Firefox</ref> <ref>It is also possible to [https://medium.com/@mos3abof/how-to-install-firefox-on-debian-jessie-90fa135e9e9 install the latest Firefox version] on Debian.</ref>

{{Install_Package|package=
firefox-esr
}}

Or Chromium.

{{Install_Package|package=
chromium-browser chromium-browser-l10n
}}

= How to use browser plugins - More Security =
== Read the EASY chapter above first ==
Read the EASY chapter above first

== Deactivate unneeded browser plugins ==
It is recommended to activate only plugins, you really use. On most browsers their is a pseudo URL 'about:plugins' to check which are activated. Go to Tor Browser &rarr; Tools &rarr; Plugins and deactivate all plugins, which you don't need, or even better, uninstall them.

== Separate Tor Browser or Separate {{workstation_product_name}} dedicated to browser plugins ==
For best security use [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO/WebBrowsers#TorBrowserbehindatransparentorisolatingproxy More than one Tor Browser behind an transparent or isolating proxy] or even better, [[Security_Guide#Recommendation_to_use_multiple_VM_Snapshots|multiple VM snapshots]] or [[Multiple Whonix-Workstation|Multiple {{workstation_product_name}}]].

== SocksPort vs TransPort ==

Using the easy instructions above will cause Tor Browser to go through SocksPort and browser plugins such as Flash to go through TransPort. It may or may not make sense to either force both through a SocksPort (difficult) or to force both through the TransPort, see footnotes.

<ref name=four>Most "plugins over Tor" users probably use Mozilla Firefox and Flash on Microsoft Windows with a socksifier. They can be easily browser fingerprinted and probably even linked, see [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO/WebBrowsers TorifyHOWTO/WebBrowsers] and [https://www.torproject.org/torbutton/torbutton-faq.html.en#oldtorbutton Tor Button FAQ].</ref>

<ref name=five>That is because very few people use Tor Browser with plugins, which are routed through Tor. Also because Tor Browser uses Tor's SocksPort (for stream isolation), while user-installed plugins will will be automatically routed Tor's TransPort. The SocksPort and the TransPort will go through different circuits and most times through different exit relays. That probably differs from the rest of the "Plugins over Tor" users group. For demonstration, see screenshot: [[File:Flash_leak_test.png|thumb]] you'll see, that the Tor Browser and Flash have different Tor exit IP's. It is questionable if that particular difference could and should be fixed and if situation had improved afterwards.</ref>

<ref name=six />

== Download Flash directly from Adobe ==
{{mbox
| type       = critical
| image      = [[File:Ambox_warning_pn.svg.png|40px|alt=warning against non-Free browser plugins]]
| text    = 

Adobe Flash is non-Free, Closed Source software! <br />
Make sure you have read our [[Browser_Plugins#Warning_not_to_use_them Warning not to use them]] above first!
}}

If you insist on using it... For better security <ref>http://lists.debian.org/debian-security/2012/12/msg00025.html</ref> or if Flash from the Debian repository does not work for you, Flash can be downloaded directly from Adobe.

(1) Go to https://get.adobe.com/flashplayer/otherversions/

(2) choose Linux (64-bit)

(3) choose 11.2 for other Linux (.tar.gz) 64-bit

(4) click on the Download now button

(5) you will see

<pre>
An external application is needed to handle:

https://fpdownload.macromedia.com/get/flashplayer/pdc/11.2.202.270/install_flash_player_11_linux.i386.tar.gz

[...]
</pre>


Verify, that you'll download from http''s''.

(6) Download.

(7) Unpack.

(8) Follow the Installation instructions in the readme.txt.

= Footnotes =
{{reflist|close=1}}


= License =
{{JonDos}}
The "Restrict Flash Settings" chapter of the {{project name}} BrowserPlugins wiki page contains content from the JonDonym documentation [https://anonymous-proxy-servers.net/en/help/flash-applets.html How to anonymize Flash videos and applets] page.

[[Category:Documentation]]

{{Footer}}