How do you draw the line? If I just browse clearnet sites for greater anonymity than a hardened Firefox can provide, on safest setting, is there a point to use a full anon OS?
Not really, IMO. Anonymous OSes are for people with a really high threat model. You are probably good just using one of the recommended Linux distros
When you are concerned about your life or getting arrested, then you probably should consider Whonix/Tails.
Only you can answer this question as only you know your threat model. Honestly this is the best answer:
If you’re just a curious individual with a penchant for researching bizarre stuff then perhaps Tor browser or even a VPN is sufficient. If you are a whistleblower or an enemy of the state you better have a much more in depth security plan (physical and digital) than just “Is Tor browser good enough”.
Telling people to use privacy focused OS only if their threatmodel is high enough is as stupid as telling others i don’t need encryption, because i have nothing to hide.
If you are very interested in privacy and dont want to share your information with others who have no right to receive this information, you SHOULD use this given tools every time you can.
There is a difference between using an extreme privacy focussed OS such as Tails or Whonix (which come with extreme tradeoffs in usability) and using standard privacy focussed solutions which don’t have those tradeoffs such as encryption. Using a recommended Linux distribution (which already provides privacy) is enough for most people. When considering solutions, one needs to take into account their threat model… The knowledge base has more info about this topic.
What can go wrong with a standard Tor Browser that Tails/Whonix would save me from? Does it have to be malware that can either escape the web browser’s sandbox or bypass Tor and make clearnet connection? Is the real-life likelihood of something like this happening large enough to be concerned?
Firstly, Tails provides similar security to Tor Browser, Whonix provides much better security. The (only) advantage of Tails is that it leaves no trace on the computer you are using after the fact.
Basically.
Yes, for certain people, see: When is Tor Browser Bundle not enough, and you need Whonix or Tails? - #4 by deadorbit & also see:
A real life example of Facebook hacking a Tails user which wouldn’t have been possible if they were using Whonix: Facebook Helped the FBI Hack a Child Predator
Tails attempts to provide an operating system that appears uniform for all users, boots from a USB flash memory and leaves no trace on the host device. It also routes all traffic through Tor (except for captive portals) and provides Tor Browser.
My naive view about a standard operating system in comparison to Tails:
- Tor Browser is potentially fingerprintable because of the OS characteristics (fonts, installed apps, etc.). Tor Browser does a lot to resist fingerprinting, but had vulnerabilities in the past and should not be assumed to be invulnerable.
- The user’s uniquely-identifying data, sensitive information and operating system logs that persist (whether or not by user’s permission) on their device are compromised if any browser or other app is hacked.
- A lot of work must be done to harden a fresh install of a standard Linux operating system against security/privacy risks: restrict root access (the default might be sudo everything works!), disable logging, restrict the firewall (the default might be accept all traffic!), MAC address randomization, disable IPv6 or prevent IPv6 MAC address leakage, disable automatic connecting to WiFi, secure APT, install Tor and related software, etc. Tails does some of these things out of the box.
Aside to your question, what reasons are there not to use Tails or Whonix? If Tails or Whonix satisfies your use case, whether you have a “high risk threat model” or not, just use it.
Not true. I encourage everyone to have locks on their doors and make sure their windows are locked from the inside as well. I do not advocate for the average individual to have bank style vault doors that require a retina scan and to get in. That would be preposterous.
There is a difference between using tools to harden your systems and decrease the likelihood of state level intrusion but they will greatly affect your experience and usability. Also why in the fuck would I use Whonix / Tor Browser to log in to my university email account or my bank account?
I see two different points of view that are all true. I see the view of @fidentyn0x that other people have no right to our information and we should prevent our information being given up whenever and however we (reasonably) can. I also see the view of @deadorbit that security almost always has time, financial, emotional, social, usability and other costs.
The analogy of the bank vault and retinal scanning kind of breaks down in our context of digital security, and (to me) looks like the use of an extreme example in an attempt to invalidate reasonable examples. Those kinds of physical security systems are very expensive to install, operate and maintain. In comparison, running Tor, VPN, Whonix, Tails etc on your devices is relatively easy.
I find it unfortunate that many people jump straight to “Not true” without appreciating arguments’ viewpoints and nuances.
Also why in the fuck would I use Whonix / Tor Browser to log in to my university email account or my bank account?
Of course they will know who you are, but (aside from some protections that Whonix or Tor Browser offer) using Tor helps prevent services from tracking your location by IP address. That might not be a problem if you log in from the same known location all the time, for example your home or workplace, but might be a problem if you use different locations: internet cafe, other people’s houses, hotels and so on.