Calendar: add FT sprint

[tails/test.git] / wiki / src / support / faq.mdwn

[[!meta title="Frequently asked questions"]]

- For hardware compatibility issues, refer to our [[known issues|support/known_issues]].
- To learn what you can do with Tails, refer to our [[documentation|doc]].
- For questions related to Tor, see also to the [Tor support pages](https://support.torproject.org/).

[[!toc levels=2]]

<h1 id="project">Tails project</h1>

<h2 id="tor">What is the relationship between Tor and Tails?</h2>

See our explanation about [[why does Tails use Tor|doc/about/tor#relationship]].

<h2 id="debian">Why is Tails based on Debian and not on another distribution?</h2>

We are deeply rooted and involved in Debian. The friendships, relationships, and
technical expertise we have in Debian have many benefits for Tails, and we are
not ready to build the same relationship with Ubuntu, OpenBSD, or any other
distribution. See our statement about our
[[contribute/relationship_with_upstream]] for details.

See also the article [Why there are so many Debian
derivatives](http://upsilon.cc/~zack/blog/posts/2011/09/why_there_are_so_many_debian_derivatives/)
by Stefano Zacchiroli.

<h2 id="ubuntu">Why isn't Tails based on Ubuntu?</h2>

First, see the answer to the [[previous question|faq#debian]].

0. The rapid development cycle of Ubuntu would be too fast for Tails.
0. Ubuntu adds features in ways that we find dangerous for privacy. For example
   Ubuntu One
   ([partly discontinued](http://blog.canonical.com/2014/04/02/shutting-down-ubuntu-one-file-services/))
   and the [Amazon ads and data leaks](https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks).
0. Ubuntu is led by a company that takes most of the important decisions and has
   the power to make them happen.
0. We usually ship kernels and video drivers from [Debian
   backports](http://backports.debian.org/). The result
   is comparable to Ubuntu in terms of support for recent hardware.
0. We think that the general quality of the maintenance work being done on
   packages matters from a security perspective. Debian maintainers generally are
   experts in the fields their packages deal with; while it is generally not
   the case outside of the limited number of packages Ubuntu officially supports.
0. We are actively working on improving
   [[AppArmor support|contribute/design/application_isolation]] in Tails; a security
   framework that is already used in a few Ubuntu applications.
0. We are also working on adding compiler hardening options to more Debian
   packages included in Tails; another security feature that Ubuntu already
   provides.

<h2 id="gnome">Why does Tails ship the GNOME Desktop?</h2>

We had users ask for LXDE, XFCE, MATE, KDE, and so on, but we are not going to
change desktop. According to us, the main drawback of GNOME is that it
requires quite a lot of resources to work properly, but it has many advantages.
The GNOME Desktop is:

  - Well integrated, especially for new Linux users.
  - Very well translated and documented.
  - Doing relatively good regarding accessibility features.
  - Actively developed.
  - Well maintained in [[Debian|faq#debian]], where it is the default
    desktop environment.

We invested quite some time in acquiring GNOME
knowledge, and switching our desktop environment would require going through that
process again.

We are not proposing several desktop environments to choose from because
we want to [[limit the amount of software included in Tails|faq#new-software]].

<h1 id="hardware">Hardware compatibility</h1>

See also:

- [[System requirements|doc/about/requirements]]
- [[Known issues|support/known_issues]]

<h2 id="32-bit">Does Tails work on 32-bit computers?</h2>

No. Tails stopped working on 32-bit computer in [[Tails
3.0|news/Tails_3.0_will_require_a_64-bit_processor]] (June 2017). Software
built for 64-bit processors can benefit from several improvements that make it
harder for attackers to exploit security vulnerabilities.

Before Tails 3.0, we estimated that [[only 4% of our
users|news/Tails_3.0_will_require_a_64-bit_processor]] still had a 32-bit
computer. We decided that the increased security for everybody else was more
important than the compatibility with 32-bit computers.

<h2 id="arm">Does Tails work on ARM architecture, Raspberry Pi, tablets, or phones?</h2>

For the moment, Tails is only available on the x86_64 architecture.
The Raspberry Pi and most tablets and phones are based on the ARM architecture. Tails does
not work on the ARM architecture so far.

Look for a tablet with an AMD or Intel processor. Try to verify its
compatibility with Debian beforehand, for example make sure that the Wi-Fi
interface is supported.

<h1 id="installation">Installation</h1>

<h2 id="permanent-install">Can I install Tails permanently onto my hard disk?</h2>

This is not possible using the recommended installation methods. Tails is
designed to be a live system running from a removable media: USB stick or DVD.

This is a conscious decision as this mode of operation is better for what we
want to provide to Tails users: amnesia, the fact that Tails leaves no traces on
the computer after a session is closed.

<h2 id="unetbootin">Can I install Tails with UNetbootin, YUMI, Rufus or my other favorite tool?</h2>

No. Those installation methods are unsupported. They might not work at
all, or worse: they might seem to work, but produce a USB stick
that does *not* behave like Tails should. Follow the
[[download and installation documentation|install]] instead.

<h2 id="upgrade">Should I update Tails using <span class="code">apt upgrade</span> or <span class="application">Synaptic</span>?</h2>

No. Tails provides upgrades every six weeks, that are thoroughly tested
to make sure that no security feature or configuration gets broken.
If you upgrade the system yourself using `apt` or <span class="application">Synaptic</span>,
you might break things. Upgrading when you get a notification from
<span class="application">[[Tails Upgrader|doc/upgrade]]</span> is enough.

<h2 id="preinstalled">Can I buy a preinstalled Tails USB stick or DVD?</h2>

No, we don't sell preinstalled Tails devices.

Selling preinstalled devices would in fact be a pretty bad idea:

* If burned on a DVD, then this DVD would be outdated on the next
  release. This means after 6 weeks at most.
* If installed onto a USB stick, then it would be impossible to verify
  that the Tails on the USB stick is genuine. Trusting that a Tails USB stick
  is genuine should be based either on cryptographic verification or
  on personal trust (if you know someone you trust who can clone a Tails USB stick for you). But
  once Tails is installed on a USB stick it is not possible to use our
  cryptographic verification techniques anymore. Being able to trust
  your Tails USB stick is something that we really care about.

<h2 id="checksum">Where can I find the checksum to verify my Tails download?</h2>

We do not provide a checksum (SHA hash or similar) to verify your Tails download.

Verification using a checksum would be no better than verifying using
one of the techniques documented on our download page: our JavaScript
verification, BitTorrent, or basic OpenPGP.

These verification methods all rely on some information being securely
downloaded from our website using HTTPS. Similarly, verification using a
checksum would rely on the checksum being securely downloaded from our
website.

In order to verify your Tails download without having to rely on some
information being securely downloaded from our website, you need to use
[[OpenPGP and authenticate our signing key through the OpenPGP Web of
Trust|install/download#openpgp]].

<h1 id="browser">Web browser</h1>

<h2 id="javascript">Why is JavaScript enabled by default in <span class="application">Tor Browser</span>?</h2>

Many websites today require JavaScript to work correctly. As a consequence
JavaScript is enabled by default in Tails to avoid confusing many users. But
*Tor Browser* takes care of [[blocking dangerous JavaScript
functionalities|doc/anonymous_internet/Tor_Browser#javascript]].

Tor Browser also includes a [[security level|doc/anonymous_internet/Tor_browser#security-level]] and the [[NoScript|doc/anonymous_internet/Tor_browser#noscript]]
extension to optionally disable more JavaScript. This might improve
security in some cases. However, if you disable JavaScript, then the
[[fingerprint|doc/about/fingerprint]] of your browser will
differ from most Tor users. This might break your anonymity.

We think that having JavaScript enabled by default is the best possible
compromise between usability and security in this case.

<h2 id="add-ons">Can I install other add-ons in <span class="application">Tor Browser</span>?</h2>

Installing add-ons in <span class="application">Tor Browser</span> might break the security built in Tails.

Add-ons can do many things within the browser, and even if all the networking goes
through Tor, some add-ons might interact badly with the rest of the
configuration or leak private information.

1. They can track and reveal information about your browsing behaviour, browsing
history, or system information, either on purpose or by mistake.

2. They can have bugs and security vulnerabilities that can be remotely exploited by an
attacker.

3. They can have bugs breaking the security offered by other add-ons
and break your anonymity.

4. They can break your anonymity by making your browsing behaviour
distinguishable amongst other Tails users.

Unless proven otherwise, no add-on, apart from the ones already
included in Tails, have been seriously audited and should be
considered safe to use in this context.

<div class="next">
  <ul>
    <li>[[Warnings about the Persistent Storage|doc/first_steps/persistence/warnings#index3h1]]</li>
    <li>[[Browsing the web with <span class="application">Tor Browser</span>|doc/anonymous_internet/Tor_browser]]</li>
    <li>[[Can I hide the fact that I am using Tails?|doc/about/fingerprint/]]</li>
  </ul>
</div>

<!--
XXX: Push that information to the browser documentation?
XXX: Check https://2019.www.torproject.org/docs/torbutton/torbutton-faq.html.en#recommendedextensions
-->

<h2 id="update-add-ons">Should I manually update add-ons included in <span class="application">Tor Browser</span>?</h2>

No. Tails provides upgrades every six weeks, that are thoroughly tested
to make sure that no security feature or configuration gets broken.
Updating add-ons in <span class="application">Tor Browser</span> might
break the security built in Tails.

<h2 id="anonymity-test">How to analyse the results of online anonymity tests?</h2>

Fingerprinting websites, such as <https://panopticlick.eff.org/>,
try to retrieve as much information as possible from
your browser to see if it can be used to identify you.

As explained in our documentation about
[[fingerprinting|doc/about/fingerprint]], Tails provides anonymity on the web by
making it difficult to distinguish a particular user amongst all the users of
<span class="application">Tor Browser</span> (either in Tails or on other operating systems).

So, the information retrieved by such fingerprinting websites is not harmful for
anonymity in itself, as long as it is the same for all users of <span class="application">Tor Browser</span>.

For example, the user-agent string of <span class="application">Tor Browser</span> includes
<em>Windows NT</em> but this value preserves your anonymity even if
you run Windows NT. On the other hand, changing this value makes you distinguishable from
other users of <span class="application">Tor Browser</span> and, as a
consequence, weakens your anonymity.

Furthermore, we verify the result of those websites before each release, see our
[[test suite|contribute/release_process/test]].

<h2 id="java">Is Java installed in the <span class="application">Tor Browser</span>?</h2>

Tails does not include a Java plugin in its browser because it could break your anonymity.

<h1 id="persistent-storage">Persistent Storage</h1>

<h2 id="custom-settings">Can I save my custom settings?</h2>

<em>&hellip; like Tor Browser preferences, Tor configuration, desktop
background, mouse and touchpad settings, etc.</em>

By default Tails does not save anything from one session to another.
Only the Persistent Storage allows you to reuse data across different Tails
sessions. See the [[list of features of the Persistent Storage|doc/first_steps/persistence/configure#features]].

We are frequently requested to add new features to the Persistent Storage but we are usually
busy working on other priorities. See the
[[!tails_gitlab
groups/tails/-/issues?scope=all&utf8=✓&state=opened&label_name%5B%5D=C%3APersistence
desc="list of issues about the Persistent Storage"]].

<h2 id="luks">How strong is the encryption of the Persistent Storage and LUKS?</h2>

Tails uses LUKS to encrypt the Persistent Storage. This is the same technique as
the one we recommend for [[creating and using encrypted
volumes|doc/encryption_and_privacy/encrypted_volumes]] in general.

LUKS is a very popular standard for disk encryption in Linux. LUKS is the
default technique for full-disk encryption proposed by many distributions,
including Debian and Ubuntu, when installing a regular system.

The Persistent Storage is created with the default LUKS parameters used
by `udisks` and `cryptsetup`.

To understand better how the Persistent Storage works, see our [[design
document|contribute/design/persistence]].

<h2 id="recover-passphrase">Is it possible to recover the passphrase of the Persistent Storage?</h2>

No. The encryption of the Persistent Storage is very strong and it is
impossible to recover the passphrase of the Persistent Storage. If the passphrase
is weak enough, an attacker can try many
possible passphrases and end up guessing your passphrase.
Such an attack is called [[!wikipedia Brute_force_attack desc="*brute-force attack*"]].

<h1 id="networking">Networking</h1>

<h2 id="vpn">Can I use Tails with a VPN?</h2>

Tails does not work with VPNs.

There are three scenarios where a VPN would be involved in Tails:

  - Using a VPN instead of Tor.
  - Using a VPN to connect to Tor (VPN before Tor).
  - Connecting to a VPN using Tor (VPN after Tor).

For more information, see our [[!tails_blueprint desc="blueprint on VPN support" vpn_support]].

### Using a VPN instead of Tor

Unlike Tor, using a VPN does not provide anonymity.

Tor provides anonymity by making it impossible for a single point in the
network to know both the origin and destination of a connection.

With VPNs, the administrators of the VPN can know both where you are
connecting from and where you are connecting to.

It is [[fundamental to Tails|doc/about/tor]] that all outgoing traffic be
forced through Tor. We have no plans to make it possible to use a VPN
*instead* of Tor in the future.

### Using a VPN to connect to Tor (VPN before Tor)

In some situations, you might need to use a VPN to connect to Tor.
For example, your Internet Service Provider (ISP) might restrict connections to Tor relays.

In these situations, try using
[[Tor bridges|doc/first_steps/welcome_screen/bridge_mode]] to
bypass the restrictions imposed by your ISP or local network.

It is currently impossible to use a VPN in Tails to connect to Tor.
We might make this possible in the future. ([[!tails_ticket 17843]])

### Connecting to a VPN using Tor (VPN after Tor)

In some situations, it can be useful to connect to a VPN through Tor:

  - To access services that block connections coming from Tor.
  - To access resources only available inside a VPN, for example, a server at
    your company or university.

It is currently impossible to connect to a VPN in Tails using Tor.
We might make this possible in the future. ([[!tails_ticket 5858]])

<h2 id="torrc">Can I choose the country of my exit nodes or further edit the <span class="code">torrc</span>?</h2>

It is possible to edit the Tor configuration file (`torrc`) with
administration rights but you should not do so as it might break your
anonymity.

For example, as mentioned in the <span class="application">Tor Browser</span>
[FAQ](https://2019.www.torproject.org/docs/torbutton/torbutton-faq.html.en#recommendedextensions),
using `ExcludeExitNodes` is not recommended because "overriding the
exit nodes can mess up your anonymity in ways we don't
understand".

<h2 id="dns">How does the DNS resolution work in Tails?</h2>

See our [[design document|contribute/design/Tor_enforcement/DNS]] on this topic.

<h2 id="htp">Why does Tails automatically connect to several websites when starting?</h2>

Tor requires the system clock to be well synchronized in order to work
properly. When starting Tails, a notification is displayed while the clock is
being synchronized.

This synchronization is made by sending HTTPS queries through Tor to several
websites and deducing a correct time from their answers. The list of websites
that could be queried in this process can be found in `/etc/default/htpdate`.

See also our [[design document|contribute/design/Time_syncing]] on this topic.

<h2 id="relay">Can I help the Tor network by running a relay or a bridge in Tails?</h2>

It is currently impossible to run a Tor relay or bridge in Tails.

<h2 id="onion-service">Can I run a Tor onion service on Tails?</h2>

It is technically possible to use Tails to provide an onion service
but it is complicated and not documented yet.

For example, some people have been working on
[[!tails_ticket 5688 desc="self-hosted services behind Tails-powered onion services"]].

<h2 id="ping">Can I use <span class="command">ping</span> in Tails?</h2>

It is impossible to use <span class="command">ping</span> in Tails,
because <span class="command">ping</span> uses the ICMP protocol while Tor
can only transport TCP connections.

<h1 id="software">Software not included in Tails</h1>

<h2 id="new-software">Can my favorite software be included in Tails?</h2>

First of all, make sure that this software is already available in Debian, as
this is a requirement to be included in Tails. Adding to Tails software which is
not in Debian imply an additional workload that could compromise the
sustainability of the project. On top of that, being in Debian brings many
advantages:

  - It is included in the Debian process for security updates and new versions.
  - It is authenticated using OpenPGP signatures.
  - It is under the scrutiny of the Debian community and its many users and
    derivatives, including Ubuntu.

To check whether a software is in Debian, search for it on
<https://packages.debian.org/>. If it is not yet available in Debian, you should
ask its developers why it is not the case yet.

Second, this software might not be useful to accomplish our design goals. Refer
to our [[design documents|contribute/design]] to understand which are
the intended use cases, and the assumptions on which Tails is based.

We also try to limit the amount of software included in Tails, and we only add
new software with a very good reason to do so:

  - We try to limit the growth of the images and automatic upgrades.
  - More software implies more security issues.
  - We avoid proposing several options to accomplish the same task.
  - If a package needs to be removed after its inclusion, for example because of
    security problems, then this might be problematic as users might rely on it.

After considering all this, if you still think that this software is a good
candidate to be included in Tails, please explain us your
proposal on [[tails-dev@boum.org|about/contact#tails-dev]].

<div class="tip">

<p>If a software is not included in Tails, but is included in Debian, you can use
the [[Additional
Software|doc/first_steps/persistence/configure#additional_software]] feature of
the Persistent Storage to install it automatically every time you start Tails.</p>

</div>

Here is some of the software we are often asked to include in Tails:

  - **bitmessage**: not in Debian
  - **retroshare**: not in Debian
  - **rar/unrar**: is not [[free software|doc/about/license]], but you can use the
        [[additional software|doc/first_steps/additional_software]] feature to install it

<h2 id="bittorrent">Can I download using BitTorrent with Tails?</h2>

Tails does not ship any BitTorrent software and is unlikely to do so in the
future.

The problem with using BitTorrent over Tor is double:

  - It is technically hard to do it properly, see:
    <https://blog.torproject.org/bittorrent-over-tor-isnt-good-idea>.
  - It harms the network, see:
    <https://blog.torproject.org/why-tor-slow-and-what-were-going-do-about-it>.

We had relatively vague [[!tails_ticket 9563 desc="plans to improve
on this situation"]].

<h2 id="youtube">Can I download videos from websites?</h2>

You can install <span class="code">youtube-dl</span> as an [[additional
package|doc/first_steps/additional_software]]. <span class="application">youtube-dl</span>
allows downloading videos from more than
[700 websites](https://github.com/rg3/youtube-dl/blob/master/docs/supportedsites.md).

For example, to download a YouTube video, execute the following command
in a terminal:

    torsocks youtube-dl "https://www.youtube.com/watch?v=JWII85UlzKw"

For more information, refer to the [official
<span class="application">youtube-dl</span> documentation](https://rg3.github.io/youtube-dl/).

<h1 id="desktop">Desktop environment</h1>

<h2 id="timezone">Why is the time set wrong?</h2>

When Tails starts, the system timezone is set to UTC (Greenwich time). So, this time
might be a few hours in the future if you are west of the United
Kingdom, or in the past if you are east of the UK. The minutes
should be accurate.

We do this for anonymity reasons: if some application reveals your actual
timezone, it might help identifying who you are.

Having all Tails users set to the same timezone, makes it more difficult to
distinguish you amongst all the other Tails users.

<div class="note">

We are working on a custom clock applet with configurable timezone. See
[[!tails_ticket 6284]].

</div>

<h1 id="misc">Other security issues</h1>

<h2 id="older-version">Is it safe to use an older version of Tails?</h2>

It is not safe to use an older version of Tails. Only the latest version of
Tails should be used.

Because it is not safe to use an older version of Tails, we distribute only
the latest version of Tails.

Older versions of Tails have security vulnerabilities and other issues that
are fixed in the latest version of Tails.

We understand why you might want to use an older version of Tails. For
example, the latest version of Tails might not be compatible with your
hardware.

If you are experiencing an issue with the latest version of Tails, you can
check our [[list of known issues|support/known_issues]] to find out if there
is a workaround for the issue you are experiencing.

If there is no known workaround for the issue you are experiencing, you might
want to [[make a bug report|doc/first_steps/bug_reporting]] to let us know
about the issue.

<h2 id="compromised-system">Is it safe to use Tails on a compromised system?</h2>

Tails runs independently from the operating system installed on the computer.
So, if the computer has only been compromised by software, running from inside
your regular operating system (virus, trojan, etc.), then it is safe
to use Tails. This is true as long as Tails itself has been installed
using a trusted system.

If the computer has been compromised by someone having physical access to it and
who installed untrusted pieces of hardware, then it might be unsafe to use
Tails.

If the BIOS of the computer has been compromised, then it might
also be unsafe to use Tails.

See our [[warning page|doc/about/warning]] for more details.

<h2 id="integrity">Can I verify the integrity of a Tails USB stick or DVD?</h2>

It is not possible to verify the integrity of a Tails device, USB stick or DVD, when running Tails
from this same device. This would be like asking to someone whether she is a
liar; the answer of a true liar would always be "no".

- To verify the integrity of a DVD from a separate trusted system, you can
  verify the signature of the ISO image as documented in [[verify the ISO image
  using OpenPGP|install/download-iso#openpgp]]
  against the DVD itself.

- There is no documented method of verifying the integrity of a Tails USB stick.
  However, if you have another trusted Tails USB stick,
  you can [[clone it onto the untrusted USB stick|doc/upgrade]] to
  reset it to a trusted state.

<h2 id="reuse-memory-wipe">Can I use the memory wipe feature of Tails on another operating system?</h2>

The memory wipe mechanism that Tails uses on shutdown to [[protect against cold
boot attacks|doc/advanced_topics/cold_boot_attacks]] should be reusable in
other Linux distributions.

If you want to implement this feature outside of Tails, have a look at the
corresponding [[design documentation|contribute/design/memory_erasure]].

<h2 id="new-identity">Where is the <span class="guilabel">New Identity</span> button?</h2>

There is no <span class="guilabel">New Identity</span> button for Tails as a
whole.

The [[<span class="guilabel">New Identity</span> feature of
<span class="application">Tor Browser</span>|doc/anonymous_internet/Tor_Browser#new-identity]]
is limited to the browser.

In the same way as the <span class="guilabel">New Identity</span> button of
<span class="application">Tor Browser</span> restarts the browser, you have to
restart Tails before using a different identity.

<div class="next">

<p>See also our [[warning about contextual identities|doc/about/warning#identities]].</p>

</div>

<h2 id="boot-statistics">Does Tails collect information about its users?</h2>

When Tails starts, two HTTPS requests are made automatically to our website
through Tor:

- A security check is performed to know if security issues have been announced
  for this version of Tails. The language of the working session is passed along
  with this request to display the notification in the preferred language of the
  user.
- [[<span class="application">Tails Upgrader</span>|doc/upgrade]]
  checks for newer versions. The version of the running Tails is passed along
  with this request.

We believe it is important to notify the user of known security issues and newer
versions. We calculate statistics based on the security check to know how many times
Tails has been started and connected to Tor. Those statistics are published in
our [[monthly reports|news]].

<h2 id="antivirus">Does Tails need an antivirus?</h2>

No, as other Linux systems, Tails doesn't require an antivirus to protect itself
from most malwares, such as viruses, trojans, and worms. There are various reasons
why Linux operating systems generally don't need antivirus softwares, including
the permission design of Linux systems.

See the [[!wikipedia Linux_malware desc="Wikipedia page on Linux malware"]]
for further details.