Application Configuration

Applications in Obscurix are configured for privacy and security by default. This page documents all the configuration done.


Hexchat (an IRC client) is configured for stream isolation, gets rid of protocol leaks via DCC, identd flags, and CTCP, uses generic status messages, uses a generic username, uses a generic nick completion suffix and disables autostart.

See for more information.


VLC's metadata collection is disabled by default and no confirmation message appears.


Thunderbird uses a user.js that disables many unneeded features (javascript, chat, SVG etc.) to reduce attack surface, disables telemetry and Google Safebrowsing, enables some privacy enhancing settings like fingerprinting protection and is configured for stream isolation. The "enigmail" addon is installed by default for encrypted email. The "torbirdy" addon may be installed in the future but currently it doesn't support newer thunderbird versions.


evince-previewer and evince-thumbnailer are disabled to reduce potential attack surface. It does this by commenting "Exec=" in /usr/share/thumbnailers/evince.thumbnailer, setting both of the binaries permissions to 000 and configuring an AppArmor profile that doesn't allow them access to any file.


Thunar is configured so it uses the ISO format for dates, disables thumbnails, disables thunar-volman and disables the network bookmark.


Pacman is configured for stream isolation and is configured to only use HTTPS mirrors. This prevents malicious exit nodes from injecting potentially malicious code during updates and it prevents exit nodes from seeing what you're downloading.


NetworkManager does a connectivity check by default using HTTP. This is disabled in Obscurix as the HTTP connection can be MITMed.


Obscurix uses Jacob Applebaum's hardened GPG configuration.