TLDR / Short
Want to mirror Whonix releases?
Updated instructions can be found here:
At the moment we’re still using sourceforge as primary download mirror, because there is a problem with mirror.whonix.org and non-https downloads. That is, for better security, we asked to get whole whonix.org to be added to HSTS Preload List before we had mirror.whonix.org in mind. Now some browsers rightly attempt to enforce https on mirror.whonix.org, which our mirrors do not support. Changing whonix.org hsts settings would take a long time until it hit major browsers and operating systems (not sure if Debian stable uses a hard coded hsts list).
Therefore soon mirror.whonix.de will become Whonix’s primary download mirror.
Our short/mid term plan is to get a stable http mirror network, getting in touch with lots of mirrors. Our long term plan is getting sslmirror.whonix.org. About the latter idea, you can read more here:
Testers wanted for security / maintenance release.
Download link for Virtual Box images (.ova), experimental .qcow images and OpenPGP signatures (.asc):
- updated Debian packages including Heartbleed OpenSSL bug fix
- Whonix’s Tor Browser updater: download from torproject’s clearnet domain instead of torproject’s onion domain by default, because the onion domain is too slow/can’t handle the load. Downloading form the onion domain is possible using –onion.
- no longer recommending to use VirtualBox’s snapshot feature in VirtualBox’s VM import text due to data loss bug in VirtualBox
Mike Perry recently discovered a leak bug in custom transparent proxies (not related to Whonix!) and published his findings on the tor-talk mailing list:
This leak test has been adapted for Whonix and documented here:
Fortunately, I wasn’t able to reproduce this leak using Whonix. Probably because the Linux version Whonix is using isn’t affected by this bug and/or because Whonix’s Firewall uses iptables default policy drop for input-, output-, fowardchain and only allows the Tor user to establish external connections. However, other users using different host operating systems and setups than I should repeat the test.
Please feel encouraged,
- to comprehend the original thread on the tor-talk mailing list
- verify yourself that this leak test doesn’t find a leak and share your results
- check if upstream (Linux kernel / iptables) consider this a bug and if it has already been reported (this is not clear yet)
Check this out…
Already a bit older, but if true – and it seems to be true (I’ve tested this!) – it would be still up to date – and quite a scandal!
The Linux Security Circus: On GUI isolation:
Our clearnet domain continues to be reachable:
Due to the heartbleed bug we needed to create a new .onion domain:
If you are wondering what our .onion domain is useful for anyway, see this note:
Due to the heartbleed bug we also needed to get a new SSL certificate. We used this opportunity to get an SSL certificate from Gandi. (We used a SSL certificate from startssl.com before.)
OpenPGP signed SSL fingerprints and .onion domain can be found here:
Credits:Thanks to our webmaster fortasse for sorting this out!