Looking for mirror hosts! – Mirroring instructions updated

TLDR / Short
Want to mirror Whonix releases?

Updated instructions can be found here:

Full Story

At the moment we’re still using sourceforge as primary download mirror, because there is a problem with mirror.whonix.org and non-https downloads. That is, for better security, we asked to get whole whonix.org to be added to HSTS Preload List before we had mirror.whonix.org in mind. Now some browsers rightly attempt to enforce https on mirror.whonix.org, which our mirrors do not support. Changing whonix.org hsts settings would take a long time until it hit major browsers and operating systems (not sure if Debian stable uses a hard coded hsts list).

Therefore soon mirror.whonix.de will become Whonix’s primary download mirror.

Our short/mid term plan is to get a stable http mirror network, getting in touch with lots of mirrors. Our long term plan is getting sslmirror.whonix.org. About the latter idea, you can read more here:

Posted in Contribute

Testers wanted! Whonix 8.2

Testers wanted for security / maintenance release.

Download link for Virtual Box images (.ova), experimental .qcow images and OpenPGP signatures (.asc):

- updated Debian packages including Heartbleed OpenSSL bug fix
- Whonix’s Tor Browser updater: download from torproject’s clearnet domain instead of torproject’s onion domain by default, because the onion domain is too slow/can’t handle the load. Downloading form the onion domain is possible using –onion.
- no longer recommending to use VirtualBox’s snapshot feature in VirtualBox’s VM import text due to data loss bug in VirtualBox

Posted in testers-wanted

Testers wanted! New FIN ACK / RST ACK Leak Test

Mike Perry recently discovered a leak bug in custom transparent proxies (not related to Whonix!) and published his findings on the tor-talk mailing list:

This leak test has been adapted for Whonix and documented here:

Fortunately, I wasn’t able to reproduce this leak using Whonix. Probably because the Linux version Whonix is using isn’t affected by this bug and/or because Whonix’s Firewall uses iptables default policy drop for input-, output-, fowardchain and only allows the Tor user to establish external connections. However, other users using different host operating systems and setups than I should repeat the test.

Please feel encouraged,
- to comprehend the original thread on the tor-talk mailing list
- verify yourself that this leak test doesn’t find a leak and share your results
- check if upstream (Linux kernel / iptables) consider this a bug and if it has already been reported (this is not clear yet)

Posted in Development, testers-wanted

The Linux Security Circus: On GUI isolation – Your opinion?

Check this out…

Already a bit older, but if true – and it seems to be true (I’ve tested this!) – it would be still up to date – and quite a scandal!

The Linux Security Circus: On GUI isolation:

Posted in General-Security

new SSL certificate and new secondary .onion domain

Our clearnet domain continues to be reachable:

Due to the heartbleed bug we needed to create a new .onion domain:

If you are wondering what our .onion domain is useful for anyway, see this note:

Due to the heartbleed bug we also needed to get a new SSL certificate. We used this opportunity to get an SSL certificate from Gandi. (We used a SSL certificate from startssl.com before.)

OpenPGP signed SSL fingerprints and .onion domain can be found here:

Credits:Thanks to our webmaster fortasse for sorting this out!

Posted in Important


Whonix IRC Chat

Users helping users. There are currently X people in #Whonix on irc.oftc.net. (Webchat | Other Support Channels | Safety Advice)


Would you like to contribute to the Whonix project?

Contributing can be as easy as sharing the blog over social media, volunteering, or making a monetary Donation.

For more ideas on how to get involved see the Contribute wiki page or click on "Contribute" to see where volunteers are most needed.