Survey: How to make Whonix really user friendly? Looking for your suggestions!

Future Directions – Where Whonix wants to be in 2 or 5 years?

Do we want Whonix to be for average users or just for those with unix knowledge?

Whonix is a useful tool for some already, got many fans. How can we make Whonix really user friendly to allow mass adaption by regular people who need anonymity most?

It seems, Whonix limits itself by its two machines design. It’s not exactly simple and user friendly to say “you first need to get VirtualBox, then import these two VMs, then start Whonix-Gateway, then start Whonix-Workstation or use physical isolation“. How could that be improved while keeping Whonix’s design?

In the last days many had great ideas. One was to create a hardware appliance. Whonix running as physically isolated gateway running on devices such as Raspberry PI or OpenWRT or creating a Tor WiFi Hotspot (a WiFi hotspot once using it, torifying the whole connection). The issue is, having a “route everything through Tor” approach alone doesn’t make it anymore nowadays. If someone would run their usual applications, such as their Firefox or Internet Explorer browser they used for non-anonymous stuff beforehand over Tor, they wouldn’t be anonymous at all due to (flash) cookies, browser fingerpriting and so forth. Saying “plug this hardware appliance between your router and your computer AND install this client package” also doesn’t sound exactly simple.

Another idea was to create a Whonix Live DVD. But even if we managed to create one, it would still be clumsy to say “you have to burn this iso to DVD, then boot it, then start Whonix-Gateway, then start Whonix-Workstation”.

Jason Ayala suggested to create an Whonix USB installer. It would still be clumsy (as above), but installing Whonix would get simpler and more encouraging to use a non-Windows, separate operating system. We then would have to support lots of different hardware, but additional support by funding this would be possible. Users still would have to figure out how to boot from USB, which is not entirely trivial due to different BIOS implementations. Also “secure boot” won’t make this simpler.

Cerberus raised the idea to make Whonix fully managed. Perhaps he meant to enable automatic updates for the host, Whonix-Gateway and Whonix-Workstation. Whonix-Gateway could then be fully managed and hidden from non-advanced users. However, there are some settings that need to be set up on Whonix-Gateway, such as settings for Tor bridges. Maybe a Whonix-Host operating system could ssh into Whonix-Gateway to manage it.

Or maybe while we’re at discussing a Whonix-Host operating system, we should revive the OneVM concept? In essence, we’re shipping Whonix-Gateway as VM package, because it is a simpler and more robust implementation to support a variety of different host operating systems and configurations. As long as Whonix doesn’t provide a host operating system, the two VM solution is more robust. But if Whonix is enters the next stage of evolution, i.e. by shipping a host operating system, the OneVM concept may work better.

The idea to add Whonix to the usual app stores, such as Windows / Mac app store as well as “sudo apt-get install whonix” has been raised as well. This wouldn’t make Whonix less clumsy (still two VMs), but it would make installation simpler and more secure.

In summary, we’re not sure yet where the journey should go to. We’d appreciate the input of the community. Please share ideas on how Whonix could become really usable while not sacrificing security.

Patrick started developing Whonix, the Anonymous Operating System in 2012, when quickly others joined efforts. He collected experiences working pseudonymous on Whonix for two years, enjoys collaboratively working on privacy preserving software.

6 comments on “Survey: How to make Whonix really user friendly? Looking for your suggestions!
  1. João Pereira says:

    In my opinion, the most user friendly way of doing something like this would be hardware only.
    I imagine something like a hdmi minipc (or USBstick) plugged into a pc and making the gateway work.
    Then the user would have to make all coms (cable our wifi) go through that gateway that would install (and look) as a usb network card.
    The only device the I know may resemble my suggestion is this one:
    but the HDMI plug should be a USB witch is not just an hardware issue.
    This way the two-machines-design is kept only they no longer are virtual.

    You may guess I am not an expert, and I am not, this is just a suggestion.

  2. Hardware solutions could only provide censorship circumvention. Can not providing anonymity alone, due to protocol leaks, i.e. browser tracking / fingerprinting. Hiding IP alone isn’t enough nowadays.

    So it would require a hardware device + “you must install this package on your device before you’re ready to go” solution. I don’t think that would Whonix simpler. Unfortunately.

  3. Anonymous says:

    I’ve got one small idea to help usability – as I’m setting up Whonix for my folks (where I don’t live) so I can then communicate with them anonymously and they can browse freely on sensitive subjects also!

    This is it:

    The update steps (apt-get) in konsole are a bit much for a windows-usually, 60-something technoklutz! How about including a one-click shortcut with a big nice ‘Update Whonix’ and icon on the Desktop, and instead of (only) giving scary unintelligible instructions to do those commands like WhonixCheck currently instructs, instead say: ‘Updates found! Click on ‘Download Updates’ on the Desktop to stay secure! (Advanced users: do .)’?

    I’ve set a simple shortcut to a sh script just doing:

    kdesudo apt-get update && kdesudo apt-get dist-upgrade -y

    And all it does it gui-prompt for password after clicking on it once! Ease of use indeed will increase security for the mainstream, and anonymity for us ALL – the more people can use Tor and Whonix and encryption and all these tools, the better for all of us and the harder for those who want to take our rights away!

    (Btw I’m new to linux too so probably aren’t using state-of-the-art syntax back there :P)

    Anyway, thanks for everything you do with Whonix Patrick – it is a just amazing and essential tool for anonymous Internetting!

    Btw, is there some ‘whonix suggestion box’ that one can submit simple but useful (anonymous) suggestions for improving the security/privacy/usability of Whonix for dev consideration?

    I know thre’s the forum, the wiki and github, but I mean something that doesn’t require an account – just a ‘dropbox’ for sharing helpful suggestions with a simple text submit form and begrudging captcha if need be.

    Cos I’ve got another one, and I’m sure I’d have more in the future as I get used to whonix! and that is, removing the maximize button in kde settings, so the user (e.g. your technoklutz folks), can’t accidentally maximize TBB and suddenly make their fingerprint INSANELY unique (cos ofc, it’s too hard to expect not to use JS when they browse! I will, but not having a maximize button by default will help retain anonymity – and power users can always manually resize a window anyway, or add the button back of course!)


  4. Anonymous says:

    Oh, me again, with another small friendly suggestion! You can also double click on titlebar to maximize too, not good for accidental use by a ‘mainstream’ non-technical user and they don’t realise they have a highly unique fingerprint for the rest of that browsing session! (which since this is a persistent vm, could be for a very long time, weeks even – longer, if they ‘save state’ when closing and whonix never needs to be restarted!) I think TBB resets window size when starting up (and probably with ‘New Identity’) but still…it can happen, and it’s an anonymity liability!

    So: System Settings, Windows Behavior, Window Behavior, Titlebar Actions, Titlebar double-click: set it to nothing by default!

  5. Anonymous says:

    Me for a third time this time: yeah the above script ended up not actually working. My current revision is:

    konsole -e kdesudo apt-get update && sudo apt-get dist-upgrade -y

    (I’m learning! probably sudo is not even needed for dist-upgrade but hey it’s improving.)

    It means grandpa only has to double-click on it, be prompted for password by the nice friendly kde window, watch the terminal text zoom past and learn something, and just let it do its thing until it automatically closes off – but of course, you’d be able to make an even nicer GUI progress bar tool for updating that doesn’t even show the terminal!

  6. Such an update tool would be desirable. There are quite some technical challenges implementing one. Those are documented here: