Dev/Anonymity Network


Introduction

This page describes why Tor was chosen as the anonymity network for the Whonix Example Implementation and also discusses the alternatives that were considered.

Tor

Tor has been chosen for the Whonix Example Implementation because it is the best researched and most widely used anonymity network. Whonix developer Patrick believes Tor is currently the most secure anonymity network legally available to most users. See anonbib for a collection of research papers about Tor and other anonymity networks.

A large user base is important, because you can only be anonymous within a large group of people. More secure networks exist in theory, such as the Mixminion high latency network, but without enough users they are less secure in practice. See Roger Dingledine's explanation for details.

Some shortcomings of Tor are listed on the Warning page.

Whonix and other Anonymity Networks

The Whonix Framework is agnostic about the anonymity network being used. In theory, Tor could be completely replaced with any other suitable anonymizing network; see Technical Introduction Whonix Framework. Development in this area stalled due to lack of interest from users, upstream developers and Whonix developers. Nevertheless, some theoretical and practical research work has been done towards such integration; see Inspiration if you are interested.

Security considerations

Any successful attack against Tor also works against Whonix and will result in a compromise of location/identity. [1]

Whonix does not try to defend against network-level attacks, such as a large number of malicious Tor nodes, end-to-end correlation attacks and so on. The Tor software package from the Debian repository is installed in Whonix without any modifications to the Tor software; that is left to the Tor developers and Debian packagers.

If Tor's TransPort, DnsPort or SocksPort, on which Whonix heavily relies, can be exploited, then it is also game over.

There is no known bug (or "feature") that would reveal the user's real IP address through SocksPort, TransPort or DnsPort. If such a bug were found in the future, which is possible, it would be a major bug in Tor, and we would hope that the Tor developers fix it. We also hope that compile time hardening features will be added: Bug #5210 (Enable gcc and ld hardening by default in 0.2.3.x) has been fixed; Bug #5024 (compile time hardening of TBB: RELRO, canary, PIE) is still open.

Other attacks are conceivable which we cannot defend against. For example, if an adversary controls your entry node or can observe your ISP connection and also has access to the Whonix-Workstation, he can simply send a "morse" pattern (5 seconds of heavy traffic, 10 seconds of no traffic, ...) and then observe the incoming connections for that pattern. Then it is game over as well.

[1] Unless Tor is combined with other means of anonymization (available as an optional feature).

Other Anonymity Networks reviewed for Whonix

High latency networks

In theory, high latency networks would be safer than Tor. Unfortunately, there is no high latency network with enough users that is well designed, developed and maintained.

AdvOR

Not suited for Whonix at all.

AdvOR, the "Advanced" Onion Router, is not suited for Whonix. Reasons:

  • No interest from the research community.
  • No source control, i.e. git.
  • Licensing issues (see Nick Mathewson's (Tor's Chief Architect) analysis below).
  • Absence from the Tor community.
  • No Linux support.
  • The Whonix developer believes the Tails developers and the Tor developers to be modest and genuine, doing their best to provide fine software. They generally work thoroughly and, in Patrick's opinion, come to clever conclusions. A Tails developer and a Tor developer wrote about AdvOR. Patrick believes it is best not to summarize their writings; please read them yourself if you are interested.
  • In Patrick's opinion: less safe than Tor.

I2P

Review

It may not be possible to reliably replace the Tor network with the I2P network on Whonix-Gateway. The I2P network is mainly designed to host all services inside the I2P network. Whonix has to update the Whonix-Workstation's operating system and software packages, which is not possible with I2P. Outproxies (http, https and socks) have existed in the past, but too few of them, and they are not suited for use with Whonix: they are too unreliable (too often offline). At the time of writing the I2P chapter (March 2012) there were no working https or socks outproxies which we could use for apt-get. (Is that still the case today?)

I2P can only be used as an addition to Whonix (tunneling I2P over Tor). See [I2P].

Even if there were enough reliable outproxies, one question would have to be answered: is I2P designed to withhold the external IP from a Workstation, i.e. does the I2P web interface spill the external IP, and if so, can it be configured not to? One possible answer: we could make I2P listen on Whonix-Gateway's localhost only, and only have other services, such as the outproxy, listen on the internal interface that is accessible by the Whonix-Workstation(s).

There was a development idea to install Tor and optionally I2P on Whonix-Gateway, but it stalled due to lack of interest from Whonix developers and the I2P community.

The fact that I2P is not in the Debian package sources would also make integration harder.

Summary

Not suited for Whonix for the Default-Download-Version.

  • No outproxies at the moment. (Whonix cannot connect to any servers outside the I2P network; I2P is very different from Tor.) Clearnet websites could not be reached, apt-get would not work, etc. Is this still up to date as of today?
  • Less interest from the research community.
  • No interest from the I2P community.
  • In Patrick's opinion: less safe than Tor.

JonDonym

Not suited for Whonix for the Default-Download-Version.

This JonDonym chapter is a summary of the JonDonym chapter from the "Inspiration" page, which is about adding an option to Whonix to use JonDonym instead of Tor, and a summary of the JonDonym introduction chapter, which reflects Patrick's opinion about the security of the JonDonym network.

  • Less interest from the research community.
  • Too little help (interest?) from upstream developers to create a JonDoBOX (see the JonDonym chapter from the "Inspiration" page).
  • Free version too limited.
  • In Patrick's opinion: less safe than Tor.

VPN

Not suited for Whonix for the Default-Download-Version. This is a summary of Comparison of Tor and VPN services.

  • Fails open, which is bad. This could be prevented using a VPN-Firewall or, even better, by developing/using a VPN-Gateway.
  • No distributed trust, just a single trusted provider.
  • Affected by identity correlation.
  • No free ones without restrictions.
  • In Patrick's opinion: less safe than Tor.

Freenet

Not suited for Whonix for the Default-Download-Version.

Replacing Tor with Freenet is impossible, as Freenet is a separate network not designed to exit to the clearnet, i.e. clearnet websites could not be reached, apt-get would not work, etc.

There was a development idea to install Tor and optionally Freenet on Whonix-Gateway. It would pose the question: is Freenet designed to withhold the external IP from a Workstation, i.e. does the Freenet web interface spill the external IP, and if so, can it be configured not to?

RetroShare

Not suited for Whonix for the Default-Download-Version.

RetroShare is in fact not an anonymizing network; it is a friend-to-friend (F2F) network, or optionally a darknet. RetroShare has a very different audience and threat model. RetroShare does not yet support using an outproxy; for this reason it cannot replace Tor on the Whonix-Gateway.

Proxies / Proxy Chains

This is a summary of Comparison Of Tor Proxies CGI proxies Proxy Chains And VPN Services.

"(High) Anonymous" Proxies or even "Elite" Proxy Chains are not suited for Whonix for the Default-Download-Version.

  • Inferior to Onion Routing (Tor). Just two strong points (many more exist): no encryption between the user and the proxy is possible (only end-to-end encryption is possible); no onion routing (no changing of circuits).
  • Difficult (impossible?) to find a free, stable proxy which is legally intended to be used as a proxy and which could handle enough Default-Download-Version users.
  • In Patrick's opinion: less safe than Tor.

Combinations of Anonymity Networks

Not suited for Whonix for the Default-Download-Version.

There is too much controversy; see Tor Plus VPN or Proxy.

Controversy is avoided as a political project strategy, with the goal of protecting the project:

Quoted from the [FAQ]: "Whonix tries to be as little special as possible to ease security auditing of Whonix. Any changes to the Tor routing algorithm should be proposed, discussed and eventually implemented upstream in Tor on torproject.org. And if discussion fails, a Tor fork could be created. Tor has already been forked at least once. Doing such changes directly in Whonix would limit discussions about Whonix to the security of the modified routing algorithm. To allow further exploration of Whonix security, it is required to be as agnostic as possible about all parts of Whonix."

The user is able to tunnel other anonymizing networks over Tor (see Other Anonymizing Networks if you are interested).

Tunneling Other Anonymizing Networks over Tor

This is possible with Whonix (see Other Anonymizing Networks if you are interested).
