Anonymity Operating System Comparison - Whonix vs Tails vs Tor Browser Bundle
This page contains a detailed comparison of Whonix, Tails, Tor Browser, Qubes OS TorVM and corridor.
Introduction[edit]
Although Qubes' TorVM -- a dedicated ProxyVM providing torified networking to all clients -- is now deprecated, it has been kept for comparison purposes since it acted like Whonix-Gateway™ (sys-whonix
). [1]
If any incorrect or outdated information is noted, the reader can either directly edit this page, or contact us and we will correct it as soon as possible. Also see the statement about the neutrality of this page.
Last Update[edit]
Table: Comparison Information Currency
Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor (tor-talk) | |
---|---|---|---|---|---|
Compared Version [2] | 16.0.3.7 | 2.4 | 6.0 | 0.1.3 | ? |
Latest Version [3] | 17.2.8.1 | 5.16.1 | 12.5.2 | 0.1.3 | ? |
Status | This wiki page is up to date | This wiki page is up to date | This wiki page is up to date | This wiki page is up to date | This wiki page is up to date |
General[edit]
Table: General Factors
Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor | |
---|---|---|---|---|---|
Focus on anonymity, privacy and security | Yes | Yes | Yes | Yes | Yes |
Type | General purpose OS available as VM images and physical isolation | Live DVD / Live USB / Live SDCard | Portable browser | General purpose OS, VM plugin for Qubes OS | Tor traffic whitelisting gateway |
Supported hardware | x86 compatible and/or Virtual Machines + [4] | x86 compatible and/or Virtual Machines | Windows, Linux, Mac and Virtual Machines | Any capable of running Qubes OS, see: System Requirements and HCL | Any Linux (?) |
Based on | Tor, Debian [5] and a Virtualizer [6] when not using Physical Isolation | Tor, Debian | Tor, Firefox | Tor, Qubes OS, Fedora | iptables, sh |
Gateway and torify any operating system [7] | Yes [8] | Not a torifying Gateway | Not a torifying Gateway | Yes [9] | Not a torifying Gateway |
Live Mode | Yes [10] | Yes | No | No | No |
Live DVD | No | Yes | No | No | No |
Live USB | No | Yes | No | No | No |
USB bootable | Yes [11] | Yes | Yes [11] | Yes [11] | Yes [11] |
USB installer feature | No [12] | Yes [13] | ? | Yes | No |
Requires VirtualBox [14] | No | No | No | No | No |
Requires VMware [14] | No | No | No | No | No |
Requires Qubes OS [14] | No | No | No | Yes | No |
System requirements | Higher | Lower | Lowest | Highest | Lowest |
Can run in VirtualBox | Yes | Yes, but not recommended. [15] Well documented [16] | Yes, but (?) | No [17] | No |
Can run in VMware | Yes, but not recommended and unsupported [18] | Yes, but not recommended [15] | Yes, but (?) | No [19] | No |
Can run in Qubes OS | Yes [20] | Yes [21] | Probably yes, but without security features provided by an Isolating Proxy | Yes | Yes |
Persistence [22] | Full | Optional for Live USB | Yes [23] | Full | Full |
Number of developers | Multiple [24] | Multiple | Multiple | Multiple | One |
Maturity | Project since 2012 | Project since 2009 [25] | Project since 2002 [26] | Project since 2012 (now deprecated) | Project since 2014 |
Open source | Yes | Yes | Yes | Yes | Yes |
Non-anonymous developers [27] | Yes | No | Yes | Yes | No (?) |
Security[edit]
Network[edit]
Table: Network Security
Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor | |
---|---|---|---|---|---|
Responsibility for building Tor circuits | Tor client running on Whonix-Gateway | Tor client running on workstation | Tor client running on workstation | Tor client running on TorVM (Gateway) | Tor client running behind corridor-Gateway |
Protection against IP address / location discovery [28] on the Workstation [29] | Yes [30] | No [31] | No [31] | Yes | No [32] |
IP / DNS protocol leak protection | Full [33] | Depends [34] | Depends [34] | Full | Depends |
No need for the Workstation to trust the Gateway | Yes | Not a gateway | Not a gateway | Yes | No |
Takes advantage of entry guards [35] | Yes | No [36] | Yes | Yes | Not applicable [37] |
Takes advantage of vanguards, which protects against guard discovery and related traffic analysis attacks and fixes CVE-2020-8516 Hidden Service deanonymization. | No [38] | No [39] | No | No | Not applicable [37] |
Stream Isolation[edit]
Table: Stream Isolation
Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor | |
---|---|---|---|---|---|
Stream isolation [40] | Yes [41] | Yes [42] | Yes [43] [44] | Manually [45] | Yes |
Enforces stream isolation when one of X Workstations behind the same Gateway is compromised in the default configuration [46] |
|
Not a gateway | Not a gateway | Yes [49] | Yes [37] |
Stream isolation in Tor Browser | Yes | Yes | Yes | Yes | ? |
Updates[edit]
Table: Updates
Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor | |
---|---|---|---|---|---|
Operating system updates | Persist once updated | Incremental upgrades [50] | Persist once updated | Persist once updated | Persist once updated |
Update notifications | Yes [51] | Yes | Yes | Yes | ? |
Important news notifications | Yes [52] | Yes [53] | ? [54] | No | ? |
APT unreliable exit code security workaround [55] | Yes [56] | ? | ? | ? | ? |
Hardware Serials[edit]
Table: Hardware Serials
Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor | |
---|---|---|---|---|---|
Hides hardware serials from malicious software with default settings | Yes [57] | No [58] | No [58] | Yes | No [58] |
Hides hardware serials from malicious software when additional hardware is assigned | No | No | No | No | No |
No collection of hardware serials | Yes | Yes | Yes | Yes | Yes |
Hides the MAC address from websites | Invalid [59] | Invalid [59] | Invalid [59] | Invalid [59] | Invalid [59] |
Hides the MAC address from the local LAN [60] | No, see footnote [61] | Yes [62] | No | Yes, but not enabled by default [63] | Not applicable |
Hides the MAC address from applications | Yes [64] | No | No | Yes, by default, unless... [65] | Not applicable |
Defeats advanced Wi-Fi device tracking [66] [67] | No [68] [69] | No | No | No [70] | Not applicable |
Forensics[edit]
Table: Forensic Issues
Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor | |
---|---|---|---|---|---|
Amnesic |
|
Yes [72] | No [73] | Possible [74] | Not applicable [75] |
Local disk encryption | Should be applied on the host | Yes, for a persistent USB | Should be applied on the host | Should be applied on the host | Should be applied on the host |
Cold boot attack protection [76] | No - should be applied on the host | Yes | No - should be applied on the host | No [77] | No - should be applied on the host |
Download Security[edit]
Whonix | Tails | Tor Browser | Qubes OS | corridor | |
---|---|---|---|---|---|
Onion | Yes | No | Yes | Yes [78] | No |
TLS (SSL) [79] | Yes | Yes | Yes | Yes | Unneeded |
OpenPGP signatures available | Yes | Yes | Yes | Yes | Yes |
Signify signatures available | Yes | No | No | No | No |
Codecrypt (Post-Quantum Cryptography Resistant) signatures available | Planned | No | No | No | No |
Server not under control of hosting provider [80] | No | No | No | No | No |
Verifiable Builds[edit]
Table: Verifiable Builds Comparison
Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor | |
Deterministic builds [81] | No | No (planned) [82] | Yes [83] | No | Not applicable [84] |
Based on a deterministically built [81] operating system | No [85] | No [85] | Not applicable | No [85] | No [85] |
Verifiably no backdoor in the project's own source code | Invalid [86] | Invalid [86] | Invalid [86] | Invalid [86] | Invalid [86] |
Verifiably vulnerability-free | No [87] | No [87] | No [87] | No [87] | No [87] |
Verifiably no hidden source code [88] in upstream distribution / binaries [89] | No [90] | No [90] | No [90] | No [90] | No [90] |
Project's binary builds are verifiably created from project's own source code (no hidden source code [88] in the project's own source code) | No (deprecated) [91] | No | Yes | No | Not applicable [84] |
Fingerprint[edit]
Table: Fingerprinting Issues
Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor | |
---|---|---|---|---|---|
Network / web fingerprint | Whonix fingerprint page | Tails fingerprint page | TBB traffic is tunneled through Tor. Host traffic passes over clearnet | ? | ? |
Network fingerprint: ISP cannot trivially guess the project type [92] | Yes | Yes | Yes | No [93] | Yes |
Network fingerprint: ISP cannot guess that a non-persistent Tor directory is in use | Yes | No [94] | Yes | Yes | Yes |
Clearnet traffic | All Whonix-Gateway and Whonix-Workstation traffic is tunneled through Tor. Host traffic [95] uses clearnet | None, unless other users sharing the same internet connection are not using Tails | TBB traffic is tunneled through Tor. Host traffic [96] uses clearnet | The gateway is not torified, therefore emitting clearnet traffic [97] | The gateway is not torified, therefore emitting clearnet traffic |
Network fingerprint: ISP cannot guess which anonymity software is in use due to the ratio of Tor and clearnet traffic | Unknown [98] | The ISP can guess a Tor live system is in use, unless... [99] | ? | Not applicable [100] | ? |
Network fingerprint: ISP cannot guess which anonymity software is in use because of tordate [101] | Yes, does not include tordate | No, if the clock is grossly inaccurate when booting [101] | No, not an operating system | Yes, does not include tordate | Yes, does not include tordate |
Web fingerprint [102] | Same as TBB [103] | Not the same as TBB [104] | TBB [105] | Does not include Tor Browser [106] [107] | Not applicable |
Unsafe browser fingerprint [108] | [109] | [110] | ? | ? | ? |
Network time synchronization runs at randomized times during the session | Yes [111] [112] | Does not continuously run network time synchronization | Not an operating system, does not include network time synchronization | Does not include network time synchronization | Does not include network time synchronization |
Connection wizard prevents unwanted / accidental connections to the public Tor network [113] | Yes | Yes | ? | ? | ? |
Includes Tor Browser from The Tor Project | Yes | Yes + patches | Yes | No | No |
Privacy-enhanced browser [114] | Yes, Tor Browser | Yes, Tor Browser + patches [115] [104] | Yes, Tor Browser | No | Not applicable |
Secure distributed network time synchronization | Yes [116] | Yes [117] | No | No | No |
Hides the time zone (set to UTC) | Yes | Yes | Yes | No | Not applicable |
Hides the operating system account name [28] [29] [118] | Yes, set to user | Yes, set to amnesia | No | Yes, set to User | Not applicable |
Secure gpg.conf [119] [120] | Yes | Yes | Not an operating system | Not an operating system | Not an operating system |
Privacy-enhanced IRC client configuration | Yes | Yes | Not an IRC client | Not an operating system | Not an IRC client |
Keystroke Anonymization |
|
No | No | Not an operating system | Not an operating system |
Implement TCP ISN CPU Information Leak Protection to prevent de-anonymization of Tor onion services by installing Tirdad kernel module for random ISN generation. |
|
No | No | Not an operating system | Not an operating system |
Miscellaneous[edit]
Table: Miscellaneous Issues
Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor | |
---|---|---|---|---|---|
A warning appears when run in an unsupported / unrecommended virtualizer | Yes | Yes | Unnecessary (?) | Invalid (?) [123] | Not applicable |
Security and anonymity check | Yes [124] | ? | ? | ? | ? |
Hardening[edit]
Table: Security Hardening
Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor | |
---|---|---|---|---|---|
AppArmor [125] is enabled by default | Yes | ? | ? | ? | ? |
AppArmor profiles are enabled by default | Partial [126] | ? | ? | ? | ? |
Kernel Hardening through Kernel Boot Parameters | ? | ? | ? | ? | |
Strong Linux User Account Separation | ? | ? | ? | ? | |
Protection against Bruteforcing Linux User Account Passwords |
|
? | ? | ? | ? |
security-misc (Kernel Hardening; Improve Entropy Collection; Enhances Misc Security Settings; ...) | Yes | ? | ? | ? | ? |
SUID Disabling and Permission Hardening | Planned. | ? | ? | ? | ? |
secure mount options | Planned. | ? | ? | ? | ? |
Console Lockdown | Yes | ? | ? | ? | ? |
hardened-kernel | Planned. | ? | ? | ? | ? |
apparmor.d (AppArmor for everything. APT, systemd, init, all systemd units, all applications. Mandatory Access Control. ) | Planned. | ? | ? | ? | ? |
Flash / Browser Plugin Security[edit]
Table: Flash and Browser Plugins Security
Whonix-Workstation | Tor on the Host | |
---|---|---|
Proxy bypass IP leak | Protected | Insecure, leads to deanonymization |
Protocol IP leak | Protected | Insecure, leads to deanonymization |
Flash cookies | Reduces anonymity to pseudonymity. It is recommended to delete Flash cookies | Flash activity over clearnet and Tor can be linked, which leads to deanonymization (or a significant reduction in the anonymity set) if the skew is large and rare. Flash is also useful for additional fingerprinting, which has an adverse impact [133] |
Number of installed fonts | The number of fonts inside Whonix-Workstation (anon-whonix ) and the host (clearnet) operating system will differ, which is good for anonymity
|
The same fonts are reported for both clearnet and Tor Flash activity, which is harmful to anonymity [133] |
Exact flash player version | The Flash version is shared among many users, [134] which is good for anonymity, since it reduces the impact of fingerprinting. The version is also probably different from the host (clearnet) operating system, which is beneficial | The same version is reported for Flash activity over both clearnet and Tor, which is harmful to anonymity [133] |
GNU/Linux kernel version | This version is shared among many people, [134] which is good for anonymity, since it reduces the impact of fingerprinting | The same version is reported for Flash activity over both clearnet and Tor [133] |
Language | Set to en_US for all Whonix users | Set to the user's local language setting. This is useful for fingerprinting, since it leads to anonymity set reduction [133] |
Exact date and time | This differs from the host (clearnet) operating system, which is beneficial (see TimeSync for details) | The same time / clockskew is reported for both clearnet and Tor Flash activity, which is harmful to anonymity [133] |
Exact screen resolution and DPI | ? | The same screen resolution and DPI (dots per inch) is reported for both clearnet and Tor use, which is harmful to anonymity [133] |
Full path to the Flash plugin | This is shared among many people, [134] which is good for anonymity | Depends on the host (clearnet) operating system. In the worst case it could contain the operating system user name, which is fatal if it is the user's actual name. The same path to the Flash plugin is reported for both clearnet and Tor use, which is harmful to anonymity [133] |
Other factors [135] | Assume reduction from anonymity to pseudonymity | Greater possibilities for fingerprinting and linkage of activities, which is harmful to anonymity [133] |
Conclusion | A user's IP address / location / identity will remain hidden inside Whonix-Workstation (anon-whonix ), but it is assumed to be pseudonymous rather than anonymous
|
Flash over Tor -- on the host, without software like Whonix -- is completely unsafe. If Flash is ever used over clearnet, linkage of activities is possible. In the worst case scenario, assume the strong Flash fingerprint can lead to full deanonymization |
For further information about using Flash and other browser plugins in Whonix, see here.
Attacks[edit]
Circumventing Proxy Obedience Design[edit]
Introduction[edit]
This section presupposes the user is familiar with:
- The security comparison of different Whonix variants.
- Unsafe Browser: Tails and Liberte Linux package a so-called "Unsafe Browser". The Unsafe Browser does not use Tor, but instead connects in the clear. It is useful for hotspot registration or for viewing clearnet content without Tor.
- Feasible exploits against a physically isolated Whonix-Gateway: this is difficult when the Whonix-Gateway is running in a bare metal configuration. The reason is that only Whonix-Workstation has access to Tor running on Whonix-Gateway. [136]
Whonix protects against discovery of a user's IP address / location via a successful root exploit (Malware with root rights) on the Whonix-Workstation (anon-whonix
). [29] Users should not deliberately test this feature and risk becoming infected with malware, since all the data inside Whonix-Workstation (anon-whonix
) would become available to the attacker.
Whonix is not a perfect or unbreakable system, nor can it ever be. However, Whonix does raise the bar for attackers, meaning greater effort and skill is needed to discover the user's real IP address and successfully deanonymize them. The following table summarizes the defense-in-depth provided by the Whonix design.
Terms that are used in the following table are defined below:
- TBB: Tor Browser Bundle.
- Fail: the IP address / location of the user is compromised.
- Safe: the IP address / location of the user is hidden behind Tor.
Overview[edit]
Table: Proxy Circumvention Threats
Attack | Whonix Default | Whonix Physical Isolation | Tails | Tails in a VM | TBB | TBB in a VM | Qubes OS TorVM | corridor |
---|---|---|---|---|---|---|---|---|
1. Proxy bypass IP leak [137] | Safe [138] | Safe [138] | Safe [138] | Safe [138] | Fail | Fail | Safe | Safe |
2. Protocol IP leak [139] | Safe [140] | Safe [140] | Fail | Safe [141] | Fail | Safe [141] | Safe | Safe [141] |
3. Exploit [142] [143] | Safe | Safe | Fail [144] | Fail [144] | Fail | Fail | Safe | Fail |
4. Exploit + root exploit [142] [145] | Safe | Safe | Fail [144] | Fail [144] | Fail | Fail | Safe | Fail |
5. Root exploit [142] [146] | Safe | Safe | Fail [144] | Fail [144] | Fail | Fail | Safe | Fail |
6. Exploit + VM exploit [147] [148] | Fail | Safe | Fail | Fail | Fail | Fail | Fail | Fail |
7. Exploit + VM exploit + exploit against physically isolated Whonix-Gateway [149] | Fail | Fail | Fail | Fail | Fail | Fail | Fail | Fail |
8. VM exploit [150] | Fail | Safe | Safe | Fail | Safe | Fail | Fail, see [151] | Fail |
9. VM exploit + exploit against physically isolated Whonix-Gateway [152] | Fail | Fail | Safe | Fail [153] [154] | Safe | Fail [153] [154] | Fail, see [151] [153] [154] | Fail |
10. Exploit against Tor process [155] | Fail [156] | Fail [156] | Fail | Fail | Fail | Fail | Fail | Fail |
11. Attack against the Tor network [157] | Fail | Fail | Fail | Fail | Fail | Fail | Fail | Fail |
12. Backdoor [158] [81] | Fail | Fail | Fail | Fail | Fail | Fail | Fail | Fail |
13. Onion service domain name security after server software exploit | Safe [159] | Safe [159] | Fail [160] | Fail [160] | Not an operating system | Not an operating system | ? [161] | Fail |
[edit]
Introduction[edit]
This section presupposes the user is familiar with:
Terms that are used in the following table are defined below:
- (VM host) update/crypto block: prevention of (VM host) operating system updates and cryptographic verification such as TLS (SSL) in the (VM host) browser.
- u/c-block: update/crypto block.
- Tor blocked: prevention of connections to the Tor network until the clock is manually fixed.
- Big clock skew: more than 1 hour in the past or more than 3 hours in the future. [162]
- Small clock skew: less than 1 hour in the past or less than 3 hours in the future. [162]
Overview[edit]
Table: Network Time-related Issues
Whonix Default | Whonix Physical Isolation | Tails | Tails in a VM | TBB | TBB in a VM | Qubes OS TorVM | |
---|---|---|---|---|---|---|---|
VM host time synchronization mechanism | NTP | Gateway: there is no VM host. Workstation host: NTP | There is no VM host. Same as the operating system synchronization mechanism | NTP | There is no VM host | NTP | NTP |
Operating system synchronization mechanism | sdwdate | sdwdate | tordate and tails_htp | tordate and tails_htp | NTP | NTP | NTP |
Effect of a grossly inaccurate clock | Tor blocked | Tor blocked | tordate fixes the clock | tordate fixes the clock | Tor blocked | Tor blocked | Tor blocked |
VM host time differs from operating system time | Yes [163] | Yes [163] | There is no VM host | Yes [164] | No [165] | Possibly [166] | No |
Unsafe browser time differs from torified browser time [167] | Yes [163] | Yes [168] | No [169] | No [169] | No [165] | Possibly [166] | No |
Large clock skew attack against NTP [170]: VM host effects | u/c-block | VM host u/c-block | There is no VM host | VM host u/c-block | There is no VM host | VM host u/c-block | u/c-block |
Large clock skew attack against NTP [170]: operating system effects | Tor blocked | Tor blocked | [171]; tordate fixes the clock skew | [171]; tordate fixes the clock skew | Tor blocked; u/c block | Tor blocked; u/c block | Tor blocked |
Fingerprintable reaction [172] when a large clock skew attack is used | No, fails identically to TBB | No, fails identically to TBB | Probably yes, see the fingerprint section above | Probably yes, see the fingerprint section above | TBB | TBB | No |
Small clock skew attack against NTP [170], VM host effects: | VM host u/c block (?) | VM host u/c block (?) | There is no VM host | VM host u/c block (?) | VM host u/c block (?) | VM host u/c block (?) | VM host u/c block (?) |
Small clock skew attack against NTP [170], operating system effects: | Whonix VMs: sdwdate fixes the clock skew | sdwdate fixes the clock skew | VM: tails_htp fixes the clock skew | tails_htp fixes the clock skew | If the user visits a page monitored by an adversary, they will know who is connecting [173] | If the user visits a page monitored by an adversary, the will know who is connecting [173] | If the user visits a page monitored by an adversary, they will know who is connecting [173] |
Usability[edit]
Table: Overall Usability
Whonix | Tails | Tor on the Host | Qubes OS TorVM | corridor | |
---|---|---|---|---|---|
Difficulty: installing additional software while the IP address remains hidden [174] | Easy [175] | Moderate [176] | Difficult [177] | Easy | Moderate |
Difficulty: installation of the base anonymity software |
|
Easy | Easy | Easy | Difficult [179] |
Required knowledge to prevent serious user error [180] | Difficult | Difficult | Difficult | Difficult | Difficult |
Pre-installed applications | Wide selection | Wide selection | None | Not applicable | Not applicable |
Grossly inaccurate host clock | No connection to the Tor network until the clock is manually fixed | Uses tordate to fix the clock | No connection to the Tor network until the clock is manually fixed | No connection to the Tor network until the clock is manually fixed | ? |
Comprehensive documentation | Yes [181] | Yes [182] | ? | ? | ? |
Disable power savings in VMs | Yes [183] | No, but there is no sleep mode | ? | ? | ? |
Features[edit]
Table: Features
Whonix | Tails | Tor Browser | Qubes OS TorVM | |
---|---|---|---|---|
Default desktop | Xfce | GNOME | Whatever the user has installed. Not an operating system | Xfce |
Multi-language support | No | Yes | Yes | ? |
Fits on a DVD | No | Yes | Not an operating system | ? |
VPN support: user → VPN → Tor → destination
|
Manual configuration is required [184] | No [185] | Possibly can be manually installed (?) | Yes |
VPN support: user → Tor → VPN → destination
|
Manual configuration is required [184] | No [185] | ? | Yes [186] |
VPN support: user → VPN → Tor → VPN → destination
|
Manual configuration is required [184] | No [185] | ? | Yes |
IRC client pre-configured for privacy | No | Yes (Pidgin) [187] | Not an operating system | No |
Flash support | Manual installation is required [188] | No, but HTML5 videos are functional [189] | Manual installation is required | ? |
Ricochet IM [190] [106] | No [191] | Unsupported, but can be manually installed [192] | Not applicable | ? |
FTP support | Partial [193] | No (?) [194] | Not an operating system | ? |
Download manager | Manual installation is required [195] | Manually installation is required [196] | ? | ? |
Webmail can be used in the browser | Yes | Yes | Yes | Yes |
Email client | Thunderbird | Thunderbird | ? | ? |
Hidden service support | Manual configuration is required [197] | Manual configuration is required [198] | ? | ? |
Hidden server configuration GUI | No | No [199] | ? | ? |
Support for free Wi-Fi hotspots | Yes [200] | Yes [201] | Yes [202] | ? |
Video / streaming software | Manual installation is required | Some applications are included, more can be manually installed | Not an operating system | Manual installation is required |
Control port filter proxy | Yes [203] | Yes | No | No |
TBB about:tor success message
|
Yes | ? | ? | ? |
Functional new identity option in Tor Button | Yes [204] | Yes [205] [204] | Yes [204] | ? |
Default browser set to Tor Browser | Yes | Yes (?) | Not applicable | ? |
File / link open confirmation | Yes | ? | ? | ? |
I2P over Tor | Manual installation and configuration is required [206] | ? | Not an operating system | Manual installation is required (?) |
RetroShare over Tor | Manual installation is required [207] | ? | Not an operating system | Manual installation is required (?) |
Shared folder help | Yes [208] [209] [210] | ? | ? | ? |
Higher boot resolution | Yes [211] | ? | ? | ? |
Verbose boot output | Yes [212] | ? | ? | ? |
RAM-adjusted desktop starter | Yes [213] [214] | ? | ? | ? |
Circumvention[edit]
Table: Censorship Circumvention Options
Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor | |
---|---|---|---|---|---|
obfs4 | Yes [215] | Yes | Yes | ? | ? |
meek | Yes [216] | Yes [217] | Yes | ? | ? |
Snowflake | Yes [218] [219] | No [220] | Yes | ? | ? |
Other Censorship Circumvention Tools | ? | ? | ? | ? | ? |
Statement about Neutrality of this Page[edit]
General[edit]
An impartial comparison of anonymity platforms and tools is difficult, since contributors to this page are most likely Whonix users. Regardless, an imperfect comparison page is better than none at all. The reader should bear in mind that this wiki content might have been anonymously posted elsewhere, such as Wikipedia. The contributors to this page have decided to attach their pseudonyms.
Anonymous edits are allowed and are generally published within a short time frame. Readers who notice any mistakes can immediately edit the page. This entire article is published under a Free (as in speech) license (GPLv3+). [221]
Different Views[edit]
Opinions should always be expressed carefully, particularly when analyzing the merits and weaknesses of other software projects. A range of different opinions already exist on this exact issue. Interested readers can refer to the following resources or add their own:
- Tails-dev: please look at Comparison of Whonix, Tails and TBB
- Tails-dev: please look at Comparison of Whonix, Tails and TBB #2
- qubes-devel: please look at Comparison of Whonix, Tails, TBB and Qubes OS TorVM
Systems Omitted from the Comparison[edit]
The following software platforms were not considered in this comparison, but may be included in the future: [222]
See Also[edit]
Footnotes[edit]
- ↑
The Qubes website states:
If you are interested in TorVM, you will find the Whonix implementation in Qubes a more usable and robust solution for creating a torifying traffic proxy.
- ↑ At the time of last comparison.
- ↑ Most recent stable version.
- ↑ Custom-Workstation: self-made builds can run on any real or virtual hardware so long as they are behind a Whonix-Gateway (
sys-whonix
). Tor Browser binaries are limited to a handful of platforms - Windows, Linux, BSD and Mac. - ↑ Whonix-Workstation™ (
whonix-workstation-17
): Other Operating Systems are also supported. With respect to Whonix-Gateway (whonix-gateway-17
), developers are agnostic about supporting any other secure distributions. Of course another operating system could be used as the base, but it requires significant effort. - ↑ The default downloads are for VirtualBox, but this is subject to change in the future. Physical Isolation is an optional security feature for advanced users. Experimental, optional support is available for VMware. Images can be built for other virtualizers, but it requires some work, see: Other Virtualization Platforms.
- ↑ For advanced users.
- ↑ See Other Operating Systems.
- ↑ See also HVM.
- ↑ Qubes-Whonix™: Disposables
- ↑ 11.0 11.1 11.2 11.3 Users can install the host operating system on a USB.
- ↑ Whonix does not have a fully-featured USB installer. Installing the operating system on a USB is recommended, but the decision is left to the user.
- ↑ Tails has a professional USB installer.
- ↑ 14.0 14.1 14.2 This has a neutral blue color, because the project dictates whether or not a specific virtualizer is required.
- ↑ 15.0 15.1 https://tails.boum.org/contribute/design/virtualization_support/
- ↑ https://tails.boum.org/doc/advanced_topics/virtualization/
- ↑ This has a red color because it raises the bar for new users, who must expend significant effort to try it.
- ↑ This is only available as an experimental proof of concept, see: VMware. It is not recommended because VMware is closed source software. Whonix developers do not support or test this configuration.
- ↑ This has a neutral color because Qubes OS is open source, while VMware is closed source and should therefore be discouraged.
- ↑ Qubes-Whonix.
- ↑ https://github.com/Qubes-Community/Contents/blob/master/docs/privacy/tails.md
- ↑ Custom installed applications and user data can be stored and survive reboot.
- ↑ Depending on a user's settings, bookmarks and passwords can be saved, and downloaded files retained.
- ↑ See Contributors.
- ↑ https://en.wikipedia.org/wiki/Tails_%28operating_system%29
- ↑ https://en.wikipedia.org/wiki/Tor_browser
- ↑ This matters because until Deterministic Builds become standard, (non-)anonymous developers might imply trust. A project's reputation, formal education and expertise are other relevant factors.
- ↑ 28.0 28.1 Protection from root exploits, specifically malware with root rights.
- ↑ 29.0 29.1 29.2 The Workstation is where the browser, IRC client and other user applications are run. The Gateway is where Tor and the firewall are running.
- ↑ Whonix protects against IP address / location discovery through root exploits (malware with root rights) inside Whonix-Workstation (
anon-whonix
), although this feature should not be unnecessarily tested. Successful attacks by adversaries cannot yield the user's real IP address / location, because Whonix-Workstation (anon-whonix
) can only connect through the Whonix-Gateway (sys-whonix
). More skill is required to compromise Whonix due to its design; also see attacks on Whonix. - ↑ 31.0 31.1 If Tails is compromised by a root exploit, the adversary can simply bypass the firewall to discover the user's real IP address.
- ↑ corridor is not designed for that purpose. A compromised application could contact a colluding Tor relay.
- ↑ IP / DNS leaks are impossible in Whonix, since Whonix-Workstation (
anon-whonix
) is unaware of its external IP address. - ↑ 34.0 34.1 Please read how Whonix protects against realistic threats first. IP leaks are possible in Tails if applications are configured incorrectly or have a critical bug - this similarly applies to the Tails platform itself. The Tails Security Page notes:
Until an audit of the bundled network applications is done, information leakages at the protocol level should be considered as - at the very least - possible.
- ↑ https://support.torproject.org/#about_entry-guards
- ↑ https://gitlab.tails.boum.org/tails/blueprints/-/wikis/persistent_Tor_state/
- ↑ 37.0 37.1 37.2 Since the responsibility for building Tor circuits falls on clients running behind corridor-Gateway.
- ↑ vanguards
- ↑ Similar to above because it requires persistent Tor entry guards.
- ↑ Stream isolation provides protection against identity correlation through circuit sharing.
- ↑ For further details, see stream isolation.
- ↑ Separate Tor streams in Tails.
- ↑ Ever since the following ticket was implemented: Tor Browser should set SOCKS username for a request based on referer.
- ↑ Tor Browser comes with its own Tor instance. It is just a browser, not a live system or an operating system.
- ↑ The user must configure applications manually to use stream isolation. In Whonix, all applications that are installed by default (like curl, wget, ssh, tbb, and others) are configured to use their own SocksPort. Tails also has this feature, but it is not as extensive as Whonix. When QubesOS TorVM was last checked, it did not provide stream isolation.
- ↑ This is relevant when workstations x1, x2, ..., xn are all running behind the same gateway y.
- ↑ See: IP spoofing protection.
- ↑ A user can either run Multiple Whonix-Gateway or configure an encrypted and/or authenticated connection between the Whonix-Gateway and Whonix-Workstation.
- ↑ See: https://groups.google.com/d/msg/qubes-devel/le7-Rrq6yxY/k_fQdSTzvLAJ
- ↑ See https://tails.boum.org/contribute/design/upgrades/#index5h3
- ↑ See systemcheck, Whonix news.
- ↑ See Whonix news.
- ↑ A GNOME
libnotify
notification pops up with a link and offers the user an opportunity to subscribe to news by email. - ↑ This might be possible via the browser's https://check.torproject.org function. This was never implemented, even after old Tor Browser bundles became a popular exploit.
- ↑ See security issues when using apt update in scripts.
- ↑ The systemcheck function check_operating_system uses /usr/libexec/security-misc/apt-get-update.
- ↑ See Protocol-Leak-Protection and Fingerprinting-Protection for details.
- ↑ 58.0 58.1 58.2 By default this information is not sent to anyone. It is only at risk when the machine is compromised by malware.
- ↑ 59.0 59.1 59.2 59.3 59.4 The design of assigned MAC addresses means that destination servers cannot see them. Therefore yes, they are always hidden from destination servers.
- ↑ This is a realistic threat considering some ISPs are based on LANs, which means they can see the MAC addresses of their clients. Hotspots can also see the MAC addresses of connected devices.
- ↑ Please read Whonix in public networks / MAC Address.
- ↑ Tails spoofs the MAC address. This feature can be easily disabled.
- ↑ https://github.com/Qubes-Community/Contents/blob/master/docs/privacy/anonymizing-your-mac-address.md
- ↑ The virtual MAC address for Whonix-Gateway internal network interface (
eth1
) is shared among all Whonix users, because Whonix-Workstation can see it. However, Whonix-Workstation cannot see the MAC address of Whonix-Gateway external network cards (eth0
). - ↑ Unless a physical network card is assigned to the virtual machine.
- ↑ Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms
- ↑ A Passive Technique for Fingerprinting Wireless Devices with Wired-side Observation
- ↑ https://forums.whonix.org/t/your-mac-address-randomization-attempts-are-futile
- ↑ MAC Address Introduction
- ↑ https://github.com/QubesOS/qubes-issues/issues/2361
- ↑ Disposables are not amnesic.
- ↑ Tails is amnesic by design.
- ↑ Although Tor Browser is designed to prevent browser activity leaking to disk, the implementation could be faulty, or swap might still leak. Also see The Tor Project blog post Forensic Analysis of Tor on Linux and the full pdf results.
- ↑ A Disposable could be used with a TorVM. For a discussion of TorVM anti-forensics features, see Disposable versus local forensics?.
- ↑ corridor-Gateway itself is not amnesic. The amnesic feature must be implemented by the workstations (and possibly gateways) behind corridor-Gateway.
- ↑ See Cold boot attack.
- ↑ https://github.com/QubesOS/qubes-issues/issues/716
- ↑ Mirror by unman: https://www.qubes-os.org/news/2019/04/17/tor-onion-services-available-again/
- ↑ Having TLS (SSL) supported mirrors may seem like an oxymoron. The common practice is to assume that mirrors are not to be trusted. Even if the mirror owners were trusted persons, it is still an open question how good their server security is. Even if their server security is exceptional, mirrors are generally also hosted in hosting companies and we cannot trust those. However, not all adversaries have extensive capabilities like being capable of mounting man-in-the-middle attacks, breaking server security or forcing the hosting company to turn over the keys and so on. Users who do not use verification are still better off downloading from a TLS supported mirror. Therefore, TLS protected mirrors work well against less sophisticated adversaries. In terms of numbers, this results in fewer users potentially ending up with maliciously altered downloads.
- ↑ It would also be safer if the download server was under the full control of the developers and not under control of a company, the hosting provider. Unfortunately that is not how things work today. Self-hosting is very expensive, requires a fast internet connection (home user contracts are not fast enough), and adequate physical security. Even the servers of The Tor Project are not hosted in a developer's home. This is being elaborated in chapter Trusting the Whonix Website.
- ↑ 81.0 81.1 81.2
Open Source software does not automatically prevent backdoors, unless the user creates their own binaries directly from the source code. People who compile, upload and distribute binaries (including the webhost) could add hidden code, without publishing the backdoor. Anybody can claim that a certain binary was built cleanly from source code, when it was in fact built using the source code with a hidden component. Those deciding to infect the build machine with a backdoor are in a privileged position; the distributor is unlikely to become aware of the subterfuge.
Deterministic builds can help to detect backdoors, since it can reproduce identical binary packages (byte-for-byte) from a given source. For more information on deterministic builds and why this is important, see:
- liberationtech mailing list: Deterministic builds and software trust.
- gitian.org
- As Mike Perry has observed: Current popular software development practices simply cannot survive targeted attacks of the scale and scope that we are seeing today. See: Deterministic Builds Part One: Cyberwar and Global Compromise.
- The Debian wiki tracking progress / development efforts to implement Reproducible Builds for all packages.
- ↑ See Tails Roadmap.
- ↑ See Deterministic Builds Part One: Cyberwar and Global Compromise and Deterministic Builds Part Two: Technical Details.
- ↑ 84.0 84.1 corridor only uses shell scripts.
- ↑ 85.0 85.1 85.2 85.3 To be fair, there are no deterministically built operating systems yet. It is a difficult process and takes a lot of effort to complete. While Debian has around 25,000 reproducible packages in mid-2021, this work has been ongoing since 2013 and is far from done.
- ↑ 86.0 86.1 86.2 86.3 86.4
The first form of backdoor is a vulnerability (bug) in the source code. Vulnerabilities are introduced either purposefully or accidentally due to human error. Following software deployment, an attacker may discover the vulnerability and use an exploit to gain unauthorized access. Such vulnerabilities can be cleverly planted in plain sight in open source code, while being very difficult to spot by code auditors. Examples of this type of backdoor include:
- An attempt to backdoor the kernel.
- The Debian SSL debacle; many argued that this wasn't a bug but in fact a backdoor, as it hadn't been spotted for several years.
It is therefore impossible to claim that non-trivial source code is backdoor-free, because backdoors can be hidden as vulnerabilities. Auditors scrutinizing the source code can only state an opinion about the quality of the source code, and eventually report vulnerabilities if/when they are identified. Assertions that source code is free of computer viruses (like trojan horses) is the only reasonable assertion that can be made. - ↑ 87.0 87.1 87.2 87.3 87.4 Although theoretically possible, there are no mathematically proven bug-free operating systems yet.
- ↑ The upstream distribution is the distribution on which the project is based. Whonix and Tails are based on Debian, thus Debian is their upstream distribution. QubesOS TorVM is based on Qubes OS, which is itself based on Fedora and Xen.
- ↑ See verifiable builds.
- ↑ To discover if Whonix, Tails or TBB is running.
- ↑ Because TorVM's own traffic is not torified.
- ↑ Tails does not support persistent entry guards yet.
- ↑ Operating system updates, use of a host browser and so on.
- ↑ Operating system updates, use of an untorified second browser and so on.
- ↑ Due to package selection, it will probably also reveal that it is an Qubes OS TorVM.
- ↑ Whonix users might tend to have more traffic than TBB users, as operating system updates of Whonix-Workstation (
whonix-workstation-17
) and Whonix-Gateway (whonix-gateway-17
) take place over Tor. It is unknown if the data volume is specific enough to guess a transparent or isolating proxy is in use, or if a significant proportion of other Tor users route a large amount of traffic through Tor (to help disguise Whonix users). Research prior to the foundation of Whonix suggested that a large amount of file sharing occurred via Tor. Classical file-sharing is likely to have far greater upload than Whonix, but it is unclear how many people have disabled upload settings or moved to methods which have minimal upload, such as file hosters. - ↑ The unsafe browser is in use, or other people are sharing the same Internet connection who are not using Tails.
- ↑ See above: Network fingerprint: ISP cannot trivially guess the project type.
- ↑ 101.0 101.1 The Tails Design about Time syncing states:
Our initial time guess based on the Tor consensus is probably easier to fingerprint, though: a fresh Tor is started, and restarted again right after the consensus has been downloaded.
- ↑ Fingerprint for the websites that are visited.
- ↑ Whonix uses the original Tor Browser from The Tor Project, with the only difference being Tor runs on Whonix-Gateway instead of using the locally shipped Tor.
- ↑ 104.0 104.1 Refer to the following Tails resources for the latest status update: (fingerprint) for the websites that you are visiting, evaluate web fingerprint and Tails: Trying to hide the fact one is using Tor.
- ↑ This is the original Tor Browser Bundle from torproject.org.
- ↑ 106.0 106.1 While preventing Tor over Tor, which is recommended.
- ↑ This could probably be installed manually, but users are generally not aware of fingerprinting issues. Further, they usually have trouble in using Tor Browser without the bundled Tor instance - which is of course recommended to prevent Tor over Tor scenarios.
- ↑ Tails and Liberte Linux contain a so called "Unsafe Browser". The Unsafe Browser does not use Tor and it connects in the clear. It is available on these platforms because it is useful for registering on hotspots or for general (non-anonymous) browsing purposes.
- ↑ When using VMs:
- The unsafe browser on the host is untouched, so it is not affected by installing Whonix.
- From Whonix 0.5.6 onwards, there is no unsafe browser. A separate third machine with clearnet access could be configured.
- ↑ Tails Todo: Improve fingerprint of the Unsafe Browser
- ↑ This is useful for keeping the clock synchronized for long running sessions.
- ↑ See also TimeSync.
- ↑ Users who want to hide Tor and Whonix from the ISP should not connect to the public Tor network when starting the platform for the first time.
- ↑ Settings, patches and add-ons.
- ↑ See Tor Browser.
- ↑ See TimeSync.
- ↑ See Tails - Time syncing.
- ↑ It is best when account names are shared among anonymity-focused distributions.
- ↑ https://github.com/ioerror/torbirdy/blob/master/gpg.conf
- ↑ gpg.conf optimized for privacy
- ↑
- ↑
- ↑ As TorVM may not run inside other virtualizers in the first place, although this is untested.
- ↑ systemcheck
- ↑ https://en.wikipedia.org/wiki/AppArmor
- ↑ Additional profiles can be manually installed. Profiles are already enabled by default for Tor, obfsproxy, Tor Browser and many others.
- ↑ https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581
- ↑ https://github.com/Kicksecure/security-misc/tree/master/etc/default/grub.d
- ↑ https://github.com/QubesOS/qubes-issues/issues/2695
- ↑ https://www.whonix.org/wiki/Dev/Strong_Linux_User_Account_Isolation#Bruteforcing_Linux_User_Account_Passwords_Protection
- ↑ See above.
- ↑ Due to anonymity, privacy and security problems associated with Adobe Flash.
- ↑ 133.0 133.1 133.2 133.3 133.4 133.5 133.6 133.7 133.8 If the fingerprint is detailed enough, then linkage of activities and subsequent deanonymization becomes easier.
- ↑ Users can conduct their own checks on https://ip-check.info
- ↑ Whonix developers have also minimized the attack surface, added hardening features and so on. Refer to developer documentation on security and hardening for further details.
- ↑ An application not honoring proxy settings. Example: Tor Browser Bundle: Firefox security bug (proxy-bypass).
- ↑ 138.0 138.1 138.2 138.3 Prevented by the firewall.
- ↑ This occurs when applications leak the user's real IP address. See Whonix Track Record against Real Cyber Attacks for examples where Whonix prevented them. Leaks are often circumvented in Whonix because Whonix-Workstation (
anon-whonix
) is unaware of the real IP address. - ↑ 140.0 140.1 The workstation does not know its own external IP address.
- ↑ 141.0 141.1 141.2 The VM replaces the IP address with an internal LAN IP, which is safe.
- ↑ 142.0 142.1 142.2 Consider the following example. A user visits a website over Tor with a torified browser. The website uses a known or zero day vulnerability to gain remote code execution on the user's machine, and then installs malware.
- ↑ The vulnerability "only" allows the adversary to gain user rights, not root. The adversary could then remotely start the Unsafe Browser in order to discover the user's real IP address. This attack is circumvented by Whonix, because any applications running inside Whonix, including malware, can only connect through Tor.
- ↑ 144.0 144.1 144.2 144.3 144.4 144.5 Tails bug report The Unsafe Browser allows to retrieve the public IP address by a compromised amnesia user with no user interaction contains an example how this attack could be accomplished.
- ↑ The vulnerability "only" allows the adversary to gain user rights, not root. The adversary gains root rights by escalating privileges with a second vulnerability. The adversary is then capable of tampering with iptables rules to make non-Tor connections and so on. This attack is circumvented by Whonix, because the firewall runs on another (virtual) machine. Further, any root applications inside Whonix, including malware with root rights, can only connect through Tor.
- ↑ The vulnerability used allows the adversary to gain root rights. The adversary is then capable of tampering with iptables rules to make non-Tor connections and so on. This attack is circumvented by Whonix, because the firewall runs on another (virtual) machine. Further, any root applications inside Whonix, including malware with root rights, can only connect through Tor.
- ↑ Consider the following example. A user visits a website over Tor with a torified Browser. The website uses a known or zero day vulnerability to gain remote code execution on the user's machine, and then installs malware.
- ↑ A second exploit is then used to break out of the virtual machine. The default Non-Qubes-Whonix and Qubes-Whonix platforms are vulnerable to this attack. Whonix with physical isolation defeats this attack, because the Whonix-Workstation host does not know its real IP address, only Whonix-Gateway does, which is running on another physical machine.
- ↑ This is the same as attack number six, except in this case the adversary uses an extra vulnerability to break into Whonix-Gateway. Whonix is vulnerable to this form of attack.
- ↑ Consider the following example. A user visits a website over Tor with a torified Browser. The website uses a known or zero day vulnerability to gain remote code execution on the user's machine. The default Non-Qubes-Whonix and Qubes-Whonix platforms will fall to this attack, the same as attack number six. Physical isolation defeats this attack in the same manner as per attack number six.
- ↑ 151.0 151.1 White is used as a more neutral color because according to this post by Joanna Rutkowska, exploiting a QubesOS virtual machine is more difficult than exploiting VirtualBox.
- ↑ Consider the following example. A user visits a website over Tor with a torified Browser. The website uses a known or zero day vulnerability to gain remote code execution on the host. The adversary then uses an extra vulnerability to break into Whonix-Gateway. Whonix is vulnerable to this kind of attack.
- ↑ 153.0 153.1 153.2 Fail, because it has already fallen victim to a VM exploit.
- ↑ 154.0 154.1 154.2 This is not usually run behind a physically isolated Whonix-Gateway.
- ↑ Consider the following example. A user visits a website over Tor with a torified Browser, with Tor controlling (processing) the traffic. The adversary uses a vulnerability to gain remote code execution on the user's machine. The machine where Tor is running knows the user's real IP address (Tor control protocol command: getinfo address), unless this machine is itself behind another Gateway which is difficult to configure; see Chaining Multiple Gateways.
- ↑ 156.0 156.1 Unless a user is Chaining Multiple Gateways, which is unfortunately only available to expert users. Whonix is vulnerable to this form of attack.
- ↑ For example, an end-to-end correlation attack. Research has established that Tor is vulnerable to numerous other attack vectors. Any successful attack against Tor, where an anonymity operating system is dependent on it, will naturally deanonymize the user. The exception is users who are Chaining Multiple Gateways, which unfortunately is only available to expert users. Whonix is capable of defeating some attacks against Tor and associated components such as Tor Browser; for example, see the secure and distributed time synchronization mechanism and protocol and fingerprinting leak protection, along with the rest of the Design page.
- ↑ Any backdoor in Tor would be fatal for operating systems which rely upon it, since it would open up an avenue for targeted attacks. Widespread attacks are more likely to be identified.
- ↑ 160.0 160.1 Tails is not yet meant to be used as a server.
- ↑ This is safe in theory, but it is unclear if TorVM supports onion services.
- ↑ 162.0 162.1 Source: https://lists.torproject.org/pipermail/tor-talk/2012-February/023264.html
- ↑ 163.0 163.1 163.2 Because the unsafe browser runs on the VM host which uses NTP, and the torified browser runs inside Whonix-Workstation (
anon-whonix
) which uses sdwdate. - ↑ The VM host time is synchronized with NTP, and operating system time is synchronized with tails_htp.
- ↑ 165.0 165.1 An untorified host browser uses the same clock as TBB.
- ↑ 166.0 166.1 The host and VM clock are both synchronized with NTP, but there still might be a difference since they are synchronized independently.
- ↑ This is important because if the clock skew is too large and/or unique, non-anonymous and anonymous activity might be linked.
- ↑ The time differs because Whonix-Workstation (
anon-whonix
) and Whonix-Gateway (sys-whonix
) use separate sdwdate instances. - ↑ 169.0 169.1 The unsafe browser and torified browser share the same clock via tails_htp
- ↑ 170.0 170.1 170.2 170.3 An attack initiated by an ISP-level adversary.
- ↑ 171.0 171.1 This assumes installation of a regular operating system using NTP which was used earlier, and the introduction of a clock skew by an adversary.
- ↑ Such as running tordate.
- ↑ 173.0 173.1 173.2 Due to a unique clock skew introduced by an adversary.
- ↑ That is, installing new software safely.
- ↑ In Whonix, it is possible to install a (Tor-unsafe) BitTorrent client. In the worst case it would be pseudonymous rather than anonymous, as the IP address would still be hidden.
- ↑ Tails has a firewall to block non-Tor traffic, but an audit at the protocol level is still required. The Tails Security Page notes:
Until an audit of the bundled network applications is done, information leakages at the protocol level should be considered as - at the very least - possible.
- ↑ The user must manually prevent non-Tor traffic, DNS leaks and protocol level leaks.
- ↑ Text, screenshot and video instructions are available.
- ↑ The user must install and set up the Gateway from source code.
- ↑ For examples of what not to do, see DoNot.
- ↑ Documentation
- ↑ https://tails.boum.org/doc/index.en.html
- ↑ https://github.com/Kicksecure/vm-config-dist/blob/master/etc/profile.d/20_power_savings_disable_in_vms.sh
- ↑ 184.0 184.1 184.2 Necessary software is included, but there is no GUI to complete the process. For documentation on this optional configuration, see tunnel introduction.
- ↑ 185.0 185.1 185.2 Tails status for VPN support: https://gitlab.tails.boum.org/tails/tails/-/issues/5858
- ↑ By configuring the NetVM of the TorVM as a VpnVM.
- ↑ https://tails.boum.org/contribute/design/#index42h3
- ↑ See Browser Plugin Security and Browser Plugins.
- ↑ Tails status for Flash support: https://gitlab.tails.boum.org/tails/tails/-/issues/5363
- ↑ https://en.wikipedia.org/wiki/Ricochet_%28software%29
- ↑ Ricochet has been broken since Whonix 15 despite all efforts to fix it, see: Ricochet IM.
- ↑ Tails wishlist.
- ↑ Filezilla works out of the box, but is not pre-installed.
For Tor Browser and/or wget, users could experiment with
TrackHostExits
. Further information onTrackHostExits
can be found here and here. - ↑ Tails status for FTP support: https://gitlab.tails.boum.org/tails/tails/-/issues/6096
- ↑ Users can install any download manager, preferably using SocksPort, although TransPort works as well. wget -c (pre-configured to use SocksPort) has also been tested to work.
- ↑ Users can manually install any download manager in Tails. It only needs configuration to use the proper SOCKS proxy.
- ↑ Hidden services can be used without IP address / DNS leaks, see onion service support. No GUI is available to setup an onion service, but it works well nonetheless.
- ↑ This is possible via ordinary torrc mechanisms; see Persistence preset: Tor state
- ↑ Tails server: Self-hosted services behind Tails-powered Tor onion services
- ↑ When using VMs, this can be easily achieved on the host. For users relying on physical isolation, from Whonix 0.5.6 onward there is no unsafe browser. A separate third machine with clearnet access could also be configured.
- ↑ Tails has a unsafe browser for such tasks.
- ↑ The host operating system mechanism can be used.
- ↑ See onion-grater, a Tor Control Port Filter Proxy, design documentation.
- ↑ 204.0 204.1 204.2 The option is just as effective as comparable platforms, like Debian.
- ↑
This option is fully functional in Tails, despite the quote below - see the additional footnote.
As noted on the Tails' website, https://tails.boum.org/doc/anonymous_internet/Tor_Browser/index.en.html#new-identity:
This feature is not enough to strongly separate contextual identities in the context of Tails as the connections outside of Tor Browser are not restarted.
Shutdown and restart Tails instead.
- ↑ See I2P.
- ↑ See RetroShare.
- ↑ https://github.com/Kicksecure/vm-config-dist/tree/master/usr/lib/systemd/system
- ↑ VirtualBox shared folders.
- ↑ KVM shared folders.
- ↑ https://github.com/Kicksecure/usability-misc/blob/master/etc/default/grub.d/30_screen_resolution.cfg
- ↑ https://github.com/Kicksecure/debug-misc/blob/master/debian/control
- ↑ https://www.whonix.org/wiki/Desktop#RAM_Adjusted_Desktop_Starter
- ↑ https://github.com/Kicksecure/rads
- ↑ See Bridges.
- ↑ meek_lite is available from Whonix 14.
- ↑ https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/10-tor.sh
- ↑ Manual configuration is required, see: Snowflake.
- ↑ https://forums.whonix.org/t/replacing-meek-snowflake/5190
- ↑ https://gitlab.tails.boum.org/tails/tails/-/issues/5494
- ↑ Permission is granted by adrelanos (Patrick Schleizer) for anyone editing this page to shift the content to a more neutral place, like Wikipedia. Should it be required, Schleizer would also agree to dual / multi / re-licensing of this page under a different Free (as in speech) license, such as GFDL. Note that moving the article to Wikipedia is difficult to achieve anonymously, since they do not allow Tor user edits (and most people interested in this article are Tor users).
- ↑ Subgraph OS has been removed from this list; the distribution has not released an ISO since 2017.
We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!