Jump to: navigation, search

Comparison with Others

Introduction[edit]

This page contains the comparisons of Whonix, Tails, Tor Browser and Qubes OS TorVM. If anything here is incorrect or becomes outdated feel free to edit this page or contact us, we'll correct as soon as possible. See also #Statement about Neutrality of this Page.

Last update[edit]

Whonix Tails Tor Browser Qubes OS TorVM corridor (tor-talk)
Version [1] 8 0.16 [2] 3.5 0.1.3 (?)
Status This wiki page is up to date. There is a newer version. The information on this page could be outdated. This wiki page is up to date. There is a newer version. The information on this page could be outdated. This wiki page is up to date.

General[edit]

Whonix Tails Tor Browser Qubes OS TorVM corridor
Focus on anonymity, privacy and security Yes Yes Yes Yes Yes
Type General purpose OS available as VM images and physical isolation Live DVD / Live USB Portable browser General purpose OS, VM plugin for Qubes OS Tor traffic whitelisting gateway
Supported hardware x86 compatible and/or VirtualBox + [3] x86 compatible and/or Virtual Machines Windows, Linux, Mac and Virtual Machines Any capable of running Qubes OS, see System Requirements and HCL. any Linux (?)
Based on Tor, Debian [4] and a Virtualizer [5] (VirtualBox) when not using Physical Isolation Tor, Debian Tor, Firefox Tor, Qubes OS, Fedora iptables, sh
Gateway and torify any operating system [6] Yes [7] Not a torifying Gateway. Not a torifying Gateway. Yes [8] Not a torifying Gateway.
Live DVD No Yes No No No
Live USB No Yes No No No
USB Bootable Yes [9] Yes Yes [9] Yes [9] Yes [9]
USB Installer Feature No [10] Yes [11]  ?  ? No
Requires VirtualBox [12] If not using Physical Isolation, yes. [5] No No No No
Requires VMware [12] No No No No No
Requires Qubes OS [12] No No No Yes No
System requirements higher lower lowest highest lowest
Can run in VirtualBox Yes Yes, but not recommended. [13] Yes, but (?) No. [14] (?)
Can run in VMware Yes, but not recommended and unsupported.[15] Yes, but not recommended. [13] Yes, but (?) No. [16] (?)
Can run in Qubes OS Probably yes, but needs some work. [17] Probably yes, as HVM (?), but without security features provided by an Isolating Proxy. Probably yes, but without security features provided by an Isolating Proxy. Yes (?)
Persistence (custom installed applications and user data can be stored and survive reboot) Full Optional for Live USB Yes [18] Full Full
Number of developers one with lots of anonymous contributions multiple multiple multiple one
Maturity project since 2012 established, respected project for many years established, respected project for many years project since 2012 project since 2014
Open Source Yes Yes Yes Yes Yes
Non-Anonymous Developers [19] Yes No Yes Yes No (?)

Security[edit]

Network[edit]

Whonix Tails Tor Browser Qubes OS TorVM corridor
Responsible for building Tor circuits Tor client running on Whonix-Gateway Tor client running on workstation Tor client running on workstation Tor client running on TorVM (Gateway) Tor client running behind corridor-Gateway
Protection against IP/location discovery [20] on the Workstation. [21] Yes [22] No [23] No [23] Yes No [24]
IP/DNS protocol leak protection Full [25] Depends [26] Depends [26] Full Depends
Workstation does not have to trust Gateway No Not a gateway. Not a gateway. No Yes
Takes advantage of Entry Guards[27] Yes No Yes Yes Not applicable. [28]

Stream Isolation[edit]

Whonix Tails Tor Browser Qubes OS TorVM corridor
Stream Isolation [29] Yes [30] Yes [31] See [32][33] Manually [34] Yes
Enforces Stream Isolation when one of X Workstations behind the same Gateway are compromised in default configuration [35] No Not a gateway. Not a gateway. No Yes [28]
Can enforce Stream Isolation when one of X workstations are compromised with special configuration [35] Yes [36] Not a gateway. Not a gateway. Yes [37] Yes [38]
Stream isolation in Tor Browser No [32] No [32] No [32] No [32] No [32]

Updates[edit]

Whonix Tails Tor Browser Qubes OS TorVM corridor
Operating System Updates persist once updated Incremental upgrades in testing [39] persist once updated persist once updated persist once updated
Update Notifications Yes [40] Yes Yes Yes  ?
Important News Notifications Yes [41] Gnome libnotify notification pops up with a link  ? [42]  ?  ?

Hardware Serials[edit]

Whonix Tails Tor Browser Qubes OS TorVM corridor
Hides hardware serials from malicious software with default settings Yes [43] No [44] No [44] Yes No [44]
Hides hardware serials from malicious software when additional hardware is assigned No No No No No
No collection of hardware serials Yes Yes Yes Yes Yes
Hides your MAC address from websites Invalid [45] Invalid [45] Invalid [45] Invalid [45] Invalid [45]
Hides your MAC address from local LAN [46] No, see. [47] Yes [48] No No Not applicable.
Hides your MAC address from applications Yes [49] No No Yes, by default, unless...[50] Not applicable.

Forensics[edit]

Whonix Tails Tor Browser Qubes OS TorVM corridor
Amnesic No [51] Yes [52] No [53]  ? [54] Not applicable. [55]
Local Disk Encryption Should be applied on host. Yes, for persistent USB. Should be applied on host. Should be applied on host. Should be applied on host.
Cold Boot Attack Protection [56] No Yes No No, planned. [57] No

Verifiable Builds[edit]

Whonix Tails Tor Browser Qubes OS TorVM corridor
Deterministic Builds[58] No No Yes [59] No Not applicable. [60]
Based on a Deterministically Built[58] Operating System No [61] No [61] No [61] No [61] No [61]
Verifiably no backdoor in the project's own source code Invalid [62] Invalid [62] Invalid [62] Invalid [62] Invalid [62]
Verifiably vulnerability[63] free No [64] No [64] No [64] No [64] No [64]
Verifiably no hidden source code[65] in upstream distribution/binaries[66] No [67] No [67] No [67] No [67] No [67]
Project's binary builds verifiably created from project's own source code (no hidden source code[65] in the project's own source code) Yes [68] No Yes  ? Not applicable. [60]

Fingerprint[edit]

Whonix Tails Tor Browser Qubes OS TorVM Corridor
Network/Web Fingerprint Whonix Fingerprint Page Tails Fingerprint Page TBB traffic is tunneled through Tor. Host traffic passes clearnet. (?) (?)
Network fingerprint: ISP can not trivially guess project type [69] Yes Yes Yes No [70] Yes
Network fingerprint: ISP can not guess, that a non-persistent Tor directory is being used Yes No, because not yet supporting persistent Entry Guards[71]. Yes (?) Yes
Clearnet traffic All Whonix-Gateway and Whonix-Workstation traffic is tunneled through Tor. Host traffic (operating system updates, eventually host browser etc.) uses clearnet. None, unless other users sharing the same internet connection are not using Tails. TBB traffic is tunneled through Tor. Host traffic (operating system updates, eventually untorified second browser etc.) uses clearnet. Gateway is not torified, thus emitting clearnet traffic and probably due to package selection, revealing that it is an Qubes OS TorVM. Gateway is not torified, thus emitting clearnet traffic.
Network fingerprint: ISP can guess which anonymity software is being used because of ratio of Tor and clearnet traffic Unknown. [72] Can guess a Tor Live DVD is being used, unless Unsafe Browser is in use or other people sharing same internet connections not using Tails.  ? Not applicable. [73] (?)
Network fingerprint: ISP can not guess which anonymity software is being used because of tordate [74] Yes, does not include tordate. No, if clock is too much off when booting. [74] No, not an operating system. Yes, does not include tordate. Yes, does not include tordate.
Web fingerprint [75] Same as TBB. [76] Not exactly same as TBB. [77] TBB. [78] Does not include Tor Browser.[79] [80] Not applicable.
Unsafe browser fingerprint [81] [82] [83]  ?  ?  ?
Network Time Synchronization runs at Randomized Times when booting [84] No. No. Not an operating system, not including Network Time Synchronization. Not including Network Time Synchronization. Not including Network Time Synchronization.
Network Time Synchronization runs at Randomized Times when during Session [84] Yes [85] Does not continuously run Network Time Synchronization. Not an operating system, not including Network Time Synchronization. Not including Network Time Synchronization. Not including Network Time Synchronization.
Pulling Update notifications and News at Randomized Times Yes [86]  ? [84]  ? [84]  ? [84]  ? [84]
Connection Wizard preventing one from unwanted and accidental connections to the public Tor network [87] Yes  ?  ?  ?  ?
Includes Tor Browser from The Tor Project Yes No Yes No No
Privacy Enhanced Browser[88] Yes, Tor Browser Yes, Iceweasel + Patches [89] [77] Yes, Tor Browser No Not applicable.
Secure Distributed Network Time Synchronization Yes [90] Yes [91] No No No
Hides your time zone (set to UTC) Yes Yes Yes No Not applicable.
Hides your operating system account name [20] [21] [92] Yes, set to user. Yes, set to amnesia. No Yes, set to User. Not applicable.
Secure gpg.conf [93] [94] Yes Yes Not an operating system. Not an operating system. Not an operating system.
Privacy enhanced IRC client configuration. Yes Yes Not an IRC client. Not an operating system. Not an IRC client.

Misc[edit]

Whonix Tails Tor Browser Qubes OS TorVM corridor
Warn when run in a virtualizer which is unsupported and/or recommended against by project developers. Yes Yes Not necessary? No such issue? [95] Not applicable.

Flash / Browser Plugin Security[edit]

Note: It is not recommended to install browser plugins such as Flash [96] when anonymity is the goal.

Flash Tracking Technique Whonix-Workstation Tor on host
Proxy bypass IP leak Protected. Insecure, leads to deanonymization.
Protocol IP leak Protected. Insecure, leads to deanonymization.
Flash Cookies Reduce anonymity to pseudonymity. Recommended to delete Flash Cookies. Can link your clearnet Flash activity to your Flash activity over Tor, which leads to deanonymization (or at least a good guess) if the skew is big and rare. Also useful for fingerprinting, which is bad. [97]
Number of installed fonts. The number of fonts inside Whonix-Workstation and your clearnet/host operating system will differ, which is good. Same fonts are reported for your clearnet and your Tor Flash activity, which is bad. [97]
Exact flash player version. Shared among much people [98], which is good. Not too useful for fingerprinting. Probably different from your clearnet/host operating system, which would be good. Same version is reported for your clearnet and for your Flash activity over Tor, which is bad. [97]
GNU/Linux Kernel version. Shared among much people [98], which is good. Not too useful for fingerprinting. Same version is reported for your clearnet and for your Flash activity over Tor. [97]
Language. Set to en_US for all Whonix users. Your local language setting. Useful for fingerprinting and anonymity set reduction, which is bad. [97]
Exact date and time. Differs from your clearnet/host operating system, which is good. (See TimeSync for details.) Same time/clockskew is reported for your clearnet and your Tor Flash activity, which is bad. [97]
Exact screen resolution and DPI. Shared among all Whonix users, who did not install VirtualBox Guest Additions, which is recommended against. (See Protocol-Leak-Protection and Fingerprinting-Protection for details.) Even if you changed it, the screen resolution and DPI, it will differ from your clearnet/host operating system (as long you didn't install guest additions), which is good. Same screen resolution and DPI is reported for your clearnet and Tor use, which is bad. [97]
Full path to your flash plugin. Shared among much people [98], which is good. Depends on your clearnet/host operating system. In worst case it could contain your operating system user name, which is even worse if that is your real name. Same path to your flash plugin is reported for your clearnet and Tor use, which is bad. [97]
Anything else. (Check that yourself on http://ip-check.info.) Assume reduction from anonymity to pseudonymity. Even more possibilties for fingerprinting and linking, which is bad. [97]
Conclusion IP/location/identity will still be hidden inside Whonix-Workstation. Assume it to be pseudonymous rather than anonymous. Flash over Tor (on the host, without something like Whonix) is totally unsafe. In case you also ever use(ed) Flash over clearnet, linkability is possible. Assume the Flash fingerprint to be that strong, that your clearnet and your Tor Flash activity can be linked together, which leads to deanonymization.

For more information about Flash and Browser Plugins in Whonix, see also Browser Plugins.

Attacks[edit]

Circumventing Proxy Obedience Design[edit]

Knowledge assumed:

  • Comparison of different Whonix variants.
  • Unsafe Browser: Tails and Liberte Linux contain a so-called Unsafe Browser. The Unsafe Browser does not use Tor. It connects in the clear. It is useful to register on hotspots or to view content in the clear without Tor.
  • Exploit against physically isolated Whonix-Gateway: difficult against a bare metal physical isolated Whonix-Gateway. This is because Whonix-Workstation can only access Tor running on Whonix-Gateway. We minimized attack surface, hardening etc. See the whole Security and Hardening page for details.
  • TBB stands for Tor Browser Bundle.
  • In the following table,
    • "Fail" is defined as "IP/location of user is compromised.".
    • "Safe" is defined as "IP/location of user is hidden behind Tor.".

Whonix protects against IP/location discovery through root exploits (Malware with root rights) on the Workstation [21]. This does not mean you should deliberately place yourself at risk to become infected with malware. Do not! It would still make all data inside Whonix-Workstation available to the attacker. Again, Whonix is not a perfect system. It cannot be. Whonix is not unbreakable. What Whonix does is increase the effort required by an attacker to find out the user's real IP address, thus de-anonymizing the user. The following table visualizes the various defense layers provided by Whonix.

Attack Whonix Default Whonix Physical Isolation Tails Tails in a VM TBB TBB in a VM Qubes OS TorVM corridor
1. Proxy Bypass IP leak [99] Safe [100] Safe [100] Safe [100] Safe [100] Fail Fail Safe Safe
2. Protocol IP leak [101] Safe [102] Safe [102] Fail Safe [103] Fail Safe [103] Safe Safe [103]
3. Exploit + Unsafe Browser [104] Safe Safe Fail Fail Fail Fail Safe Fail
4. Exploit + Root exploit + Unsafe Browser [105] Safe Safe Fail Fail Fail Fail Safe Fail
5. Root exploit + Unsafe Browser [106] Safe Safe Fail Fail Fail Fail Safe Fail
6. Exploit + VM exploit + Unsafe Browser [107] Fail Safe Fail Fail Fail Fail Fail Fail
7. Exploit + VM exploit + Exploit against physically isolated Whonix-Gateway [108] Fail Fail Fail Fail Fail Fail Fail Fail
8. VM exploit [109] Fail Safe Safe Fail Safe Fail fail, see [110] Fail
9. VM exploit + Exploit against physically isolated Whonix-Gateway [111] Fail Fail Safe Fail [112][113] Safe Fail [112][113] fail, see [110] [112][113] Fail
10. Exploit against Tor process [114] Fail [115] Fail [115] Fail Fail Fail Fail Fail Fail
11. Attack against the Tor network [116] Fail Fail Fail Fail Fail Fail Fail Fail
12. Backdoor [117] [58] Fail Fail Fail Fail Fail Fail Fail Fail
13. Hidden service domain name security after server software exploit Safe [118] Safe [118] Fail Fail Not an operating system. Not an operating system.  ? [119] Fail

Network Time related[edit]

Knowledge assumed:

  • Whonix Design: TimeSync
  • Tails Design: Time syncing
  • In the following table,
    • "(VM host) update/crypto block" is defined as: Can prevent (VM host) operating system updates and cryptographic verification such as for SSL verification in (VM host) browser.
    • "u/c-block" is defined as: update/crypto block
    • "Tor blocked" is defined as: Can prevent connections to the Tor network until clock gets manually fixed.
    • "big clock skew" is defined as: more than 1 hour in past or more than 3 hour in future. [120]
    • "small clock skew" is defined as: less than 1 hour in past or less than 3 hour in future. [120]
Whonix Default Whonix Physical Isolation Tails Tails in a VM TBB TBB in a VM Qubes OS TorVM
VM host time synchronization mechanism NTP Gateway: There is no VM host.; Workstation host: NTP There is no VM host. Same as operating system synchronization mechanism NTP There is no VM host. NTP NTP
Operating system synchronization mechanism sdwdate sdwdate tordate and tails_htp tordate and tails_htp NTP NTP (?)
If clock is too much off Tor blocked Tor blocked tordate will fix it. tordate will fix it. Tor blocked Tor blocked Tor blocked
VM host time differs from operating system time Yes, [121] Yes, [121] There is no VM host. Yes. [122] No. [123] Maybe. [124] No
Unsafe browser time differs from torified browser time. [125] Yes. [121] Yes. [126] No. [127] No. [127] No. [123] Maybe. [124] No
Big clock skew attack against NTP [128]: VM host effects u/c-block VM host u/c-block There is no VM host. VM host u/c-block There is no VM host. VM host u/c-block u/c-block
Big clock skew attack against NTP [128]: operating system effects Tor blocked Tor blocked [129]; tordate will fix it. [129]; tordate will fix it. Tor blocked; u/c block Tor blocked; u/c block Tor blocked
Fingerprintable reaction [130] when big clock skew attack was used No, fails the same way TBB fails. No, fails the same way TBB fails. Probably yes, see Fingerprint section above. Probably yes, see Fingerprint section above. TBB TBB No
Small clock skew attack against NTP [128], VM host effects: VM host u/c block ? VM host u/c block ? There is no VM host. VM host u/c block ? VM host u/c block ? VM host u/c block ? VM host u/c block ?
Small clock skew attack against NTP [128], operating system effects: Whonix VMs: sdwdate will fix it. sdwdate will fix it. VM: tails_htp will fix it. tails_htp will fix it. If the user visits a page which is under observation by the adversary, the adversary knows who is connecting. [131] If the user visits a page which is under observation by the adversary, the adversary knows who is connecting. [131] If the user visits a page which is under observation by the adversary, the adversary knows who is connecting. [131]

Usability[edit]

Whonix Tails Tor on the host Qubes OS TorVM corridor
Difficulty to install additional software while IP remains hidden [132] easy [133] medium [134] hard [135] easy medium
Difficulty to initially install the anonymity software medium [136] easy easy easy (?) difficult [137]
Required knowledge to prevent the user shooting its own feet [138] hard hard hard hard hard
Pre-installed applications Not many. [139] Nice selection. None. Not many. (?) Not applicable.
Host clock too much off No connection to the Tor network until clock gets manually fixed. Uses tordate to fix it. No connection to the Tor network until clock gets manually fixed. No connection to the Tor network until clock gets manually fixed. (?)

Features[edit]

Whonix Tails Tor Browser Qubes OS TorVM
Default Desktop KDE GNOME Whatever the user has installed. Not an operating system. KDE or Xfce4
Multi language support No Yes Yes  ?
Fits on a DVD. No Yes Not an operating system.  ?
VPN support: user -> VPN -> Tor -> destination Can be manually installed. [140] No [141] Can be manually installed. (?) Yes
VPN support: user -> Tor -> VPN -> destination Can be manually installed. [140] No [141]  ? Yes [142]
VPN support: user -> VPN -> Tor -> VPN -> destination Can be manually installed. [140] No [141]  ? Yes
IRC client pre-configured for privacy Yes (XChat) Yes (Pidgin) Not an operating system. No
Flash Support Can be manually installed. [143] No [144]
Mixmaster over Tor Yes [145] No Not an operating system. No.
TorChat[146] [79] Can be manually installed. [147] Not supported. [148] Not applicable.  ?
FTP Support Partial [149] No? [150] Not an operating system.  ?
Download Manager Can be manually installed. [151] Can be manually installed. [152]  ?  ?
Webmail can be used in browser Yes Yes Yes Yes
E-Mail Client Can be manually installed. [153]  ? [154]  ?  ?
Hidden service support Can be manually installed. [155] Can be manually installed. [156]  ?  ?
Hidden Server configuration GUI No No [157]  ?  ?
Support for free wifi hotspots Yes [158] Yes [159] Yes [160]  ?
Works on 32 bit PCs Yes Yes Yes No [161]
Works on 64 bit PCs Yes Yes Yes Yes
32 bit builds Yes Yes Yes No [161]
64 bit builds Could be manually created. [162] [163] No Yes  ?
64 bit builds can be created from source code Yes [163]  ?  ? Yes [164]
Host Kernel When using VMs, can be any supporting VirtualBox.; When using Physical Isolation: Not applicable. When using VMs, can be any supporting Virtualizer.; When not using VMs: Not applicable.  ?  ?
i486 Kernel for compatibility Yes Yes Not an operating system. Up to the user. No
686-pae Kernel Yes Yes Not an operating system. Up to the user.  ?
64 bit Kernel Could be manually installed or a 64 bit build could be manually created. [163] No. Not an operating system. Up to the user.  ?
Kernel Autodetection at Boot Time No Yes Not a distribution. Not applicable.  ?
Video/Streaming Software Can be manually installed. Can be manually installed. Not an operating system. Can be manually installed.
Control Port Filter Proxy Yes [165] No No No
TBB version 3 about:tor success message Yes  ?  ?  ?
Functional new identity button in Tor Button Yes  ?  ?  ?
Default Browser set to Tor Browser Yes  ?  ?  ?
File/Link Open Confirmation Yes  ?  ?  ?
i2p over Tor Can be manually installed. [166]  ? Not an operating system. Can be manually installed. (?)
JonDonym over Tor Can be manually installed. [167]  ? Not an operating system. Can be manually installed. (?)
RetroShare over Tor Can be manually installed. [168]  ? Not an operating system. Can be manually installed. (?)

Circumvention[edit]

Whonix Tails Tor Browser Qubes OS TorVM corridor
obfs2 Yes [169] Yes Yes (?) (?)
obfs3 Yes [169] Yes Yes (?) (?)
Flash Proxy Bridges Untested. [169] No Yes (?) (?)
Other Censorship Circumvention Tools (?) (?) (?) (?) (?)

Conclusion[edit]

Different threat model, different implementation, different use cases, although some overlap. Different political and design decisions.

Statement about Neutrality of this Page[edit]

General[edit]

It is difficult to make a 100% neutral comparison since the main contributors to this page are mostly Whonix users. We still believe that having this non-perfect page is better than having no such page. Please also keep in mind that this page also could have been anonymously posted elsewhere (Wikipedia?). The contributors to this page decided to attach their pseudonyms.

We allow anonymous edits, and those we approve are usually published within a short time. Should anything still be wrong, feel free to edit it right away. The whole article is under a Free (as in speech) license, under GPLv3+, so if anyone is interested in editing this page to a more neutral place (such as Wikipedia?), adrelanos would be fine with that. Adrelanos would also agree to dual/multi/re-licensing this page under a different Free (as in speech) license (such as GFDL or so), should that be required. Ironically, moving the article to Wikipedia wouldn't work so well (adrelanos would still be fine with that!), since Wikipedia does not allow edits made by Tor users, and most people interested in this article are Tor users.

Different views[edit]

One has always to be very careful, when talking about others. Especially, when talking about advantages and disadvantages. Different opinions are accepted and listed here.

See also[edit]

Comparison Of Tor with CGI Proxies, Proxy Chains, and VPN Services

Footnotes[edit]

  1. At the time of comparing.
  2. There is a newer version. The information on this page could be outdated.
  3. Custom-Workstation: self made builds can run on any real or virtual hardware as long as they are behind a Whonix-Gateway. Tor Browser binaries are only available for a limited amount of platforms (Windows, Linux, BSD, Mac).
  4. Whonix-Workstation: also Other Operating Systems are supported.; Whonix-Gateway: In long term we are also agnostic about any other secure distributions. The concept is agnostic, you could use another operating system as base, but it requires effort.
  5. 5.0 5.1 Default downloads are for VirtualBox. (Subject for change in future.) Physical Isolation is an optional security feature for advanced users. Experimental optional support for VMware. You can build your own images for other virtualizers, but it requires some work. (See Dev/Other_Virtualization_Platforms.)
  6. For advanced users.
  7. See Other Operating Systems.
  8. See also HVM.
  9. 9.0 9.1 9.2 9.3 You can install your host operating system on USB.
  10. Whonix has no nice USB installer. Installing operating system on USB is recommended and left to the user.
  11. Tails has a nice USB installer.
  12. 12.0 12.1 12.2 In neutral blue color, because its in the nature of the project to require or not require this virtualizer.
  13. 13.0 13.1 https://tails.boum.org/contribute/design/virtualization_support/
  14. Red color, because that highers the bar for the effort new users must undertake to try it out.
  15. Only available as a gimmick, experimental, a proof of concept. See VMware. Not recommended, because VMware is closed source. Not supported and untested by any Whonix developers.
  16. Neutral color, because Qubes OS is Open Source while VMware is closed source and should therefore not be encouraged.
  17. See Dev/Other_Virtualization_Platforms.
  18. You can download files and keep them, save bookmarks and passwords depending on your settings.
  19. Why does this matter? As long as Deterministic Builds (discussed below) are not standard, (non-)anonymous developers might imply trust. Also related to reputation, formal education and expertise.
  20. 20.0 20.1 From root exploits, i.e. Malware with root rights
  21. 21.0 21.1 21.2 The Workstation is the place where the browser, IRC client and so on is running. The Gateway is the place where Tor and the firewall is running.
  22. Whonix has Protection against IP/location discovery through root exploits (Malware with root rights) inside Whonix-Workstation. But you should really not test it. In case Whonix-Workstation gets rooted, the adversary can not find out the user's real IP/location. This is because Whonix-Workstation can only connect through the Whonix-Gateway. How difficult is it to compromise Whonix? See Attack on Whonix and Design. More skill is required.
  23. 23.0 23.1 In case Tails or TBB gets rooted, the adversary can simply bypass the firewall and get the user's real IP.
  24. Not designed for that purpose. A compromised application could contact a colluding Tor relay.
  25. Such kinds of leaks are impossible in Whonix, since the Whonix-Workstation is unaware of its external IP.
  26. 26.0 26.1 Please read Whonix security in real world first. When applications in Tails are configured wrong, due to a bug in Tails or the application, IP can leak. Quoted from the Tails Security Page: "Until an audit of the bundled network applications is done, information leakages at the protocol level should be considered as - at the very least - possible."
  27. https://www.torproject.org/docs/faq.html.en#EntryGuards
  28. 28.0 28.1 Since it's up to the clients behind corridor-Gateway to build their own Tor circuits.
  29. Protection against identity correlation through circuit sharing
  30. For details, see Stream Isolation.
  31. Tails separate Tor streams
  32. 32.0 32.1 32.2 32.3 32.4 32.5 Tor Browser should set SOCKS username for a request based on referer
  33. Tor Browser comes with its own Tor instance. It's just a browser, not a live system or operating system.
  34. One has to configure it's applications manually to use stream isolation. In comparison, yes means, that pre-installed applications (such as wget, ssh, curl, apt-get) are pre-configured to use stream isolation.
  35. 35.0 35.1 In case workstation x1, x2, ..., xn are behind the same gateway y.
  36. By using Multiple Whonix-Gateways or by using encrypted and/or authenticated Connection Between Whonix-Gateway and Whonix-Workstation.
  37. By running multiple TorVMs.
  38. Enforces Stream Isolation when one of X Workstations behind the same Gateway are compromised in default configuration, see above.
  39. https://tails.boum.org/news/test_incremental_upgrades/index.en.html
  40. See whonixcheck, Whonix News.
  41. See Whonix News.
  42. They could use their browser https://check.torproject.org? They never did it, not even when there was this popular exploit.
  43. See Protocol-Leak-Protection and Fingerprinting-Protection for details.
  44. 44.0 44.1 44.2 By default of course these information are not sent to anyone. This is only at risk in case the machine gets compromised by malware. See also, Are hardware serial numbers hidden in TAILS?.
  45. 45.0 45.1 45.2 45.3 45.4 It is in the nature of the MAC addresses, that destination servers can not see them. Therefore yes, always hidden from destination servers.
  46. Sometimes from ISP. Most ISPs do not see the MAC addresses of their clients. But some ISPs are based on LANs, in that case they can see the MAC address. Also hotspots can see the MAC address.
  47. Please read Whonix in public networks / MAC Address.
  48. Tails >= 0.23 spoofs MAC address. Can be disabled.
  49. The virtual MAC address for Whonix-Gateway's internal network interface (eth1) is shared among all Whonix users, because Whonix-Workstation can see it. However, Whonix-Workstation can not see Whonix-Gateway's external network cards (eth0) MAC address.
  50. Unless you assign a physical network card to the virtual machine.
  51. There are no special measures to limit what is written to disk. This includes (non exclusive list) user created files, backup files, temporary files, swap, chat history, browser history and so on. Whonix acts like an ordinary installed operating system. It can also not be prevented, that the host memory swaps to the host disk. There is a Recommendation to use multiple VM Snapshots and it is recommended to apply Full Disk Encryption on the host. This is the price, Whonix has to pay, because many features could be more easily added to Whonix or can be easily installed by the user this way.
  52. Done by design.
  53. Although it does not try to store to disk, swap can still leak. See also torproject's blog post Forensic Analysis of Tor on Linux and its results in form of a pdf.
  54. A Disposable VM can be used with a TorVM. To find out what antiforensics features they have or not have, see Disposable VM versus local forensics?.
  55. It's up to the workstations (and possibly gateways) behind corridor-Gateway to implement the amnesic feature. corridor-Gateway itself is not amnesic.
  56. See Cold boot attack.
  57. http://qubes-os.org/trac/ticket/716
  58. 58.0 58.1 58.2 Open Source does not automagically prevent backdoors, unless the user creates its own binaries from source code itself. The ones who compile, upload and distribute (also the webhost) the binaries could add a hidden code without publishing the backdoor code. Nothing prevents one to claim, that a certain binary has been built from a clean source code, while the binary was actually built by the source code plus the backdoor code. Also the ones who may have infected the build machine with a backdoor are in position to add a backdoor without the distributor being aware of it. Deterministic builds can detect backdoors. For more information on deterministic builds and why this is important, see:
  59. See Deterministic Builds Part One: Cyberwar and Global Compromise and Deterministic Builds Part Two: Technical Details.
  60. 60.0 60.1 Just shell scripts.
  61. 61.0 61.1 61.2 61.3 61.4 To be fair, there are no deterministically built operating system yet. It would take lots of effort to create one and its far from easy. When you search through the websites / mailing list archives of Open Source operating systems, you notice, that there is not even yet awareness of this issue.
  62. 62.0 62.1 62.2 62.3 62.4 A backdoor can either be a vulnerability as in a bug in the source code. Vulnerabilities can get introduced by accident (human error) or on purpose. Once the software has been deployed and the vulnerability has been found, it might happen, that an attacker uses an exploits to gain unauthorized access. Such vulnerabilities (or purposely planted backdoors) can, with cleverness, be planted in Open Source code plain sight, while being very difficult and unlikely to be spotted by people looking at the code. Examples: Another form of a backdoor is adding the full code (or binary) of trojan horse (computer virus) to the binary build, while not publishing the extra source code and keeping that secret code. The latter, can only be detected with Deterministic Builds, which are discussed above.
    Therefore it is impossible to claim that non-trivial source code is backdoor free, because a backdoors can be hidden as vulnerabilities. Auditors scrutinizing the source code can only state their opinion about the quality of the source code and eventually report a vulnerability. It can only be reasonably easily checked, if the source code is free of computer viruses (for example, trojan horses), not backdoors.
  63. https://en.wikipedia.org/wiki/Vulnerability_(computing)
  64. 64.0 64.1 64.2 64.3 64.4 Although possible (in theory?), there are no mathematically proven bug free operating systems yet.
  65. 65.0 65.1 Hidden source code is defined as code, which gets added by an adversary, who compromised a build machine or by the person who builds (compiled) a binary builds before building the binary build. The secret source code will not be published and it will look like (or claimed) that the software was built from the source code, which has been published. The most reliable method to detect such hidden code (added on purpose or due to build machine compromise) is to compare Deterministic Builds, which are discussed above. (Other methods, such watching the traffic, only have good chances to spot a backdoor, when the backdoor is used in many cases. Even less likely backdoors are found through reverse engineering, because very few people are using a disassembler.
  66. The upstream distribution is the distribution on which the project is based on. Whonix and Tails are based on Debian, thus Debian is their upstream distribution. QubesOS TorVM is based on Qubes OS, which itself is based on Fedora and Xen.
  67. 67.0 67.1 67.2 67.3 67.4 No, since the upstream software is not deterministically built. See above to learn about Deterministic Builds.
  68. See Trust#Verifiable Builds.
  69. Find out if Whonix, Tails or TBB is running.
  70. Because TorVM's own traffic is not torified.
  71. https://www.torproject.org/docs/faq.html.en#EntryGuards
  72. Whonix users might tend to have more traffic than TBB users, due to operating system updates of Whonix-Workstation and Whonix-Gateway through Tor. Unknown if this is specific enough to guess a transparent or isolating proxy is being used or if enough other Tor users run big enough amounts of traffic through Tor. Research before Whonix was created has shown that big amounts of file-sharing traffic were run through Tor. Classical file-sharing tends to have more upload than Whonix, but it's also unknown how many people disabled upload or moved to methods which do not involve much upload, such as file hosters.
  73. See above, "Network fingerprint: ISP can not trivially guess project type".
  74. 74.0 74.1 Quoted from the Tails Design about Time syncing: "Our initial time guess based on the Tor consensus is probably easier to fingerprint, though: a fresh Tor is started, and restarted again right after the consensus has been downloaded."
  75. Fingerprint for the websites that you are visiting
  76. Uses the original Tor Browser from torproject.org with the only difference that Tor runs on Whonix-Gateway instead the locally shipped Tor.
  77. 77.0 77.1 See documentation for the websites that you are visiting and todo evaluate web fingerprint for latest status.
  78. Is the original Tor Browser Bundle from torproject.org.
  79. 79.0 79.1 While preventing Tor over Tor, which is recommended.
  80. Could most likely be installed manually, but users are not aware of fingerprinting issues and generally having trouble to only use Tor Browser without the bundled Tor while preventing Tor over Tor, which is recommended.
  81. Tails and Liberte Linux contain a so called Unsafe Browser. The Unsafe Browser does not use Tor. Connects in the clear. It is useful to register on hotspots or to view content in the clear without Tor.
  82. When using VMs: The unsafe browser on the host is untouched. It does not get any better or worse by installing Whonix.; When using Physical Isolation: As in Whonix 0.5.6 there is no unsafe browser. A separate third machine with clearnet access could be used.
  83. Tails Todo: https://tails.boum.org/todo/improve_fingerprint_of_the_Unsafe_Browser/
  84. 84.0 84.1 84.2 84.3 84.4 84.5 Neutral blue background, because it's not proven if this is really necessary and helpful.
  85. See also Dev/TimeSync.
  86. See whonixcheck.
  87. One who wants to hide Tor and Whonix from its ISP should not connect to the public Tor network when starting the anonymity focused distribution for the first time.
  88. settings, patches, add-ons
  89. See Iceweasel
  90. See TimeSync.
  91. See Tails - Time syncing.
  92. It's best when they are shared among anonymity focused distributions.
  93. https://github.com/ioerror/torbirdy/blob/master/gpg.conf
  94. gpg.conf optimized for privacy
  95. Because it can not be run inside other virtualizers in the first place?
  96. Due to anonymity, privacy and security issues associated with Adobe Flash
  97. 97.0 97.1 97.2 97.3 97.4 97.5 97.6 97.7 97.8 Because it could be used for fingerprinting, linking and also deanonymization (or at least a good guess) if the fingerprint is detailed enough.
  98. 98.0 98.1 98.2 Shared among all up to date Whonix users. Some Debian users. (Those who are using, what Whonix is based on, i.e. Debian wheezy in Whonix 0.5.6 or Debian testing in Whonix 6). Some users of Debian derivatives (such as Ubuntu), if they happen to use the same version.
  99. An application doesn't honor proxy settings. Example: Tor Browser Bundle: Firefox security bug (proxy-bypass).
  100. 100.0 100.1 100.2 100.3 Prevented by firewall.
  101. Where the applications spill the user's real IP. See Whonix security in real world, for examples where Whonix circumvented them. It gets circumvented by Whonix because Whonix-Workstation does not know the user's real IP address.
  102. 102.0 102.1 Workstation doesn't know its own external IP address.
  103. 103.0 103.1 103.2 VM replaces the IP with an internal LAN IP, which is safe.
  104. Example: user visits a website over Tor with a torified Browser. The website uses known or zero day vulnerability to gain remote code execution on the user's machine. Remote code execution is used to install malware on the user's machine. The used vulnerability allows the adversary to get "only" user rights, not root. The adversary could remotely start the Unsafe Browser and therefore find out the user's real IP address. This attack gets circumvented by Whonix, because any applications inside Whonix, including malware, can only connect through Tor.
  105. Example: user visits a website over Tor with a torified Browser. The website uses known or zero day vulnerability to gain remote code execution on the user's machine. Remote code execution is used to install malware on the user's machine. The used vulnerability allows the adversary to get "only" user rights, not root. The adversary gains root through escalate privileges using a second vulnerability. This allows the adversary to tamper with iptables rules, to make non-Tor connections and so on. This attack gets circumvented by Whonix, because Whonix's Firewall runs on another (virtual) machine. This attack gets circumvented by Whonix, because any root applications inside Whonix, including malware with root rights, can only connect through Tor.
  106. Example: user visits a website over Tor with a torified Browser. The website uses known or zero day vulnerability to gain remote code execution on the user's machine. Remote code execution is used to install malware on the user's machine. The used vulnerability allows the adversary to get root rights. This allows the adversary to tamper with iptables rules, to make non-Tor connections and so on. This attack gets circumvented by Whonix, because Whonix's Firewall runs on another (virtual) machine. This attack gets circumvented by Whonix, because any root applications inside Whonix, including malware with root rights, can only connect through Tor.
  107. Example: user visits a website over Tor with a torified Browser. The website uses known or zero day vulnerability to gain remote code execution on the user's machine. Remote code execution is used to install malware on the user's machine. A second exploit is being used to break out of the Virtual Machine. Whonix Default is broken against this attack. Whonix Physical Isolation defeats this attack, because the Whonix-Workstation's host does not know its real IP address, only Whonix-Gateway, running on an other physical machine knows it.
  108. Same as attack 6. But the adversary uses an extra vulnerability to break into Whonix-Gateway. Whonix is broken against this attack.
  109. Example: user visits a website over Tor with a torified Browser. The website uses known or zero day vulnerability to gain remote code execution on the host. Whonix Default: fail, same as attack 6. Physical Isolation defeats this attack, same as attack 6.
  110. 110.0 110.1 Using white as more neutral color, because according to this post by Joanna Rutkowska, exploiting a QubesOS virtual machine is more difficult than exploiting VirtualBox.
  111. Example: user visits a website over Tor with a torified Browser. The website uses known or zero day vulnerability to gain remote code execution on the host. The adversary uses an extra vulnerability to break Whonix-Gateway. Whonix is broken against this attack.
  112. 112.0 112.1 112.2 Fail, because it already failed against a VM exploit.
  113. 113.0 113.1 113.2 Usually not run behind a physically isolated Whonix-Gateway.
  114. Example: user visits a website over Tor with a torified Browser. Tor processes the traffic. The adversary uses a vulnerability to gain remote code execution. The machine where Tor is running knows the user's real IP address (Tor control protocol command: getinfo address), unless this machine is itself behind another Gateway, i.e. (Chaining Multiple Gateways [which is unfortunately only available to expert users]).
  115. 115.0 115.1 Unless you are Chaining Multiple Gateways, which is unfortunately only available to expert users, Whonix is broken against this attack.
  116. Example: end to end correlation attack, but there are much more attacks where Tor is known to be broken against. Any successful attack against Tor on a Tor based anonymity operating system will naturally deanonymize the user, unless you are Chaining Multiple Gateways (which is unfortunately only available to expert users). Whonix defeats some attacks against Tor (and components such as Tor Browser), for example, see Whonix's Secure And Distributed Time Synchronization Mechanism and Protocol-Leak-Protection and Fingerprinting-Protection and the rest of the Design page.
  117. A backdoor in Tor, the operating system which the project is based on or the project itself would be fatal. It would open up for targeted attacks. Big scale attacks would maybe be caught.
  118. 118.0 118.1 When server software on Whonix-Workstation gets (root) exploited, the attacker can not steal the key of the hidden service because it is stored on Whonix-Gateway.
  119. Safe in theory. Does it support hidden services yet?
  120. 120.0 120.1 Source of information: https://lists.torproject.org/pipermail/tor-talk/2012-February/023264.html
  121. 121.0 121.1 121.2 Because unsafe browser runs on the VM host (NTP) and torified browser runs inside Whonix-Workstation. (tails_htp)
  122. VM Host time gets synchronized with NTP and operating system time gets synchronized with tails_htp.
  123. 123.0 123.1 Untorified host browser uses the same clock as TBB.
  124. 124.0 124.1 Host and VM clock both get synchronized with NTP, but it could still make a difference, because they are synchronized independently.
  125. This is important because otherwise non-anonymous activity could be linked to anonymous activity if the clock skew is too big and/or too unique.
  126. Whonix-Workstation (tails_htp) and Whonix-Gateway (separate tails_htp) time differ.
  127. 127.0 127.1 Unsafe browser and torified browser share the same clock. (tails_htp)
  128. 128.0 128.1 128.2 128.3 Introduced by ISP level adversary attack.
  129. 129.0 129.1 Assumed an installed regular operating system using NTP was used earlier and the adversary introduced a clock skew.
  130. Such as running tordate.
  131. 131.0 131.1 131.2 Due to a unique clock skew introduced by the adversary.
  132. To do it safely.
  133. In Whonix one could also install an Tor-unsafe BitTorrent client. In worst case it would be pseudonymous (IP still hidden) rather than anonymous.
  134. Tails has a firewall to block non-Tor traffic, but an audit at protocol level is still required. Quoted from the Tails Security Page: "Until an audit of the bundled network applications is done, information leakages at the protocol level should be considered as ? at the very least ? possible."
  135. It's left to the user to prevent non-Tor traffic, DNS leaks and protocol level leaks.
  136. Text, screenshot or video instructions available.
  137. Requires installing and setting up your own Gateway from source code.
  138. Examples of what not to do: DoNot.
  139. This and the whole documentation will be improved in next Whonix version.
  140. 140.0 140.1 140.2 Included, although there is no nice gui, it's available as Optional Configuration, see VPN/tunnel support.
  141. 141.0 141.1 141.2 Tails Status: https://tails.boum.org/todo/vpn_support/
  142. By making the netvm of the TorVM be a VpnVM.
  143. See Browser Plugin Security and Browser Plugins.
  144. Tails Status: https://tails.boum.org/todo/Flash_support/
  145. Installed by default, see Mixmaster.
  146. https://en.wikipedia.org/wiki/TorChat
  147. See TorChat.
  148. Tails wishlist
  149. Filezilla (not pre-installed) works out of the box. For Tor Browser and/or wget, feel free to experiment with TrackHostExits. See Tor manual on how to use it. You can also have a look at wget ftp support broken and FTP download too difficult for further information on TrackHostExits.
  150. Tails Status: https://tails.boum.org/todo/fix_Internet_FTP_support/
  151. Users can install one of their choice, preferably using SocksPort, TransPort works as well. wget -c (pre-configured to use SocksPort) is also working.
  152. Users can manually install the download manager of their choice in Tails. It just needs to be configured to use the proper SOCKS proxy.
  153. Optional configuration, see Mozilla Thunderbird with TorBirdy.
  154. Tails Status: Return of Icedove
  155. Hidden services can be used without IP/DNS leaks, see Hidden Service Support. There is no nice graphical user interface to setup a hidden service, works well nonetheless.
  156. Can be used using ordinary mechanisms with torrc.; Tails Status: persistence preset - tor
  157. Tails server: Self-hosted services behind Tails-powered Tor hidden services
  158. When using VMs: Can be easily done on the host.; When using Physical Isolation: As in Whonix 0.5.6 there is no unsafe browser. A separate third machine with clearnet access could be used.
  159. Tails has a unsafe browser for such tasks.
  160. Mechanism of the host operating system can be used.
  161. 161.0 161.1 Qubes OS system requirements
  162. TODO: Still lacks 64 bit guest builds. 64 bit builds would offer more ALSR entropy, would safe some memory (page fusion?) and provide more performance.
  163. 163.0 163.1 163.2 Building them from source is already supported, see Build Configuration.
  164. QubesBuilder
  165. See Dev/Control_Port_Filter_Proxy.
  166. See i2p.
  167. See JonDonym.
  168. See RetroShare.
  169. 169.0 169.1 169.2 See Bridges.


Log in | OpenID | Contact | Impressum | Datenschutz | Haftungsausschluss

https | .onion [note] | Mirror | Mirror

This is a wiki. Want to improve this page? See Conditions for Contributions to Whonix, then Edit it! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.