Dev/Anonymity Network

From Whonix

< Dev


This page describes, why Tor was chosen for the Whonix ™ Example Implementation as anonymity network and also discussed alternatives, which also have been considered.


Tor has been chosen for the Whonix ™ Example Implementation, because it is the best researched and most used network. Whonix ™ developer Patrick believes Tor is currently the most secure anonymity network legally available to most users. See anonbib [archive] for a collection about research papers about Tor and other anonymity networks.

Many users are important, because you can only be anonymous within a big group of people. More secure networks exist in theory, such as the mixminion high latency network, but without enough users, in practice they are less secure. See Roger Dingledine explanation [archive] for details.

On the Warning [archive] page are some shortcomings of Tor listed.

Whonix ™ and other Anonymity Networks[edit]

The Whonix ™ Framework is agnostic about the Anonymity Network being used. In theory also Tor could be completely exchanged with any other suited anonymizing network, see ™_Framework Technical Introduction Whonix ™ Framework [archive]. Development in this area stalled due to lack of interest from users, upstream developers and Whonix ™ developers. Anyway, there has been some research, theoretical and practical work done towards such integration, see Inspiration [archive] in case you are interested.

Security considerations[edit]

Any successful attacks against Tor, does also work against Whonix ™ and will result in a compromise of location/identity. 1

Whonix ™ does not try to defend against network attacks, like a massive amount of evil Tor nodes, end-to-end correlation attacks and so on. The Tor software package from the Debian repository is installed in Whonix ™. There are no modifications to Tor software. This is left to the Tor developers and Debian packagers.

If TransPort, DnsPort or SocksPort, which Whonix ™ heavily relies on, can be exploited, then it is also game over.

There is no known bug (or "feature") to obtain the users real IP address through either SocksPort, TransPort or DnsPort. If there were such a bug found in the future, which is possible, it would be a major bug in Tor. We would hope, that the Tor developers fix that bug. We hope that compile time hardening features will be added. Bug #5210: Enable gcc and ld hardening by default in 0.2.3.x [archive] has been fixed. Bug #5024: compile time hardening of TBB (RELRO, canary, PIE) [archive] is still open.

There are other attacks thinkable, which we can not defend against. For example, if an adversary controls your entry node or can observe your ISP and has access to the Whonix-Workstation ™. He can simply use "morse" (5 seconds much traffic, 10 seconds no traffic...) And then observe the user's incoming connections. Then it is game over as well.

1 Unless Tor is combined with other means of anonymization (available as optional feature).

Other Anonymity Networks reviewed for Whonix ™[edit]

High latency networks[edit]

In theory, high latency networks would be safer than Tor. Unfortunately there is no high latency network, with enough users, which is well designed, developed and maintained.


Not suited for Whonix ™ at all.

AdvOR [archive], the "Advanced" Onion Router is not suited for Whonix ™. Reasons:

  • No interest from the research community.
  • No source control, i.e. git.
  • Licensing issues (See Nick Mathewson's (Tor's Chief Architect) analysis below.)
  • Absence in the Tor community.
  • No Linux support.
  • Whonix ™ developer believes the Tails developers and the Tor developers to be modest and genuine. Doing their best on providing fine software. They generally work thoroughly, come to, in Patrick's opinion, clever conclusions. A Tails developer and a Tor developer wrote about AdvOR. Patrick believes it is best not to summarize the their writings. Please read it yourself, in case you're interested.
  • In Patrick's opinion: less safe than Tor.



It may not be possible to reliably replace the Tor network with the I2P network [archive] for Whonix-Gateway ™. The I2P network is mainly designed to host all services inside the I2P network. We have to update the Whonix-Workstation ™ operating system and software packages. That is not possible with I2P. Outproxies exist in past (http, https and socks), but too few of them? And they are not suited for use with Whonix ™. They are too unreliable (too often offline). At time of writing the I2P chapter (March 2012) there where no working https or socks outproxies, which we could use for apt-get. (Still the case as of today?)

I2P can only be used as an addition to Whonix ™ (tunnel ip2 over Tor). See [I2P].

Even if there where enough reliable outproxies, there is one question which would have to be answered. Is I2P designed for withholding the external IP from a Workstation, i.e. does the I2P webinterface spill the external IP and if yes, can it be configured, not to? → We could make I2P listen on Whonix-Gateway ™ local host only. And only have other services, such as the outproxy, listen on the internal interface that is accessible by Whonix-Workstation ™(s).

There was development idea [archive] to install Tor and optionally I2P on Whonix-Gateway ™, but stalled due to lack from Whonix ™ developers and I2P community.

That I2P is not in Debian package sources would also make integration harder.

(w [archive])


Not suited for Whonix ™ for the Default-Download-Version.

  • No out proxies at the moment. (Can not connect to any servers outside the I2P network. I2P is much different than Tor.) Clearnet websites could not be reached, apt-get wouldn't work, etc. Still up to date as of today?
  • Less interest from the research community.
  • No interest from the I2P community.
  • In Patrick's opinion: less safe than Tor.


Not suited for Whonix ™ for the Default-Download-Version.

This JonDonym chapter is a summary of the JonDonym [archive] chapter from the "Inspiration" page, which is about adding an option to Whonix ™ to use JonDonym instead of Tor and a summary of the JonDonym introduction chapter, which reflects Patrick's opinion about the JonDonym network security.

  • Less interest from the research community.
  • Too less help (interest?) from upstream developers to create a JonDoBOX (See JonDonym [archive] chapter from the "Inspiration" page.).
  • Free version too limited.
  • In Patrick's opinion: less safe than Tor.


Not suited for Whonix ™ for the Default-Download-Version. This is a summary of Comparison of Tor and VPN services [archive].

  • Fail open, which is bad. Ok, that could be prevented using VPN-Firewall or even better developing/using a VPN-Gateway.
  • No distributed trust, just a single trusted provider.
  • Affected by identity correlation.
  • No free ones without restrictions.
  • In Patrick's opinion: less safe than Tor.


Not suited for Whonix ™ for the Default-Download-Version.

Replacing Tor with Freenet is impossible, as Freenet is a separated network, not designed to exit the network, i.e. clearnet websites could not be reached, apt-get wouldn't work, etc.

There was a development idea [archive] to install Tor and optionally Freenet on Whonix-Gateway ™. It would pose the questions. Is Freenet designed for withholding the external IP from a Workstation, i.e. does the Freenet webinterface spill the external IP and if yes, can it be configured, not to?


Not suited for Whonix ™ for the Default-Download-Version.

In fact RetroShare [archive] is not an anonymizing network [archive], it is a friend-to-friend [archive] (F2F) network, or optionally a darknet [archive]. RetroShare has a very different audience and threat model. RetroShare does not support using an outproxy yet, for this reason, it can not replace Tor on the Whonix-Gateway ™.

Proxies / Proxy Chains[edit]

This is a summary of Comparison Of Tor Proxies CGI proxies Proxy Chains And VPN Services.

"(High) Anonymous" Proxies or even "Elite" Proxy Chains are not suited for Whonix ™ for the Default-Download-Version.

  • Inferior to Onion Routing (Tor). Just two strong points (many more exist): no encryption between the user and the proxy possible (only end-to-end encryption possible); no onion routing alright (changing circuits).
  • Difficult (impossible?) to find a free, stable proxy, which is supposed to be legally used as proxy and which could handle enough Default-Download-Version users.
  • In Patrick's opinion: less safe than Tor.

Combinations of Anonymity Networks[edit]

Not suited for Whonix ™ for the Default-Download-Version.

There is too much controversy, see Tor Plus VPN or Proxy [archive].

Controversy is avoided as a political project strategy with the goal to protect the project:

Quoted from the [FAQ]: "Whonix ™ tries to be as less special as possible to ease security auditing of Whonix ™. Any changes to the Tor routing algorithm should be proposed, discussed and eventually implemented upstream in Tor on And if discussion fails, a Tor fork could be created. Tor has already been forked at least once. Doing such changes directly in Whonix ™ would limit discussions about Whonix ™ to the security of the modified routing algorithm. To allow further exploration of Whonix ™ security, it is required to be as agnostic as possible about all parts of Whonix ™."

The user is able to tunnel Other Anonymizing Networks over Tor (see Other Anonymizing Networks [archive] in case you're interested).

Tunneling other Other Anonymizing Networks over Tor[edit]

It is possible with Whonix ™. (See Other Anonymizing Networks [archive] in case you're interested).

Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Dev/Anonymity Network&body= link= Network link= Network link= Network%20 Network

Have you contributed to Whonix ™? If so, feel free to add your name and highlight what you did on the Whonix ™ authorship page.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.