Whonix ®

Download

Windows Linux Mac VirtualBox KVM Qubes Intel / AMD64 ARM64 PPC64 USB ISO Raspberry Pi More options Source Code

About

Overview Features Whonix vs VPNs Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Comparison of anonymizers considered for the implementation of the Anonymous Operating System Whonix.

This page describes why Tor was chosen for the Whonix Example Implementation as the anonymity network and also discusses alternatives that were considered. See also Why does Whonix use Tor.

Tor was chosen for the Whonix Example Implementation because it is the best-researched and most widely used network. Whonix developer Patrick believes Tor is currently the most secure anonymity network legally available to most users. See anonbib for a collection of research papers about Tor and other anonymity networks.

Many users are important because you can only be anonymous within a large group of people. More secure networks exist in theory, such as the Mixminion high latency network, but without enough users, they are less secure in practice. See Roger Dingledine's explanation for details.

On the Warning page, some shortcomings of Tor are listed.

The Whonix Framework is agnostic regarding the anonymity network being used. In theory, Tor could be completely replaced with any other suitable anonymizing network, see Technical Introduction, chapter Whonix Framework. Development in this area has stalled due to lack of interest from users, upstream developers, and Whonix developers. However, there has been some research and practical work done toward such integration; see Inspiration if you are interested.

Any successful attacks against Tor also affect Whonix and will compromise location/identity. ¹

Whonix does not attempt to defend against network attacks such as a large number of malicious Tor nodes, end-to-end correlation attacks, and so on. The Tor software package from the Debian repository is installed in Whonix without modifications. This is left to the Tor developers and Debian packagers.

If TransPort, DnsPort, or SocksPort, which Whonix heavily relies on, can be exploited, then it is also game over.

There is no known bug (or "feature") that reveals the user's real IP address through either SocksPort, TransPort, or DnsPort. If such a bug were found in the future, which is possible, it would be a major issue in Tor. We would hope that the Tor developers fix it.

Other conceivable attacks cannot be defended against. For example, if an adversary controls your entry node or can observe your ISP and has access to the Whonix-Workstation^™, they could use a pattern (e.g., 5 seconds of heavy traffic, 10 seconds of no traffic...) (similar to morse code) and then observe incoming connections. That would also result in compromise.

¹ Unless Tor is combined with other means of anonymization (available as an optional feature).

In theory, high latency networks would be safer than Tor. Unfortunately, there is no high latency network with enough users that is well-designed, developed, and maintained.

Not suited for Whonix at all.

AdvOR, the "Advanced" Onion Router, is not suited for Whonix. Reasons:

• No interest from the research community.
• No source control (e.g., git).
• Licensing issues (See Nick Mathewson's (Tor's Chief Architect) analysis below.)
• Absence in the Tor community.
• No Linux support.
• Whonix developer believes the Tails and Tor developers are modest and genuine. They generally work thoroughly and come to, in Patrick's opinion, clever conclusions. A Tails developer and a Tor developer wrote about AdvOR. Patrick believes it is best not to summarize their writings. Please read them yourself if interested.
  • Answer from a Tails developer about AdvOR.
  • Nick Mathewson's (Tor's Chief Architect) analysis recommends against it.
• In Patrick's opinion: less safe than Tor.

It may not be possible to reliably replace the Tor network with the I2P network for Whonix-Gateway^™. The I2P network is mainly designed to host all services within the I2P network. We need to update the Whonix-Workstation operating system and software packages, which is not possible with I2P. Outproxies existed in the past (http, https, and socks), but were too few? They were also not suited for use with Whonix. Too unreliable (often offline). As of March 2012, when the I2P chapter was written, there were no working https or socks outproxies usable for apt. (Still the case today?)

I2P can only be used in addition to Whonix (tunnel I2P over Tor). See I2P.

Even if there were enough reliable outproxies, the question remains: Is I2P designed to withhold the external IP from a Workstation? For instance, does the I2P web interface expose the external IP, and if so, can it be configured not to? → We could configure I2P to listen only on Whonix-Gateway localhost, and have services such as the outproxy listen only on the internal interface accessible by Whonix-Workstation(s).

There was a I2P development idea to install Tor and optionally I2P on Whonix-Gateway, but this stalled due to lack of interest from Whonix developers and the I2P community.

That I2P is not in the Debian package sources would also complicate integration.

• I2P users can be deanonymized using browser fingerprinting.
• About I2P insecurity.

Not suited for Whonix for the Default-Download-Version.

• No outproxies at the moment. (Cannot connect to any servers outside the I2P network. I2P is much different than Tor.) Clearnet websites could not be reached, APT wouldn't work, etc. Still up to date as of today?
• Less interest from the research community.
• No interest from the I2P community.
• In Patrick's opinion: less safe than Tor.

Not suited for Whonix for the Default-Download-Version. For details, see Whonix versus VPNs.

Not suited for Whonix for the Default-Download-Version.

Replacing Tor with Freenet is impossible, as Freenet is a separate network, not designed to exit to the clearnet; clearnet websites could not be reached, APT wouldn't work, etc.

There was a Freenet development idea to install Tor and optionally Freenet on Whonix-Gateway. This raises the question: Is Freenet designed to withhold the external IP from a Workstation, i.e., does the Freenet web interface leak the external IP, and if so, can it be configured not to?

Not suited for Whonix for the Default-Download-Version.

In fact, RetroShare is not an anonymizing network; it is a friend-to-friend (F2F) network or optionally a darknet. RetroShare serves a different audience and threat model. RetroShare does not yet support outproxy usage; thus, it cannot replace Tor on the Whonix-Gateway.

This is a summary of Whonix versus Proxies.

"(High) Anonymous" Proxies or even "Elite" Proxy Chains are not suited for Whonix for the Default-Download-Version. The reasons are as follows:

• Inferior to Onion Routing (Tor). Just two strong points (many more exist): no encryption between the user and the proxy is possible (only end-to-end encryption); no onion routing (i.e., changing circuits).
• Difficult (or impossible?) to find a free, stable proxy legally usable as a proxy and capable of handling enough Default-Download-Version users.
• In Patrick's opinion: less safe than Tor.

Not suited for Whonix for the Default-Download-Version.

There is too much controversy; see Tor Plus VPN or Proxy.

Controversy is avoided as a political project strategy to protect the project:

Quoted from the [FAQ]: "Whonix tries to be as less special as possible to ease security auditing of Whonix. Any changes to the Tor routing algorithm should be proposed, discussed and eventually implemented upstream in Tor on torproject.org. And if discussion fails, a Tor fork could be created. Tor has already been forked at least once. Doing such changes directly in Whonix would limit discussions about Whonix to the security of the modified routing algorithm. To allow further exploration of Whonix security, it is required to be as agnostic as possible about all parts of Whonix."

The user is able to tunnel other anonymizing networks over Tor (see Other Anonymizing Networks if interested).

It is possible with Whonix. (Other Anonymizing Networks).

Whonix The most watertight privacy operating system in the world.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Whonix is proudly supported until 2026 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!