- 1 Overview
- 2 Sustainability
- 3 Security
- 4 Usability
- 4.1 Interaction Simplification and Standardization
- 4.2 Other Operating System Support
- 4.3 Simplify Installation of Onion Service
- 4.4 Whonix Language Support
- 5 Circumvention
- 6 Links
The work outlined here is specifically focused on what could be done in a year with funding, though these goals should be considered as a larger roadmap for Whonix's development in general. This roadmap is focused on three goals:
- make Whonix more sustainable by making it easier for the community to engage and contribute code
- make Whonix more secure
- make Whonix more usable by average users in repressive situations
Given that Whonix was created by the community and is supported by the community, it is of the utmost importance that Whonix continues to do so.
Contribution Scalability and Security Improvement
Whonix consists of roughly 25.000 lines of code. Mostly all in one git repository. To streamline the development Whonix's source code, it would be better if Whonix was split into multiple packages. That would make it simpler to grasp Whonix's architecture, make it simpler to contribute to Whonix, simpler to audit the critical parts of Whonix and simpler to port Whonix to other targets.
[ - ]
We should pay The Tor Project (if they are willing) or someone else to implement torrc.d-style configuration directories (open for 4 years already). This feature is required for more robust and simplified implementation of features such as easier set up for bridges (just dropping a config snippet rather than programmability editing /etc/tor/torrc) or features such as "sudo apt-get install wordpress-hidden-service". 
Whonix's primary goal is security, without it nothing matters. Patrick, can you expand the issues in this section and make them each focused, say 3 main security issues that should be dealt with over the next year
Leak Test Expert Review
[ - ]
Added April 2014
Whonix's firewall is the heart of Whonix's security, preventing leaks, routing everything over Tor. We've done Dev/Leak Tests, but an expert in iptables / networking should audit Whonix for leaks. This can be done by a one time project contractor position.
More Secure and Usable Download Mechanism
[ - ]
To avoid man-in-the-middle capable adversaries exploiting whonix.org visitors or advising them to do malicious things, on whole whonix.org https is enforced. As alternative authentication, Whonix's website is reachable by an .onion address, because those are encrypted end-to-end by default and an alternative to the CA cartel. Due to the nature of Whonix's project, Whonix's downloadable files are big. Neither Whonix nor most other Linux distributions are capable to ship their downloadable files over https. Hence, most files are downloaded for most projects are downloaded from unauthenticated http - an invitation for man-in-the-middle attacks.
To circumvent this, many projects such as Whonix provide cryptographic checksums (sha) and/or OpenPGP signatures. A past usability experiment on our Download page helped to increase the number of people who do OpenPGP verification from 1 in ~32 to 1 in ~10 used OpenPGP verification. (The full experiment is documented on the Dev/Download_Statistics page.) Too few users are doing it, even though the requreed steps are documented and the importance is highlighted. Probably due to time constraints and due to usability issues with the popular free OpenPGP implementation gnupg.
A solution to this dilemma is to build the verification mechanism directly into the browser. Metalink is the answer. Unfortunately, it has not been build into popular browsers yet. We have a long standing github issue for it. The Whonix team currently has no recourses to tackle this issue.
Mozilla has an open feature request since 2006 and it doesn't look like they will be working on it anytime soon. With funding we could finally tackle this issue and help out lots of other security focused projects as well. Ideas:
- contact Mozilla and ask how much it would cost to buy this feature
- contact the Mozilla community and ask if someone would up to implement this feature for a price
- hire a capable programmer and pay her to implement this feature, to go through the proposal and review process as long as required until this feature gets merged into Firefox
If we had this feature, all downloads from untrusted mirrors would be at least as secure as https, because the verification has is supplied over https, while the bulk download is served over http.
Check for Revocation Certificates before running apt-get
Copied from https://github.com/Whonix/Whonix/issues/125
Neither Debian nor Whonix has no good mechanism to revoke apt keys in case of compromise, neither a way to inform users in emergency situations: https://lists.debian.org/debian-security/2013/10/msg00065.html
An apt key revoker should be written: https://lists.debian.org/debian-security/2013/12/msg00031.html
And up-streamed to Debian.
- Keyservers may not be used: https://lists.nongnu.org/archive/html/sks-devel/2013-12/msg00076.html
- The code for downloading the revocation certificates should be configurable. .d style configuration folder. Where distributions and PPA's can drop configuration snippets. Using arrays.
- Code should be re-usable for Whonix News key revocation as well (using plugin).
Secure Distributed Network Time Synchronization
Host operating systems such as Debian and Ubuntu have no way for secure and trust distributed network time synchronization, although that is crucial for security. (Debian bug confirmation; Ubuntu bug confirmation). Whonix already comes with a secure replacement as described on that Dev/TimeSync page. That mechanism should be split of Whonix's source code and be made a separate project available as a package (.deb), that users can download and install. Debian developers should then be encouraged to add that package to their offical repository, so it gets even simpler to install it (such as, as simple as ). If Debian developers are not interested, Whonix developers should attempt to become a Debian maintainer as well and maintain the package themselves in Debian. (From Debian, that package will flow down to other Debian-based distributions such as Ubuntu, Mint, etc.)
Verifiable APT Repository
For better protection against build machine compromise, Whonix has a Verifiable Builds feature.
Documentation on how to verify Whonix's APT Repository is currently a bit scare, should be extended and better scripted.
Currently, to use Whonix a user must get familiar with VirtualBox and Debian (KDE) to be able to use and configure Whonix. In order to allow those with less time/access to expert knowledge of Linux, who may be in areas where time and security are of the essence, usability issues must be a top priority.
Interaction Simplification and Standardization
Whonix needs an interaction designer to review and plan and implement an across the board standardization of the look and feel of Whonix in the system itself and online.
A general user interface review and revision of all user visible components. Streamlining installing of Whonix and running it. As well, looking at the systems once Whonix-Gateway or Whonix-Workstation boots, to make it simpler or more consistent of messages and what programs to run when. As well, this could go into the branding of Whonix and consistency in all of the documentation/website/software, so that it is clear that you are either visiting or using a Whonix page.
Other Operating System Support
Not everyone that needs privacy or security can use Unix, not all applications are available on Unix. Whonix aims to support a Mac OS X or Windows virtual workstation that uses the Whonix Gateway to route all traffic through Tor. We need better instructions on how one can tunnel Mac OS X or Windows through Tor by using Whonix-Gateway.
Simplify Installation of Onion Service
Currently quite a lot is required to set up an onion service (Onion Services). We should create packages, that ease the process, that automate installation of popular web services such as wordpress.
Whonix Language Support
As a new part of Whonix First Time Setup (which starts after Whonix starts for the first time), the user could be asked which language she wants to use.
Translation for Whonix
https://translatewiki.net has a pool of translation volunteers. Once Whonix gets ified, Whonix could apply for translatewiki.net and they could start translating Whonix software.
Translation for Documentation
We yet have to figure out how to use the translation extension and to prepare whonix.org's documentation for translation. We occasionally have offers to translate whonix.org, for example to French. Whonix developer Patrick Schleizer could translate whonix.org to German.
Port Whonix to LXDE or XFCE?
Reduce Image Size post-installing a desktop environment?
Do not install a desktop by default and allow the user to choose either KDE, LXDE/XFCE or no desktop environment at first boot?
Simpler than manually downloading VirtualBox and two Whonix VMs.
Stub installer (small installer the can be downloaded fast - that downloads the bigger files).
sudo curl --tlsv1.2 --proto =https --remote-name ... | sudo apt-key add ...
sudo apt-get install whonix
Better Circumvention User Interface
TBB uses the tor-launcher add-on, it looks good and makes it simpler to enter bridges. The upcoming version of tor-launcher even support pluggable transports. There is some work done creating a standalone xul application of tor-launcher. Tails devs are planing to use it. Whonix should use it as well. Some older screenshots of tor-launcher can be seen here: Dev/whonixsetup. (github ticket)
Shipping semi-public bridges
Current TBB beta comes with a list of hardcoded briges. Censors can easily obtain and ban them. Still, these hardcoded bridge relays work for a non-negligible share of users (otherwise TBB would not go this path). We could ship this list by default as well.
Other Circumvention Tools other than Bridges
There are lots of other Censorship Circumvention Tools other than Tor bridges. We should check out all of them and document how to use them with Whonix. The todo list of tools that should be documented can be found here: Censorship Circumvention Tools. (github ticket)
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.
- This is now implemented in Tor v0.3.1.1-alpha.