Whonix aims to be safer than Tor alone. The main goal is, that no one can find out the user's IP and location.
The basic idea is, that all applications are untrustworthy. No application must be able to obtain the user's real external IP. Whonix ensures that applications can only connect through Tor. Direct connections (leaks) must be impossible. This is the only way we know of, that can reliably protect your anonymity from client application vulnerabilities and IP/DNS and protocol leaks.10
Whonix consists of two machines, which are connected through an isolated network. One machine acts as the client or Whonix-Workstation, the other as a proxy or Whonix-Gateway, which will route all of the Whonix-Workstation's traffic through Tor. This setup can be implemented either through virtualization and/or Physical Isolation (explained below).
The Whonix Concept (see below) is agnostic about everything, the anonymizer, platform, etc. See Whonix Framework below.
Whonix Example Implementation: Anonymity setup built around Tor, two virtual machines using Qubes, KVM, VirtualBox or physical isolation and Debian GNU/Linux. Whonix can be installed on every supported platform. (Supports Windows, OS X, Linux, BSD and Solaris.)
Physical Isolation describes installing Whonix-Gateway and Whonix-Workstation on two different pieces of hardware. It is more secure than VirtualBox / KVM virtual machines alone, requires more physical space, and hardware and electricity costs are higher. Keep in mind that you don't need very powerful dedicated servers or desktops. Unfortunately, using Qubes-Whonix with physical isolation is unsupported. For more information, see Physical Isolation.
See Design for Technical Design and security of Whonix. For security introduction, see below.
The listed Features, advantages and disadvantages shall give you an overview, what Whonix is useful for, what Whonix can do for you, and what not.
The Whonix Concept is agnostic about everything. With some development effort you can replace any component. The Whonix developers would like to support each and any use case, but due to limited amount of developers this is impossible and we focus on the Whonix Example Implementation.
The Tor network is Whonix's official and best supported anonymizing network. Whonix can also potentially and optionally use other anonymizing networks (Such as JonDo, I2P, Freenet, RetroShare), either in addition (tunneled through Tor) or as a replacement for Tor. See the article for more information.
Other operating systems (e.g. Windows; *nix; BSD; etc.) can potentially be used as host and/or guest operating system. See the Other Operating Systems for more information.
In layman's terms
Shut up or put up! Is Whonix safe?
It is in the nature of security related software, that there is no 100% safety. Believe it or not, we use it ourselves and we keep maintaining and developing it. We believe that Whonix is safer than other tools in some aspects, threat models, and use cases. There is detailed reasoning for such claims on the Whonix Homepage.
If you are more paranoid or have higher security needs, read everything, full documentation and full technical design, you'll learn about physical isolation and build Whonix from source code and so on.
And no, Whonix does not claim to protect from very powerful adversaries, to be a perfectly secure system, to provide strong anonymity, or to provide protection from technically advanced surveillance and similar.
See also Whonix is a work in progress.
At first glance this site may create the impression that Whonix is completely insecure and everything is a lost cause. We are upfront with things we could do better and we are still working on and try to consider all possibilities and document all thinkable and future threats. You must judge for your own which risks are acceptable for your use cases.
With more technical terms
It is difficult to write a summary of Whonix security features. Both anonymity and security consist of so many different aspects. That's why there is lots of Documentation and the whole Technical Design.
The Technical Design intends to document security philosophy, design, goals and current shortcomings of Whonix.
This chapter is only a short introduction. Please read the full Design.
Whonix follows the principle of security by isolation. We know that making our currently used systems secure is a lost cause. They are too complex and too large to be trustworthy and verifiably free of any bugs. Whonix can't solve this but it tries to minimize attack surfaces and limit what danger exploitable bugs in more exposed parts can do, one primary danger specific to Tor is the danger of exposing the public IP address of a system. Whonix isolates client applications inside the Whonix-Workstation from discovering the external IP address. Specifically, Whonix is designed to prevent direct detection of the IP (not more!) even if an adversary has unrestricted access to the Whonix-Workstation.
Once there is a vulnerability found in Tor (ex: exploiting Tor's ports) or a successful attack against Tor, Whonix fails.
Same goes for iptables. Whonix is a setup based on Linux, iptables, Tor, etc. If any of the underlying projects has a vulnerability, which we can not rule out, of course, Whonix will fail as well.
In summary, Whonix does not claim to be a perfectly secure system or able to provide anonymity if one faces a very powerful adversary, and so on.
There are three ways to torify. Read the link for a comparison of the security.
Whonix-Workstation has no access to the internet without going through Tor. You can look into our setup. It is all Open Source and well documented.
Whonix uses multiple security layers.
- IP-forwarding is disabled.
- IPv6 is disabled.
- The firewall fails "closed": when Tor is disabled, loses connection, or the Whonix-Gateway crashes, no network connections are possible.
- Iptables redirects any traffic from Whonix-Workstation to Tor's ports. Local network connections are dropped. No leaks are possible, assuming the TCB is trustworthy.
- Applications are configured correctly using latest suggestions (correct application and proxy and other privacy settings, Stream Isolation).
- Firewall rules are enforced and prevent accessing the internet directly, thus leaks are prevented in case some application leaks.
- Optionally, Physical Isolation is documented.
- Protocol-Leak-Protection and Fingerprinting-Protection.
- Whonix's Secure And Distributed Time Synchronization Mechanism.
- Check.torproject.org is checked (see whonixcheck) anyway, even though we are sure, that there are no leaks.
- Built in update notification for operating system updates, Tor Browser version and Whonix version (see whonixcheck).
- Comprehensive, growing Documentation.
- Comprehensive, growing Technical Design.
- Openness about weaknesses, shortcomings, etc.
- Cryptographically signed binary builds and git source code tags.
Whonix was tested for leaks, see Dev/Leak Tests. All went negative. Additionally, Skype, which is known for it is ability to punch through firewalls, was not able to establish non-torified connections. Also BitTorrent doesn't leak the IP (there is an online bittorrent leak tester), which of course should never be used through Tor (because it chokes Tor nodes), but for leak testing it was welcome. Right now we don't know of any leak tests which leaks the real IP.
Whonix is safe (not affected) from Protocol leaks, like this the ones listed on Security in Real World, Skype, Flash or BitTorrent. This already justifies to use a "no non-Tor connections possible" approach.
When you go ahead now, and ask in a hacker forum, they probably won't spread a simple method to get the real IP of Whonix-Workstation. On the other hand, if you run an intelligence service and have 100.000 $ left over, you can announce something like "find a new exploit in Tor's SocksPort and get 100.000 $". Qualified people start looking into it and might find something.
- Since Whonix 0.2.1, Whonix-Gateway traffic is also routed over Tor. In this way, use of Whonix is hidden from persons or systems observing the network.
- To preserve the anonymity of a user's Whonix-Workstation activities, it is not necessary to torify Whonix-Gateway's own traffic.
- For reader interest: If DNS settings on Whonix-Gateway are changed in Stream Isolation). , this only affects Whonix-Gateways's own DNS requests issued by applications using the system's default DNS resolver. By default, no applications issuing network traffic on Whonix-Gateway use the system's default DNS resolver. All applications installed by default on Whonix-Gateway that issue network traffic (apt-get, whonixcheck, timesync) are explicitly configured, or forced by uwt wrappers, to use their own Tor SocksPort (see
- Whonix-Workstation's default applications are configured to use separate Tor SocksPorts (see Stream Isolation), thereby not using the system's default DNS resolver. Any applications in Whonix-Workstation that are not configured for stream isolation - for example - will use the default DNS server configured in Whonix-Workstation (via ), which is the Whonix-Gateway. Those DNS requests are redirected to Tor's DnsPort by Whonix-Gateway's firewall. Whonix-Gateway's does not affect Whonix-Workstation's DNS requests.
https | (forcing) onion
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.