Whonix ®

Download

Windows Linux Mac VirtualBox KVM Qubes Intel / AMD64 ARM64 PPC64 USB ISO Raspberry Pi More options Source Code

About

Overview Features Whonix vs VPNs Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Whonix Project Very Long Term Vision

That's just a code name for a BOX setup "2.0" that may eventually offer strong guarantees of security and anonymity.

It should address all the current single points of failure:

CPU: Even in a microkernel + IOMMU system, the CPU (and to some extent the GPU) needs to be blindly trusted. The system needs to consist of multiple (diverse) CPUs. Whonix with Physical Isolation already does that. This is just a reminder that software-based isolation (through next-gen sandboxing and microkernel design) will never be able to replace hardware isolation.

Software/Compiler: Even if the trusted computing base (TCB) is small and verifiable to some extent, there is an inherently unsolvable problem: compilers ("trusting trust"). The only option to improve this is to rely on a diverse "polyculture" of software stacks and infrastructure instead of our current Windows and gcc monocultures. (I suppose most .mil and all research microkernels are written on monolithic untrusted "legacy" systems.) Alternatives do exist (most likely built with gcc...) but are probably not mature enough, though I hear the OpenBSD kernel can be built with pcc. clang/LLVM is probably the best bet. This also extends to the build system; workstations and gateways should be built on their respective target platforms, not a single build system.

Software updates: Currently, one single bad update from Debian and it is game over. Software updates are always a root "backdoor"; they grant unknown people full remote access to all your systems. This needs to change. If the TCB is small and well tested, there won't be many security updates, and they will be simple, small patches. Deterministic binary builds could make that user-friendly. At the very least, we should not rely on a single organization to provide security updates for all systems in Whonix (this includes having the same upstream for complicated software, i.e. the Linux kernel...).

Tor: Currently, one serious Tor vulnerability and it is game over. Even with true end-to-end communications, if Tor (or its TCB) is subverted, an adversary can find out who is talking and to whom one is talking. Whonix should route all traffic over at least two strong anonymity networks (not just a single-hop proxy/VPN/SSH). Further, there should be the option to use a high-latency network. This could be as simple as a single onion service (which would have to be fully trusted not to collude with our "global adversary"). A real solution would, of course, have to be decentralized. The only options so far are remailers (Mixminion...), but those have few users (poor anonymity set), which is probably related to their outdated user interface and experience. However, even with a small number of users, if remailers are routed through Tor, they are still more secure than Tor (in this context, the resulting anonymity is cumulative).

"Protocol leaks", Anonymity set reduction: The current platform of choice (for pretty much everything, including anonymous communication) is the web browser. Browsers really suck when it comes to privacy, anonymity, or security. Allowing scripting, storing IDs (cookies and more), constantly changing features (html5, webgl, websockets...), lack of a strong crypto environment make the web browser one of the worst platforms imaginable for strong anonymity (or security). Why? Because we also lack a credible alternative. One such alternative could have been the now dead or in limbo Syndie ("Syndie's design as an anonymity-sensitive client application carefully avoids the intricate data sensitivity problems that nearly every application not built with anonymity in mind does not.")

In summary: Whonix² needs to consist of at least two very diverse systems, different hardware manufacturers, different kernels, different companies/orgs providing support, and offer at least two different anonymizing networks. Bonus points for utilizing diverse crypto systems and cascades. Neither system should "know" both who is communicating and with whom.

Whonix The most watertight privacy operating system in the world.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Whonix is proudly supported until 2026 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!