FAQ

Why are the Whonix images so big?

Compared to other "Tor-VM" or "Tor-LiveCD/DVD" projects, which sometimes use special minimal or stripped-down Linux distributions (e.g. TinyCore, DSL, Puppy), Whonix is larger: both VMs together are currently almost 2 GB.

One reason is that small distributions do not meet our requirements, namely that upstream needs to have a proactive security policy.

  • Most "minimal" distributions are small projects that do not have a dedicated security team that audits packages and releases security patches quickly.
  • We need a distribution that fully signs updates (this is always desirable but especially so when updating over untrusted exit relays).
  • For such distributions, security consists of a small attack surface [1], but that's about it. A full distribution supports MAC, kernel patches, IDS...
  • "Big" projects with many users and developers (many eyeballs) are inherently more trustworthy.
  • Debian has loads of security features; see Ubuntu Security Features (an Ubuntu article, but mostly true for Debian). Small distributions don't have them.

There are maintenance and usability reasons:

  • We want to support a wide range of use cases, such as hosting hidden services; small distributions usually have limited repositories.
  • Whonix, since it is based on Debian, is a complete operating system: an anonymous general purpose operating system, not a stripped-down minimal system. See Features, Design.
  • Debian has much more documentation than small distributions, also about topics such as Security and Hardening.
  • Creating a slim system is difficult and requires a lot of development time. This should not be Whonix's core competence. There are projects which do not focus on anonymity/privacy/security, but which are dedicated to a slim system.
  • To my knowledge, slim systems could never really attract big market shares. I don't know why they are less favored, whether they have worse marketing or for other reasons. What matters is the fact that they don't have a huge user base.
  • Slimming down the system will result in many "strange bugs". People who are used to Debian or Ubuntu will wonder why some things do not work or why Whonix is broken.

Another reason is that Whonix does not play in the anonymity oriented Live CD/DVD market:

Whonix is a new category of anonymity tools. Whonix does not have the requirement to fit on a DVD. (Although in future we may develop a Whonix Live DVD.) While anonymity-oriented Live CD/DVDs have to balance between the functionality they want to provide, available space and security, Whonix, as an anonymous general purpose operating system, can by default or optionally provide any functionality and doesn't have to care so much about space. For example, integrating BitCoin into Whonix would be, except for documentation, quite simple.

Last but not least, not putting security over usability:

  • Short: I don't put security over more users.
  • Long: For example, this interesting statement from Tor developer Roger Dingledine: Mixminion vs Tor. Something similar applies here. Mixminion is a high latency remailer, with cover traffic, protection against traffic confirmation (end-to-end correlation), theoretically more secure than Tor. The problem is "theoretically". They couldn't attract enough users and without enough users it's equally (in)secure as Tor. That's why they decided to no longer work on Mixminion. Whonix also needs lots of users, to 1) get press/publicity 2) more developers 3) more research and audits. 2 and 3 will result in more security. Creating the most secure and most slim system would only attract a few geeks. The geeks will hopefully be satisfied, because Whonix is highly customizable. Nothing prevents anyone from optionally slimming, hardening and customizing.

Why is KDE (big) the default desktop environment? Why not use a minimal DE?

This was a difficult development path decision. Many people, including adrelanos, didn't like the old Openbox interface in TorBOX (deprecated project name) 0.1.3 because it was too inconvenient, non-intuitive, uncommon, difficult, etc. There is no rational unarguable choice for the best desktop.

MATE has not been chosen, because there are no packages in Debian repositories. It is my understanding that GNOME2 is deprecated and only a fraction of GNOME2 users like GNOME3. Other desktops (LXDE, XFCE, Openbox) are less widespread, not so pretty, in adrelanos's opinion harder to use (even difficult to create a desktop shortcut), thus not attracting many users.

Choosing KDE is a personal preference by Whonix developer adrelanos. KDE has one advantage: the only developer likes it and remains interested in maintaining and developing Whonix further.

You are free to uninstall KDE and install any other desktop environment of your own choice.

I recognize that this is a non-ideal situation. Inspired by select your webbrowser, it would be ideal if Whonix offered a choice of which desktop to install, but unfortunately such a wizard does not exist yet. There are no development resources to implement such a solution. Help is welcome.

If there were contributors, we could maybe also include other desktop environments by default or offer alternative Whonix builds with different default desktop environments or ideally implement a "choose your desktop" option after first boot of Whonix.

Please also read #Why are the Whonix images so big? above, the same applies here.

See also Other Desktop Environments for workarounds/alternatives.

Why not use a Live CD/DVD as Whonix-Workstation operating system?

This FAQ entry should be updated.

We discussed this and came to the decision that Live CD/DVDs are not suited for Whonix.

Positive:

  • often actively maintained
  • stabilized
  • hardened GNU/Linux distribution
  • with advanced features.

Negative:

  • no timely security updates
  • not persistent / limited persistence
  • not flexible enough

Negative for anonymity-oriented Live CD/DVDs in the context of this FAQ:

  • anonymity-oriented Live CD/DVDs often have their own Tor enforcement included, which would lead to a Tor over Tor scenario

Why should I (not) trust Whonix?

See Trust for a long answer.

Whonix crashes because of PAE?

See PAE crash.

You should not waste the Tor network's bandwidth by downloading operating system updates over Tor!

Short answer: We discussed this with torproject.org and were allowed to do so.

Long answer: We had a thread about this issue, "updates over Tor, should not waste Tor bandwidth", and discussed it thoroughly. We speculated a lot and thought about solutions until we finally did what we should have done in the first place. We asked torproject.org, see tor-talk Operating system updates / software installation behind Tor Transparent Proxy. Click here for an overview of all answers. Andrew Lewman (Executive Director, Director, press contact), too, downloads a lot of updates over Tor and did not complain.

Alpha? Beta? Stable? Development? Whonix version scheme

TODO: Needs revision. DRAFT!

Is Alpha, Beta or Stable related to security? No, our design makes security issues inherently less likely to occur.

We are still working heavily on usability, working on some user-facing stuff (like zenity). Until those are all integrated and tested, we wouldn't be doing our users a favor by not calling it an alpha. They get turned away if things don't work right.

Alpha: Features are constantly being added.

Beta: Only fix important stuff, test it.

Stable: Build and release the current beta with all fixes when we feel it's ready. We expect beta testing to last a month or so, shorter if we can get feedback from more users.

Development version: Only goes for the source. Things can be added in order to get feedback from others. The longer things are inside, the longer they are accepted. Doesn't mean they are better tested. Sometimes the source can even break.

Why do you use the 32 bit operating system, not 64 bit?

Update: A critical VirtualBox bug: VirtualBox ticket #10853: Mouse position repeatedly reset to top and/or left of screen.

Since Whonix 0.4.0 the build environment uses grml-debootstrap (perhaps kameleon in future) and chroot. Image creation goes much faster and changing the architecture requires only very few changes. If Whonix receives contributions or due to user feedback it might be possible in future to have 32 and 64 bit downloads.

Old statement: 32bit software runs without problems on 32bit and 64bit hosts. 64bit software not so much. Because we generally don't control what host OS people use, I chose to base Whonix on 32bit. Secondly, 64bit software needs more RAM, and we already run 3 operating systems on a system, which eats RAM. Let's better minimize that. KVM and other solutions improve RAM usage through page sharing or whatever it's called, VirtualBox doesn't. Thirdly, according to Brad Spengler and/or PAX team, amd64 is a brain dead instruction set and actually worse than x86, despite the large address space making ASLR more effective. They recommended to use grsec on x86 and we hope we can switch to a grsec kernel (wheezy has one, let's see if they maintain it).

Why aren't you using OpenBSD, it's the most secure OS ever!!!1!

OpenBSD fails completely for the Tor threat model, which involves downloading and updating software over untrusted exit relays. OpenBSD does not offer any signed files; they do not even offer hash sums for all required files (at least the ports tarball doesn't have one). When asking about that, the answer is "buy the CDs" (= something like $80 per year if you want to stay current). As if CDs via post through a 3rd party reseller offer a better trust chain than mirrors with hash sums, let alone proper WOT signatures. There are alternatives to GnuPG if it's just about the license...

Further, tracking stable - which is recommended for production systems - is needlessly complex: it requires the user to recompile everything even though there are usually only a few packages that require an update. The most fitting approach would be to just apply the patches from the errata, but apparently not all security related fixes in -stable are listed there, and OpenBSD admits as much that the patch branch is really not user-friendly.

Further problems: OpenBSD seems to default to using very "conservative" hash algorithms, md5 or sha1, which are both broken. This clashes with their claimed crypto focus. FDE support is lacking/limited. There doesn't seem to be a modern mandatory access control (MAC[2]); instead there's systrace, which has been criticized for having fundamental security problems (this may or may not have changed since then). OpenBSD doesn't seem to be using PIE executables by default, meaning it doesn't really have ASLR. Documentation about such issues is completely lacking. There's also the strange policy of sticking with bind and sendmail when there were secure-by-design alternatives (see PDF!) with a much better track record; BIND-9, despite the rewrite, continues to be a security hazard just judging by the OpenBSD errata entries.

OpenBSD would otherwise be a great choice for Whonix-Gateway. It has a very capable firewall, and the track record is probably better than that of any other OS, though they (just like their competition, for fairness' sake) prefer to label "potential" code execution vulnerabilities as a DoS. OpenBSD is also a very small OS (small TCB), its kernel may be the most secure UNIX-like kernel, but it's still a monolithic kernel. Their claim of being THE most secure operating system has become more and more dubious since the introduction of actually usable microkernels. In summary: I don't like their attitude and several essential (for Whonix) security properties are missing.

Also see security vulnerability - NTP not authenticated and it doesn't look like they step forward to fix it. The suggestion was to authenticate the connection to the NTP server, which is not possible for Whonix for many reasons. [3]

OpenBSD's target audience aren't end users, that's why they don't care to provide signed updates for the masses, see How to check downloaded package on OpenBSD 5.1?.

OpenBSD's website isn't reachable over SSL or as a Tor hidden service. How are users supposed to securely view the OpenBSD site and not learn things set up by a man-in-the-middle?

If they don't attract the masses, ordinary crackers, hackers and the security research community don't get attracted as they do with more popular operating systems. At the same time a targeted attack gets easier, because people who get paid to find exploits can find them more easily.

If this sounds a bit harsh on OpenBSD it's because it could be such a great OS but it isn't (mostly more for political and social/"ego" than technical reasons) which is frustrating.

Update 1: There is now Qubes OS and I am missing such innovative security improvements from OpenBSD, which claims to be the most secure operating system.

Update 2: OpenBSD according to bststats.org (w) has very few users. 56 at time of writing. I know, that people must undergo a rather complicated manual process to get counted, however compared to 24,168 FreeBSD users, that's not very much.

Why don't you use FreeBSD, which is more secure?!?

It is difficult (very time consuming in this case) to prove a negative, such as proving non-existent security features. Either a search results in "security feature implemented" or nothing.

To avoid getting out of date and hurting other people's feelings, it's better not to make any statements about non-existent security features, but just to ask the appropriate questions.

Does FreeBSD have a secure package manager? Can every user download from an already existing signed repository or is it required to run one's own repository? Does it defend against outdated metadata, can a man-in-the-middle use a roll back or freeze attack against the repository? Does it defend this (w)? Does it cover the TUF threat model (w)?

Not finding anything doesn't mean there isn't something. The best way to get confirmation about the absence of security features or in other words, the best way to get a confirmation about possible attacks due to missing security features is asking the developers of that project. (An honest reply from Open Source projects is assumed.) There are simply too many distributions to ask these things.

So, if you believe that FreeBSD is a secure distribution, if you are even advocating that standpoint, then the burden of proof is on the person making the claim (you). It's up to you to come up with references that these security features are implemented. It is not up to the Whonix developers to spend a lot of time proving that these security features are non-existent. Or it's up to you to create such references by asking the distribution's developers. Another way would be coming up with arguments why these security features are unnecessary (this is unlikely in the specific case of package manager security). Until the claim of being a more secure distribution gets substantiated, please do not take offense by not considering that distribution.
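The rollback and freeze attacks asked about above can be shown with a small client-side check. This is an added example, not code from Whonix, Debian or FreeBSD; HMAC with a shared key stands in for a real public-key signature, and the metadata fields `version` and `expires`, the package name and all clock values are constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: HMAC with a shared key stands in for the repository's
# public-key signature so the example runs with the standard library only.
REPO_KEY = b"constructed-demo-key"


def sign_metadata(version, expires, packages):
    """Repository side: sign an index carrying a version counter and an expiry time."""
    body = json.dumps(
        {"version": version, "expires": expires, "packages": packages},
        sort_keys=True,
    ).encode()
    return {"body": body, "sig": hmac.new(REPO_KEY, body, hashlib.sha256).hexdigest()}


def signature_ok(meta):
    """The only check a 'signed packages' client performs if it stops here."""
    expected = hmac.new(REPO_KEY, meta["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, meta["sig"])


def check_update(meta, last_seen_version, now):
    """Client side: return (verdict, new_last_seen_version).

    A valid signature proves who wrote the index, not that it is current.
    The version counter stops a man-in-the-middle replaying an older index
    (rollback); the expiry stops them serving the same index forever (freeze).
    """
    if not signature_ok(meta):
        return "reject: bad signature", last_seen_version
    index = json.loads(meta["body"])
    if index["version"] < last_seen_version:
        return "reject: rollback", last_seen_version
    if now > index["expires"]:
        return "reject: expired (possible freeze)", last_seen_version
    return "accept", index["version"]


def demo():
    # Constructed metadata; times are plain integers on an arbitrary clock.
    v1 = sign_metadata(1, expires=200, packages={"examplepkg": "1.0"})
    v2 = sign_metadata(2, expires=300, packages={"examplepkg": "1.1"})
    results = {}
    results["fresh v2"], seen = check_update(v2, last_seen_version=1, now=150)
    # An untrusted relay or mirror replays the older, still validly signed index.
    results["signature only, replayed v1"] = signature_ok(v1)
    results["replayed v1"], seen = check_update(v1, seen, now=160)
    # The same index keeps being served long after it should have been replaced.
    results["v2 after expiry"], seen = check_update(v2, seen, now=400)
    # Modified in transit: this is the one case a signature alone catches.
    tampered = dict(v2, body=v2["body"].replace(b"1.1", b"9.9"))
    results["tampered v2"], seen = check_update(tampered, seen, now=150)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The replayed index passes the signature check and is only caught by the version comparison, which is the gap the questions above are probing for.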

Why don't you use OpenWRT, which is more secure?!?

Same reasons as above for FreeBSD.

OpenWRT does not have signed packages.

How is Whonix different from Tails?

See Comparison with Others.

Why don't you merge with Tails and join efforts?

UPDATE 7: Rewrite.

This is a subjective statement of opinion by Whonix developer adrelanos. (Still open for feedback, corrections, improvements!)

Tails is a respected project with similar goals (anonymity, privacy and security), which has existed for many years and which has multiple developers, experience and a working infrastructure. The Whonix and the Tails developers cooperate to some degree and discuss things which are related to the projects on the Tails developers mailing list. Parts of Whonix are based on Tails. For example tails_htp was invented by Tails. Whonix also profits from their previous (Debian) upstream efforts (packaging and so on), their old and current discussions, their research, design documents, experience, feedback and so on.

Even though adrelanos highly values Tails, why is Whonix a separate project and not a contribution to Tails?

Whonix can not be merged into Tails by adrelanos. There are technical, skill and political reasons.

Adrelanos doesn't/didn't know how to implement various things into Tails, and doesn't/didn't know when the Tails developers will add them, which are adrelanos's priorities, but knew how to solve them in a separate project (Whonix), at least in a way that users are provided with instructions how to do it. Some examples:

Some of these items may already be either partially or fully solved in Tails by now.

TODO Broken since migration to whonix.org. Ignore for now.

| (Previous) Tails Todo | Whonix Instructions |
| --- | --- |
| remember installed packages | By design, everything persists. [4] |
| Applications Audit | By design, protocol leaks can not deanonymize. |
| Two-layered virtualized system | Done by design, either using VMs or using Physical Isolation. |
| TorChat | Chat |
| VPN support | Features#VPN / Tunnel support |
| JonDo over Tor | JonDonym |
| Freenet over Tor | Freenet |
| obfsproxy | Bridges |
| hide Tor from your ISP | Hide Tor and Whonix from your ISP |
| i2p over Tor | i2p |
| Transparent Proxy as fallback mechanism | Done by design, everything not configured to use a SocksPort will automatically use Tor's TransPort. |
| use Tor Browser | Tor Browser |
| OnionCat | OnionCat |
| Stream Isolation | Stream Isolation |
| evaluate web fingerprint | Same as Tor Browser. |
| unsafe browser fingerprint | Logging in to captive portals |
| Location Hidden/IP Hidden Servers | Location/IP Hidden Servers |
| Voip | Voip |
| ... | ... |

Political and design decisions also differ too much.

  • As a code contributor to Tails, adrelanos would have to accept decisions made by the Tails decision making process and couldn't simply modify anything as personally desired, preferred or believed to be the best solution. That's the great thing about Free Software. You are free to disagree and to create a fork. Since adrelanos's motivation was not about a Live DVD and adrelanos personally found improving Tails much more difficult than starting fresh, a new project, Whonix, was created.
  • Source Code Merge Policy:
    • Whonix: does not yet have a comprehensive merge policy. It's welcome, but not compulsory to write a design or documentation.
    • Tails: In adrelanos's opinion, the Tails merge policy is too strict. This is not a complaint or critique. They will have their reasons for that and it has to be noted that Tails is still doing well and is useful for many people. Anyone who does not agree has the freedom to contribute to another project or to start a new project. Adrelanos just made use of that freedom.
  • One big difference is that Tails is a Live DVD and therefore inherits some restrictions and limitations. Tails must fit on a DVD, while Whonix does not have such a requirement. Whonix has higher hardware requirements, but therefore more space to implement features. That means that initially fewer people will be able to use Whonix, but over the years the hardware available to people will (hopefully) improve. Whonix is discovering new designs, both theoretically and practically. Over time, depending on user feedback and general interest, a Live DVD or Live Blu-ray might be created.

How is Whonix different from the Tor Browser Bundle?

See Comparison with Others.

Does this mean that, for example, my IP and location is safe when using Skype?

This answer has been moved to the Voip page.

Isn't VirtualBox an insecure choice?

VirtualBox is not an ideal choice, I acknowledge it, see: Dev/Virtualization Platform, but there are no better alternatives which are usable by a large number of people.

It's about different goals. Whonix's main goal is to protect the user's IP/location.

At the moment Whonix is practically more secure in many cases, see Whonix Security in Real World.

Saying VirtualBox is too weak is theoretical and does not have any practical implications at the moment. What are the alternatives? Continue running Tor and torified applications on the host? Running TBB and running into another proxy bypass bug? People failing to correctly torify software? Software not honoring proxy settings?

On the other hand, how many known exploits exist for VirtualBox? What's the track record of exploits?

I acknowledge that virtual machine exploits may become a problem in future. Right now, Whonix provides more security out of the box. Whonix right now advertises and educates about the security by isolation principle.

Anyone seriously looking into Whonix for security will read the Documentation, the Security Guide and the Advanced Security Guide and find out about Physical Isolation. Whonix is an appetizer for the Isolating Proxy Concept and Security by Isolation.

A secure replacement for VirtualBox is already in development. Qubes OS is already in a productive state, it only lacks hardware support and it's being worked on. TorVM for Qubes (qubes-tor) was inspired by Whonix. (See Comparison with Others.)

The responsible thing to do from a security perspective would have been, in the past, to switch from Windows to GNU/Linux, and nowadays it would be to switch to Qubes OS. If you are most serious about Tor security, using Whonix with Qubes OS + physical isolation would be the most secure way.

Many users are still on Windows or Linux. Whonix can right now fill the void and improve real world security. They are better off using Whonix, which is up to date, actively maintained and developed, than any seriously outdated project like JanusVM.

Whonix can not serve all target audiences. The more security educated/interested people will use things like Physical Isolation or qubes-tor. Hardcore security educated/interested people will probably build their own custom hardened solutions, but can still profit from Whonix's research and source code. Those more hardened solutions, such as the Hardened Gentoo Whonix-Gateway are more difficult to use and can therefore not be the default for Whonix.

UPDATE 1: Using Whonix on top of Qubes OS looks much easier now. See the blog post.

Will there be a Whonix Live CD or DVD?

Unless someone joins the project and contributes, this won't happen in the near future.

Whonix developer adrelanos has limited knowledge about Live CD/DVD creation. At the moment Whonix is a rather simple project. Many things get delegated to upstream: VirtualBox provides the ability to run on various platforms, Debian provides a fine operating system, hardware support is delegated to the host operating system and VirtualBox, and Tor provides a fine anonymizer. Creating a Live CD/DVD would be difficult, especially the hardware support. Whonix is also too big and that would be very difficult to fix, see #Why are the Whonix images so big? above. Adrelanos lacks experience with Live CD/DVD deployment.

A clean way to do it would be to contribute to Tails instead, see Tails wishlist: Two-layered virtualized system. A similar feature was already implemented in Liberte Linux, but ultimately rejected (reference).

For an alternative also see the next question below.

Is there something like Whonix Live?

Whonix runs fine when the host operating system is installed on external media.

There is a Recommendation to use a dedicated host operating system and a Recommendation to use Whonix on External Media.

It's the user's responsibility to honor that advice.

Why can't I ping the Whonix-Gateway?

Whonix-Gateway is firewalled (see /usr/bin/whonix_firewall or in Whonix source code) and does not answer ping(-like) commands for security reasons. In most cases, you don't need to ping the Gateway.

If you really want to ping the Gateway or really want some uber special setup, you can, for testing, clear all firewall rules with the dev_clearnet script (or hack Whonix's firewall to not load at all). It's only for experts and you need to comment out the exit 0 at the beginning.

You should add full disk encryption to Whonix!

Short: No, you should add full disk encryption to your host!

Long: It is technically impossible to ship Whonix with an encrypted disk for several reasons.

While you can change the password for a LUKS/TrueCrypt/whatever volume, only the password for the masterkey gets replaced. The masterkey itself remains unchanged. (The masterkey is NOT some kind of backdoor, it's just how things work. Otherwise you would have to re-encrypt each time you want to change the password.)

In Whonix the masterkey would be known to everyone who downloads it, and changing the password wouldn't change the masterkey.

So all that could be added would be an option to encrypt it with a freshly and locally created masterkey (and user chosen password) after the user downloads Whonix.

But there are two problems. There is no "encrypt after installing" software for Linux, like there is TrueCrypt for Windows.

The other one is that the host can swap to the disk and therefore leak stuff to the perhaps unencrypted host disk.

Therefore the only secure solution is applying full disk encryption on the host, as recommended in the Advanced Security Guide#Full Disk Encryption.
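The masterkey argument above, worked through as an added example (not code from Whonix, LUKS or TrueCrypt). It models a volume as a passphrase-wrapped keyslot plus a payload encrypted under the masterkey; the HMAC-based XOR stream is a toy stand-in for the real disk cipher, and the passphrases and contents are constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 10_000  # low so the example runs fast; real keyslots use far more


def _stream_xor(key, data):
    """Toy cipher: XOR with an HMAC-SHA256 counter keystream (stand-in for AES-XTS)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def _kek(passphrase, salt):
    """Key-encryption key derived from the passphrase; it only protects the keyslot."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


def _fill_keyslot(volume, passphrase, master_key):
    salt = os.urandom(16)
    volume["salt"] = salt
    volume["keyslot"] = _stream_xor(_kek(passphrase, salt), master_key)


def format_volume(passphrase, plaintext):
    """Create a volume: random masterkey, keyslot wrapped by the passphrase."""
    master_key = os.urandom(32)
    volume = {"mk_digest": hashlib.sha256(master_key).digest()}
    _fill_keyslot(volume, passphrase, master_key)
    volume["payload"] = _stream_xor(master_key, plaintext)
    return volume


def unlock(volume, passphrase):
    """Unwrap the masterkey; the digest check rejects a wrong passphrase."""
    candidate = _stream_xor(_kek(passphrase, volume["salt"]), volume["keyslot"])
    if not hmac.compare_digest(hashlib.sha256(candidate).digest(), volume["mk_digest"]):
        raise ValueError("wrong passphrase")
    return candidate


def change_passphrase(volume, old, new):
    """Re-wrap the SAME masterkey under a new passphrase; the payload is untouched."""
    _fill_keyslot(volume, new, unlock(volume, old))


def write(volume, master_key, plaintext):
    volume["payload"] = _stream_xor(master_key, plaintext)


def read(volume, master_key):
    return _stream_xor(master_key, volume["payload"])


def reencrypt(volume, passphrase):
    """Fresh, locally generated masterkey: the whole payload has to be rewritten."""
    plaintext = read(volume, unlock(volume, passphrase))
    new_key = os.urandom(32)
    volume["mk_digest"] = hashlib.sha256(new_key).digest()
    _fill_keyslot(volume, passphrase, new_key)
    write(volume, new_key, plaintext)


def demo():
    # Constructed scenario: an image published with a well-known default passphrase.
    published = format_volume("default-passphrase", b"factory contents")
    # Anyone who downloads the image can unlock it and keep the masterkey.
    known_master_key = unlock(published, "default-passphrase")

    # One user changes the passphrase on their copy and stores private data.
    mine = dict(published)
    change_passphrase(mine, "default-passphrase", "my long private passphrase")
    write(mine, unlock(mine, "my long private passphrase"), b"my private notes")
    after_change = read(mine, known_master_key)  # still decrypts

    # Only re-encryption under a new masterkey invalidates the published one.
    reencrypt(mine, "my long private passphrase")
    after_reencrypt = read(mine, known_master_key)  # garbage
    return after_change, after_reencrypt


if __name__ == "__main__":
    print(demo())
```

Re-encryption inside the guest still does nothing about the host swapping guest memory to its own disk, which is the second problem named above.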

Speed up the Whonix-Gateway? Speed up Tor?

Is there a way to configure the number of nodes in a circuit and to allow selection according to their speeds?

Remember, Whonix is based on Debian, KDE, VirtualBox and Tor. It is nothing very special. Therefore Whonix does not limit Tor and your options in any way.

If you learn how to configure Tor in such a way on the Debian command line, you have also learned how to do it in Whonix-Gateway. While it's possible to learn it yourself and do it manually, this is not recommended in Whonix-Gateway since the Tor developers also don't recommend it.

For these reasons there are no instructions in Whonix documentation how to do it. If you find general instructions, the only thing changing would be that you do it in Whonix-Gateway instead of on the host.

Please also see the next question below.

Does Whonix modify Tor?

NO!

Tor's configuration file has been adapted for Whonix, you can check it on Whonix-Gateway in /etc/tor/torrc. There are no patches to Tor. The normal Debian Tor package is being used in Whonix.

Whonix tries to be as little special as possible to ease security auditing of Whonix.

Any changes to the Tor routing algorithm should be proposed, discussed and eventually implemented upstream in Tor on torproject.org. And if discussion fails, a Tor fork[5] could be created. Tor has already been forked at least once.

Doing such changes directly in Whonix would limit discussions about Whonix to the security of the modified routing algorithm. To allow further exploration of Whonix's security, Whonix developer adrelanos believes, it is required to be as agnostic as possible about all parts of Whonix.

Why doesn't Whonix improve Tor?

Please see the question above.

Creating Whonix is difficult and time consuming enough. Improving Tor is left to the people who are better at this job. Any bugs/suggestions related to torproject.org will of course be reported. Happens.

Can you improve Tor?

No.

Any improvements to Tor should be proposed upstream. If adrelanos finds a bug or has a suggestion it will be proposed upstream on torproject.org. Happens.

For reasons why there isn't an improved version of Tor in Whonix see the question #Does Whonix modify Tor? above.

Anyone unhappy with Tor should provide patches upstream and as last resort fork[5] it. Hypothetically, if the fork[5] gets better respected than the original project, then Whonix will of course seriously consider switching.

You should disable JavaScript by default!

No, this isn't a good idea for many reasons.

Whonix is an anonymity distribution gluing together concepts which are generally respected by educated people and known to work reliably. It's not a browser project trying to create a secure browser such as "Privacy Browser - solves all browser fingerprinting problems". Whonix does not have the manpower to create such a browser. Even if it had, in theory it would make more sense to create a new project "Privacy Browser" and, when it gets better than Tor Browser, re-configure Whonix to use "Privacy Browser" instead of Tor Browser.

Whonix also doesn't modify Tor Browser for the same reasons also listed in the already answered questions #Does Whonix modify Tor?, #Why doesn't Whonix improve Tor? and #Can you improve Tor? above.

Whonix includes Tor Browser with only minor differences, such as proxy settings for Stream Isolation.

Mike Perry, developer of Tor Browser, has also made a good posting on why it's better to have JavaScript enabled in Tor Browser by default, see tor-talk Tor Browser disabling Javascript anonymity set reduction. To summarize his post, Tor Button and the Tor Browser patches handle the most serious issues related to JavaScript. There are no IP/location bypass problems. Although there are outstanding issues [6] [7], deactivating JavaScript by default couldn't attract enough users, and without enough users the anonymity set will also reduce. When someone deactivates JavaScript it may be even more fingerprintable, depending on how many people disable JavaScript, which no one really knows. The Tor Project also plans to create a security slider and has recently updated its JavaScript FAQ, stating: "Until we get there, feel free to leave JavaScript on or off depending on your security, anonymity, and usability priorities."

Last, but definitely not least, Whonix shares the same fingerprint as other Tor Browser Bundle users, which is good for anonymity.

How difficult is it to develop Whonix?

This is just adrelanos's opinion and feeling.

Whonix source code isn't rocket science. In comparison to other things it's very simple.

I think it's best to make a comparison table.

Legend: 10 stars (**********) equals very difficult; 1 star (*) equals very easy.

Table:

********** Hand written binary code.
********* Cryptographic algorithms development
********* Rocket science
********* Compiler development
******** Assembly language
******** Kernel development
******** Reverse engineering
******* Tor core development
****** Programming languages such as C/C++.
***** Using Hardened Gentoo
**** Scripting language
*** Whonix related anonymity/privacy research
** Writing Whonix documentation
** Writing Whonix bash scripts
* Using a computer

What is clearnet?

This term has two meanings.

  1. Connecting to the regular internet not using Tor (or other anonymity networks), and/or
  2. Connecting to regular servers (which are not Tor hidden services) (using Tor or not)

Can I use DNSCrypt in Whonix?

Yes, see Secondary DNS Resolver.

Why not use DNSCrypt as default for Whonix?

DNSCrypt may have good use cases for clearnet. In the context of Whonix it's not useful and should not be installed and activated by default for everyone. It does not do what you may think: it does not magically solve all DNS related security issues and does not implement end-to-end DNS encryption to the destination server. (That conceptually can not work. If you knew the IP of the destination server in advance, you wouldn't require DNS in the first place.) The server will still see all DNS requests in cleartext. This is only a short version of the many reasons why it should not be activated by default for everyone.

More reasons: Tor is about distributing trust. Tor's DNS servers change as circuits change, thus trust is distributed. Circuits are stream isolated (for pre-installed applications) and change every ten minutes. As far as I know, there are only two public open resolvers supporting the protocol: CloudNS and OpenDNS. (There is a free server-side proxy that anybody can use.)

I have no reason to distrust public resolvers supporting DNSCrypt and/or OpenDNS. Even if I trusted the people running DNSCrypt servers, their servers would have to be trusted as well, and it's not wise to let DNS security for all Whonix users depend on a few servers. It's also about load balancing. If Whonix was to use a DNSCrypt supporting server by default and that server decides to forbid connections from the Tor network (due to the Tor network being used to abuse their servers with DDOS or for whatever reasons) or if the servers go down for maintenance, DNS would break for all Whonix users.

For even more explanations on DNSCrypt, see forum post one and two related to this topic.

Can I use DNSCrypt on the host, in my router, for clearnet?

Yes, if you want. Also read the entry below.

Does DNSCrypt on the host or in my router harm anonymity when using Tor/Whonix?

Short answer: No.

Long answer: No, DNSCrypt on the host or in your router only affects your clearnet activities. Tor assumes your local network and ISP to be totally unsafe and untrustworthy. Neither Tor nor Whonix is affected by DNS settings on your host or in your router.

Whether DNSCrypt is useful for your clearnet activities or not is not clear. There are arguments for and against. If you ask me, it's useful when using foreign or untrusted Wi-Fi networks (shared with others), since they could modify and/or read your DNS requests. Other than that, I think you will just shift the trust from one party (ISP) to another (DNSCrypt-supporting DNS server, e.g. OpenDNS). If the DNSCrypt-supporting DNS server (e.g. OpenDNS) is more trustworthy, then it's good. Which one should be trusted more, your ISP or OpenDNS, I don't know.

What's the difference between installing a VPN on the host and installing it on Whonix-Gateway?

This entry assumes you have already decided to use a VPN.

If you have read the VPN / Tunnel Support documentation and decided you want to use a VPN, continue reading; otherwise you can skip this FAQ entry.

If the VPN is installed on the host:

  • all Whonix traffic goes: user -> VPN -> Tor -> destination
  • all host traffic goes through the VPN: user -> VPN -> destination
  • If Whonix-Gateway ever gets compromised, this is a tiny bit more secure than having the VPN installed on Whonix-Gateway.

If the VPN is installed on Whonix-Gateway:

  • all Whonix traffic goes: user -> VPN -> Tor -> destination
  • all host traffic goes in the clear: user -> destination

When making the decision, you must ask yourself...

What do you want to hide from your ISP? All traffic? Then install the VPN on the host.

What should your VPN provider be able to see? All traffic? Then install the VPN on the host.

Should your VPN provider only be able to see Tor traffic but not your clearnet traffic? Then install the VPN on Whonix-Gateway.

Does Whonix/Tor protect you from the NSA or other three letter agencies?

If you are under active surveillance:
Whonix can do nothing against miniature cameras or microphones in your room etc.

If you are under passive surveillance just like anyone (PRISM):
That depends if Tor protects from such threats. The answer to that is not clear: https://lists.torproject.org/pipermail/tor-talk/2013-July/029014.html

And even if Tor were a whole lot better, you can never prove a negative. So it's better to hold back from any broad claims, just as one would be skeptical if any other project made them.

Also Whonix does not make such broad claims. For a related statement about three letter agencies, also see: Technical Introduction#With more technical terms

check.torproject.org says "Sorry. You are not using Tor."

If you see this while using Whonix, everything is probably okay. You can verify that if you want.

https://check.torproject.org (check.tpo) fails in some cases to detect Tor exit relays. It's a bug in check.tpo, which The Tor Project should fix. Whonix can do nothing about it.

To find out whether the given IP address is or was a Tor exit relay, you could use (using the Tor Browser Bundle on the host) ExoneraTor, a website that tells you whether a given IP address was a Tor relay, or a search engine.

If the IP you are seeing is different from your own real external IP address, it's another strong sign that everything is fine.

If I do X - can this leak DNS and/or my real external IP/location?

Nothing you do inside Whonix-Workstation can cause IP/DNS leaks as long as you leave Whonix-Gateway unchanged (apart from documented changes, which are fine, such as bridges, hidden services, updates).

However, there are still ways you could shoot yourself in the foot. You might be pseudonymous rather than anonymous; you may de-anonymize yourself by doing things you should not do; things like Secondary_DNS_Resolvers may lead to DNS-related identity correlation; or the application you are using may be hostile to you, as in the example of Skype.

Graphical Whonix-Gateway?

If you think it uses too much RAM, or generally prefer a terminal version of Whonix-Gateway, you can reduce Whonix-Gateway's RAM to 128 MB, and RAM Adjusted Desktop Starter will automagically boot into a terminal version of Whonix-Gateway.

Whonix aims to become as accessible in usability as possible. Sorry, if you're a Linux geek and were happy with Whonix-Gateway 0.5.6, but you're not the only target audience. Whonix is also an attempt to get more casual users[8] [9] using Tor, because the more people use Tor, the better the anonymity Tor can provide becomes[10].

In Whonix 0.5.6 it was difficult for users who had never used Linux before to do tasks such as upgrading or configuring obfuscated bridges. Many things are simpler and more encouraging in a graphical desktop environment, such as:

  • setting up bridges / flashproxies
  • auditing logs
  • auditing iptables
  • auditing the system architecture in general
  • running Tests
  • running Leak Tests
  • editing Tor configuration file /etc/tor/torrc
  • editing firewall settings folder /etc/whonix_firewall.d
  • reading status messages (whonixcheck and timesync)
  • changing the Tor circuit
  • copying and pasting (configuration) commands, (error) messages and logs
  • running tshark / wireshark
  • tunneling only Whonix-Gateway's traffic through a VPN

And a big black text-only window (terminal) looks scary. A graphical desktop environment is also a prerequisite for further planned improvements, such as a graphical Whonix Controller, where you have buttons such as

  • "create hidden blog", and then you end up with a preconfigured blog
  • "enable TorChat"
  • "backup hidden service keys"
  • and so forth.

Also terminal-only environments are often unusable by users with disabilities. That's why Whonix 6 and above will feature an optional graphical desktop environment.

If you think the graphical Whonix-Gateway uses too much disk space and/or you want to do things it was not originally intended for, such as running Whonix completely in RAM, sorry to say: Whonix has never been developed with low size, low RAM or low system requirements in mind. See also #Why are the Whonix images so big? and #Will there be a Whonix Live CD or DVD?.

Advanced users can build Whonix from source code and use a build configuration to create a terminal-only version of Whonix-Gateway. (Refer to Build Documentation in case that is of interest to you.)

Last but not least, if there were a Release Manager contributing to The Whonix Project, or at least someone willing to build terminal-only versions of Whonix-Gateway (which is not about developing, only about running the build script and uploading), we could easily provide a terminal-only version of Whonix-Gateway. As long as very few people are contributing to The Whonix Project, this won't be possible.

See also Other Desktop Environments for workarounds/alternatives.

Is there a substitute for Whonix's lack of an Amnesic feature / Live CD/DVD? Forensics?

Short answer:
No.

Long answer:
Whonix is not amnesic (see Warning#Whonix_is_not_amnesic) and there is no Live CD/DVD of Whonix.

Many people have suggested workarounds such as shredding Whonix's hard disk images, keeping a zip archive of Whonix's hard disk images and restoring them every time they use Whonix, restoring a fresh snapshot every time they use Whonix, using Full Disk Encryption and so forth.

These aren't substitutes for having an amnesic system. Not storing sensitive data on hard disks in the first place is much safer than dealing with it after the fact. In that regard, amnesic live systems are superior, because they do exactly this by design.

Never storing data unencrypted in the first place is much safer than trying to wipe it later. Using Full Disk Encryption is very useful. Still, this isn't an applicable stopgap as long as Whonix doesn't offer an amnesic version for every person in all cases. In some areas in the world, having encrypted disks isn't wise.

You should be very cautious about disk forensics claims. We don't know about swap or other strange things operating systems and hard drives are doing nowadays. We are not experts in forensics. We just have a basic understanding of it and know to be cautious. Check out Data Remains on USB and SSDs After Secure Erase and wear levelling. Ordinary hard disks also sometimes mark sectors as bad and never release their data. (?) See also forensics wiki to learn some more about the possibilities of forensics.

No matter how clever the setup sounds, nothing can beat an amnesic system. At bare minimum, before making any claims:

  1. Make an image of the hard drive.
  2. Run Whonix, do some stuff.
  3. Make an image of the hard drive again.
  4. Compare the images.

Without performing these basic steps, the setup may sound clever but may not work out so well against actual forensics. So if you are concerned about local forensics, at bare minimum, use full disk encryption. When established Open Source encryption solutions such as Linux dm-crypt are used correctly, they usually hold their promises. Again, it's not as good as an amnesic system. If being forced to surrender the password is of concern to you, Whonix may not be the right tool for you. Again, without anyone doing actual forensics, be careful with any claims or assumptions about how thoroughly data may be gone.
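The comparison step of the four-step check above can be scripted. This is an added example, not part of the Whonix documentation: it compares two raw images block by block and searches the second image for a marker string typed during the test session. The block size, file names and marker value are assumptions, and the two tiny images are constructed in place of real disk images.

```python
from pathlib import Path
import tempfile
BLOCK = 4096  # comparison granularity in bytes (assumption)

def changed_extents(before_path, after_path, block=BLOCK):
    """Return merged (first_block, last_block) ranges where the images differ."""
    extents, index = [], 0
    with open(before_path, "rb") as a, open(after_path, "rb") as b:
        while True:
            x, y = a.read(block), b.read(block)
            if not x and not y:
                break
            if x != y:
                if extents and extents[-1][1] == index - 1:
                    extents[-1][1] = index          # extend the current run
                else:
                    extents.append([index, index])  # start a new run
            index += 1
    return [tuple(e) for e in extents]

def find_marker(image_path, marker, chunk=1 << 20):
    """Return byte offsets of marker in the image, streaming with overlap."""
    hits, offset, tail = [], 0, b""
    with open(image_path, "rb") as f:
        while data := f.read(chunk):
            buf = tail + data  # keep the previous tail so split matches are found
            pos = buf.find(marker)
            while pos != -1:
                hits.append(offset - len(tail) + pos)
                pos = buf.find(marker, pos + 1)
            tail = buf[-(len(marker) - 1):] if len(marker) > 1 else b""
            offset += len(data)
    return hits

def demo():
    """Constructed sample: two tiny images standing in for steps 1 and 3."""
    marker = b"CANARY-7f3a"  # constructed string a tester would type in step 2
    before = bytearray(BLOCK * 8)
    after = bytearray(before)
    after[BLOCK * 2 + 100: BLOCK * 2 + 100 + len(marker)] = marker  # block 2
    after[BLOCK * 3] = 0xFF                                          # block 3
    after[BLOCK * 6 + 5] = 0x01                                      # block 6
    with tempfile.TemporaryDirectory() as d:
        paths = [Path(d) / n for n in ("before.img", "after.img")]
        for path, data in zip(paths, (before, after)):
            path.write_bytes(data)
        return changed_extents(*paths), find_marker(paths[1], marker), find_marker(paths[0], marker)

if __name__ == "__main__":
    print(demo())
```

A marker found in the second image shows that session data reached the disk. A clean result only covers what the image captured and does not prove the data is gone.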

Footnotes

  1. Our attack surface is still very small, no network listening services, just a few selected applications.
  2. https://en.wikipedia.org/wiki/Mandatory_access_control
  3. We need to distribute the trust, not using only one NTP server and we must use free services which are available for anyone and not something requiring an own server.
  4. This is actually also a disadvantage, because that is the opposite of an amnesic system, which also many users prefer.
  5. https://en.wikipedia.org/wiki/Fork_(software_development)
  6. tbb-fingerprinting
  7. tbb-linkability
  8. https://forums.virtualbox.org/viewtopic.php?f=3&t=57532
  9. See linked comment.
  10. Quote:

    [...] Ultimately the best protection is a social approach: the more Tor users there are near you and the more diverse their interests, the less dangerous it will be that you are one of them. Convince other people to use Tor, too!




Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.