- 1 Why are the Whonix images so big?
- 2 Why is KDE (big) the default desktop environment? Why not use a minimal DE?
- 3 Why not use a Live CD/DVD as Whonix-Workstation operating system?
- 4 Why should I (not) trust Whonix?
- 5 Whonix crashes because of PAE?
- 6 You should not waste the Tor network's bandwidth by downloading operating system updates over Tor!
- 7 Alpha? Beta? Stable? Development? testers-only? developers-only? Whonix version scheme
- 8 Why do you use the 32 bit operating system, not 64 bit?
- 9 Why aren't you using OpenBSD, it's the most secure OS ever!!!1!
- 10 Why don't you use FreeBSD, which is more secure?!?
- 11 Why don't you use OpenWRT, which is more secure?!?
- 12 How is Whonix different from Tails?
- 13 Why don't you merge with Tails and join efforts?
- 14 How is Whonix different from the Tor Browser Bundle?
- 15 Does this mean that, for example, my IP and location is safe when using Skype?
- 16 Isn't VirtualBox an insecure choice?
- 17 Will there be a Whonix Live CD or DVD?
- 18 Is there something like Whonix Live?
- 19 Why can't I ping the Whonix-Gateway?
- 20 You should add full disk encryption to Whonix!
- 21 Speed up the Whonix-Gateway? Speed up Tor?
- 22 Does Whonix modify Tor?
- 23 Why doesn't Whonix improve Tor?
- 24 Can you improve Tor?
- 26 How difficult is it to develop Whonix?
- 27 What is clearnet?
- 28 Can I use DNSCrypt in Whonix?
- 29 Why not use DNSCrypt as default for Whonix?
- 30 Can I use DNSCrypt on the host, in my router, for clearnet?
- 31 Does DNSCrypt on the host or in my router, harm anonymity when using Tor/Whonix?
- 32 What's the difference of installing a VPN on the host versus installing on Whonix-Gateway?
- 33 Does Whonix/Tor protect you from the NSA or other three letter agencies?
- 34 check.torproject.org says "Sorry. You are not using Tor."
- 35 If I do X - can this leak DNS and/or my real external IP/location?
- 36 Graphical Whonix-Gateway?
- 37 Is there a substitute for Whonix's lack of an Amnesic feature / Live CD/DVD? Forensics?
- 38 Feedback & Suggestions
- 39 New Identity and Tor circuits
- 40 Footnotes
Why are the Whonix images so big?
Compared to other "Tor-VM" or "Tor-LiveCD/DVD" projects, which sometimes use special minimal or stripped-down Linux distributions (e.g. TinyCore, DSL, Puppy), Whonix is larger: both VMs together are currently almost 2 GB.
One reason is that small distributions do not meet our requirements, namely: upstream needs to have a proactive security policy.
- Most "minimal" distributions are small projects that do not have a dedicated security team that audits packages and releases security patches quickly.
- We need a distribution that fully signs updates (this is always desirable but especially so when updating over untrusted exit relays).
- For such distributions, security consists of a small attack surface, but that's about it. A full distribution supports MAC, kernel patches, IDS...
- "Big" projects with many users and developers (many eyeballs) are inherently more trustworthy.
- Debian has loads of Security Features, see (Ubuntu article, but mostly true for Debian) Ubuntu Security Features. Small distributions don't have them.
There are maintenance and usability reasons:
- We want to support a wide range of use cases, such as hosting hidden services. Small distributions usually have limited repositories.
- Whonix, since based on Debian, is a complete operating system. An anonymous general purpose operating system, not a stripped down minimal system. Features, Design
- Debian has much more documentation than small distributions, also about topics such as Security and Hardening.
- Creating a slim system is difficult and requires a lot of development time. This should not be Whonix's core competence. There are projects which do not focus on anonymity/privacy/security, but which are dedicated to a slim system.
- Slimming down the system will result in many "strange bugs". People who are used to Debian or Ubuntu will wonder why some things do not work or why Whonix is broken.
Another reason is that Whonix does not play in the anonymity oriented Live CD/DVD market:
Whonix is a new category of anonymity tools. Whonix does not have the requirement to fit on a DVD. (Although in future we may develop a Whonix Live DVD.) While anonymity oriented Live CD/DVDs have to balance between the functionality they want to provide, available space and security, Whonix, as an anonymous general purpose operating system, can by default or optionally provide any functionality and doesn't have to care so much about space. For example, integrating BitCoin into Whonix would be, except for documentation, quite simple.
Last but not least, not putting security over usability:
- Short: Not putting security over more users.
- Long: For example, see this interesting statement from Tor developer Roger Dingledine: Mixminion vs Tor. Something similar applies here. Mixminion is a high latency remailer with cover traffic and protection against traffic confirmation (end-to-end correlation), theoretically more secure than Tor. The problem is "theoretically". They couldn't attract enough users, and without enough users it's equally (in)secure as Tor. That's why they decided to no longer work on Mixminion. Whonix also needs lots of users, to get 1) press/publicity, 2) more developers, 3) more research and audits. 2 and 3 will result in more security. Creating the most secure and most slim system would only attract a few geeks. The geeks will hopefully be satisfied anyway, because Whonix is highly customizable. Nothing prevents anyone from optionally slimming, hardening and customizing.
Why is KDE (big) the default desktop environment? Why not use a minimal DE?
This was a difficult development path decision. Many people, including Patrick Schleizer, didn't like the old Openbox interface in TorBOX (deprecated project name) 0.1.3 because it was too inconvenient, non-intuitive, uncommon, difficult, etc. There is no rational unarguable choice for the best desktop.
MATE has not been chosen, because there are no packages in Debian repositories. GNOME2 is deprecated and only a fraction of GNOME2 users like GNOME3. Other desktops (LXDE, XFCE, Openbox) are less widespread, not so pretty, and in some opinions harder to use (even creating a desktop shortcut is difficult), thus not attracting many users.
Choosing KDE is a personal preference by Whonix developer Patrick Schleizer. KDE has one advantage, the only developer likes it and remains interested to maintain and develop Whonix further.
You are free to uninstall KDE and install any other desktop environment of your own choice.
This is a non-ideal situation. Inspired by select your webbrowser, it would be ideal if Whonix would offer to choose which desktop to install but unfortunately, such a wizard does not exist yet. There are no development resources to implement such a solution. Help is welcome.
If there were contributors, we could maybe also include other desktop environments by default or offer alternative Whonix builds with different default desktop environments or ideally implement a "choose your desktop" option after first boot of Whonix.
Please also read #Why are the Whonix images so big? above, the same applies here.
See also Other Desktop Environments for workarounds/alternatives.
Why not use a Live CD/DVD as Whonix-Workstation operating system?
This FAQ entry should be updated.
We discussed this and came to the decision, that Live CD/DVDs are not suited for Whonix.
- often actively maintained
- hardened GNU/Linux distribution
- with advanced features.
- no timely security updates
- limited persistence
- not flexible enough
anonymity orientated Live CD/DVD's negative in context of this FAQ:
- anonymity orientated Live CD/DVD's often have their own Tor enforcement included, which would lead into a Tor over Tor scenario
Why should I (not) trust Whonix?
See Trust for a long answer.
Whonix crashes because of PAE?
See PAE crash.
You should not waste the Tor network's bandwidth by downloading operating system updates over Tor!
Short answer: We discussed this with torproject.org and were allowed to do so.
Long answer: We had a thread about this issue, updates over Tor, should not waste Tor bandwidth. Discussed thoroughly. We speculated a lot and thought about solutions until we finally did what we should have done in the first place. We asked torproject.org, see tor-talk Operating system updates / software installation behind Tor Transparent Proxy. Click here for an overview of all answers. Andrew Lewman (Executive Director, Director, press contact), too, downloads a lot of updates over Tor and did not complain.
Alpha? Beta? Stable? Development? testers-only? developers-only? Whonix version scheme
Is Alpha, Beta or Stable related to security? No, our design makes security issues inherently less likely to occur.
The terms alpha and beta have lost their meaning. Too many applications which have been working fine for years are called alpha or beta and have version numbers below 1.0. Users are not taking these terms seriously anymore. Therefore Whonix avoids these terms. Rather, Whonix uses different terms which mean what they say.
- stable versions
- testers-only versions
Why do you use the 32 bit operating system, not 64 bit?
- A critical VirtualBox bug: VirtualBox ticket #10853: Mouse position repeatedly reset to top and/or left of screen.
- Since Whonix 0.4.0 the build environment uses grml-debootstrap (perhaps kameleon in future) and chroot. Image creation goes much faster and changing the architecture is possible by using for example the --64bit-linux build option. If Whonix receives contributions or due to user feedback it might be possible in future to have 32 and 64 bit downloads.
32bit software runs without problems on 32bit and 64bit hosts. 64bit software not so much. Because we generally don't control what host OS people use, 32bit has been chosen as base for official Whonix releases. Secondly, 64bit software needs more RAM, and we already run 3 operating systems on one system, which eats RAM. Let's better minimize that. KVM and other solutions improve RAM usage through page sharing (or whatever it's called); VirtualBox doesn't. Thirdly, according to Brad Spengler and/or PAX team, amd64 is a brain dead instruction set and actually worse than x86, despite the large address space making ASLR more effective. They recommended to use grsec on x86 and we hope we can switch to a grsec kernel.
Why aren't you using OpenBSD, it's the most secure OS ever!!!1!
Last update: 27.07.2014 UTC 16:40
This FAQ entry answers from perspective of the Whonix distribution to people who suggest to base Whonix on top of OpenBSD instead of Debian.
See security vulnerability - NTP not authenticated [by default for everyone] and it doesn't look like they step forward to fix it. The suggestion was to authenticate the connection to the NTP server, which is not possible for Whonix for many reasons. We need to distribute the trust, not use only one NTP server, and we must use free services which are available for anyone and not something requiring an own server. And even if we used authenticated NTP: @Fled pointed out that the clock can not be moved more than 600 seconds. That is better than nothing; still, an adversary in a position to move the clock 600 seconds can harm anonymity/privacy (see Dev/TimeSync for further explanation).
OpenBSD's website isn't reachable over SSL or as a Tor hidden service. How are users supposed to securely view the OpenBSD site and not learn things set up by a man-in-the-middle?
There is now Qubes OS, OpenBSD lacks such innovative security improvements, which claims.
OpenBSD is thought of by many security professionals as the most secure UNIX-like operating system, as the result of a never-ending comprehensive source code security audit.
Who are those many security professionals?
OpenBSD according to bsdstats.org (w) has very few users: 56 at time of writing. People must undergo a rather complicated manual process to get counted; however, compared to 24,168 FreeBSD users, that's not very much. If an operating system doesn't attract the masses, ordinary crackers, hackers and the security research community don't get attracted as they do with more popular operating systems. At the same time a targeted attack gets easier, because people who get paid to find exploits can find them more easily.
Why don't you use FreeBSD, which is more secure?!?
Last update: 27.07.2014 UTC 16:40
This FAQ entry answers from perspective of the Whonix distribution to people who suggest to base Whonix on top of FreeBSD instead of Debian.
It is difficult (very time consuming in this case) to prove a negative, such as proving that security features are non-existent. Either a search results in "security feature implemented" or in nothing.
To avoid getting out of date and hurting other people's feelings, it's better not to make any statements about non-existent security features, but just asking the appropriate questions.
Does FreeBSD have a secure-by-default update mechanism? Will every (new) user download by default from an already existing signed repository, or are special settings required, or is it required to run an own repository? Does it defend against outdated metadata, can a man-in-the-middle use a roll back or freeze attack against the repository? Does it defend this (w)? Does it cover the TUF threat model (w)?
Not finding anything doesn't mean there isn't something. The best way to get confirmation about the absence of security features or in other words, the best way to get a confirmation about possible attacks due to missing security features is asking the developers of that project. (An honest reply from Open Source projects is assumed.) There are simply too many distributions to ask these things.
So, if you believe that FreeBSD is a secure distribution, if you are even advocating that standpoint, then the burden of proof is on the person making the claim (you). It's up to you to come up with references that these security features are implemented. It is not up to the Whonix developers to spend a lot of time proving that these security features are non-existent. Or it's up to you to create such references by asking the distribution's developers. Another way would be coming up with arguments why these security features are unnecessary (this is unlikely in the specific case of package manager security). Until the claim of being a more secure distribution gets substantiated, please do not take offense at that distribution not being considered.
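What the questions about outdated metadata, freeze and rollback attacks mean in practice, shown on Debian-style signed Release metadata with its Date and Valid-Until fields. This is an added example, not Whonix or Debian code; the Release texts and the last-seen date are constructed, and it assumes the file's signature has already been verified.

```python
from datetime import datetime, timezone

DATE_FMT = "%a, %d %b %Y %H:%M:%S UTC"   # timestamp style used in Release files


def parse_release(text):
    """Return the top-level 'Key: value' fields; indented checksum lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if line[:1] in (" ", "\t") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def to_utc(value):
    return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)


def check_metadata(release_text, now, last_seen_date=None):
    """Return findings for already signature-verified metadata; [] means acceptable.

    freeze    - metadata is past Valid-Until: a mirror or man-in-the-middle may be
                replaying an old, validly signed file to hide security updates
    no-expiry - no Valid-Until at all, so a freeze can never be detected
    rollback  - metadata is older than what this client has accepted before
    """
    fields = parse_release(release_text)
    if "Date" not in fields:
        return ["no-date"]
    findings = []
    if "Valid-Until" not in fields:
        findings.append("no-expiry")
    elif now > to_utc(fields["Valid-Until"]):
        findings.append("freeze")
    if last_seen_date is not None and to_utc(fields["Date"]) < last_seen_date:
        findings.append("rollback")
    return findings


# Constructed sample metadata (not taken from any real repository).
FRESH = """Suite: stable
Date: Sat, 26 Jul 2014 08:00:00 UTC
Valid-Until: Sat, 02 Aug 2014 08:00:00 UTC
SHA256:
 <sha256-placeholder> 1234 main/binary-i386/Packages
"""
FROZEN = FRESH.replace("26 Jul", "05 Jul").replace("02 Aug", "12 Jul")
REPLAYED = """Suite: stable
Date: Wed, 23 Jul 2014 08:00:00 UTC
Valid-Until: Wed, 30 Jul 2014 08:00:00 UTC
"""
NO_EXPIRY = "Suite: stable\nDate: Sat, 26 Jul 2014 08:00:00 UTC\n"

NOW = datetime(2014, 7, 27, 16, 40, tzinfo=timezone.utc)
LAST_SEEN = to_utc("Sat, 26 Jul 2014 08:00:00 UTC")   # newest Date accepted so far


def demo():
    return {
        "fresh": check_metadata(FRESH, NOW, LAST_SEEN),
        "frozen": check_metadata(FROZEN, NOW),
        "replayed": check_metadata(REPLAYED, NOW, LAST_SEEN),
        "replayed_without_state": check_metadata(REPLAYED, NOW),
        "no_expiry": check_metadata(NO_EXPIRY, NOW, LAST_SEEN),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

The "replayed" case is still inside its validity window, so the expiry check alone passes it; only a client that remembers the newest Date it accepted flags the rollback.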
Why don't you use OpenWRT, which is more secure?!?
Same reasons as above for FreeBSD.
OpenWRT does not have signed packages.
How is Whonix different from Tails?
Why don't you merge with Tails and join efforts?
UPDATE 7: Rewrite.
This is a subjective statement of opinion by Whonix developer Patrick Schleizer. (Still open for feedback, corrections, improvements!)
Tails is a respected project with similar goals (anonymity, privacy and security), which exists for many years and which has multiple developers, experience and a working infrastructure. The Whonix and the Tails developers cooperate to some degree and are discussing things, which are related to the projects on the Tails developers mailing list. Parts of Whonix are based on Tails. For example tails_htp was invented by Tails. Whonix also profits from their previous (Debian) upstream efforts (packaging and so on), their old and current discussions, their research, design documents, experience, feedback and so on.
Even though Patrick Schleizer highly values Tails, why is Whonix a separate project and not a contribution to Tails?
Whonix can not be merged into Tails by Patrick Schleizer. There are technical, skill and political reasons.
Patrick Schleizer doesn't/didn't know how to implement various things in Tails that are Patrick Schleizer's priorities, and doesn't/didn't know when the Tails developers will add them, but knew how to solve them in a separate project (Whonix), at least in a way that provides users with instructions on how to do it. Some examples:
Some of these items may already be either partially or fully solved in Tails by now.
TODO Broken since migration to whonix.org. Ignore for now.
|(Previous) Tails Todo||Whonix Instructions|
|remember installed packages||By design, everything persists. |
|Applications Audit||By design, protocol leaks can not deanonymize.|
|Two-layered virtualized system||Done by design, either using VMs or using Physical Isolation.|
|VPN support||Features#VPN / Tunnel support|
|JonDo over Tor||JonDonym|
|Freenet over Tor||Freenet|
|hide Tor from your ISP||Hide Tor and Whonix from your ISP|
|i2p over Tor||i2p|
|Transparent Proxy as fallback mechanism||Done by design, everything not configured to use a SocksPort will automatically use Tor's TransPort.|
|use Tor Browser||Tor Browser|
|Stream Isolation||Stream Isolation|
|evaluate web fingerprint||Same as Tor Browser.|
|unsafe browser fingerprint||Logging in to captive portals|
|Location Hidden/IP Hidden Servers||Location/IP Hidden Servers|
Also political and design decisions differ too much.
- As a code contributor to Tails, Patrick Schleizer would have to accept decisions made by the Tails decision making process and couldn't simply modify anything as personally desired, preferred or believed to be the best solution. That's the great thing about Free Software. You are free to disagree and to create a fork. Since Patrick Schleizer's motivation was not about a Live DVD and he personally found improving Tails much more difficult than starting fresh, a new project, Whonix, was created.
- Source Code Merge Policy:
- Whonix: does not yet have a comprehensive merge policy. It's welcome, but not compulsory to write a design or documentation.
- Tails: In Patrick Schleizer's opinion, Tails merge policy is too strict. This is not a complaint or critique. They will have their reasons for that and it has to be noted, that Tails is still doing well and useful for many people. Anyone who does not agree has the freedom to contribute to another project or to start a new project. Patrick Schleizer just made use of that freedom.
- One big difference is, that Tails is a Live DVD and therefore inherits some restrictions and limitations. Tails must fit on a DVD, while Whonix does not have such a requirement. Whonix has higher hardware requirements, but therefore more space to implement features. That means that initially fewer people will be able to use Whonix, but over the years available hardware to people will (hopefully) improve. Whonix is discovering both, theoretically and practically, new designs. Over time, depending on user feedback and general interest, a Live DVD or Live Blu-ray might be created.
How is Whonix different from the Tor Browser Bundle?
Does this mean that, for example, my IP and location is safe when using Skype?
This answer has been moved to the Voip page.
Isn't VirtualBox an insecure choice?
- KVM / Qemu / Virt-Manager in testing
- Using Whonix on top of Qubes OS looks much easier now. See the blog post. Whonix based on Qubes OS in development
VirtualBox is not an ideal choice, see: Dev/Virtualization Platform, but there are no better alternatives, which are usable by a big amount of people.
It's about different goals. Whonix's main goal is to protect the user's IP/location.
At the moment Whonix is practically more secure in many cases, see Whonix Security in Real World.
Saying VirtualBox is too weak, is theoretical and does not have any practical implications at the moment. What are the alternatives? Continue running Tor and torified applications on the host? Running TBB and running into another proxy bypass bug? People failing to correctly torify software? Software not honoring proxy settings?
On the other hand, how many known exploits exist for VirtualBox? What's the track record of exploits?
Admittedly, virtual machine exploits may become a problem in future. Right now, Whonix provides more security out of the box. Right now, Whonix advertises and educates about the security by isolation principle.
Anyone seriously looking into Whonix for security will read the Documentation, the Security Guide and the Advanced Security Guide and find out about Physical Isolation. Whonix is an appetizer for the Isolating Proxy Concept and Security by Isolation.
A secure replacement for VirtualBox is already in development. Qubes OS is already in a productive state, it only lacks hardware support and it's being worked on. TorVM for Qubes (qubes-tor) was inspired by Whonix. (See Comparison with Others.)
The responsible thing to do from security perspective would have been in past, to switch from Windows to GNU/Linux and nowadays it would be to switch to Qubes OS. If you are most serious about Tor security, using Whonix with Qubes OS + physical isolation would be the most secure way.
Many users are still on Windows or Linux. Whonix can right now fill the void and improve real world security. They are better using Whonix, which is up to date, actively maintained and developed than any seriously outdated projects like JanusVM.
Whonix can not serve all target audiences. The more security educated/interested people will use things like Physical Isolation or qubes-tor. Hardcore security educated/interested people will probably build their own custom hardened solutions, but can still profit from Whonix's research and source code. Those more hardened solutions, such as the Hardened Gentoo Whonix-Gateway are more difficult to use and can therefore not be the default for Whonix.
Will there be a Whonix Live CD or DVD?
Unless someone joins the project and contributes, this won't happen in near future.
Whonix developer Patrick Schleizer has limited knowledge about Live CD/DVD creation. At the moment Whonix is a rather simple project. Many things get delegated to upstream: VirtualBox provides the ability to run on various platforms, Debian provides a fine operating system, hardware support is delegated to the host operating system and VirtualBox, and Tor provides a fine anonymizer. Creating a Live CD/DVD would be difficult, especially the hardware support. Whonix is also too big and that would be very difficult to fix, see #Why are the Whonix images so big? above. Patrick Schleizer lacks experience with Live CD/DVD deployment.
A clean way to do it would be to contribute to Tails instead, see Tails wishlist: Two-layered virtualized system. A similar feature was already implemented in Liberte Linux, but ultimately rejected (reference).
For an alternative also see the next question below.
Is there something like Whonix Live?
Whonix runs fine when the host operating system is installed on external media.
It's the user's responsibility to honor that advice.
Why can't I ping the Whonix-Gateway?
Whonix-Gateway is firewalled (see /usr/bin/whonix_firewall or in Whonix source code) and does not answer to ping (-like) commands for security reasons. In most cases, you don't need to ping the Gateway.
If you really want to ping the Gateway or really want some uber special setup, you can, for testing, clear all firewall rules with the dev_clearnet script (or hack Whonix's firewall to not load at all). It's only for experts and you need to comment out the exit 0 at the beginning.
You should add full disk encryption to Whonix!
Short: No, you should add full disk encryption to your host!
Long: It is technically impossible to ship Whonix with an encrypted disk for several reasons.
While you can change the password for a luks/TrueCrypt/whatever volume, only the password for the masterkey gets replaced. The masterkey itself remains unchanged. (The masterkey is NOT some kind of backdoor, it's just how things work. Otherwise you would have to re-encrypt each time you want to change the password.)
In Whonix the masterkey would be known to everyone who downloads and changing the password wouldn't change the masterkey.
So all that could be added would be an option to encrypt it with a freshly and locally created masterkey (and user chosen password) after user downloads Whonix.
But there are two problems. There is no "encrypt after installing" software for Linux, like there is TrueCrypt for Windows.
The other one is that the host can swap to the disk and therefore leak stuff to the perhaps unencrypted host disk.
Therefore the only secure solution is applying full disk encryption on the host, as recommended in the Advanced Security Guide#Full Disk Encryption.
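The masterkey argument above as a runnable model: an added example, not Whonix or LUKS code. The header layout, the function names and the toy XOR stream cipher (standing in for the real disk cipher) are assumptions made for illustration; only the key-slot idea, a passphrase that wraps a fixed masterkey, is what the text describes.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 50_000   # constructed value for this demo


def derive_kek(passphrase, salt):
    """Key-encryption key: derived from the passphrase, protects the masterkey."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def crypt(master_key, data):
    """Toy cipher (SHA-256 counter keystream, XOR). Encrypts and decrypts."""
    blocks = (hashlib.sha256(master_key + i.to_bytes(8, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return xor(data, b"".join(blocks))


def wrap(master_key, passphrase):
    """Build a header (one key slot) holding the masterkey wrapped by the passphrase."""
    salt = os.urandom(16)
    return {"salt": salt,
            "wrapped_mk": xor(master_key, derive_kek(passphrase, salt)),
            "mk_digest": hashlib.sha256(master_key).digest()}


def format_volume(passphrase):
    """New volume: fresh random masterkey, wrapped under the passphrase."""
    return wrap(os.urandom(32), passphrase)


def unlock(header, passphrase):
    mk = xor(header["wrapped_mk"], derive_kek(passphrase, header["salt"]))
    if not hmac.compare_digest(hashlib.sha256(mk).digest(), header["mk_digest"]):
        raise ValueError("wrong passphrase")
    return mk


def change_passphrase(header, old, new):
    """Only the key slot is rewritten; masterkey and data on disk stay the same."""
    return wrap(unlock(header, old), new)


def reencrypt(header, passphrase, disk):
    """Freshly and locally created masterkey; every byte is encrypted again."""
    plaintext = crypt(unlock(header, passphrase), disk)
    new_header = format_volume(passphrase)
    return new_header, crypt(unlock(new_header, passphrase), plaintext)


def demo():
    # A pre-encrypted image would ship with a passphrase everyone knows, so
    # everyone who downloads it can recover the masterkey.
    shipped = format_volume("published-passphrase")
    public_mk = unlock(shipped, "published-passphrase")

    header = change_passphrase(shipped, "published-passphrase", "only-the-user-knows")
    secret = b"notes written after the passphrase change"
    disk = crypt(unlock(header, "only-the-user-knows"), secret)

    try:
        unlock(header, "published-passphrase")
        old_rejected = False
    except ValueError:
        old_rejected = True

    header2, disk2 = reencrypt(header, "only-the-user-knows", disk)
    return {
        "old_passphrase_rejected": old_rejected,
        "master_key_unchanged": unlock(header, "only-the-user-knows") == public_mk,
        "readable_with_shipped_key": crypt(public_mk, disk) == secret,
        "readable_after_reencrypt": crypt(public_mk, disk2) == secret,
    }


if __name__ == "__main__":
    print(demo())
```

The old passphrase is rejected after the change, yet the masterkey from the shipped image still reads the new data; only the locally generated masterkey closes that gap.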
Speed up the Whonix-Gateway? Speed up Tor?
Is there a way to configure the number of nodes in a circuit and to allow selection according to their speeds?
Remember, Whonix is based on Debian, KDE, VirtualBox and Tor. It is nothing very special. Therefore Whonix does not limit Tor and your options in any way.
If you learn how to configure Tor in such a way in Debian command line, you also learned how to do it in Whonix-Gateway. While it's possible to learn it yourself and do manually, this is not recommended in Whonix-Gateway since also the Tor developers don't recommend it.
For these reasons there are no instructions in Whonix documentation how to do it. If you find general instructions the only thing changing would be that you do it in Whonix-Gateway instead on the host.
Please also see the next question below.
Does Whonix modify Tor?
Tor's configuration file has been adapted for Whonix, you can check it on Whonix-Gateway in
/usr/share/tor/tor-service-defaults-torrc. (In Whonix 9, this is done by the anon-gw-anonymizer-config package.) There are no patches to Tor. The normal Debian Tor package is being used in Whonix.
Whonix tries to be as little special as possible to ease security auditing of Whonix.
Any changes to the Tor routing algorithm should be proposed, discussed and eventually implemented upstream in Tor on torproject.org. And if discussion fails, a Tor fork could be created. Tor has already been forked at least once.
Doing such changes directly in Whonix would limit discussions about Whonix to the security of the modified routing algorithm. To allow further exploration of Whonix's security, Whonix developer Patrick Schleizer believes, it is required to be as agnostic as possible about all parts of Whonix.
Why doesn't Whonix improve Tor?
Please see the question above.
Creating Whonix is difficult and time consuming enough. Improving Tor is left to the people who are better at this job. Any bugs/suggestions related to torproject.org will of course be reported. Happens.
Can you improve Tor?
Any improvements to Tor should be proposed upstream. If Patrick Schleizer finds a bug or has a suggestion it will be proposed upstream on torproject.org. Happens.
For reasons why there isn't an improved version of Tor in Whonix see the question #Does Whonix modify Tor? above.
Anyone unhappy with Tor should provide patches upstream and as last resort fork it. Hypothetically, if the fork gets better respected than the original project, then Whonix will of course seriously consider switching.
No, this isn't a good idea for many reasons.
Whonix is an anonymity distribution gluing together concepts, which are generally respected by educated people and known to work reliably. It's not a browser project trying to create a secure browser such as "Privacy Browser - solves all browser fingerprinting problems". Whonix does not have the manpower to create such a browser. In theory, and even if it had, it would make more sense to create a new project "Privacy Browser" and when it gets better than Tor Browser to use, re-configure Whonix to use "Privacy Browser" instead of Tor Browser.
Whonix includes Tor Browser and with only minor differences.
Last, but definitively not least, Whonix shares the same Fingerprint as other Tor Browser Bundle users, which is good for anonymity.
How difficult is it to develop Whonix?
This is just Patrick Schleizer's opinion and feeling.
Whonix source code isn't rocket science. In comparison to other things it's very simple.
I think it's best to make a comparison table.
Legend: 10 * equals very difficult.
1 * equals very easy.
********** Hand written binary code.
********* Cryptographic algorithms development
********* Rocket science
********* Compiler development
******** Assembly language
******** Kernel development
******** Reverse engineering
******* Tor core development
****** Programming languages such as C/C++.
***** Using Hardened Gentoo
**** Scripting language
*** Whonix related anonymity/privacy research
** Writing Whonix documentation
** Writing Whonix bash scripts
* Using a computer
What is clearnet?
This term has two meanings.
- Connecting to the regular internet not using Tor (or other anonymity networks), and/or
- Connecting to regular servers (which are not Tor hidden services) (using Tor or not)
Can I use DNSCrypt in Whonix?
Yes, see Secondary DNS Resolver.
Why not use DNSCrypt as default for Whonix?
DNSCrypt may have good use cases for clearnet. In context of Whonix it's not useful and should not be installed and activated by default for everyone. It does not do what you may think, does not magically solve all DNS related security issues, does not implement end-to-end DNS encryption to the destination server. (That conceptually can not work. If you knew the IP of the destination server in advance, you wouldn't require DNS in the first place.) The server will still see all DNS requests in cleartext. This is only a short version for the many reasons, why it should not be activated by default for everyone.
More reasons: Tor is about distributing trust. Tor's DNS servers change as circuits change, thus trust is distributed. Circuits are stream isolated (for pre-installed applications) and change every ten minutes. As far as I know, there are 27 open resolvers supporting the protocol.
Public resolvers supporting DNSCrypt have not given reasons to distrust them yet. Even if we trusted the people running DNSCrypt servers, their servers would have to be trusted as well, and it's not wise to let DNS security for all Whonix users depend on few servers. It's also about load balancing. If Whonix was to use a DNSCrypt supporting server by default and that server decides to forbid connections from the Tor network (due to the Tor network being used to abuse their servers with DDOS or for whatever reasons) or if the servers go down for maintenance, DNS would break for all Whonix users.
Can I use DNSCrypt on the host, in my router, for clearnet?
Yes, if you want. Also read the entry below.
Does DNSCrypt on the host or in my router, harm anonymity when using Tor/Whonix?
Short answer: No.
Long answer: No, DNSCrypt on the host or in your router only affects your clearnet activities. Tor assumes your local network and ISP to be totally unsafe and untrustworthy. Neither Tor nor Whonix are affected by DNS settings on your host or in your router.
Whether DNSCrypt is useful for your clearnet activities or not - that isn't clear. There are pro and contra arguments. It's useful when using foreign or untrusted Wifi networks (shared with others), since they could modify and/or read your DNS requests. Other than that, you will just shift the trust from one party (ISP) to another (DNSCrypt supporting DNS server, ex: OpenDNS). If the DNSCrypt supporting DNS server leaks your network address and logs your queries as part of their business, then it might be worse than your ISP. Which one should be trusted more, your ISP or a 3rd party provider - you tell me.
What's the difference of installing a VPN on the host versus installing on Whonix-Gateway?
This entry assumes, you already decided to use a VPN.
If you did that after reading the VPN / Tunnel Support documentation, and decided you want to use a VPN, continue reading, otherwise you can skip this FAQ entry.
If the VPN is installed on the host:
- all Whonix traffic goes: user -> VPN -> Tor -> destination
- all host traffic goes through the VPN: user -> VPN -> destination
- When Whonix-Gateway ever gets compromised, this is a tiny bit more secure compared to having the VPN installed on Whonix-Gateway.
If the VPN is installed on Whonix-Gateway:
- all Whonix traffic goes: user -> VPN -> Tor -> destination
- all host traffic goes in the clear: user -> destination
When making the decision, you must ask yourself...
What do you want to hide from your ISP? All traffic? Then install the VPN on the host.
What should your VPN provider be able to see? All traffic? Then install the VPN on the host.
Should your VPN provider only be able to see Tor traffic but not your clearnet traffic? Then install the VPN on Whonix-Gateway.
Does Whonix/Tor protect you from the NSA or other three letter agencies?
If you are under active surveillance:
Whonix can do nothing against miniature cameras or microphones in your room etc.
If you are under passive surveillance just like anyone (PRISM):
That depends if Tor protects from such threats. The answer to that is not clear:
And even if Tor were a whole lot better, you can never prove a negative. So it's better to refrain from any broad claims, just as one would be skeptical if any other project made them.
Whonix does not make such broad claims either. For a related statement about three letter agencies, also see: Technical Introduction#With more technical terms
check.torproject.org says "Sorry. You are not using Tor."
If you see this while using Whonix, everything is probably okay. You can verify this if you want.
check.torproject.org (check.tpo) fails in some cases to detect Tor exit relays. It's a bug in check.tpo, which The Tor Project should fix. Whonix can do nothing about it.
To find out whether the given IP address is or was a Tor exit relay, you could use (with the Tor Browser Bundle on the host) ExoneraTor, a website that tells you whether a given IP address was a Tor relay, or a search engine.
If the IP you are seeing is different from your own real external IP address, it's another strong sign that everything is fine.
If I do X - can this leak DNS and/or my real external IP/location?
Nothing you do inside Whonix-Workstation can cause IP/DNS leaks as long as you leave Whonix-Gateway unchanged (apart from documented changes, which are okay, such as bridges, hidden services, updates).
However, there are still ways you could shoot yourself in the foot. Your activity might be pseudonymous rather than anonymous; you may de-anonymize yourself by doing things you should not do; things like Secondary_DNS_Resolvers may lead to DNS-related identity correlation; or the application you are using may be hostile to you, as in the example of Skype.
Graphical Whonix-Gateway?
If you think it uses too much RAM or generally prefer a terminal version of Whonix-Gateway, you can reduce Whonix-Gateway's RAM to 128 MB and RAM Adjusted Desktop Starter will automagically boot into a terminal version of Whonix-Gateway.
When using Whonix with KVM, thanks to dynamic memory management the RAM overhead might be a non-issue. By manually enabling these features you may profit from this already today. Eventually at release time of Whonix 10 or above and using KVM, Whonix will enable this by default.
Whonix aims to become as accessible in usability as possible. Sorry if you're a Linux geek and were happy with the older non-graphical version of Whonix-Gateway, but you're not the only target audience. Whonix is also an attempt to get more casual users using Tor, because the more people use Tor, the better the anonymity Tor can provide becomes.
In the older non-graphical version of Whonix-Gateway it was difficult for users who had never used Linux before to do tasks such as upgrading or configuring obfuscated bridges. Many things are simpler and more encouraging in a graphical desktop environment, such as:
- setting up bridges / flashproxies
- auditing logs
- auditing iptables
- auditing the system architecture in general
- running Tests
- running Leak Tests
- editing Tor configuration file /etc/tor/torrc
- editing firewall settings folder /etc/whonix_firewall.d
- reading status messages (whonixcheck and timesync)
- changing Tor circuit.
- copying and pasting (configuration) commands, (error) messages and logs
- running tshark / wireshark
- tunneling only Whonix-Gateway's traffic through a VPN
Also, a big black text-only window (terminal) looks scary. A graphical desktop environment is also a prerequisite for further planned improvements, such as a graphical Whonix Controller with buttons such as
- "create hidden blog", and then you end up with a preconfigured blog
- "enable TorChat"
- "backup hidden service keys"
- Better Circumvention User Interface
- and so forth.
Also, terminal-only environments are often unusable by users with disabilities. That's why recent Whonix versions feature an optional graphical desktop environment.
If you think the graphical Whonix-Gateway uses too much disk space, and/or you want to do things it was not originally intended for, such as running Whonix completely in RAM: sorry to say, Whonix has never been developed with small size, low RAM or low system requirements in mind. See also #Why are the Whonix images so big? and #Will there be a Whonix Live CD or DVD?.
Advanced users can build Whonix from source code and use a build configuration to create a terminal-only version of Whonix-Gateway. (Refer to Build Documentation in case that is of interest to you.)
Last but not least, if there was a Release Manager contributing to The Whonix Project or at least someone willing to build terminal-only versions of Whonix-Gateway (which is not about developing, only about running the build script and uploading), we could easily provide a terminal-only version of Whonix-Gateway. As long as very few people are contributing to The Whonix Project, this won't be possible.
See also Other Desktop Environments for workarounds/alternatives.
Is there a substitute for Whonix's lack of an Amnesic feature / Live CD/DVD? Forensics?
Many people have suggested workarounds such as shredding Whonix's hard disk images, keeping a zip archive of Whonix's hard disk images and restoring them every time they use Whonix, restoring a fresh snapshot every time they use Whonix, running Whonix completely in ramdisks, using Full Disk Encryption and so forth.
These aren't substitutes for having an amnesic system. Not storing sensitive data on hard disks in the first place is much safer than dealing with it after the fact. In that regard, amnesic live systems are superior, because they do exactly this by design.
Never storing data unencrypted in the first place is much safer than trying to wipe it later. Using Full Disk Encryption is very useful. Still, this isn't an applicable stopgap as long as Whonix doesn't offer an amnesic version for every person in all cases. In some areas in the world, having encrypted disks isn't wise.
You should be very cautious about disk forensics claims. We don't know about swap or other strange things operating systems and hard drives are doing nowadays. We are not experts in forensics. We just have a basic understanding of it and know to be cautious. Check out Data Remains on USB and SSDs After Secure Erase and wear leveling. Ordinary hard disks also sometimes mark sectors as bad and never release their data. (?) See also forensics wiki to learn some more about the possibilities of forensics.
See also Forensic Analysis of the Tor Browser Bundle on OS X, Linux, and Windows to get an idea of what kinds of disk traces may be leftover.
No matter how clever the setup sounds, nothing can beat an amnesic system. At bare minimum, before making any claims:
- Make an image of the hard drive.
- Run Whonix, do some stuff.
- Make an image of the hard drive again.
- Compare the images.
Without performing these basic steps, the setup may sound clever, but may not work out so well against actual forensics. So if you are concerned about local forensics, at bare minimum, use full disk encryption. When established Open Source encryption solutions such as Linux dmcrypt are used correctly, they usually hold their promises. Again, it's not as good as an amnesic system. If being forced to surrender the password is of concern to you, Whonix may not be the right tool for you. Again, without anyone doing actual forensics, be careful with any claims or assumptions about how well data may be gone.
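The "compare the images" step above can be made concrete with a block-level comparison. The following is an added example, not part of the original FAQ or of Whonix; the 4 KiB block size, the file names and the sample data are assumptions, and the two "images" are small constructed files so that it runs anywhere.

```python
import os
import re
import tempfile

BLOCK = 4096  # comparison granularity in bytes (assumption; match the file system block size)

def changed_ranges(before_path, after_path, block=BLOCK):
    """Return [(first_block, last_block), ...] for every run of blocks that differs."""
    ranges, start, index = [], None, 0
    with open(before_path, "rb") as before, open(after_path, "rb") as after:
        while True:
            a, b = before.read(block), after.read(block)
            if not a and not b:
                break
            if a != b and start is None:
                start = index                      # a changed run begins here
            elif a == b and start is not None:
                ranges.append((start, index - 1))  # the run ended on the previous block
                start = None
            index += 1
    if start is not None:
        ranges.append((start, index - 1))
    return ranges

def printable_strings(image_path, first, last, block=BLOCK, min_len=6):
    """ASCII strings inside blocks first..last, i.e. what an examiner could read there."""
    with open(image_path, "rb") as image:
        image.seek(first * block)
        data = image.read((last - first + 1) * block)
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def demo():
    """Two constructed 64 KiB images; the second one gained data during the 'session'."""
    trace = b"CONSTRUCTED-TRACE-0123456789"
    disk = bytearray(16 * BLOCK)
    with tempfile.TemporaryDirectory() as tmp:
        before, after = os.path.join(tmp, "before.img"), os.path.join(tmp, "after.img")
        with open(before, "wb") as f:
            f.write(disk)
        offset = 5 * BLOCK + 4090                  # the write straddles blocks 5 and 6
        disk[offset:offset + len(trace)] = trace
        disk[12 * BLOCK] = 0xFF                    # a single changed byte in block 12
        with open(after, "wb") as f:
            f.write(disk)
        ranges = changed_ranges(before, after)
        return ranges, [printable_strings(after, a, b) for a, b in ranges]

if __name__ == "__main__":
    print(demo())
```

On real images, every changed range outside the areas you expected to change is a place where the session left a trace that a workaround would have to account for.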
Feedback & Suggestions
Thank you! Software projects flourish on community feedback. We hear and consider every suggestion.
Please be patient as we address the competing priorities and challenges of our ambitious goal. As Whonix's resources grow, we'll be able to get more done.
New Identity and Tor circuits
The behavior of "new identity" in the context of TorButton and arm is often misunderstood. First of all, there are various ways to issue a "new identity". Here is a list:
- Tor Browser - TorButton
- Tor Browser - Get New Identity without Tor ControlPort Access
- and probably others
They have one thing in common: they send the Tor ControlPort protocol command "signal newnym" to Tor's ControlPort. The effect of "signal newnym" on Tor circuit lifetimes is often misunderstood. "signal newnym" uses a fresh circuit for new connections.
Note: although chances are good that you get a new Tor exit relay and thus a new IP, a new circuit does not guarantee a new Tor exit relay. Tor may only have replaced the middle relay while using the same Tor exit relay. This is by design and Tor default.
"signal newnym" won't interfere with long living connections such as for example an IRC connection.
When you open https://check.torproject.org in your browser, then issue "signal newnym" using Arm, then reload https://check.torproject.org, it may still show the same IP. This is probably because the browser didn't close the connection to https://check.torproject.org in the first place. When you repeat that experiment with a small modification, chances are good you might see a new Tor exit IP. Open https://check.torproject.org in your browser, then issue "signal newnym" using Arm, then close Tor Browser, then start Tor Browser again. Then open https://check.torproject.org again; you might see a new Tor exit relay IP.
Please note, "new identity" in most cases really only means "signal newnym". There are no guarantees about unlinking all sorts of protocol (browser etc.) states so you appear as a different identity. Tor Browser's TorButton New Identity Feature attempts this, but it's not perfect yet, for details see Tor Browser - TorButton New Identity Feature documentation.
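What those tools do on the wire is a short control-protocol exchange. The following is an added example, not code from Whonix or The Tor Project: the host, port and password are assumptions, and FakeControlPort is a constructed stand-in for Tor's ControlPort that exists only so the exchange runs offline.

```python
import socket
import socketserver
import threading

def command(stream, line):
    """Send one control-port command and return its reply lines (the last is the status)."""
    stream.write(line.encode("ascii") + b"\r\n")
    stream.flush()
    replies = []
    while True:
        reply = stream.readline().decode("ascii").rstrip("\r\n")
        if not reply:
            raise ConnectionError("control connection closed")
        replies.append(reply)
        if reply[3:4] != "-":        # "250-..." continues a reply, "250 OK" ends it
            return replies

def signal_newnym(host, port, password):
    """Authenticate (hex-encoded password, no quoting issues), then send SIGNAL NEWNYM."""
    with socket.create_connection((host, port), timeout=5) as sock:
        stream = sock.makefile("rwb")
        status = command(stream, "AUTHENTICATE " + password.encode().hex())[-1]
        if not status.startswith("250"):
            raise PermissionError(status)
        status = command(stream, "SIGNAL NEWNYM")[-1]
        command(stream, "QUIT")
        return status.startswith("250")   # True: Tor accepted the signal

class FakeControlPort(socketserver.StreamRequestHandler):
    """Constructed stand-in for a ControlPort so the exchange runs offline."""
    REPLIES = {"AUTHENTICATE " + b"constructed-password".hex(): "250 OK",
               "SIGNAL NEWNYM": "250 OK", "QUIT": "250 closing connection"}
    def handle(self):
        for raw in self.rfile:
            # Any other line can only be a wrong password in this demo.
            reply = self.REPLIES.get(raw.decode("ascii").strip(), "515 Authentication failed")
            self.wfile.write(reply.encode("ascii") + b"\r\n")
            if reply != "250 OK":
                return               # QUIT or a failed login ends the connection

def demo(password="constructed-password"):
    """Run the client against the stand-in on a free localhost port."""
    with socketserver.TCPServer(("127.0.0.1", 0), FakeControlPort) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return signal_newnym("127.0.0.1", server.server_address[1], password)
        finally:
            server.shutdown()
```

A "250 OK" only confirms that Tor accepted the signal; as described above, connections that are already open keep their existing circuit.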
- Our attack surface is still very small, no network listening services, just a few selected applications.
- This is actually also a disadvantage, because that is the opposite of an amnesic system, which also many users prefer.
- See linked comment.
[...] Ultimately the best protection is a social approach: the more Tor users there are near you and the more diverse their interests, the less dangerous it will be that you are one of them. Convince other people to use Tor, too!
- Since 6 and above