Actions

FAQ

(Redirected from FAQ2)


Contents

Alternative Operating Systems[edit]

Why isn't OpenBSD Used?[edit]

This FAQ entry addresses the suggestion that Whonix should be based on OpenBSD rather than Debian. The opinion provided below is based on the perspective of Whonix developers. [1]

The OpenBSD FAQ states: source (w)

OpenBSD is thought of by many security professionals as the most secure UNIX-like operating system, as the result of a never-ending comprehensive source code security audit.

The landing page for OpenBSD also claims: [2]

Only two remote holes in the default install, in a heck of a long time!

These contentions are debatable and beg the question, "Who are those many security professionals and how thoroughly is the code reviewed?".

According to bststats.org (w), OpenBSD has very few users. Although bdstats is not representative of the total population of OpenBSD users due to the opt-in data collection program, 17 users at the time of writing is a very small figure. By comparison, TrueOS has 9,172 users in early 2018.

If OpenBSD cannot attract a critical mass of users, then ordinary crackers, hackers and the security research community are unlikely to gravitate to the distribution in contrast to more popular operating systems. At the same time targeted attacks become easier, because people who are paid to find exploits can find them more easily. Limited human resources inevitably means the code will remain more vulnerable to security flaws, since they are less likely to be identified.

As an example, see security vulnerability - NTP not authenticated. This six year old bug affects everyone using the distribution, but it does not appear anyone is stepping forward to fix it. The suggested solution was to authenticate the connection to the NTP server, but this would not be possible in Whonix for several reasons. The Whonix design focuses on distributing trust, and not using only one NTP server. Further, Whonix depends on free services which are available to anyone, ruling out a solution that requires a personal server. Even if Whonix used authenticated NTP, it has been pointed out [3] that the clock could not be moved more than 600 seconds. This is better than nothing, but still inadequate for adversaries who are capable of moving the clock more than 600 seconds, harming anonymity/privacy in the process (see Dev/TimeSync for further details).

In addition, previously the OpenBSD website was not reachable over SSL. [4] Therefore, at that time users were unable to securely view the OpenBSD site, since a man-in-the-middle attack would have been trivial to perform.

OpenBSD simply lacks innovative security improvements which are available in modern platforms like Qubes OS, despite their grandiose claims.

Why isn't FreeBSD Used?[edit]

This FAQ entry addresses the suggestion that Whonix should be based on FreeBSD rather than Debian. The opinion provided below is based on the perspective of Whonix developers. [5]

It is difficult and time consuming to try and list all the disadvantages of using FreeBSD, such as highlighting non-existent security features. The onus is on FreeBSD proponents to manually search for relevant features (or lack thereof) and present an objective case for its adoption.

To avoid presenting information that will quickly become out-of-date or that may insult FreeBSD adherents, it is better to avoid definitive security statements and instead ask appropriate questions which might affect the usability, security, anonymity and wide-scale adoption of Whonix. For instance:

  • Does FreeBSD have a secure-by-default update mechanism?
  • By default, will every (new) user download come from an existing signed repository?
    • If not, what special settings are required?
    • Are users expected to run their own repository?
  • Does FreeBSD defend against outdated metadata; for example, can a man-in-the-middle use a roll back or freeze attack against the repository?
  • Does FreeBSD defend against various attacks on package managers? (w)
  • Does FreeBSD defend against attacks on the software update process by using the TUF threat model (w)?


Research which might provide a strong case for FreeBSD does not exclude the possibility of weaknesses or missing security features. The best way to determine the strength of the platform and its relative resilience is to directly ask the developers of that project. Honest replies can reasonably be expected from vibrant, open source communities.The only problem is, the Linux/BSD ecosystems have hundreds of distributions and it is a daunting prospect to rank their merits in this way.

Ultimately, the burden of proof falls on FreeBSD advocates to prove that it is the most secure distribution available, and not Whonix developers. Properly researched contributions that answer the questions above would be a good start, and possibly approaching FreeBSD developers directly. Alternatively, research into why various aforementioned protections are not necessary to improve security would also be welcomed. Until claims about FreeBSD are substantiated, one should not take offense that it has not already been adopted.

Why isn't OpenWRT Used?[edit]

OpenWRT is not used for the same reasons outlined above. Further, in early 2018 OpenWRT does not have signed packages.

Why isn't SubgraphOS Used?[edit]

Whonix has taken the decision not to use the Subgraph project for several reasons:

  • Basing Whonix on Subgraph would tie our future with the viability of the Subgraph project. It is not ideal to rely on an OS in alpha status, particularly when the Debian alternative is rock solid and has decades of development behind it.
  • The plentiful Subgraph bugs would become Whonix bugs, and developers would depend on Subgraph for fixes.
  • Subgraph chose different programming languages (like Golang) that are unfamiliar to lead Whonix developers, making customization or modification very difficult.
  • No full source code release to date (early 2018). [6]
  • The publicly available software exists in a form that is not easily packaged. This would pose a significant maintenance burden for the Whonix team.
  • Arbitrary limitations are in place, such as repository choices. This can of course be changed, but it is an example of wasted effort in patching the base OS to adapt to our vision.
  • Subgraph has some undesirable feature additions that add no value. Whonix cannot benefit from Subgraph's manpower if the goals for the development roadmap are fundamentally different.
  • To date, there has been no cooperation from the Subgraph project developers to correct any of the issues outlined above.
  • Whonix Developer HulaHoop has also noted that Subgraph features totally rely on the GNOME desktop environment. This is undesirable because it is visually unappealing, has an over-simplified interface, and would require any "cloud integration" elements to be removed. Configuring GNOME to approach the specifications already achieved with KDE in Whonix would require a lot of effort. Further, Wayland and Flatpak will inevitably reach KDE in the future.

Clock Skew / Time Synchronization[edit]

How Do I Fix an Incorrect Host Clock?[edit]

As noted in the wiki:

When the user powers on Whonix-Gateway and the host time is grossly inaccurate, it will not be able to connect to the Tor network. After booting Whonix-Gateway, it is recommended to check that the host time is no more than 1 hour in the past or more than 3 hours in the future, otherwise Tor cannot establish circuits.

In Whonix, a correct host time is also critical to prevent or partially mitigate TimeSync Attacks such as: [8]

  • Presenting outdated or vulnerable updates and https certificates.
  • Potential denanonymization when connected to more than one adversary controlled website.
  • Linking of all sessions to the same pseudonym.


Users experiencing Tor connection problems in Whonix should follow these instructions to set a correct host and/or Whonix-Gateway clock.

Compromise Indicators[edit]

Am I Compromised?[edit]

If the user notices trivial changes on their system - such as a duplicate deskop icon - it is not evidence of a hack or leak. Similarly, if warning or error messages appear that are difficult to understand, in most cases there is no need for panic. If something unexpected occurs such as the appearance of a "htaccess file in home directory", or graphical glitches emerge in Arm, then it is more likely a harmless bug and/or usability issue rather than a compromise.

Skilled attackers do not leave such obvious traces of their breach. An infection by tailored malware is more plausible in this scenario, and virtually impossible to detect by reading random messages in system logs. Even malware that is bought off-the-shelf (malware building toolkits) are unlikely to be discovered by cursory inspections. [9] Rootkit technology is no doubt a standard feature of the various programs.

Strange files, messages or other system behavior could feasibly relate to an attacker wanting the user to find something. However, the likelihood of this kind of harassment is considered low. Script kiddies ("skiddies") are unskilled attackers who uses scripts or programs to conduct attacks on computer systems and networks, most often with juvenile outcomes. For example, they might use programs to remotely control poorly-secured Windows desktops, trolling their victims from an open, forced chat window, opening their DVD drive, and so on. It is improbable that skiddies can achieve similar exploits against Linux, Xen or BSD platforms. [10] Sophisticated attackers generally avoid detection, unless the user is perhaps unlucky enough to be a victim of Zersetzung (a psychological warfare technique).

Every forum post and support request requires time that could otherwise be directed to Whonix development. Unless the user believes there is a serious and credible problem, there is no need for a new post. Developers and the Whonix community at large do not have enough time to explain every message that Linux might report. In most cases, they are not important and outside the control of Whonix developers.


If you are reading this page, then it is safe to assume being anonymous (less unique), and remaining so is of great interest. Users with a serious intention to research these issues are encouraged to assist in accordance with their skills. Testing, bug reporting or even bug fixing are laudable endeavors. If this process is unfamiliar, understand that about thirty minutes is required per message / identifier to ascertain if the discovered result [11] is a false positive, regression, known or unknown issue.

To date, none of the various leak testing websites running inside Whonix-Workstation were ever able to discover the real (external), clearnet IP address of a user during tests. This held true even when plugins, Flash Player and/or Java were activated, despite the known fingerprinting risks. Messages such as "Something Went Wrong! Tor is not working in this browser." [12] (from about:tor) or "Sorry. You are not using Tor." (from check.torproject.org) are in most cases non-issues. If the real, external IP address can be revealed from inside Whonix-Workstation, then this would constitute a serious and heretofore unknown issue (otherwise not).

It is unhelpful to ask questions in forums, issue trackers and on various mailing lists with concerns that have already been discussed, or which are known issues / false positives. In all cases, please first search thoroughly for the result that was found. Otherwise, the noise to signal ratio increases and Whonix development is hindered. Users valuing anonymity don't want this, otherwise this would violate the aforementioned assumption.

If something is identified that appears to be a Whonix-specific issue, please first read the Whonix Free Support Principle before making a notification.

Related:

DNSCrypt[edit]

Can I Use DNSCrypt in Whonix?[edit]

DNSCrypt is possible in Whonix; see Secondary DNS Resolver. [13]

Why not Use DNSCrypt by Default in Whonix?[edit]

DNSCrypt may have good use cases for clearnet activities. However, it is not useful in Whonix and therefore should not be installed and activated by default for everyone. Although some users may have high expectations, DSNCrypt does not magically solve all DNS-related security issues, nor does it implement end-to-end DNS encryption to the destination server. [14] Most important of all, the server will still see all DNS requests in cleartext. [15]

There are several other reasons why DNSCrypt is not activated by default. Firstly, Tor distributes trust because the DNS server changes as circuits are rotated. For pre-installed applications, circuits are also stream-isolated and change every ten minutes by default. Notably, in early 2018 there are 78 open resolvers that support the protocol.

Public resolvers supporting DNSCrypt have not yet acted in a way to cause mistrust. However, even if the operators were absolutely trustworthy, complete confidence is also needed in their servers - it is unwise to let the DNS security for all Whonix users depend on a few servers. Another consideration is load balancing. If Whonix relied upon a DNSCrypt supporting server by default, DNS would break for all users if that server ever decided to forbid connections from the Tor network [16] or if the servers went down for maintenance.

For more detailed information about DNSCrypt, refer to these related forum posts.

Can I Use DNSCrypt on the Host or Router for Clearnet?[edit]

This configuration is possible; read the next section before proceeding.

Does DNSCrypt on the Host or Router Harm Anonymity when Using Tor/Whonix?[edit]

The short answer to this question is no. The longer answer is DNSCrypt on the host or in the router only affects clearnet activities. Tor assumes in advance that a user's local network and ISP are completely unsafe and untrustworthy. Tor and Whonix are unaffected by DNS settings that are made on the host or in the router.

It is debatable whether DNSCrypt is useful or not for clearnet activities since there are various pros and cons. It is useful when using foreign or untrusted Wi-Fi networks that are shared with others, since DNS requests could potentially be modified or read. That said, trust is just shifted from the ISP to a DNSCrypt supporting DNS server, such as OpenDNS. If the DNS server supporting DNSCrypt leaks a user's network address and/or logs queries as part of their business model, then it might actually be worse than using the ISP! It is hard to mount an argument for which party is more trustworthy, the ISP or a third party provider.

Linux Distributions[edit]

Is the Linux User Experience Comparable to Commercial Operating Systems?[edit]

When users interact with a Linux operating system like Whonix, they come with certain expectations in regards to their overall experience. For the majority, expectations are based on their familiarity with Windows or macOS, since they dominate the desktop and laptop markets. [17] These commercial platforms pre-install a wide variety of popular and fully-featured applications, and the graphical user interface (GUI) is easy to use and intuitive. As a consequence, the seamless integration of new system software packages is the rule rather than the exception.

Windows and macOS users are now accustomed to an integrated experience where "everything just works". Attempts to provide Linux users with an equivalent experience have proven to be very difficult and the problem seems insurmountable. Many find the Linux GUI difficult to use and counterintuitive. There are software applications that are similar in design to those found in Windows or macOS, but they often lack many of the same features [18] or do not fully integrate with other packages. For newcomers to Linux, it might be difficult to understand how applications with similar design goals can have vastly different cross-platform functionality. Only by comparing the structural differences between a typical corporate hierarchy and a Linux distribution's collaborative effort can the discrepancies be explained.

The following table provides a simplified comparison of the major organizational structural differences.

Table: Linux Distribution vs. Commercial Operating System

Linux Distributions Commercial Operating Systems
Software Based on packages from many independent projects which develop software according to their own design goals Centralized (in-house) development with unified design goals
Funding Sources Donations, volunteer payments, grants, corporate sponsorship, professional services Revenue from software licensing [19] [20]
Funding Amount Unprofitable, most are underfunded and depend on volunteers Profitable, billion dollar profits are the norm
Authority to Issue Directives None, can only ask third party projects nicely CEO issues directives
Human Resources Community-based volunteers (limited time and human resources) In Windows' case, over 120,000 employees [21]
Popularity ~ 1.7 per cent of desktop operating system market [22] Windows: ~ 82 per cent of the desktop operating system market [22]

macOS: ~ 13 per cent of the desktop operating market [23]

User Experience Fragmented Unified

Software Comparison[edit]

As shown in the table, Linux distributions are based on many third party projects which develop software according to their own design goals. For instance, an application might be initially developed by a volunteer for Windows and optimized for that platform. Later on, another volunteer joins the project, forks the application, and ports it to the Linux platform. When these projects develop software, they do not necessarily prioritize the design goals to suit compatibility with Linux distributions.

Linux distributions can only pick software packages that are already available, meaning the selected packages might fall short of the design goals. Moreover, unlike a traditional company, distributions are not structured with a large number of paid employees. Neither do they have the authority to issue directives to third party projects to make desirable software changes. If a distribution needs package changes from an independent project, there are a few options but they all require time and patience: [24]

  • Try to understand the perspective of the third party project.
  • Politely ask the project if they would be willing to make the changes.
  • Submit code that makes sense from their point of view.
  • Patch and/or fork their software.
  • Use an alternative package from a different project.

In contrast, commercial operating systems are based on software expressly designed to provide a fully-unified user experience. While Linux distributions rely on third party packages, commercial platforms are developed in large companies with a strict corporate hierarchy. In these companies, the CEO can issue a directive to developers to make any change needed to improve the integrated experience. Any developer who lacks the necessary skills or refuses to make changes is likely to be terminated for non-compliance. The human resources department (representing the CEO) will not tolerate delays in software development, as it might threaten profits.

Funding Comparison[edit]

Linux distributions are based on Libre Software which can be used freely by anyone. Without a software licensing fee, options to generate a reliable funding stream for development are severely limited. Unless funding is available to hire a large contingent of full-time employees, it is nearly impossible to provide users with a unified experience. Instead, distributions rely primarily on the goodwill of developers who volunteer their time to integrate and maintain software packages. Without a salary, the time developers can devote to the task is necessarily reduced. Although this problem is attributable to the restricted funding sources available, it has less impact for sizeable or popular distributions due to:

  • Donations or volunteer payment-based funding.
  • Selling professional services such as technical support, training and consulting.
  • Developmental grants.
  • Corporate sponsorship.

On the other hand, proprietary operating systems like Windows are funded through the sale of software licenses and are not limited in their ability to generate funding. Licensing generates billions of dollars in revenue which is used to employ a large number of full-time developers. This in turn allows these employees to focus on developing the software packages from the ground up, while remaining focused on the primary design goal: maintaining and improving the "Windows user experience" that the community has come to expect.

Unified Linux Experience[edit]

Based on the preceding sections, it is unrealistic to expect any Linux distribution to provide a user experience identical to Windows or macOS. Linux has gradually improved the quality and consistency of the user experience on various devices, particularly for larger and more popular distributions like Debian, Fedora and Ubuntu. However, it is impossible for most (if not all) distributions to replicate the quality found on commercial platforms. In the case of smaller distributions like Whonix, very limited human resources mean it is out of the question. Instead, developers must spend a large portion of their time on core functionality development.

Consequences[edit]

One obvious impact is that Whonix developers have limited time to answer support requests. Therefore, users are recommended to follow the advice outlined in the Free Support Principle chapter before asking for specific help. In addition, users are asked to document any steps that were used to solve problems in the forums and/or wiki, thereby supporting the co-developer concept which has been adopted by the Whonix project. [25]

Live Operating System[edit]

Why not Use a Live CD/DVD as the Whonix-Workstation Operating System?[edit]

This option was previously discussed in depth and it was decided that Live CD/DVDs are not suitable for Whonix-Workstation.

Advantages:

  • Often actively maintained.
  • Stabilized.
  • Hardened GNU/Linux distribution.
  • Advanced features.


Disadvantages:

  • No timely security updates.
  • Limited persistence.
  • Inflexible design.


Another serious disadvantage of Live CD/DVDs in the context of an anonymity-oriented OS is that they often have their own method of Tor enforcement included. In Whonix, this would result in a Tor over Tor scenario.

Will there be a Whonix Live CD or DVD?[edit]

Qubes-Whonix

The most promising mid term possibility may be running Qubes-Whonix on Qubes OS Live DVD/USB, which is currently in Alpha. [26] Unfortunately, at the time of writing Live-mode is no longer supported or maintained by Qubes. [27] Nevertheless, if this is further developed in the future, only limited changes are required on the Whonix side. The primary responsibility for hardware support and Live operating system development rests upon Qubes developers, with whom the Whonix team has a strong, collaborative, working relationship.

Non-Qubes-Whonix

This will not be available in the near future unless a developer steps forward, joins the Whonix team, and begins contributing code. Lead Whonix developer Patrick Schleizer has limited knowledge about Live CD/DVD creation and deployment, and completing this project would be difficult, particularly for hardware support. At the moment Whonix is a rather simple project, and many things are delegated upstream. For instance, there are various supported platforms, Debian provides a fine operating system, hardware support is delegated to the host operating system and supported platform, and Tor is providing a world class anonymizer. Another related problem is the large size of the Whonix images at present, making it very difficult to fit neatly on a Live CD/DVD. [28]

A workable alternative for testers is outlined in the next section below.

Is there Something like Whonix Live?[edit]

Starting with Whonix 14, Non-Qubes-Whonix users can optionally run Whonix as a live system. Booting into live mode will make all writes go to RAM instead of the hard disk. Everything that is created / changed / downloaded in the VM during that session will not persist after shutdown. This also holds true for malicious changes made by malware, so long as it did not break out of the virtual machine.

Alternatively, users can follow the recommendations to run Whonix with the dedicated host operating system installed on external media.

Tor[edit]

How do I Configure a Bridge?[edit]

Instructions for configuring a bridge in Whonix can be found here.

Whonix has Slowed Tor Connections Dramatically![edit]

This is likely an incorrect assumption. Since Whonix does not modify the Tor package directly, nor attempt to improve the Tor routing algorithm, any sudden drop in network speed is almost certainly related to:

  • User (mis)configurations relating to a VPN, proxy or other relevant settings.
  • Tor network anomalies.
  • Tor guards which are:
    • Malicious.
    • Overloaded.
    • Under attack.
    • Misconfigured.
  • A change in the Tor guard selection which has resulted in poor throughput due to capacity issues.


Before posting about the issue in forums, first use one of the following two methods to create a test Whonix-Gateway with a different set of guards.


a) Easy: Whonix-Gateway Clone [29]

  • Create a clone of the slow Whonix-Gateway (sys-whonix) and name it Whonix-Gateway-test VM (sys-whonix-test-vm). [30]
    • Virtualbox: follow these instructions to create a VM snapshot.
    • Qubes-Whonix: Right-click on sys-whonix -> Clone VM
  • Regenerate the Tor State File.
  • Retest the speed of Tor connections.


b) Moderate Difficulty: Manual Regeneration of the Tor State File [31]

Copy the Whonix-Gateway Tor state folder to a temporary folder by running the following commands in Konsole.

sudo systemctl stop tor@default
sudo mv /var/lib/tor /tmp
sudo systemctl restart tor@default

Retest the speed of Tor connections. Afterwards, to restore the Tor state folder to its original settings, run the following commands in Konsole.

sudo systemctl stop tor@default
sudo rm -r /var/lib/tor
sudo mv /tmp/tor /var/lib
sudo systemctl restart tor@default

Interpreting the Test Results

There is no guarantee the test VM / new Tor state will be faster. However, if there is a significant difference in speed between the test and normal Whonix-Gateway VMs / Tor state, then this can be attributed to the Tor guards that are normally in use. This also means there is no bug in Whonix.

If the test VM / new Tor state does not speed up, the user may have selected Tor guards with poor throughput, or it could be a bug in Whonix. Before reporting the problem in the forums, regenerate the Tor state file and test the Tor throughput again. If it is still slow, then this may indicate a Whonix bug or other issue.

It is strongly discouraged to use the Whonix-Gateway-test VM / new Tor state (with a new Tor guard set) for activities other than testing, even if it is faster. It is feasible that adversaries might try to induce the user to switch their guards. By switching, the probability that a new chosen guard set is adversary-controlled increases, aiding end-to-end correlation attacks that deanoymize connections.

Whonix is Preventing Tor from Bootstrapping![edit]

See the entry above. Bootstrapping problems can relate to the Tor guard in operation, so changing the Tor guard might resolve the issue.

If that is ineffective, users can also:

  • Confirm minimum system requirements have been met for Whonix.
  • Confirm the accuracy of the VM clock with sdwdate.
  • Remove any changes that were made to the Whonix-Gateway (sys-whonix) torrc configuration, such as bridges, pluggable transports, seccomp, connection padding and so on.
  • Test Tor functionality on the host.
  • In Qubes-Whonix, test Tor functionality in a non-Whonix AppVM.
  • Increase the amount of RAM available to Whonix-Gateway (sys-whonix).

Why Waste Network Bandwidth by Downloading Operating System Updates over Tor?[edit]

The short answer is this option was discussed with The Tor Project and Whonix was granted permission to do so.

Interested readers who want to learn more should review the following:

Can I Speed Up Tor or the Whonix-Gateway?[edit]

Is there a way to configure the number of nodes in a circuit and to allow selection according to their speeds?


Users who already know how to configure Tor in this fashion using the command line in vanilla Debian can follow the same procedure in Whonix-Gateway. This is not an endorsement for making these manual Tor changes because it is not recommended by Tor developers and thus the Whonix team. [33] This is also the reason there are no instructions in the Whonix documentation to manipulate Tor nodes in this way.

That said, if general instructions were found describing how to achieve this on the host, then the same procedure could simply be repeated in Whonix-Gateway.

Does Whonix Modify Tor?[edit]


Although Whonix does not modify Tor, the configuration file has been adapted for Whonix. To inspect the relevant files, check both /etc/tor/torrc and /usr/share/tor/tor-service-defaults-torrc on Whonix-Gateway. [34] Tor is not patched and the normal Tor deb package is used in Whonix. This is installed from either deb.torproject.org, or sdscoq7snqtznauu.onion if the user has "onionized" Tor Project updates.

Any changes to the Tor routing algorithm should be proposed, discussed and eventually implemented upstream in Tor on torproject.org. [35] If proposed changes are not adopted by The Tor Project, then the option to create a Tor fork [36] is available. Tor has already been forked at least once.

A general Whonix design principle is to keep the Tor process as uniform as possible, in order to simplify any security audits. Diverging from this practice would introduce unnecessary complexity, possibly worsen fingerprinting or degrade anonymity, and limit Whonix discussions to the security impacts of the modified routing algorithm. For these reasons, the Whonix team is strongly disinclined to make any direct changes to the Tor package.

Can Whonix Improve Tor?[edit]

As outlined in the previous section, Whonix will not implement any changes to Tor directly and any suggested improvements or bug fixes are proposed upstream on torproject.org. This already happens on occasion. Creating Whonix is a difficult and time consuming endeavor, so Tor improvements are better left to dedicated, skilled developers who are more knowledgeable in this area.

Skilled coders can always provide upstream patches to Tor, or as a last resort, fork [36] it. Hypothetically, if a fork [36] developed a greater following than the original project due to proven security / anonymity benefits, then Whonix would seriously consider making a switch.

What is Clearnet?[edit]

This term has two meanings:

  1. Connecting to the regular Internet without the use of Tor or other anonymity networks; and/or
  2. Connecting to regular servers which are not onion services, irrespective of whether Tor is used or not.

check.torproject.org says "Sorry. You are not using Tor."[edit]

See Browser Tests.

New Identity and Tor Circuits[edit]

The behavior of "New Identity" in the context of TorButton and Arm is often misunderstood. First of all, there are various ways to issue a issue a "New Identity":


In all cases, the "New Identity" function sends the protocol command "signal newnym" to Tor's ControlPort. This clears the browser state, closes tabs, and obtains a fresh Tor circuit for future requests. [37]


The impact of "signal newnym" on Tor circuit lifetimes is often misunderstood. "signal newnym" uses a fresh circuit for new connections. Sometimes Tor only replaces the middle relay while using the same Tor exit relay. This is by design and the Tor default. Further, "signal newnym" does not interfere with long-lived connections like an IRC connection.

Interested readers can verify the effect of "signal newnym" as follows:

  1. Open https://check.torproject.org in Tor Browser.
  2. Issue "signal newnym" using Arm.
  3. Reload https://check.torproject.org.
  4. In some cases it will still show the same IP address, probably because the browser did not close the connection to https://check.torproject.org in the first place.


Now repeat this experiment with a small modification which should result in a new Tor exit IP address:

  1. Open https://check.torproject.org in Tor Browser.
  2. Issue "signal newnym" using Arm.
  3. Close Tor Browser, then restart it.
  4. Open https://check.torproject.org again, and a new Tor exit relay IP address is (likely) visible.


New Identity is not yet perfect and there are open bugs; this is not a Whonix-specific issue. "signal newnym" is not a guaranteed method of unlinking various protocol states (like the browser) so the user absolutely appears to be a different identity. [38] Tor Browser's TorButton New Identity feature attempts this, but it is not yet perfect.

In general for greater security, it is better to completely close Tor Browser and restart it. In Qubes-Whonix, the safest option is using a Whonix-Workstation Qubes/DisposableVM and closing it and recreating a new one after critical activities.

Trust[edit]

Why Should I (not) Trust Whonix?[edit]

See Trust for a long answer.

User Support and Input[edit]

Feedback and Suggestions[edit]

The Whonix project is highly receptive to genuine feedback and suggested improvements from users. Software projects flourish from community input, and every suggestion is noted and considered.

The Whonix community is asked to remain patient. The development cycle involves a number of competing priorities and challenges which must be overcome to achieve ambitious roadmap goals. Further, there is also an existing backlog of unresolved bugs and feature requests to address.

As Whonix resources grow over time, development activity and responsiveness to user input will increase in kind.

What does Unsupported Mean?[edit]

This feature is either undocumented, untested, or unsupported. Please help us implement this feature by becoming a maintainer.

Virtualizers[edit]

Is VirtualBox an Insecure Choice?[edit]

Update:

Although VirtualBox is not an ideal choice, fortunately other platforms are supported:


For greater security, users with suitable hardware and sufficient skill are recommended to prefer Qubes-Whonix (a bare-metal hypervisor) over Type 2 hypervisors like VirtualBox and KVM.

The primary reason Whonix supports VirtualBox is because it is a familiar, cross-platform virtualizer which can attract more users to open source (free/Libre) software, Tor, and Linux in general. By remaining highly accessible, Whonix:

  • Increases the scope of potential growth in the user base.
  • Attracts greater attention as a suitable anonymity-focused operation system.
  • Increases the likelihood of additional human resources and monetary contributions.
  • Allows novice users to easily test Whonix and learn more about security and anonymity practices.
  • Improves the relative security and anonymity of Tor / Tor Browser users by offering a virtualized solution.


Old statement:

If you would like to see the old statement, please press on expand on the right.

Whonix in VirtualBox vs Tor / Tor Browser / Torified Applications on the Host

It is recognized that VirtualBox is not an ideal choice; see Dev/Virtualization Platform. However, there are different goals to bear in mind - Whonix is primarily focused on protecting a user's IP address / location.

A common refrain of critics is that VirtualBox is "too weak". This is a theoretical concern and does not have any practical implications at present, since Whonix in VirtualBox is actually more secure than running Tor, Tor Browser or torified applications on the host in many cases; see Whonix Security in the Real World.

It must be remembered that there are no alternatives for a large segment of the population who do not have sufficiently powerful hardware to run Qubes-Whonix, or who are technically incapable of running KVM. In this case, it is safer for them to run Whonix in VirtualBox, rather than continuing to utilize Tor on the host. For example, Whonix helps to protect against future proxy bypass bugs or software which does not honor proxy settings.

The strength of Whonix and virtualization in general is adherence to the security by isolation principle. VirtualBox critics need to objectively consider how many exploits currently exist for VirtualBox and the track record of exploits. Admittedly, virtual machine exploits may become far more problematic in the future, but at present Whonix is considered to provide more security out of the box running in VirtualBox, than not.

Platforms with Improved Security

Anybody seriously considering Whonix for improved security should refer to the Documentation, particularly the Security Guide, Advanced Security Guide and available supported platforms other than VirtualBox. Whonix is a poster child for the Isolating Proxy Concept and Security by Isolation.

Many users still default to running Tor on their Windows or Linux host. Whonix is immediately available to this cohort to substantially improve their real world security. Indeed, Whonix is the only up-to-date OS designed to be run inside a VM and paired with Tor, which is actively maintained and developed. Other similar projects like JanusVM are seriously outdated and no longer actively maintained. [39]

Whonix cannot serve all target audiences. Users seeking a higher security solution will prefer other supported platforms, like Qubes-Whonix. "Hardcore" users may prefer to build their own custom hardened solutions, while still profiting from Whonix's research and source code. Hardened solutions like the Hardened Gentoo Whonix-Gateway are more difficult to use and therefore cannot be set as the default installation for Whonix.

Virtual Private Networks[edit]

Should I Install a VPN on the Host or Whonix-Gateway?[edit]

This entry presumes the user has already decided to utilize a VPN. If not, this FAQ entry may be skipped.

VPN Installed on the Host VPN Installed on Whonix-Gateway VPN Installed on both the Host and Whonix-Gateway
All Whonix Traffic Routing User -> Host's VPN -> Tor -> Internet User -> Gateway's VPN -> Tor -> Internet User -> Host's VPN -> Gateway's VPN -> Tor -> Internet
All Host Traffic Routing User -> Host's VPN -> Internet User -> Internet User -> Host's VPN -> Internet
Whonix-Gateway Compromise Host's VPN Affords Protection Nil Protection Host's VPN Affords Protection

To decide the best configuration in your circumstances, consider:

  • Is it necessary to hide all traffic from the ISP? [40] Then install the VPN on the host.
  • Should the VPN provider be able to see all traffic? [40] Then install the VPN on the host.
  • Should the VPN provider be limited to seeing Tor traffic, but not clearnet traffic? Then install the VPN on Whonix-Gateway.

Whonix-specific[edit]

Design and Development[edit]

Why Use a 32-bit Operating System Instead of 64-bit?[edit]

Whonix 13

Whonix does not uniformly use a 32-bit operating system; it is dependent on the supported platform in use. In the current stable release:


Until now, the decision to support a 32-bit build for Non-Qubes-Whonix has primarily related to compatibility. 32-bit software runs on both 32-bit and 64-bit hosts, while 64-bit builds cannot be created or used if running a 32 bit kernel. [41] Further, 64-bit software is more memory (RAM) intensive, which could be problematic for running 3 operating systems on older systems (Whonix-Gateway, Whonix-Workstation, and the host OS). [42] However, this does not prevent advanced users from building Whonix from source code and using --arch amd64 as per the build documentation to create 64-bit builds.

Whonix 14

In Whonix 14, slated for release in mid-2018, only 64-bit builds will be available for download across all platforms. [43] This decision is based on several factors:

  • Distributions are increasingly dropping support for 32-bit systems (including Debian). [44]
  • Only a small minority of users are stuck with older hardware that will not support 64-bit builds. [45]
  • It is a significant maintenance burden for Whonix to maintain both 32-bit and 64-bit builds for Non-Qubes-Whonix. That is, Whonix would need to maintain 10 images, instead of the current 6 images.
  • Non-Qubes-Whonix users who rely on 32-bit (i686) hardware will still be able to use Whonix 14, by using the upgrade instructions instead of downloading new images. [46] [47] [48]


If a maintainer steps up to contribute, it may be possible to have both 32 and 64-bit downloads for Non-Qubes-Whonix in the future.

How is Whonix Different from Tails?[edit]

See Comparison with Others.

Why not Merge with Tails and Collaborate?[edit]

The following is a subjective opinion by lead Whonix developer Patrick Schleizer. [49] Feedback, corrections, and suggested improvements are welcome.

Tails is a respected project with similar goals to Whonix - improved anonymity, privacy and security. Tails has existed for many years and has multiple developers, significant experience and a complete working infrastructure. Whonix and Tails developers already cooperate to some degree and discuss things of mutual interest to both projects on various developers mailing lists like whonix-devel, tails-devel and secure-os.

Whonix and Tails Collaboration

Several parts of Whonix are based on Tails. For example, the development of sdwdate in Whonix was reliant upon Tail's invention of tails_htp. Whonix also profits from Tails' previous efforts to upstream packaging and other changes in Debian, current and historical discussions in various forums, Tails research, design documents, experience, feedback and so on.

Other examples of Tails and Whonix cooperation include:


Why Whonix is a Separate Project

Even though Tails is highly valued by Whonix developers, it may not be clear to the reader why Whonix remains a separate project and not just a contributor to Tails. There are several reasons for this decision: Whonix cannot be merged into Tails by the Whonix team on technical, skill and political grounds; implementing features or changes in Tails is an unfamiliar process; and it is unknown when/if Whonix priorities will be implemented in Tails - but it is known how to solve these in a separate project (at least with appropriate user documentation).

Further examples are outlined in the table below. Note that some of these items may already be partially or fully solved in Tails, but it is has been kept to justify the decision at that time not to merge with Tails.

TODO Broken since migration to whonix.org. Ignore for now.

(Previous) Tails TODO Whonix Instructions
Remember installed packages By design, everything persists. [51]
Applications Audit By design, protocol leaks can not lead to deanonymization.
Two-layered, virtualized system By design, this is achieved by using either VMs or Physical Isolation
VPN support Features#VPN / Tunnel support
JonDo over Tor JonDonym
Freenet over Tor Freenet
obfsproxy Bridges
Hide Tor from your ISP Hide Tor and Whonix from your ISP
I2P over Tor I2P
Transparent Proxy as a fallback mechanism By design, everything not configured to use a SocksPort will automatically use Tor's TransPort.
Use Tor Browser Tor Browser
Stream Isolation Stream Isolation
Evaluate web fingerprint Same as Tor Browser.
Unsafe browser fingerprint Logging in to captive portals
Location Hidden/IP Hidden Servers Location/IP Hidden Servers
VoIP VoIP
... ...

Political and Design Considerations

There are also significant differences in political and design decisions which prohibit a merger:

  • As a code contributor to Tails, Patrick Schleizer would need to accept decisions made via internal Tails decision-making processes. Whonix would lose the autonomy to simply modify anything in line with personal preferences or favored solutions. [52] At the time Whonix was created, Patrick Schleizer did not favor a Live DVD/USB approach and personally found improving Tails to be far more difficult than starting a fresh project.
  • Source Code Merge Policy:
    • Whonix: A comprehensive merge policy has not yet been developed. This would be ideal, but it is not compulsory to formulate such a design or associated documentation.
    • Tails: In Patrick Schleizer's opinion, the Tails merge policy is too strict. This is not a complaint or critique. No doubt there are good reasons for that decision, and it should be noted that Tails is still a popular and effective solution for many users. Anyone who does not agree has the freedom to contribute to another project or to start a new project, leading Patrick Schleizer to make use of that freedom.
  • Another major design difference is Tails' reliance on a Live DVD/USB which inherits some restrictions and limitations. Tails must fit on a DVD/USB, while Whonix does not have this requirement. Whonix also has higher hardware requirements, but therefore more space to implement features. As a consequence, initially fewer people are able to use Whonix, but this situation will improve in the future as available hardware improves. The Whonix design is fluid and new designs (both theoretical and practical) are being discovered over time. Depending on user feedback and general interest, eventually a Live DVD or Blu-ray might be created in Whonix.
  • Patrick Schleizer has found it easier to cooperate with the security by isolation focused operating system Qubes OS, which resulted in Qubes-Whonix.

How is Whonix Different from Tor Browser?[edit]

See Comparison with Others.

How Difficult is Whonix Development?[edit]

The following information is an opinion expressed by lead developer Patrick Schleizer, which is based on several years of Whonix development and related activities.

Consider the following comparison table. Whonix source code is relatively simple when compared with activities like the development of cryptographic algorithms and hand written binary code.

Legend: One star (*) = very easy; 10 stars (**********) = very difficult.

* Using a computer.
** Writing Whonix bash scripts.
** Writing Whonix documentation.
*** Whonix-related anonymity and privacy research.
**** Scripting language.
***** Using Hardened Gentoo.
****** Programming languages such as C/C++.
******* Core Tor development.
******** Reverse engineering software.
******** Kernel development.
******** Assembly language.
********* Compiler development.
********* Aeronautical science.
********* Cryptographic algorithms development.
********** Hand written binary code.

Images[edit]

Why are Whonix Images so Large?[edit]

Currently the size of the Whonix-Gateway and Whonix-Workstation is 1.7 GB and 2.0 GB, respectively. This is much larger than other "Tor-VM" or "Tor-LiveCD/DVD" projects, which sometimes depend on specially "stripped-down" or minimal distributions like TinyCore, DSL, and Puppy Linux. From Whonix 14, zerofree has been used to reduce the size of the binary images by approximately 35 per cent.

Minimal Distribution Disadvantages

The primary reason for the large size of the images is that small/er distributions do not meet Whonix requirements; namely the upstream distribution must have a proactive security policy. In addition:

  • Most minimal distributions are small projects. Consequently, there is no dedicated security team that audits packages and quickly releases security patches.
  • Whonix requires a distribution that cryptographically signs all updates. [53]
  • The security of minimal distributions is premised on reducing the potential attack surface, and not much else. Whonix also has a small attack surface, due to only installing a few selected applications and not having any network listening services by default. However, on the upside a full distribution supports MAC, kernel patches, IDS and much more.
  • Large, established projects have many users and developers, and the many eyeballs on the code implies greater trustworthiness.
  • Debian has a significant number of security features that are unavailable in smaller distributions.
  • For further reading on this topic, see Operating System.


Maintenance and Usability Concerns

Since Whonix is based on Debian, it is a complete, anonymity-oriented, general purpose operating system. This greatly improves usability in comparison to minimal systems which lack a host of features.

There are several other benefits of relying on Debian, rather than a minimal distribution:

  • A wider range of use cases is supported, such as hosting onion services. In contrast, small distributions usually have limited repositories.
  • Debian has comprehensive documentation about topics like security and hardening, unlike many small distributions.
  • Creating a slim system increases the maintenance burden, because it is difficult and requires significant development time. This is not, and should not be the primary focus of the Whonix team.
  • Minimal projects do not usually focus on anonymity, privacy and security-related matters; the core competence of the Whonix project.
  • Attempts to slim down systems inevitably results in numerous "strange bugs". Users who are familiar with Debian or Ubuntu would then question why Whonix is broken or lacks full functionality.


It should be noted that by increasing usability, Whonix actually improves security over time. This stems from a larger user pool, a more prominent profile in the press, increased development activity, and additional security audits and research. On the contrary, a slimmed down system would only attract specialists or experts. [54]

An interesting analogy is Mixminion, which was once touted as an alternative to Tor. [55] Due to Mixminion being a high latency remailer, with cover traffic and protection against traffic confirmation (end-to-end correlation attacks), it should theoretically have been more secure than Tor. The only problem was that Mixminion did not attract a critical mass of users. Without a sizable population to help disguise traffic, the putative anonymity benefits were seriously degraded - making it no more or less (in)secure than Tor. [56]

Absence of a Live Whonix CD/DVD

The final reason Whonix images are large, is that the project is not (yet) focused on the anonymity-oriented Live CD/DVD market. Without the restriction of needing to fit on a CD/DVD, there is no necessity to balance functionality with available space and security. Being a general purpose anonymous operating system has its benefits - default or optional functionality can be increased at whim. For example, integrating Bitcoin into Whonix would be quite simple, apart from the documentation burden.

Patches[edit]

Patches are Welcome[edit]

Volunteer contributions to Whonix are most welcome. All proposed patches are carefully reviewed and merged if appropriate. Volunteers with the requisite coding ability should refer to the current backlog of open Whonix issues and consult with developers before undertaking any significant body of work.

Often, proposed improvements or fixes to the Whonix platform have not yet implemented due to differing developer priorities, limited human resources, and/or the inordinate amount of time required to develop a particular feature or solution. In a minority of cases, the Whonix team is unsure how to resolve a bug, or how to implement a specific change / feature. [57]

It is generally unhelpful to debate the priorities laid out in the future Whonix roadmap, as this diverts energy from core development. Some major suggestions like the availability of a Live Whonix CD/DVD might become available in the long-term, or might never eventuate.

Security[edit]

Does Whonix Guarantee my IP Address and Location are Safe when Using Skype?[edit]

This answer has been moved to the VoIP page.

Full Disk Encryption Should be Added to Whonix![edit]

This assumption is incorrect. In short, it is more effective to add Full Disk Encryption to the host to protect against theft or robbery of personal information or data.

The interested reader can refer to Encrypted Guest Images for further details.

You Should Disable JavaScript by Default![edit]

Whonix has not changed default JavaScript settings in Tor Browser for several reasons:

  • Whonix is not a "secure browser" project - the focus is on creating a stable, reliable anonymity distribution which aligns with best practice security and privacy principles, informed by educated researchers in the field.
  • Possible fingerprinting or security issues with default settings in Tor Browser are the domain of core Tor developers.
  • Whonix has limited manpower, meaning the resources do not exist to create a more secure browser, even if it was desirable. [58]
  • Tor Browser is not significantly modified for the same reasons Whonix does not modify or attempt to improve Tor. [59]
  • Having Whonix share the fingerprint of other Tor Browser users is good for anonymity.


As noted in the Tor Browser chapter, disabling JavaScript by default may worsen fingerprinting:

The take-home message is disabling all JavaScript with white-list based, pre-emptive script-blocking may better protect against vulnerabilities (many attacks are based on scripting), but it reduces usability on many sites and acts as a fingerprinting mechanism based on the select sites where it is enabled. On the other hand, allowing JavaScript by default increases usability and the risk of exploitation, but the user also has a fingerprint more in common with the larger pool of users.

Experienced Tor developer Mike Perry has provided justification for enabling JavaScript by default in a tor-talk mailing list topic; see "Tor Browser disabling Javascript anonymity set reduction". In summary, Tor Button and Tor Browser patches handle the most serious JavaScript concerns, such as IP address / location bypass problems. [60]

Due to the loss in functionality, disabling JavaScript by default might place Whonix users in a small subset of the Tor Browser population. The JavaScript behavior of the broader Tor Browser population is an open research question, so it safest to avoid a possible reduction in the anonymity set of Whonix users. Users should remember that the degree of fingerprinting that is possible will also rely on Tor Browser's security slider settings. Ultimately the user is free to turn JavaScript on or off, depending on their security, anonymity and usability preferences.

Does Whonix / Tor Provide Protection from Advanced Adversaries?[edit]

Targeted Surveillance


Whonix cannot provide protection against advanced attack tools which have the capability to penetrate all types of OSes, firewalls, routers, VPN traffic, computers, smartphones and other digital devices. Implants are capable of surviving across reboots, software / firmware upgrades, and following the re-installation of operating systems. [61]

Once infected in this way, it is virtually undetectable and no solution can be readily found, except throwing away the hardware and moving on from the targeted physical / network location. Encryption, Tor / Tor Browser, other anonymity tools, "secure" hardware configurations and so on are helpless against these attacks, which are increasingly automated and being scaled up in size. For example, the American IC prefers using the TURBINE system for this purpose.

The following is just a small sample of the hundreds of advanced implants and tools currently in use. Needless to say, advanced adversaries can achieve almost any outcome they like: [62] [63] [64]

  • Exfiltrate or modify information / data including removable flash drives (SALVAGERABBIT).
  • Log keystrokes or browser history (GROK, FOGGYBOTTOM).
  • Surreptitiously turn on cameras or microphones (CAPTIVATEAUDIENCE, GUMFISH).
  • Exploit VPN and VOIP data (HAMMERCHANT, HAMMERSTEIN).
  • Block certain websites (QUANTUMSKY).
  • Corrupt downloads (QUANTUMCOPPER).
  • Present fake or malware-ridden servers (FOXACID, QUANTUMHAND). [65]
  • Launch malware attacks (SECONDDATE).
  • Upload and download data from an infected machine (VALIDATOR).
  • Detect certain targets for attack (TURMOIL). [66]
  • Collect images of computer screens (VAGRANT).
  • Collect from LAN implants (MINERALIZE).
  • Image the hard drive (LIFESAFER).
  • Jump air-gaps (GENIE).
  • Inject ethernet packets onto targets (RADON).
  • And much, much more.


The take-home message is that current hardware and software solutions provide multiple attack vectors which are impossible to completely close. Air-gapped solutions which have never been connected to the Internet may provide security for targeted individuals, but Internet-connected devices should be considered completely unsafe.

Passive Surveillance

Users should be aware that passive surveillance systems will attempt to intercept, record, categorize and attribute all data that can be feasibly collected, including straight off the Internet backbone. These systems are designed to hoover up everything, irrespective of whether it is browsing history, emails, chat / video, voice data, photographs, attachments, VoIP, file transfers, video conferencing, social networking, logins, or user activity meta-data.


Consistent use of anonymous handles, strong encryption, Tor / Tor Browser, and world class open source anonymity tools and platforms may provide partial protection against passive surveillance programs, such as:


Be aware that this claim comes with an important caveat - it depends on whether Tor (and other software / hardware solutions) provide adequate protection or not. The answer to that question is not clear. Whonix has adopted a skeptical mindset and only makes conservative claims, because it is impossible to prove a negative. For a related statement about advanced adversaries, refer to the following technical introduction.

Can Certain Activities Leak DNS and/or the Real External IP Address / Location?[edit]

No activity conducted inside Whonix-Workstation can cause IP/DNS leaks so long as Whonix-Gateway is left unchanged or only documented changes are made like configuring bridges, establishing onion services, and running updates.

However, certain behaviors can degrade anonymity or inadvertently expose a user's real identity or location. For instance:

Is there a Whonix Amnesic Feature / Live CD / Live DVD? What about Forensics?[edit]

As noted in the Whonix Live entry, Whonix 14 allows non-Qubes-Whonix users to optionally run Whonix as a live system. Writes go to RAM instead of the HDD/SSD, and everything that is created, changed or downloaded in the VM during that session does not persist after shutdown. However, neither non-Qubes-Whonix or Qubes-Whonix is an amnesic system by default.

For reasons why a Whonix Live CD/DVD is currently unavailable, refer to these earlier entries.

Forensic Considerations

In the past, a number of ideas have been put forward to try and make Whonix an amnesic system:

  • Shredding the Whonix hard disk images.
  • Having a zip archive of Whonix hard disk images and restoring them every time Whonix is used.
  • Restoring a fresh snapshot every time Whonix is used.
  • Running Whonix completely in ramdisks.
  • Using full disk encryption.
  • And so on.


Unfortunately, none of these methods are a substitute for a true amnesic system. Amnesic live systems have a superior design insofar as sensitive (or unencrypted) data is never stored on storage media in the first place. It is manifestly unsafe to try and deal with data by wiping it after it has already been stored, and this is a poor design principle to implement.

Using full disk encryption is still useful to protect against forensic analysis, but in some parts of the world this is illegal or draws unwanted attention. Therefore, full disk encryption is not an applicable stopgap for some Whonix users and this cohort requires an amnesic version of Whonix in all instances.

The reader should always be cautious regarding claims made about the ability to defeat disk forensics. For example, the Whonix team are not experts in matters related to:


Even carefully designed setups fail to approach the efficiency of an amnesic system. At a bare minimum, before any strong claims can be made about anti-forensics, the following steps should be undertaken:

  1. Make an image of the HDD/SSD.
  2. Run Whonix and perform a range of normal user activities.
  3. Make another image of the HDD/SSD.
  4. Compare the images.


Unless these basics steps are performed, the setup may seem ingenious but fail against contemporary forensic tools. Users concerned about local forensics should at least use full disk encryption. When established open source encryption solutions like Linux dmcrypt are used correctly, they live up to their promises. However, always remember this approach is inferior to an amnesic system, particularly if the user can be forced to surrender their password under certain circumstances. If that is a legitimate concern, then Whonix may not be the right tool and alternatives like Tails should instead be investigated.

Stability[edit]

Whonix Crashes because of PAE?[edit]

See PAE crash.

Versioning[edit]

What is the Difference Between the stable, stable-proposed-updates, testers and developers Repositories?[edit]

Whonix currently provides four repository choices:

  • Whonix stable APT repository: recommended for most users. The production level packages focus on providing the most reliable Whonix experience.
  • Whonix stable-proposed-updates APT repository: recommended for testers and only briefly tested by Whonix developers. It also contains stable upgrades, but it can break apt-get during an upgrade, requiring terminal commands to rectify the problem. After testing by a wider audience, these packages migrate to the stable repository. [70]
  • Whonix testers APT repository: As above, except it does not have stable upgrades. [71]
  • Whonix developers APT repository: As above, except it includes untested changes. These changes may eventually migrate to the testers repository if the Whonix team is confident these changes will not break the update system.


Users can easily change their repository in the Whonix-Gateway or Whonix-Workstation by following these instructions.

Due to the Whonix design, a user's security is unlikely to be materially affected by preferring the "beta" (stable-proposed-updates) or "alpha" (testers, developers) repositories over the default stable one. The terms alpha and beta are avoided because they have generally lost their meaning in the software field; many applications remain in alpha or beta status for years, even though they work perfectly well. [72]

Whonix Gateway[edit]

Why can't I Ping the Whonix-Gateway?[edit]

The Whonix-Gateway does not respond to ping or similar commands because it is firewalled for security reasons; see /usr/bin/whonix_firewall or refer to the Whonix source code. In most cases it is unnecessary to ping the Whonix-Gateway anyhow.

If a user insists on pinging the Whonix-Gateway or has a unique setup that requires it, then this can be tested by clearing all firewall rules with the dev_clearnet script. Alternatively, a script can be run to try and unload / remove every iptables rule, or the Whonix firewall can be hacked to not load at all. The latter method is only for experts and it is necessary to comment out the exit 0 at the beginning.

Graphical Whonix-Gateway?[edit]

Qubes-Whonix:
Does not apply.

Non-Qubes-Whonix:


If a user believes the Whonix-Gateway is using too much RAM or generally prefers a terminal version of Whonix-Gateway, the allocated RAM can be reduced to 256 MB and RAM Adjusted Desktop Starter will automatically boot into a terminal version of Whonix-Gateway.

When Whonix is used in combination with KVM, dynamic memory management of the RAM overhead might be a non-issue. By manually enabling these features it is possible to immediately profit. Eventually, a later Whonix release where KVM is in use might enable this by default.

Whonix aims to be as accessible and usable as possible. Linux experts who were content with the older non-graphical version of Whonix-Gateway [73] may not appreciate the change, but Whonix is aimed at a broad audience. Whonix is also an attempt to recruit more casual users[74] [75] to Tor, because the more people who use Tor, the better the anonymity that is provided[76].

In the older, non-graphical version of Whonix-Gateway [77] it was difficult for users who had never used Linux before to complete tasks like upgrading or configuring obfuscated bridges. Many activities are simpler and easily accessible in a graphical desktop environment, such as:

  • Setting up bridges / flashproxies.
  • Auditing logs.
  • Auditing iptables.
  • Auditing the system architecture in general.
  • Running Tests.
  • Running Leak Tests.
  • Editing the Tor configuration file /etc/tor/torrc.
  • Editing the firewall settings folder /etc/whonxi_firewall.d.
  • Reading status messages (whonixcheck and sdwdate).
  • Changing the Tor circuit.
  • Copying and pasting (configuration) commands, (error) messages and logs.
  • Running tshark / wireshark.
  • Tunneling only Whonix-Gateway's traffic through a VPN.


A black, text-only window (terminal) is intimidating for normal users. A graphical desktop environment is also a prerequisite for further planed improvements, such as a Whonix Controller. The proposed graphical Whonix Controller will provide buttons such as:


Also, terminal-only environments are often unusable for users with disabilities. This is another reason why recent Whonix versions [78] feature an optional graphical desktop environment.

Users do not have many options if they believe the graphical Whonix-Gateway uses too much disk space and/or they want to achieve activities that Whonix was not designed for, such as running Whonix completely in RAM. Whonix was never developed with low installation size, low RAM, or low system requirements in mind. See also: Why are Whonix Images so Large? and Will there be a Whonix Live CD or DVD?

Advanced users can build Whonix from source code and use a build configuration to create a terminal-only version of Whonix-Gateway; refer to Build Documentation if that is of interest.

Last but not least, a terminal-only version of Whonix-Gateway could be easily provided if the role of Release Manager was filled. This requires someone willing to build terminal-only versions of Whonix-Gateway, which is not strictly about development since it only requires running the build script and uploading it. Until more people are contributing to The Whonix Project, this won't be possible due to resource constraints.

See also Other Desktop Environments for workarounds and alternatives.

Footnotes[edit]

  1. Last updated in January 2018.
  2. https://www.openbsd.org/
  3. https://twitter.com/feldpos/status/493426189282054144
  4. A Tor onion service is still not available.
  5. Last updated in January 2018.
  6. https://github.com/subgraph/subgraph-os-issues/issues/153
  7. Subgraph is a Debian derivative.
  8. Unfortunately Whonix cannot prevent against attacks which replay an old Tor consensus or which attempt to reveal onion services.
  9. Interested readers can verify these claims by researching off-the-shelf malware building toolkits. They are dangerous to install for inexperienced users, but there is a wealth of information online such as screenshots and video tutorials.
  10. It is unclear if script kiddie programs are readily available for attacking non-Windows users.
  11. From a browser test website, in a log file and so on.
  12. https://forums.whonix.org/uploads/default/original/1X/c2c9bb5dc7efee7a933dd00d3bf0c30c29c99daa.png
  13. This is not a recommendation to use it.
  14. Conceptually, end-end DNS encryption is illogical. If the IP address of the destination server was known in advance, then DNS would not be required in the first place.
  15. https://security.stackexchange.com/questions/162601/what-are-the-privacy-advantages-of-a-dns-encryption-service-such-as-dnscrypt
  16. Due to the Tor network abuse such as DDOS attacks on their servers.
  17. Around 95 per cent combined.
  18. Like Skype.
  19. For example, recent Windows earnings can be found here.
  20. Most desktop computers sold worldwide come with Windows pre-installed, generating significant revenue from licensing.
  21. [1]
  22. http://gs.statcounter.com/os-market-share/desktop/worldwide/
  23. If options or features require a substantial time investment, it may be infeasible for a distribution with limited resources to implement the desired changes.
  24. Users can contribute in a range of ways, such as by helping to answer questions in the forums.
  25. See also: https://groups.google.com/forum/?_escaped_fragment_=topic/qubes-users/IQdCEpkooto#!topic/qubes-users/IQdCEpkooto
  26. https://www.qubes-os.org/downloads/
  27. This situation might change in future if additional human resources become available. Check this wiki entry at a later date and also read: https://forums.whonix.org/t/whonix-live-mode
  28. This is less useful for Whonix debugging.
  29. Alternatively follow the instructions to use Multiple Whonix Gateways.
  30. This is more useful for Whonix debugging.
  31. Click here for an overview of all answers.
  32. Deferring to their expertise on the possible adverse anonymity effects.
  33. Changes to the configuration file are made by the anon-gw-anonymizer-config package.
  34. This means changes occur for all Tor users, and not a subset relying on a particular distribution.
  35. 36.0 36.1 36.2 https://en.wikipedia.org/wiki/Fork_(software_development)
  36. https://blog.torproject.org/blog/torbutton-141-released
  37. See tbb-linkability and tbb-fingerprinting.
  38. In response to whether JanusVM was safe to use, Roger Dingledine of The Tor Project stated in 2011: "No, not safe. Probably has been unsafe to use for years."
  39. 40.0 40.1 All traffic generated by the host and all applications running on the host. For example, Firefox, NTP, and anything else. This also includes traffic generated by Whonix.
  40. https://www.whonix.org/wiki/Template:Build_Documentation_64bit
  41. KVM improves RAM usage through page sharing, however the documentation states there are good reasons for not enabling it by default. VirtualBox does not have a similar feature.
  42. https://phabricator.whonix.org/T91
  43. https://www.phoronix.com/scan.php?page=news_item&px=Debian-686-For-i386-CPUs
  44. For example, in Tails, less than 10% of users had 32-bit kernels in late 2016.
  45. This is because none of the Whonix packages were made 64-bit only.
  46. https://phabricator.whonix.org/T688#13700
  47. https://forums.whonix.org/t/state-of-offical-64-bit-builds/399
  48. Last updated in January 2018.
  49. https://github.com/Whonix/onion-grater
  50. This is actually a disadvantage, because that is the opposite of an amnesic system, which many users may prefer.
  51. One major advantage of free software is developers are free to disagree about a project's direction, leading to the creation of a fork.
  52. This is always desirable, particularly when updating over untrusted exit relays.
  53. This does not mean Whonix cannot be significantly hardened, customized or reduced in size by those with specialist knowledge.
  54. Consider this interesting statement from Tor developer Roger Dingledine: Mixminion vs Tor.
  55. This is also the reason development was discontinued.
  56. Some of these relate to cross-platform problems which are not Whonix-specific.
  57. Even if the manpower existed, it would make more sense to establish a new "Privacy Browser" project, rather than merge its development with Whonix. At a later stage, the theoretically more secure browser could then be bundled with the Whonix platform.
  58. Whonix includes Tor Browser by default, with only minor differences.
  59. Although there are unresolved tbb-fingerprinting and tbb-linkability issues.
  60. For example, BIOS is a favorite target of IC operatives for persistence.
  61. https://theintercept.com/2014/03/12/nsa-plans-infect-millions-computers-malware/
  62. https://www.washingtonpost.com/world/national-security/powerful-nsa-hacking-tools-have-been-revealed-online/2016/08/16/bce4f974-63c7-11e6-96c0-37533479f3f5_story.html
  63. https://www.schneier.com/blog/archives/2013/10/code_names_for.html
  64. A popular attack against Tor Browser users.
  65. This relies on selector types like machine IDs, attached devices, cipher keys, network IDs, and various user-specific leads such as cookies.
  66. Both of these methods shift trust to a single provider, rather than distributing it. In the case of the DNS resolver, it may lead to identity correlation or weaken safeguards against potentially hostile applications; for example, see Skype.
  67. Developers have a basic understanding and just know to be cautious.
  68. This issue requires further investigation.
  69. Users should make a VM clone for this repository just in case it breaks. That way changes can be rolled back if necessary.
  70. Users should make a VM clone for this repository just in case it breaks. That way changes can be rolled back if necessary.
  71. The software versioning nomenclature normally has alpha and beta with values below 1.0
  72. Version 0.5.6
  73. https://forums.virtualbox.org/viewtopic.php?f=3&t=57532
  74. See linked comment.
  75. Quote:

    [...] Ultimately the best protection is a social approach: the more Tor users there are near you and the more diverse their interests, the less dangerous it will be that you are one of them. Convince other people to use Tor, too!

  76. Version 0.5.6
  77. From Whonix 6 onward.

Random News:

Did you know that Whonix could provide protection against backdoors? See Verifiable Builds. Help is wanted and welcomed.


https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)