Network, Browser and Website Fingerprint
In this chapter, the term fingerprint refers to the specific way Whonix ™ behaves on the Internet. Those specificities could be used to determine whether a particular user is running Whonix ™ or not.
As explained on the Warning page, the default Whonix ™ configuration does not hide Tor use from network observers. However, the Whonix ™ design attempts to make Whonix ™ users indistinguishable from the rest of the Tor population, particularly Tor Browser Bundle (TBB)  users. If Whonix ™ and TBB  users have distinct fingerprints, then this information significantly degrades anonymity because the Whonix ™ user base is far smaller than the broader Tor population. 
This section briefly addresses possible Whonix ™ fingerprinting issues and how adversaries might use this information to verify Whonix ™ is in use.
Various types of information can be leaked about the user's browser, (host) operating system and hardware depending on the external party in question.
Entry Guards or Bridges
As noted in the Guard Fingerprinting chapter, using persistent Tor guards or bridges can threaten anonymity under certain circumstances:
While natural guard rotation is recommended, there are some corner cases in which an adversary could fingerprint the entry guards and de-anonymize a user. For instance:
- The same entry guards are used across various physical locations and access points.
- The same entry guards are used after permanently moving to a different physical location.
For example, if an adversary monitoring network activity observes a user connecting from multiple physical locations with persistent guards/bridges, then it can be reasonably assumed that all connections stem from the same person. Mitigating this risk requires techniques like using new Tor entry guards or configuring alternate bridges for different places.
Nick Mathewson from The Tor Project suggests additional precautions when moving networks: 
- Spoof the MAC address with randomized values on each move.
- Absolutely prevent non-Tor connections.
- Ensure a unique set of Tor entry guards (bridges) is utilized for each network you connect from. 
- Minimize the threat of stored Tor state files which record every network visited.
ISP or Local Network Administrators
Table: Fingerprinting Domains
Firstly, Whonix ™ solely generates Tor activity on the network. All traffic from both the Whonix-Workstation ™ (
In contrast, usually TBB  users have additional network activity outside of Tor, either from another web browser or other applications. This means the proportion or volume of Tor activity might be feasible identifiers to predict whether a user is running Whonix ™ or the TBB . It is probably harder for the ISP to determine whether a single user is solely generating Tor traffic (and potentially using Whonix ™) if:
|Tor Entry Guards||Whonix ™ uses an unmodified version of Tor,  so entry guards are used as the default mechanism to connect to the Tor network.  Consequently, a Tor user will maintain the same relay as the first hop for an extended period,  which is a security feature.|
|Time Synchronization||When Whonix ™ is started, the system clock is synchronized to make sure it slightly differs from the host clock via |
|Website Traffic Fingerprinting||Website traffic fingerprinting is also an open Tor research question, which is unspecific to Whonix ™.  A related and unresearched issue is whether fingerprinting risks also apply to other traffic, such as |
|Network Stack Hardening||Various security hardening [archive] (disabling TCP timestamps, ICMP redirections, firewalling invalid packages, ...). Security hardening unfortunately is a conflicting goal with ISP or Local Network fingerprinting resistance. Security hardening has been prioritized.|
|Random ISN Generation||Prevent de-anonymization of Tor onion services [archive] through Tirdad kernel module for random ISN generation [archive]. De-anonymization resistance unfortunately is a conflicting goal with ISP or Local Network fingerprinting resistance. Resistance against de-anonymization has been prioritized.|
|Whonix-Host||Whonix-Host once available will be exclusively generate Tor traffic in its default configuration.  This is different from for example a Windows 10 host operating system running Tor Browser.|
In conclusion, the ability of the ISP or local network administrator to distinctly identify users who utilize Tor Browser Bundle, Whonix ™, Tails, a custom transparent Tor proxy or similar project, depends on how different a system is configured. Anonymity/security/privacy focused operating systems will inevitably differ from other Tor users using popular operating systems. For example, a user using Tails or Whonix ™ will have a different network fingerprint than a Windows 10 user that emits its usual phone home traffic and using the Tor Browser Bundle. This is a necessary trade-off to make to advance the state of technological privacy from the status quo.
Seeing improvement in this area is unlikely. It would require choosing and emulating a popular or the most popular host operating system in combination with the most popular way to use Tor, which is probably Tor Browser on Windows 10. It is infeasible to emulate the Windows 10 network fingerprint and convince an ISP or local network observer without actually running the real setup. There are many reasons to not use Windows. Even after lots of effort, no negative could be proven that it was good enough.
Related, on the wiki page, Hide Tor use from the Internet Service Provider it has been concluded, "censorship circumvention, possible" but "hiding Tor is impractical" where a global passive adversary recording and storing all traffic is concerned.
It is impossible to Hide Tor use from the Internet Service Provider (ISP). It has been concluded this goal is difficult beyond practicality.
- The browser name and version.
- CSS media queries:
- Window dimensions.
- Desktop size.
- Widget size.
- Display type.
- A list of available extensions.
- Timezone. 
- Available fonts.
- User agent.
- Video card in use. 
- CPU and interpreter speed.
- Browser history. 
- Via exploited plugins:
- Leak the non-Tor IP address.
- Interface addresses and other machine information.
- List all plugins to fingerprint the user.
- Retrieve unique plugin identifiers.
- Read / store identifiers related to HTTP auth, DOM storage, cached scripts, client certificates and TLS session IDs.
- Browser cache.
To make it difficult to distinguish Whonix ™ and TBB  users, TBB  is included on the platform. Therefore, Whonix ™ should provide the same information as TBB  in order to generate very similar fingerprints.
Website Traffic Fingerprinting
"Website fingerprinting" is a category of attack where an adversary observes a user's encrypted data traffic, and uses traffic timing and quantity to guess what website that user is visiting. In this attack, the adversary has a database of web pages, and regularly downloads all of them in order to record their traffic timing and quantity characteristics, for comparison against encrypted traffic, to find potential target matches. This attack is carried out by an adversary external to the Tor network observing traffic between a user and Tor relay or bridge.
 The observer won't know the exact contents of the page (such as user names, passwords, etc.), but the observer can know with reasonable certainty that a specific website (such as for example
google.com) has been visited.
Per the blog post [archive] by The Tor Project, such an attack on clearnet sites visited through Tor is impractical and has a very high rate of false positives because of the sheer variety of traffic going through Tor and the vast number of webpages, however attacks against visiting Onion services might be more practical as the classifier leverages real-time ad network bidding and DNS to further narrow down the possible set of pages accessed to the Onion-space and further still, picking out which one. Onion service padding is deployed to mitigate this.
This attack should not be confused with end-to-end correlation attacks performed by malicious Entry guards set up by Tor-relay level adversaries.
Whonix ™ Fingerprint Comparison
- TBB stands for Tor Browser Bundle [archive]. It is included in Whonix ™, see Tor Browser.
- Certainly less than 50,000 users, although an exact figure [archive] is yet to be published.
- tor-dev: entry guards and linkability [archive]
- Note: this is not a recommendation for non-persistent guards because a hostile DHCP server might provide new IPs until a hostile guard is chosen.
- In case of Default/Download version, it is the host's task to establish an online connection. In the case of Physical Isolation, it is the gateway's task to establish an online connection.
- This comes with the attendant risk of the user confusing one browser with another.
- Whonix ™ uses an unmodified version of Tor
- https://www.torproject.org/docs/faq#EntryGuards [archive]
- Typically the entry guards are rotated after a few months.
- https://github.com/Whonix/anon-gw-anonymizer-config [archive]
- Stream Isolation
- It is unknown if an ISP can detect whether a user has many different Tor circuits open. On the other hand, Tor seems to only open X entry guards and maintain them for a period, thus not opening as many entry guards as streams.
- See Tor Browser Design [archive] for further exploration of this issue.
- Should Whonix host be fully torified by default? [archive]
- Via the date object.
- Via WebGL
- Quote research paper by University of Waterloo, Website Fingerprinting: Attacks and Defenses [archive]:
Website fingerprinting attacks allow a local, passive eavesdropper to determine a client's web activity by leveraging features from her packet sequence. These attacks break the privacy expected by users of privacy technologies, including low-latency anonymity networks such as proxies, VPNs, or Tor. As a discipline, website fingerprinting is an application of machine learning techniques to the diverse field of privacy. To perform a website fingerprinting attack, the eavesdropping attacker passively records the time, direction, and size of the client's packets. Then, he uses a machine learning algorithm to classify the packet sequence so as to determine the web page it came from.
- https://forums.whonix.org/t/new-low-cost-traffic-analysis-attacks-and-mitigations/8708 [archive] forum discussion
- https://blog.torproject.org/critique-website-traffic-fingerprinting-attacks [archive]
Whonix ™ Fingerprint wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix ™ Fingerprint wiki page Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <email@example.com>
This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat and Policy On Nonfreedom Software applies.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)