Network Fingerprint


In this chapter, the term fingerprint refers to the specific way Whonix behaves on the Internet. Those specificities could be used to determine whether a particular user is running Whonix or not.

As explained on the Warning page, the default Whonix configuration does not hide Tor use from network observers. However, the Whonix design attempts to make Whonix users indistinguishable from the rest of the Tor population, particularly Tor Browser Bundle (TBB) [1] users.

If Whonix and TBB [1] users have distinct fingerprints, then this information significantly degrades anonymity because the Whonix user base is far smaller than the broader Tor population. [2]

This section briefly addresses possible Whonix fingerprinting issues and how adversaries might use this information to verify Whonix is being used.

Fingerprinting Information[edit]

Various types of information can be leaked about the user's browser, (host) operating system and hardware depending on the external party in question.

Visited Websites[edit]

Destination websites can retrieve a lot of information about a user's browser and system, while advanced adversaries have even greater capabilities. [3] This information can include:

  • The browser name and version.
  • CSS media queries:
    • Window dimensions.
    • Desktop size.
    • Widget size.
    • Display type.
    • DPI.
  • A list of available extensions.
  • Timezone. [4]
  • Available fonts.
  • User agent.
  • Video card in use. [5]
  • CPU and interpreter speed.
  • Browser history. [6]
  • Via exploited plugins:
    • Leak the non-Tor IP address.
    • Interface addresses and other machine information.
    • List all plugins to fingerprint the user.
    • Retrieve unique plugin identifiers.
  • Read / store identifiers related to HTTP auth, DOM storage, cached scripts, client certificates and TLS session IDs.
  • Browser cache.

To make it difficult to distinguish Whonix and TBB [1] users, TBB [1] is included on the platform. Therefore, Whonix should provide the same information as TBB [1] in order to generate very similar fingerprints.

ISP or Local Network Administrators[edit]

The capabilities of the ISP or local network administrator are difficult to ascertain with complete certainty. This is still a general research question for The Tor Project, and not Whonix developers. It is also impossible to prove a negative.

Tor Enforcement[edit]

Firstly, Whonix solely generates Tor activity on the network. All traffic from both the Whonix-Workstation (whonix-ws-14) and Whonix-Gateway (whonix-gw-14) such as TBB [1], updates, and timesync pass through Tor. Establishing an online connection is the task of the host, so the host [7] is most likely using DHCP to obtain a local IP address.

In contrast, usually TBB [1] users have additional network activity outside of Tor, either from another web browser or other applications. This means the proportion or volume of Tor activity might be feasible identifiers to determine whether a user is running Whonix or the TBB [1]. It is probably harder for the ISP to determine whether a single user is solely generating Tor traffic (and potentially using Whonix) if:

  • The Internet connection is shared with other users that do not run Whonix.
  • A browser is also used on the host. [8]

Tor Entry Guards[edit]

Whonix uses an unmodified version of Tor, [9] so entry guards are used as the default mechanism to connect to the Tor network. [10] Consequently, a Tor user will maintain the same relay as the first hop for an extended period, [11] which is a security feature.

One addition which is unique to Whonix is the configured torrc [12] for the Stream Isolation[13] security feature.

Time Synchronization[edit]

When Whonix is started, the system clock is synchronized to make sure it slightly differs from the host clock via TimeSync. whonixcheck also issues some network traffic to check for updates and news, which all passes through different circuits. This behavior might be specific to Whonix. [14]

Website Traffic Fingerprinting[edit]

Website traffic fingerprinting is also an open Tor research question, which is unspecific to Whonix. [15] A related and unresearched issue is whether fingerprinting risks also apply to other traffic, such as apt-get traffic.


The ability of the ISP or local network administrator to distinctly identify users who utilize TBB, Whonix, Tails, a custom transparent Tor proxy or similar project, depends on how well Tor actually works. As Whonix is exclusively generating Tor activity on the network and relies on Tor to obfuscate that traffic, the answer depends on Tor itself and resolution of open research questions.

Entry Guards or Bridges[edit]

As noted in the Guard Fingerprinting chapter, using persistent guards or bridges can threaten anonymity under certain circumstances:

While natural guard rotation is recommended, there are some corner cases in which an adversary could fingerprint the entry guards and de-anonymize a user. For instance:

  • The same entry guards are used across various physical locations and access points.
  • The same entry guards are used after permanently moving to a different physical location.

For example, if an adversary monitoring network activity observes a user connecting from multiple physical locations with persistent guards/bridges, then it can be reasonably assumed that all connections stem from the same person. Mitigating this risk requires techniques like using new Tor entry guards or configuring alternate bridges for different places.

Nick Mathewson from The Tor Project suggests additional precautions when moving networks: [16]

  • Spoof the MAC address with randomized values on each move.
  • Absolutely prevent non-Tor connections.
  • Ensure a unique set of Tor entry guards (bridges) is utilized for each network you connect from. [17]
  • Minimize the threat of stored Tor state files which record every network visited.

Whonix Fingerprint Comparison[edit]

Further Reading[edit]


  1. 1.0 1.1 1.2 1.3 1.4 1.5 1.6 1.7 TBB stands for Tor Browser Bundle. It is included in Whonix, see Tor Browser.
  2. Certainly less than 50,000 users, although an exact figure is yet to be published.
  3. Information that is leaked depends on the browser in use, JavaScript settings, Tor Browser's security slider settings, whether it is a malicious attack or not, and other factors.
  4. Via the date object.
  5. Via WebGL
  6. For example, using CSS and JavaScript to perform history disclosure attacks.
  7. In case of Default/Download version, it is the host's task to establish an online connection. In the case of Physical Isolation, it is the gateway's task to establish an online connection.
  8. This comes with the attendant risk of the user confusing one browser with another.
  9. Whonix uses an unmodified version of Tor
  11. Typically the entry guards are rotated after a few months.
  13. Stream Isolation
  14. It is unknown if an ISP can detect whether a user has many different Tor circuits open. On the other hand, Tor seems to only open X entry guards and maintain them for a period, thus not opening as many entry guards as streams.
  15. See Tor Browser Design for further exploration of this issue.
  16. tor-dev: entry guards and linkability
  17. Note: this is not a recommendation for non-persistent guards because a hostile DHCP server might provide new IPs until a hostile guard is chosen.


Whonix Fingerprint wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Fingerprint wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.

Random News:

Want to make Whonix safer and more usable? We're looking for helping hands. Check out the Open Issues and development forum.

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)