Jump to: navigation, search


This page contains changes which are not marked for translation.


In this context we use the term fingerprint to refer to the specificities in the way Whonix behaves on Internet. Those specificities could be used to determine whether a particular user is using Whonix or not.

As explained on our Warning page, when using Whonix it is possible to know that you are using Tor. But Whonix tries to make it as difficult as possible to distinguish Whonix users from other Tor users, especially Tor Browser Bundle (TBB[1]) users. If it were possible to determine whether your are a Whonix user or a TBB[1] user, this provides more information about you and in consequence reduces your anonymity.

This section explains some issues regarding the fingerprint of Whonix and how this could be used to identify you as a Whonix user.

For the websites that you are visiting[edit]

The websites that you are visiting can retrieve a lot of information about your browser. That information can include its name and version, window size, list of available extensions, timezone, available fonts, etc.

To make it difficult to distinguish Whonix users from TBB[1] users, Whonix includes TBB[1] and therefore should provide the same information as the TBB[1] in order to have similar fingerprints.

For your ISP or local network administrator[edit]

This is difficult (impossible?) to say with 100% certainty, since part of this is still a general Tor (not Whonix!) research question. It is also impossible to prove a negative.

Whonix is itself exclusively generating Tor activity on the network. Both, all traffic from Whonix-Workstation (TBB[1], updates, timesync, etc.) and Whonix-Gateway (updates, timesync) goes through Tor. Getting online activity is the task of the host, so the host [2] is most likely using DHCP to obtain a local IP address. Usually TBB[1] users also have network activity outside of Tor, either from another web browser or other applications. So the proportion or amount of Tor activity could be used to determine whether a user is using Whonix or the TBB[1]. If you are sharing your Internet connection with other users that are not using Whonix or if you also use a browser on the host [3], it is probably harder for your ISP to determine whether a single user is generating only Tor traffic and so maybe using Whonix.

Whonix uses the entry guards mechanism of Tor. With the entry guard mechanism [4], a Tor user always uses the same relay as first hop, which is a security feature. Whonix uses an unmodified version of Tor[5], but a configured torrc[6] for the Stream Isolation[7] security feature.

When starting, Whonix synchronizes the system clock to make sure it differs from the host clock and is not too much off (TimeSync[8]). whonixcheck[9] issues some network traffic to check for updates and news, all goes through different circuits, which might be specific to Whonix. (Unchecked theory, it is unknown if an ISP can guess "oh, this Tor user opens many different Tor circuits." On the other hand, Tor seems to open only X entry guards and keep them for a while, thus not opening as many entry guards as streams.)

There is also the general Tor research question Website traffic fingerprinting[10]. (Not a Whonix specific issue!) No one ever researched yet, if that also applies to other traffic[11].

In conclusion, if your ISP or local network administrator can determine someone is using the official Tor Browser Bundle from The Tor Project, Whonix, a custom transparent Tor proxy or similar project, depends on how well Tor actually works. Since Whonix is itself exclusively generating Tor activity on the network and relies on Tor to obfuscate that traffic, it really depends on Tor and these are open research questions.

For your Entry Guard or Bridge[edit]

TODO: To be written.

tor-dev: entry guards and linkability


Comparison with Others#Fingerprint

See Also[edit]

Protocol-Leak-Protection and Fingerprinting-Protection


  1. 1.0 1.1 1.2 1.3 1.4 1.5 1.6 1.7 TBB stands for Tor Browser Bundle. It is included in Whonix, see Tor Browser.
  2. In case of Default/Download version, it is the host's task to get online. In case of PhysicalIsolation it is the Gateway's task to get online.
  3. Which would come with the risk of the user confusing one browser for another.
  4. https://www.torproject.org/docs/faq#EntryGuards
  5. Whonix uses an unmodified version of Tor
  6. https://github.com/Whonix/anon-gw-anonymizer-config/blob/master/etc/tor/torrc.anondist
  7. Stream Isolation
  8. TimeSync
  9. whonixcheck
  10. See Tor Browser Design for Website traffic fingerprinting.
  11. Such as apt-get traffic.


Whonix Fingerprint wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Fingerprint wiki page Copyright (C) 2012 - 2017 Patrick Schleizer <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.

Random News:

Please help us to improve the Whonix Wikipedia Page. Also see the feedback thread.

Impressum | Datenschutz | Haftungsausschluss

https | (forcing) onion
Share: Twitter | Facebook | Google+

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)