Easy[edit]

Qubes-Whonix users need to install persistent software in the Whonix-Workstation TemplateVM(s). Using apt-get in the AppVM will only install software for the current session, with changes being lost when the VM is shut down.

A primary Whonix goal is to greatly reduce the risk posed by (additional) software installations that are not exclusively designed to work with Tor.

Users can install any software inside Whonix-Workstation using apt-get, since it is based on Debian. However, this is not a recommendation for installing additional software.

Whonix is currently the most secure platform for running Tor-unsafe applications like Adobe Flash; see the operating system comparison.

The Whonix software page lists:

• Pre-installed Whonix applications which are available for different tasks.
• Recommended software for different user activities.
• Safety advice.
• Installation instructions.

Prefer Packages from Debian Stable Repository[edit]

Users who decide to install new software after considering the risks should preference Debian's Stable repository, rather than the Testing / Unstable or third party repositories. Generally avoid manually installing packages (even trusted ones), since they tend not to get updated by the user in a timely fashion.

The Debian FAQ provides a strong rationale for using the stable repository:

Stable is rock solid. It does not break and has full security support. But it not might have support for the latest hardware.

If security or stability are at all important for you: install stable. period. This is the most preferred way.

Since there is typically over 1 year between releases you might find that stable contains old versions of packages. However, they have been tested in and out. One can confidently say that the packages do not have any known severe bugs, security holes etc., in them. The packages in stable integrate seamlessly with other stable packages. These characteristics are very important for production servers which have to work 24 hours a day, 7 days a week.

On the other hand, packages in testing or unstable can have hidden bugs, security holes etc., Moreover, some packages in testing and unstable might not be working as intended.

Also, Debian Backports should be used conservatively:

Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable. Use with care!

GUI Applications with Root Rights[edit]

Never login as root user (sudo su) or run GUI applications using sudo application. This will fail and is a limitation inherited from Debian. If a user attempts this action, error messages like those below will appear.

No protocol specified

cannot connect to X server :0

As a KDE user (Whonix default) use kdesudo application. Otherwise, use gksudo application. For example.

Open /etc/tor/torrc in an editor with root rights.

kdesudo kwrite /etc/tor/torrc

sudo nano /etc/tor/torrc

More Security[edit]

Introduction[edit]

• Users are free to install their favorite software packages. Almost any application can be installed, with a few exceptions for programs that are impossible to torify.
• Users are protected from IP and DNS leaks (see above for details).
• Users have some protection against protocol leaks and fingerprinting, but this is far from perfect.

• Users must still try to prevent any other protocol leaks using the "Torify: How-to" guide, but most of those are mitigated by Whonix.
• When updating with apt-get, information about which software packages and versions have been installed will leak unless Tor hidden services are used for repositories, see software updaters. This information cannot be directly linked to any other activity like web browsing, because the Whonix apt-get uwt wrapper forces it to pass through its own circuit. However, there are still risks that updates could be correlated with the same pseudonym. ^{[1] [2]}
• If additional software is installed, this increases the attack surface of the platform. ^[3]

For greater security when updating, follow the guidelines below.

Extra care is needed when adding extra custom repositories, especially Personal Package Archives (PPAs). Single developers are more easily pressured and/or likely to have malicious intent than the main distribution repositories.

Please read the protocol leak and fingerprinting protection entry first. Information highlighted includes the fact that many leaks, such as DNS and IP-related leaks, do not apply to Whonix and so on.

The Torify: How-to contains documentation about protocol leaks and how to mitigate them.

Also see Transparent Proxy Leaks, which is particularly relevant for Microsoft Windows.

How-to: Install or Update with Utmost Caution[edit]

1. Stop all activities and shutdown any open applications like Tor Browser.
2. Change the Tor circuit (this step may not apply if the user is running a hidden service). ^[4]
3. Update using apt-get after a random delay. By default, a new Tor circuit is generated after 10 seconds.
4. Change the Tor circuit again.
5. Continue user activities after another random delay period.

Whonix-Workstation is Firewalled[edit]

Note: This is just an informational resource for users interested in server software or other advanced / uncommon applications.

The presence of a Whonix-Gateway's firewall means for Whonix-Workstation:

• Incoming connections are not supported.
  • However, if outgoing connections are made, then incoming connections are accepted for web browsing, IRC, or other relevant applications.
  • Server ports ("open ports") are blocked.
  • The Ident Protocol / web server listening port is not reachable, unless it is explicitly configured.
• Hidden Services can be hosted.
• The firewall is found on the Whonix-Gateway: /usr/bin/whonix_firewall
• Standard DNS requests on UDP port 53 are redirected to Tor's DnsPort. ^[5]

Also note:

• Tor does not support UDP. This is not a Whonix issue.
• Tor only partially supports IPv6, although full implementation is likely in the near term. ^[6] This is not a Whonix issue. ^[7]
• All traffic from Whonix-Workstation and Whonix-Gateway is routed over Tor. ^{[8] [9] [10] [11]} Users should read the footnotes on the left-hand side.

Whonix's firewall on the Whonix-Gateway is very restrictive. It can be made even more restrictive by activating #OptionalFeatureNr.3# within the firewall script. It is possible to limit which outgoing ports are redirected to Tor's TransPort. Depending on what the user is trying to achieve, it could also be useful to remove all SocksPorts.

Related:

• Whonix-Workstation Firewall
• Ports

Advanced[edit]

Backports[edit]

1. Boot the Whonix-Workstation (whonix-ws) TemplateVM

2. Add jessie-backports to sources.list

In the Whonix-Workstation (whonix-ws) TemplateVM, run.

sudo su -c "echo -e 'deb http://http.debian.net/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"

Or alternatively use the .onion mirror.

sudo su -c "echo -e 'deb http://vwakviie2ienjx6t.onion/debian jessie-backports main' > /etc/apt/sources.list.d/jessie-backports.list"

3. Use Apt-pinning Before Installing Dependencies

4. Update the Package Lists

sudo apt-get update

5. Install the Chosen Software

sudo apt-get -t jessie-backports install packagename

• Replace packagename with the package you actually want to install.

Package Reinstallation[edit]

As per the free support principle, package reinstallation uses normal Debian processes.

The example below shows how the iceweasel package would be reinstalled. The user can substitute iceweasel with many other packages, so long as they do not have too many dependencies. The instructions are not suitable with any packages that are required for connectivity such as tor, because the reinstallation would be very difficult and is currently unsupported.

Even in the case of the iceweasel package, dependency complications emerge. The anon-workstation-packages-recommended package also depends on iceweasel. Further, the whonix-workstation package depends on anon-workstation-packages-recommended.

Update the package lists and upgrade before starting this procedure. See updates for instructions.

Purge the package you want to reinstall.

sudo apt-get purge iceweasel

The output will show something like the following.

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be REMOVED:
  anon-workstation-packages-recommended* iceweasel* whonix-workstation*
0 upgraded, 0 newly installed, 3 to remove and 0 not upgraded.
After this operation, 90.8 MB disk space will be freed.
Do you want to continue? [Y/n] 
(Reading database ... 100681 files and directories currently installed.)
Removing whonix-workstation (3:2.9-1) ...
Removing anon-workstation-packages-recommended (3:2.9-1) ...
Removing iceweasel (38.4.0esr-1~deb8u1) ...
Removing 'diversion of /usr/bin/firefox to /usr/bin/firefox.real by iceweasel'
Purging configuration files for iceweasel (38.4.0esr-1~deb8u1) ...
Processing triggers for hicolor-icon-theme (0.13-1) ...
Processing triggers for menu (2.1.47) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for desktop-file-utils (0.22-1) ...
Processing triggers for qubes-core-agent (3.0.20-1+deb8u1) ...
Processing triggers for mime-support (3.58) ...

The packages anon-workstation-packages-recommended and whonix-workstation have been inadvertently uninstalled due to technical limitations. ^[12] These packages will be reinstalled later.

Delete the user configuration folder if that is desired. In this iceweasel example, the user configuration folder would be the following (it differs depending on the package).

rm -r ~/.mozilla

Now reinstall the iceweasel package and the additional packages that were purged. The --no-install-recommends parameter below is optional.

sudo apt-get install --no-install-recommends iceweasel anon-workstation-packages-recommended whonix-workstation

Related to: Whonix Debian Packages.

Foreign Sources[edit]

In most cases, the extensive software range available from the official Debian repositories should be enough to meet the user's needs. Thousands of programs can be installed within a couple of steps. These packages are constantly maintained for bug/security fixes and tightly integrated to provide a stable distribution. However, the Linux software scene is very dynamic and sometimes software will be wanted that has not yet been packaged in Debian.

In these cases it may be necessary to install software from separate sources; either from third party repositories, as a stand-alone precompiled .deb binary, or directly compiled source packages. ^[13]

Risks[edit]

The use of foreign sources should be kept to a minimum, as it may cause problems. Note this is simply a warning about the possible worst case scenario and not an absolute outcome of installing third party software.

Security Issues[edit]

Keep in mind that foreign sources pose important security implications for the user's system. Installing software is tantamount to granting root privileges to the developers. Software originating from dubious sources could replace important system components with malicious versions that allow backdoors or Trojan horses to be installed on the system.

In general, the installation of software is a matter of trust. The fact is that users have to trust every software source they install. This trust is two-fold: firstly that the developers have integrity, and secondly that the community will notice any suspicious code, which might indicate compromise of the developers' machines. ^[14]

Dependency Hell[edit]

Manually installed packages can contain library versions not available in the standard repositories. This causes problems with dependency resolution when installing additional software from the official repository. Individual applications are less critical in this context, but when important system libraries in the third-party software are considered, complications are inevitable.

Depending on how severe the complications, upgrades to the next version of the operating system might fail and it could become unbootable or have other stability issues.

Mitigation[edit]

Users can reduce security risks and eliminate the risk of making the workstation unusable by using Multiple Whonix-Workstations.

Footnotes[edit]

1. ↑ For example, if a user announced somewhere that they utilized software X and also have a specific application set x, y, and z installed, this information may become available to an adversary. If circuit-isolated apt-get passes through any Tor exit relays, mirrors or ISPs controlled by the adversary, then they may guess it is the same pseudonym which is running it. In that case the adversary gets a list of the user's installed packages, and can run a stale mirror attack (only if the user has a custom Ubuntu build), or may try other attacks against apt-get.
2. ↑ As per the previous note, this threat equally applies to users who run a hidden service with a specific set of server software, for example apache, mediawiki, phpbb, and others.
3. ↑ https://en.wikipedia.org/wiki/Attack_surface
4. ↑ One option is using Arm. Navigate to the Whonix-Gateway (sys-whonix in Qubes-Whonix) and select Arm - Tor Controller. Press n for a "New Identity", or alternatively: Press "m" for the menu -> Scroll down to New Identity -> Press enter.
5. ↑ If the DNS server is changed in Whonix-Workstation's /etc/resolv.conf, this will probably have no effect. The reason is the firewall on Whonix-Gateway will redirect all those requests to Tor's DnsPort. The working exception to this rule is when users tunnel / encrypt DNS requests (DNSCrypt, httpsdnsd), as per the secondary DNS resolver instructions.
6. ↑ The only missing elements at the time of writing were: automatic client connections and inter-relay connections via IPv6. Bridges are fully supported.
7. ↑ https://phabricator.whonix.org/T509
8. ↑ Since Whonix 0.2.1, Whonix-Gateway traffic is also routed over Tor. In this way, use of Whonix is hidden from persons or systems observing the network.
9. ↑ To preserve the anonymity of a user's Whonix-Workstation activities, it is not necessary to torify Whonix-Gateway's own traffic.
10. ↑ For reader interest: If DNS settings on Whonix-Gateway are changed in /etc/resolv.conf, this only affects Whonix-Gateways's own DNS requests issued by applications using the system's default DNS resolver. By default, no applications issuing network traffic on Whonix-Gateway use the system's default DNS resolver. All applications installed by default on Whonix-Gateway that issue network traffic (apt-get, whonixcheck, timesync) are explicitly configured, or forced by uwt wrappers, to use their own Tor SocksPort (see Stream Isolation).
11. ↑ Whonix-Workstation's default applications are configured to use separate Tor SocksPorts (see Stream Isolation), thereby not using the system's default DNS resolver. Any applications in Whonix-Workstation that are not configured for stream isolation - for example nslookup - will use the default DNS server configured in Whonix-Workstation (via /etc/network/interfaces), which is the Whonix-Gateway. Those DNS requests are redirected to Tor's DnsPort by Whonix-Gateway's firewall. Whonix-Gateway's /etc/resolv.conf does not affect Whonix-Workstation's DNS requests.
12. ↑ Whonix_Debian_Packages#Technical_Stuff
13. ↑ https://www.debian.org/doc/manuals/debian-faq/ch-pkg_basics.en.html
14. ↑ With reproducible package builds on the horizon, the security risk from the second factor will be minimal in the future.

https | (forcing) onion
Share: Twitter | Facebook | Google+

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)