The NSA's opinion on JonDoNym:[1]

(S//REL) Open Source Multi-Hop Networks

(S//REL) Jondo Anonymous Proxy (JAP)

(S//REL) Championed by German University (Dresden)

(S//REL) (Mostly?) Open source software - some Docs in German

(S//REL) Uses a technology known as Cascades

  • (S//REL) Each cascade is set of 2 or 3 Mixes
  • (S//REL) All internal traffic encrypted
  • (S//REL) Free service AN.ON: 5 Cascades
  • (S//REL) Premium service JonDoNym: 10 Cascades

(S//REL) Countries: BG, CA, CH, CZ, DE, DK, FR, GB, IT, LU, US

(S//REL) Less than 50 mixes total

(S//REL) Open Source Multi-Hop Networks

(S//REL) Jondo Anonymous Proxy (JAP)

(S//REL) Comparison with Tor

• (S//REL) Not nearly as well studied
  • (S//REL) Much smaller contained development community
• (S//REL) More centralized structure (all mixes centrally approved)
• (S//REL) Not as diverse geographically or scalable
  • (S//REL) Not as well used or publicized

(S//REL) Not analyzed in great detail here at NSA (or FVEY?)

(TS//SI//REL) Much better chance for Global Adversary (SIGINT :-))

  • (TS//SI//REL) Sessionization of DNI still would be a problem

Whonix developer Patrick Schleizer's JonDonym opinion

JonDonym is an alternative anonymity network, which this introduction chapter compares with Tor. It is easy to tunnel JonDonym over Tor inside Whonix-Workstation, which the next chapter covers. In theory, Tor on Whonix-Gateway could be replaced with JonDo.

The JonDonym network[2] is much smaller than the Tor network. At the time of writing (February 2012, a snapshot taken on a random weekday at a random time), there were 5 two hop free mix cascades, 11 three hop premium mix cascades and 1 test/experimental free one hop service.

The two hop free mix cascades had 1940 users with a maximum available capacity of 2750 users. 1367 users were using the test/experimental free one hop service, which didn't advertise a maximum user capacity. Between 16 and 63 users were using each of the 11 three hop premium mix cascades, and no maximum user restriction was advertised. There were 350 premium users in total.

In comparison, according to the Tor metrics page, the Tor network had ~3000 relays on that day (~1000 had the guard flag and ~900 had the entry guard flag, i.e. were usable in that position). ~500,000 users were using the Tor network on that day.

The path (circuit) a Tor client chooses is not predictable and changes every 10 minutes. In comparison, a JonDonym user who has chosen, for example, the Speedy-Sektor free two hop mix cascade will have a predictable entry and exit until the user manually changes it. That goes for all mix cascades. If someone knows the entry or the exit, the whole path the client is using through the network is known.

The Tor network is run by volunteers from many different countries. There is no formal process to apply as a Tor node and no verification of identity for Tor node admins. Anyone can download the Tor software and volunteer a node. Therefore there are both legitimate and malicious nodes.

In comparison, JonDonym mix servers are operated by independent and unrelated organizations or private individuals, who all publish their identity[3]. The operators have to abide by strict provisions which prohibit saving connection data or exchanging such data with other operators.

While private data such as usernames and passwords have already been sniffed by Tor exit relays on unencrypted or sslstripped connections, there has been no such headline about JonDonym. Tor clearly states that unencrypted connections can be sniffed by Tor exit relays (see Exit Nodes Eavesdropping). Trusting JonDonym is more like trusting their policy and server administration skills. Neither the mix server administration nor the JonDo software can prevent a man-in-the-middle attack between the mix server and the destination server.

JonDonym might be faster than Tor.

Quoted from the JonDonym Law enforcement page [4]:

JonDonym does not make it impossible to uncover individual users, as there is no such thing as a 100% security. However, such a disclosure is by magnitudes more difficult than for other VPN or proxy services, as this would require the cooperation of several states and organizations.
JonDonym is no technology for preventing law enforcement on the internet. In very serious cases, it is possible to uncover the abuse of Mix services. User connections may be individually observed, if all operators of a Mix cascade get such an official order, valid in their respective country (in Germany according to §100a/b StPO).
A respective legal obligation may moreover force some Mix operators to retain certain connection data. In contrast to surveillance (where this is often not allowed), the operator has to make this transparent to the users of his JonDonym Mixes via JonDo. Usually, such a data retention comprises neither target addresses (websites) nor contents, but IP addresses of users only. At the moment no JonDonym mix operators retain connection data.
However, the independence of JonDonym operators vastly lowers the danger of an illegitimate law enforcement done by non-democratic states or arbitrary individual public officers. Any disclosure basically needs the cooperation of all operators of a Mix cascade. This was never realized for premium mix cascades in the past.
Surveillance reports
Each year, we will publish a short report of all surveillance actions that were taken and have been reported to us by the operators.
In 2012 there has been one surveillance court order to all German mix operators and JonDos GmbH. It concerned one JonDonym account number which was known to the law enforcement agency before start of surveillance. No premium cascade and no free cascade was able to provide the requested communication data because not all operators of any cascade got a court order.
If single mix operators inform JonDos GmbH about a surveillance court order then that does not mean JonDonym as a whole has been under surveillance or JonDos GmbH was involved. Rather, single operators had to comply with these orders.

In summary, there were surveillance court orders during the last four years, but until now no JonDonym user has ever been de-anonymized. The Tor network also suffers from legal attacks; there have been some raids of Tor exit servers, which also didn't and couldn't lead to de-anonymization. Neither network, when used correctly (i.e. not de-anonymizing oneself by posting private information, never connecting even once without going through the anonymity network, no proxy bypass, no viruses, following the documentation and so on), has ever had any news headlines about network compromise.

The JonDo developers, although they are selling a product, seem to be honest about their network. They are also generally friendly (Whonix is allowed to re-use their documentation content under an Open Source license, with or without modification, to improve the Whonix documentation) and are constructively participating in the Tor bug tracker. It will be interesting to see if, and what, they answer on the thread "ip-check.info some false values and confuses TBB users".

JonDonym receives much less attention from security researchers compared to Tor.

In some aspects JonDonym is more secure than Tor, in others less; it depends on your threat model. Reading JonDonym's network comparison and law enforcement pages yourself may be worthwhile.

Tunneling JonDonym over Tor makes sense in some cases. I wouldn't do it for a longer amount of time, as it adds a permanent exit server. (See Tor plus VPN or proxy for background.)

Conclusion: if you want to download something which you cannot download over SSL (and for which there are also no hash sums or signatures), the JonDo exit might, in your threat model, be more trustworthy than a random Tor exit. However, you could also try to use a specific Tor exit run by someone you trust.


According to JonDo, is it safe to tunnel JonDonym over Tor (user -> Tor -> JonDonym -> Internet)?

According to JonDo, yes.

Quoted from the JonDonym network comparison page[5]:

[...] making surfing considerably slower but, in some individual cases, even more secure than with JonDonym alone.

According to the JonDonym page, chapter Access to the Tor network with JonDo[6], JonDo natively supports being tunneled over Tor. This also implies that the JonDo developers do not argue that tunneling JonDo through Tor is any less safe. Having such an option helps JonDo users to tunnel through Tor (user -> Tor -> JonDonym -> Internet). You won't need this option in Whonix, since all traffic originating from Whonix-Workstation will be tunneled through Tor first in any case. Enabling that JonDo option inside Whonix-Workstation is discouraged, since it would lead to Tor over Tor.

Connecting to Tor before JonDonym


It is possible to run JonDonym inside Whonix-Workstation.
User -> Tor -> JonDonym -> Internet

In case you want to do that, it is recommended to read the following two related wiki articles:

You can tunnel JonDonym over Tor. This could be useful to circumvent Tor bans. But note Tor Plus VPN or Proxy (it adds a permanent exit relay, as explained in that article). Not many changes are required. Either download and install it as usual: you need 'JonDo – the IP changer', either the GUI or the console version.

Or you could try to install it from their GNU/Linux repository. They have their own documentation page about the JonDo repository. Whonix is based on Debian Wheezy. The only difference when using their repository instructions is that your distribution is wheezy and not maverick.

For better security, it is recommended to download their signing key over https with your browser, i.e. where it says "The repository is signed with the OpenPGP key 0xF1305880", right click on 0xF1305880 and choose "save as". Save it in your home folder and run "gpg --import 0xF1305880". Downloading the key from a keyserver with apt-key would be less secure.[7]
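Footnote 7 makes the point that a short key id is not enough to identify a key. The following script is an added example and not code from the Whonix page or from JonDo: it reads the colon-format listing that gpg prints for a key file, pulls out the "fpr" record and accepts the key only if its full 40-hex-digit fingerprint equals a value you obtained out of band. The two fingerprints embedded in it are constructed placeholders, not JonDo's real key; the second belongs to a different (made-up) key that ends in the same short id 0xF1305880, which is why a short-id match alone proves nothing.

```shell
#!/bin/bash
# Added example, not from the Whonix page or JonDo: verify a downloaded
# repository signing key by its FULL fingerprint before importing it.

# Print the fingerprint(s) found in `gpg --with-colons` output read on stdin.
# In colon format the fingerprint is field 10 of an "fpr" record.
fingerprints_from_colons() {
  awk -F: '$1 == "fpr" { print toupper($10) }'
}

# Return 0 only if stdin describes exactly one key whose fingerprint equals $1
# (spaces and letter case ignored); otherwise report why and return 1.
verify_fingerprint() {
  local expected fprs count
  expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  fprs=$(fingerprints_from_colons)
  count=$(printf '%s\n' "$fprs" | grep -c . || true)
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one key in the file, found $count" >&2
    return 1
  fi
  if [ "$fprs" != "$expected" ]; then
    echo "fingerprint mismatch: got $fprs, expected $expected" >&2
    return 1
  fi
  return 0
}

# The short key id as shown on the JonDo page: only the last 8 hex digits.
short_id_of() {
  printf '0x%s\n' "$(printf '%s' "$1" | tail -c 8)"
}

# Constructed sample of `gpg --with-colons --import-options show-only --import KEYFILE`
# output. Both fingerprints are placeholders, NOT JonDo's real key. The second key
# is a different key whose fingerprint nevertheless ends in the same short id.
good_key='pub:-:4096:1:DDDD4444F1305880:1300000000:::-:::scESC::::::23::0:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444F1305880:
uid:-::::1300000000::0000000000000000000000000000000000000000::Example Repository Key (placeholder)::::::::::0:'
lookalike_key='pub:-:4096:1:4444DEADF1305880:1300000000:::-:::scESC::::::23::0:
fpr:::::::::0000999988887777666655554444DEADF1305880:
uid:-::::1300000000::0000000000000000000000000000000000000000::Lookalike Key (placeholder)::::::::::0:'

# Placeholder: put here the full fingerprint you verified out of band.
EXPECTED_FPR=AAAA1111BBBB2222CCCC3333DDDD4444F1305880

# Real use, after saving the key file as described above:
#   gpg --with-colons --import-options show-only --import 0xF1305880 | verify_fingerprint "$EXPECTED_FPR" \
#     && gpg --import 0xF1305880
if printf '%s\n' "$good_key" | verify_fingerprint "$EXPECTED_FPR"; then
  echo "fingerprint verified; short id $(short_id_of "$EXPECTED_FPR")"
fi
if ! printf '%s\n' "$lookalike_key" | verify_fingerprint "$EXPECTED_FPR"; then
  echo "lookalike rejected even though its short id is $(short_id_of "$(printf '%s\n' "$lookalike_key" | fingerprints_from_colons)")"
fi
```

Compare against the fingerprint, not against the key id shown in a browser or on a keyserver page: the check above is only as strong as the channel over which you learned the expected value.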

Free vs Premium Accounts

Free accounts can connect only to ports 80 and 443 and provide only an https proxy interface, no socks.[8] Premium accounts can connect to any port and support socks. Full comparison: https://anonymous-proxy-servers.net/en/premium.html

JonDo Https Proxy Test

This also works with JonDo free accounts.

UWT_DEV_PASSTHROUGH=1 curl --tlsv1.2 --proto =https --proxytunnel --proxy https://check.torproject.org

JonDo Socks Proxy Test

This requires JonDo premium, a paid account.

Try this test command.

UWT_DEV_PASSTHROUGH=1 curl --tlsv1.2 --proto =https --socks5-hostname socks5h:// https://check.torproject.org

If you see the following, it indicates that the local JonDo has not opened a listener. Probably you have not started JonDo yet, or you have configured it to use a non-default port.

curl: (7) couldn't connect to host

If you see the following, you are likely only using a free account, so socks is not available to you.

curl: (7) Unable to receive initial SOCKS5 response.

JonDoFox vs Tor Browser

You must make an informed decision whether you prefer to use JonDoFox or the Tor Browser.

A quick thought tells me that blending in with JonDo users, i.e. using JonDoFox in this case, would make more sense - could be wrong. No special settings would be required in this case.

If you want to use the Tor Browser for surfing (user -> Tor -> JonDonym -> destination server), you have to change the proxy settings in Tor Button: start Tor Browser, open the Tor Button settings, choose custom proxy settings, set the http port to 4001 and leave all other fields, except "No Proxy for", empty. You can check http://ip-check.info/ to see if it is working.


If you are interested in a development discussion about JonDo(Fox) getting pre-installed on Whonix, see Dev/JonDo.

Connecting to JonDonym before Tor

Testers only!

It is possible to configure Tor to use JonDo as proxy to establish the following tunnel:
User -> JonDonym -> Tor -> Internet

If you want to do this, apply the following instructions.

Qubes-Whonix only! Non-Qubes-Whonix is unsupported.

No JonDo premium account required. Works with JonDo free.

In case you want to do that, it is recommended to read the following related wiki article: Tunnels/Introduction

For current limitations, see also blog post / forum discussion:

Create a new standalone ProxyVM called JonDo-Gateway.

Install JonDo in your new JonDo-Gateway ProxyVM. To do that, follow JonDo's instructions for installing from JonDo's Debian APT repository:
https://anonymous-proxy-servers.net/en/help/firststeps2.html
The installation method described in the chapter "Using the repository at command line" is recommended.

After you installed JonDo in your JonDo-Gateway ProxyVM, test if JonDo's https proxy is functional.

curl --tlsv1.2 --proto =https --proxytunnel --proxy https://check.torproject.org


You need to enable the extended view.

Config -> user interface -> extended view.

You must make JonDo listen on all interfaces so it will be reachable from sys-whonix. Under network, uncheck:
[ ] Allow access to JAP/JonDo from localhost only (recommended)

In the JonDo-Gateway ProxyVM, the iptables rules must be unloaded.

If using Qubes, disable qubes-iptables and qubes-firewall systemd services. Non-Qubes users can skip this.

sudo systemctl mask qubes-iptables
sudo systemctl stop qubes-iptables
sudo systemctl mask qubes-firewall
sudo systemctl stop qubes-firewall

Open ~/fw-unload in an editor.

If you are using a graphical environment, run.

kwrite ~/fw-unload

If you are using a terminal (Konsole), run.

nano ~/fw-unload



#!/bin/bash
## Copyright (C) 2012 - 2015 Patrick Schleizer <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

## A failing command anywhere in a pipeline makes the pipeline fail.
set -o pipefail

## Called by the ERR trap below on the first failing command, so the script
## never silently continues with the firewall only half unloaded.
error_handler() {
  echo "ERROR!" >&2
  exit 1
}

trap "error_handler" ERR

## The binaries can be overridden via the environment.
[ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait"
[ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait"

## Set the default policy of every built-in chain to ACCEPT ...
$iptables_cmd -P INPUT ACCEPT
$iptables_cmd -P FORWARD ACCEPT
$iptables_cmd -P OUTPUT ACCEPT

## ... then flush all rules (-F) and delete all user-defined chains (-X)
## in every table.
$iptables_cmd -F
$iptables_cmd -X
$iptables_cmd -t nat -F
$iptables_cmd -t nat -X
$iptables_cmd -t mangle -F
$iptables_cmd -t mangle -X
$iptables_cmd -t raw -F
$iptables_cmd -t raw -X

## Same for IPv6.
$ip6tables_cmd -P INPUT ACCEPT
$ip6tables_cmd -P OUTPUT ACCEPT
$ip6tables_cmd -P FORWARD ACCEPT

$ip6tables_cmd -F
$ip6tables_cmd -X
$ip6tables_cmd -t mangle -F
$ip6tables_cmd -t mangle -X
$ip6tables_cmd -t raw -F
$ip6tables_cmd -t raw -X

exit 0


Make ~/fw-unload executable.

chmod +x ~/fw-unload

Unload all iptables firewall rules.

sudo ~/fw-unload

After firewall unload, run the following command to see if all firewall rules are really unloaded.

sudo iptables-save | sed -e 's/\[[0-9:]*\]/[0,0]/' -e '/^#/d'

The output should show only ACCEPT policies and no rules, since the script above sets every built-in chain to ACCEPT and flushes every table.
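To check that mechanically rather than by eye, the following script is an added example and not part of the Whonix page or its fw-unload tool: it reads an iptables-save dump on stdin and fails unless every built-in chain has policy ACCEPT, no user-defined chain remains and no -A/-I rule is left, reporting each leftover it finds. The two dumps embedded in it are constructed samples, not output captured from a real VM, and the chain name EXAMPLE-CHAIN is a placeholder.

```shell
#!/bin/bash
# Added example, not from the Whonix page: verify that an iptables-save dump
# really shows an unloaded firewall.

# Read an iptables-save dump on stdin. Return 0 if no rules remain and every
# built-in chain's policy is ACCEPT; otherwise print each finding and return 1.
# Packet/byte counters (whether "[0:0]" or the page's normalized "[0,0]") are ignored.
check_unloaded() {
  local rc=0 line rest chain policy
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*|'*'*|COMMIT) ;;                 # blank, comment, table header, COMMIT
      :*)                                    # ":CHAIN POLICY [packets:bytes]"
        rest=${line#:}
        chain=${rest%% *}
        rest=${rest#* }
        policy=${rest%% *}
        if [ "$policy" = "-" ]; then         # user-defined chains have no policy
          echo "user-defined chain still exists: $chain"; rc=1
        elif [ "$policy" != "ACCEPT" ]; then
          echo "chain $chain still has policy $policy"; rc=1
        fi ;;
      '-A '*|'-I '*) echo "rule still loaded: $line"; rc=1 ;;
      *) echo "unrecognized line: $line"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed sample dumps (not captured from a real system).
dump_clean='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

dump_dirty='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [12:3456]
:EXAMPLE-CHAIN - [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -j EXAMPLE-CHAIN
COMMIT'

# Real use, run after sudo ~/fw-unload:
#   sudo iptables-save | check_unloaded && sudo ip6tables-save | check_unloaded
printf '%s\n' "$dump_clean" | check_unloaded && echo "clean dump: firewall unloaded"
printf '%s\n' "$dump_dirty" | check_unloaded || echo "dirty dump: firewall still active"
```

Run it for both iptables-save and ip6tables-save, since fw-unload flushes both and a leftover IPv6 rule is just as much of a problem for reaching JonDo from sys-whonix.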


IP Forwarding in the JonDo-Gateway ProxyVM could/should be disabled since it is not required. TODO: document how

Shut down sys-whonix. Set sys-whonix NetVM to JonDo-Gateway. Restart sys-whonix.

In sys-whonix, open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps.

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps.

sudo nano /etc/tor/torrc

Add the following. is just an example. You need to replace with the IP of your JonDo-Gateway ProxyVM. To find out the IP of your JonDo-Gateway ProxyVM, you could run the following command within sys-whonix.

qubesdb-read /qubes-gateway



Reload Tor.

After editing /etc/tor/torrc, Tor must be reloaded for the changes to take effect.

Note: If Tor does not connect after completing all these steps, then a user mistake is the most likely explanation. Recheck /etc/tor/torrc and repeat the steps outlined in the sections above. If Tor then connects successfully, all the necessary changes have been made.

For Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named 'sys-whonix') -> Reload Tor

For graphical Whonix-Gateway, complete the following steps.

Start Menu -> Applications -> Settings -> Reload Tor

For terminal-only Whonix-Gateway, complete the following steps.

Reload Tor.

sudo service tor@default reload

Check Tor's daemon status.

sudo service tor@default status

It should include a message saying.

Active: active (running) since ...

In case of issues, try the following debugging steps.

Check Tor's config.

sudo -u debian-tor tor --verify-config

The output should be similar to the following.

Sep 17 17:40:41.416 [notice] Read configuration file "/etc/tor/torrc".
Configuration was valid

In sys-whonix, test if Tor is able to use the https proxy that JonDo is providing.

UWT_DEV_PASSTHROUGH=1 curl --tlsv1.2 --proto =https --socks5-hostname socks5h:// https://check.torproject.org

Done. Tor will use JonDo as proxy.

JonDonym as Tor replacement (JonDoBOX)

Was just a development idea with some progress. Moved to Dev/Inspiration.

Footnotes / References

  1. https://search.edwardsnowden.com/docs/InternetAnonymity20112014-12-28nsadocs
  2. https://anonymous-proxy-servers.net
  3. https://anonymous-proxy-servers.net/en/help/certificates.html
  4. https://anonymous-proxy-servers.net/en/law_enforcement.html
  5. https://anonymous-proxy-servers.net/en/help/jondonym.html
  6. https://anonymous-proxy-servers.net/en/help/services_tor.html
  7. Less secure using the short key fingerprint as in JonDo documentation. Using the long key fingerprint should be equally secure.
  8. https://anonymous-proxy-servers.net/en/help/otherApplications.html
  9. Socks proxy test - premium only.
    curl --tlsv1.2 --proto =https --socks5-hostname socks5h:// https://check.torproject.org


Gratitude is expressed to JonDos for permission to use material from their website.[1] The "Whonix JonDonym" wiki page contains content from the JonDonym documentation Network page.

  1. Broken link: https://anonymous-proxy-servers.net/forum/viewtopic.php?p=31220#p31220