Dev/Operating System

Introduction

This chapter applies to the host(s), Whonix-Gateway ™ and Whonix-Workstation ™.

Whonix ™ Example Implementation is currently based on Debian. There were development discussions about switching to BSD, Alpine Linux or other secure operating systems.

Whonix ™ can't protect against malicious code inserted into upstream operating system infrastructure. Debian ensures some chain of trust as it requires contributors to sign commits.

Why not Use a Live CD/DVD as the Whonix-Workstation ™ Operating System?

This option was previously discussed in depth and it was decided that Live CD/DVDs are not suitable for Whonix-Workstation ™.

Advantages:

  • Often actively maintained.
  • Stabilized.
  • Hardened GNU/Linux distribution.
  • Advanced features.

Disadvantages:

  • No timely security updates.
  • Limited persistence.
  • Inflexible design.

Another serious disadvantage of Live CD/DVDs in the context of an anonymity-oriented OS is that they often have their own method of Tor enforcement included. In Whonix ™, this would result in a Tor over Tor scenario.

Why don't you use <your favorite most secure operating system> for Whonix ™?

Generally

Why do you use Debian, and not...

The operating system must meet the following requirements:

  • It must have acceptable usability.
  • It must be somewhat popular, because only popularity leads to sufficient public scrutiny and enough available documentation.
  • Redistribution of Whonix ™ must not raise legal/trademark issues such as those with Ubuntu; see the Ubuntu Legal Issues chapter below for details.
  • It must have a secure operating system updater (package manager), i.e. it must not fall through the TUF Threat Model. Not having a secure updater is very dangerous.
  • It should not be source-based: source-based distributions take a long time to upgrade and install packages, which users complain about. The same or even better security characteristics can be reached with deterministic (reproducible) builds.

Debian is a good compromise of security and usability.

Note that not every operating system listed in this chapter falls through the Whonix ™ threat model.

Ubuntu

Ubuntu Introduction

Ubuntu is not used as the Whonix-Gateway ™/Workstation operating system for legal reasons (see below). It has also recently been perceived negatively due to privacy issues[1], so using it as the host operating system is recommended against as well.

Whonix ™ 0.4.4 and above are based on Debian. Previously, Whonix ™ was based on Ubuntu. From a technical perspective, Ubuntu was a good choice; see About Ubuntu if you are interested. The switch was due to Ubuntu trademark issues, see below.

Ubuntu Legal Issues

The Ubuntu trademark and Ubuntu terms generally are complicated. Since Whonix ™ changes go beyond a remix (as defined by Ubuntu Licensing), Whonix ™ would either have to ask for a license, which they reserve the right to revoke (such a legally insecure state is not acceptable), or have to rebrand Ubuntu. Rebranding would be possible in theory, but in practice it would require a lot of work to remove all Ubuntu strings. Even new apt mirrors would be required, which is far beyond the manpower of the Whonix ™ project.

References:

Debian is much more Libre without any legal issues. According to Debian project leader Stefano Zacchiroli (in private mail), there are no trademark issues as long as the derivative does not claim to be Debian. This is also clarified in Debian trademark policy which is easy to comply with.

Derivatives of Debian are even encouraged to use Debian infrastructure, see Derivatives/Guidelines. Debian even supports derivatives. There is a lot of documentation, see Derivatives, and even a debian-derivatives mailing list.

Mac OS X

Mac OS X cannot be used for legal reasons. Even if that were not a problem, it is still a proprietary, closed source operating system. We don't like their attitude and how they (do not) communicate with the security community. Also see: Apple Took 3+ Years to Fix FinFisher Trojan Hole.

Fedora

Fedora has not yet fallen through the Whonix ™ threat model and could be considered as a host and as a future or alternative Whonix-Gateway ™/Workstation operating system. Qubes OS, an operating system focusing on security by isolation, is also based on Fedora. Consideration has started and help is welcome; see Dev/Fedora.

Qubes

Implemented as Qubes-Whonix ™.

Gentoo / Hardened Gentoo

Gentoo has an insecure package manager. Back then, bug reports were closed without much regard.

In this regard, Hardened Gentoo does not differ from Gentoo.

Due to the way these bug reports were handled, Gentoo was removed from the candidates of secure base operating systems.

Why not use a minimal Linux distribution? See Why are the Whonix ™ images so big? There might be more secure operating systems, such as Hardened Gentoo, but in Patrick's opinion mortal users are unlikely to learn how to use them. More paranoid users (and others) are welcome to use them, for example as the host operating system, and leave feedback. Patches/ports welcome! [2]

Alpine Linux

At first sight, Alpine Linux appears to have interesting security features, but it does not package Tor yet. Other than that, we didn't look thoroughly into it.

At first sight it looks like Alpine's package manager suffers from the same issues as Gentoo's (being vulnerable to indefinite freeze and downgrade attacks). TODO: research.

The question to ask is "Does the package manager pass the TUF Threat Model?"

The Update Framework (TUF) - Attacks and Weaknesses:

(Made by similar people who created this research:
http://www.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html
which, as far as I understand, resulted in greatly improved package manager security in many distributions.)

One can ask the TUF people, who are in my experience very friendly and helpful, for their opinion on their mailing list:
https://groups.google.com/forum/#!forum/theupdateframework

Arch Linux

TODO: Check its package manager security. (See above.)

SubgraphOS

There are several reasons why Whonix ™ has decided not to use the Subgraph project platform.

Table: Whonix ™ Rationale

Domain | Reasoning
Development
  • Future Roadmap: Basing Whonix ™ on Subgraph would tie our future to the viability of another project. It is not ideal to rely on an OS in alpha status, particularly when the Debian alternative is rock solid and has decades of development behind it.
  • Features: Subgraph has some undesirable feature additions that add no value. Whonix ™ cannot benefit from Subgraph's manpower if the goals for the development roadmap are fundamentally different.
  • Bugs: The plentiful Subgraph bugs would become Whonix ™ bugs and developers would depend on them for fixes.
  • Programming Language: Subgraph chose different programming languages (like Golang) that are unfamiliar to lead Whonix ™ developers, making customization or modification very difficult.
  • Desktop Environment: Whonix ™ Developer HulaHoop has noted that Subgraph features completely rely on the GNOME desktop environment. This is undesirable because it is visually unappealing, has an over-simplified interface and would require any "cloud integration" elements to be removed. Configuring GNOME to approach the specifications already achieved in Whonix ™ would require a lot of effort. [3]
Source Code / Software
  • Code Availability: No full source code release to date (mid-2019). [4] [5]
  • Packaging: The publicly available software exists in a form that is not easily packaged. This would pose a significant maintenance burden for the Whonix ™ team.
  • Constraints: Arbitrary limitations are in place, such as repository choices. This can of course be changed, but it is an example of wasted effort in patching the base OS to adapt to our vision.
  • Meta-packages: There is no Subgraph meta package that can be installed using "sudo apt-get install subgraph-os" / "debootstrap Subgraph OS" in order to convert vanilla Debian into Subgraph OS. [6]
Collaboration | To date, there has been no cooperation from the Subgraph project developers to correct any of the issues outlined in this section.

OpenBSD

This FAQ entry addresses the suggestion that Whonix ™ should be based on OpenBSD rather than Debian. The opinion provided below is based on the perspective of Whonix ™ developers. [7]

The OpenBSD FAQ states:

OpenBSD is thought of by many security professionals as the most secure UNIX-like operating system, as the result of a never-ending comprehensive source code security audit.

The landing page for OpenBSD also notes: [8]

Only two remote holes in the default install, in a heck of a long time!

To OpenBSD's credit, they have a solid reputation for taking security seriously. For example, the development team has adopted these principles: [9]

  • A strong focus on cryptographic approaches towards fixing security problems.
  • Full disclosure of security bugs and speedy fixes.
  • An auditing team of 6-12 members (including ex-corporate security researchers) continuously searches for and fixes security holes; a process underway since 1996. [10]
  • Development of new technologies, such as additional memory protections.
  • Shipping the OS in a "Secure by Default" mode with all non-essential services disabled.
  • Contributing to research -- a number of security papers have been written by OpenBSD team members.

Despite these strengths, the primary downside to adopting OpenBSD relates to the estimated size of the user base:

  • bsdstats.org suggests OpenBSD has few users. While bsdstats is not representative of the total population of OpenBSD users due to the opt-in data collection program, 9 systems at the time of writing is a very small figure. By comparison, TrueOS has over 15,000 users in 2019.
  • Although unscientific, DistroWatch also shows OpenBSD attracts far less interest than popular Linux distributions.
  • OpenBSD is estimated to have less than 10 percent of total BSD market share. [11]
  • The estimated BSD market share across all categories (desktops, servers etc.) is tiny.

One valid concern is that if a critical mass of users does not gravitate to OpenBSD, then naturally fewer human resources ("eyeballs") in the population will be searching for, identifying, and remedying security flaws. While the audit team is skilled, a relatively small number of people must inspect code across an entire operating system. As a result, this could potentially aid targeted attacks or other exploits. [12] [13]

In comparison, alternatives like Debian have a large user/contributor base, a similar focus on security, renowned stability, and a solid reputation in security-critical environments such as web servers. [14] It is also strongly contested that BSD variants have innovative security improvements that provide greater protection than modern platforms like Qubes OS; see Qubes Security.

FreeBSD

This FAQ entry addresses the suggestion that Whonix ™ should be based on FreeBSD rather than Debian. The opinion provided below is based on the perspective of Whonix ™ developers. [15]

It is difficult and time consuming to try and list all the disadvantages of using FreeBSD, such as highlighting non-existent security features. The onus is on FreeBSD proponents to manually search for relevant features (or lack thereof) and present an objective case for its adoption.

To avoid presenting information that will quickly become out-of-date or that may insult FreeBSD adherents, it is better to avoid definitive security statements and instead ask appropriate questions which might affect the usability, security, anonymity and wide-scale adoption of Whonix ™. For instance:

  • Does FreeBSD have a secure-by-default update mechanism?
  • By default, will every (new) user download come from an existing signed repository?
    • If not, what special settings are required?
    • Are users expected to run their own repository?
  • Does FreeBSD defend against outdated metadata; for example, can a man-in-the-middle use a roll back or freeze attack against the repository?
  • Does FreeBSD defend against various attacks on package managers?
  • Does FreeBSD defend against attacks on the software update process by using the TUF threat model?

Research which might provide a strong case for FreeBSD does not exclude the possibility of weaknesses or missing security features. The best way to determine the strength of the platform and its relative resilience is to directly ask the developers of that project. Honest replies can reasonably be expected from vibrant, open source communities. The only problem is that the Linux/BSD ecosystems have hundreds of distributions and it is a daunting prospect to rank their merits in this way.

Ultimately, the burden of proof falls on FreeBSD advocates (and not Whonix ™ developers) to prove that it is the most secure distribution available. Properly researched contributions that answer the questions above would be a good start, along with possibly approaching FreeBSD developers directly. Alternatively, research into why various aforementioned protections are not necessary to improve security would also be welcomed. Until claims about FreeBSD are substantiated, one should not take offense that it has not already been adopted.
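
The freeze and downgrade (rollback) attacks named in the Alpine Linux section and in the FreeBSD questions above come down to whether the client checks the freshness of repository metadata after verifying its signature. The following is an added example, not code from Whonix ™, Debian or TUF: `Date` and `Valid-Until` are real field names of Debian Release files, while the sample files, the `state` dictionary and all function names are constructed for illustration, and signature verification is assumed to have happened already.

```python
"""Added example: freshness checks on repository metadata (freeze / rollback)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_release(text):
    """Return the top-level fields of a Debian-style Release file as a dict."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():      # skip blanks and indented hash lists
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _timestamp(value):
    """Parse an RFC 2822 style date into a timezone-aware datetime."""
    parsed = parsedate_to_datetime(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def accept_metadata(state, release_text, now):
    """Decide whether signature-verified metadata may replace the cached copy.

    state is a dict the client persists between updates (hypothetical); its
    "date" key holds the Date of the newest metadata accepted so far.
    Returns "ok", "rollback", "expired", "no-expiry" or "malformed".
    """
    fields = parse_release(release_text)
    try:
        issued = _timestamp(fields["Date"])
        expires = _timestamp(fields["Valid-Until"]) if "Valid-Until" in fields else None
    except (KeyError, TypeError, ValueError):
        return "malformed"
    if "date" in state and issued < state["date"]:
        return "rollback"      # older than what this client already trusted
    if expires is None:
        return "no-expiry"     # a frozen mirror could never be detected
    if now > expires:
        return "expired"       # freeze attack or a stale mirror
    state["date"] = issued     # remember only metadata that passed every check
    return "ok"


def make_release(date, valid_until=None):
    """Build a constructed Release file; the hash line is a placeholder."""
    lines = ["Origin: Example", "Suite: stable", "Date: " + date]
    if valid_until:
        lines.append("Valid-Until: " + valid_until)
    lines += ["SHA256:", " <placeholder-hash> 1234 main/binary-amd64/Packages"]
    return "\n".join(lines) + "\n"


# Constructed sample metadata, one week apart.
OLD = make_release("Sat, 31 Aug 2019 09:00:00 UTC", "Sat, 07 Sep 2019 09:00:00 UTC")
NEW = make_release("Sat, 07 Sep 2019 09:00:00 UTC", "Sat, 14 Sep 2019 09:00:00 UTC")
UNBOUNDED = make_release("Sat, 07 Sep 2019 09:00:00 UTC")


def demo():
    """Run the five cases a client has to distinguish and return the verdicts."""
    utc = timezone.utc
    client = {}
    return [
        accept_metadata(client, NEW, datetime(2019, 9, 8, tzinfo=utc)),    # normal update
        accept_metadata(client, OLD, datetime(2019, 9, 8, tzinfo=utc)),    # older file replayed
        accept_metadata(client, NEW, datetime(2019, 9, 20, tzinfo=utc)),   # same file served forever
        accept_metadata({}, OLD, datetime(2019, 9, 5, tzinfo=utc)),        # new client, no history
        accept_metadata({}, UNBOUNDED, datetime(2021, 1, 1, tzinfo=utc)),  # metadata never expires
    ]


if __name__ == "__main__":
    print(demo())
```

The fourth case shows why both checks are needed: a client without history cannot detect a rollback, so the expiry date is the only bound on how old the served metadata can be.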

OpenWRT

OpenWRT is not used for the same reasons outlined above. Further, as of early 2018, OpenWRT does not have signed packages.

Tails

How is Whonix ™ Different from Tails?

See Comparison with Others.

Why not Merge with Tails and Collaborate?

The following is a subjective opinion by lead Whonix ™ developer Patrick Schleizer. [16] Feedback, corrections and suggested improvements are welcome.

Tails is a respected project with similar goals to Whonix ™ - improved anonymity, privacy and security. Tails has existed for many years and has multiple developers, significant experience and a complete working infrastructure. Whonix ™ and Tails developers already cooperate to some degree and discuss things of mutual interest to both projects on various developers mailing lists like whonix-devel, tails-devel and secure-os.

Whonix ™ and Tails Collaboration

Several parts of Whonix ™ are based on Tails. For example, the development of sdwdate in Whonix ™ was reliant upon Tails' invention of tails_htp. Whonix ™ also profits from Tails' previous efforts to upstream packaging and other changes in Debian, current and historical discussions in various forums, Tails research, design documents, experience, feedback and so on.

Other examples of Tails and Whonix ™ cooperation include:

  • onion-grater - a whitelisting filter for dangerous Tor control protocol commands - was developed by Tails developer anonym with Whonix ™ in mind. Whonix ™ then forked the Python code to add a few necessary improvements. [17]
  • Tails has expressed interest in using Anon Connection Wizard in the future.

Why Whonix ™ is a Separate Project

Even though Tails is highly valued by Whonix ™ developers, it may not be clear to the reader why Whonix ™ remains a separate project and not just a contributor to Tails. There are several reasons for this decision: Whonix ™ cannot be merged into Tails by the Whonix ™ team on technical, skill and political grounds; implementing features or changes in Tails is an unfamiliar process; and it is unknown when/if Whonix ™ priorities will be implemented in Tails -- but it is known how to solve these in a separate project (at least with appropriate user documentation).

Further examples are outlined in the table below. Note that some of these items are partially or nearly solved in Tails, but they have been kept to justify the prior decision not to merge projects.

Table: Whonix ™ and Tails Design and Functionality Comparison

Tails Issue Tracker (TODO) | Whonix ™ Design / Instructions
Remember installed packages | By design, everything persists [18]
Applications Audit | By design, protocol leaks cannot lead to deanonymization
Two-layered, virtualized system | By design, this is achieved by either software compartmentalization (VMs) or Physical Isolation
VPN support | VPN / Tunnel support
JonDo over Tor | JonDonym
Freenet over Tor | Freenet
obfsproxy [19] | Bridges
Can I hide the fact that I am using Tails? | Hide Tor and Whonix ™ from your ISP
I2P over Tor [20] | I2P
Transparent Proxy as a fallback mechanism | By design, everything not configured to use a SocksPort will automatically use Tor's TransPort
Use Tor Browser | Tor Browser
Stream Isolation [21] | Stream Isolation
Evaluate web fingerprint [22] | Same as Tor Browser
Unsafe browser fingerprint | Logging in to captive portals
Location Hidden/IP Hidden Servers | Location/IP Hidden Servers
VoIP | VoIP
... | ...

Political and Design Considerations

There are also significant differences in political and design decisions which prohibit a merger:

  • As a code contributor to Tails, Patrick Schleizer would need to accept decisions made via internal Tails decision-making processes. Whonix ™ would lose the autonomy to simply modify anything in line with personal preferences or favored solutions. [23] At the time Whonix ™ was created, Schleizer did not favor a Live DVD/USB approach and personally found improving Tails to be far more difficult than starting a fresh project.
  • Source Code Merge Policy:
    • Whonix: A comprehensive merge policy has not yet been developed. This would be ideal, but it is not compulsory to formulate such a design or associated documentation.
    • Tails: In Schleizer's opinion, the Tails merge policy is too strict. This is not a complaint or critique. No doubt there are good reasons for that decision and it should be noted that Tails is still a popular and effective solution for many users. Anyone who does not agree has the freedom to contribute to another project or to start a new project, leading Schleizer to make use of that freedom.
  • Another major design difference is Tails' reliance on a Live DVD/USB which inherits some restrictions and limitations. Tails must fit on a DVD/USB, while Whonix ™ does not have this requirement. Whonix ™ also has higher hardware requirements, but therefore more space to implement features. As a consequence, initially fewer people are able to use Whonix ™, but this situation will improve in the future as available hardware improves. The Whonix ™ design is fluid and new designs (both theoretical and practical) are being discovered over time. Depending on user feedback and general interest, eventually a Live DVD or Blu-ray might be created in Whonix ™.
  • Schleizer has found it easier to cooperate with the security by isolation focused operating system Qubes OS, which resulted in Qubes-Whonix ™.

Debian

General

Whonix ™ is based on Debian.

Reasons for being based on Debian:

  • stable distribution
  • exists for years
  • will likely still be around in 10 years
  • attempts to sow dissent failed [24]
  • massive architecture support [25]
  • secure package manager
  • checksec.sh --kernel reports good kernel protection: GCC stack protector support, enforce read-only kernel data, and restrict /dev/mem and /dev/kmem access are all enabled.
  • http://snapshot.debian.org, hosted and signed by a trusted third party (Debian) [26], allows implementation of robust build scripts [27] and Verifiable Builds
  • config-package-dev allows creation of robust configuration packages
  • grml-debootstrap is a tool that allows creation of bootable raw images
  • Debian is working on ReproducibleBuilds
  • huge knowledgeable community of Debian and their derivative users (stackexchange, debian forums, askubuntu and many more)
  • Debian Developers are very approachable at conferences
  • Tor has ties to Debian.
  • No legal/trademark issues.

Related statements from the FAQ reasoning why Debian is the base for Whonix ™ Example Implementation:

General explanation, why so many distributions are based on Debian:

Also interesting:

Related:

Why is Whonix ™ based on Debian Stable, not Debian Testing?

  • Sometimes severe bugs are introduced in Debian testing, such as the AppArmor bug, which prevented Tor from starting for everyone until a workaround was applied.
  • Sometimes bugs are introduced which break the Whonix ™ build script, such as this bug related to mount, which breaks grml-debootstrap and therefore the Whonix ™ build script, or this kpartx bug.
  • Often other disturbing bugs are introduced, such as the grub bug (not able to reproduce and report upstream yet), non-functional VirtualBox Guest Additions or issues with shared folders.
  • Sometimes packages get entirely removed from Debian testing; for example, enigmail wasn't available for a while in Debian testing. This is confusing and constantly creates support requests.
  • Too often, too many packages are upgraded (not just security fixes) (costs lots of time to keep up, bandwidth, system load).
  • obfs3 (obfsproxy 0.2.3) is available again in torproject's repository.
  • Quote, Debian Security FAQ:

If you want to have a secure (and stable) server you are strongly encouraged to stay with stable.

  • Debian stable receives security fixes faster than Debian testing. For example, by 12/15/2016 Debian jessie was Debian stable and Debian stretch was Debian testing. CVE-2016-1252 was fixed in Debian stable but not in Debian testing, see Debian security tracker by 12/15/2016.

Popularity Contest

The Debian popularity-contest (popcon) package does not get installed on Whonix ™. Its installation is prevented by the anon-banned-packages package.

popcon readme | popcon faq | popcon bugs | popularity contest mailing list | popularity contest mailing list: Drop atime and ctime for privacy reasons possible?

Some privacy considerations and reasons why it is not installed:

  • The connection would obviously need to go over its own Tor circuit (stream isolation). At the moment popcon tries to go through http and, if that fails (no internet connectivity), the report goes into the mail queue (sendmail). Sendmail probably works through TransPort, but we don't know if it can be torified for proper stream isolation.
  • (From the popcon readme) "Each popularity-contest host is identified by a random 128bit uuid (MY_HOSTID in /etc/popularity-contest.conf)." This would allow a quite good guess at the number of Whonix ™ users. We are not sure if sourceforge could already have insight into that (due to Whonix ™ News File downloads, see whonixcheck) or about any other negative implications.
  • MY_HOSTID would probably get created at Whonix ™ build time, so all Whonix ™ users would have the same MY_HOSTID, which would make it useless. A new MY_HOSTID would have to be created at first boot of Whonix ™.
  • Popcon runs on a random day. Good.
  • If the machine is powered on, it runs at 6:47, which is bad, because a local adversary (ISP or hotspot) could guess that popcon is running over Tor, which would likely indicate a Whonix ™ user.
  • If the machine is powered off at 6:47, it sends the report later, but only if anacron is installed. It shouldn't run instantly after powering on, also for fingerprinting reasons. The time would have to be truly randomized.
  • The transmission is not encrypted (see popularity-contest should encrypt contents) and there are no plans to encrypt it. Malicious Tor exit relays could modify the transmission, but this is only a minor issue. Such malicious Tor exit relays could send fake transmissions on their own.
  • It is questionable whether, and if so for how long, Debian will accept popularity contest transmissions from Tor exit relays. There is potential for electoral fraud.

For these reasons it is not a good idea to add popcon to Whonix ™. If you have suggestions or a different view, please get in contact.

Comparison of Hardening Compile Flags

Debian jessie:

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/bin/curl

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   /usr/bin/gpg

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/bin/gpg2

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   /bin/sed

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /bin/grep

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/bin/tor

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   /bin/bash

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   /usr/bin/gwenview

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
No RELRO        Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib/iceweasel/iceweasel

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   /usr/lib/icedove/icedove

Securix (a derivative of Hardened Gentoo):

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/bin/curl

Error: Not an ELF file: /usr/bin/gpg: symbolic link to gpg2

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/bin/gpg2

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /bin/sed

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /bin/grep

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/bin/tor

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /bin/bash

TODO
  /usr/bin/gwenview

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib64/firefox/firefox

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Full RELRO      Canary found      NX enabled    PIE enabled     No RPATH   No RUNPATH   /usr/lib64/thunderbird/thunderbird
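
The RELRO, NX and PIE columns above are all properties recorded in an ELF file's program headers and dynamic section. The following is an added example, not part of checksec.sh or of the original page, that derives the same labels for little-endian ELF64 images; the mapping from ELF fields to labels, the function names and the header-only sample images are this example's own assumptions and constructions, and the STACK CANARY column is left out because it needs a symbol table lookup.

```python
"""Added example: derive checksec-style RELRO / NX / PIE labels from ELF headers."""
import struct

# Constants from the ELF specification and its GNU extensions.
ET_DYN = 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_DEBUG, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 21, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, PF_X = 0x8, 0x1, 0x1


def elf_hardening(data):
    """Return RELRO / NX / PIE labels for a little-endian ELF64 image (bytes)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("Not an ELF file")
    if data[4:6] != b"\x02\x01":
        raise ValueError("this example only handles little-endian ELF64")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    relro_segment = nx = bind_now = has_debug = False
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro_segment = True        # relocation data remapped read-only
        elif p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)   # stack must not be executable
        elif p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_DEBUG:
                    has_debug = True
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True     # all symbols resolved at load time

    if not relro_segment:
        relro = "No RELRO"
    else:
        relro = "Full RELRO" if bind_now else "Partial RELRO"
    if e_type != ET_DYN:
        pie = "No PIE"
    else:
        # Assumption of this example: DT_DEBUG separates executables from shared objects.
        pie = "PIE enabled" if has_debug else "DSO"
    # A missing PT_GNU_STACK is treated as an executable stack (conservative choice).
    return {"RELRO": relro, "NX": "NX enabled" if nx else "NX disabled", "PIE": pie}


def build_sample_elf(e_type, stack_flags, relro, dyn_tags):
    """Constructed input: header-only ELF64 image, just enough for elf_hardening()."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in list(dyn_tags) + [(DT_NULL, 0)])
    segs = [(PT_GNU_STACK, stack_flags, 0, 0)]
    if relro:
        segs.append((PT_GNU_RELRO, 4, 0, 0))
    # The dynamic section is placed directly after the program header table.
    segs.append((PT_DYNAMIC, 6, 64 + 56 * (len(segs) + 1), len(dyn)))
    ehdr = b"\x7fELF\x02\x01\x01\x00" + bytes(8) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(segs), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, off, 0, 0, n, n, 8)
                     for t, f, off, n in segs)
    return ehdr + phdrs + dyn


# Constructed images shaped like three rows of the Debian jessie output above
# (/usr/bin/tor, /bin/bash, /usr/lib/iceweasel/iceweasel); not the real binaries.
SAMPLES = {
    "tor-like": build_sample_elf(3, 6, True, [(DT_FLAGS, DF_BIND_NOW), (DT_DEBUG, 0)]),
    "bash-like": build_sample_elf(2, 6, True, [(DT_DEBUG, 0)]),
    "iceweasel-like": build_sample_elf(3, 6, False, [(DT_DEBUG, 0)]),
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        print(name, elf_hardening(image))
```

To inspect a real binary, pass the bytes read from the file with `open(path, "rb")`; a script or other non-ELF file raises the same "Not an ELF file" error that appears in the Securix output.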

See Also

Footnotes

  1. Privacy in Ubuntu 12.10: Amazon Ads and Data Leaks
  2. Examples of usability issues.
    emerge firefox
    * There is NOT at least 4 GiB disk space at "/var/tmp/portage/www-client/firefox-31.5.0/temp"
    

    What to do? Increase tmpfs size as per http://wiki.gentoo.org/wiki/Portage_TMPDIR_on_tmpfs.

  3. Previously, the future availability of Wayland and Flatpak in KDE was listed as a Whonix ™ advantage, however XFCE is now the default desktop environment.
  4. https://github.com/subgraph/subgraph-os-issues/issues/153
  5. https://github.com/subgraph/subgraph-os-issues/issues/250
  6. Subgraph is a Debian derivative.
  7. Last updated in 2019.
  8. https://www.openbsd.org/
  9. https://www.openbsd.org/security.html
  10. This has resulted in the discovery of entire new classes of security problems.
  11. https://en.wikipedia.org/wiki/Comparison_of_BSD_operating_systems#Popularity
  12. One example previously cited is this years-old bug which remains unfixed: security vulnerability - NTP not authenticated. Possibly limited human resources have impacted this bug, which affects everyone using the distribution.
  13. This bug would also impact Whonix ™ -- the suggested solution was to authenticate the connection to the NTP server, but this would not be possible for several reasons:
    • The Whonix ™ design focuses on distributing trust and not using only one NTP server.
    • Further, Whonix ™ depends on free services which are available to anyone, ruling out a solution that requires a personal server.
    • Even if Whonix ™ used authenticated NTP, it has been pointed out that the clock could not be moved more than 600 seconds. This is better than nothing, but still inadequate for adversaries who are capable of moving the clock more than 600 seconds, harming anonymity/privacy in the process (see Dev/TimeSync for further details).
  14. In fact, Debian's popularity and large contributor base has resulted in its adoption in around one-third of all Linux web servers and led to an expansive software library of over 50,000 packages.
  15. Last updated in January 2018.
  16. Last updated in September 2018.
  17. https://github.com/Whonix/onion-grater
  18. This is actually a disadvantage for anonymity because it is the opposite of an amnesic system, which many users prefer.
  19. Bridges were not natively supported by Tails when Whonix ™ was founded.
  20. The I2P feature was removed in Tails 2.11 due to the developer effort required.
  21. Tails has basic stream isolation functionality compared to Whonix ™.
  22. See also: https://tails.boum.org/doc/about/fingerprint/ The bundling of uncommon extensions in Tor Browser like uBlock Origin increases the likelihood of fingerprinting Tails users specifically.
  23. One major advantage of free software is developers are free to disagree about a project's direction, leading to the creation of a fork.
  24. Debian is Free. Imagine how much money that must cost proprietary competitors, not all of whom necessarily play by the law.
  25. Not just i386, amd64 and perhaps arm. Should any platform become "evil", Debian as the universal operating system offers options and is most likely to port to new platforms.
  26. From the perspective of Whonix ™.
  27. Build script won't break due to upstream repository changes.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.
