Security Reviews and Feedback
This is a list of notable reviews and feedback about the security of Whonix ™.
- https://corelight.blog/2019/07/18/profiling-whonix/ [archive]
- Not an audit of Whonix ™ but an audit of software which is based on Whonix ™: ”SecureDrop [archive] Journalist Workstation environment for submission handling [archive] is based on Qubes-Whonix.”, Third party audit of integrated SecureDrop Workstation completed [archive]
- cursory check of TorBOX by creator of JanusVM [archive] (TorBOX was later renamed to Whonix ™.)
- Quote [archive] rustybird, author of corridor, a Tor traffic whitelisting gateway [archive]
Happy to report no leaks observed, ever.
- [tor-talk] Operating system updates / software installation behind Tor Transparent Proxy"
- [tor-talk] Obtain real IP behind Tor transparent proxy; was: Operating system updates / software installation behind Tor Transparent Proxy
- [tor-talk] Risk with transparent proxy mode [was Re:Operating system updates / software installation behind Tor Transparent Proxy] - Summary: coderman (developer of TorVM / JanusVM) had some concerns, which could be cleared. "Looks fine from a cursory check."
- Older places of people talking about Whonix ™
- A section to collect everyone discussing Whonix ™ anywhere. It is nice to see what people think and say about Whonix ™. If they don't give feedback directly, we still have a secondary feedback source. Most links are found through googeling "TorBOX" or "https://trac.torproject.org/projects/tor/wiki/doc/TorBOX [archive]".
- Dev/ArchivedDiscussion/QUESTIONS [archive]
- Whonix ™ on wilderssecurity.com [archive]; few threads
- ra's blog [archive]; Search for "TorBOX that they have".; Negative feedback.
- LulzSec / AntiSecOp: Want to be a ghost on the internet? [archive] or google for 'Want to be a ghost on the internet?'; Whonix ™ (TorBOX) is a part of their instructions.
- seclist.us: Whonix ™ V-0.1.3 - Multi-VM anonymity setup using Tor's Transparent Proxy [archive]
- reddit [archive] (This only applied to 0.1.3, was announced, workaround provided and fixed since 0.2.0)
- October 2012 - Whonix ™ 0.4.5 release announcement
- October 2012 - Discussions:
- Wilders Security Forum: Anonymous operating system Whonix ™ [archive] - Summary: only questions, no concern.
- Are hardware serial numbers hidden in TAILS? [archive]
- Qubes OS Mailing List: qubes vs whonix virtualization solution [archive] - Summary: Qubes OS would be safer than VirtualBox. True. Other than that, no complaints.
- Qubes OS Mailing List: Whonix: VirtualBox vs Qubes OS [archive] Summary: agreed, that Qubes OS would be safer than VirtualBox.
- OLD Whonix ™ User Help Forum [archive]
None, but that doesn't mean anything. There is no audit of Tails, Liberté Linux, etc. either. At the time of writing there were no public published audits for Debian, Ubuntu, Qubes OS, etc. either.
We are not aware of any serious research about any of such distributions in anonbib [archive]. No expert such as Bruce Schneier [archive] for cryptography exists for security-focused operating system review.
Audit is a word. But what does audit actually mean? Every audit that is being made has a previously defined, limited scope. There are no all-encompassing audits.
More food for thought on audits. As an example, has GNU wget been audited? What is an audit? Is it an professional company, providing software security audits as a service? Some kind of certification? There is no such entity in the Freedom Software Open Source ecosystem at time of writing. There are no quality seals for Linux distributions.
If you know examples, please get in contact or edit this section. Would it be reasonable to expect a reputable organization or individual making statements such as "GNU wget has been audited and no security vulnerabilities were found"? It usually happens the other way around. When someone reviews the source code and finds nothing wrong, nothing will be reported. On the other hand, if a vulnerability has been found, that's worth some fame. However, anyone who claimed beforehand to have found no security issues wouldn't get better reputation. On the contrary, look bad for previously making statements about not having found security issues.
If you make an audit, please edit this section or get in contact so it will be linked here.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation. Policy of Whonix Website and Whonix Chat applies.
Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)