Security Reviews and Feedback
- 1 Security Reviews and Feedback
- 1.1 Audits
- 1.2 Official expert review
- 1.3 Vulnerabilities
- 1.4 Official Whonix Online Profiles
- 1.5 First public discussions
- 1.6 Older TorBOX article
- 1.7 Older places of people talking about Whonix
- 1.8 October 2012 - Whonix 0.4.5 release announcement
- 1.9 October 2012 - Discussion
- 1.10 Press
- 1.11 Newer
Security Reviews and Feedback
If you want to get listed here or feel something is missing, please just hit the edit button or get in contact.
Official expert review
None, but that doesn't mean anything. There is nothing of that kind about Tails or Liberté Linux as well. Is there even something of that kind about Debian, Ubuntu or Qubes OS?
More food for thought on the audit, users are sometimes asking for. Has GNU wget been audited? What is an audit? Is it an professional company, providing software security audits as a service? Some kind of certification? In the Open Source world, adrelanos hasn't found such a thing. If you know examples, please get in contact or edit this section. Do you expect to come someone reputable come up, say something like "I carefully audited GNU wget and haven't found any security vulnerabilities"? It looks like it works quite the other way around. When someone audits the code and finds nothing wrong, nothing will be reported. On the other hand, if a vulnerability has been found, that's worth some fame. The one who claimed beforehand to have found nothing, however, wouldn't get better reputation.
If you make an audit, please edit this section or get in contact so it will be linked here.
Any vulnerabilities in Debian packages, which Whonix is based on, also affect(ed) Whonix.
- On 2012-04-02 on old TorBOX homepage in old TorBOX 0.1.3 a vulnerability was reported by (now) Whonix developer adrelanos. See Old News, 2012-04-02 in History. FIXED
- No other vulnerabilities have been ever reported by third parties.
Official Whonix Online Profiles
There are some Official Whonix Online Profiles.
First public discussions
There are a few older threads on the Tor Talk Mailing List about the security of Whonix / transparent proxy.
- [tor-talk] Operating system updates / software installation behind Tor Transparent Proxy"
- [tor-talk] Obtain real IP behind Tor transparent proxy; was: Operating system updates / software installation behind Tor Transparent Proxy
- [tor-talk] Risk with transparent proxy mode [was Re:Operating system updates / software installation behind Tor Transparent Proxy] - Summary: coderman (developer of TorVM / JanusVM) had some concerns, which could be cleared. "Looks fine from a cursory check."
Older TorBOX article
Older places of people talking about Whonix
A section to collect everyone discussing Whonix anywere. It's nice to see what people think and say about Whonix. If they don't give feedback directly, we still have a secondary feedback source. Most links are found through googeling "TorBOX" or "https://trac.torproject.org/projects/tor/wiki/doc/TorBOX".
Old questions on torproject.org:
- Whonix on theprivatebay.de; (adrelanos) Interesting but pointless imo. 6 seeders right now in total. People should not even trust us but they trust the packager of that torrent. We are not against sharing through torrent. It's all Free Software. As long we do not offer trusted and gpg signed builds, however I recommend against downloading through torrent.
- Whonix on wilderssecurity.com; few threads
- ra's blog; Search for "TorBOX that they have".; Negative feedback.
- LulzSec / AntiSecOp: Want to be a ghost on the internet? or google for 'Want to be a ghost on the internet?'; Whonix (TorBOX) is a part of their instructions.
- seclist.us: Whonix V-0.1.3 - Multi-VM anonymity setup using Tor's Transparent Proxy
- reddit (This only applied to 0.1.3, was announced, workaround provided and fixed since 0.2.0)
October 2012 - Whonix 0.4.5 release announcement
- on tor-talk Mailing List - Summary: no answers.
- on debian-derivatives Mailing list - Summary: Mentioned, that if VirtualBox gets exploited, it's game over. This is true and already mentioned in the attack matrix.
October 2012 - Discussion
- Wilders Security Forum: Anonymous operating system Whonix - Summary: only questions, no concern.
- Are hardware serial numbers hidden in TAILS?
- Qubes OS Mailing List: qubes vs whonix virtualization solution - Summary: Qubes OS would be safer than VirtualBox. True. Other than that, no complaints.
- Qubes OS Mailing List: Whonix: VirtualBox vs Qubes OS Summary: agreed, that Qubes OS would be safer than VirtualBox.
- OLD Whonix User Help Forum
- lwn.net: Whonix for anonymity
- techcrash.net: Whonix, OS anonymous
- signalnetworks.co.uk: Whonix- The all Tor anonymous platform
- The Register: Devs cook up 'leakproof' all-Tor untrackable platform
- Which Linux distro is best for protecting your privacy?
- How to Anonymize Everything You Do Online
- theintercept.com: With Virtual Machines, Getting Hacked Doesn’t Have To Be That Bad
- tomshardware.com: Security-Focused Qubes OS 3.0 With Integrated Whonix Template Now Available
Sorry, we didn't add any more recent ones. There were simply to many to list them all in time.
Impressum | Datenschutz | Haftungsausschluss
Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation. Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.