Protection against Real World Attacks
Indicators of Compromise
If you are reading this page, then it is safe to assume being anonymous (less unique), and remaining so is of great interest. Users with a serious intention to research these issues are encouraged to assist in accordance with their skills. Testing, bug reporting or even bug fixing are laudable endeavors. If this process is unfamiliar, understand that about thirty minutes is required per message / identifier to ascertain if the discovered result  is a false positive, regression, known or unknown issue.
To date, none of the various leak testing websites running inside Whonix-Workstation ™ were ever able to discover the real (external), clearnet IP address of a user during tests. This held true even when plugins, Flash Player and/or Java were activated, despite the known fingerprinting risks. Messages such as "Something Went Wrong! Tor is not working in this browser."  (from about:tor) or "Sorry. You are not using Tor." (from check.torproject.org) are in most cases non-issues. If the real, external IP address can be revealed from inside Whonix-Workstation ™, then this would constitute a serious and heretofore unknown issue (otherwise not).
It is unhelpful to ask questions in forums, issue trackers and on various mailing lists with concerns that have already been discussed, or which are known issues / false positives. In all cases, please first search thoroughly for the result that was found. Otherwise, the noise to signal ratio increases and Whonix development is hindered. Users valuing anonymity don't want this, otherwise this would violate the aforementioned assumption.
If something is identified that appears to be a Whonix ™-specific issue, please first read the Whonix Free Support Principle before making a notification.
Detection of System Changes
If trivial changes are noticed on your system -- such as a duplicate deskop icon -- this is not evidence of a hack or leak. Similarly, if warning or error messages appear that are difficult to understand, in most cases there is no need for panic. If something unexpected occurs such as the appearance of a "htaccess file in home directory", or graphical glitches emerge in Arm, then it is more likely a harmless bug and/or usability issue rather than a compromise.
Skilled attackers do not leave such obvious traces of their breach. An infection by tailored malware is more plausible in this scenario and this is virtually impossible to detect by reading random messages in system logs. Even malware that is bought off-the-shelf (malware building toolkits) are unlikely to be discovered by cursory inspections.  Rootkit technology is no doubt a standard feature of the various programs.
Strange files, messages or other system behavior could feasibly relate to an attacker wanting the user to find something. However, the likelihood of this kind of harassment is considered low. Script kiddies ("skiddies") are unskilled attackers who uses scripts or programs to conduct attacks on computer systems and networks, most often with juvenile outcomes. For example, they might use programs to remotely control poorly-secured Windows desktops, trolling their victims from an open, forced chat window, opening their DVD drive and so on. It is improbable that skiddies can achieve similar exploits against Linux, Xen or BSD platforms.  Sophisticated attackers generally avoid detection, unless the user is unlucky enough to be a victim of Zersetzung (a psychological warfare technique).
Every forum post and support request requires time that could otherwise be directed to Whonix ™ development. Unless there is genuine evidence of a serious and credible problem, there is no need for a new post. Developers and the Whonix ™ community at large do not have enough time to explain every message that Linux might report. In most cases, they are not important and outside the control of Whonix ™ developers.
Whonix ™ Protection against Real World Attacks
IP leaks(w) have been reported when using ordinary proxification methods. However, since Whonix ™ prevents information leaks, using BitTorrent will not leak a user's real external IP address (see File Sharing). The reason is Whonix-Workstation ™ (
anon-whonix) has no knowledge of the external, ISP-facing IP address.
Flash and Java
Whonix ™ prevents information leaks from browser plugins since it has no knowledge of the real external IP address. This protection also applies to Flash-based applications used by advanced adversaries. Nevertheless, it is not recommended to install browser plugins such as Flash when anonymity is the goal.  See Browser Plugins for further details.
A security bug was reported in Nautilus file manager that allows an attacker to disguise a malicious script as a
.desktop file.  In this attack, an adversary tricks the user into downloading the
.desktop file from a website or sends the file in an email. Once the file is on the target's computer, the file (PDF, ODT) only has to be opened by the user for the script to execute.
This security bug was used to craft an exploit which was able to break the Subgraph OS security model. Since Subgraph does not contain Nautilus in an Oz sandbox,  once the malicious script was executed, it would have enabled access to much of the user's data; PGP keys, SSH keys, stored email, documents, password databases, MAC addresses and nearby Wi-Fi access points.
This sensitive information could be used by attackers to deanonymize the user,  but Whonix ™ defeats this attack and others like it. Since Whonix-Workstation ™ (
anon-whonix) is isolated from the host and Whonix-Gateway ™ (
sys-whonix), even if a malicious
.desktop script is executed, no information can be gathered about the external IP address, hardware serials or sensitive data outside of Whonix-Workstation ™ (
anon-whonix). Once Subgraph developers were informed of the vulnerability, the Nautilus package was patched on the platform. 
An attack(w) was published that targets P2P applications in order to trace and profile Tor users. Whonix ™ defeats this attack and others like it because Whonix-Workstation ™ (
anon-whonix) has no knowledge of the external IP address. Furthermore, Whonix ™ provides extended protection by using Stream Isolation.
A bug was found in Pidgin source code that would have leaked the real IP address.  Whonix ™ did not exist when this bug was discovered. Nevertheless, the security by isolation model adopted by Whonix ™ prevents this kind of leak from occurring. Notably, this bug only existed in the developmental source code and it was patched before the release date.
Targeted Clock Skew Correlation
This type of correlation allows an adversary to acquire the time stamp of an Onion Service http header and measure the skew (clock skewing)(w). The adversary then compares the acquired time stamp against Tor relays or other publicly reachable web servers. If the time skew of the Onion Service server matches any publicly reachable servers or Tor relays, it is very likely the Onion Service is hosted on the same server.
Whonix ™ defeats this and other time attacks since it uses sdwdate. This program connects to a variety of servers (likely to be hosted on different hardware) at random intervals and extracts time stamps from the http headers. Using the sclockadj option, time is gradually adjusted thus preventing bigger clock jumps that could confuse logs, servers, Tor, i2p, etc.  
Tails reported that Thunderbird leaked(w) the real external IP address. Although Whonix ™ did not exist when this bug was discovered, it would have been impossible for the real external IP address to leak, since Whonix-Workstation ™ (
anon-whonix) has no knowledge of it. In fairness to Tails, this kind of leak is now considered unlikely since they no longer use transparent torification. 
Tor Browser Bundle
- A severe bug(w) was discovered in FireFox which related to WebSockets bypassing the SOCKS proxy DNS configuration.  Whonix ™ defeats this bug since Whonix-Gateway ™ (
sys-whonix) forces all traffic through the Tor network or it is blocked. At worst, a proxy bypass would have emitted traffic through Tor's TransPort. In this scenario, the only information that could leak is the IP address of another Tor Exit Relay, which would not affect anonymity.
- A security bug was reported in version 7.0.2 that allowed systems with GVfs/GIO support to bypass Firefox proxy settings using a specially crafted URL, leading to an IP address leak. Since Whonix-Gateway ™ (
sys-whonix) forces all traffic through Tor, and information leaks are blocked, Whonix ™ users were not affected by this bug.
- A defect was discovered which allowed an adversary to use targeted clock skew correlation to identify a user. Since Tor Browser transmits TLS "Hello Client"
gmt_unix_timethere are two scenarios in which these transmissions could be used to track users.
- In the first scenario an adversary either compromises NTP servers or uses a man-in-the-middle to intercept NTP server replies and introduces a unique clock skew. Since "Hello Client" transmissions are visible to ISPs that host Tor Exit Relays as well as destination servers, an adversary could use clock skew correlation to track users' movements.
- In the second scenario, a user visits a clearnet website under adversary control without Tor Browser and the unique clock skew of the TLS "Hello Client"
gmt_unix_timeis recorded. Afterwards, the user visits the same or a different adversary-controlled website using Tor Browser. If both clock skews match, this could indicate the two visitors were the same person. At the very least this would significantly degrade anonymity. Since Whonix ™ uses sdwdate and not NTP to keep time, these instances of targeted clock skew correlation and many like it are defeated.
- From a browser test website, in a log file and so on.
- Interested readers can verify these claims by researching off-the-shelf malware building toolkits. They are dangerous to install for inexperienced users, but there is a wealth of information online such as screenshots and video tutorials.
- It is unclear if script kiddie programs are readily available for attacking non-Windows users.
- The Subgraph OS sandbox framework is known as Oz, which is unique to the platform. It is designed to isolate applications from each other and the rest of the system.
- To be fair, when this bug was reported Subgraph OS was still in Alpha status.
- All data inside Whonix-Workstation ™ (
anon-whonix) would be available to the attacker and aid deanonymization.
- To be fair, when this attack was first described Whonix ™ did not exist.
- Since Whonix-Workstation ™ (
anon-whonix) is unaware of the MAC address.
No comments for now due to spam. Use Whonix forums instead.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)