
Security in Real World

[Figures: "Flash Leak Test SocksPort and TransPort"; "Flash Leak Test both TransPort"]
  • Flash and Java - Whonix prevents information leaks from browser plugins because Whonix-Workstation has no knowledge of the real external IP address. This protection also applies to Flash-based applications used by advanced adversaries. Nevertheless, installing browser plugins such as Flash is not recommended when anonymity is the goal.[1] See Browser Plugins for further details.
  • Skype - Whonix will not leak a user's IP address / location while Skype or other VoIP protocols are in use, although it is fairly difficult to anonymize voice over these channels.
  • BitTorrent - IP leaks have been reported when using ordinary proxification methods. However, since Whonix prevents information leaks, using BitTorrent will not leak a user's real external IP address (see File Sharing). The reason is that Whonix-Workstation has no knowledge of the external, ISP-facing IP address.
  • Thunderbird - Tails reported that Thunderbird leaks the real external IP address. Although Whonix did not exist when this bug was discovered, it would have been impossible for the real external IP address to leak, since Whonix-Workstation has no knowledge of the external IP address. To be fair to Tails, these kinds of leaks are now considered unlikely since they no longer use transparent torification.[2]
  • Pidgin - a bug was found in the Pidgin source that would have leaked the real IP address. Whonix did not exist when this bug was discovered. Nevertheless, the security by isolation model adopted by Whonix prevents these kinds of leaks from occurring. Note that this bug existed only in the development source code and was patched before the release date (source).
  • Tor Browser Bundle - a severe bug was discovered in Firefox in which WebSockets bypassed the SOCKS proxy DNS configuration.[3] This bug is defeated because Whonix-Gateway forces all traffic through the Tor network or blocks it. At worst, a proxy bypass would have emitted traffic through Tor's TransPort. The only information that could have leaked is the IP address of another Tor Exit Relay, which would not affect anonymity.
  • Targeted Clock Skew Correlation - this type of clock skew correlation allows an adversary to acquire the time stamp from an Onion Service's HTTP header and measure the skew (clock skewing). The adversary then compares the acquired time stamp against Tor relays or other publicly reachable web servers. If the time skew of the Onion Service matches that of any publicly reachable server or Tor relay, it is very likely the Onion Service is hosted on the same machine. Whonix defeats this and other time-based attacks because it uses sdwdate. This program connects to a variety of servers (likely hosted on different hardware) at random intervals and extracts time stamps from their HTTPS headers. With the sclockadj option, time is adjusted gradually, preventing larger clock jumps that could confuse logs, servers, Tor, I2P, etc.[4][5]
  • P2P - an attack was published that targets P2P applications in order to trace and profile Tor users. Whonix defeats this attack and others like it because Whonix-Workstation has no knowledge of the external IP address. Furthermore, Whonix provides extended protection by using stream isolation.
  • Tor Browser Bundle (Old) - an attack was observed in the wild that exploited a JavaScript vulnerability in Firefox.[6] The observed version of the attack collected the hostname and MAC address of the victims' computers and sent that information to a remote web server. This threat is partially mitigated nowadays by the security slider in the Tor Browser Bundle, which with the correct settings easily prevents the execution of JavaScript code completely.
  • Tor Browser Bundle - a security bug was reported in version 7.0.2 that allowed systems with GVfs/GIO support to bypass Firefox proxy settings via a specially crafted URL, leading to an IP address leak. Since Whonix-Gateway forces all traffic through Tor and information leaks are blocked, Whonix users were not affected by this bug.
  • Tor Browser Bundle - a defect was discovered that would allow an adversary to use targeted clock skew correlation to identify a user. Because Tor Browser transmitted gmt_unix_time in the TLS "ClientHello", there are two scenarios in which these transmissions could be used to track users.
    • In the first scenario, an adversary either compromises NTP servers or uses a man-in-the-middle position to intercept NTP server replies and introduces a unique clock skew. Since both the ISPs hosting Tor Exit Relays and destination servers can see "ClientHello" transmissions, an adversary can use clock skew correlation to track a user's movements.
    • In the second scenario, a user visits a clearnet website under adversary control without Tor Browser, and the unique clock skew in the TLS "ClientHello" gmt_unix_time is recorded. Afterwards, the user visits the same or a different adversary-controlled website using Tor Browser. If both clock skews match, this could indicate the two visitors were one and the same; at the very least it would significantly reduce anonymity. Since Whonix uses sdwdate rather than NTP to keep time, these instances of targeted clock skew correlation, and many like them, are defeated.
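The two clock-skew items above (the Onion Service correlation defeated by sdwdate, and the TLS "ClientHello" gmt_unix_time scenario) rest on the same idea: a clock that is slewed from several unrelated HTTPS sources instead of stepped from one NTP reply carries no unique, stable skew to correlate. The following is an added illustration written for this page, not Whonix's or sdwdate's own code. It parses constructed HTTP `Date` headers from three hypothetical servers, takes the median offset so a single skewed or hostile server cannot drag the clock, splits the correction into bounded steps in the spirit of the sclockadj option, and includes a small check that tells whether a TLS random field still carries a gmt_unix_time-style timestamp (the assumed helper names, sample headers and byte strings are all constructed for the example; sdwdate's real pool logic and thresholds differ).

```python
"""Illustration of median-of-sources time estimation, gradual clock slewing,
and a check for gmt_unix_time exposure in a TLS ClientHello random field.
Constructed example, not Whonix/sdwdate code."""
import statistics
import struct
from email.utils import parsedate_to_datetime

# Constructed samples: (hypothetical server, HTTP Date header, local Unix time
# when the header was fetched). server-c is deliberately ~2.5 minutes off.
SAMPLES = [
    ("server-a.example", "Tue, 15 Nov 2022 08:12:31 GMT", 1668499856),
    ("server-b.example", "Tue, 15 Nov 2022 08:12:33 GMT", 1668499859),
    ("server-c.example", "Tue, 15 Nov 2022 08:10:00 GMT", 1668499860),
]


def parse_http_date(header_value: str) -> int:
    """Convert an RFC 7231 Date header value to Unix time (seconds)."""
    return int(parsedate_to_datetime(header_value).timestamp())


def estimate_offset(samples) -> int:
    """Median of (remote - local) across all sources.

    A median is used here as an illustration of outlier resistance: one
    wrong or hostile server cannot pull the result far from the others.
    """
    offsets = [parse_http_date(hdr) - local for _, hdr, local in samples]
    return int(statistics.median(offsets))


def slew_plan(offset: int, max_step: int) -> list:
    """Split a correction into steps no larger than max_step seconds.

    Applying these one at a time instead of stepping the clock once avoids
    the large jumps the page says can confuse logs, servers and Tor.
    """
    steps = []
    remaining = offset
    sign = 1 if offset >= 0 else -1
    while remaining != 0:
        step = sign * min(abs(remaining), max_step)
        steps.append(step)
        remaining -= step
    return steps


def apply_slew(local_now: int, steps) -> list:
    """Return the successive clock values as a slew plan is applied."""
    values = [local_now]
    for step in steps:
        values.append(values[-1] + step)
    return values


def clienthello_random_leaks_time(random_bytes: bytes, local_now: int,
                                  window: int = 600) -> bool:
    """True if the first 4 bytes of a 32-byte TLS random decode to a Unix
    time within `window` seconds of local_now, i.e. the handshake exposes
    the local clock the way the older gmt_unix_time field did."""
    if len(random_bytes) != 32:
        raise ValueError("TLS random field must be exactly 32 bytes")
    (stamp,) = struct.unpack("!I", random_bytes[:4])
    return abs(stamp - local_now) <= window


# Constructed TLS random fields: one with a timestamp prefix, one without.
LEAKY_RANDOM = struct.pack("!I", 1668499856) + bytes(range(28))
OPAQUE_RANDOM = bytes(range(32))


if __name__ == "__main__":
    offset = estimate_offset(SAMPLES)
    print("median offset:", offset, "s")
    plan = slew_plan(offset, max_step=10)
    print("slew steps:", plan)
    print("clock values:", apply_slew(1668499860, plan))
    for name, rnd in (("leaky", LEAKY_RANDOM), ("opaque", OPAQUE_RANDOM)):
        print(name, "random leaks time:",
              clienthello_random_leaks_time(rnd, 1668499856))
```

With the samples above the two close sources agree to within a second while the third is 155 seconds off; the median lands at +94 s, and the 10-second step limit turns that into ten small corrections rather than one jump. The last check is the kind of audit a defender can run on a captured handshake of their own client: a random field whose leading bytes track wall-clock time is exactly the signal both scenarios above rely on.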


Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)
  1. https://www.whonix.org/wiki/Comparison_with_Others#Flash_.2F_Browser_Plugin_Security
  2. https://mailman.boum.org/pipermail/tails-dev/2012-September/001704.html
  3. https://trac.torproject.org/projects/tor/ticket/5741
  4. https://github.com/Whonix/sdwdate
  5. To be fair, when this attack was first described Whonix did not exist.
  6. JavaScript was enabled by default in Tor Browser at the time this exploit was discovered.