Tunnel/Whonix Developer's view of JonDonym

From Whonix

Whonix Developer View of JonDonym [1]

JonDonym is an alternative anonymity network which will be compared with Tor in this Introduction chapter. It is easy to tunnel JonDonym over Tor inside Whonix-Workstation ™ and in theory, Tor on Whonix-Gateway ™ could be replaced with JonDo.

The JonDonym network[2] is much smaller than the Tor network. At time of writing (February 2012 [archive], snapshot random week day, random time), there were 5 two hop free mix cascades, 11 three hop premium mix cascades and 1 test/experimental free one hop service.

The two hop free mix cascades had 1940 users with a maximum available capacity of 2750 users. 1367 users were using the test/experimental free one hope service which didn't advertise a maximum user capacity. From 16 to 63 users used one of the 11 three hop premium mix cascades and no maximum user restriction was advertised. There were 350 premium users in total.

In comparison, according to Tor metrics page (on that day [archive] the Tor network had on that day had ~3000 relays. (~1000 had the guard flag and ~900 hard the entry guard flag, i.e. where useable in that position.) ~500.000 users were using the Tor network on that day [archive].

The path (circuit), Tor client chooses is non-predictable and changes every 10 minutes while in comparison to JonDonym, for example a user who has chosen the Speedy-Sektor free two hop mix cascade, will have a predictable entry and exit until the user manually changes it. That goes for all mix cascades. If someone knows the entry or exit, the whole path the client is using through the network is known.

The Tor network is run by volunteers from many different countries. There is no formal process to apply as a Tor node and no verification of identity for Tor node admins. Anyone can download the Tor software and volunteer a node. Therefore there are legit and malicious nodes.

In comparison to JonDonym, mix servers are operated by independent and non interrelated organizations or private individuals who all publish their identity[3]. The operators have to abide by strict provisions which prohibit saving connection data or exchanging such data with other operators.

While private data such as usernames and passwords have been already sniffed by Tor exit relays on unencrypted or sslstripped connections, no such headline about JonDonym. Tor clearly states, that unencrypted connections can be sniffed by Tor exit relays. (Exit Nodes Eavesdropping) Trusting in JonDonym is more like trusting in their policy and server administration skills. Neither the mix server administration nor the JonDo software can prevent a man-in-the-middle attack between the mix server and the destination server.

JonDonym might be faster than Tor.

Quoted from the JonDonym Law enforcement page [4]:

JonDonym does not make it impossible to uncover individual users, as there is no such thing as a 100% security. However, such a disclosure is by magnitudes more difficult than for other VPN or proxy services, as this would require the cooperation of several states and organizations.

JonDonym is no technology for preventing law enforcement on the internet. In very serious cases, it is possible to uncover the abuse of Mix services. User connections may be individually observed, if all operators of a Mix cascade get such an official order, valid in their respective country (in Germany accourding to §100a/b StPO).

A respective legal obligation may moreover force some Mix operators to retain certain connection data. In contrast to surveillance (where this is often not allowed), the operator has to make this transparent to the users of his JonDonym Mixes via JonDo. Usually, such a data retention does neither comprise target addresses (websites) nor contents, but IP addresses of users only. At the moment no JonDonym mix operator retain connection data.

However, the independence of JonDonym operators vastly lowers the danger of an illegitimate law enforcement done by non-democratic states or arbitrary individual public officers. Any disclosure basically needs the cooperation of all operators of a Mix cascade. This was never realized for premium mix cascades in the past.

Surveillance reports

Each year, we will publish a short report of all surveillance actions that were taken and have been reported to us by the operators.

In 2012 there has been one surveillance court order to all German mix operators and JonDos GmbH. It concerned one JonDonym account number which was known to the law enforcement agency before start of surveillance. No premium cascade and no free cascade was able to provide the requested communication data because not all operators of any cascade got a court order.


If single mix operators inform JonDos GmbH about a surveillance court order then that does not mean JonDonym as a whole has been under surveillance or JonDos GmbH was involved. Rather, single operators had to comply with these orders.

In summary there where surveillance court orders for the last four years, but until now, no JonDonym user has ever been de-anonymized. The Tor network also suffers from legal attacks, there have been some raids of Tor exit servers, which also didn't and couldn't lead to de-anonymization. Both networks, when correctly used, i.e. not de-anonymizing oneself by posting private information, without connecting once without going through the anonymity network, without proxy bypass, without viruses, following documentation and so on, ever had any news headlines about network compromise.

The JonDo developers, although they are selling a product, seem to be honest about their network. They are also generally friendly (Whonix is allowed to re-use their documentation content under Open Source license with or without modification to improve Whonix documentation) and are also constructively participating the Tor bug tracker. It will be interesting if and what they answer will be on the thread " some false values and confuses TBB users [archive]" (w [archive]).

The JonDonym receives much less attention from security researchers compared to Tor.

In some aspects JonDonym is more/less secure than Tor. Depends on your threat model Reading network comparison [archive] and law enforcement [archive] yourself may be worth reading.