- 1 Introduction
- 2 Trusting Downloaded Images
- 3 OpenPGP
- 4 Verifiable Builds
- 5 Whonix Updates
- 6 Appendix
- 7 Footnotes / References
- 8 License
Trust is a very problematic issue. This is the essence of why security is difficult in every field, including general computing and Internet communication. A skeptical user might ask themselves the following questions before relying upon Whonix for sensitive activities on a daily basis:
- Can Whonix and its developers be trusted?
- Are backdoors present in Whonix that can take control over a computer or exfiltrate data?
- Does Whonix generate compromised encryption keys to enable government spying?
- How trustworthy and sincere are the stated anonymity goals of the Whonix project?
Opinions will vary widely, but the reasoning process used to reach the conclusion should be closely examined. It is important that both trust and distrust are based on facts, and not gut feelings, instincts, paranoid conceptions, unfounded hearsay or the words of others.
It is unsurprising that the Whonix project and other anonymity platforms / tools claim to be honest, but written assurances are worthless. For an informed decision, it is worth looking at the bigger Whonix picture: core components, affiliations, project track record, and how reasonable trust might be established.
Free Software and Public Scrutiny
Whonix and other free software makes it possible to check the source code to determine how a software distribution functions and what it consists of. Suitably skilled individuals can thoroughly audit the code to search for the presence of any malicious code, like a backdoor. In addition, software can be manually built from source code and the result compared against any versions that are pre-built and already being distributed, like the Whonix ova images that can be downloaded from . This comparison can determine whether any malicious changes were made, or if the distributed version was actually built with the source code.
Naturally most people do not have the requisite knowledge, skills or time to properly audit software. However, the public scrutiny of popular, open source software implies a certain degree of trustworthiness. The axiom attributed to Linus Torvalds  -- "Given enough eyeballs, all bugs are shallow" -- is a reasonable assumption in user communities that are large, vibrant, and focused on fixing security vulnerabilities quickly.  The free software community has a strong tradition of publicly reporting and resolving serious issues, and a large pool of developers and beta testers can help to identify and remedy problems. 
Trusting Debian GNU/Linux
Nearly all the software shipped in Whonix comes from the Debian GNU/Linux distribution. Debian's packages are heavily scrutinized as it is one of the largest Linux distributions at present. Debian is also one of the most popular distributions for derivative platforms; Ubuntu Linux is a Debian derivative, and the same applies to all Ubuntu derivatives such as Linux Mint.
The sheer number using Debian's software packages and the large developer pool inspecting software integrity are significant factors in Debian's favor. Debian regularly identifies and patches serious security issues like the infamous SSH PRNG vulnerability , but backdoors or other purposeful security holes have never been discovered to date. Debian's focus on security is further evidenced by their Security Audit team which constantly searches for new or unfixed security issues. 
Whonix anonymity is based on Tor, which is developed by The Tor Project. Tor is a mature anonymity network with a substantial user base, and it has developed a solid reputation after more than 15 years of development. Tor's distributed trust model makes it difficult for any single entity to capture a user's traffic and identify them on a consistent basis.
Tor and its general development are subject to heavy public scrutiny by academics, security professionals and a host of developers.  For example, there is a body of Tor research related to potential attack vectors on onion routing and the adequacy of current defenses, and the source code has undergone several external audits. Like any software project, numerous security issues have been identified and resolved over the years, but a purposeful backdoor has never been discovered.  Theories about deliberate backdoors in Tor are considered highly speculative and lacking any credible basis.
In one sense, Whonix is the simple union of Debian and Tor and a mechanism to glue them together. If a user already trusts Debian and The Tor Project, then a method for assessing Whonix trustworthiness is also necessary.
As outlined earlier, Whonix is free software which makes the source code available for inspection. In the main, Whonix is comprised of specifications for which Debian software packages should be installed and their appropriate configuration. Unfortunately, Whonix does not receive the kind of attention that is dedicated to Debian or Tor, and a formal, external audit has not yet taken place.
With a relatively small development team and estimated user base, the "many eyeballs" theory may work against Whonix at present. However, the source code is comparably small and devoid of complexities, meaning the project is in relatively good shape compared to many other similar projects. Interested readers can learn more about the Whonix specification and design here. 
With the aforementioned factors in mind, it is now possible for the reader to make an informed decision about the trustworthiness of Whonix.
Trusting Downloaded Images
Don't trust 'us'! You don't know us. Never trust people you don't know, especially not on the internet. Even if you decided to blindly trust Whonix developer Patrick Schleizer for some strange reason, well, Patrick feels honored, but since Whonix is/could become a high profile target, it is a bad idea to assume, that Patrick's build machine is clean from sophisticated targeted attacks.
You can trust these binary images to some extent if you can verify that you get exactly the same code as hundreds of other users (you can check sourceforge how often the builds where downloaded) and no one found and publicly reported any security issue. In order to verify that, beginning from Whonix 0.4.5 OpenPGP signatures are uploaded.
Sourceforge ensures some trust and integrity of the hash file through TLS (check the certificate), unfortunately only for users who are registered and logged in.
Binary releases and source code tags for releases are OpenPGP signed by Whonix developer Patrick Schleizer. The Whonix project exists since 2012-01-11. (Earlier project names were TorBOX and aos (History).)
Verifiable Builds allow auditors to check if there is hidden code inside Whonix.
If that's not good enough, you are very much welcome to build your own Whonix images using the BuildDocumentation. It is easy.
OpenPGP: Usually you get a fingerprint on a web site (insecure, or secured with the broken TLS) and then download that from a key server (insecure, or secured with the broken TLS). Unless you have attended any key signing parties and have a trust path to everyone you need to connect with, OpenPGP is only as secure as TLS!
To mitigate this, it is recommended to check OpenPGP fingerprint from multiple "secure" sites. Bonus points for using different authentication systems. For example: https://www.torproject.org/docs/signing-keys.html.en AND http://idnxcnkne4qt76tg.onion/docs/signing-keys.html.en. Note that onion services do not offer very strong authentication. A powerful adversary is more likely than not able to impersonate an onion service, but together with multiple sources it becomes increasingly costly and improbably that a single adversary can impersonate all of them.
Binary downloads are OpenPGP signed by Whonix developer Patrick Schleizer. The source code is available from github over TLS, you can git clone over https. Each release git tag is OpenPGP signed by Whonix developer Patrick Schleizer. If desired, you can request signed git development tags from Patrick Schleizer.
Whonix developer (w), named proper in past (w), renamed itself to adrelanos (w), published its OpenPGP key on 05/29/12 (w) (wiki history (w)). Revealed its identity on 01/18/14. (w) Patrick Schleizer posted its OpenPGP key transition message on 01/18/14 signed by his old and his new key. (w)
The OpenPGP key ensures, should the Whonix infrastructure ever be compromised by a powerful adversary (domain takeover etc.), that the original Whonix developers can at least prove, that they are the same people who owned the infrastructure.
Even if you distrust Whonix developers, OpenPGP verifying binary downloads or git tags is still useful. If you want to audit Whonix, you should ensure, that you actually got your download from Whonix developers and that no third party tampered with it. Examples:
- An attacker could modify source codes on github (w)
- sourceforge hacked (w)
- sourceforge mirror hacked (w)
Verifiable .ova Releases
|Warning: Deprecated. A dedicated maintainer is required.|
|Warning: This feature only adds security if people actually use it! Don’t assume that someone else will do it for you!|
Whonix has a feature which allows the community to check that Whonix .ova  releases are verifiably created from the project's own source code. This is called verifiable builds. This only proves that the person and machine  building Whonix have not added anything malicious, such as a backdoor.  It doesn't prove there are no backdoors present in Debian. This isn't possible, because neither Debian  nor any other operating system provides deterministic builds yet. 
This feature does not attempt to prove there aren't any vulnerabilities present  in Whonix or Debian. Fatal outcomes are still possible via: a remotely exploitable  bug in Whonix or Debian, a flaw in Whonix's firewall which leaks traffic, or code phoning home  the contents of your hard drive. A precondition to improve security with this feature is community efforts in auditing Whonix and Debian source code to check for possible backdoors and vulnerabilities. In summary, this feature is useful and potentially improves security, but it isn't a magical solution for all computer security and trust issues. The following table will help you understand what this feature can achieve.
|Whonix||Tails||Tor Browser||Qubes OS TorVM||Corridor|
|Deterministic Builds ||No||No (Planned) ||Yes ||No||Not Applicable |
|Based on a Deterministically Built  Operating System||No ||No ||Not Applicable||No ||No |
|Verifiably no backdoor in the project's own source code||Invalid ||Invalid ||Invalid ||Invalid ||Invalid |
|Verifiably vulnerability  free||No ||No ||No ||No ||No |
|Verifiably no hidden source code  in upstream distribution/binaries ||No ||No ||No ||No ||No |
|Project's binary builds are verifiably created from project's own source code (no hidden source code  in the project's own source code)||No (Deprecated) ||No||Yes||No||Not Applicable |
Some readers might be curious why Whonix is verifiable, while Debian and other distributions are not. In short, this is because Whonix is uncomplicated by comparison. To oversimplify it: Whonix is just a collection of configuration files and scripts, and the source code does not contain any compiled code and so on. In contrast, Debian is a full operating system, without which Whonix wouldn't exist. 
This feature was first made available in Whonix 8. Only users who download a new image can profit from this feature.  It is not possible to audit versions older than Whonix 8 with this script. 
This is just an introduction. See Verifiable Builds for the full page.
Verifiable Whonix Debian Packages
|Warning: Deprecated. A dedicated maintainer is required.|Since Whonix 7.5.2, all Whonix Debian Packages have been deterministically built. This means if you build Whonix Debian Packages 7.5.2 from source code, then download 7.5.2 from the Whonix Debian repository, you can simply diff the checksum (for example the sha512sum) of those files and they should match. This has been deprecated because of a dpkg bug. The estimate of the Installed-Size can be wrong by a factor of 8, or a difference of 100MB.  Different underlying file systems cause different file sizes, leading to checksums not matching. This has been deprecated because it is difficult to implement before Debian Stretch and/or the experimental Debian reproducible toolchain being merged into Debian stable.
This is just an introduction. See Verifiable Builds#Verifiable Whonix Debian Packages for the full page.
Whonix provides an optional updater since Whonix 6.
- When building from source code, since Whonix 7.3.3, Whonix's APT Repository is disabled by default.
- For the Default-Download-Version, Whonix's APT Repository is enabled by default. While building Whonix using the build script, Whonix's APT repository has been added to /etc/apt/sources.list.d/whonix.list and Whonix's (adrelanos's) APT repository OpenPGP signing key has been added to apt-key by the whonix_repository tool.
- Qubes/Install: enabled by default
- When building from source code: enabled by default. To disable:
When Whonix's APT Repository is enabled and updated Whonix debian packages are uploaded to Whonix's APT repository, next time you are upgrading your system using "sudo apt-get update && sudo apt-get dist-upgrade", those packages will automatically get installed. If this is not what you want, this can be disabled. Below is a security discussion about the implications.
Alternatively, you can update Whonix from source code.
At the moment, Whonix developer Patrick Schleizer is the only one holding the Whonix APT repository OpenPGP signing key.
When it comes to trust, there is a big difference if you are building Whonix from source code or if you are using the Default-Download-Version. When you build Whonix using the build script and verified the source code to be non-malicious and reasonable bug free, Whonix developers have no way to access your system. With Whonix's APT repository enabled however, Whonix developers holding a Whonix repository signing key could always release a malicious update and gain full access on your machines.
When using the Default-Download version, on one hand, when not using Whonix's APT repository, Whonix developers could sneak in a backdoor into the binary builds (download version) (the rest of this page above goes into this subject), which is worse enough. And on the other hand, while using Whonix's APT repository, Whonix developers could sneak in a backdoor at any time. Also notable, while the binary builds contain binary packages (which are downloaded from Debian repository while building), which makes it easier to sneak a backdoor in, the Whonix deb packages do not contain any compiled code yet (only configuration files, scripts, comments) (which might change with a malicious update). As long as there is no compiled code inside Whonix deb packages, it might be easier for auditors, to catch a backdoor in updated deb packages (unless its a targeted attack) compared to the binary builds (download version).
When Whonix's APT repository is disabled, there is no updater and the situation is the same as in Whonix 0.5.6 and below.
- *: one star.
- one star: bad
- more stars: better
- 4 stars: best
|Whonix-Default-Download with Whonix APT Repository||Whonix-Default-Download without Whonix APT Repository||Building from Source Code and using Whonix APT Repository||Building from Source Code without using Whonix APT Repository|
The least secure and most convenient way is to use Whonix is using Whonix-Default-Download and to leave Whonix's repository enabled.
It is a bit safer to use Whonix-Default-Download version and to disable Whonix's APT repository. When updated Whonix deb packages are released, download them manually, verify them manually and install them manually. Big security bonus points for verifying the deb package contents before installing them. You'll get most security, if you build Whonix from source code and also build update packages from source code. Big security bonus points for verifying the source code before building Whonix.
What Digital Signatures Prove
Most people, even programmers, often confuse the basic ideas behind digital signatures. Most people should read this section, even if it looks trivial at first sight.
Digital Signatures show that someone who had access to the private key has made a signature. It is an indication, that its contents have not been tampered (so, integrity is preserved) and can indicate, that a given file is authentic.
Digital Signatures do not prove any other property, e.g. that the file is not malicious. In fact there is nothing that could stop people from signing a malicious program (and it happens from time to time in reality).
The point is, of course, that people need to choose to trust some people, e.g. Linus Torvalds, Microsoft, etc. and assume that if a file(s) was indeed signed by those individuals, then indeed it should not be malicious and buggy in some horrible way. But the decision of whether to trust certain people (e.g. those behind the Whonix Project) is beyond the scope of digital signatures. It is more of a sociological and political decision.
However, once we make a decision to trust somebody (e.g. The Whonix Project and the files released by them), then the digital signatures are useful, because they make it possible to limit our trust only to those few people we chose, and not to worry about all the Bad Things That Can Happen In The Middle between us and them (i.e. the vendor), like e.g.: server compromises, dishonest IT staff at the hosting company, dishonest staff at the ISPs, WiFi attacks, etc.
If we verify all the files we download from the vendor, we don't need to worry about all the above bad things, because we would easily be able to detect when the file(s) has been tampered (and not execute/install/open them).
However, for the digital signatures to make any sense, one should ensure that the public keys we use for signature verification are indeed the original ones. Anybody can generate a OpenPGP key pair that would pretend to be for "Whonix Project", but only the key pair that Patrick Schleizer generated is the legitimate one. Securely obtaining Whonix signing key is documented on a later page, Whonix Signing Key.
TLS/SSL/HTTPS with the CA model is flawed. We don't trust it and you shouldn't either. Even if all the implementation details (revocation not working, every CA can issue certs for anything, including "*") were sorted out, having to trust a 3rd party is a no go. But, we still have to rely on it to some extent for that lack of a widely used web of trust or other alternative.
Evil Developer Attack
This is only a theoretical attack, as far as we know. We are not aware that it ever happened to any software project. This is not a Whonix specific problem. It applies to all open source software projects, but more to those where the developers stay anonymous. Examples for such anonymously developed software projects are TrueCrypt, Tails, I2P...
The attack works like this: 1. Start a new software project. Alternatively join an existing software project. 2. Behave well, publish your sources. Gain trust. 3. Build binaries directly from your sources and offer them for download. 4. Make a great product, get a lot of users. 5. Continue to develop it. 6. Make a second branch of your sources and add malware. 7. Continue to publish your clean sources, but offer your malicious binaries for download. 8. Done! You infected a lot of users.
It is very difficult for end users to notice this attack. Of course, if all users would be added to a botnet, there would be news about this incident very soon and everyone would know. On the other hand, if the backdoor is barely used, it may remain secret for a long time.
The myth, that open source software is automatically more secure than closed source, is still strong and widespread. Yes, open source has advantages but certainly not for this threat model. Who checks if the binaries are made from the proclaimed source and publishes the results? That is called deterministic builds.  It is quite difficult to achieve that. If you are interested on how complex it is, also google 'trusting trust'.
All that is very difficult and it all comes back to trust. How can you trust developers? Even if they are not anonymous, you still do not know them and can not trust them? And even if you know them, can you trust them not to have made any mistakes?
These are serious questions to think about. Whonix is also affected by this issue, just like TrueCrypt, Tails, I2P, etc. Most projects (such as TrueCrypt) do not even inform about this fact. Whonix is just an ordinary software project, unfortunately we are unable to fix all problems in the world.
Whonix doesn't distribute any binaries, only redistributes unmodified upstream binaries, shell scripts, we do not create our own binaries. That's what we claim, but it is a lot easier to verify than if we were distributing our own binaries from source code we wrote. Users should worry about the motives and internal security of everyone contributing to torproject.org, all of the distro devs and maintainers and the hundreds of upstream devs and contributors. Trusted computing base size of a modern operating system today is so ridiculously big and so many people are involved we'd be really surprised if none of the "bugs" were intentional. And then there's the hardware. You think that even AMD could understand an Intel chip or vice versa? Of course one can't compare an anonymous contributor with no investment but time with a multi-national company. On the other hand, in comparison, detection here is just ridiculously simple (diff the hash sums), while finding and then proving that something is not a bug but a backdoor in a compiler, well designed source code let alone a CPU is impossible. Anonymous or not no longer matters these days. We are in a more or less open "cyber war" or that's what media and lawmakers want us to believe. Fact is, today players are backed by governments, they can use their real identities without fear of repercussion, fake IDs can be created, trustworthy people can be coerced into giving up their OpenPGP and ssh keys if projects even make use of any strong authentication. Judging by the lack of signatures on many open source upstream and even downstream downloads I'm sure many lack any internal security enforcement and still trust DNS to provide authenticity and clear text to provide integrity. About open source, yeah, you can bet Apple, Google and Microsoft have better internal security than the global open source community. However that doesn't make their code trustworthy or says anything about whether closed or open is more secure...
Whonix Developer OpenPGP Guidelines
All long term Whonix developers, are encouraged to:
- Create a 4096/4096 RSA/RSA OpenPGP key.
- Get the latest gpg.conf (which comes with Whonix-Workstation) for stronger hashes, no-emit-version, etc.
- Store the private key inside an encrypted file.
- Make a backup of that encrypted file.
- Remember the password, check yourself regularly.
- Also upload the encrypted file to some (free) online cloud hosting, in case of thief, fire, tornado, etc.
- Since the project started in 2012, we believe the earlier developer published its OpenPGP public key, the less likely is it, that the developer is attempting an evil developer attack.
Other Projects Discussing Trust
- Tails is a live CD or live USB that aims at preserving your privacy and anonymity. Tails about trust. (w)
- I2P (anonymizing network) does also talk about development attacks. (w)
- Qubes OS: What do the Digital Signatures Prove and What They DO NOT Prove (w)
- Miron’s Weblog: Attack Scenarios on Software Distributions (w)
- list of incidents of compromised servers: On distributing binaries (w)
Footnotes / References
- Creator of the Linux kernel.
- On the flip-side, there is no guarantee that just because software is open to review, that sane reviews will actually be performed. Further, people developing and reviewing software must know the principles of secure coding.
- https://lists.debian.org/debian-security-announce/2008/msg00152.html (w)
- Debian also participates in security standardization efforts and related overarching projects.
- And undoubtedly advanced adversaries.
- That said, a skilled, malicious coder is far more likely to introduce subtle errors that open non-obvious attack vectors.
- This is a good starting point to understand how Whonix works.
- Due to build machine compromise.
- Whonix is based on Debian.
- Some Debian developers are steadily working on this long-term project, see: Reproducible Builds.
- Open Source software does not automatically prevent backdoors, unless the user creates their own binaries directly from the source code. People who compile, upload and distribute binaries (including the webhost) could add hidden code, without publishing the backdoor. Anybody can claim that a certain binary was built cleanly from source code, when it was in fact built using the source code with a hidden component. Those deciding to infect the build machine with a backdoor are in a privileged position; the distributor is unlikely to become aware of the subterfuge. Deterministic builds can help to detect backdoors, since it can reproduce identical binary packages (byte-for-byte) from a given source. For more information on deterministic builds and why this is important, see:
- See Tails Roadmap.
- See Deterministic Builds Part One: Cyberwar and Global Compromise and Deterministic Builds Part Two: Technical Details.
- Corridor only uses shell scripts.
- To be fair, there are no deterministically built operating systems yet. It is a difficult process and takes a lot of effort to complete. While Debian has almost 20,000 reproducible packages in early 2017, this work has been ongoing since 2013 and is far from done.
The first form of backdoor is a vulnerability (bug) in the source code. Vulnerabilities are introduced either purposefully or accidentally due to human error. Following software deployment, an attacker may discover the vulnerability and use an exploit to gain unauthorized access. Such vulnerabilities can be cleverly planted in plain sight in open source code, while being very difficult to spot by code auditors. Examples of this type of backdoor include:
- An attempt to backdoor the kernel.
- The Debian SSL debacle; many argued that this wasn't a bug but in fact a backdoor, as it hadn't been spotted for several years.
It is therefore impossible to claim that non-trivial source code is backdoor free, because backdoors can be hidden as vulnerabilities. Auditors scrutinizing the source code can only state an opinion about the quality of the source code, and eventually report vulnerabilities if/when they are identified. Assertions that source code is free of computer viruses (like trojan horses) is the only reasonable assertion that can be made.
- Although theoretically possible, there are no mathematically proven bug free operating systems yet.
- The upstream distribution is the distribution on which the project is based. Whonix and Tails are based on Debian, thus Debian is their upstream distribution. QubesOS TorVM is based on Qubes OS, which is itself based on Fedora and Xen.
- See Trust#Verifiable Builds.
- Whonix relies on the great work of Debian and other upstream projects.
- Because in order to implement the verifiable builds feature, lots of non-deterministic, auto-generated files are removed at the end of the build process and re-created during first boot.
- Not possible doesn't mean impossible here, but it would require significant effort.
- This bug has now been resolved.
- See SSL.
Whonix Trust wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Trust wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <email@example.com>
This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.
Thanks to Qubes OS (Permission) (w). The "What do the Digital Signatures Prove and What They DO NOT Prove" chapter contains content from the Qubes OS: What do the Digital Signatures Prove and What They DO NOT Prove page.
https | (forcing) onion
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.