- 1 Introduction
- 2 How can I trust the download images?
- 3 OpenPGP
- 4 Verifiable Builds
- 5 Whonix Updates
- 6 Appendix
- 7 Footnotes / References
- 8 License
Trust is a very problematic issue, and that's the essence of why security is difficult in every field, including computers and Internet communication. Do you trust Whonix and its developers? Do you think we have planted backdoors in Whonix so we can take control of your computer, or that we make Whonix generate compromised encryption keys in order to enable the government to spy on you? Do you simply trust our word on that we are legit?
No matter what your opinion is in this matter you should ask how you reached that conclusion. Both trust and distrust need to be established based on facts, not gut feeling, paranoid suspicion, unfounded hearsay or our word. Of course, we claim to be honest, but written assurances are worthless. In order to make an informed decision you must look at the greater picture of what Whonix is comprised of, our affiliations, and possibly how others trust us.
Free software and public scrutiny
Free software, like Whonix, enables its users to check exactly what the software distribution consists of and how it functions since the source code must be made available to all who receive it. Hence a thorough audit of the code can reveal if any malicious code, like a backdoor, is present. Furthermore, with the source code it is possible to build the software, and then compare the result against any version that is already built and being distributed, like the Whonix ova images you can download from sourceforge.net. That way it can be determined whether the distributed version actually was built with the source code, or if any malicious changes have been made.
Of course, most people do not have the knowledge, skills or time required to do this, but due to public scrutiny anyone can have a certain degree of implicit trust in Free software, at least if it is popular enough that other developers look into the source code and do what was described in the previous paragraph. After all, there is a strong tradition within the Free software community to publicly report serious issues that are found within software.
Trusting Debian GNU/Linux
The vast majority of all software shipped in Whonix comes from the
Debian GNU/Linux distribution. Debian is the Linux distribution whose software packages are arguably under the deepest public scrutiny. Not only is Debian itself one of the largest Linux distros, but it's also one of the most popular distros to make derivatives from. Ubuntu Linux, for instance, is a Debian derivative, and the same goes transitively for all of its derivatives, like Linux Mint. Thus there are countless people using Debian's software packages, and countless developers inspect their integrity. Very serious security issues have been discovered (like the infamous
Debian SSH PRNG vulnerability, but backdoors or other types of intentionally placed security holes have never been found to our knowledge.
Whonix anonymity is based on Tor, which is developed by
The Tor Project. The development of Tor is under a lot of public scrutiny both academically (research on attacks and defenses on onion routing) and engineering-wise (Tor's code has gone through several external audits, and many independent developers have read through the sources for other reasons). Again, security issues have been reported, but nothing malicious like a backdoor -- we would argue that it's only uninformed conspiracy theorists that speculate about deliberate backdoors in Tor these days. Furthermore, Tor's distributed trust model makes it hard for a single entity to capture an individual's traffic and effectively identify them.
One could say that Whonix is the union of Debian and Tor. What we do, essentially, is gluing it all together. Hence, if you trust Debian and The Tor Project, what remains to establish trust for Whonix is to trust our "glue". As has been mentioned, Whonix is Free software, so its source code is completely open for inspection, and it's mainly comprised by a specification of which Debian software packages to install, and how they should be configured. While Whonix surely doesn't get the same amount of attention as Debian or Tor,
we do have some eyes on us from especially the Tor community, and also some of the general security community (see our audits page. Given that Whonix source code is comparably small and devoid of complexities, we're in a pretty good spot compared to many other projects of similar nature. Our specification and design document (See Design.) is a good starting point to understand how Whonix works, by the way.
With all this in light (which you ideally also should try to verify), you should be able to make an informed decision on whether or not you should trust our software.
How can I trust the download images?
Don't trust 'us'! You don't know us. Never trust people you don't know, especially not on the internet. Even if you decided to blindly trust Whonix developer Patrick Schleizer for some strange reason, well, Patrick feels honored, but since Whonix is/could become a high profile target, it's a bad idea to assume, that Patrick's build machine is clean from sophisticated targeted attacks.
You can trust these binary images to some extent if you can verify that you get exactly the same code as hundreds of other users (you can check sourceforge how often the builds where downloaded) and no one found and publicly reported any security issue. In order to verify that, beginning from Whonix 0.4.5 OpenPGP signatures are uploaded.
Sourceforge ensures some trust and integrity of the hash file through TLS (check the certificate), unfortunately only for users who are registered and logged in.
Binary releases and source code tags for releases are OpenPGP signed by Whonix developer Patrick Schleizer. The Whonix project exists since 2012-01-11. (Earlier project names were TorBOX and aos (History).)
Verifiable Builds allow auditors to check if there is hidden code inside Whonix.
If that's not good enough, you are very much welcome to build your own Whonix images using the BuildDocumentation. It is easy.
OpenPGP: Usually you get a fingerprint on a web site (insecure, or secured with the broken TLS) and then download that from a key server (insecure, or secured with the broken TLS). Unless you have attended any key signing parties and have a trust path to everyone you need to connect with, OpenPGP is only as secure as TLS!
To mitigate this, it is recommended to check OpenPGP fingerprint from multiple "secure" sites. Bonus points for using different authentication systems. For example: https://www.torproject.org/docs/signing-keys.html.en AND http://idnxcnkne4qt76tg.onion/docs/signing-keys.html.en. Note that hidden services do not offer very strong authentication. A powerful adversary is more likely than not able to impersonate a hidden service, but together with multiple sources it becomes increasingly costly and improbably that a single adversary can impersonate all of them.
Binary downloads are OpenPGP signed by Whonix developer Patrick Schleizer. The source code is available from github over TLS, you can git clone over https. Each release git tag is OpenPGP signed by Whonix developer Patrick Schleizer. If desired, you can request signed git development tags from Patrick Schleizer.
Whonix developer (w), named proper in past (w), renamed itself to adrelanos (w), published its OpenPGP key on 05/29/12 (w) (wiki history (w)). Revealed its identity on 01/18/14. (w) Patrick Schleizer posted its OpenPGP key transition message on 01/18/14 signed by his old and his new key. (w)
The OpenPGP key ensures, should the Whonix infrastructure ever be compromised by a powerful adversary (domain seizure/takeover etc.), that the original Whonix developers can at least prove, that they are the same people who owned the infrastructure.
Even if you distrust Whonix developers, OpenPGP verifying binary downloads or git tags is still useful. If you want to audit Whonix, you should ensure, that you actually got your download from Whonix developers and that no third party tampered with it. Examples:
- An attacker could modify source codes on github (w)
- sourceforge hacked (w)
- sourceforge mirror hacked (w)
|Warning: This feature only adds security if people like you actually use it! Don’t assume that someone else is doing it for you!|
Whonix has a feature which allows the community to check that Whonix .ova releases are verifiably created from project's own source code. We call this verifiable builds. This only proves that the person and machine building Whonix has added nothing malicious, such as a backdoor. It doesn't prove, that there are no backdoors in Debian. This isn't possible, because neither Debian nor any other operating system provides deterministic builds yet. Rather this feature is no attempt to proof, that there aren't any vulnerabilities in Whonix's or Debian. A remotely exploitable bug in Whonix or Debian, a flaw in Whonix's firewall leaking traffic or code phoning home the contents of your harddrive would still be fatal. A precondition so this feature can improve overall security is, that the community is auditing Whonix's and Debian's source code for being free of backdoors and vulnerabilities in the first place. In summary, we believe this feature is useful and can improve security, but however isn't a magical answer to all computer security and trust questions. The following table hopefully helps understanding what this feature achieves.
|Whonix||Tails||Tor Browser||Qubes OS TorVM||corridor|
|Deterministic Builds||No||No||Yes ||No||Not applicable. |
|Based on a Deterministically Built Operating System||No ||No ||No ||No ||No |
|Verifiably no backdoor in the project's own source code||Invalid ||Invalid ||Invalid ||Invalid ||Invalid |
|Verifiably vulnerability free||No ||No ||No ||No ||No |
|Verifiably no hidden source code in upstream distribution/binaries||No ||No ||No ||No ||No |
|Project's binary builds verifiably created from project's own source code (no hidden source code in the project's own source code)||Yes ||No||Yes||?||Not applicable. |
You might be curious, why Whonix is verifiable while neither Debian nor any other operating system is? This is because Whonix is very simple, to oversimplify it: Whonix is just a collection of configuration files and scripts, i.e. Whonix's source code does not contain any compiled code etc. On the other hand, Debian is a full operating system. And of course, without the great work of the Debian project and all the upstream projects, Whonix wouldn't exist.
This is just an introduction. See Verifiable Builds for the full page.
Verifiable Whonix Debian Packages
Since Whonix 7.5.2, all Whonix Debian Packages are deterministically built. This means, if you build Whonix Debian Packages 7.5.2 from source code, then download 7.5.2 from Whonix's Debian repository, you can simply diff the checksum (for example the sha512sum) of those files and they should match.
This is just an introduction. See Verifiable Builds#Verifiable Whonix Debian Packages for the full page.
Whonix provides an optional updater since Whonix 6.
- When building from source code, since Whonix 7.3.3, Whonix's APT Repository is disabled by default. If you are extra paranoid want to delete all Whonix APT Repository related code, get into Whonix source code folder and delete the following two files, see footnote. 
- For the Default-Download-Version, Whonix's APT Repository is enabled by default. While building Whonix using the build script, Whonix's APT repository has been added to /etc/apt/sources.list.d/whonix.list and Whonix's (adrelanos's) APT repository OpenPGP signing key has been added to apt-key by the whonix_repository tool.
When Whonix's APT Repository is enabled and updated Whonix debian packages are uploaded to Whonix's APT repository, next time you are upgrading your system using "sudo apt-get update && sudo apt-get dist-upgrade", those packages will automatically get installed. If this is not what you want, this can be disabled. Below is a security discussion about the implications.
Alternatively, you can update Whonix from source code.
At the moment, Whonix developer Patrick Schleizer is the only one holding the Whonix APT repository OpenPGP signing key.
When it comes to trust, there is a big difference if you are building Whonix from source code or if you are using the Default-Download-Version. When you build Whonix using the build script and verified the source code to be non-malicious and reasonable bug free, Whonix developers have no way to access your system. With Whonix's APT repository enabled however, Whonix developers holding a Whonix repository signing key could always release a malicious update and gain full access on your machines.
When using the Default-Download version, on one hand, when not using Whonix's APT repository, Whonix developers could sneak in a backdoor into the binary builds (download version) (the rest of this page above goes into this subject), which is worse enough. And on the other hand, while using Whonix's APT repository, Whonix developers could sneak in a backdoor at any time. Also notable, while the binary builds contain binary packages (which are downloaded from Debian repository while building), which makes it easier to sneak a backdoor in, the Whonix deb packages do not contain any compiled code yet (only configuration files, scripts, comments) (which might change with a malicious update). As long as there is no compiled code inside Whonix deb packages, it might be easier for auditors, to catch a backdoor in updated deb packages (unless its a targeted attack) compared to the binary builds (download version).
When Whonix's APT repository is disabled, there is no updater and the situation is the same as in Whonix 0.5.6 and below.
- *: one star.
- one star: bad
- more stars: better
- 4 starts: best
|Whonix-Default-Download with Whonix APT Repository||Whonix-Default-Download without Whonix APT Repository||Building from Source Code and using Whonix APT Repository||Building from Source Code without using Whonix APT Repository|
The least secure and most convenient way is to use Whonix is using Whonix-Default-Download and to leave Whonix's repository enabled.
It's a bit safer to use Whonix-Default-Download version and to disable Whonix's APT repository. When updated Whonix deb packages are released, download them manually, verify them manually and install them manually. Big security bonus points for verifying the deb package contents before installing them. You'll get most security, if you build Whonix from source code and also build update packages from source code. Big security bonus points for verifying the source code before building Whonix.
What do Digital Signatures Prove and What They DO NOT Prove
Most people, even programmers, often confuse the basic ideas behind digital signatures. Most people should read this section, even if it looks trivial at first sight.
Digital Signatures can prove, that a given file is authentic, i.e. that is has been indeed created by a person that signed it, and that its contents have not been tampered (so, integrity is preserved).
Digital Signatures do not prove any other property, e.g. that the file is not malicious. In fact there is nothing that could stop people from signing a malicious program (and it happens from time to time in reality).
The point is, of course, that people need to choose to trust some people, e.g. Linus Torvalds, Microsoft, etc. and assume that if a file(s) was indeed signed by those individuals, then indeed it should not be malicious and buggy in some horrible way. But the decision of whether to trust certain people (e.g. those behind the Whonix Project) is beyond the scope of digital signatures. It's more of a sociological and political decision.
However, once we make a decision to trust somebody (e.g. The Whonix Project and the files released by them), then the digital signatures are useful, because they make it possible to limit our trust only to those few people we chose, and not to worry about all the Bad Things That Can Happen In The Middle between us and them (i.e. the vendor), like e.g.: server compromises, dishonest IT staff at the hosting company, dishonest staff at the ISPs, WiFi attacks, etc.
If we verify all the files we download from the vendor, we don't need to worry about all the above bad things, because we would easily be able to detect when the file(s) has been tampered (and not execute/install/open them).
However, for the digital signatures to make any sense, one should ensure that the public keys we use for signature verification are indeed the original ones. Anybody can generate a OpenPGP key pair that would pretend to be for "Whonix Project", but only the key pair that I (Patrick Schleizer) generated is the legitimate one. Securely obtaining Whonix signing key is documented on a later page, Whonix Signing Key.
TLS/SSL/HTTPS with the CA model is flawed. We don't trust it and you shouldn't either. Even if all the implementation details (revocation not working, every CA can issue certs for anything, including "*") were sorted out, having to trust a 3rd party is a no go. But, we still have to rely on it to some extent for that lack of a widely used web of trust or other alternative.
Evil developer attack
This is only a theoretical attack, as far as we know. We are not aware that it ever happened to any software project. This is not a Whonix specific problem. It applies to all open source software projects, but more to those where the developers stay anonymous. Examples for such anonymously developed software projects are TrueCrypt, Tails, i2p...
The attack works like this: 1. Start a new software project. Alternatively join an existing software project. 2. Behave well, publish your sources. Gain trust. 3. Build binaries directly from your sources and offer them for download. 4. Make a great product, get a lot of users. 5. Continue to develop it. 6. Make a second branch of your sources and add malware. 7. Continue to publish your clean sources, but offer your malicious binaries for download. 8. Done! You infected a lot of users.
It is very difficult for end users to notice this attack. Of course, if all users would be added to a botnet, there would be news about this incident very soon and everyone would know. On the other hand, if the backdoor is barely used, it may remain secret for a long time.
The myth, that open source software is automatically more secure than closed source, is still strong and widespread. Yes, open source has advantages but certainly not for this threat model. Who checks if the binaries are made from the proclaimed source and publishes the results? That is called deterministic builds.  It is quite difficult to achieve that. If you are interested on how complex it is, also google 'trusting trust'.
All that is very difficult and it all comes back to trust. How can you trust developers? Even if they are not anonymous, you still do not know them and can not trust them? And even if you know them, can you trust them not to have made any mistakes?
These are serious questions to think about. Whonix is also affected by this issue, just like TrueCrypt, Tails, i2p, etc. Most projects (such as TrueCrypt) do not even inform about this fact. Whonix is just an ordinary software project, unfortunately we are unable to fix all problems in the world.
Whonix doesn't distribute any binaries, only redistributes unmodified upstream binaries, shell scripts, we do not create our own binaries. That's what we claim, but it's a lot easier to verify than if we were distributing our own binaries from source code we wrote. Users should worry about the motives and internal security of everyone contributing to torproject.org, all of the distro devs and maintainers and the hundreds of upstream devs and contributors. Trusted computing base size of a modern operating system today is so ridiculously big and so many people are involved we'd be really surprised if none of the "bugs" were intentional. And then there's the hardware. You think that even AMD could understand an Intel chip or vice versa? Of course one can't compare an anonymous contributor with no investment but time with a multi-national company. On the other hand, in comparison, detection here is just ridiculously simple (diff the hash sums), while finding and then proving that something is not a bug but a backdoor in a compiler, well designed source code let alone a CPU is impossible. Anonymous or not no longer matters these days. We are in a more or less open "cyber war" or that's what media and lawmakers want us to believe. Fact is, today players are backed by governments, they can use their real identities without fear of repercussion, fake IDs can be created, trustworthy people can be coerced into giving up their OpenPGP and ssh keys if projects even make use of any strong authentication. Judging by the lack of signatures on many open source upstream and even downstream downloads I'm sure many lack any internal security enforcement and still trust DNS to provide authenticity and clear text to provide integrity. About open source, yeah, you can bet Apple, Google and Microsoft have better internal security than the global open source community. However that doesn't make their code trustworthy or says anything about whether closed or open is more secure...
Whonix developer OpenPGP guidelines
All long term Whonix developers, are encouraged to:
- Create a 4096/4096 RSA/RSA OpenPGP key.
- Get the latest gpg.conf (which comes with Whonix-Workstation) for stronger hashes, no-emit-version, etc.
- Store the private key inside an encrypted file.
- Make a backup of that encrypted file.
- Remember the password, check yourself regularly.
- Also upload the encrypted file to some (free) online cloud hosting, in case of thief, fire, tornado, etc.
- Since the project started in 2012, we believe the earlier developer published its OpenPGP public key, the less likely is it, that the developer is attempting an evil developer attack.
Other Projects Discussing Trust
- Tails is a live CD or live USB that aims at preserving your privacy and anonymity. Tails about trust. (w)
- I2p (anonymizing network) does also talk about development attacks. (w)
- Qubes OS: What do the Digital Signatures Prove and What They DO NOT Prove (w)
- Miron’s Weblog: Attack Scenarios on Software Distributions (w)
- list of incidents of compromised servers: On distributing binaries (w)
Footnotes / References
- https://lists.debian.org/debian-security-announce/2008/msg00152.html (w)
- Due to build machine compromise.
- Whonix is based on Debian.
- Some Debian developres are working on it, see Reproducible Builds.
- Open Source does not automagically prevent backdoors, unless the user creates its own binaries from source code itself. The ones who compile, upload and distribute (also the webhost) the binaries could add a hidden code without publishing the backdoor code. Nothing prevents one to claim, that a certain binary has been built from a clean source code, while the binary was actually built by the source code plus the backdoor code. Also the ones who may have infected the build machine with a backdoor are in position to add a backdoor without the distributor being aware of it. Deterministic builds can detect backdoors. For more information on deterministic builds and why this is important, see:
- See Deterministic Builds Part One: Cyberwar and Global Compromise and Deterministic Builds Part Two: Technical Details.
- Just shell scripts.
- To be fair, there are no deterministically built operating system yet. It would take lots of effort to create one and its far from easy. When you search through the websites / mailing list archives of Open Source operating systems, you notice, that there is not even yet awareness of this issue.
A backdoor can either be a vulnerability as in a bug in the source code. Vulnerabilities can get introduced by accident (human error) or on purpose. Once the software has been deployed and the vulnerability has been found, it might happen, that an attacker uses an exploits to gain unauthorized access. Such vulnerabilities (or purposely planted backdoors) can, with cleverness, be planted in Open Source code plain sight, while being very difficult and unlikely to be spotted by people looking at the code. Examples:
- An attempt to backdoor the kernel.
- Some argued, the Debian SSL debacle, wasn't a bug, but a backdoor (no one has spot vulnerability in the source code for years!).
Therefore it is impossible to claim that non-trivial source code is backdoor free, because a backdoors can be hidden as vulnerabilities. Auditors scrutinizing the source code can only state their opinion about the quality of the source code and eventually report a vulnerability. It can only be reasonably easily checked, if the source code is free of computer viruses (for example, trojan horses), not backdoors.
- Although possible (in theory?), there are no mathematically proven bug free operating systems yet.
- The upstream distribution is the distribution on which the project is based on. Whonix and Tails are based on Debian, thus Debian is their upstream distribution. QubesOS TorVM is based on Qubes OS, which itself is based on Fedora and Xen.
- See Trust#Verifiable Builds.
- Not possible doesn't mean impossible here. Would just involve lots of work.
- Because in order to implement the verifiable builds feature, we need to get rid of lots of non-deterministic auto-generated files at the end of the build process and to re-create them during first boot.
rm --verbose whonix_shared/usr/share/whonix/postinst.d/70_whonix_apt_key rm --verbose whonix_shared/usr/bin/whonix_repository ## Not really necessary. rm --verbose man/whonix_shared/whonix_repository.8.ronn rm --verbose whonix_shared/etc/whonix.d/30_aptrepository_default
You have to do this every time you are upgrading Whonix from source code.
- See SSL.
Whonix Trust wiki page Copyright (C) Amnesia <amnesia at boum dot org> Whonix Trust wiki page Copyright (C) 2012 -2014 Patrick Schleizer <firstname.lastname@example.org> This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code. This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.
Thanks to Qubes OS (Permission) (w). The "What do the Digital Signatures Prove and What They DO NOT Prove" chapter contains content from the Qubes OS: What do the Digital Signatures Prove and What They DO NOT Prove page.
Log in | OpenID | Contact | Impressum | Datenschutz | Haftungsausschluss