Trust is a very problematic issue, and that's the essence of why security is difficult in every field, including computers and Internet communication. Do you trust Whonix and its developers? Do you think we have planted backdoors in Whonix so we can take control of your computer, or that we make Whonix generate compromised encryption keys in order to enable the government to spy on you? Do you simply trust our word that we are legit?
No matter what your opinion is in this matter you should ask how you reached that conclusion. Both trust and distrust need to be established based on facts, not gut feeling, paranoid suspicion, unfounded hearsay or our word. Of course, we claim to be honest, but written assurances are worthless. In order to make an informed decision you must look at the greater picture of what Whonix is comprised of, our affiliations, and possibly how others trust us.
Free software and public scrutiny
Free software, like Whonix, enables its users to check exactly what the software distribution consists of and how it functions since the source code must be made available to all who receive it. Hence a thorough audit of the code can reveal if any malicious code, like a backdoor, is present. Furthermore, with the source code it is possible to build the software, and then compare the result against any version that is already built and being distributed, like the Whonix ova images you can download from sourceforge.net. That way it can be determined whether the distributed version actually was built with the source code, or if any malicious changes have been made.
Of course, most people do not have the knowledge, skills or time required to do this, but due to public scrutiny anyone can have a certain degree of implicit trust in Free software, at least if it is popular enough that other developers look into the source code and do what was described in the previous paragraph. After all, there is a strong tradition within the Free software community to publicly report serious issues that are found within software.
Trusting Debian GNU/Linux
The vast majority of all software shipped in Whonix comes from the Debian GNU/Linux distribution. Debian is the Linux distribution whose software packages are arguably under the deepest public scrutiny. Not only is Debian itself one of the largest Linux distros, but it is also one of the most popular distros to make derivatives from. Ubuntu Linux, for instance, is a Debian derivative, and the same goes transitively for all of its derivatives, like Linux Mint. Thus there are countless people using Debian's software packages, and countless developers inspect their integrity. Very serious security issues have been discovered (like the infamous Debian SSH PRNG vulnerability), but backdoors or other types of intentionally placed security holes have never been found to our knowledge.
Whonix anonymity is based on Tor, which is developed by The Tor Project. The development of Tor is under a lot of public scrutiny both academically (research on attacks and defenses on onion routing) and engineering-wise (Tor's code has gone through several external audits, and many independent developers have read through the sources for other reasons). Again, security issues have been reported, but nothing malicious like a backdoor -- we would argue that it is only uninformed conspiracy theorists that speculate about deliberate backdoors in Tor these days. Furthermore, Tor's distributed trust model makes it hard for a single entity to capture an individual's traffic and effectively identify them.
One could say that Whonix is the union of Debian and Tor. What we do, essentially, is glue it all together. Hence, if you trust Debian and The Tor Project, what remains to establish trust for Whonix is to trust our "glue". As has been mentioned, Whonix is Free software, so its source code is completely open for inspection, and it is mainly comprised of a specification of which Debian software packages to install, and how they should be configured. While Whonix surely doesn't get the same amount of attention as Debian or Tor, we do have some eyes on us, especially from the Tor community, and also from some of the general security community (see our audits page). Given that Whonix source code is comparably small and devoid of complexities, we're in a pretty good spot compared to many other projects of similar nature. Our specification and design document (see Design) is a good starting point to understand how Whonix works, by the way.
With all this in light (which you ideally also should try to verify), you should be able to make an informed decision on whether or not you should trust our software.
How can I trust the download images?
Don't trust 'us'! You don't know us. Never trust people you don't know, especially not on the internet. Even if you decided to blindly trust Whonix developer Patrick Schleizer for some strange reason, well, Patrick feels honored, but since Whonix is/could become a high profile target, it is a bad idea to assume that Patrick's build machine is clean of sophisticated targeted attacks.
You can trust these binary images to some extent if you can verify that you get exactly the same code as hundreds of other users (you can check on sourceforge how often the builds were downloaded) and no one found and publicly reported any security issue. To make that verification possible, OpenPGP signatures have been uploaded since Whonix 0.4.5.
Sourceforge ensures some trust and integrity of the hash file through TLS (check the certificate), unfortunately only for users who are registered and logged in.
Binary releases and source code tags for releases are OpenPGP signed by Whonix developer Patrick Schleizer. The Whonix project exists since 2012-01-11. (Earlier project names were TorBOX and aos (History).)
Verifiable Builds allow auditors to check if there is hidden code inside Whonix.
If that's not good enough, you are very much welcome to build your own Whonix images using the BuildDocumentation. It is easy.
OpenPGP: Usually you get a fingerprint on a web site (insecure, or secured with the broken TLS) and then download that from a key server (insecure, or secured with the broken TLS). Unless you have attended any key signing parties and have a trust path to everyone you need to connect with, OpenPGP is only as secure as TLS!
To mitigate this, it is recommended to check the OpenPGP fingerprint from multiple "secure" sites. Bonus points for using different authentication systems. For example: https://www.torproject.org/docs/signing-keys.html.en AND http://idnxcnkne4qt76tg.onion/docs/signing-keys.html.en. Note that hidden services do not offer very strong authentication. A powerful adversary is more likely than not able to impersonate a hidden service, but together with multiple sources it becomes increasingly costly and improbable that a single adversary can impersonate all of them.
Binary downloads are OpenPGP signed by Whonix developer Patrick Schleizer. The source code is available from github over TLS; you can git clone over https. Each release git tag is OpenPGP signed by Whonix developer Patrick Schleizer. If desired, you can request signed git development tags from Patrick Schleizer.
The Whonix developer, named proper in the past, renamed itself to adrelanos, published its OpenPGP key on 05/29/12 (wiki history). Revealed its identity on 01/18/14. Patrick Schleizer posted its OpenPGP key transition message on 01/18/14, signed by his old and his new key.
The OpenPGP key ensures that, should the Whonix infrastructure ever be compromised by a powerful adversary (domain takeover etc.), the original Whonix developers can at least prove that they are the same people who owned the infrastructure.
Even if you distrust Whonix developers, OpenPGP verifying binary downloads or git tags is still useful. If you want to audit Whonix, you should ensure that you actually got your download from Whonix developers and that no third party tampered with it. Examples:
- An attacker could modify source code on github
- sourceforge hacked
- sourceforge mirror hacked
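
An added example, not part of the Whonix documentation: one way to script the two checks described above, namely that fingerprints copied from several independent sources agree, and that a download's signature was made by exactly that key rather than by any key in the keyring. The function names are hypothetical; it assumes 40-hex-digit (v4) fingerprints, a detached signature file, and that the signing key has already been imported into the local GnuPG keyring.

```shell
#!/bin/sh
# Added example, not Whonix project code. Fingerprints passed to these
# functions are whatever the caller copied from each source.

# norm_fpr FPR: strip spaces, colons and a leading 0x, then upper-case.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# consensus_fpr FPR1 FPR2 [...]
# Prints the agreed fingerprint only if at least two copies were supplied,
# each is a full 40-hex-digit fingerprint, and all of them are identical.
consensus_fpr() {
    if [ "$#" -lt 2 ]; then
        echo "need the fingerprint from at least two sources" >&2
        return 2
    fi
    first=$(norm_fpr "$1")
    for f in "$@"; do
        n=$(norm_fpr "$f")
        case "$n" in
            *[!0-9A-F]*) echo "not hexadecimal: $f" >&2; return 1 ;;
        esac
        if [ "${#n}" -ne 40 ]; then
            echo "not a full 40-digit fingerprint: $f" >&2
            return 1
        fi
        if [ "$n" != "$first" ]; then
            echo "sources disagree: $f" >&2
            return 1
        fi
    done
    printf '%s\n' "$first"
}

# signer_from_status PINNED_FPR   (reads `gpg --status-fd` output on stdin)
# Succeeds only if a VALIDSIG line names PINNED_FPR as the signing key or as
# its primary key, and no bad/expired/revoked signature status was reported.
signer_from_status() {
    want=$(norm_fpr "$1")
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# verify_download PINNED_FPR SIGFILE DATAFILE
# Runs gpg on a detached signature and accepts the file only when the
# machine-readable status names the pinned key.
verify_download() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        signer_from_status "$1"
}

# Typical use (file names are placeholders):
#   fpr=$(consensus_fpr "$from_site_a" "$from_site_b" "$from_onion") &&
#   verify_download "$fpr" image.ova.asc image.ova && echo "signed by pinned key"
```

Parsing the status lines instead of looking for "Good signature" in the human-readable output is what ties the result to the pinned fingerprint.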
Warning: Deprecated. A dedicated maintainer is required.
Warning: This feature only adds security if people actually use it! Don't assume that someone else will do it for you!
Whonix has a feature which allows the community to check that Whonix .ova  releases are verifiably created from the project's own source code. This is called verifiable builds. This only proves that the person and machine  building Whonix have not added anything malicious, such as a backdoor.  It doesn't prove there are no backdoors present in Debian. This isn't possible, because neither Debian  nor any other operating system provides deterministic builds yet. 
This feature does not attempt to prove there aren't any vulnerabilities present  in Whonix or Debian. Fatal outcomes are still possible via: a remotely exploitable  bug in Whonix or Debian, a flaw in Whonix's firewall which leaks traffic, or code phoning home  the contents of your hard drive. A precondition to improve security with this feature is community efforts in auditing Whonix and Debian source code to check for possible backdoors and vulnerabilities. In summary, this feature is useful and potentially improves security, but it isn't a magical solution for all computer security and trust issues. The following table will help you understand what this feature can achieve.
| | Whonix | Tails | Tor Browser | Qubes OS TorVM | Corridor |
|---|---|---|---|---|---|
| Deterministic Builds | No | No (Planned) | Yes | No | Not Applicable |
| Based on a Deterministically Built Operating System | No | No | Not Applicable | No | No |
| Verifiably no backdoor in the project's own source code | Invalid | Invalid | Invalid | Invalid | Invalid |
| Verifiably vulnerability free | No | No | No | No | No |
| Verifiably no hidden source code in upstream distribution/binaries | No | No | No | No | No |
| Project's binary builds are verifiably created from project's own source code (no hidden source code in the project's own source code) | No (Deprecated) | No | Yes | No | Not Applicable |
Some readers might be curious why Whonix is verifiable, while Debian and other distributions are not. In short, this is because Whonix is uncomplicated by comparison. To oversimplify it: Whonix is just a collection of configuration files and scripts, and the source code does not contain any compiled code and so on. In contrast, Debian is a full operating system, without which Whonix wouldn't exist. 
This feature was first made available in Whonix 8. Only users who download a new image can profit from this feature.  It is not possible to audit versions older than Whonix 8 with this script. 
This is just an introduction. See Verifiable Builds for the full page.
Verifiable Whonix Debian Packages
Warning: Deprecated. A dedicated maintainer is required.
Since Whonix 7.5.2, all Whonix Debian Packages have been deterministically built. This means if you build Whonix Debian Packages 7.5.2 from source code, then download 7.5.2 from the Whonix Debian repository, you can simply diff the checksum (for example the sha512sum) of those files and they should match. This has been deprecated because of a dpkg bug. The estimate of the Installed-Size can be wrong by a factor of 8, or a difference of 100MB. Different underlying file systems cause different file sizes, leading to checksums not matching. This has been deprecated because it is difficult to implement before Debian Stretch and/or the experimental Debian reproducible toolchain being merged into Debian stable.
This is just an introduction. See Verifiable Builds#Verifiable Whonix Debian Packages for the full page.
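
An added example, not code from the Whonix project: a sketch of the checksum comparison described above, extended to report when two packages differ only outside the installed file tree, which is where an Installed-Size discrepancy lives. The function and directory names are hypothetical; `dpkg-deb` is used for the payload check only if it is installed.

```shell
#!/bin/sh
# Added example, not Whonix project code. Directory names are the caller's.

# sha512_stdin: SHA-512 of standard input as hex (sha512sum, else shasum).
sha512_stdin() {
    if command -v sha512sum >/dev/null 2>&1; then sha512sum; else shasum -a 512; fi |
        cut -d' ' -f1
}

# same_payload A.deb B.deb: true if both are readable packages whose installed
# file trees (the data archive) are byte-identical. Needs dpkg-deb.
same_payload() {
    command -v dpkg-deb >/dev/null 2>&1 || return 1
    dpkg-deb -I "$1" >/dev/null 2>&1 || return 1
    dpkg-deb -I "$2" >/dev/null 2>&1 || return 1
    [ "$(dpkg-deb --fsys-tarfile "$1" | sha512_stdin)" = \
      "$(dpkg-deb --fsys-tarfile "$2" | sha512_stdin)" ]
}

# compare_builds BUILT_DIR FETCHED_DIR
# Prints one line per *.deb and returns 0 only if every package exists on
# both sides with an identical SHA-512.
compare_builds() {
    built=$1; fetched=$2; rc=0; seen=0
    for f in "$built"/*.deb; do
        [ -e "$f" ] || continue
        seen=1; name=${f##*/}
        if [ ! -f "$fetched/$name" ]; then
            echo "ONLY-BUILT   $name"; rc=1
        elif [ "$(sha512_stdin < "$f")" = "$(sha512_stdin < "$fetched/$name")" ]; then
            echo "MATCH        $name"
        elif same_payload "$f" "$fetched/$name"; then
            # Installed files agree; the difference is in the control archive
            # (fields such as Installed-Size, but also maintainer scripts that
            # run as root) or in compression, so it still needs inspection.
            echo "MISMATCH     $name (payload identical, control/packaging differs)"; rc=1
        else
            echo "MISMATCH     $name"; rc=1
        fi
    done
    for f in "$fetched"/*.deb; do
        [ -e "$f" ] || continue
        seen=1
        [ -f "$built/${f##*/}" ] || { echo "ONLY-FETCHED ${f##*/}"; rc=1; }
    done
    if [ "$seen" -eq 0 ]; then echo "no .deb files found" >&2; return 2; fi
    return "$rc"
}
```

A mismatch is treated as a failure in every case; the payload note only narrows down where an auditor should look first.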
Whonix provides an optional updater since Whonix 6.
- When building from source code, since Whonix 7.3.3, Whonix's APT Repository is disabled by default.
- For the Default-Download-Version, Whonix's APT Repository is enabled by default. While building Whonix using the build script, Whonix's APT repository has been added to /etc/apt/sources.list.d/whonix.list and Whonix's (adrelanos's) APT repository OpenPGP signing key has been added to apt-key by the whonix_repository tool.
- Qubes/Install: enabled by default
- When building from source code: enabled by default. To disable:
When Whonix's APT Repository is enabled and updated Whonix debian packages are uploaded to Whonix's APT repository, next time you are upgrading your system using "sudo apt-get update && sudo apt-get dist-upgrade", those packages will automatically get installed. If this is not what you want, this can be disabled. Below is a security discussion about the implications.
Alternatively, you can update Whonix from source code.
At the moment, Whonix developer Patrick Schleizer is the only one holding the Whonix APT repository OpenPGP signing key.
When it comes to trust, there is a big difference between building Whonix from source code and using the Default-Download-Version. When you build Whonix using the build script and have verified the source code to be non-malicious and reasonably bug free, Whonix developers have no way to access your system. With Whonix's APT repository enabled, however, Whonix developers holding a Whonix repository signing key could always release a malicious update and gain full access to your machines.
When using the Default-Download version, on one hand, when not using Whonix's APT repository, Whonix developers could sneak a backdoor into the binary builds (download version) (the rest of this page above goes into this subject), which is bad enough. And on the other hand, while using Whonix's APT repository, Whonix developers could sneak in a backdoor at any time. Also notable: while the binary builds contain binary packages (which are downloaded from the Debian repository while building), which makes it easier to sneak a backdoor in, the Whonix deb packages do not contain any compiled code yet (only configuration files, scripts, comments) (which might change with a malicious update). As long as there is no compiled code inside Whonix deb packages, it might be easier for auditors to catch a backdoor in updated deb packages (unless it's a targeted attack) compared to the binary builds (download version).
When Whonix's APT repository is disabled, there is no updater and the situation is the same as in Whonix 0.5.6 and below.
- *: one star.
- one star: bad
- more stars: better
- 4 stars: best
|Whonix-Default-Download with Whonix APT Repository||Whonix-Default-Download without Whonix APT Repository||Building from Source Code and using Whonix APT Repository||Building from Source Code without using Whonix APT Repository|
The least secure and most convenient way to use Whonix is to use Whonix-Default-Download and to leave Whonix's repository enabled.
It is a bit safer to use the Whonix-Default-Download version and to disable Whonix's APT repository. When updated Whonix deb packages are released, download them manually, verify them manually and install them manually. Big security bonus points for verifying the deb package contents before installing them. You'll get the most security if you build Whonix from source code and also build update packages from source code. Big security bonus points for verifying the source code before building Whonix.
What do Digital Signatures Prove and What They DO NOT Prove
Most people, even programmers, often confuse the basic ideas behind digital signatures. Most people should read this section, even if it looks trivial at first sight.
Digital Signatures show that someone who had access to the private key has made a signature. It is an indication that the contents have not been tampered with (so integrity is preserved), and can indicate that a given file is authentic.
Digital Signatures do not prove any other property, e.g. that the file is not malicious. In fact there is nothing that could stop people from signing a malicious program (and it happens from time to time in reality).
The point is, of course, that people need to choose to trust some people, e.g. Linus Torvalds, Microsoft, etc. and assume that if a file(s) was indeed signed by those individuals, then indeed it should not be malicious and buggy in some horrible way. But the decision of whether to trust certain people (e.g. those behind the Whonix Project) is beyond the scope of digital signatures. It is more of a sociological and political decision.
However, once we make a decision to trust somebody (e.g. The Whonix Project and the files released by them), then the digital signatures are useful, because they make it possible to limit our trust only to those few people we chose, and not to worry about all the Bad Things That Can Happen In The Middle between us and them (i.e. the vendor), like e.g.: server compromises, dishonest IT staff at the hosting company, dishonest staff at the ISPs, WiFi attacks, etc.
If we verify all the files we download from the vendor, we don't need to worry about all the above bad things, because we would easily be able to detect when the file(s) have been tampered with (and not execute/install/open them).
However, for the digital signatures to make any sense, one should ensure that the public keys we use for signature verification are indeed the original ones. Anybody can generate an OpenPGP key pair that would pretend to be for "Whonix Project", but only the key pair that Patrick Schleizer generated is the legitimate one. Securely obtaining the Whonix signing key is documented on a later page, Whonix Signing Key.
TLS/SSL/HTTPS with the CA model is flawed. We don't trust it and you shouldn't either. Even if all the implementation details (revocation not working, every CA can issue certs for anything, including "*") were sorted out, having to trust a 3rd party is a no go. But we still have to rely on it to some extent for lack of a widely used web of trust or other alternative.
Evil developer attack
This is only a theoretical attack, as far as we know. We are not aware that it ever happened to any software project. This is not a Whonix specific problem. It applies to all open source software projects, but more to those where the developers stay anonymous. Examples for such anonymously developed software projects are TrueCrypt, Tails, I2P...
The attack works like this:
1. Start a new software project. Alternatively join an existing software project.
2. Behave well, publish your sources. Gain trust.
3. Build binaries directly from your sources and offer them for download.
4. Make a great product, get a lot of users.
5. Continue to develop it.
6. Make a second branch of your sources and add malware.
7. Continue to publish your clean sources, but offer your malicious binaries for download.
8. Done! You infected a lot of users.
It is very difficult for end users to notice this attack. Of course, if all users would be added to a botnet, there would be news about this incident very soon and everyone would know. On the other hand, if the backdoor is barely used, it may remain secret for a long time.
The myth that open source software is automatically more secure than closed source is still strong and widespread. Yes, open source has advantages, but certainly not for this threat model. Who checks if the binaries are made from the proclaimed source and publishes the results? That is called deterministic builds. It is quite difficult to achieve that. If you are interested in how complex it is, also google 'trusting trust'.
All that is very difficult and it all comes back to trust. How can you trust developers? Even if they are not anonymous, you still do not know them and can not trust them? And even if you know them, can you trust them not to have made any mistakes?
These are serious questions to think about. Whonix is also affected by this issue, just like TrueCrypt, Tails, I2P, etc. Most projects (such as TrueCrypt) do not even inform about this fact. Whonix is just an ordinary software project, unfortunately we are unable to fix all problems in the world.
Whonix doesn't distribute any binaries, only redistributes unmodified upstream binaries, shell scripts, we do not create our own binaries. That's what we claim, but it is a lot easier to verify than if we were distributing our own binaries from source code we wrote. Users should worry about the motives and internal security of everyone contributing to torproject.org, all of the distro devs and maintainers and the hundreds of upstream devs and contributors. Trusted computing base size of a modern operating system today is so ridiculously big and so many people are involved we'd be really surprised if none of the "bugs" were intentional. And then there's the hardware. You think that even AMD could understand an Intel chip or vice versa? Of course one can't compare an anonymous contributor with no investment but time with a multi-national company. On the other hand, in comparison, detection here is just ridiculously simple (diff the hash sums), while finding and then proving that something is not a bug but a backdoor in a compiler, well designed source code let alone a CPU is impossible. Anonymous or not no longer matters these days. We are in a more or less open "cyber war" or that's what media and lawmakers want us to believe. Fact is, today players are backed by governments, they can use their real identities without fear of repercussion, fake IDs can be created, trustworthy people can be coerced into giving up their OpenPGP and ssh keys if projects even make use of any strong authentication. Judging by the lack of signatures on many open source upstream and even downstream downloads I'm sure many lack any internal security enforcement and still trust DNS to provide authenticity and clear text to provide integrity. About open source, yeah, you can bet Apple, Google and Microsoft have better internal security than the global open source community. However that doesn't make their code trustworthy or says anything about whether closed or open is more secure...
Whonix developer OpenPGP guidelines
All long term Whonix developers are encouraged to:
- Create a 4096/4096 RSA/RSA OpenPGP key.
- Get the latest gpg.conf (which comes with Whonix-Workstation) for stronger hashes, no-emit-version, etc.
- Store the private key inside an encrypted file.
- Make a backup of that encrypted file.
- Remember the password, check yourself regularly.
- Also upload the encrypted file to some (free) online cloud hosting, in case of theft, fire, tornado, etc.
- Since the project started in 2012, we believe that the earlier a developer published its OpenPGP public key, the less likely it is that the developer is attempting an evil developer attack.
Other Projects Discussing Trust
- Tails is a live CD or live USB that aims at preserving your privacy and anonymity. Tails about trust.
- I2P (anonymizing network) also talks about development attacks.
- Qubes OS: What do the Digital Signatures Prove and What They DO NOT Prove
- Miron's Weblog: Attack Scenarios on Software Distributions
- List of incidents of compromised servers: On distributing binaries
Footnotes / References
- https://lists.debian.org/debian-security-announce/2008/msg00152.html
- Due to build machine compromise.
- Whonix is based on Debian.
- Some Debian developers are steadily working on this long-term project, see: Reproducible Builds.
- Open Source software does not automatically prevent backdoors, unless the user creates their own binaries directly from the source code. People who compile, upload and distribute binaries (including the webhost) could add hidden code, without publishing the backdoor. Anybody can claim that a certain binary was built cleanly from source code, when it was in fact built using the source code with a hidden component. Those deciding to infect the build machine with a backdoor are in a privileged position; the distributor is unlikely to become aware of the subterfuge. Deterministic builds can help to detect backdoors, since it can reproduce identical binary packages (byte-for-byte) from a given source. For more information on deterministic builds and why this is important, see:
- See Tails Roadmap.
- See Deterministic Builds Part One: Cyberwar and Global Compromise and Deterministic Builds Part Two: Technical Details.
- Corridor only uses shell scripts.
- To be fair, there are no deterministically built operating systems yet. It is a difficult process and takes a lot of effort to complete. While Debian has almost 20,000 reproducible packages in early 2017, this work has been ongoing since 2013 and is far from done.
The first form of backdoor is a vulnerability (bug) in the source code. Vulnerabilities are introduced either purposefully or accidentally due to human error. Following software deployment, an attacker may discover the vulnerability and use an exploit to gain unauthorized access. Such vulnerabilities can be cleverly planted in plain sight in open source code, while being very difficult to spot by code auditors. Examples of this type of backdoor include:
- An attempt to backdoor the kernel.
- The Debian SSL debacle; many argued that this wasn't a bug but in fact a backdoor, as it hadn't been spotted for several years.
It is therefore impossible to claim that non-trivial source code is backdoor free, because backdoors can be hidden as vulnerabilities. Auditors scrutinizing the source code can only state an opinion about the quality of the source code, and eventually report vulnerabilities if/when they are identified. The assertion that source code is free of computer viruses (like trojan horses) is the only reasonable assertion that can be made.
- Although theoretically possible, there are no mathematically proven bug free operating systems yet.
- The upstream distribution is the distribution on which the project is based. Whonix and Tails are based on Debian, thus Debian is their upstream distribution. QubesOS TorVM is based on Qubes OS, which is itself based on Fedora and Xen.
- See Trust#Verifiable Builds.
- Whonix relies on the great work of Debian and other upstream projects.
- Because in order to implement the verifiable builds feature, lots of non-deterministic, auto-generated files are removed at the end of the build process and re-created during first boot.
- Not possible doesn't mean impossible here, but it would require significant effort.
- This bug has now been resolved.
- See SSL.
Whonix Trust wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Trust wiki page Copyright (C) 2012 - 2017 Patrick Schleizer <firstname.lastname@example.org>
This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.
Thanks to Qubes OS (Permission). The "What do the Digital Signatures Prove and What They DO NOT Prove" chapter contains content from the Qubes OS: What do the Digital Signatures Prove and What They DO NOT Prove page.