Voice over IP (VoIP)
- 1 Introduction
- 2 Mumble
- 3 Tox
- 4 Warnings
- 5 VoIP Software List
- 6 Sources
- 7 Footnotes
Voice over IP (VoIP) is: 
...a technology that allows you to make voice calls using a broadband Internet connection instead of a regular (or analog) phone line. ... VoIP services convert your voice into a digital signal that travels over the Internet. If you are calling a regular phone number, the signal is converted to a regular telephone signal before it reaches the destination. VoIP can allow you to make a call directly from a computer, a special VoIP phone, or a traditional phone connected to a special adapter.
VoIP software is complex and has a large attack surface. Several threat classes have been identified in the literature: social threats; eavesdropping, interception and modification of session contents; denial of service attacks; unauthorized access to VoIP equipment; and a sudden interruption of services. 
Anonymizing VoIP is somewhat difficult, but still possible. It is easy to hide the IP address with Whonix ™, but the voice recognition component and slow Tor network speed (latency) are definite obstacles. Depending on your threat model, pseudonymous use of VoIP might be appropriate; this involves hidden voice communications that take place with known contacts. Consider the factors in the table below before deciding to use VoIP in Whonix ™.
Table: Factors affecting VoIP Anonymity
|VoIP Domain||Description||IP Anonymity||Full Anonymity |
|Tor + VOIP + Known Participants||
|Tor + VOIP + Unknown Participants||
|Tor + VoIP + Artificial Voice||
|Whistleblowing [archive]: Tor + VoIP||
||Yes||With scrambler: Maybe|
Software and Configuration
Some fully-functioned and reliable Libre VoIP software is already available, such as Linphone [archive] and Jitsi [archive].  Unfortunately it is not possible to communicate directly over Tor using a VoIP server, because all session initiation protocol (SIP)-based clients use UDP and Tor developers closed the related support ticket years ago.  
The best workaround for SIP clients at present is to Tunnel UDP over Tor. The main downside of this method is that phone calls over Tor are slower and less convenient compared to ordinary networks. The reason is even when UDP packets are tunneled over Tor, the restrictions of the underlying TCP protocol still apply. To account for delays, push-to-talk [archive] is a reliable communication method in this configuration -- it has similarities to using a walkie-talkie [archive]. The Guardian Project [archive] recommends that 'prowords' (procedure words)  such as "Roger" are used to acknowledge the end of transmission (speech, sentence). 
When configuring the chosen software, it is safer to delegate encryption to Tor by utilizing onion services for both the caller and receiver. If that is not possible, then only use VoIP clients which support end-to-end encryption protocols like SRTP [archive] or ZRTP [archive].  This recommendation comes with warnings:
- Never use a Variable Bit Rate (VBR) [archive] codec because ZRTP cannot protect it.
- Authentication strings must be compared with the other party during the initial call. If the strings do not match then this signals an active man-in-the-middle attack is underway and the call should be terminated.
Servers and Privacy
Even with end-to-end encryption, VoIP servers servers can log call signalling metadata. This is not a major threat if:
- VoIP IDs are anonymously registered (no personal data is required for signing up).
- All parties only and always connect over Tor and have never used (or will use) accounts over clearnet.
- All calls are encrypted end-to-end.
- No communications occur with anonymous strangers.
In this case it is unlikely a malicious server could cause much harm from logging or other actions. 
Other than the factors outlined in this introduction section, no additional anonymity or security problems have been identified for VoIP. That said, this configuration is less tested in Whonix ™ so the performance and voice quality could be quite variable. If this activity is necessary, then it is recommended to test the performance of VoIP software for yourself and to provide feedback about the experience.
Mumble is: 
... a low-latency, high quality voice chat program for gaming. It features noise suppression, encrypted connections for both voice and instant messaging, automatic gain control and low latency audio with support for multiple audio standards. Mumble includes an in-game overlay compatible with most open-source and commercial 3D applications. Mumble is just a client and uses a non-standard protocol. You will need a dedicated server to talk to other users. Server functionality is provided by the package "mumble-server".
- The software is open source and packaged in Debian, as well as for all major operating systems.
- Client to server encryption is supported. 
- The communication is high quality and low latency. 
- It is possible to check nobody is wiretapping the connection (MITM) by verifying client/server certificates. 
- Push to talk is supported. 
- The interface is similar to Team Speak [archive], but without its disadvantages.
- It supports TCP mode  which is necessary because the Tor network does not support UDP yet.
To use Mumble, one party must act as a server while everyone else can act as a client. If the server administrator runs the server on its local machine and also wants to connect to the server, then local (
127.0.0.1) connections are recommended since it is faster than connecting to the onion service domain.
Group chats pose a greater risk since there is no end-to-end encryption. This means if the server is compromised, all conversations are no longer private. However, if only two parties use Mumble for communications, then end-to-end encryption protects against this threat.
When one of the two communicating parties hosts a mumble server as a Tor onion service and the other party connects over Tor, encryption is already provided by Tor. This means Mumble's own encryption is not required and so long as a server password is set (see below), this configuration should be secure. 
Mumble Server Instructions
Newcomers are recommended to first read the introduction to Onion Services and to learn about security benefits compared to regular 'clearnet' connections. This wiki resource is also useful if configuring a hidden web server on the same
.onion domain, since it helps users to grasp basic operations and test them.
Update the package lists.
sudo apt-get update
sudo apt-get install mumble
Start menu →
Configure Mumble to suit your preferences.
Next, enable Force TCP mode.
Go to Configure →
Check "Advanced" →
Check "Force TCP mode" →
Follow these steps to add a new server. 
- Servername: anything - this can be same as the .onion domain name
- Address: enter your .onion domain name or if the mumble server is running in your own Whonix-Workstation ™, choose
- Port: 64738
- Username: anything
It is now possible to connect to the server.
Mumble (and mumble-server) connections pass through Tor's TransPort, but this should not have a negative anonymity impact. The reason is connections to and from onion services are stream-isolated. 
Security-conscious, free software developers consider browsers as a poor and dangerous option for implementing privacy-critical software. Browsers have a large attack surface (numerous security holes) and lack adequate process isolation, which can lead to the theft of private encryption keys if malicious code is run.
Tox   looks like a promising solution for secure, encrypted communications. The official client implementation is based on the Toxcore protocol library, which is very feature-rich and has a variety of functions besides VoIP. By default, Tox does not attempt to cloak your IP address from authorized contacts. However, Tox connections can be tunneled through Tor, allowing communication with others even if they are not anonymous.  Desktop and mobile client versions have been developed for every major OS platform. 
To learn more or to install this software, refer to this entry.
Does this mean if I combine Whonix ™ with proprietary software like Skype, that my IP address and location will be safe?
Yes, the IP address and location remain hidden. Skype was tested to work in Whonix ™ several years ago, but it appears to have stopped working around 2013/14.  Developers have very little interest in testing or providing functional Skype instructions, because it is strongly recommended against. As gnu.org [archive] notes: "Skype contains spyware [archive]. Microsoft changed Skype specifically for spying [archive]."
- Microsoft has long delayed providing a secure end-to-end encrypted communication channel until the announcement of the non-default "Conversations" option in 2018. 
- After Microsoft purchased Skype in 2010 they changed the architecture, leading observers to note this would increase the ease of surveillance. Client-side encryption was replaced with server-side encryption, allowing unencrypted data to be disseminated when requested. 
- Skype is closed source software and inherently distrusted based on Microsoft's behavior. For example it was revealed in 2013 that Skype had a program entitled "Project Chess", which was exploring legal and technical issues in making communications available to law enforcement and other agencies.  
- Company executives lied in 2012 when they denied giving government agency access to customer communications.
- Skype has a long history of serious security flaws and conducting unannounced spying, such as reading BIOS data from the PC and accessing the Firefox profile folder during execution (where passwords are stored). 
None of these issues are related to Whonix ™ or Tor; the blame falls squarely on the company producing the software. At best, Skype usage can only be considered pseudonymous rather than anonymous, particularly since it acts like malware. It would be completely unsurprising if Skype linked all account names inside Whonix-Workstation ™ to the same pseudonym.
As well as the threat posed by Skype's design, behavior and parent company, there are additional risks to this non-free software:
- Accounts: if you log into an account without Tor, even once, then it should be considered non-anonymous. It is virtually certain logs are retained that can link Tor and non-Tor use together.
- Always follow the wiki recommendations to not mix anonymity modes.
- Communication partner: if the other party did not create their account over Tor, or has not exclusively paired the account with Tor, then it is easy to verify your identity.
- Encryption: as noted above, the encryption architecture is weak by default and the Skype authority is unworthy of trust -- consider the encryption broken at the outset. Always remember you do not control the encryption keys and the closed source software is hostile to privacy by design.
- Voice recognition: as noted in the introduction, today's sophisticated software can easily identify you, even if Skype encryption is not broken.
In conclusion, Skype cannot be used for truly (pseudo-)anonymous activites, even though it does not leak the IP address/location. This means it is useful for circumvention only. Anybody capable and willing to communicate with partners who exclusively create and use accounts over Tor have far better options available.
Whonix has consistently advised against TORFone [archive] -- a fork of SpeakFreely [archive] -- since the developer in 2013 recommended against using the software:  "I did not think this project as a finished product for practical use." At that time, the project received an overall poor review in the mailing list thread.
It is unclear whether the situation has improved over the last several years, but the software is under active development based on the number of recent commits. Any reader who is interested in testing TORFone in Whonix ™ is encouraged to report their experience here.
USB Webcam Passthrough
Avoid this course of action -- the firmware of USB devices could be flashed by malware and cross infect the host.
VoIP Software List
There is a Comparison of VoIP software [archive] page on Wikipedia. Any client that is chosen should be open source and if onion services are not being used on both ends of the communication (where Tor handles the encryption), then it should also support voice encryption such as ZRTP.
- https://www.fcc.gov/general/voice-over-internet-protocol-voip [archive]
- See: Voice over IP: Risks, Threats and Vulnerabilities [archive]
- No information is available to uniquely identify the VoIP user.
- The language structure and syntax might be unique.
- For more than a decade, government agencies have been recording private phone calls to identify individuals by their unique voiceprint, while also recording and transcribing personal conversations, see: Finding Your Voice [archive] for a detailed description based on intelligence disclosures.
- See: Wikipedia: Comparison of VoIP Software [archive] to research alternatives.
- https://trac.torproject.org/projects/tor/ticket/7830 [archive]
- This does not mean it will not be supported in the future, but the wait could be lengthy.
- https://en.wikipedia.org/wiki/Procedure_word [archive]
- Once your calling partner hears "Roger", it is understood that it is safe to answer and then also terminate the answer with "Roger" or "Out" when leaving the conversation.
- ZRTP has been implemented in Jitsi as GNU ZRTP4J, and in Linphone as oRTP.
- https://zfoneproject.com/faq.html#vbr [archive]
- https://www.webcitation.org/6RrGGaAho [archive]
- Research has found [archive]:
... in encrypted phone calls using a certain combination of technologies, preselected phrases can be spotted up to 50 percent of the time on average, and up to 90 percent of the time under optimal conditions. ... Variable-bit-rate encoding, Wright says, adjusts the size of data packets being sent over the Internet based on how much information they actually contain. For example, when the person on one end of a VoIP call is listening rather than speaking, the packets sent from that person’s computer shrink significantly. Also, packets containing certain sounds, such as “s” or “f,” can take up less space than those containing more-complex sounds, such as vowels.
Encrypting the packets after they’ve been compressed scrambles their contents, making them look like gibberish. But it doesn’t change their size, which is what would give away information to potential eavesdroppers.
- Apart from trying to exploit [archive] random Tor users.
- https://packages.debian.org/buster/mumble [archive]
- https://sourceforge.net/projects/mumble/ [archive]
- https://github.com/mumble-voip/mumble [archive]
- https://www.mumble.com/mumble-server-support.php [archive]
- https://wiki.mumble.info/wiki/FAQ/English [archive]
- Is Mumble encrypted? [archive]:
Your whole communication to and from the server is always encrypted. This encryption is mandatory and cannot be disabled. The so-called control channel, which transports your chat messages and other non-time critical information, is encrypted with TLS using 256 bit AES-SHA. The voice channel carrying speech and positional audio is encrypted with OCB-AES 128 bit. You and the server authenticate to each other using digital certificates like they are used for secured connections in Web-browsers.
- Although some voices are reported to sound 'metallic' or 'robotic'.
- https://wiki.mumble.info/wiki/FAQ/English#How_can_I_verify_that_there_is_nobody_wiretapping_my_connection_.28MITM.29.3F [archive]
- https://www.mumble.com/support/mumble-server-push-to-talk.php [archive]
- https://ccm.net/faq/26187-mumble-force-tcp-mode [archive]
- Alternatively, the interested reader can learn more about Mumble certificates for defense in depth, as well as using channel passwords instead of server passwords and so on.
- https://wiki.mumble.info/wiki/Murmurguide#Connecting_to_Murmur_Server [archive]
- See Stream Isolation for further information on TransPort, SocksPort, stream isolation and related issues.
- https://wiki.tox.chat/users/faq#what_is_tox [archive]
- https://tox.chat [archive]
- https://wiki.tox.chat/users/tox_over_tor_tot [archive]
- https://wiki.tox.chat/clients [archive]
- https://community.skype.com/t5/Security-Privacy-Trust-and/Is-Skype-blocking-TOR-exit-nodes/td-p/1706941 [archive]
- https://www.wired.com/story/skype-end-to-end-encryption-voice-text/ [archive]
- https://en.wikipedia.org/wiki/Skype_security [archive]
- Increasing the ease with which the company and other parties could spy on the communications of hundreds of millions of people. Even with "Conversations" set, Microsoft still has access to a host of metadata.
- Microsoft routinely releases data to law enforcement agencies upon request, including users' geographical locations.
- https://www.schneier.com/blog/archives/2013/06/new_details_on.html [archive]
- Snowden leaks also confirm Skype became part of the PRISM [archive] program on 6 February, 2011.
- https://en.wikipedia.org/wiki/Skype_security#Flaws_and_potential_flaws [archive]
- Quote Silver Needle in the Skype [archive] (w [archive]):
Skype can’t work without a TCP connection
But Skype can work without UDP
Blocking UDP is not sufficient
- Refer to the "Skype over Tor" section here: guardianproject.info: Voice over Tor? [archive] (w [archive])
- https://lists.torproject.org/pipermail/tor-talk/2013-February/027215.html [archive]
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.
Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)