Jump to: navigation, search


This page contains changes which are not marked for translation.

Other languages:
Deutsch • ‎English • ‎español


Even though we're doing our best to offer you good tools to protect your privacy while using a computer, there is no magic or perfect solution to such a complex problem. Understanding well the limits of such tools is a crucial step in, first, deciding whether Whonix is the right tool for you, and second, helping you making a good use of it.

Tor exit relays can eavesdrop on communications[edit]

Tor is about hiding your location, not about encrypting your communication.

Instead of taking a direct route from source to destination, communications using the Tor network take a random pathway through several Tor relays that cover your tracks. So no observer at any single point can tell both where the data came from and where it is going.

A Tor connection usually goes through 3 relays with the last one establishing the actual connection to the final destination

The last relay on this circuit, called the exit relay, is the one that establishes the actual connection to the destination server. As Tor does not, and by design cannot, encrypt the traffic between an exit relay and the destination server, any exit relay is in a position to capture any traffic passing through it.

For example, in 2007, a security researcher intercepted thousands of private e-mail messages sent by foreign embassies and human rights groups around the world by spying on the connections coming out of an exit relay he was running. See Wired: Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise. (w).

To protect yourself from such attacks you should use end-to-end encryption.

Whonix includes many tools to help you using strong encryption while browsing, sending email or chatting in Documentation. [1]

Whonix makes it clear that you are using Tor[edit]

Tor tries to prevent attackers from learning what destination websites you connect to.

Unless you are using the Optional Configuration Hide the fact, that you are using Tor/Whonix from your ISP, your ISP or your local network administrator can easily check that you're connecting to a Tor relay, and not a normal web server for example.

Unless you are using the Optional Configuration Tunnel Proxy/SSH/VPN through Tor, the destination server you are contacting through Tor can know whether your communication comes out from a Tor exit relay by consulting the publicly available list of exit relays that might contact it. For example using the Tor Bulk Exit List tool of the Tor Project.

So unless you are using Optional Configurations to prevent this, using Whonix doesn't make you look like any random Internet user. The anonymity provided by Tor and Whonix works by trying to make all of their users look the same so it is not possible to identify who is who amongst them.

Ultimately the best protection is a social approach: the more Tor users there are near you and the more diverse their interests, the less dangerous it will be that you are one of them. Convince other people to use Tor, too! [2]

Whonix might make it clear you are using Whonix[edit]

Even though Whonix developers designed Whonix not to reveal the fact that you are a Whonix user to your ISP, there might still be unknown methods to find out who you are.

In case you care about that, see also the Optional Configuration Hide the fact, that you are using Tor/Whonix from your ISP.

Man-in-the-middle attacks[edit]

A man-in-the-middle attack (MitM) is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

Illustration of a man-in-the-middle attack

While using Tor, man-in-the-middle attacks can still happen between the exit relay and the destination server. The exit relay itself can also act as a man-in-the-middle. For an example of such an attack see MW-Blog: TOR exit-node doing MITM attacks (w).

Again, to protect yourself from such attacks you should use end-to-end encryption and while doing so taking extra care at verifying the server authenticity.

Usually, this is automatically done through SSL certificates checked by your browser against a given set of recognized certificate authorities. If you get a security exception message such as this one you might be victim of a man-in-the-middle attack and should not bypass it unless you have another trusted way of checking the certificate's fingerprint with the people running the service.

This Connection is Untrusted

How do I tell if my connection to a website is secure? (w)

The eff has a fantastic interactive illustration who can see what when (not) using Tor and when (not) using SSL.

But on top of that, the certificate authorities model of trust on the Internet is susceptible to various methods of compromise.

For example, on March 15, 2011, Comodo, one of the major SSL certificates company, reported that a user account with an affiliate registration authority had been compromised. It was then used to create a new user account that issued nine certificate signing requests for seven domains: mail.google.com, login.live.com, www.google.com, login.yahoo.com (three certificates), login.skype.com, addons.mozilla.org, and global trustee. [3]

Later in 2011, DigiNotar, a Dutch SSL certificate company, incorrectly issued certificates to a malicious party or parties. Later on, it came to light that they were apparently compromised months before or perhaps even in May of 2009 if not earlier. Rogues certificates were issued for domains such as google.com, mozilla.org, torproject.org, login.yahoo.com and many more. [4]

This still leaves open the possibility of a man-in-the-middle attack even when your browser is trusting an HTTPS connection.

There are alternatives to SSL, worth checking out if they may be useful for you. Unfortunately, they cannot be used as a drop-in replacement. Tools providing connection security include Monkeysphere, Convergence, Perspectives Project and Tor hidden services[5].

On the one hand, by providing anonymity, Tor makes it more difficult to perform a man-in-the-middle attack targeted at one specific person with the blessing of a rogue SSL certificate. But on the other hand, Tor makes it easier for people or organizations running exit relays to perform large scale MitM attempts, or attacks targeted at a specific server, and especially those among its users who happen to use Tor.

In all cases, you are advised to use additional message encryption for encrypting your mails, chats and so on. Tools such as encrypted messengers (Covered on the Chat page.), GPG (wikipedia), KGpg and Mozilla Thunderbird with TorBirdy and enigmail (gpg add-on) may be useful.


Confirmation attacks[edit]

Quoted from Tor Project: "One cell is enough to break Tor's anonymity"[7] [8]:

The Tor design doesn't try to protect against an attacker who can see or measure both traffic going into the Tor network and also traffic coming out of the Tor network. That's because if you can see both flows, some simple statistics let you decide whether they match up.

That could also be the case if your ISP (or your local network administrator) and the ISP of the destination server (or the destination server itself) cooperate to attack you.

Tor tries to protect against traffic analysis, where an attacker tries to learn whom to investigate, but Tor can't protect against traffic confirmation (also known as end-to-end correlation), where an attacker tries to confirm a hypothesis by monitoring the right locations in the network and then doing the math.

Persistent Tor Entry Guard Relays can make you trackable Across Different Physical Locations[edit]

What are Tor Entry Guards? If this is an unfamiliar term, please press on Expand on the right.

Current practical, low-latency, anonymity designs like Tor fail when the attacker can see both ends of the communication channel. For example, suppose the attacker controls or watches the Tor relay a user chooses to enter the network, and also controls or watches the website visited. In this case, the research community is unaware of any practical, low-latency design that can reliably prevent the attacker from correlating volume and timing information on both ends.

Mitigating this threat requires consideration of the Tor network topology. Suppose the attacker controls, or can observe, C relays from a pool of N total relays. If a user selects a new entry and exit relay each time the Tor network is used, the attacker can correlate all traffic sent with a probability of (c/n)2. For most users, profiling is as hazardous as being traced all the time. Simply put, users want to repeat activities without the attacker noticing, but being noticed once by the attacker is as detrimental as being noticed more frequently. Mathematically speaking, choosing many random entry and exit points to the network prevents the user from escaping profiling by this kind of attacker with end-to-end capabilities.

The solution to this problem is "entry guards". Each Tor client selects a few relays at random to use as entry points, and only uses those relays for the first hop. If those relays are not controlled or observed, the attacker can't use end-to-end techniques and the user is secure. If those relays are observed or controlled by the attacker, then they see a larger fraction of the user's traffic — but still the user is no more profiled than before. Thus, entry guards increase the user's chance of avoiding profiling (on the order of (n-c)/n), compared to the former case.

You can read more at An Analysis of the Degradation of Anonymous Protocols, Defending Anonymous Communication Against Passive Logging Attacks, and especially Locating Hidden Servers.

Restricting entry nodes may also help to defend against attackers who want to run a few Tor nodes and easily enumerate all of the Tor user IP addresses. [9] However, this feature won't become really useful until Tor moves to a "directory guard" design as well.

Source and License, see footnote: [10]

Persistent Tor entry guards are beneficial for security and used by Tor, Whonix, Tor Browser Bundle (TBB) and other software. However, in some situations it is safer to not use the usual guard relay.

The guard relays picked by the Tor client can lead to fingerprinting of Tor use across different physical locations and access points. In some corner cases like the example described below, this may cause a user to be deanonymized. The risk of this attack is less severe now that upstream (The Tor Project) has moved from using three guard relays to a single one.

Consider the following scenario. You run Tor from a home address, but you soon attend a prominent event or protest in a nearby city. At that location, you decide to anonymously blog about what transpired. The fact that the Tor client is using the same entry guard normally correlated with your home address is problematic. Network adversaries have a high certainty that the "anonymous" posts from the city location are related to the same person who connected to that specific guard relay from their home. The relative uncommonness of Tor usage exacerbates the problem of potential deanonymization.

This adversary technique is similar to tracking users via MAC addresses. Therefore, if this is a realistic threat in your personal situation, it is recommended to also randomize your MAC address.

Forum discussion:

For more information, see the advanced topic Tor#Non-Persistent_Entry_Guards.

Whonix doesn't encrypt your documents by default[edit]

The documents that you might save inside Whonix will not be encrypted by default. The Advanced Security Guide recommends to fully encrypt the host.

It is likely that the files you may create will keep tracks that they were created using Whonix. (Under research.)

Whonix is not amnesic[edit]

Unlike Tails, Whonix is not an Amnesic Live CD. If you install Whonix on your computer this will leave local traces on the harddrive, that you installed Whonix on that device. Any files you create will still exist after powering off or rebooting unless you securely wiped all signs of their previous existence.

There are no special measures to limit what is written to disk. This includes (non exhaustive list) user created files, backup files, temporary files, swap, chat history, browser history and so on. Whonix acts like an ordinary installed operating system. It can also not be prevented, that the host memory swaps to the host disk. There is a Recommendation to use multiple VM Snapshots and it is recommended to apply Full Disk Encryption on the host.

For more information on this topic, see also: Is there a substitute for Whonix's lack of an Amnesic feature / Live CD/DVD? Forensics?"

Whonix doesn't clear the metadata of your documents[edit]

Numerous file formats store hidden data or metadata inside of the files. Text processors or PDF files could store the name of the author, the date and time of creation of the file, and sometimes even parts of the editing history of the file. those hidden data depend on the file format and the software used.

Image file formats, like TIFF of JPEG, probably take the prize in this field. Those files, created by digital cameras or mobile phones, contain a metadata format called EXIF which can include the date, time and sometimes the GPS coordinates of the picture, the brand and serial number of the device which took it as well as a thumbnail of the original image. Image processing software tend to keep those data intact. The internet is full of cropped or blurred images for which the EXIF thumbnail still contains the full original picture.

Whonix doesn't clear the metadata of your files for you. Yet, it is still within the Whonix' design goal to help you do that. For example, Whonix already comes with MAT, which is a Metadata Anonymisation Toolkit.

Whonix doesn't encrypt the Subject: and other headers of your encrypted e-mail messages[edit]

Please note that the Subject: as well as the rest of the header lines of your OpenPGP encrypted e-mail messages are not encrypted. This is not a bug of Whonix or the OpenPGP (w) protocol; it is for backwards compatibility with the original SMTP protocol. Unfortunately no RFC standard exists yet for Subject encryption.

If you are looking for an e-mail client supporting OpenPGP encryption (enigmail), Mozilla Thunderbird with TorBirdy is recommended.

Tor doesn't protect you from a global adversary[edit]

A global passive adversary would be a person or an entity able to monitor at the same time the traffic between all the computers in a network. By studying, for example, the timing and volume patterns of the different communications across the network, it would be statistically possible to identify Tor circuits and thus matching Tor users and destination servers.

It is part of Tor's initial trade-off not to address such a threat in order to create a low-latency communication service usable for web browsing, Internet chat or SSH connections.

For more expert information see Tor Project: The Second-Generation Onion Router, (w) part 3. Design goals and assumptions.

Whonix doesn't magically separate your different contextual identities[edit]

It is usually not advisable to use the same Whonix-Workstation to perform two tasks or endorse two contextual identities that you really want to keep separate from another. For example hiding your location to check your email and publishing anonymously a document.

First, because Tor tends to reuse the same circuits, for example amongst a same browsing session. Since the exit relay of a circuit knows both the destination server (and possibly the content of the communication if not encrypted) and the address of the previous relay it received the communication from, it makes it easier to correlate the several browsing requests as part of a same circuit and possibly made by a same user. If you are facing a global adversary as described above, it might then also be in position to do this correlation.

Second, in case of a security hole or a misuse in using Whonix or one of its application, information about that Whonix-Workstation could be leaked. That could reveal that the same person was behind the various actions made inside that Whonix-Workstation.

The solution to both threats is either following the Recommendation to use multiple VM Snapshots and/or to use multiple Whonix-Workstations every time you're using a new identity, if you really want to isolate them better.

arm's "New Identity" button forces Tor to use new circuits but only for new connections: existing connections might stay open. Plus, apart from the Tor circuits, other kind of information can reveal your past activities, for example the cookies stored by your browser. So this feature of arm is not a solution to really separate contextual identities.

Whonix doesn't make your passwords stronger[edit]

Tor allows you to be anonymous online; Whonix ensures that the whole operating system is forced through Tor (and many other extra Security features, see Design). But again, neither of both are magic spells for computer security.

If you use weak passwords, they can be guessed by brute-force attacks with or without Whonix in the same way. To know if your passwords are weak and learn good practices to create better password, you can read Wikipedia: Weak Passwords (w).

Whonix doesn't secure your host[edit]

Whonix can only be as secure as the host is. Of course you can simply use Whonix on top of your every day operating system as probably many people do. You will be much safer if you follow the recommendation to use a dedicated host operating system.

Avoid non-Free Software[edit]

For system security it is strongly advised to not install proprietary, non-free software. Instead, use of free software is recommended. As free software pioneer Richard Stallman puts it:

  • "[...] If you run a nonfree program on your computer, it denies your freedom; the main one harmed is you. [...]"
  • "Every nonfree program has a lord, a master -- and if you use the program, he is your master.“
  • "To have the choice between proprietary software packages, is being able to choose your master. Freedom means not having a master. And in the area of computing, freedom means not using proprietary software."

Open Source software like Linux is more secure than closed source software. The public scrutiny of security by design has proven to be superior to security through obscurity. This aligns the software development process with Kerckhoffs' principle - the basis of modern cipher-systems design. This principle asserts that systems must be secure, even if the adversary knows everything about how they work. Generally speaking, Libre Software projects are much more open and respectful of the privacy rights of users. Libre Software projects also encourage security bug reports, open discussion, public fixes and review.

For more information on installing free, third-party Libre software consult the Install_Software#Foreign_Sources page for advice. See also: Is It Ever a Good Thing to Use a Nonfree Program?

Related: Why will Whonix always be Free as in Freedom, Free as in Price?

Always Verify Signatures[edit]

For system security it is strongly advised to avoid installation of unsigned software. Always make sure, that signing keys and signatures check out and/or use mechanisms that heavily simplify this process such as apt-get upgrades. Signatures are not a magic bullet, though. Learn What do Digital Signatures Prove and What They DO NOT Prove.

Only Whonix-Workstation is designed for anonymous activity[edit]

Easy: All anonymous activity should only happen inside Whonix-Workstation. Nowhere else.

Explanation: The host operating system (the operating system running the virtualizer, the system you used before ever downloading Whonix) will NOT be torified. Never do any anonymous tasks on your host.

The Whonix-Gateway's only purpose is running Tor and the firewall. In most cases there is no need to modify things on the Gateway. Minor modifications such as setting up bridges are documented.

Whonix doesn't improve security/anonymity outside of Whonix[edit]

Obviously, Whonix can't stop people from looking over your shoulder or stop (mobile) providers from pinpointing your location if you gave it to a website for (mobile) phone verification.

Whonix doesn't prevent you from shooting your own feet[edit]

If you login to your personal Facebook account, which is bound to your real name, you are obviously not anonymous!

This will be substantiated on the later page Non technical steps staying anonymous.

Whonix doesn't defeat Stylometry[edit]

Whonix does not obfuscate your writing style.

This will be substantiated on the later page Anonymous Surfing, Posting and Blogging.

Whonix does not protect against social engineering.[edit]

Whonix does not protect against social engineering[11] hacks. One example of such a hack would be convincing you to send a copy of your logs from the Whonix-Gateway. Another example would be convincing you to give away logs/information about your host machine. The best tool in maintaining anonymity is knowledge that comes from research and experience.

Whonix does not (yet)...[edit]

Whonix is currently alpha quality software and missing features, some of them security related. Some of the following will probably never get "fixed" or implemented because they are impossible to do in a software only project.

Whonix in its current form does not:

  • Encrypt your stuff.
  • Wipe RAM on shut down. See Idea #30076: Enhancy Privacy/Security, Wipe RAM on shut down, reboot and trigger.
  • Wipe video RAM on shut down. See Tails -erase video memory on shutdown.
  • Make weak passwords stronger.
  • Protect against local adversaries, who for example can mount cold boot and evil maid attacks.
  • Protect you if you don't read our Documentation or do stupid things or change default settings without knowing what you are doing.
  • Automatically apply security updates. This was a conscious decision because automated updates also come with their own set of security problems. However, you will be notified about updates on Whonix-Workstation by whonixcheck.
  • Protect against global network adversaries.
  • Protect against hardware or software backdoors.
  • Automatically protect against MAC address fingerprinting on public networks.
  • Protect against the more skilled software attacks, unless you use [PhysicalIsolation].
  • By default, protect you if Tor is somehow broken. You can improve that to some extent (with caveats) by chaining Tor with SSH, proxies or VPNs.
  • By default, hide the fact that you are using Tor, though there is an optional feature, Hide the fact you are using Tor/Whonix.
  • Use all the possible hardening options like full PIE and grsecurity. It doesn't use AppArmor profiles for everything.
  • Obfuscate your writing style, defeat Stylometry.
  • Have deterministic builds, see Dev/Archived Discussions. Also Tor itself does not have deterministic builds yet, see Bug 3688.
  • This list might be incomplete. Please read the rest of the Documentation (and perhaps Design as well) to if you want an overview about security, what's in and what not.

If you want to help us improve the security of Whonix, please join the discussions on Dev/Archived Discussions or on the developer mailing list.

Whonix is a work in progress[edit]

Whonix, as well as all the software it includes, are under continuous development and might contain programming errors or security holes. Stay tuned to Whonix development. Do not rely on it for strong anonymity.

The basic functionality is ready. You can use Whonix to browse the web and host hidden services, use email, IRC, ssh, etc. Development is still ongoing and more features are being added to Whonix. If you want join the development process or want to see what issues are still open, see our Whonix github issues tracker.

From Whonix 0.4.5 release announcement (w):

 Whonix uses the best of both worlds, the Isolating Proxy concept [2]
and the Transparent Proxy concept. At the moment there are no known
anonymity leaks or proxy bypass problems. The principal design is less
vulnerable for any kind of leaks. At time of writing (October 2012) I
have been working on the theoretical concept and practical
implementation for 9 months, the basics have been developed by (at
least) three people, adrelanos, smarm and anonymous. [1] [2]

  Although Whonix has been developed with greatest care, a negative,
being leak free or being free from mistakes in the extended project
description [1], can not be proven. This is Whonix's first release
announcement. We hope skilled people look into the concept and
implementation and fail to find anonymity related bugs.

See also Whonix security in real world, Security Reviews and Feedback and Security Overview.


  1. Source: Tor FAQ: Can exit relays eavesdrop on communications? (w)
  2. Attribution: Two sentences in the "Whonix makes it clear that you are using Tor" chapter, have been forked from the Tor (w)website, which was licensed under a Creative Commons Attribution 3.0 United States License (w) at this point.
  3. Source: Comodo: The Recent RA Compromise (w)
  4. Source: The Tor Project: The DigiNotar Debacle, and what you should do about it (w)
  5. Hidden Services are automatically encrypted end-to-end. (More specific: Tor to Tor)
  6. Quoted from wikipedia Man-in-the-middle_attack (w) and Tor Project: Detecting Certificate Authority compromises and web browser collusion (w).
  7. https://blog.torproject.org/blog/one-cell-enough
  8. http://www.webcitation.org/6EUyo9u9N
  9. Even though the attacker can't discover the user's destinations in the network, they still might target a list of known Tor users.
  10. Source:
    torproject.org What are Entry Guards? (w)
    license (w):
    Content on this site is Copyright The Tor Project, Inc.. Reproduction of content is permitted under a Creative Commons Attribution 3.0 United States License (w). All use under such license must be accompanied by a clear and prominent attribution that identifies The Tor Project, Inc. as the owner and originator of such content. The Tor Project Inc. reserves the right to change licenses and permissions at any time in its sole discretion.
  11. https://en.wikipedia.org/wiki/Social_engineering_%28security%29


Whonix Warning wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Warning wiki page Copyright (C) 2012 - 2017 Patrick Schleizer <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.

Random News:

Want to help create awesome, up-to-date screenshots for the Whonix wiki? Help is most welcome!

Impressum | Datenschutz | Haftungsausschluss

https | (forcing) onion
Share: Twitter | Facebook | Google+
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation. Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself.