- 1 Introduction
- 2 Anonymous Identities
- 3 Attacks
- 4 Documents
- 5 Email
- 6 Fingerprinting
- 7 Platform Security
- 8 Software
- 9 Tor
- 10 Whonix Development
- 11 Footnotes
- 12 License
Whonix developers have done their utmost to provide solid tools which protect the online privacy of users, but no perfect solution exists to the complex anonymity problem. Before deciding whether Whonix is the right platform to use, it is crucial that each individual understands the limitations of the tools offered, and how to make best use of them.
Whonix does not Separate Different Contextual Identities
It is usually inadvisable to use the same Whonix-Workstation to perform more than one task at a time, or to use it for two (or more) contextual identities that the user wishes to keep separate from each other. For example, it is poor operational security to use the same Whonix-Workstation to check email via Tor while simultaneously publishing an anonymous document.
The first reason is that Tor tends to reuse the same circuits, for example during the same browsing session. The Tor exit relay of a circuit knows both the destination server (and possibly the content of the communication, if it is not encrypted) and the address of the previous relay it received the communication from. This makes it easier to infer that several browsing requests which took place on the same circuit are possibly correlated and originate from the same user. The global adversaries described later are in a perfect position to undertake this form of correlation analysis.
Secondly, if Whonix or one of its applications has a security hole or is misused, then information might leak from the Whonix-Workstation. That could reveal that the same person was behind the various activities conducted inside the Whonix-Workstation.
To address both threats, better isolation of new identities is required on every occasion they are used. Users are recommended to conduct one activity at a time, and implement one or more of the following solutions: 
|Arm's "New Identity" button sends the protocol command "signal newnym" to Tor's ControlPort. Users will likely receive a new Tor exit relay and a new IP address, but this is not guaranteed.|
Using this feature, Tor may only have replaced the middle relay while using the same Tor exit relay. Additionally, "signal newnym" will not interfere with long-lived connections like an IRC connection. Apart from the Tor circuits, other types of information can reveal the user's past activities, for example the cookies stored by the browser. Therefore, this arm feature is not a solution for properly separating contextual identities.
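The following is an added example, not arm or Whonix code: it parses the reply Tor's control port gives to GETINFO circuit-status and compares the exit relays in use before and after "signal newnym", which is how a user can check whether a "New Identity" actually produced a fresh exit. The offline part works on constructed control-port output; the live helper assumes a ControlPort at 127.0.0.1:9051 with HashedControlPassword authentication.

```python
"""Check whether a Tor "signal newnym" actually yielded a fresh exit relay."""
import socket


def parse_circuit_status(body):
    """Parse GETINFO circuit-status lines into {circ_id: [fingerprint, ...]}.

    Only fully BUILT circuits with PURPOSE=GENERAL carry ordinary streams;
    internal and onion-service circuits have no exit relay and are skipped."""
    circuits = {}
    for line in body.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "BUILT" or "PURPOSE=GENERAL" not in parts[3:]:
            continue
        # path field looks like "$FINGERPRINT~nickname,$FINGERPRINT~nickname,..."
        path = [hop.split("~", 1)[0].split("=", 1)[0].lstrip("$")
                for hop in parts[2].split(",")]
        circuits[parts[0]] = path
    return circuits


def exit_relays(circuits):
    """Fingerprints of the last hop (the exit) of every usable circuit."""
    return {path[-1] for path in circuits.values() if path}


def got_fresh_exit(before, after):
    """True only if no exit in use after NEWNYM was already in use before it."""
    return bool(after) and after.isdisjoint(before)


def _read_reply(f):
    """Collect one control-port reply; its last line has a space after the code."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("control port closed")
        line = line.rstrip("\r\n")
        lines.append(line)
        if len(line) >= 4 and line[3] == " ":
            return lines


def circuit_status(password, newnym=False, host="127.0.0.1", port=9051):
    """Live helper: AUTHENTICATE, optionally SIGNAL NEWNYM, return circuit-status text.

    Assumes a ControlPort with HashedControlPassword auth (needs a running Tor)."""
    with socket.create_connection((host, port)) as sock:
        f = sock.makefile("rw", encoding="ascii", newline="\n")

        def cmd(text):
            f.write(text + "\r\n")
            f.flush()
            lines = _read_reply(f)
            if not lines[-1].startswith("250"):
                raise RuntimeError(" ".join(lines))
            return lines

        cmd('AUTHENTICATE "%s"' % password.replace('"', '\\"'))
        if newnym:
            cmd("SIGNAL NEWNYM")  # new circuits are only built when the next stream opens
        lines = cmd("GETINFO circuit-status")
        # multi-line reply: "250+circuit-status=", data lines, ".", "250 OK"
        return "\n".join(l for l in lines[1:] if l not in (".", "250 OK"))


# Constructed control-port output; the fingerprints are obviously fake 40-char strings.
GUARD, MID1, MID2 = "$" + "A" * 40, "$" + "B" * 40, "$" + "C" * 40
EXIT1, EXIT2, REND = "$" + "D" * 40, "$" + "E" * 40, "$" + "F" * 40
SAMPLE_BEFORE = "\n".join([
    f"12 BUILT {GUARD}~guard,{MID1}~mid,{EXIT1}~exit BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL",
    f"13 BUILT {GUARD}~guard,{MID2}~mid,{REND}~rend BUILD_FLAGS=IS_INTERNAL PURPOSE=HS_CLIENT_REND",
    f"14 EXTENDED {GUARD}~guard PURPOSE=GENERAL",
])
# After NEWNYM: the middle hop changed but the exit did not, the case the text warns about.
SAMPLE_AFTER_SAME_EXIT = f"15 BUILT {GUARD}~guard,{MID2}~mid,{EXIT1}~exit PURPOSE=GENERAL"
SAMPLE_AFTER_NEW_EXIT = f"16 BUILT {GUARD}~guard,{MID2}~mid,{EXIT2}~exit PURPOSE=GENERAL"

if __name__ == "__main__":
    before = exit_relays(parse_circuit_status(SAMPLE_BEFORE))
    for label, sample in (("same exit", SAMPLE_AFTER_SAME_EXIT), ("new exit", SAMPLE_AFTER_NEW_EXIT)):
        after = exit_relays(parse_circuit_status(sample))
        print(label, "-> fresh exit:", got_fresh_exit(before, after))
```

Even a fresh exit says nothing about cookies or other application state, so this check only covers the circuit side of the problem.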
Whonix does not Protect Against Social Engineering
Whonix does not protect against social engineering attacks. These attacks rely on human cognitive biases and trick users into revealing passwords or other sensitive information that allows the compromise of a target system's security. 
Other examples of social engineering include convincing the user to send a copy of logs or other information from the Whonix-Gateway or host operating system machine. In all cases, after trust has been established between the attacker and the victim, and sufficient information has been gathered, an exploit will be executed to perform harmful actions such as stealing personal or financial information, sabotaging the user's system, deanonymizing the user and so on. 
The best tools in maintaining anonymity are the knowledge that comes from research and experience, and healthy skepticism towards scenarios that pose potential security threats.
Whonix does not Protect Against External Threats or User Mistakes
Obviously, Whonix cannot protect against external threats like people looking over the user's shoulder or gaining physical access to the machine in order to subvert the anonymity features of Tor and Whonix.
Neither can Whonix prevent users from shooting themselves in the foot, leading to inadvertent deanonymization. Users are strongly encouraged to read the list of non-technical steps to stay anonymous when using Tor, Tor Browser and Whonix. This list considers:
- Safe use of social networks.
- (Mobile) phone verification.
- Personal websites and links.
- Accounts previously used without Tor.
- Banking / financial provider accounts.
- Modes of anonymity.
- The risks posed by identifying data and online identities.
- When to use bridges.
- How to protect sensitive data and communications.
- Safe Tor networking considerations.
- The danger of random files and links.
- The difference between anonymity and pseudonymity.
- The danger of mixing clearnet and Tor simultaneously.
- The consequences of changing settings.
- Server connections.
Only Whonix-Workstation is Designed for Anonymous Activity
|All anonymous activity should only take place inside Whonix-Workstation and nowhere else.|
The host operating system - the operating system running the virtualizer, and the system which was used before downloading Whonix - is not "torified". Users should never undertake any anonymous tasks on the host system.
The Whonix-Gateway is solely designed to run Tor and act as a firewall. Users should not conduct any "anonymous" activities on the Gateway. Further, in most cases there is no need to modify settings on the Whonix-Gateway, except for minor modifications like setting up bridges which is already documented.
A man-in-the-middle attack (MitM) is an attack where an attacker makes independent connections with two parties and secretly relays (and potentially alters) messages between them. This is a form of active eavesdropping, since the two parties think they are communicating directly with each other and are unaware the conversation is being controlled by the attacker.
Figure: Illustration of a MitM Attack
While using Tor, MitM attacks can still happen between the exit relay and the destination server. The exit relay itself can also act as a man-in-the-middle. For an example of such an attack see MW-Blog: TOR exit-node doing MITM attacks (w). It is worth reiterating that users can protect against such attacks by using end-to-end encryption and taking extra steps to verify the server's authenticity.
Normally a server's authenticity is automatically verified by the browser using SSL/TLS certificates which are checked against a set of recognized certificate authorities (CAs). If a user receives a security exception message like that seen in the figure below, then this could constitute a MitM attack. The warning should not be bypassed unless the user has another trusted way of checking the certificate's fingerprint with the people running the service.
Figure: An Untrusted Connection
Mozilla has an educational resource to help users determine if their connection to a website is secure. (w) The Electronic Frontier Foundation (EFF) also has an excellent interactive illustration that provides an overview of HTTP / HTTPS connections with and without Tor, and what information is visible to various third parties.
The Fallible Certificate Authority Model
Unfortunately, the vast majority of Internet encryption relies on the CA model of trust which is susceptible to various methods of compromise. Ultimately, encryption in and of itself does not solve the authentication problem in electronic communications, as seen in the actions of advanced adversaries who have targeted and undermined this central pillar upon which the Internet relies.
For example, Verisign was hacked successfully and repeatedly in 2010, with the likely conclusion being the attackers were able to forge certificates for an unknown number of websites.
A more glaring example was the confirmation by Comodo on March 15, 2011, that a user account with an affiliate registration authority had been compromised. This is a privacy and security disaster since Comodo is a major SSL/TLS company and the breach led to the creation of a new user account that issued nine certificate signing requests for seven domains: mail.google.com, login.live.com, www.google.com, login.yahoo.com (three certificates), login.skype.com, addons.mozilla.org, and global trustee. 
Later in 2011, DigiNotar, a Dutch SSL certificate company, incorrectly issued certificates to a malicious party or parties. It later emerged that DigiNotar was apparently compromised months before, or perhaps even in May of 2009, if not earlier. Rogue certificates were issued for multiple domains, including: google.com, mozilla.org, torproject.org, login.yahoo.com and many more.
Considering the frequency of attacks and the passage of time, there is a distinct possibility that a user may be subject to a MitM attack even when the browser is trusting an HTTPS connection.
There are alternatives to SSL/TLS which the user might consider, depending on their personal circumstances. Unfortunately, none of them can be used as a drop-in replacement for SSL/TLS. Tools providing connection security include: Monkeysphere, Convergence, Perspectives Project and Tor onion services. 
Using Tor does not magically solve the authentication problem. Tor's distinct advantage is that by providing anonymity, it is more difficult for attackers to perform a MitM attack with a rogue SSL/TLS certificate that is targeted at just one specific individual. However, the disadvantage of Tor is that it is easier for people or organizations running malicious Tor exit relays to perform a large scale MitM attempt. Further, malicious exit nodes could perform attacks targeted at a specific server, and especially those Tor users who happen to utilize the service.
In all cases, users are advised to use additional message encryption for email, chats and so on. It is unwise to rely on SSL/TLS alone. Relevant tools that may be useful include:
- Encrypted messengers.
- Mozilla Thunderbird with TorBirdy and Enigmail (gpg add-on) for email.
The Tor design doesn't try to protect against an attacker who can see or measure both traffic going into the Tor network and also traffic coming out of the Tor network. That's because if you can see both flows, some simple statistics let you decide whether they match up.
That could also be the case if your ISP (or your local network administrator) and the ISP of the destination server (or the destination server itself) cooperate to attack you.
Tor tries to protect against traffic analysis, where an attacker tries to learn whom to investigate, but Tor can't protect against traffic confirmation (also known as end-to-end correlation), where an attacker tries to confirm a hypothesis by monitoring the right locations in the network and then doing the math.
Whonix does not Encrypt Documents by Default
Documents created in Whonix may also have specific file signatures that reveal use of the platform. This issue is currently being researched.
Whonix does not Clear Document Metadata
Numerous file formats store hidden data or metadata inside of the files. For example, text processors or PDF files could store the author's name, the date and time of file creation, and sometimes even parts of the file's editing history. The extent of hidden data depends on the file format and the software that is used.
Image file formats like TIFF and JPEG are some of the worst offenders. For instance, when these files are created by digital cameras or mobile phones, they contain a metadata format called Exif whose defined tags can include:
- Date and time information.
- Occasionally GPS coordinates of the picture.
- Camera settings: camera model and make (including the serial number), orientation (rotation), aperture, shutter speed, focal length, metering mode and ISO speed information.
- A thumbnail for previewing the picture in file managers, on camera, or in photo editing software. Image processing software tends to keep Exif data intact.
- Copyright information.
Notably, the internet is full of cropped or blurred images where the Exif thumbnail still contains the full original picture. Specialist software is often required to remove Exif tags before safely publishing images. 
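As an added example (not Whonix or MAT code), the stdlib-only Python below inspects the Exif APP1 segment of a constructed JPEG for exactly the fields listed above (camera make, timestamp, a GPS sub-IFD pointer and an embedded thumbnail in IFD1) and then strips the whole segment. The sample image, its offsets and the 4-byte stand-in thumbnail are constructed for the demonstration.

```python
"""Inspect and strip the Exif APP1 segment of a JPEG (stdlib only)."""
import struct

# TIFF/Exif tags of interest: IFD0 fields, the GPS sub-IFD pointer, IFD1 thumbnail
TAG_MAKE, TAG_DATETIME, TAG_GPS_IFD = 0x010F, 0x0132, 0x8825
TAG_THUMB_OFFSET, TAG_THUMB_LENGTH = 0x0201, 0x0202
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per TIFF type
EXIF_MAGIC = b"Exif\x00\x00"


def _read_ifd(tiff, offset, fmt):
    """Return ({tag: raw value bytes}, next_ifd_offset) for the IFD at offset."""
    (count,) = struct.unpack_from(fmt + "H", tiff, offset)
    entries, pos = {}, offset + 2
    for _ in range(count):
        tag, typ, n = struct.unpack_from(fmt + "HHI", tiff, pos)
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:                      # value fits inline in the 12-byte entry
            entries[tag] = tiff[pos + 8:pos + 8 + size]
        else:                              # entry holds an offset to the value
            (val_off,) = struct.unpack_from(fmt + "I", tiff, pos + 8)
            entries[tag] = tiff[val_off:val_off + size]
        pos += 12
    (next_ifd,) = struct.unpack_from(fmt + "I", tiff, pos)
    return entries, next_ifd


def _segments(jpeg):
    """Yield (marker, raw segment) up to SOS, then (None, rest of file)."""
    assert jpeg[:2] == b"\xff\xd8", "not a JPEG"
    pos = 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos:pos + 2]
        if marker == b"\xff\xda":          # start of scan: entropy-coded data follows
            break
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length
    yield None, jpeg[pos:]


def _is_exif(marker, seg):
    return marker == b"\xff\xe1" and seg[4:10] == EXIF_MAGIC


def inspect_exif(jpeg):
    """Summarise what the Exif block would reveal, or None if there is none."""
    for marker, seg in _segments(jpeg):
        if marker is not None and _is_exif(marker, seg):
            tiff = seg[10:]                # marker(2) + length(2) + "Exif\0\0"(6)
            break
    else:
        return None
    fmt = "<" if tiff[:2] == b"II" else ">"
    (ifd0_off,) = struct.unpack_from(fmt + "I", tiff, 4)
    ifd0, ifd1_off = _read_ifd(tiff, ifd0_off, fmt)
    text = lambda raw: raw.split(b"\x00")[0].decode("ascii", "replace")
    report = {"make": text(ifd0.get(TAG_MAKE, b"")),
              "datetime": text(ifd0.get(TAG_DATETIME, b"")),
              "has_gps": TAG_GPS_IFD in ifd0, "thumbnail_bytes": 0}
    if ifd1_off:                           # IFD1 describes the embedded thumbnail
        ifd1, _ = _read_ifd(tiff, ifd1_off, fmt)
        if TAG_THUMB_OFFSET in ifd1 and TAG_THUMB_LENGTH in ifd1:
            (report["thumbnail_bytes"],) = struct.unpack(fmt + "I", ifd1[TAG_THUMB_LENGTH])
    return report


def strip_exif(jpeg):
    """Copy of the JPEG with every Exif APP1 segment (thumbnail included) removed."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in _segments(jpeg):
        if marker is None or not _is_exif(marker, seg):
            out += seg                     # non-Exif segments and image data survive
    return bytes(out)


def build_sample_jpeg():
    """Constructed image: IFD0 (Make, DateTime, GPS pointer) plus an IFD1 thumbnail.
    Offsets are relative to the TIFF header and were laid out by hand."""
    u32 = lambda n: struct.pack("<I", n)
    entry = lambda tag, typ, n, val: struct.pack("<HHI", tag, typ, n) + val
    make, when = b"Canon\x00", b"2011:03:15 12:00:00\x00"
    thumb = b"\xff\xd8\xff\xd9"            # 4-byte stand-in for a real thumbnail
    ifd0 = (struct.pack("<H", 3) + entry(TAG_MAKE, 2, len(make), u32(50))
            + entry(TAG_DATETIME, 2, len(when), u32(56))
            + entry(TAG_GPS_IFD, 4, 1, u32(76)) + u32(94))       # next IFD -> IFD1
    gps = struct.pack("<H", 1) + entry(0x0000, 1, 4, b"\x02\x03\x00\x00") + u32(0)
    ifd1 = (struct.pack("<H", 2) + entry(TAG_THUMB_OFFSET, 4, 1, u32(124))
            + entry(TAG_THUMB_LENGTH, 4, 1, u32(len(thumb))) + u32(0))
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + make + when + gps + ifd1 + thumb
    assert len(tiff) == 128, "hand-laid offsets above assume this size"
    app1 = b"\xff\xe1" + struct.pack(">H", 2 + len(EXIF_MAGIC) + len(tiff)) + EXIF_MAGIC + tiff
    com = b"\xff\xfe" + struct.pack(">H", 2 + 7) + b"comment"   # non-Exif segment, must survive
    return b"\xff\xd8" + app1 + com + b"\xff\xda\x00\x02\x12\x34\xff\xd9"


SAMPLE_JPEG = build_sample_jpeg()
```

Note that the thumbnail lives inside the Exif block, which is why cropping the main image without stripping Exif leaves the original picture in the file.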
Users should always remember that Whonix does not clear file metadata automatically. However, Whonix comes bundled with MAT - the Metadata Anonymisation Toolkit - as part of the design goal to help protect users.
Whonix does not Encrypt Subject: and other Header Fields of Encrypted Emails
|Unless precautions are taken, the "Subject:" line and other header fields are not encrypted when using OpenPGP encrypted email.|
This weakness is not related to Whonix or the OpenPGP (w) protocol; it is for backwards compatibility with the original SMTP protocol. Unfortunately, no RFC standard exists yet for Subject line encryption.
Recently, TorBirdy v2.3 has implemented Enigmail features which enable encrypted email headers. The new feature encrypts the Subject and References headers and moves them into the encrypted message body.
Users who require OpenPGP encryption with a suitable email client are recommended to use Thunderbird (Mozilla's email client) and Enigmail, which is a graphical front-end for using the GnuPG ("GPG") encryption program. The TorBirdy extension is also available to make Thunderbird connections take place over the Tor network.
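Added example of the header-protection approach the preceding paragraphs describe; this is not Enigmail or TorBirdy code. It copies Subject and References into the text part that gets encrypted, leaves only a "..." placeholder in the outer RFC 3156 multipart/encrypted envelope, and restores the headers on the receiving side. The `protected-headers="v1"` parameter is the convention assumed here, and `stand_in_encrypt` is an identity placeholder where a real client would call GnuPG.

```python
"""Move Subject/References into the part that gets OpenPGP-encrypted."""
import email
from email import policy
from email.message import EmailMessage
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

PROTECTED = ("Subject", "References")      # headers moved into the encrypted body


def build_inner(msg):
    """The text part that gets encrypted: body plus the protected headers."""
    inner = EmailMessage()
    inner.set_content(msg.get_content())
    inner.set_param("protected-headers", "v1")   # assumed marker for a header-carrying part
    for name in PROTECTED:
        if msg[name] is not None:
            inner[name] = str(msg[name])
    return inner


def build_outer(msg, ciphertext):
    """RFC 3156 multipart/encrypted envelope: only routing headers stay in clear."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    for name, value in msg.items():
        if name not in PROTECTED:             # From/To/Date still leak to every relay
            outer[name] = str(value)
    outer["Subject"] = "..."                  # placeholder; the real Subject is inside
    outer.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted"))
    outer.attach(MIMEApplication(ciphertext, "octet-stream", Name="encrypted.asc"))
    return outer


def restore_headers(outer, decrypt):
    """Receiver side: decrypt part 2 and take Subject/References from inside it."""
    ciphertext = outer.get_payload()[1].get_payload(decode=True)
    inner = email.message_from_bytes(decrypt(ciphertext), policy=policy.default)
    if inner.get_param("protected-headers") != "v1":
        raise ValueError("inner part carries no protected headers")
    headers = {name: str(inner[name]) for name in PROTECTED if inner[name] is not None}
    return headers, inner.get_content()


def visible_headers(outer):
    """Header names any SMTP relay can read on the wire."""
    return sorted(set(outer.keys()))


def stand_in_encrypt(data):
    """Identity placeholder for GnuPG; a real client runs gpg --encrypt here."""
    return data


def sample_message():
    """Constructed plaintext message before protection."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Draft of the embassy report"
    msg["References"] = "<earlier-message@example.org>"
    msg.set_content("Attached is the draft, please review.\n")
    return msg


if __name__ == "__main__":
    original = sample_message()
    outer = build_outer(original, stand_in_encrypt(build_inner(original).as_bytes()))
    print("on the wire:", visible_headers(outer), "Subject =", outer["Subject"])
    print("after decrypt:", restore_headers(outer, stand_in_encrypt)[0])
```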
Whonix may have an Unknown Signature
Developers have designed Whonix to be indistinguishable from standard use of the Tor network. However, there may be unknown fingerprinting methods available to ISPs and other network adversaries which identify Whonix users.
Users who are concerned about this issue should investigate optional configurations which can hide Tor/Whonix use from the ISP.
Whonix does not Defeat Stylometry
Whonix does not obfuscate a user's writing style. Consequently, unless precautions are taken, users are at risk from stylometric analysis based on their linguistic style. Research suggests only a few thousand words (or less) may be enough to positively identify an author, and there are a host of software tools available to conduct this analysis.
Whonix does not Improve Password Strength
Tor promotes online anonymity, while Whonix automatically forces desktop-wide activities through Tor (along with many extra security features). However, neither Tor nor Whonix is a one-click solution for impregnable security or absolute anonymity.
If weak passwords (passphrases) are used, they can be easily determined by brute-force attacks, whether or not Whonix is installed. In essence, attackers systematically try all passwords until the correct one is found, or attempt to guess the key which is created from the password using a key derivation function (an exhaustive key search). This method is very fast for short and/or non-random passwords.
For greater security, users should generate strong and unique passwords by following the relevant recommendations in the Security Guide.
Whonix does not Secure the Host
The security of the Whonix platform is itself reliant upon the security of the host. Naturally, many users might simply choose to run Whonix on top of their everyday operating system without making any additional changes. However, user safety is greatly enhanced by following the recommendation to use a dedicated host operating system solely for Whonix VMs. For even greater security, the dedicated host OS can be used on a computer bought solely for Whonix activities and which has never been used before for any other activities.
Avoid Non-free Software
- "[...] If you run a nonfree program on your computer, it denies your freedom; the main one harmed is you. [...]"
- "Every nonfree program has a lord, a master -- and if you use the program, he is your master."
- "To have the choice between proprietary software packages, is being able to choose your master. Freedom means not having a master. And in the area of computing, freedom means not using proprietary software."
Open Source software like Linux and Whonix is more secure than closed source software. The public scrutiny of security by design has proven to be superior to security through obscurity. This aligns the software development process with Kerckhoffs' principle - the basis of modern cipher-systems design. This principle asserts that systems must be secure, even if the adversary knows everything about how they work. Generally speaking, Libre Software projects are much more open and respectful of the privacy rights of users. Libre Software projects also encourage security bug reports, open discussion, public fixes and review.
Always Verify Signatures
For greater system security, it is strongly recommended to avoid installing unsigned software. Always make sure that signing keys and signatures are correct and/or use mechanisms that heavily simplify and automate this process, like apt-get upgrades.
As a reminder, digital signatures are not a magic bullet. While they increase the certainty that no backdoor was introduced by a third party during transit, this does not mean the software is absolutely "backdoor-free". Learn more about this process and what digital signatures prove and do not prove.
Tor Exit Relays can Eavesdrop on Communications
|The Tor network hides a user's location, but does not automatically encrypt communications.|
Instead of taking a direct route from source to destination, communications using the Tor network take a random pathway through several Tor relays to help cover the user's tracks. This means observers at any single point cannot tell both where the data came from and where it is going.
Figure: How Tor Works
The last relay on the three-hop circuit is called the Tor exit relay. It is the critical relay that establishes the actual connection to the destination server. By design, Tor does not encrypt the traffic between a Tor exit relay and the final destination. This means any exit relay is in a position to capture any traffic passing through it. To protect against snooping by the Tor exit relay, users should always use end-to-end encryption. 
Malicious exit nodes have previously been used to spy on the sensitive communications of users. For example, in 2007, a security researcher monitored the connections coming out of an exit relay under their control and intercepted thousands of private e-mail messages sent by foreign embassies and human rights groups around the world. (w).
While browsing, sending email or chatting online, users are recommended to utilize the necessary tools bundled with Whonix to enforce strong encryption. See the Documentation for steps on how to remain safe. 
Whonix Makes Tor Use Obvious
Tor tries to prevent attackers from learning what destination websites a user connects to.
Unless an optional configuration has been set to hide the use of Tor/Whonix, both the ISP and a local network administrator can easily check if a user is connecting to a Tor relay and not a normal web server.
Unless the optional configuration Tunnel Proxy/SSH/VPN through Tor is set, the destination server contacted through Tor can learn whether the communication originates from a Tor exit relay by consulting the publicly available list of known exit relays. For example, The Tor Project's Tor Bulk Exit List tool could be used for this purpose.
Based on this information, Whonix users will not appear to be a random Internet user unless an optional configuration is used to prevent the telltale signs of Tor use. The strong anonymity provided by Tor and Whonix is based on trying to make all users look exactly the same, so it is not possible to identify a specific individual in the larger user pool.
Ultimately, stronger protection requires a social approach; the larger the pool of Tor users (in close proximity) and the more diverse their interests, the less likely it will be that an individual user can be identified. Convincing other people to use Tor will help the larger anonymity-minded community. 
Persistent Tor Entry Guard Relays can Enable Physical Location Tracking
What are Tor Entry Guards?
Many well known enhanced anonymity designs such as Tor, Whonix, and the Tor Browser Bundle (TBB) use persistent Tor guards. This decision is attributable to community-based research which demonstrates that persistent Tor entry guards benefit security and lower the probability of an adversary profiling a user.
|Note: Guard fingerprinting techniques are similar to methods that track users via MAC addresses. If this is a realistic threat, then MAC address randomization is also recommended.|
In general, users should not interfere with Tor guard persistence or the natural rotation of entry guards every few months. At the time of writing, the Tor client selects one guard node, but previously used a three-guard design. Guards have a primary lifetime of 120 days.
|Warning: In some situations it is safer to not use the usual guard relay!|
While natural guard rotation is recommended, there are some corner cases in which an adversary could fingerprint the entry guards and de-anonymize a user. For instance:
- The same entry guards are used across various physical locations and access points.
- The same entry guards are used after permanently moving to a different physical location.
Consider the following scenario. A user connects to Tor via a laptop at their home address. Soon afterwards, the same user attends a prominent event or protest in a nearby city. At that location, the user decides to anonymously blog about what transpired using the same laptop. This is problematic for anonymity, as the Tor client is using the same entry guard normally correlated with the user’s home address.
Network adversaries who are monitoring traffic have a high degree of certainty that the “anonymous” posts from the city location are related to the same person who connected to that specific guard relay at home. The relative uncommonness of Tor usage exacerbates the potential for de-anonymization.
There are several ways to mitigate the risk of guard fingerprinting across different physical locations. In most cases, the original entry guards can also be re-established after returning home:
- Configure Tor to use Alternate Bridges.
- If moving to a new location permanently, create Fresh Tor Entry Guards by Regenerating the Tor State File.
For more information, see the advanced topic Tor#Non-Persistent_Entry_Guards.
Tor cannot Protect Against a Global Adversary
A global, passive adversary is defined as a person or entity who is able to monitor the traffic between all the computers in a network at the same time. By studying, for example, the timing and volume patterns of the different communications across the network, it is statistically feasible to identify Tor circuits and thus match Tor users with destination servers.
In order to create a low-latency communication service which is usable for web browsing, Internet chat or SSH connections, The Tor Project has made a security trade-off and has not attempted to address such a threat.
Whonix is not Amnesic
Unlike Tails, Whonix is not an Amnesic Live CD. If Whonix is installed on a computer, local traces of the installation will be left on the device's HDD/SSD. Further, any created files will still exist after the computer is powered-off or rebooted, unless steps are taken to securely wipe the files to remove all signs of their existence.
Whonix has not implemented any special measures to limit what is written to disk and acts like an ordinary installed operating system. Therefore, there may be evidence of user activity in created files, backup files, temporary files, swap, chat history, browser history and so on.
|Users who rely on Whonix live in non-Qubes-Whonix should be aware that although writes go to RAM instead of the HDD/SSD, traces of activity may be left in swap files, core dumps or via other configurations.|
Unix-like operating systems also swap (move) memory pages between host RAM and the host disk, and this behavior cannot be prevented in Whonix because it is based on Debian. The danger is that data leakage may occur: an unencrypted swap partition might reveal interesting data to an attacker, or be used to store unencrypted copies of files in /tmp for later retrieval. This is why the documentation recommends using multiple VM Snapshots and applying Full Disk Encryption on the host. Encrypting everything, including data, system and swap partitions, provides a higher level of security.
For more information on this topic, see: Is there a substitute for Whonix's lack of an Amnesic feature / Live CD/DVD? Forensics?
Missing Whonix Features
Whonix is currently alpha quality software and missing some features, including those relating to security. While many issues listed below are planned for future implementation, a number will probably never get "fixed" because they are impossible to address in a software-only project.
Whonix in its current form does not:
- Encrypt a user's data, documents, files and so on.
- Wipe RAM on shut down. See Idea #30076: Enhancy Privacy/Security, Wipe RAM on shut down, reboot and trigger.
- Wipe video RAM on shut down. See Tails -erase video memory on shutdown.
- Make weak passwords stronger.
- Protect against local adversaries who could mount cold boot and evil maid attacks, or otherwise compromise a user's physical machine.
- Protect users who: fail to read the Documentation, engage in unsafe behaviors, or change default settings without knowing the implications.
- Automatically apply security updates. This was a conscious developer decision because automated updates also come with their own set of security problems. However, users are always notified about updates on Whonix-Workstation by whonixcheck.
- Protect against global network adversaries.
- Protect against hardware or software backdoors.
- Automatically protect against MAC address fingerprinting on public networks.
- Protect against highly skilled software attacks, unless physical isolation or Qubes-Whonix is utilized.
- Protect users by default if Tor is somehow broken. This situation is partially mitigated (with caveats) by chaining Tor with SSH, proxies or VPNs.
- Disguise the use of Tor by default, although an optional configuration is available to hide the fact Tor/Whonix is being used.
- Use all the possible hardening options like full PIE and grsecurity.
- Apply AppArmor profiles for every process or application.
- Obfuscate a user's linguistic style to defeat stylometric analysis.
- Have deterministic builds, see Dev/Archived Discussions. 
This list is likely incomplete. Users are encouraged to read the rest of the Documentation and perhaps the Design chapter to have a full overview of Whonix security, including the list of supported and unsupported features.
Users who want to help improve Whonix security should join the discussions on Dev/Archived Discussions, or on the developer mailing list.
Whonix is a Work in Progress
Whonix, as well as all the software it includes, is under continuous development and might contain programming errors or security holes. Users should stay tuned to Whonix development, and not rely on it for strong anonymity.
That said, Whonix has a strong foundational design since it uses both the Isolating Proxy and Transparent Proxy concepts. Over the last 5 years, no anonymity leaks or proxy bypass problems have been discovered. Whonix has been developed with great care, but it is impossible to ever prove that it is absolutely "leak-proof" or free of mistakes that degrade the goals of the extended project description. (w)
Basic functionality is built-in and Whonix can be used to browse the web and host onion services, use email, IRC, SSH, and a host of other activities. Development is still ongoing and more features are being added to Whonix. Contributors who want to join the development process are most welcome. A complete list of open issues is available on the Whonix issues tracker.
- Depending on personal circumstances and the Whonix platform in use.
- HTTPS here refers to encrypted connections, whether it is (inferior) SSL or TLS.
- Source: Comodo: The Recent RA Compromise (w)
- Source: The Tor Project: The DigiNotar Debacle, and what you should do about it (w)
- This is one reason why self-authenticating onion services (.onion) connections are superior to HTTPS, because they do not rely on the flawed CA system for confirmation of the destination server.
- Onion Services are automatically encrypted end-to-end. More specifically, connections remain within the Tor network at all times.
- Quoted from wikipedia Man-in-the-middle_attack (w) and Tor Project: Detecting Certificate Authority compromises and web browser collusion (w).
- For example, the XKeyscore program is actively targeting Exif information for collection.
- The preference in TorBirdy is
- For example, a HTTPS or onion service (.onion) connection.
- Source: Tor FAQ: Can exit relays eavesdrop on communications? (w)
- Tor also has an obvious network signature, since Tor traffic passes along these connections (circuits) in fixed-size cells of exactly 512 bytes.
- Attribution: Two sentences in this chapter have been forked from the Tor (w) website, which was licensed under a Creative Commons Attribution 3.0 United States License (w) at the time of writing.
- Even though the attacker can't discover the user's destinations in the network, they still might target a list of known Tor users.
- Source: torproject.org What are Entry Guards? (w). Content on this site is Copyright The Tor Project, Inc. Reproduction of content is permitted under a Creative Commons Attribution 3.0 United States License (w). All use under such license must be accompanied by a clear and prominent attribution that identifies The Tor Project, Inc. as the owner and originator of such content. The Tor Project Inc. reserves the right to change licenses and permissions at any time in its sole discretion.
- The risk of guard fingerprinting is less severe now that upstream (The Tor Project) has changed its guard parameters to decrease the de-anonymization risk.
- Prop 291 indicates a 3.5 month guard rotation.
- The Tor Project is currently considering shifting to two guards per client for better anonymity, instead of having one primary guard in use.
- The entropy associated with one, two or three guards is 9, 17 and 25 bits, respectively.
- Live mode does not yet meet the technical amnesic threshold.
- Although Tor now has deterministic builds, see Bug 3688.
Whonix Warning wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Warning wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <firstname.lastname@example.org>
This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.