Whonix and Tor
- 1 Why Whonix Uses Tor
- 2 Why Tor is Slow
- 3 Footnotes
- 4 License
Why Whonix Uses Tor
Whonix uses Tor because it is the best anonymity network available today.
The Whonix Project wants to enforce good security by default for our users. That is why a fundamental Whonix design is to force all outgoing traffic through the Tor anonymity network.
Virtual Private Networks (VPNs) are usually faster than Tor, but they are not anonymity networks. VPN administrators can log both where a user is connecting from and the destination website, breaking anonymity in the process.  Tor provides anonymity by design rather than policy, making it impossible for a single point in the network to know both the origin and the destination of a connection. Anonymity by design provides a higher standard, since trust is removed from the equation.
When using a VPN, an adversary can break anonymity by monitoring the incoming and outgoing connections of the limited set of servers. On the other hand, the Tor network is formed by over 6000 relays and 2000 bridges run worldwide by volunteers.  This makes it far more difficult to conduct successful, end-to-end correlation (confirmation) attacks, although not impossible.
Despite Tor's superiority to VPNs, poisoned Tor nodes pose a threat to anonymity. If an adversary runs a malicious Tor entry guard and exit node in a network of 7,000 relays (2,000 entry guards and 1,000 exit nodes), the odds of the Tor circuit crossing both are around one in 2 million. If an adversary can increase their malicious entry and exit relays to comprise 10 percent of the bandwidth, they could deanonymize 1 percent of all Tor circuits. 
Tor has the largest user base of all available anonymity networks. More than 2 million users connected to Tor daily in 2018. Tor's adoption by a substantial audience proves its maturity, stability and usability. It has also led to rapid development and significant community contributions.
Tor is equally used by journalists, law enforcement, governments, human rights activists, business leaders, militaries, abuse victims and average citizens concerned about online privacy.  This diversity actually provides stronger anonymity because it makes it more difficult to identify or target a specific profile of Tor user. Anonymity loves company. 
Technical Merits and Recognition
Tor has partnered with leading research institutions, and has been subjected to intensive academic research. It is the anonymity network which benefits from the most auditing and peer review.
An extract of a Top Secret appraisal by the NSA characterized Tor as "the King of high secure, low latency Internet anonymity" with "no contenders for the throne in waiting".
Relationship between the Tor Project and Whonix
- The Tor software is made by The Tor Project.
- The Tor network is run by a worldwide community of volunteers.
- Whonix is a completely separate project developed by a different developer team.
- Whonix is a complete operating system which uses Tor as its default networking application.
Many people use Tor outside of Whonix. Similarly, a significant number use Whonix for activities other than accessing the Internet through Tor, for example hosting onion services, tunnelling I2P through Tor, tunnelling VPNs or other anonymity networks through Tor, and more.
- Comparison Of Tor with CGI Proxies, Proxy Chains, and VPN Services.
- Review of different Anonymity Networks.
Why Tor is Slow
Users often complain that the Tor network is slow or has inconsistent speed. This section briefly describes some reasons for affected Tor throughput. Interested readers can also refer to the Tor Project FAQ and relevant research for a more detailed explanation.
Tor Circuits Lengthen the Connections
When navigating to clearnet resources, Tor provides anonymity by building circuits with three relays. So instead of connecting directly to the destination server, a connection is made between each relay of the circuit and this takes more time. In the case of onion services, a six-relay arrangement is used in the connection - three picked by the user and three picked by the onion service.
In addition to using multiple relays, Tor tries to build circuits with relays in different geographical locations. This necessarily causes connections to travel further and slows down the fetching of resources.
Relay Quality and Throughput
Tor relays are run by volunteers (and hostile actors) in a decentralized way. Consequently, relays do not have uniform quality; some are big and fast, while others are smaller and slower. While an increase in the number of relays would increase Tor's average throughput, performance variance will still remain high due to factors like overloaded guards or bad Tor circuits. Consistent, high-performing Tor connections requires both congestion control and load balancing issues to be solved. 
Misuse of the Tor Network
Some actors misuse the Tor network, either purposefully or due to a lack of knowledge. For instance, Tor is sometimes used to conduct DDoS attacks. By doing this, the Tor relays are the ones who actually suffer from the attack, instead of the intended target. Some people use peer-to-peer software (like BitTorrent) through Tor which slows down the network for all users. 
- Tor Congestion Control: Tor's mechanism does not work well in combining high-volume (bulk transfer) and low-volume (browsing) streams. Tor is not able to signal congestion to endpoints, leading to excessively large queuing at routers, resulting in variable latency. 
- Excessive User Load: Some users put excessive traffic load on the Tor network relative to their network contributions. Methods of limiting these effects and prioritizing other users need to be implemented. 
- Tor Network Capacity: As noted earlier, the total capacity of the Tor network is insufficient relative to unmet privacy demand. A significant boost in the overall number of relays is required. 
- Tor Load Distribution: Tor's current path selection algorithms do not effectively distribute the network load.  The properties of relays need to be more accurately estimated so relays do not become over or under-loaded, but unfortunately Bandwidth Authorities do not yet fully account for geographic diversity, and cannot handle rapid changes in relay capacity or load.  Further, the centralized status of Bandwidth Authorities means they are are vulnerable to DoS and manipulation.
- Tor Latency Failures: Tor is inefficient in handling connection failures or high / variable latency. Better heuristics to move away from bad circuits and a more uniform latency response is required.
- Directory Information Download Overhead: Users with low bandwidth (like those on cell phones) have to spend too much time downloading directory information. Tor protocols need to be optimized for efficiency.
- Promises made by VPN operators are meaningless, since they cannot be verified.
- Admittedly the network has an unknown proportion of malicious relay operators.
- A large file downloaded through BitTorrent can translate to several hours of browsing for the regular Tor Browser user.
- Roger Dingledine is the co-creator of the first alpha version of Tor.
- The Tor Project is considering adopting QUIC as a datagram transport with end-to-end congestion control.
- This may involve targeting specific user profiles (e.g. throttling certain protocols) so the original Tor design of high throughput and good latency properties can be realized.
- Economics suggests increased supply will lead to more users arriving to fill the void.
- The Tor Project is currently preparing to replace Bandwidth Authorities with a simplified system using central measurement servers.
- Capacity is currently estimated by observing the largest traffic burst seen in the past day. This bandwidth capacity is advertised in the directory information, leading clients to preference their path selection based upon a relay's estimated bandwidth.
Whonix Whonix and Tor wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Whonix and Tor wiki page Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <firstname.lastname@example.org>
This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.
Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.
Whonix is provided by ENCRYPTED SUPPORT LP. See Imprint.