Whonix and Tails Discussion

Feel free to discuss differences.

Please look over existing wiki entries and confirm accuracy:
Anonymity Operating System Comparison - Whonix ™ vs Tails vs Tor Browser Bundle
Frequently Asked Questions - Whonix ™ FAQ

As I mentioned in a previous thread, I think classification of Whonix as “Safe” as mentioned in one of the comparison tables for:

  • Exploit + Unsafe Browser
  • Exploit + Root exploit + Unsafe Browser
  • Root exploit + Unsafe Browser

and even

  • Protocol IP leak

are somewhat misleading and may cause the user to have a false sense of security.

When is Whonix really safe against the first 3 attacks? When the user does nothing and has no activity. In this case, he has no risk anyway. Or when the user maintains a perfect alternate identity inside Whonix-Workstation.

But users do have some activity, and even for very careful users, those activities by themselves, by the data saved, by the list of sites visited, by the list of people they communicate with, by the content of those communications, by all those and more - the user is certainly not safe from deanonymization when there is capable malware on the Workstation.

Let’s take the example of journalists communicating with a Snowden-like source, and using Whonix. If malware is present on their Workstation, logging their keystrokes, clipboard, emails, chat etc., will this malware need their IP to deanonymize them, or their source? Probably not.

All this applies for weak adversaries. Hackers.

When you deal with a strong attacker, with influence over the ISP, user’s IP will be easily inferred from time and nature of traffic. Actually there will be no need to wait for the user to do anything in this case beyond getting infected by the malware. The malware can send a unique pattern of traffic as soon as it enters the system. In seconds, a script running on the ISP will detect it and reveal the user’s IP.

All that can be done when host, firmware, hypervisor etc are still rock-solid.

I would say NO system is safe if malware managed to gain a foothold inside. None. This is important not for the sake of comparisons, but as something users need to keep in mind when they conduct their business inside Whonix-Workstation. If you have malware, you are lost.

Regarding “protocol IP leak”, in the case of weak adversaries, well, probably safe when we’re dealing with Whonix-Workstation. But not when we talk about Whonix-Gateway. And if you compromised the Gateway, not only do you have the IP, you also see all Tor onion site traffic in cleartext, don’t you? Is there any encryption between Workstation and Gateway? For some reason the whole issue of Whonix-Gateway security seems to be rarely discussed.


Much of what you say is addressed. No system is perfect or 100% secure. This is repeated over and over again throughout the wiki.

In the following table,
“Fail” is defined as “IP/location of user is compromised.”.
“Safe” is defined as “IP/location of user is hidden behind Tor.”.

Whonix protects against IP/location discovery through root exploits (Malware with root rights) on the Workstation [24]. This does not mean you should deliberately place yourself at risk to become infected with malware. Do not! It would still make all data inside Whonix-Workstation available to the attacker. Again, Whonix is not a perfect system. It cannot be. Whonix is not unbreakable. What Whonix does is increase the effort required by an attacker to find out the user’s real IP address, thus de-anonymizing the user. The following table visualizes the various defense layers provided by Whonix.

In some circumstances you are correct. Anonymity is not just about using Whonix/Tor/Tails. No system is safe. Whonix just makes it harder for an attacker to deanonymize a user.

Some of the avenues of deanonymization you mentioned can be mitigated through the use of Qubes Disposable VMs. Granted, not everyone has hardware that is compatible, but it would most certainly prevent malware from gaining a foothold or gaining access to data from previous sessions (there is none).

If the hypervisor is exploited it’s game over. This is not something that is easy, and an advanced adversary probably would not waste an exploit like that on “a” user.

This is mentioned briefly:


I fully agree:

Good to know; in any case, I am referring to the case I know, that of VirtualBox, which is, from what I gather here, the solution used by the vast majority of Whonix users.

It is reassuring to assume we are unimportant to advanced attackers, and that may act as some sort of protection. With this reasoning one can dismiss many different theoretical attacks; I am not sure it is wise to do so. As someone commented here recently on the email PGP thread, some people actually use Whonix not just to feel all good and savvy but because they actually need it.
In any case, all the scenarios I described assume the hypervisor is NOT compromised:

This includes the paragraph you quoted - what I mean here is direct exploitation of Whonix-Gateway, not through the Workstation or the hypervisor.

I briefly went through that, and this apparently is not relevant to what I am asking:

This chapter is only important, if you do not use the Default/Download (host + VM + VM) version.
You should read it if you are using Physical Isolation, or for any custom, non-stock, configurations.

I speak about a standard configuration, in which Whonix-Gateway was directly exploited (either due to an upstream Debian vulnerability, a vulnerability in an application running on it, for example arm, or a vulnerability unique to Whonix-Gateway due to changes done by Whonix developers to the Debian packages/additional scripts that were added).

My question is, does Whonix-Gateway see the traffic that originates at the Whonix-Workstation’s Tor Browser as clear text? For HTTPS sites, the SSL/TLS encryption will start at the browser, so you have something in case the Gateway alone is exploited, but in any other case, does the Tor Browser at the Workstation apply the Tor encryption, or is this a job done at the Gateway? As far as I understand, it has to be done at the Gateway, correct? The Workstation doesn’t know the relays, so it can’t encrypt anything for them.

You can set up a similar method of a “disposable VM” with VirtualBox by taking advantage of immutable drives. How you use them is up to you. Depending upon your machine resources, there’s nothing preventing you from creating a Whonix Workstation for each individual app/task (browsing, mail, IRC, instant messenger, etc.). It simply requires that you configure your workstations to a preferred state, convert the virtual drives to “immutable” and then save a snapshot. After that, every time you start the workstation, it will boot from the saved snapshot.


If your Gateway was compromised it would not matter much whether the Workstation traffic was encrypted or not. An attacker would only have to ping a server under their control from the Gateway (over clearnet). Now you are deanonymized.

If any of these are exploited it’s game over:

  • hypervisor
  • Tor
  • Whonix-Gateway
  • host

I would like to answer your question but to be honest I’m not 100% sure of the answer.

I am not sure it’s relevant. Tor doesn’t prevent end-to-end correlation attacks, see the Warning wiki page. What you’re describing is an end-to-end correlation attack.

So it matters: in case the adversary cannot mount a regular end-to-end correlation attack but can mount an aided end-to-end correlation attack, where the client endpoint is made to stand out more by inducing a traffic pattern.

The gateway can see the socks communication between the browser and Tor.

  • In case of https: only https traffic
  • http: cleartext
  • onion: cleartext (see Onion Services wiki page at the bottom)
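The “aided end-to-end correlation attack” described in the two posts above, as an added toy simulation (my code, not anything from this thread or the Whonix project). Malware on the Workstation never learns the real IP, but it can emit a timing signature through Tor; an observer who sees every subscriber’s encrypted traffic at the ISP then only has to look for that signature. The beacon offsets, the 10.0.0.x subscriber addresses, the tolerance and the random background traffic are all constructed assumptions, as are the function names.

```python
"""Added example (not from the thread): a toy simulation of the aided
end-to-end correlation attack discussed above.  Malware on the Workstation
never learns the real IP, but it can emit a known timing signature through
Tor; an observer who sees every subscriber's (encrypted) traffic at the ISP
then just looks for that signature.  All traffic below is constructed with a
seeded RNG; the beacon offsets, addresses and tolerance are assumptions."""
import random

BEACON = [0.0, 0.7, 1.1, 2.4, 2.6, 3.9, 4.3, 5.8]   # assumed beacon offsets (seconds)
TOLERANCE = 0.05                                    # jitter the observer tolerates


def make_isp_view(n_clients=50, duration=120.0, infected="10.0.0.17", seed=1):
    """Outbound packet timestamps per subscriber as seen at the ISP: everyone
    has random background traffic, one subscriber additionally carries the beacon."""
    rng = random.Random(seed)
    view = {}
    for i in range(n_clients):
        ip = f"10.0.0.{i + 1}"
        view[ip] = sorted(rng.uniform(0, duration) for _ in range(60))
    start = rng.uniform(10, duration - 10)
    view[infected] = sorted(view[infected] + [start + d for d in BEACON])
    return view


def signature_score(times, beacon=BEACON, tol=TOLERANCE):
    """Best fraction of beacon offsets matched when the beacon is aligned on
    any one of the subscriber's own packets (the observer tries every start)."""
    best = 0.0
    for t0 in times:
        hits = sum(any(abs(t - (t0 + d)) <= tol for t in times) for d in beacon)
        best = max(best, hits / len(beacon))
    return best


def find_beaconing_client(view):
    """Rank subscribers by signature score; the top one is the infected Whonix user."""
    scores = {ip: signature_score(ts) for ip, ts in view.items()}
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    ip, scores = find_beaconing_client(make_isp_view())
    print(ip, scores[ip])
```

The observer never touches Tor itself: the Gateway still hides the IP from the onion side, but the ISP vantage point plus a pattern the attacker chose is enough. Whether real Tor cell padding and circuit jitter defeat an 8-point signature is not something this toy answers; it only shows why “IP hidden behind Tor” is a narrower guarantee than “cannot be deanonymized”.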

I wasn’t aware of that, thanks! It also seems to solve the problem of “no default revert to last snapshot”. As for creating different VMs for different tasks, that requires a lot of thought about how to set it up correctly.

Yes, what I did just now is install tcpdump on the Gateway, then run:

sudo tcpdump -A -i eth1 -vvv

And I was able to clearly see the cleartext HTTP requests for HTTP sites and onion sites (including my username and password in an onion site login form, in a POST request).
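What that tcpdump shows, made concrete as an added example (my code, not from this thread or the Whonix project): the Gateway’s tor daemon is where Tor’s onion encryption starts, so everything Tor Browser hands to it over SOCKS5 is readable on the Workstation–Gateway link, except what the browser itself already wrapped in TLS. The parser below takes a constructed client-side SOCKS5 stream and reports what an observer at that point can read. The hostnames loginsvc.onion and example.com, the byte strings and all function names are assumptions; only the client-to-server direction is modelled, and the SOCKS5 no-auth method is assumed (Tor Browser’s username/password stream isolation adds an RFC 1929 sub-negotiation before the CONNECT, omitted here).

```python
"""Added example (not from the thread): what an observer on the
Workstation<->Gateway link (e.g. tcpdump on the Gateway's internal
interface) can read from Tor Browser's SOCKS5 stream.  TLS is applied by
the browser, so HTTPS payloads are opaque; Tor's own onion encryption is
applied by the tor daemon on the Gateway, so plain HTTP and .onion traffic
cross the link in the clear.  All byte strings are constructed."""
import struct


def socks5_connect(host, port, app_bytes):
    """Greeting + CONNECT with a domain-name target (ATYP 0x03), as Tor Browser
    sends it: the name goes to Tor unresolved, never to a local DNS lookup."""
    name = host.encode()
    return (b"\x05\x01\x00"                                    # VER 5, 1 method, NO AUTH
            + b"\x05\x01\x00\x03" + bytes([len(name)]) + name  # VER, CONNECT, RSV, ATYP
            + struct.pack("!H", port)
            + app_bytes)


def parse_socks5_connect(stream):
    """Return (host, port, application_bytes) from a client-side SOCKS5 stream."""
    if stream[0] != 0x05:
        raise ValueError("not SOCKS5")
    off = 2 + stream[1]                        # skip greeting: VER, NMETHODS, METHODS
    ver, cmd, _rsv, atyp = stream[off:off + 4]
    if ver != 0x05 or cmd != 0x01:
        raise ValueError("expected CONNECT")
    off += 4
    if atyp == 0x03:                           # domain name
        n = stream[off]
        host = stream[off + 1:off + 1 + n].decode()
        off += 1 + n
    elif atyp == 0x01:                         # IPv4
        host = ".".join(str(b) for b in stream[off:off + 4])
        off += 4
    else:
        raise ValueError("unsupported ATYP")
    port = struct.unpack("!H", stream[off:off + 2])[0]
    return host, port, stream[off + 2:]


def build_client_hello(sni):
    """Minimal TLS 1.2-style ClientHello record carrying only a server_name extension."""
    name = sni.encode()
    server_name = struct.pack("!BH", 0, len(name)) + name      # name_type host_name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list       # extension type 0
    body = (b"\x03\x03" + bytes(32)            # client_version, random
            + b"\x00"                          # empty session id
            + b"\x00\x02\x13\x01"              # one cipher suite
            + b"\x01\x00"                      # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Pull the server_name out of a ClientHello record, or None."""
    if record[:1] != b"\x16":
        return None
    hs = record[5:]
    if hs[:1] != b"\x01":
        return None
    p = 4 + 2 + 32                                  # header, version, random
    p += 1 + hs[p]                                  # session id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher suites
    p += 1 + hs[p]                                  # compression methods
    if p + 2 > len(hs):
        return None
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0:                              # list len(2), name type(1), name len(2), name
            nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + nlen].decode()
        p += elen
    return None


def observer_view(stream):
    """Everything readable from one SOCKS5 connection between browser and tor daemon."""
    host, port, app = parse_socks5_connect(stream)
    view = {"destination": f"{host}:{port}", "kind": "unknown", "sni": None, "plaintext": None}
    if app[:1] == b"\x16" and app[1:2] == b"\x03":            # TLS handshake record
        view["kind"] = "tls"
        view["sni"] = extract_sni(app)                        # hostname leaks, payload does not
    elif app.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"HEAD"):
        view["kind"] = "http"
        view["plaintext"] = app.decode("utf-8", "replace")   # request and body readable
    return view


# Constructed samples: a login POST to a fictional onion service over plain HTTP,
# and an HTTPS connection to example.com.
ONION_LOGIN = socks5_connect("loginsvc.onion", 80,
    b"POST /login HTTP/1.1\r\nHost: loginsvc.onion\r\n\r\nuser=alice&pass=hunter2")
HTTPS_SITE = socks5_connect("example.com", 443, build_client_hello("example.com"))

if __name__ == "__main__":
    for sample in (ONION_LOGIN, HTTPS_SITE):
        print(observer_view(sample))
```

Note that the destination name is visible in every case, because Tor Browser sends it unresolved inside the SOCKS request; with HTTPS the observer additionally gets the TLS SNI but not the request or response bodies, and with HTTP or a plain-HTTP onion service it gets the full request, credentials included, exactly as the tcpdump above showed.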

A lot of thought has already gone into this topic. You’re just scratching the surface of virtualization with Whonix. Please spend some time with Qubes.

I like Tails. I think it’s great software, and a great introduction to Tor/OPSEC for the masses. It’s free software, debian-based, well supported and has a lot of ready-to-use utilities. It’s much better than your typical Windows 10 or macOS user running Tor Browser.

But let’s be real: by design, Whonix is much more secure. Any “simple” root exploit in Tails will immediately expose your real public IP address. Something as basic as this for instance (once the attacker has root rights):

service ferm stop && iptables -F && echo nameserver $(traceroute 8.8.8.8 | awk '{print $2}' | head -3 | tail -1) > /etc/resolv.conf && curl ipinfo.io

Whereas in Whonix, there is no way such a thing could happen. An infected Workstation could never reveal its true IP address, at least there are no known exploits to achieve that.

Regarding persistence/amnesia, it is trivial to erase the VM and clone or reimport a new VM for each new session, it is just a matter of a few minutes. It’s not a big deal. Moreover, you can keep an always up-to-date pair of Whonix VM and just clone them for each new session. With Tails, you are stuck with the version you have until a new release.

As for the sensitive files stored in the Workstation, nothing stops you from keeping them in another offline VM (be it in Qubes or with VirtualBox/KVM), even in an encrypted container, and copy-paste the important stuff when you need it (such as passwords, logins). Same thing with PGP: if you fear for the integrity of your private keys, run the encryption/decryption stuff in an offline VM. Don’t do it on your connected Workstation. Likewise, BTC transactions can be signed offline and broadcast on the Workstation with the public keys. I think it is good practice to never store sensitive files in a connected device/VM, even if it is (pseudo)anonymous.

I don’t see how it could be otherwise?

In my opinion, the biggest threat to Whonix users is the integrity of the host system. If it is compromised/spied on/keylogged, then it is basically game over. But if your host is a dedicated Linux OS (let’s say debian) on an encrypted USB key with the minimal number of software possible, never do anything else than using the virtualization software, etc., I would say it’s pretty safe.

You’re welcome. :slight_smile: Not too much thought. The issue is really just the resources of your machine. Here’s a potential set up.

  • gateway - immutable drive.
      • workstation or other - network access disabled - guest-to-host clipboard enabled. (use for password storage in KeePassX or other.)
      • workstation - browser - immutable drive. (use as generic disposable browser.)
      • workstation - browser - immutable drive - host-to-guest clipboard enabled. (use as browser where you need to paste passwords for login sessions.)
      • workstation - email - immutable drive - host-to-guest clipboard enabled - create private GPG keys before snapshot - create additional “passthrough” virtual drive as storage for public keys you receive. (use as email client where you need to paste passwords. Downloaded public keys will persist. Can also set to save emails if desired.)
      • workstation - IRC - immutable drive - host-to-guest clipboard enabled - if using SSL certs, create before snapshot. (use as IRC client where you need to paste passwords for login sessions.)
      • workstation - instant messenger - immutable drive - host-to-guest clipboard enabled - create OTR fingerprints before snapshot. (use as chat client where you need to paste passwords for login sessions.)

Just one example. When you get to this level of isolation, Qubes is better than VirtualBox. But a somewhat similar method to virtualization with disposable VMs can be done with VirtualBox. However, the above example would be more for fun than practical. If you can visualize how to work that, you’re better off using Qubes if your hardware is supported by it.

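The immutable-drive procedure from the earlier post and the per-task layout just above, scripted as an added example (my code, not from this thread or the Whonix project). Each VBoxManage invocation is composed as an argument list and only executed when dry_run is False, so the whole plan can be reviewed before any VM is touched. The role table, the VM names, the clone’s disk path and the snapshot name are assumptions for illustration; the extra “passthrough” drive for the email VM is not scripted here, and whether a medium’s type can be changed while it is attached should be checked with VBoxManage showmediuminfo on the real machine.

```python
"""Added example (not from the thread): scripting the per-task VirtualBox
layout described above.  VBoxManage invocations are composed as argument
lists and only executed when dry_run=False, so the plan can be reviewed
first.  VM names, the clipboard/network policy per role and the disk image
path are assumptions for illustration."""
import shlex
import subprocess

# role -> policy, mirroring the post above: offline VM for secrets, clipboard
# only in the direction each task needs, immutable disk for everything.
ROLES = {
    "vault":         {"online": False, "clipboard": "guesttohost"},  # password store
    "browser":       {"online": True,  "clipboard": "disabled"},     # generic disposable
    "browser-login": {"online": True,  "clipboard": "hosttoguest"},
    "email":         {"online": True,  "clipboard": "hosttoguest"},
    "irc":           {"online": True,  "clipboard": "hosttoguest"},
    "im":            {"online": True,  "clipboard": "hosttoguest"},
}


def plan_workstation(role, base_vm="Whonix-Workstation", disk=None):
    """Return the VBoxManage commands that clone base_vm for `role`, lock the
    clone's clipboard/network policy, make its disk immutable and snapshot it."""
    policy = ROLES[role]
    vm = f"{base_vm}-{role}"
    disk = disk or f"{vm}/{vm}.vdi"          # assumed location of the clone's disk
    cmds = [
        ["VBoxManage", "clonevm", base_vm, "--name", vm, "--register"],
        ["VBoxManage", "modifyvm", vm, "--clipboard-mode", policy["clipboard"]],
    ]
    if not policy["online"]:
        cmds.append(["VBoxManage", "modifyvm", vm, "--nic1", "none"])   # no NIC at all
    cmds += [
        ["VBoxManage", "modifymedium", "disk", disk, "--type", "immutable"],
        ["VBoxManage", "snapshot", vm, "take", "clean-baseline"],     # state booted each time
    ]
    return cmds


def apply_plan(cmds, dry_run=True):
    """Print the plan, or run it; returns the number of commands handled."""
    for cmd in cmds:
        if dry_run:
            print(shlex.join(cmd))
        else:
            subprocess.run(cmd, check=True)  # stop on the first VBoxManage failure
    return len(cmds)


if __name__ == "__main__":
    for role in ROLES:
        apply_plan(plan_workstation(role))
```

Run it once in dry-run mode and read the output before flipping dry_run; the order (policy first, then immutable, then snapshot) follows the procedure in the post, so the snapshot captures the locked-down state that every later boot reverts to.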

Everybody keeps focusing on the Workstation and brushing aside potential Gateway vulnerabilities. Why??

When I search for Debian vulnerabilities on cvedetails.com, there is a very long list there (probably patched by now, but if they occurred in the past, there’s no reason to believe others won’t be discovered in the future). For example, a vulnerability in curl (included in Whonix-Gateway).

That’s just Debian. How many people pentest the specific settings of Whonix-Gateway or the packages added by Whonix developers? I think not many; a vulnerability there can persist for a long time before it is discovered.

Of course, Tails would be subject to the same issues. But I would be more careful before stating “in Whonix no such thing could happen”.

When you compare Tails with Whonix vulnerabilities, you can’t compare it just with the Workstation. You have to compare Tails’ vulnerabilities with those of everything that must be used in Whonix: Workstation + Gateway + Hypervisor.

Because the majority of exploits likely deal with host exploitation, which will be game over. If such an exploit happens in your workstation, it likely won’t happen in your gateway. And as far as drive-by exploits are concerned, this is yet another reason to take advantage of immutable drives if you use VirtualBox. Not foolproof, but fairly solid.

I can agree with that. It’s more secure, but there’s a big difference between “less likely” and “could never happen”. And this does not require any exotic attacks on firmware or anything like that. One major fault in any of the Whonix-Gateway packages and user is done for.

Now we also have VirtualBox. As stated by the Whonix documentation, Oracle has a bad history of revealing security issues, plus it isn’t open source. Tails is all open source if I am not mistaken. Another point to Tails.

Then use Qubes OS, which you should do when you fear these kind of attacks anyway…

Why don’t you tell us how you might conduct a targeted attack on the Gateway? Network interface? Tor daemon? iptables? And what would be your solution? If you were an attacker would you rather spend time and money trying to find a remotely-exploitable bug in a network driver or phish for an idiot user to click on clickbait? And if you did happen to find a bug in a driver or libc or whatever - and this is a huge point - how would you know which Gateway to target? Why not target the user of interest directly in the Workstation without having to crack Tor first?

Sure, it’s possible to be a random victim of a non-targeted mass attack… but then so is everyone else - Tails, Subgraph, data centers, corporations, etc.

And how many of those are remotely exploitable and/or privilege escalation bugs? The malware ecosystem is very large. No usable exploits get left on the shelf.

An audit can be immensely useful. But what specifically would you like pentested? Whonix is a bunch of settings and scripts that you can see and understand for yourself on GitHub. There are no binaries that need to be fuzzed. You can manually put Whonix together yourself and watch each piece go in. Start with a small Debian, add Tor, add the Whonix glue. Most hypothesized potential Whonix vulnerabilities are brought up by users who don’t really understand what Whonix is. (btw, the same could be said of Tails. But Tails also puts a lot more eggs in its only basket.)

Partially correct. Yes, the Gateway + the Workstation should be included in the Whonix attack surface. But what do you gain in your analysis by including the Gateway, since all of those components (again, minus some scripts) are also included in Tails? The Whonix Gateway, and by extension the Tor daemon, strictly has fewer attack avenues when used with Whonix than when used with Tails. I don’t think Tails would argue with that. This comes at the expense of usability. Then there is an entirely orthogonal discussion of amnesia and forensics, in which Tails is superior (even when using various Whonix hypervisor non-persistence features).

It is incorrect to include the hypervisor as a vulnerability when comparing to Tails. The hypervisor adds a layer of defense, not increased attack surface in that comparison because the guest VM needs to be compromised first in order to attack the hypervisor. Like I said above, with Tails, you only have one OS that needs to be compromised for full access.

I already gave examples. Nothing new really. Stack or buffer overflows. String function vulnerabilities. Small unnoticed bugs in protocols or the applications that run them. Things that get exploited every day. Every kind of system is a target.

You surely don’t think it ends with idiots downloading malware? Yes, there are plenty of them, but those aren’t the valuable targets. If I’m an attacker, I’d very much want to find a bug in a system that’s probably popular with onion site operators, or other high-quality systems. Sure! Such a vulnerability is worth a thousand idiots.

A huge point for you and for me, no doubt, but I hope you do realize many people do that successfully every day? And I don’t mean script kiddies…

If a bug in the system is available then all of them. Yes, today bots do the job. You still think about a 15-year-old hacker in the basement or part-timers? Think expert hacking groups, well funded and determined.

Right, and the attacker should assume there’s an idiot at the other side, and satisfy himself with that. Exploits are written to make sure all the vulnerable systems are exploited, regardless of whether idiots are running them or not.

That’s correct, I didn’t say others aren’t vulnerable. My point is how to make the Gateway even more secure. For example, I saw in the docs there was an initiative to use Gentoo Hardened but I didn’t see anything recent.

I do sincerely hope you are aware that open source software isn’t immune to mistakes and vulnerabilities just because everything is there to be seen. I don’t imply that there are secret backdoors, if that is what you mean. Of course every input should be fuzzed in any way possible. Do you expect me to instruct the professionals how to do their job? Yes, Tails also is and should be subject to audits despite being open source; one of those audits appears on their site.

What are you talking about? Tails doesn’t use the Whonix Gateway. If there is a vulnerability specifically there, it is unique to Whonix. The components are not identical to those used in Tails. Some are obviously, others aren’t. I don’t talk generalities but specifics.

Wrong wrong wrong. As admitted above, if the hypervisor itself is compromised, everything is compromised. The guest doesn’t need to be compromised first. You still limit your thinking to some user clicking on clickbait. The hypervisor can be infected, for example, by an attack on the download page (how many users verify VirtualBox properly?). Or it can be affected through any connection VirtualBox itself maintains, even when there’s no traffic at the guests (for example, VirtualBox initiates its own connection to check for new versions, right?). Or it can be attacked by anything that runs on the host. Ah yes, I didn’t include that, but Tails has no host. And if users run VirtualBox, probably many of them run Windows. Can Windows affect Tails…? No, Tails has no other “host”. So, to be more precise, when we compare attack surface, it is Tails on one side, and:

  1. Whonix workstation (and everything the user installed on it; he is encouraged to do so!)
  2. Whonix gateway
  3. The hypervisor
  4. The host

on the other.
Failure of (1) will not reveal the IP, MAC, correct, but it will reveal many other sensitive info.
Failure of (2-4) may reveal it all.

QED. Cheers.

Ok, go ahead… Maybe we should start by patching those…

I don’t… that’s where it begins. Attackers have costs just like defenders.

Could’ve fooled me. Do a search for “major cyber intrusions”. See how many occurred because of user error and how many were due to master hacker exploiting a low-level library on their way to compromising a hypervisor. Yes, we don’t always hear about nation-state ops like Stuxnet - but we do hear about more and more of them - and it would be a safe guess to say that nation-states would rather use low-hanging fruit if they can.

You missed the point. Finding a vulnerability isn’t it. Rather, the second part of the sentence…

That would be ideal. Then it’d be so much easier to detect. Expert hacking groups don’t hack everyone to get to a target. (again, stuxnet). Surveillance is a different animal.

Whonix isn’t just open-source. It’s small and readable.

I don’t but that doesn’t seem to be stopping you. :wink:

Well, if you want to go down the rabbit hole that there is nothing that can be trusted - like my polonium-laced pencil - then congratulations, I have no rebuttal. We usually have to make some assumptions - like not being compromised already. There is no system that can survive that so I’m not sure that helps or hurts your point of view.


Gentoo wouldn’t help you there either, and it would be more helpful if you would point us to vulnerabilities that exist at this very moment and not just talk about how things get exploited without any example.
Also, you could port everything Whonix-related to Gentoo and finish that work if you think that this would make the GW more secure.

Seems very broad and unspecific to me …

That’s why you download it from an official repo and not from the website. If you are talking about a Windows OS, then you have a lot more problems to worry about.
