I like the formatting. Keep it simple so everyone can understand it.
Maybe one change.
The Whonix lead developer digitally signed this file
and states the following:
If it's only you signing the file.
Instead, how about:
The Whonix lead developer who digitally signed this file states the following:
Canary issue date: see the gpg signature time.
No warrants have ever been served on the Whonix Project; for example, to hand out the private signing keys or to introduce backdoors.
We plan to publish the next canary statement whenever the Whonix APT repository is re-signed. This occurs approximately every month. [Ref 1] [Ref 2]
This file should be signed with a detached OpenPGP signature by the Whonix lead developer.
Do not trust the contents of this file blindly - always verify digital signatures!
None.
Be mindful that Whonix has been designed under the assumption that all relevant infrastructure is permanently compromised. This means NO trust is placed in any of the servers or services which host or provide any Whonix-related data, particularly software updates, source code repositories, and Whonix downloads.
This canary scheme is not infallible. Signing the declaration makes it very difficult for a third party to produce arbitrary declarations, but this does not prevent the use of coercion, blackmail, compromise of the signer’s laptop or other measures to produce false declarations.
The news feeds quoted below (see Proof of freshness) confirm this canary could not have been created earlier than the issue date. This demonstrates a series of canaries was not created in advance.
This declaration is provided without any guarantee or warranty. It is not legally binding upon any parties in any form. The signer should never be held legally responsible for any statements made here.
(coming soon)
I haven’t seen this by anyone else except Qubes. And “Qubes does so” by itself isn’t an argument. Perhaps I should have asked Qubes for the reasoning behind it? Well, the Whonix master key fingerprint will be visible when checking the gpg signature of the canary. If another (malicious) fingerprint signed the canary, they’d just change the contents of the file too. So yeah, an implicit assumption (not written anywhere before now but assumed) is that the one verifying the canary already knows the Whonix ™ Signing Key by heart. Maybe not by heart, but they already need to know which identity/fingerprint is behind it, i.e. for whom it makes sense to sign the canary.
Good point. The valid-until period is currently set to 1 month. (Debian uses 2 weeks.)
(On APT valid-until: Valid-Until field in Release files | Ganneff’s Little Blog)
( https://github.com/Whonix/Whonix/blob/master/aptrepo_remote/conf/distributions#L11 )
So I have to re-sign the Whonix repository less than 1 month after I signed it last time. I do it most times when I work on Whonix source code, and when I remember. So it’s infrequent. But we haven’t had outdated apt repository metadata for a while, so that works quite well.
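The two points above (the verifier must already know the signing key’s fingerprint, and the repository metadata carries a 1-month Valid-Until) both come down to checks a user can script. The block below is an added example, not Whonix project code and not posted by anyone in this thread. It parses the machine-readable output that `gpg --status-fd 1 --verify canary.txt.asc canary.txt` produces (a constructed sample is embedded so it runs offline), pins a placeholder fingerprint that is an assumption for the example rather than the real Whonix key, flags a canary whose signature is older than the promised 4-week period, and parses the Valid-Until field of a constructed APT Release file the way apt’s expiry check does.

```python
"""Verifier-side checks for a signed warrant canary and APT metadata.

Added example, not Whonix project code.  The gpg status output and the
Release file below are constructed samples; EXPECTED_FPR is a placeholder.
"""
import email.utils
import re
from datetime import datetime, timedelta, timezone

# ASSUMPTION: placeholder fingerprint, not the real Whonix signing key.
# Replace it with the fingerprint you already know out-of-band; the whole
# point of pinning is that the verifier knows it before seeing the canary.
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
CANARY_PERIOD = timedelta(weeks=4)  # "next canary statement within 4 weeks"

# Constructed sample of `gpg --status-fd 1 --verify` output for a good
# signature.  VALIDSIG field layout (gnupg doc/DETAILS):
#   VALIDSIG <fpr> <sig_date> <sig_timestamp> <expire_timestamp> <sig_version>
#            <reserved> <pubkey_algo> <hash_algo> <sig_class> [<primary_fpr>]
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] SIG_ID abcdefghijklmnopqrstuvwxyz 2024-05-01 1714521600
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-05-01 1714521600 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""

# Constructed sample of the head of an APT Release file.  Date and
# Valid-Until are RFC 2822 dates; the span is the 1 month discussed above.
SAMPLE_RELEASE = """\
Origin: Example
Suite: example-suite
Codename: example
Date: Wed, 01 May 2024 00:00:00 UTC
Valid-Until: Sat, 01 Jun 2024 00:00:00 UTC
Architectures: amd64
"""

_VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG (\S+) \S+ (\d+) ")


def utc(year, month, day):
    """Aware UTC datetime for the given calendar day (helper for callers)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_validsig(status_output):
    """Return (fingerprint, signature time as aware UTC datetime) from the
    VALIDSIG line, or None if gpg reported no valid signature.  GOODSIG alone
    is not enough: it carries only a short key ID, which can be collided."""
    for line in status_output.splitlines():
        m = _VALIDSIG.match(line)
        if m:
            fpr, ts = m.group(1), int(m.group(2))
            return fpr.upper(), datetime.fromtimestamp(ts, tz=timezone.utc)
    return None


def check_canary(status_output, now, expected_fpr=EXPECTED_FPR, period=CANARY_PERIOD):
    """Classify a canary as 'ok', 'no-valid-signature', 'wrong-key' or 'stale'.
    'stale' means the signature predates `now` by more than the promised
    publication period, i.e. the canary statement should be treated as missing."""
    parsed = parse_validsig(status_output)
    if parsed is None:
        return "no-valid-signature"
    fpr, signed_at = parsed
    if fpr != expected_fpr.upper():
        return "wrong-key"
    if now - signed_at > period:
        return "stale"
    return "ok"


def release_valid_until(release_text):
    """Return the Valid-Until field of a Release file as an aware datetime,
    or None if the field is absent (apt then never expires the metadata)."""
    for line in release_text.splitlines():
        if line.startswith("Valid-Until:"):
            return email.utils.parsedate_to_datetime(line.split(":", 1)[1].strip())
    return None


def apt_metadata_expired(release_text, now):
    """True when apt would reject the repository because its signed
    metadata has passed Valid-Until."""
    until = release_valid_until(release_text)
    return until is not None and now > until


if __name__ == "__main__":
    print(check_canary(SAMPLE_STATUS, utc(2024, 5, 20)))   # ok
    print(check_canary(SAMPLE_STATUS, utc(2024, 6, 15)))   # stale
    print(apt_metadata_expired(SAMPLE_RELEASE, utc(2024, 6, 2)))  # True
```

Note that the fingerprint comparison uses the full 40-hex-digit fingerprint from VALIDSIG rather than the key ID in GOODSIG, and that a "stale" result is exactly the signal a canary is designed to give: a signature that is valid but older than the promised interval.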
Not sure what you mean by that but by experience your suggestions are almost(?) always taken.
Please add.
Thanks. I edited that into my suggested canary text above.
At step 3, I noted there should also be two footnotes:
This canary looks good to go?
When it’s up with Proof of Freshness, we only need to change the wiki canary entry accordingly.
What I never understood, what made me doubt the usefulness of canaries, but also never asked in public:
What if the case we’re trying to plan for here actually happens? What if there:
Then after the canary doesn’t get updated in time, the public could reasonably assume that a backdoor was added to Whonix.
As a result: everyone who used Whonix from the time of the last canary issued (no-backdoor version) until the canary expired (backdoor added in the meantime) would be potentially compromised by the backdoor, depending on the type of backdoor.
That would be a very bad result indeed. But perhaps better to know after a month that one was compromised for a month than never knowing it? Is that the point of a canary?
“positives” (if it can be called that) in such worst case scenarios:
What lavabit actually did by shutting down their service seems much better than what lavabit could have done if they just had a canary and let it expire.
Warrant canary still seems to me to have a very narrow scope:
Note: The point of this post is gathering a better understanding possibly leading to a better implementation. Whonix canary will be implemented in near future either way.
While I don’t see how it applies to Whonix, (2) can certainly happen in cases where authorities view the operation as illegal / supporting illegal activities: they take over the project while the project manager is required / coerced to cooperate. We have seen it happen with dark net markets.
I agree that a combination of all 3 is quite unlikely.
Of course. Some users didn’t have a chance of updating and will not be affected. They are saved. Others didn’t have potentially harmful material, yet. The rest will minimize the damage in any way they can and abstain from adding further compromising material or engage in communication that can compromise others.
Another point: there is some apparent contradiction between the principle of “perform updates as frequently as possible” and this canary concept. If indeed there is a canary (that is reliable in at least some scenarios), won’t it be better to update from Whonix sources only once a month, after it’s published? (Or you can look at it as a possible negative of having a canary: users delay updates.)
Or the way the original Truecrypt devs shut down shop by releasing a version that doesn’t encrypt.
Shutting down the website/code repos is indeed a more visible warning than any text notice.
Canary is now live.
Duplicated to github in case of whonix.org server issues.
Fixed.
Can you please change two things:
—===[ Whonix Canary #1 ]===—
Statements
References removed entirely because: No need to mention my internal process “of doing this most of the time whenever I re-sign the Whonix repository”. Greatly simplified:
We plan to publish the next canary statement within 4 weeks.
Sorry, I didn’t get this one.
Actually, no, I don’t have numbering in mind.
Btw canary-template.txt lives here:
Pull requests welcome.
Actually it looks good now. +1
At the time of writing, the Whonix warrant canary is valid. However, it’s time to address some issues that recently came to mind.
Problem: Potential Maintenance Lapses:
Solution: Healing Warrant Canary
Recommended User Action in Case of Warrant Canary Issues:
Warrant Canary Issues could be:
Recommended User Action in Case of Warrant Canary Issues:
Enumerating Whonix project infrastructure we care about and in what circumstances its trustworthiness would be necessary:
1) whonix.org server related:
By design - Distrusting Infrastructure - there is as little interesting as possible on whonix.org. Although, some interesting things should not be received by any third parties. These are:
- IPs on the whonix.org server. (Related: IP Addresses and IP Addresses Logging Policy)
- User names, e-mail addresses, hashed passwords.
However, even if the whonix.org server was under complete surveillance, that would not wreck the functionality of the Whonix software.
2) Whonix software related:
Priorities:
- whonix.org website.
Possible Solutions:
- whonix.org server
- whonix.org server as long as Whonix software is free of
Canary re-wording consideration:
Change from
- No warrants have ever been served on the Whonix Project;
for example, to hand out the private signing keys or to introduce
backdoors.
to
Definition “artifact”: Whonix software, Whonix downloads, Whonix
source code
- The Whonix Project has never added any backdoor to any artifact.
- The Whonix Project has never turned over any signing key.
- The Whonix Project has never knowingly signed any artifact containing any backdoor.
- The Whonix Project has never weakened, compromised, or subverted any of its cryptography.
Bad idea upon reflection.
Probably going for it.
Draft - Warrant Canary Draft
Was modified:
Dev/Warrant Canary Draft: Difference between revisions - Whonix
Giving more time for comments and if there are no major issues, going to change the actual canary.
Implemented.