I’m especially curious about the thing.
Let’s assume we have a not-Whonix, but Whonix-like configuration where 2 virtual machines have Tor proxy clients installed on both, and there is a Tor Browser in the one of. The browser still can be configured not to use Tor ever and behave just as secure non-anonymous browser, so, therefore, if we don’t want Tor-over-Tor scenario to accuse, we just change the browser proxy settings so they point to only one proxy client. Examples are:
network.proxy.socks.port;9150 - to use a proxy client in the same VM.
network.proxy.socks.port;9150 - to use a proxy client in the other VM.
Both cases will cause Tor Browser to connect only the one Tor client, thus initiating a normal 3-nodes paths and not giving Tor-over-Tor scenario a chance to appear.
Well, well. So, why the browser is configured to use socket file to understand proxying? That’s just useless. Why just don’t connect it directly to the gateway.ip.address:stream.isolation.port? I don’t ever wonder why such a wild “fix” is in usage. When I run Tor Browser through Burp Suite and that one thing prevents me from doing it while in common Debian Buster attached to Whonix Gateway it plays great only edited to follow the Burp HTTP intercepter before Tor network. It really pisses me off. And yes, I do know anonymous penetration testing talks are restricted on the forum. I don’t try to remain anonymous. I’m dealing with very nasty WAF that makes use of too advanced blocking technologies so I’m not able to enter the site again within the testing environment even after I terminated my browser. It’s important to use a lot of virtual machines which Qubes assists me with, but that Whonix architecture surprise pisses me all off.