Choosing between Kicksecure and Debian ?

What is better to use Kicksecure or Debian and then harden Debian using Whonix Docs?
Kicksecure is non-anonymous distribution and in case ISP can fingerprint you that you use Kicksecure, they can tell in 99% number of cases that you are using Whonix too. But if you use hardened Debian ISP will see that you use Debian, but Debian is used by a lot of people and if you use Whonix VM in Debian host. ISP can’t say if you use Whonix, they just see that you use Tor.
How easy is for them to fingerprint you and see what OS you use ?

1 Like

Kicksecure is based on Whonix research and documentation. Kicksecure is
Whonix minus Whonix related packages with only the security relevant

To start with Debian and then add hardening as per Whonix documentation
results in something similar to Kicksecure.


I read some of your previous post and you said
Probably ISP can fingerprint a user and see that user is using Kicksecure. Is there any option in Kicksecure - so for ISP it will look like user is using Debian ?

1 Like


Security vs fingerprinting is a conflicting goal unfortunately. Can’t maximize both at the same time. More secure settings are fingerprintable. Standing out form others.

The only solution would be to make as many people as possible use more secure settings so that nobody stands out anymore.


As a pure choice, between Kicksecure and Debian, it comes down to what you, as the user, want from your system.
If you want a relatively secure system but like implementing hardening solutions on your own, choose Debian.
If you want a system that is security-hardened out of the box, choose Kicksecure. Kicksecure is Debian-based, so you do not lose anything that “regular” Debian can do. You can still do everything that Debian can do, but you have the bonus of a pre-hardened system. In effect, you have an operating system that benefits from all the combined years of development, and research of the Whonix team.
Like Patrick said, fingerprinting is multi-faceted and complex. The larger of a userbase that Kicksecure has, the better. The fingerprinting becomes less and less effective as more users use the same system with the same settings.

1 Like

Do you mean a default Debian and hardened Debian can be fingerprinted as 2 different OS ? Or Kicksecure and hardened Debian fingerprinted as same os ?

What I can do to make Kicksecure less fingerprinted. Torify apt-get. What else ?

Most likely.

Likely no. Each hardening setting can have a different fingerprintable effect.

Nothing. It’s a lost cause. There’s no research, little researcher interest, let alone defenses.

Adversaries have an easier task. One fingerprintable mess up and you lost. Even in theory if there were defenses, you wouldn’t know of these are efficient.

This is quite similar to the lost cause of hiding Tor.

How about a VPN and kill switch always on or a VPN router behind real ISP ?
Assuming activities are only done in VM, never in Kicksecure as host system.

Will this layer not hide host system from real ISP ? (not VPN)

No. “IP was yesterday.” That’s no longer the only tracking mechanism.

Fingerprinting means characteristics other than IP. Details:

I watched some YouTube videos about active and passive windows fingerprinting.
Also Nmap is a powerful tool , it can leaks everything easily whether the targeted host is running windows or Linux.

Can Debian alongside kicksecure be used to separate identities to connect to open wifi at nearest location

Its hard to give an answer based on that, there are so many things in play like potential malware on the host system, mixing cookies when switching networks, 3d party apps that share data etc etc.

Best way would probably dual boot different hosts depending on what interface/network you are using. Alternatively pass though the private network to a VM where you handle your personal data.

Whonix and kicksecure wont help you if you don’t know how to stay secure while using the internet.

seems u didn’t understand my question
Even with two different dedicated devices one for ISP 1 other for isp2 there will be leaks due to windows fingerprinting , VPNs, hardened systems
that why whonix recommends using far distant public wifi