couple questions, New anon-whonix vs cloned anon-whonix ; new IP circuit with restart AppVM?


  1. does it matter if I clone vs create a new AppVM of anon-whonix ?

  2. I read the docs on running two simulataneously, and found it just a little ambiguous. ie.
    Multiple Whonix-Workstation ™

    The most safe thing to do is use only one Whonix-Workstation for one activity at a time.
    Leaving multiple Whonix-Workstations running at the same time
    introduces also new risks. One compromised Whonix-Workstation can
    perform various attacks. It is impossible to defeat all those attacks.
    Depending on the adversary’s skills and assumptions and your activity in
    other Whonix-Workstations, the attacker could correlate various running
    Whonix-Workstations to the same pseudonym.

    So, lets say I want to use Torbird in one anon-whonix and Tor browser in a 2nd anon-whonix and some web logins in a 3rd anon-whonix ; I’d really prefer to just leave all 3 running at the same time; I don’t have any adversarys that I know of per se…

and yes this is Qubes OS

  1. I understand I can ask for a new circuit in tor browser and get a new IP /circuit, but what effect does just stopping and starting the anon-whonix AppVM have?? a whole new circuit for the AppVM , eg if I want a new circuit for Torbird , must I shut down the AppVM to get one ?


I’m not expert, but I’ll have a crack and be corrected if I’m wrong.

1) Clone vs Create New AppVM of anon-whonix

Lets assume the worst case scenario. Some attacker hacked your existing anon-whonix AppVM and managed to create some form of persistence in your /user/home directory, which is the only persistent area in AppVMs.

By cloning it, you just cloned the attacker’s capabilities to a “fresh” instance of the Whonix-Workstation.

So, I’d say it does make a difference, assuming of course he/she didn’t already hack the TemplateVM somehow, which means you’d be totally screwed.

2) Multiple Whonix-Workstations

a) Running 3x anon-whonix vs One Activity at a Time

I think the idea Patrick was getting at is that if you got your ass hacked in one anon-whonix, it’s better not to run others simultaneously, because that’s when you start to get into covert channel attack territory.

That is, the attacker uses their foothold in say Torbirdy AppVM to launch some kind of attack on super-secret Email AppVM that is running at the same time.

By running one activity at a time, you are limiting this opportunity.

b) “New Circuit in Tor Browser”

The stock warning on “New Circuit in Tor Browser” is that it may not actually give you a new circuit that you thought you were getting.

In my pending Tor Browser entry edits (hint, hint mods ;-)), I’ve noted that this is far weaker than using “New Identity” (good) vs closing the Tor Browser session completely (best) since:

Warning: This feature does not attempt to clear Tor browsing session data or unlink activity, unlike the “New Identity” feature. If that action is really necessary to separate contextual identities, it is always safer to close and then restart Tor Browser.

You must remember what New Identity does / and what closing the browser completely achieves. New Identity for example:

Disables Javascript and plugins on all tabs and windows.
Stops all page activity for each tab.
Clears the Tor Browser state:
    OCSP state.
    Content and image cache.
    Site-specific zoom.
    Cookies and DOM storage.
    The safe browsing key.
    Google Wi-Fi geolocation token.
    Last opened URL preference (if it exists).
    Searchbox and findbox text.
    Purge session history.
    HTTP authentication.
    SSL session IDs.
    Crypto tokens.
    Site-specific content preferences.
    Undo tab history.
    Offline storage.
    Domain isolator state.
    NoScript's site and temporary permissions.
    All other browser site permissions.
Closes all remaining HTTP keep-alive connections.
Sends Tor the "newnym" signal to issue a new Tor circuit.

“New Tor Circuit” will only issue a new Tor circuit by comparison. So, if you are looking to unlink activities, it is dangerous to just use the “New Tor Circuit” function.

PS You have many adversaries whether you know it or not, just by using Tor.

Also in my pending Tor Browser edits:

Although the term adversary is not defined by The Tor Project, based on disclosures in recent years a list is likely to include: intelligence agencies (NSA, CIA etc.), federal and state police, homeland security and drug enforcement agencies, federal investigatory agencies (like the FBI), private security researchers, academics, undisclosed hacking groups, corporations, and others.

how would one get a new identity for the whole anon-whonix AppVM, not just a browser, ie if I’m using torbirdy by itself in a anon-whonix vm and feel i’ve done something that might allow it to be correlated with anon-whonix2 where i’m logged into to some website or just browsing

TJ, re: adversaries: yes, I know, I just meant to indicate, my level of need for anonymity re: what is preferred two VM with separate modes of 'net use simultaneously vs. using one and sharing tasks , seeing as i doubt i wanna open and close a VM everytime to use email

right now, If I CREATE a new 2nd anon-whonix ws and use torbird on it, everything is fine.
but if i try to run a 2nd ws with Tor Browser or Hexchat is lags badly and is not usable, so maybe the point is mute, if this is the only option ??

also have you connect to Hexchat via anon-whonix to the freenode? I can’t figure out the SASL stuff, despite reading the freenode docs on using the tor server and making the certificate in the .config/freenode/certs/etc …

apparently there might be some qubes users in freenode …


I guess if you want to separate out identities even further than just the browser (and use different Tor entry guards for other activities) this leads to Multiple-Gateway territory? See here:


Advantage is one Whonix-GW compromise does not lead to compromise of other activities using a different GW. Note the disadvantages though e.g. ISP might guess you are using different Tor data folders and different set of entry guards, problems around guard selection posing risks etc.

This is an open research question which @Patrick and @HulaHoop know far more about.

Note also known risks for multiple Whonix-WS configuration e.g. DDOSing, adversary stressing CPU and other computer components to check for correlation etc.

This is why it is just safer (and less convenient) to only do one thing at a time, in one Whonix-WS. Other configurations just introduce unknown risks. Even better is to do that one thing in a Disposable Whonix-WS, so the image is destroyed post-use (and post possible compromise).

Even Roger Dingledine wasn’t sure (when asked) of what is better re: Single GW and Multiple WS vs Multiple GW and Multiple WS mapped 1:1.

See a full discussion on these issues here (since you seem to be an advanced user):

Around HexChat etc. Sorry, I can’t help you, as I’ve never tried it.

oh yes, this looks like a new area to explore, hopefully I don’t break qubes again :slight_smile:

1 Like