This post details a number of glaring security holes in Whonix and its current design. While most of desktop Linux is affected by this, the risks can be greatly reduced, with massive performance gains and a system that is easier to audit.
I am willing to develop a “testing sample” of how Whonix 2.0 should be; if approved, I won't mind being maintainer. BUT first I have to explain the major security issues and their resolution.
If you look at modern desktop Linux with its plenty of different flavors, you will see one thing in common: they all suck at security. They provide fake security with words like “AppArmor” and “contained” when in reality these apps can access everything most of the time.
The Linux kernel is a huge, bloated attack surface, but if that bloat is used, you can make a very secure system. Examples:
Replacing PipeWire and PulseAudio with Linux's built-in ALSA
Removing D-Bus, Polkit, gsd, gvfsd and more useless daemons
Switching to BusyBox is more secure than normal Linux
Switching to doas is more secure than sudo
Switching away from the super insecure XFCE/Xorg to a Wayland window manager
Switching Debian for Alpine due to more updated packages, a more secure package manager, and musl, which is more secure than glibc: musl is lighter (around 1 million lines of code less) and handles memory a lot more securely
Switching from Debian to Alpine should pose no technical challenge, as Alpine has plenty of packages and is used by professional companies; it is not an amateur project
Enforcing either SELinux or AppArmor strictly and for all apps; it's better if an app breaks than if an app gets hacked
Having a custom app in the workstation that only starts on first startup, which has a nice interface and lets the user click for the software he wants to install instead of bundling everything in the Whonix image. What if he doesn't want a Bitcoin wallet? Or VLC (backdoored btw)? What if he just wants Tor Browser only? This helps reduce Whonix size and attack surface quite a lot
The Whonix gateway should automatically set itself up without any user interaction; it should not even have an environment of any kind. The user starts the gateway, then the workstation; that's it, he doesn't set up the gateway
Whonix could have an app run on first startup that changes passwords from changeme to something long, random and secure without telling the user; this can be an option in the app chooser app to preserve freedom, but with a big warning
Whonix Live also based on Alpine, with the same exact setup except no apps but preconfigured KVM Whonix VMs, encrypted host, etc.
I can be maintainer for the future Whonix 2.0, which I can start work on from now if you agree with my points
It can be provided on the download page under some “experimental Whonix 2.0” or “experimental live Whonix 2.0” and a dedicated forum section
This is just a thought, because the current Whonix state is sorry, but I don't blame anyone; if Whonix does this it will be more secure than Qubes OS and Tails!
Big potential for lots of theoretical debate but no actual progress being made.
ALSA… Help welcome.
Can you do the port to ALSA?
A good first contribution to show serious commitment would also be editing the wiki: the base distribution selection criteria, as well as comparing any relevant distributions for it. → Criteria for Choosing a Base Distribution
Alpine Linux package manager security research task up for grabs: Alpine Linux
As far as I know, all Linux package managers are vulnerable to freezing attacks; I just meant secure as in less code, even when compared to pacman. Also, I forgot to mention in the post that the Alpine choice is due to the fact that systemd is not there, and systemd is a big security risk because of tons of code and services, while OpenRC is simpler and more secure.
Speaking of TUF, I'd like to give some more information on apk (the Alpine package manager).
It seems to download a .tar and checks the file hash against a database of the latest file hashes, which is signed by PGP,
so the downloaded content can't be tampered with. As for MITM, Alpine provides mirrors with HTTPS support,
which means a man in the middle can't modify it (they already can't, but an extra layer is good); they can't give the user a different package, due to HTTPS, or make them download an outdated package.
This is of course considering the mirror itself is not malicious. If it were malicious, and the attacker gave a different package or an old package version, apk would attempt to check if the hash matches the signed list of hashes and fail, since hash lists always have the latest versions (the hash lists, while provided by the same supposedly malicious mirror, are signed with the latest hashes so the mirror cannot modify them, unless the mirror had already saved the last signed hash lists, but I'm not sure what will happen in that scenario).
So this rules out 2 attacks from TUF: the modification of content and, to some degree, downgrading packages, which leaves redirection to another package. Alpine Linux will prompt you with package names before you hit y, so if the user installs firefox and gets vlc, he will have had to manually agree to the installation; if he did miss the vlc name in the terminal, he would find out he got attacked because he doesn't have firefox!
As for dependencies, I have no clue.
What I just said is not facts set in stone; maybe I got a lot of things wrong, but so far apk seems just as good as pacman and maybe even apt.
Also I would like to add: don't make this discussion strictly related to the switch to Alpine. The other issues I mentioned are more critical, but everything I mentioned works hand-in-hand, so one must avoid fixing one issue while leaving the others.
And lastly, I would like to add that one of the tools in the NSA leaks was specifically targeting BusyBox and Alpine, but I guess they also now have tools for Debian, so it's kind of irrelevant but worth noting.
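To make the verification chain discussed in the post above concrete, here is an added example (not apk's own code and not from anyone in this thread): a toy client that first verifies a signed hash index, then checks the served package against it, so that modified content, a replayed stale index, and redirection to a different package are each rejected. The HMAC "signature", the fixed issue time, and the sample packages are constructed stand-ins; a real index is signed with an asymmetric key as the post describes.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the index signing key: a real index is signed with an
# asymmetric key; HMAC is used here only so the example runs on the stdlib alone.
INDEX_KEY = b"constructed-demo-index-key"

def sign_index(packages: dict, issued: int) -> dict:
    """Publisher side: sign the current package hashes together with an issue time."""
    payload = json.dumps({"issued": issued, "packages": packages}, sort_keys=True)
    sig = hmac.new(INDEX_KEY, payload.encode(), "sha256").hexdigest()
    return {"payload": payload, "sig": sig}

def verify_index(signed: dict, now: int, max_age: int) -> dict:
    """Client side: reject a forged index first, then a stale (replayed) one."""
    expected = hmac.new(INDEX_KEY, signed["payload"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        raise ValueError("index signature invalid")
    index = json.loads(signed["payload"])
    if now - index["issued"] > max_age:  # mirror replayed an old but validly signed list
        raise ValueError("index stale (freeze/downgrade attempt)")
    return index

def install(index: dict, requested: str, served_name: str, served: bytes) -> str:
    """Check a served package against the verified index; return its version."""
    if served_name != requested:  # redirection to a different, validly signed package
        raise ValueError(f"redirected: asked for {requested}, got {served_name}")
    entry = index["packages"][requested]
    if not hmac.compare_digest(hashlib.sha256(served).hexdigest(), entry["sha256"]):
        raise ValueError("package hash does not match signed index")
    return entry["version"]

def attempt(index: dict, requested: str, served_name: str, served: bytes) -> str:
    """Turn each install outcome into a short label (used by the checks below)."""
    try:
        return "ok " + install(index, requested, served_name, served)
    except ValueError as e:
        return "rejected: " + str(e)

# Constructed sample repository: two packages plus an older firefox build.
FIREFOX_NEW, FIREFOX_OLD, VLC = b"firefox-1.2", b"firefox-1.1", b"vlc-3.0"
PACKAGES = {
    "firefox": {"version": "1.2", "sha256": hashlib.sha256(FIREFOX_NEW).hexdigest()},
    "vlc": {"version": "3.0", "sha256": hashlib.sha256(VLC).hexdigest()},
}
SIGNED = sign_index(PACKAGES, issued=1000)
INDEX = verify_index(SIGNED, now=1100, max_age=3600)  # fresh, genuine index
```

The stale-index branch is the case the post is unsure about: a mirror that saved an older signed hash list can serve it unmodified, so the client needs a freshness check on top of the signature.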
GPG, when signing files, signs only the hash, not the file; this is true for all ciphers, curves and RSA. You cannot sign a file larger than the key size; for example, a 4096-bit key can only sign files 4096 bits big max.
“(GPG) digital signatures combine a hash with a cryptographic process which ensures not only the integrity of the signed message (file, mail, …) but also the authenticity of this message. By mean of these digital signatures (usually asymmetric cryptography), you can be sure that the content you checked has not been tampered with and has been issued by the owner of the key (who has access to the private key).”
Yeah, it's a typing mistake, sorry, English is not my first language.
There will probably be way too many disagreements that I can foresee. Therefore I think your conditions cannot be met.
In case that isn't an issue… Due to the huge extent of the changes you're suggesting, it would be helpful if you'd establish a history as a contributor first. As mentioned, for the wiki, improving Criteria for Choosing a Base Distribution would be good, or a small non-controversial code contribution, bugfix, patch or feature.
Otherwise I think this forum thread has a high chance to result in a lot of discussion but no actual improvements.
Alright, I already submitted a Whonix wiki edit related to the “end-to-end” signing comparison table; I removed it because it doesn't make sense, as when you sign files you actually sign the hash.
I actually don’t agree to that either. Signing the hash, perhaps but that’s getting into semantics. But signed debs… Well, see end-to-end signed debs. debsign, debsig and dpkg-sig. It’s about end-to-end signed packages (or hashes of these packages). Therefore shouldn’t be deleted from the criteria without replacement.
It might also be worth creating a Whonix wiki page related to VLC and including info about the fact that a backdoor was mentioned in the CIA Vault 7 leak.
(ignoring the fact that it is included by default in Whonix, hmm)
Also stating that a video player is not needed and users should use Tor Browser as the video player might be worth mentioning, or just removing VLC altogether from default builds; if someone wants VLC he can install it normally via the terminal.