Current Whonix flaws and implementation musts for Whonix 2.0

this post details number of glaring security holes in Whonix and it’s current design, while most of Linux desktop is affected by this, the risks can be greatly reduced, massive performance gains and easier to audit

I am willing to develop a “testing sample” of how Whonix 2.0 should be, if approved I wont mind being maintainer. BUT first I have to explain major security issues and their resolution

if you look at modern desktop Linux with plenty of different flavors, you will see one thing in common, they all suck at security, they provide fake security with words “apparmor” “contained” when in reality these apps can access everything most of time.

linux kernel is huge, bloated attack surface but if that bloat is used, you can make very secure system examples!

  • Replacing pipewire and pulseaudio with Linux’s built-in ALSA
  • Removing D-Bus, Polkit, Gsd, Gvfsd and more useless daemons
  • switching to Busybox is more secure than normal Linux
  • switching to Doas is more secure than Sudo
  • Switching away from super insecure XFCE xOrg to Wayland window manager
  • Switching Debian with alpine due to more updated packages, more secure package manager, Musl which is more secure than Glibc, Musl is lighter (around 1 million code less) and handles memory a lot more securely
  • switching from Debian to alpine should pose no technical challenge as alpine has plenty of packages and is used by professional companies and is not amateur project
  • Enforcing either SELinux or apparmor strictly and for all apps, it’s better if app breaks than app hacks :slight_smile:
  • having a custom app in workstation that only starts on first startup which has nice interface and lets user click for software he wants to install instead of bundling everything in the Whonix image, what if he don’t want bitcoin wallet? or VLC(backdoored btw)? what if he just wants tor browser only? this helps reduce Whonix size and attack surface quite alot
  • Whonix gateway should automatically set up it’s self without any user interaction, it should not even have a enviorment of any kind, user starts gateway then workstation thats it he dont setup gateway
  • Whonix could have app run on first startup that change passwords from changeme to something long random and secure without telling the user it, this can be option from the app chooser app to preserve freedom but with big warning
  • whonix live also based on alpine, with same exact setup except no apps but a preconfigured kvm whonix vms, encrypted host etc

i can be maintainer for future whonix 2.0 which i can start work on from now if you agree with my point

it can be provided in download page under some “experimental Whonix 2.0” or “experimental live Whonix 2.0” and dedicated forum section

this is just thought, because current whonix state is sorry but i dont blame, if whonix do this it will be more secure than qube os and tails!

Big potential for lots of theoretic debate but no actual progress being made.

ALSA… Help welcome.

Can you do the port to ALSA?

A good first contribution to show serious commitment would also be editing the wiki, the base distribution selection criteria as well as to compare any relevant distributions for it. → Criteria for Choosing a Base Distribution

Alpine Linux package manager security research task up for grabs: Alpine Linux

as far as i know all linux package managers are vulnerable to freezing attacks, i just meant secure as in less code even when compared to pacman. also i forgot to mention in post that alpine choice is due fact systemd is not there and systemd is big security risk because tons of code and services, while openrc is simpler and more secure

to add to post more things whonix 2.0 should do:

  • switch to ash than bash
  • set readonly to .rc and .profile
  • not have xwayland installed when switching to wayland window manager

if the whonix 2.0 is based on alpine, no need to port alsa as all packages are compiled for alsa on alpine by default

1 Like

speaking of tuf, i’d like give some more information on apk (alpine package manager)

it seems to download .tar and checks file hash from database of latest files hashes which is signed by pgp

so downloads content can’t be tampered with, as for mitm, alpine provides mirrors with https support,

which means man in middle can’t modify modify (they alrdy can’t but extra layer good), they can’t give user different package due https or make them download outdated package.

this is of course considering the mirror it’s self is not malicious. if it was malicious, and the attacker gives different package or old package version, apk will attempt to check if hash matches list of hashes signed and fail since hash lists always have latest versions (hash lists while provided by same supposed malicious mirror, it is signed with latest hashes so mirror cannot modify, unless mirror had already saved the last signed hash lists but im not sure what will happen in that sceniro)

so this rules out 2 attacks from tuf, the modification of content and to some degree, downgrade packages, which leaves re-direction to another package, alpine linux will prompt you with package names before you hit y, so if user installs firefox and he gets vlc, he will have had to manually agree to installation, if he did miss the vlc name in terminal, he would find out he got attacked because he dont have firefox!

as for dependencies, i have no clue.

what i just said is not facts on stone, maybe i got alot of things wrong but so far apk seems just as good as pacman and maybe even apt

also i would like to add to not make this discussion strictly related to switch to alpine, the other issues i mentioned are, while more critical, everything i mentioned works hand-in-hand so one must avoid fixing one issue while leaving other

and lastly, i would like to add that the NSA leaks one of tools was specifically targeting busybox and alpine, but i guess they also now have tools for debian so its kinda irrelevant but worth noting

i noticed error in alpine wikipedia u sent

“end-to-end signed packages (not only repository metadata) (such as end-to-end signed .debs

this comparsion makes no sense as you cannot sign large files, you can only sign the files hash (metadata)

That’s a bold claim. Do you have any proof?

nsa and cia leaks mentioned a vlc backdoor

vault 7 leaks

Debian has valid-until which notices indefinite freeze attacks and prevents replay attacks.

Good to add to the comparison table. Criteria for Choosing a Base Distribution

Threat models usually include malicious / compromised mirrors and broken TLS.
TLS has many issues. → Transport Layer Security (TLS)

Large files can be signed for example with gpg. For example Whonix-CLI- is a large file. 1 GB+. And Whonix-CLI- is its signature.

Not Wikipedia. Whonix wiki. Not the same.

Only can be called Wikipedia, which is based on the MediaWiki webapp. The Whonix wiki is also based on MediaWiki.

1 Like

the gpg when signing files signs only the hash, not the file, this is true to all ciphers curves and rsa. u cannot sign a file large than key size for example 4096 key can only sign 4096 big files max

“(GPG) digital signatures combine a hash with a cryptographic process which ensures not only the integrity of the signed message (file, mail, …) but also the authenticity of this message. By mean of these digital signatures (usually asymmetric cryptography), you can be sure that the content you checked has not been tampered with and has been issued by the owner of the key (who has access to the private key).”

yeah its type mistake sorry english is not my first language

There will probably be way too many disagreements that I can foresee. Therefore I think your conditions cannot be met.

In case that isn’t an issue… Due to the huge extend of changes you’re suggesting it would be helpful if you’d establish a history as a contributor first. As mentioned, for the wiki improving Criteria for Choosing a Base Distribution would be good or a small non-controversial code contribution, bugfix, patch, feature.

Otherwise I think this forum thread has a high chance to result in a lot of discussion but no actual improvements.

1 Like

alright i just meant i could provide a “sample image” of how whonix should look like and u could develop whonix 2.0 based on that

and yes i will try helping with things, isn’t sdwdth ntp client need a write? i could do that

Yes but something smaller that needs little to no discussion would be better to establish a history as a contributor as a first time contribution.

1 Like

alright i submitted already a whonix wiki edit related to “end-to-end” signing comparsion table, i removed it because it dont make sense. as when u sign files u actually sign hash

I actually don’t agree to that either. Signing the hash, perhaps but that’s getting into semantics. But signed debs… Well, see end-to-end signed debs. debsign, debsig and dpkg-sig. It’s about end-to-end signed packages (or hashes of these packages). Therefore shouldn’t be deleted from the criteria without replacement.

it might also be worth creating a whonix wiki page related to vlc and including info about fact a backdoor was mentioned in cia vault 7 leak

(ignoring fact it is included by default in whonix hmm)

also stating that a video player is not needed and users should use tor browser as video player might also be worth mentioning or just removing vlc all together from default builds and if someone wants vlc he can install it normally via terminal