This post details a number of glaring security holes in Whonix and its current design. While most of desktop Linux is affected by this, the risks can be greatly reduced, with massive performance gains and easier auditing.
I am willing to develop a “testing sample” of how Whonix 2.0 should be; if approved, I won’t mind being maintainer. BUT first I have to explain the major security issues and their resolution.
If you look at modern desktop Linux with its plenty of different flavors, you will see one thing in common: they all suck at security. They provide fake security with words like “apparmor” and “contained” when in reality these apps can access everything most of the time.
The Linux kernel is a huge, bloated attack surface, but if that bloat is used, you can make a very secure system. Examples:
- Replacing PipeWire and PulseAudio with Linux’s built-in ALSA
- Removing D-Bus, Polkit, gsd, gvfsd and more useless daemons
- Switching to BusyBox is more secure than normal Linux
- Switching to doas is more secure than sudo
- Switching away from the super insecure XFCE on Xorg to a Wayland window manager
- Replacing Debian with Alpine due to more updated packages, a more secure package manager, and musl, which is more secure than glibc; musl is lighter (around 1 million lines of code less) and handles memory a lot more securely
- Switching from Debian to Alpine should pose no technical challenge, as Alpine has plenty of packages, is used by professional companies and is not an amateur project
- Enforcing either SELinux or AppArmor strictly and for all apps; it’s better if an app breaks than an app gets hacked
- Having a custom app in the workstation that only starts on first startup, with a nice interface that lets the user click the software he wants to install instead of bundling everything in the Whonix image. What if he doesn’t want a bitcoin wallet? Or VLC (backdoored btw)? What if he just wants Tor Browser only? This helps reduce Whonix size and attack surface quite a lot
- The Whonix gateway should automatically set itself up without any user interaction; it should not even have an environment of any kind. The user starts the gateway, then the workstation, that’s it; he doesn’t set up the gateway
- Whonix could have an app run on first startup that changes the password from changeme to something long, random and secure without telling the user it. This can be an option in the app chooser app to preserve freedom, but with a big warning
- Whonix Live also based on Alpine, with the same exact setup except no apps but preconfigured KVM Whonix VMs, encrypted host, etc.
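As an added illustration of the first-startup password rotation proposed above (example code written for this thread, not part of Whonix or any Alpine tooling), the script below generates a long random password and applies it with `chpasswd`. The account name `user`, the password length of 40, and the opt-in `--apply` flag are assumptions for the example; the only real default it relies on is the shipped `changeme` password mentioned in the post.

```shell
#!/bin/sh
# Added example, not Whonix code: first-boot helper that replaces the
# shipped "changeme" password with a long random one.
# Assumptions: runs as root on the workstation, the default account is
# named "user" (placeholder), and the user opted in via a first-start
# chooser, which invokes this script with --apply.
set -eu

DEFAULT_ACCOUNT="${DEFAULT_ACCOUNT:-user}"   # assumed account name
PASS_LEN="${PASS_LEN:-40}"                   # assumed password length

# gen_password LEN: print LEN characters drawn from /dev/urandom.
# The alphabet deliberately excludes ':' , quotes and whitespace so the
# result can never break chpasswd's "user:password" line format.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9_%^*+=-' < /dev/urandom | head -c "$1"
}

# is_default_password PASS: succeeds (0) only if PASS is the shipped default.
is_default_password() {
    [ "$1" = "changeme" ]
}

# rotate_password ACCOUNT LEN: set a fresh random password on ACCOUNT
# without ever printing it (the post's "without telling the user" option).
rotate_password() {
    account="$1"
    newpass="$(gen_password "$2")"
    if is_default_password "$newpass"; then
        echo "refusing to keep the default password" >&2
        return 1
    fi
    # chpasswd reads "account:password" from stdin; only root may run it.
    printf '%s:%s\n' "$account" "$newpass" | chpasswd
    echo "WARNING: the password for '$account' has been replaced with a" \
         "random one that is not stored anywhere. Use sudo/doas via the" \
         "console only if you have another recovery path." >&2
}

# Only touch the system when explicitly asked and running as root.
if [ "${1:-}" = "--apply" ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root" >&2
        exit 1
    fi
    rotate_password "$DEFAULT_ACCOUNT" "$PASS_LEN"
fi
```

Running the file with no arguments only defines the functions, so the generator can be checked in isolation; `--apply` as root performs the rotation once. The whitelist alphabet matters more than it looks: `chpasswd` splits on the first `:`, so an unrestricted random byte string could silently set a different password than intended.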
I can be maintainer for a future Whonix 2.0, which I can start work on from now if you agree with my points.
It can be provided on the download page under some “experimental Whonix 2.0” or “experimental live Whonix 2.0” heading, with a dedicated forum section.
This is just a thought, because the current Whonix state is sorry, but I don’t blame anyone. If Whonix does this it will be more secure than Qubes OS and Tails!