I am trying to understand the Fingerprint wiki. There is a recommendation to prevent non-Tor connections when moving between networks. I don’t understand what this achieves. I understand that any non-Tor connections that uniquely identify somebody (such as visiting obscurewebsite dot com or facebook dot com) should be prevented, but the recommendation seems to mean that we should disable all clearnet traffic. I am a Qubes user, so this would mean even default sys-net traffic. If you were to do this, then an ISP adversary would not be able to tell what OS you are using, but only creating Tor traffic is a fingerprint equally as identifiable as the fingerprint of the OS default clearnet traffic.
I think the best you can do when moving networks is remove your state file, but your OS will always be visible.
The only other reason I can think of for this recommendation is to prevent the attack where an adversary is able to link Tor and non-Tor traffic, but this isn’t something specific to moving networks.
My recommended amendments to the documentation would be “make no clearnet connections outside of the default connections that are necessary for the host operating system” and a note that “ideally no clearnet connections would be made at all, but this is not the default behavior of many (any?) operating systems, and so modifying your operating system to do this would give you a more unique fingerprint and worsen your anonymity”.
Yes, making clearnet and Tor connections simultaneously is bad.
The problem with Network, Browser and Website Fingerprint is that it says “absolutely prevent non-Tor connections” as part of the moving networks precautions. It is not referring to the issue of connecting to the same server over both clearnet and Tor, but to the issue of making two clearnet connections at different locations that would allow the adversary to determine they are the same person. Two people that both visit obscurewebsite dot com at different public wifi locations 10 miles apart would likely be the same person.
I’m recommending that you add a footnote to the documentation that clarifies that in cases where clearnet connections can’t be avoided (such as Qubes), these connections will leak to the adversary that users at both wifi locations are using the same operating system, but as long as no “obscure dot com” clearnet connections are made, they can’t infer that the people at the two wifi locations are the same. I think it would also make sense to add that even if you were to disable all clearnet traffic such as in the case of Qubes, the adversary would still have two people at public wifi locations 10 miles apart with an identical fingerprint, just that they wouldn’t be able to trivially determine what operating system that fingerprint was for.
The documentation in its current form is a bit misleading and I think it is the primary reason for a lot of the posts in these forums and Qubes forums trying to figure out how to disable all clearnet traffic. I know “this is Whonix, not Qubes”, but Qubes users are your primary users and this really isn’t asking much.
The citation is correct if you look at the original source.
Rewritten just now to say:
Nick Mathewson, co-founder of The Tor Project
Did you see who said that? Not a nobody. It’s an authoritative source. Hard / impossible to find more authoritative sources for this specific part of bleeding-edge anonymity research. Like the content of the citation, agree with it or disagree. Optionally, on top of that, if you have an issue with the write-up, I suggest going back to the original source / author.
Not sure what you mean by primary users. Most users of Whonix, however, are using Whonix for VirtualBox.
It’s possible to profile the particular chipset and/or driver used by a device based on the active probing algorithm used, and its parameters (e.g. channel probe order, how many probes sent per channel, time spent per channel). See for instance the paper A Characterization of Wireless NIC Active Scanning Algorithms.
Dealing with this may be impossible, or at least require re-writing all Linux wireless drivers so that the parameters can be changed, so we cannot practically deal with this issue at this point.
Based on that it’s conceivable that even when using the “same” notebook, it might have minor differences such as a different hardware revision for the LAN card or WiFi chip. These minor differences might be fingerprintable through passive observing or active attacks such as injecting artificial delays and observing how the hardware reacts.
“they can’t infer that the people at the two wifi locations are the same.” is a pretty strong statement to make while no negative can be proven.
Does it even require “obscure dot com”? Shouldn’t user habits, such as what websites they visit over clearnet, be sufficiently unique? Qubes update status, software versions? Number of installed packages? Amount of clearnet and/or torified (or unidentifiable) usual range of traffic being used? Particularities of hardware, software?
The XKeyscore rules reveal that the NSA tracks all connections to a server that hosts part of an anonymous email service at the MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) in Cambridge, Massachusetts. It also records details about visits to a popular internet journal for Linux operating system users called “the Linux Journal - the Original Magazine of the Linux Community”, and calls it an “extremist forum”.
How many operating systems allow for a Tor-only traffic mode and how many users are using that?
The part of his answer that we are discussing is saying that when moving networks it is best to avoid all non-Tor connections, because the network monitoring adversary will only be able to see Tor traffic across the various physical connection spots, but nothing else that could trivially reveal who the user is (such as identifiable clearnet traffic). This is not what I am saying; this is what Nick is saying. As you said, you can ask him this yourself.
What are you talking about? So because these attacks exist we should not bother rotating our guards at different physical locations either? There are two completely different adversaries: the one that controls the physical locations and the one that doesn’t necessarily control any physical location but has access to the traffic (NSA). You are discussing attacks by the first; trusted Tor developer Nick’s recommendation to prevent non-Tor connections is a way to reduce information that falls into the hands of the second.
You have not misquoted, and you have not included a quote from an untrusted source. I am not accusing you of either of those. I am saying there is room to be more informative about what exactly the quote is saying. Every Qubes user who encounters this quote will be left feeling uncertain, and a simple footnote is all they require. I don’t understand why you’re so resistant to providing your users with additional, useful information.
You are right.
In cases, such as with Qubes, where some non-Tor connections can’t be avoided, be aware that every clearnet connection you make allows the adversary to more easily determine that it is the same person connecting across multiple physical locations. Where possible you should absolutely limit the clearnet connections to those that are essential for the operating system to run. If done properly, the best hope would be that the adversary is incapable of confirming that two connections are from the same person other than that they are being made from the same operating system within the same region. In cases where certain hardware attacks are performed at the physical connection points, your connections will be linked regardless of whether clearnet connections are made.
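As an added example, not code from this thread and not Whonix or Qubes project code, the Python below audits an outbound-connection log the way the drafted footnote suggests a Qubes user would: it separates traffic to the Tor entry guards from clearnet traffic, splits the clearnet part into an allowlist of destinations the base OS is assumed to need and everything else, and flags any non-essential clearnet destination that was contacted from more than one physical location (the “obscurewebsite dot com” linkability case). The guard addresses, the essential-host allowlist and the log lines are all constructed for the example.

```python
"""Audit an outbound-connection log for non-Tor destinations.

Added example for the discussion above; not Whonix/Qubes code.
All addresses, the allowlist and the log below are constructed.
"""
from collections import defaultdict

# Constructed: addresses the local Tor client is configured to use as entry guards.
TOR_ENTRY_GUARDS = {"198.51.100.7", "198.51.100.8"}

# Constructed allowlist: clearnet destinations the base OS is assumed to need.
# Note that even these reveal *which* OS is in use at every location; the
# audit only shows what else is being leaked on top of that.
ESSENTIAL_CLEARNET = {"203.0.113.10": "distro package mirror (assumed essential)"}

# Constructed log: <location> <destination IP> <destination port>
SAMPLE_LOG = """\
cafe-a 198.51.100.7 443
cafe-a 203.0.113.10 443
cafe-a 192.0.2.55 443
cafe-b 198.51.100.8 443
cafe-b 203.0.113.10 443
cafe-b 192.0.2.55 443
cafe-b 192.0.2.99 80
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (location, dst_ip, port) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        location, dst, port = line.split()
        records.append((location, dst, int(port)))
    return records


def classify(records, guards=TOR_ENTRY_GUARDS, essential=ESSENTIAL_CLEARNET):
    """Bucket each record as Tor, essential clearnet, or other clearnet."""
    buckets = {"tor": [], "essential_clearnet": [], "other_clearnet": []}
    for rec in records:
        _, dst, _ = rec
        if dst in guards:
            buckets["tor"].append(rec)
        elif dst in essential:
            buckets["essential_clearnet"].append(rec)
        else:
            buckets["other_clearnet"].append(rec)
    return buckets


def linkable_destinations(records, guards=TOR_ENTRY_GUARDS, essential=ESSENTIAL_CLEARNET):
    """Non-essential clearnet destinations seen from more than one location.

    Each such destination lets an observer of both networks tie the two
    sessions to the same user, which is exactly what the moving-networks
    precaution is trying to avoid.
    """
    seen = defaultdict(set)
    for location, dst, _ in classify(records, guards, essential)["other_clearnet"]:
        seen[dst].add(location)
    return {dst: sorted(locs) for dst, locs in seen.items() if len(locs) > 1}


def main():
    records = parse_log(SAMPLE_LOG)
    buckets = classify(records)
    for name, recs in buckets.items():
        print(f"{name}: {len(recs)} connection(s)")
    for dst, locs in linkable_destinations(records).items():
        print(f"LINKABLE: {dst} contacted from {', '.join(locs)}")


if __name__ == "__main__":
    main()
```

Run against a real log, the `other_clearnet` bucket is the list to work down towards empty; whatever is left in `essential_clearnet` is the operating-system fingerprint the thread says cannot be removed without making the system itself unusual.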
After all of this discussion, I suggest drafting the footnote that you wish to see added, and where. That may be easier to understand.
Where does Nick’s post use the word “trivial”? Trivial or non-trivial for whom? What’s trivial?
Is guard based tracking, “shows the adversary that connections are all coming from the same user” trivial?
I don’t know any source that says how trivial or non-trivial.
There you have the recommendation. Please contribute to Qubes to make this possible if you can. If you cannot adhere to the recommendation due to technical challenges, that’s bad. If there are no authoritative sources on what the implications are if this isn’t possible, that’s bad. But nothing can be done about it here and now. To go down the rabbit hole of “but what if this recommendation cannot be followed” doesn’t seem the right way to spend effort.
Could add to the wiki “the theoretical or practical implications of not following this recommendation are unknown because there’s no research on this topic” for whatever that’s worth.
I will say that I am much less confident in this operating system than I was before having this discussion with you. I’m hoping it is a case of language barrier/miscommunication and not arrogance, but I’m not so sure.
I believe that Nick’s comments about absolutely blocking all non-Tor connections describe the optimal scenario, but that as long as one does not generate “non-default” clearnet connections, their anonymity when moving networks is mostly equivalent. If you, as the maintainer of Whonix, struggle to see how I came to this conclusion, then that is quite worrying.