Does Whonix prevent Javascript from deanonymiying?

I think protonmail has used javascript to deanonimize even though I use tor, because they block account creation by saying no verifications available. YES, I Did change Circuits and also restared Identity but they I think they have leaked my IP.

Is that possible for any JS script on a website to leak my IP when using tor? Does whonix do anything special? I used also vpn before tor

First, the specific part…

That’s flawed reasoning based on limited information.

Blocking all Tor exit relays is neither hard nor uncommon. Trivial to block Tor when using cloudflare (literally just a setting in the webinterface) just to name 1 method. And many do so. All of this is being elaborated with more details here: Tor Browser Essentials chapter Tor Censorship in Whonix wiki.

Finally, the general part…

Generally, without using Whonix: No, not directly. Only when an exploit is available and being used.

Example, here:
Whonix ™ Track Record against Real Cyber Attacks chapter Tor Browser Bundle (2012, 2013, 2017) in Whonix wiki

Yes. Recommended reading this page:
Whonix ™ - Overview chapter Innovative Architecture in Whonix wiki

See also this:

1 Like

Thanks a lot man for all the resources. But Proton used to work until today with tor and onion, they started blocking when I used some shitty temporary mail provider (is there any you recommend btw or generally an email provider). Maybe they use browser finger printing?

Email Overview chapter Anonymity Friendly Email Provider List in Whonix wiki

None of the following providers are explicitly recommended by the Whonix ™ team.

There are links to lists of e-mail providers.

Cloudflare (which many websites use) does. I’ve experienced situations where download using Tor Browser was supported but download using curl (command line downloader) was blocked. Can be very confusing.

1 Like

I see… but using curl is not bad idea in whonix right?

I didn’t mean to pick on curl in this forum thread.

what? XD

I didn’t make any negative statements about curl.

Just telling what happened. This cannot be blamed on curl.

I see XD Do you know Joinmarket? I want to use it but I feel that shit is a honeypot?

Off-topic. applies.

so strict man, ok XD

There is an interesting thread about this.

(Varying opinions of Whonix contributors)

While it would work on a vulnerable Tor Browser in Whonix

This means that it could compromise the machine, but not leak your IP without exploit chaining.


1 Like

damn that is scary

Cuts both ways…strict on security and protocols but focused on providing a very reliable and hardened tool.

Computers are terrifying and powerful. Welcome to the internet…XD

1 Like

FYI, I have had this exact same problem and its because you accessing the clearnet domain. The .onion domain only requires a captcha for sign up. Just use onionmail if your so anal about not using protonmail because of a perceived exploit.

It’s hard to make something with CSS and HTML only.

well, no even the onion url asks for email verification. But whats this onionmail you talk about? sounds straight up like a honey pot?

If you are seriously scared about everything being a honeypot, then it’s better to just quit the internet (half-joking)

Eventually, you need to put trust into something. You trusted Whonix to not be malicious without looking at the source code (I presume)

As for onionmail, it’s avalialble both on the clearnet and as an .onion service as and
http://pflujznptk5lmuf6xwadfqy6nffykdvahfbljh7liljailjbxrgvhfid.onion/ respectively.

The reason why I don’t believe that it is a honeypot is because it doesn’t coerce you to do crime by itself. It doesn’t explicitly advertise itself to criminals, just as how Tox and onionchat advertise to legal activists on sites like RiseUp.

Most of the known honeypot cases were directed at CP distributors and consumers and encouraged people to give incriminating evidence, so quite honestly for the average activist or restricted citizen using Tor it shouldn’t be too much of a problem.

TL;DR: Onionmail (probably) isn’t (currently) a honeypot for above reasons.

1 Like

Alright, thats true, but it does not hurt to minimize risks. For me its just fun to stay anonymous. having no privacy is disgusting to me. we are no animals in a zoo. But lets no drift away from the topic lol.

1 Like