Hiding Tor is difficult beyond practicality?

Just to keep focus, I thought it might be useful to sum up what’s being discussed here. Probably some redundant stuff, but it’s easy to lose focus when there are so many parameters involved. Please let me know if I forgot something.

So we are discussing whether the Whonix Host/Desktop currently in development (temporary name, see here for more details about the project: Whonix host operating system - #79 by Patrick) should be shipped with default Whonix/Tor settings or not.

As a reminder, the Whonix Host/Desktop project currently aims at providing the following features:

  1. A fully functioning XFCE Desktop based on Hardened Debian (also temporary name), basically a Debian stable derivative with various enhanced security settings (see Kicksecure - Security Focused Linux Distribution based on Debian - In Development - Feedback Wanted!)

  2. Shipped as a live bootable BIOS/UEFI ISO file with preconfigured Whonix-Gateway/Workstation VMs running on KVM for amnesic use and the Calamares Installer to install the whole system on hardware (see Whonix Desktop Installer with Calamares - field report)

The reasoning behind removing all Tor/Whonix-related stuff on the Whonix Host/Desktop is that the end user may want to benefit from the various security enhancements we ship with this derivative without actually starting up Tor services/being identified as a Whonix user, which in certain instances could even hurt him.

If he wants to use Tor and Whonix, he would instead use the preconfigured Whonix VMs that work out of the box, both from the live ISO and from the installed system.

As far as I understand, this seems technically rather challenging as:

  • The list of installed packages will unmistakably reveal he is a Whonix user

  • Fetching Whonix repositories when updating will unmistakably reveal he is a Whonix user

  • Disabling updates for Whonix packages is bad for security

  • Some security settings related to the Hardened Debian project are probably another fingerprinting measure tying the machine to Whonix (but also probably harder to detect)

My proposal:

Why don’t we try to find some kind of reasonable middle ground:

  • Let’s not try to be “smarter than Tor”, to quote @Patrick. Hiding the fact that we are a Linux/Debian derivative, or faking a Windows network pattern, is probably overkill right now

  • If the only thing which immediately identifies the user as a Whonix (not only Linux/Debian) user is the Whonix repositories/list of installed packages, then it’s just a question of not updating the machine on an untrusted network, right? So this eventually boils down to the user’s choice and wisdom, i.e. a simple warning could be added in the documentation/displayed when running apt update (warning: updating your system may reveal that you are a Whonix user, or something like that), then no need to change the code or disable Whonix packages…

  • Regarding Tor services and connections, I still believe Tor should not be enabled by default, but only upon the user’s consent, for instance on first boot with Anon Connection Wizard - Whonix as was suggested above. It can always be activated later. In such a configuration, unnecessary Whonix services that may run automatically and connect to Tor (thinking about sdwdate, Whonix Check, other stuff?) would be deactivated if the user opts out.

What do you think?
