How effective is stream isolation?

How effective is stream isolation while using multiple Whonix Workstations in Qubes Whonix? As I understand it, everything is stream isolated by default when using multiple Workstations, including applications which would use the same SocksPort within their respective VMs. This is good. But how does it compare to using multiple Whonix Gateways, or perhaps even a separate Tor client on a different computer?

Is stream isolation a band-aid method to prevent identity correlation, or is it as effective as using multiple Gateways (e.g. separate Tor clients), presuming that it is highly unlikely to build the same circuit on two clients?

The recommendation is to never do two anonymous activities simultaneously, but I need to weigh the benefits of running say, an IRC client in one workstation while doing anonymous browsing in another.

Required reading:

Every client/Workstation uses a different stream relative to other clients, but not relative to applications running on the same client, which have to be configured (if not already configured by the package anon-apps-config).

Multiple Gateways and multiple Workstations have different use cases. As the topic is stream isolation: the isolation between different clients/Workstations and the isolation between different servers/Gateways are different things.

Different Workstations are always stream isolated, even if targeting one server.
Different Gateways do stream isolation too, but the objective is different: it is to not handle clients of the same identity, so identity correlation on a compromised Gateway would only leak the identities of the clients connected to it; clients using other Gateways would not be leaked.

See the note about “Tor client” in the following sections.

Stream isolation is not a band-aid to prevent identity correlation; it helps significantly against traffic analysis, depending, of course, on the attacker's resources and Tor's limitations.

Please refer to Gateways as Tor servers and Workstations as Tor clients.
Note: Advanced users will know that the Gateway is itself a client of its own routing redirection to the tor daemon (“server”).

That is good enough if the Gateway is not compromised. Once the Gateway is compromised, identity correlation is trivial.

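The reply above describes three separate mechanisms: separate Workstations are isolated from each other automatically, applications inside one Workstation are isolated only if their SocksPort is configured for it, and a second Gateway is a separate Tor daemon altogether. The following is an added example, not code from the thread, from Whonix or from Tor: a small Python model that applies the SocksPort isolation flags documented in tor(1) (IsolateClientAddr and IsolateSOCKSAuth on by default; IsolateDestAddr, IsolateDestPort and IsolateClientProtocol off by default; different listener ports and different Tor daemons always isolated) to a constructed torrc and constructed streams, and reports which pairs of streams Tor would be allowed to put on one circuit. It assumes each Workstation reaches the Gateway from its own IP address (which is what makes IsolateClientAddr separate them); the addresses, port numbers and hostnames are made up for the example, and circuit expiry (MaxCircuitDirtiness) and SessionGroup are not modelled.

```python
"""Toy model of Tor's SocksPort stream-isolation rules (flags from tor(1)).
Added example for this thread, not Tor or Whonix code: it never talks to a Tor
daemon, and it leaves out circuit expiry (MaxCircuitDirtiness) and SessionGroup."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# SocksPort isolation flags and their defaults, as documented in tor(1).
DEFAULT_FLAGS = {
    "IsolateClientAddr": True,
    "IsolateSOCKSAuth": True,
    "IsolateClientProtocol": False,
    "IsolateDestPort": False,
    "IsolateDestAddr": False,
}


@dataclass(frozen=True)
class Stream:
    tor_instance: str          # which Tor daemon (e.g. which Whonix-Gateway)
    listener_port: int         # SocksPort the application connected to
    client_addr: str           # source address seen by Tor (the Workstation)
    socks_user: Optional[str]  # SOCKS username, None if no authentication
    dest_addr: str
    dest_port: int
    protocol: str = "socks"


def parse_socksports(torrc: str) -> Dict[int, Dict[str, bool]]:
    """Return {port: flags} for every SocksPort line in a torrc text."""
    ports: Dict[int, Dict[str, bool]] = {}
    for raw in torrc.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.lower().startswith("socksport"):
            continue
        parts = line.split()
        port = int(parts[1].rsplit(":", 1)[-1])      # "9050" or "addr:9050"
        flags = dict(DEFAULT_FLAGS)
        for token in parts[2:]:                      # SessionGroup etc. not modelled
            if token.startswith("No") and token[2:] in flags:
                flags[token[2:]] = False             # e.g. NoIsolateSOCKSAuth
            elif token in flags:
                flags[token] = True
        ports[port] = flags
    return ports


def circuit_key(stream: Stream, ports: Dict[int, Dict[str, bool]]) -> Tuple:
    """Attributes a circuit must match to carry this stream (equal key = shareable)."""
    f = ports[stream.listener_port]
    return (
        stream.tor_instance,    # separate Tor daemons never share circuits
        stream.listener_port,   # tor(1): different listener ports are always isolated
        stream.client_addr if f["IsolateClientAddr"] else None,
        stream.socks_user if f["IsolateSOCKSAuth"] else None,
        stream.protocol if f["IsolateClientProtocol"] else None,
        stream.dest_addr if f["IsolateDestAddr"] else None,
        stream.dest_port if f["IsolateDestPort"] else None,
    )


def shares_circuit(a: Stream, b: Stream, ports: Dict[int, Dict[str, bool]]) -> bool:
    """True if Tor may carry both streams on one circuit, i.e. they are linkable."""
    return circuit_key(a, ports) == circuit_key(b, ports)


# Constructed gateway torrc: a default port, a port that also isolates by
# destination, and a port with SOCKS-auth isolation switched off.
SAMPLE_TORRC = """
SocksPort 10.152.152.10:9050
SocksPort 10.152.152.10:9150 IsolateDestAddr IsolateDestPort
SocksPort 10.152.152.10:9152 NoIsolateSOCKSAuth
"""


def demo() -> Dict[str, bool]:
    """The thread's scenarios; True means the two streams may share a circuit."""
    ports = parse_socksports(SAMPLE_TORRC)
    ws1, ws2 = "10.152.152.11", "10.152.152.12"   # constructed Workstation IPs

    def s(gw="gateway-1", port=9050, ws=ws1, user=None, dest="www.example.org", dport=443):
        return Stream(gw, port, ws, user, dest, dport)

    irc = s(dest="irc.example.net", dport=6697)
    return {
        # IRC and browser in one Workstation, same default port, no SOCKS auth.
        "same_ws_same_port": shares_circuit(irc, s(), ports),
        # Both on the port with IsolateDestAddr/IsolateDestPort: different dests.
        "same_ws_isolate_dest": shares_circuit(
            s(port=9150, dest="irc.example.net", dport=6697), s(port=9150), ports),
        # Same port, distinct SOCKS usernames (IsolateSOCKSAuth is on by default).
        "same_ws_socks_auth": shares_circuit(s(user="irc"), s(user="web"), ports),
        # Distinct usernames on the port configured with NoIsolateSOCKSAuth.
        "same_ws_no_socks_auth": shares_circuit(
            s(port=9152, user="irc"), s(port=9152, user="web"), ports),
        # Second Workstation behind the same Gateway: IsolateClientAddr separates.
        "two_workstations": shares_circuit(irc, s(ws=ws2), ports),
        # Second Gateway: a separate Tor daemon, separate circuits whatever the flags.
        "two_gateways": shares_circuit(irc, s(gw="gateway-2"), ports),
    }
```

Calling `demo()` returns True only for the two cases the reply warns about: two applications in the same Workstation on the same default SocksPort without SOCKS authentication, and the same situation on a port where IsolateSOCKSAuth was explicitly switched off. Every other pair (different Workstations, different listener ports, different SOCKS credentials, different Gateways) gets a different circuit key. Note that the model says nothing about the exit relay: two isolated circuits can still end at the same exit, which is the residual correlation risk the rest of the thread discusses.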

Required reading explains this well, but in this case I used it as a comparison, see below.

The point I was trying to make is that the documentation points out the risks of identity correlation through circuit sharing well, but creating two identical circuits on two separate Tor servers is extremely unlikely (still acknowledging that it can happen).

The documentation goes as far as saying that creating a new identity isn't certain to give you a new exit relay. However, if correlation happens through exit nodes, then two Tor servers won't help as much, as exits are sparse, so there goes my theory that multiple Tor servers are better for isolating activities.

Yes, I think that is the case for my threat model, but I will be careful with separate activities. The documentation points towards correlation still being possible despite stream isolation.

It depends on Tor’s implementation details. Not so much on Whonix.

Even though this is not a bug, the Tor Generic Bug Reproduction chapter of Tor Documentation for Whonix ™ Users in the Whonix wiki applies equally to this kind of detail-level question about Tor.