Ideas on Whonix Security Bulletins

Anonymous user asked on the Tor blog post where TorMoil is introduced:

Tails users and users of our sandboxed-tor-browser are unaffected, though.

In addition to Whonix users, right?

Although the user got the answer “Yes”, should we have our own Whonix Security Bulletins? For example, like the Qubes Security Bulletins.

From my understanding, almost all of the IP-leaking vulnerabilities that affect Tor Browser users do not affect Whonix users at all. However:

  1. This may be a great way to promote Whonix.
  2. There are still security vulnerabilities that affect Whonix users, like the apt-get upgrading security issue.

If we need a Whonix security bulletin, where should we publish the security bulletins? GitHub and/or the Whonix Blog? What would be the format of the bulletin? Who may be able to write it? How can we cooperate with each other?

If it is considered a good idea, I am willing to help write such bulletins. Would anyone else like to do it, too? Because the vulnerabilities are found randomly in terms of time, the more people who can help, the more likely Whonix can respond quickly. :slight_smile:

3 Likes

There are a lot of vulnerabilities caused by upstream projects such as Debian and the Tor Project.

The question is on which one should we focus? The “main ones” such as Tor Browser being affected?

Is a theoretical, soon-to-be-fixed (I made this up) “Apache bug fixed in security.debian.org” worth a Whonix security bulletin? There are too many in Debian to always blog about them.

My current policy is to only write security bulletins in case:

  • the security vulnerability was caused by Whonix’s code itself
  • in exceptional cases (where exceptional is deliberately not well defined to stay flexible)

Since we are understaffed anyhow, I wouldn’t go too crazy about formalization, in order not to further deter contributions.

That sounds good.

Yes, there are a lot of things where users could be kept up to date better.

In short: yes, please feel free to use the whonix.org blog more.

3 Likes

I agree!

1 Like

The noteworthy ones IMHO that I usually find and report are ones that touch: Tor, apt, gpg, kernel networking stack or the hypervisor.

It’s actually a lot less to focus on than the avalanche of security bugs and plugs we see every day, thanks to a design that reduces attack surface.

If I find anything interesting I’ll usually post it on the forum and you can include it :slight_smile:

2 Likes

HulaHoop:

If I find anything interesting I’ll usually post it on the forum and you can include it :slight_smile:

No problem! Thank you so much for your effort and work, @HulaHoop !

2 Likes

Maybe a “Whonix Registry of Vulnerabilities” instead? It then becomes a very small list.

À la TROVE · Wiki · Legacy / Trac · GitLab ?

Which is a reminder of when/if Whonix has ever had a proper, independent security audit. It might “only” be a collection of scripts etc., but there are still plenty of innocent ways to stuff up, particularly with new features like anon-connection-wizard.

Worth thinking about in the context of your secret corporate sponsor. That would be an extremely valuable exercise, by someone who knows what they’re doing, i.e. they should have Linux security auditing experience of some description.

2 Likes

Yes. A security audit is something really nice to have. It seems Whonix has never had a security audit, and I guess a security audit can be extremely expensive most of the time?

Whonix does have leak testing. And I am wondering how often it is performed by @Patrick . :slight_smile:

1 Like

Unlikely as per this post: Hiring: Linux Distribution Developers! - #4 by Patrick

OTF would do it, but time doesn’t permit.
https://phabricator.whonix.org/T62

Consider it never being done.

1 Like