Long Wiki Edits Thread

Awesome work on SecBrowser!

Also awesome revision of Cryptocurrency Hardware Wallet: Threat Model!

https://github.com/Qubes-Community/Contents/pull/67

I’ll leave the older SecBrowser wiki page up for a little while until all PRs are merged.

1 Like

Just realized I left out "™" in the SecBrowser in Debian page title. Fixed.

https://www.whonix.org/wiki/SecBrowser_™_in_Debian

1 Like

Usually I did not use TM in page names (links) since these look ugly when copied/pasted elsewhere.

Title can and should use it. Page name (link) (i.e. move page) not so much.

Can stay as is (rather minor thing) but I don’t think we should go ahead and change lots of links in Whonix wiki because of this.

1 Like

Thanks - your seal of approval is always a good indicator for wiki editors :slight_smile:

Also:

  1. Remailers entry -> Fixed
  2. Nym servers entry -> Fixed

Let’s also make the Signal entry in that section pretty (currently states “UNFINISHED” and “good enough”), and then only the Email entry needs updating for it all to be current.

I was looking around for where you got the Signal fingerprint from with no luck etc. Maybe you can give me a pointer.

Edit: can we claim ‘TM’ status on SecBrowser without actually doing some kind of legal paperwork or similar? I have no idea, but doubt you can just claim it.

1 Like

Put exactly the following string

"DBA36B5181D0C816F630E889D980A17457F6FB06"

into exactly the following search engine:

google

The quotes help to make google search for that and really only that.

Also if you’re unsure, you can for any gpg keys always contact upstream. Mostly I do this by creating a bug ticket. Would be easy for signal since they use github.

Support: Professional Support

I.e. this was created for a customer a while ago. Other than that, I am not interested much in signal in context of Whonix since it requires phone numbers for registration. Maybe this can be marked better and/or removed from Documentation index but I wouldn’t want to spend more time on it than necessary.

Same goes for:

(which is nonfreedom software)

Re: explicit search “ABCD” etc - yes aware of that function. Just nothing was coming up in non-Google engines - I see Google’s engine finds it straight away…

(I don’t remember the last time I used the Stasi engine, because they should be avoided like the plague - ironically years ago you rarely could search effectively with Tor Browser. They’ve probably found some way to try and tag Tor users, else why would they have liberalized their search engine parameters since they are so hostile to privacy and generally blow the government’s wang in all regards).

I might try and clean up the entry, but if the online info is scarce, then might just remove it from the ToC listing since registered phones is incompatible with Whonix intent.

Although, adding the ‘Xenial’ repo leads to a frankenstein version of Debian (Whonix) which has mixed sources - as you know this is generally recommended against.

In the long run, Signal should just bite the bullet and modify their software for a pure standalone desktop app with their solid E2E encryption, and no shitty, hopelessly insecure mobile required. I’m sure Moxie is more than capable…

1 Like

Capable for sure, willing no. We might have had a forum thread on signal. It does other sketchy stuff too.

Updated Whonix Installer for Windows.

https://whonix.org/w/index.php?title=Dev/Building_the_Whonix-Installer_for_Windows&oldid=47395&diff=cur

https://whonix.org/w/index.php?title=Contribute&oldid=46765&diff=cur

1 Like

OK - just the email Mt Everest entry to update, and Section 10 will be finished. (these wiki approvers can’t keep up :wink: ). Then I’ll move on to the money section proper.

Lots of activity on the website and dev areas these days. Professional website appearance, solid wiki, good forum moderating etc. all adds up to a quality product and attracts quality human resources and contributions. Which also increases user base, # of Tor users and improves everyone’s overall anonymity. Good sign.

1 Like

Esoteric, Non Anonymous Onion Encryption and NAT Traversal - Kicksecure candidate for Advanced Documentation.

Created a new Windows Quick Start page although it's rather large so I’m not sure it meets the definition of “Quick Start”. Download links look good. There is a yet to be created download link that needs to be added by me.

https://whonix.org/w/index.php?title=Windows_Qubes_Start&oldid=50409&diff=cur

1 Like

It meets quality standards as in good enough for a call for accepting wiki changes. Could even go to a call for testers. Some nits.

https://www.whonix.org/wiki/Windows_Qubes_Start - I guess Qubes has no place in page URL?

Perhaps move to https://www.whonix.org/wiki/Windows_Testers_Only_Version during testing?

That would match

And…

Whonix Windows Installer - Testers Only Version would be a bit weird, long?

Whonix for Windows, macOS, Linux inside VirtualBox currently redirects to Whonix for Windows, macOS, Linux inside VirtualBox. Not sure about if we want a redirect or two pages a long and a short version?

The initial version of the quick start guide looks more like the full verification instruction version.

Pages such as:

were dumbed down. Hidden by default download table, hidden and expandable by default verification instructions. OpenPGP/gpg verification for most users just is not realistic. I am not sure it can still be improved on Whonix side. We already support https (decent server TLS support), onion download (few will understand that). New users will just be swamped by the page length and length of instructions, just give up and use hidemyass (seen) or something similar instead. It’s important that new/first time users of Whonix (already complicated enough due to split-VM design and run in VM by default, Linux based…) have a quick path and feeling of success quickly.

Specifically on the Windows platform, the idea of a Whonix Windows Installer is to dumb down even further. However, by requiring to learn gpg verification and install other software before Whonix

OpenPGP/gpg verification: If you have a better idea in mind or ever see a better solution implemented anywhere, please open a new forum thread about this.


Import the Intevation CA Certificate

  • Trust GeoTrust
  • import a new certificate
  • root of trust: as secure as SSL

Install SignTools

  • root of trust: as secure as SSL

Download and Verify GPG4win

  • root of trust: as secure as SSL

instructions on whonix.org on gpg verification in the first place

Well, an adversary capable of changing download for targeted users in first place could also prevent these from learning about gpg in the first place from the same website. Only prior knowledge on gpg and verification through OpenPGP web of trust would prevent installation of maliciously modified downloads.

I guess what we’re doing is increasing the awareness about software verification generally and for the next download rather than securing the actual initial download?


And at no point, the user has any path to verify gpg4win through the OpenPGP Web of Trust. Not sure if it's worth us being the first ones (?) to point that out and document?

Intevation, the company that hosts GnuPG does not maintain a secure TLS site for gpg4win.[3]

Well, if upstream is broken, there is little we can do.

gpg is a dinosaur, I am quite negative about it and would like to see it replaced with something of today’s knowledge on usability.

  • Machine → Close → Power Off.

This is not good since this is a hard power off. Should only be used if Whonix hangs. Otherwise the usual shutdown mechanisms from inside the VM should be preferred.

Figure: Whonix user interface

Perhaps reduce size a bit? Looks much bigger than original on the actual screen? No new screenshot needed. Mediawiki allows somehow image resize, we are using that elsewhere in wiki somewhere.

Overall, amazing job on! Now have resurrected Whonix Windows Installer and better documentation. Yay!

Not sure what happened with that. Not intentional.

Sounds good.

Odd and might be a little confusing.

Keep mostly as with these modifications to https://www.whonix.org/wiki/Windows

Currently

Please choose:

Change to:(?)

Please choose:

  • A) Whonix with XFCE Expedited Setup (recommended for first time users to beginners (Quick and easy setup/configuration)); or

  • B) Whonix with XFCE (recommended for beginners to intermediate users); or

  • C) Whonix with CLI. (recommended for intermediate to advanced users)

Yes. So the Whonix Installer docs could be seen (in terms of usability ONLY) as a Live CD. Users just want to try out the distribution without the hassle of gpg verification or anything Cli… “I just want to get Whonix installed so I can start using it.” Simple is what they are used to with Windows. For myself, and before Whonix, I never really had a use for the terminal in Windows.

OK, I’m sure there is a better solution somewhere.

Not just for verification (for security) but also to prevent unneeded support requests due to corrupted images (non MITM attacks). Maybe certutil | Microsoft Learn (Windows built-in) could simply be used to ensure the Whonix Installer was not corrupted during download. Meaning verifying the checksum.

Definitely not for first time Whonix/linux users.

OK wasn’t aware of that. I’ll remove.

Tried to resize using Gimp but wasn’t successful. I forgot about Mediawiki resize which was brought up recently. I’ll see about shrinking the png.

Thanks! I’ll revive the original Quick start (you mentioned in email) with the changes. Just to be clear,

  • maybe mention Whonix Installer verification with a link. But not imposing.
  • Add download link to 0brand.asc and Whonix installer signature
  • No gpg Cli.
  • Very simple (get Whonix in Windows installed so users can get going)

1 Like

We can keep it even simpler for Windows users. XFCE version only. Everything else on a by search/by ask basis.

Btw Whonix VirtualBox images nowadays contain a manifest. Once imported, images should be fine. Non-malicious corrupted downloads are excluded due to integrated hash check by VirtualBox (manifest). (Maliciously modified downloads could have the hashsums in the manifest modified as well or somehow manifest hash check disabled.)

Haven’t heard of certutil but there is also signcode. (No preference yet. Little knowledge on Windows native digital signatures by me yet.)
(These tools can also be used on the Linux platform. If I was to figure out how to use these, I could automate creating such signatures during build of Whonix.)

(VirtualBox also has some kind of native signing but no one figured it out yet and we couldn’t use it since Whonix Windows Installer as a necessity wraps around it. References:

Just now remembered I did research Windows native software signatures a while ago and even tweeted about it (also as note to self):

https://twitter.com/Whonix/status/1097805887438241792

story here:
Release Windows gifski.exe with a digital signature · ImageOptim/gifski · GitHub
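
Added example, not part of any post in this thread: the manifest and checksum point discussed above, that a hash manifest shipped with the download catches accidental corruption but not a modified download whose manifest was regenerated. The `SHA256(name)= hex` line format, the file names and the byte strings are constructed for this sketch, and the pinned digest stands in for a value obtained through a separate trusted channel such as a signature.

```python
import hashlib
import re

# Manifest lines look like "SHA256(name)= <hex>"; optional spaces are
# tolerated because writers differ (assumption of this example).
LINE = re.compile(r"^(SHA1|SHA256)\s*\((.+)\)\s*=\s*([0-9a-fA-F]+)\s*$")

def make_manifest(files, algo="SHA256"):
    """Build manifest text for {name: bytes}; anyone holding the files can do this."""
    return "".join(
        f"{algo}({name})= {hashlib.new(algo.lower(), data).hexdigest()}\n"
        for name, data in files.items()
    )

def check_manifest(files, manifest_text):
    """Return names whose content does not match the manifest or is not listed."""
    listed = {}
    for line in manifest_text.splitlines():
        m = LINE.match(line)
        if m:
            listed[m.group(2)] = (m.group(1).lower(), m.group(3).lower())
    bad = []
    for name, data in files.items():
        algo, digest = listed.get(name, ("sha256", ""))
        if hashlib.new(algo, data).hexdigest() != digest:
            bad.append(name)
    return bad

def check_pinned(manifest_text, pinned_sha256):
    """Compare the manifest itself against a digest obtained out of band."""
    return hashlib.sha256(manifest_text.encode()).hexdigest() == pinned_sha256

def demo():
    # Constructed sample package (not real appliance contents).
    original = {"appliance.ovf": b"<Envelope/>", "disk001.vmdk": b"\x00" * 64}
    manifest = make_manifest(original)
    pinned = hashlib.sha256(manifest.encode()).hexdigest()  # stands in for a signed value

    corrupted = dict(original, **{"disk001.vmdk": b"\x00" * 63 + b"\x01"})
    tampered = dict(original, **{"disk001.vmdk": b"modified image"})
    forged = make_manifest(tampered)  # replaced together with the file
    return {
        "clean": check_manifest(original, manifest),
        "corrupted": check_manifest(corrupted, manifest),
        "tampered_forged_manifest": check_manifest(tampered, forged),
        "forged_matches_pin": check_pinned(forged, pinned),
    }

if __name__ == "__main__":
    print(demo())
```

The corrupted download is flagged by the bundled manifest alone; the modified one passes it and is only caught by the digest that did not travel with the download.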

There would be a lot of support requests if Whonix in Cli link was removed from that page. Better to leave it there imo.

I have the Whonix Installer Quick Start page section complete but haven’t decided where to put it on the XFCE page. It's very minimal and verification is for advanced users only. For those users I’m going to provide a link to the yet to be created (https://www.whonix.org/wiki/Windows_Testers_Only_Version#Verify_Whonix_Installer)

BTW I did try resizing that image in Mediawiki but I’m not sure it was possible since that png only had one size. Lots of the other png images have multiple sizes to choose from. Anyways I save all my screenshots and I usually create a bunch for later use such as the new Stop Whonix image I uploaded. It was actually simple to resize in thunar (was having resolution issues with Gimp.)

1 Like

New Windows Quick Start section has been added. Tried to get a little separation from the Long configuration section. Can the second section be given a better name other than “Long Whonix configuration”? I haven’t added a header for that section.

https://whonix.org/w/index.php?title=VirtualBox/XFCE&oldid=46669&diff=cur

1 Like

I don’t think Whonix for Windows, macOS, Linux inside VirtualBox should include Whonix Windows Quick Start as a whole.

Previously it said:

1. Download Whonix XFCE for Windows, Mac and Linux FREE

thereby highlighting platform support.

By adding Windows Quick Start: on top, likelihood of non-Windows user bouncing away gets higher.

Instead we could add a link saying

Windows users can use the easy [[Windows_Quick_Start|Whonix Windows Installer]] instead.

The short instructions you just wrote could replace:

In essence for Windows users, ideally just need a single fat download button.

…and perhaps some screenshots and short instructions, looking easy, as encouragement. Whonix has been a tool to convert Windows users to first time Linux desktop users.

Whonix for Windows, macOS, Linux inside VirtualBox currently only looks the same like Whonix for Windows, macOS, Linux inside VirtualBox due to previous absence of Whonix Windows Installer.


Could you please rename the page

since it still includes Qubes?


Btw there is also:

These pages are for users who use search engines. Search engine optimization (SEO). The best way to optimize things, I think, is to create landing pages which truthfully describe the status. These landing pages make it concise and abundantly clear, that what the searcher is looking for is explicitly possible.

1 Like

Misunderstanding. Thought you wanted all XFCE on one page. :slightly_smiling_face:

Simple and to the point? Not sure if this is the best spot for it.

https://www.whonix.org/w/index.php?title=Template:VirtualBox&stable=0

Done.

Done. Moved:

https://whonix.org/wiki/Windows_Testers_Only_Version

So all these pages are very specific content. No gray areas, what you see is what you get.

A lot of pages have {{Anchor|Landing}}. Is it important to have {{Anchor|Landing}} as opposed to " = Introduction = " Or is that just preference?

I wonder if the verify section for SecBrowser in Microsoft Windows should be simplified as well? It looks a bit too long. Maybe collapse the verify section. Would have to shuffle things around as well.

1 Like

A bit of a legacy link.
Download Whonix (FREE) links to #Landing. #Landing could be different from introduction.
Not very important and could be redesigned.

Yes, since the threat model on Windows is broken anyhow.
I doubt there are any Windows users who verify all of their software using the web of trust or similarly clever to verify all their software downloads.

Having documentation on Windows verification though is great to show how broken things on the Windows platform are. To what lengths people have to go due to some mess caused by various upstream.