Long Wiki Edits Thread

Created Templates for splitting SecBrowser. Will have the pages split tomorrow.

Template:SecBrowser Introduction

No modifications.


Template:SecBrowser Table Security Enhancements

Fixed “named” reference


Template:SecBrowser Privacy and Fingerprinting Resistance

Due to spacing the SecBrowser Trade mark “™” moved to the next line in the Table. Fixed by removing space.


Template:Install SecBrowser Introduction

No modifications.


Template:SecBrowser Settings

  • Removed mention of AppVM to make template usable for both Qubes and Debian host/VM pages.

  • Removed gedit for text editor in steps and replaced with nano.

  • Added “Note: The following examples make use of nano text editor. However, users should prefer an editor that is most familiar and easy to use.

  • Changed "security slider set to ‘Standard’ " to "security slider set to ‘Safest’ " as per: https://github.com/Whonix/tb-updater/pull/10

  • A few minor Nits.


Template:SecBrowser Download Alpha Versions

No modifications.


Template:SecBrowser FAQ

  • Removed mention of Qubes

  • Question “Can I use SecBrowser ™ in a Whonix-Workstation VM (anon-whonix)?”

I added Whonix-Gateway in answer to make it usable for both Qubes and Debian host/VM pages.


Template:SecBrowser Disclaimer

No modifications


1 Like

Looks perfect so far!

1 Like

Made some changes to the new SecBrowser Templates due to previous changes in configuration file location:

tb-updater /usr/share/tb-updater/tb_without_tor_settings.js

was moved to

tb-starter /usr/share/secbrowser/user.js

Changes to SecBrowser Settings :


Changes to SecBrowser FAQ:


Split SecBrowser page into Qubes and Debian pages. The page titles are fairly simple. Tried a few different page titles for example; SecBrowser in Qubes: A Security hardnened non-anonmous Browser in Qubes but I don’t it looked that great.



Awesome work on SecBrowser!

Also awesome revision of https://www.whonix.org/wiki/Hardware_Wallet_Security!

I’ll leave the older SecBrowser wiki page up for a little while until all PR are merged.

1 Like

Just realized I left out " ™ " in SecBrowser in Debian page title. Fixed .

1 Like

Usually I did not use TM in page names (links) since these look ugly when copied/pasted elsewhere.

Tittle can and should use it. Page name (link) (i.e. move page) not so much.

Can stay as is (rather minor thing) but I don’t think we should go ahead and change lots of links in Whonix wiki because of this.

1 Like

Thanks - your seal of approval is always a good indicator for wiki editors :slight_smile:


  1. Remailers entry -> Fixed
  2. Nym servers entry -> Fixed

Let’s also make the Signal entry in that section pretty (currently states “UNFINISHED” and “good enough”), and then only the Email entry needs updating for it all to be current.

I was looking around for where you got the Signal fingerprint from with no luck etc. Maybe you can give me a pointer.

Edit: can we claim ‘TM’ status on SecBrowser without actually doing some kind of legal paperwork or similar? I have no idea, but doubt you can just claim it.

1 Like

Put exactly the following string


into exactly the following search engine:


The quotes help to make google search for that and really only that.

Also if you’re unsure, you can for any gpg keys always contact upstream. Mostly I do this by creating a bug ticket. Would be easy for signal since they use github.

Support: Professional Support

I.e. this was created for a customer a while ago. Other than that, I am not interested much in signal in context of Whonix since it requires phone numbers for registration. Maybe this can be marked better and/or removed from Documentation index but I wouldn’t want to spend more time on it than necessary.

Same goes for:

(which is nonfree software)

Re: explicit search “ABCD” etc - yes aware of that function. Just nothing was coming up in non-Google engines - I see Google’s engine finds it straight away…

(I don’t remember the last time I used the Stasi engine, because they should be avoided like the plague - ironically years ago you rarely could search effectively with Tor Browser. They’ve probably found some way to try and tag Tor users, else why would they have liberalized their search engine parameters since they are so hostile to privacy and generally blow the government’s wang in all regards).

I might try and clean up the entry, but if the online info is scarce, then might just remove it from the ToC listing since registered phones is incompatible with Whonix intent.

Although, adding the ‘Xenial’ repo leads to a frankenstein version of Debian (Whonix) which has mixed sources - as you know this is generally recommended against.

In the long run, Signal should just bite the bullet and modify their software for a pure standalone desktop app with their solid E2E encryption, and no shitty, hopelessly insecure mobile required. I’m sure Moxie is more than capable…

1 Like

Capable for sure, willing no. We might have had a forum thread on signal. It does other sketchy stuff too.

Updated Whonix Installer for Windows.



1 Like

OK - just the email Mt Everest entry to update, and Section 10 will be finished. (these wiki approvers can’t keep up :wink: ). Then I’ll move on to the money section proper.

Lots of activity on the website and dev areas these days. Professional website appearance, solid wiki, good forum moderating etc. all adds up to a quality product and attracts quality human resources and contributions. Which also increases user base, # of Tor users and improves everyone’s overall anonymity. Good sign.

1 Like

Esoteric, https://www.whonix.org/wiki/Non_Anonymous_Onion_Encryption_and_NAT_Traversal candidate for Advanced Documentation.

Created a new Windows Quick Start page although its rather large so I’m not sure it meets the definition of “Quick Start”. Download links look good. There is a yet to be created download link that needs to be added by me.


1 Like

It meets quality standards as in good enough for a call for accepting wiki changes. Could even go to a call for testers. Some nits.

https://www.whonix.org/wiki/Windows_Qubes_Start - I guess Qubes has no place in page URL?

Perhaps move to https://www.whonix.org/wiki/Windows_Testers_Only_Version during testing?

That would match


https://www.whonix.org/wiki/Windows_Quick_Start_Testers_Only_Version would e a bit weird, long?

https://www.whonix.org/wiki/Windows currently redirects to https://www.whonix.org/wiki/Windows_Quick_Start. Not sure about if we want a redirect or two pages a long and a short version?

The initial version of the quick start guide looks more like the full verification instruction version.

Pages such as:

where dumbed down. Hidden by default download table, hidden and expandable by default verification instructions. OpenPGP/gpg verification for most users just is not realistic. I am not sure it can still be improved on Whonix side. We already support https (decent server TLS support), onion download (few will understand that). New users will just a swamped by the page length and length of instructions, just give up and use hidemyass (seen) or something similar instead. It’s important that new/first time users of Whonix (already complicated enough due to split-VM design and run in VM by default, Linux based…) have a quick path and feeling of success quickly.

Specifically on the Windows platform, the idea of a Whonix Windows Installer is to dumb down even further. However, by requiring to learn gpg verification and install other software before Whonix

OpenPGP/gpg verification: If you have a better idea in mind or ever see a better solution implemented anywhere, please open a new forum thread about this.

Import the Intevation CA Certificate

  • Trust GeoTrust
  • import a new certificate
  • root of trust: as secure as SSL

Install SignTools

  • root of trust: as secure as SSL

Download and Verify GPG4win

  • root of trust: as secure as SSL

instructions on whonix.org on gpg verification in the first place

Well, an adversary capable of changing download for targeted users in first place could also prevent these from learning about gpg in the first place from the same website. Only prior knowledge on gpg and verification through OpenPGP web of trust would prevent installation of maliciously modified downloads.

I guess what we’re doing is increasing the awareness about software verification generally and for the next download rather than securing the actual initial download?

And at no point, the user has any path to verify gpg4win through the The OpenPGP Web of Trust. Not sure if worth we’ll being the first ones (?) to point that out and document?

Intevation, the company that hosts GnuPG does not maintain a secure TLS site for gpg4win .[3]

Well, if upstream is broken, there is little we can do.

gpg is a dinosaur, I am quite negative about it and would like to see it replaced with something of today’s knowledge on usability.

  • MachineClosePower Off .

This is not good since this is a hard power off. Should only be used if Whonix hangs. Otherwise the usual shutdown mechanisms from inside the VM should be preferred.

Figure: Whonix user interface

Perhaps reduce size a bit? Looks much bigger than original on the actual screen? No new screenshot needed. Mediawiki allows somehow image resize, we are using that elsewhere in wiki somewhere.

Overall, amazing job on! Now have resurrected Whonix Windows Installer and better documentation. Yay!

Not sure what happened with that. Not intentional.

Sounds good.

Odd and might be a little confusing.

Keep mostly as with these modifications to https://www.whonix.org/wiki/Windows


Please choose:

Change to:(?)

Please choose:

  • A) Whonix with XFCE Expedited Setup (recommended for first time users to beginners (Quick and easy setup/configutation); or

  • B) Whonix with XFCE (recommended for beginners to intermediate users); or

  • C) Whonix with CLI. (recommended for intermediate to advanced users)

Yes. So the Whonix Installer docs could be seen (in terms of usabilty ONLY) a Live CD. Users just want to try out the distribion without the hastel of gpg verification or anything Cli… “I just want to get Whonix installed so I can start using it.” Simple is what they are used to with Windows. For myself, and before Whonix, I never realy had a use for the termimal in Windows.

OK, I’m sure there is a better solution somewhere.

Not just for verification (for security) but also to prevent unneeded support requests due to corrupted images (non MITM attacks) . Maybe https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil (Windows built-in) could simply be used to ensure the Whonix Installer was not corrupted during download. Meaning verifying the checksum.

Definatly not for first time Whonix/linux users.

OK wasn’t aware of that. I’ll remove.

Tried to resize using Gimp but wasn’t successful. I forgot about Mediawiki resize which was brought up recently. I’ll see about shrinking tha png.

Thanks! I’ll revive the original Quick start (you mentioned in email) with the changes. Just to be clear,

  • maybe mention Whonix Installer verification with a link. But not imposing.
  • Add download link to 0brand.asc and Whonix installer signature
  • No gpg Cli.
  • Very simple (get Whoinx in Windows installed so users can get going)
1 Like

We can keep it even simpler for Windows users. XFCE version only. Everything else on a by search/by ask basis.

Btw Whonix VirtualBox images nowadays contain a manifest. Once imported, images should be fine. Non-malicious corrupted downloads are excluded due to integrated hash check by VirtualBox (manifest). (Maliciously modified downloads could have the hashsums in the manifest modified as well or somehow manifest hash check disabled.)

Haven’t herd of certutil but there is also signcode. (No preference yet. Little knowledge on Windows native digital signatures by me yet.)
(These tools can also be used on the Linux platform. If I was to figure out how to use these, I could automate creating such signatures during build of Whonix.)

(VirtualBox also has some kind of native signing but no one figured it out yet and we couldn’t use it since Whonix Windows Installer as a necessity wraps around it. References:

Just now remembered I did reserach Windows native software signatures a while ago and even tweet about it (also as note to self):

story here:

There would be a lot of support requests if Whonix in Cli link was removed from that page. Better to leave it there imo.

I have the Whonix Installer Quick Start page section complete but haven’t decided where to put it on the XFCE page. Its Very minimal and verification is for advanced user only. For those users I’m going to provide a link to the yet to be created (https://www.whonix.org/wiki/Windows_Testers_Only_Version#Verify_Whonix_Installer)

BTW I did try resizing that image in Mediawiki but I’m not sure its was possible since that png only had one size. Lots of the other png images has multiple sizes to choose from. Anyways I save all my screenshots and I usually create a bunch for later use such as the new Stop Whonix image I uploaded. It was actually simple to resize in thunar (was having resolution issues with Gimp. )

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]