Long Wiki Edits Thread

Thunderbird wiki if we need to upgrade the instructions without the need of enigmail plugin there are 2 ways to do that:

1- Ether use Thunderbird internal OpenPGP
2- Or use external tool

first method is maybe more convenient since its all happening within the same application but the downside of having this feature is efail and snowden recommended against that and better using external tools to do the encryption

Second method less convenient but its what recommended to be used. In our case GPA is shipped by default within whonix.

So which one we should add and upgrade the wiki with?

1 Like

TNT_BOM_BOM via Whonix Forum:

the downside of having this feature is efail and snowden recommended against that

Citation required.

Was a bug in enigmail that was patched and may very well be accounted for with the new TB crypto implementation. Instructions should direct users to Thunderbird which has the best usability. Stuff is hard as it is.

1 Like


Short term: No decryption in email client. The best way to prevent EFAIL attacks is to only decrypt S/MIME or PGP emails in a separate application outside of your email client. Start by removing your S/MIME and PGP private keys from your email client, then decrypt incoming encrypted emails by copy&pasting the ciphertext into a separate application that does the decryption for you. That way, the email clients cannot open exfiltration channels. This is currently the safest option with the downside that the process gets more involved.

And snowden he said it in one of his videos on youtube.(i need to dig into too many hours to find it but efail attack enough to explain)

1 Like

Could you review Full Disk Encryption: Difference between revisions - Whonix please? @HulaHoop

1 Like

new wiki page:

We can probably borrow some bits and pieces from this PDF for the wiki - anything here/easy wins that might have been overlooked? @HulaHoop @madaidan


  • Added cellebrite claims with the debunked references to signal wiki
  • Added one more reference to OpenPGP security concerns
  • Added rules on when to accept new onion source for sdwdate
1 Like

I don’t think so. From a quick skim of the site, it doesn’t seem very good.

Unrelated, but I’ve recently published a Linux hardening guide which you may want to link in the wiki: Linux Hardening Guide | Madaidan's Insecurities


There’s some interesting material that is worth integrating or covering. We should mention the benefits of updating UEFI if possible on the system. Not trusting preloaded OSs no matter what, even if they are a pre installed Linux. The fact that grub now supports encrypted boot partitions AFAIK (not in there but inspired by chapter heading).


new chapter:

General Threats to User Freedom

Updated Features and Advantages in response for a generic answer.

new wiki page:

and new related templates:

Anonymize Other Operating Systems is the first wiki page where this is being used. Will be added to other wiki pages as needed.

This enhancement might be useful to mention in the chat section. Basically people can use OnionShare 2.3 to set up an onion address for secure E2E chats.

The main benefit is users can have anonymous chats without needing to set up any accounts e.g. “… a whistleblower can send an OnionShare address to a journalist using a disposable e-mail address, and then wait for the journalist to join the chat room, all without compromising their anonymity.”

Another major new feature is chat. You start a chat service, it gives you an OnionShare address, and then you send this address to everyone who is invited to the chat room (using an encrypted messaging app like Signal, for example). Then everyone loads this address in a Tor Browser, makes up a name to go by, and can have a completely private conversation.

If you’re already using an encrypted messaging app, what’s the point of an OnionShare chat room? It leaves fewer traces.

If, for example, you send a message to a Signal group, a copy of your message ends up on each device (the devices, and computers if they set up Signal Desktop of each member of the group). Even if disappearing messages is turned on it’s hard to confirm all copies of the messages are actually deleted from all devices, and from any other places (like notifications databases) they may have been saved to. OnionShare chat rooms don’t store any messages anywhere, so the problem is reduced to a minimum.

OnionShare chat rooms can also be useful for people wanting to chat anonymously and securely with someone without needing to create any accounts. For example, a whistleblower can send an OnionShare address to a journalist using a disposable e-mail address, and then wait for the journalist to join the chat room, all without compromising their anonymity.

Because OnionShare relies on Tor onion services, connections between the Tor Browser and OnionShare are all end-to-end encrypted (E2EE). When someone posts a message to an OnionShare chat room, they send it to the server through their E2EE onion connection. The OnionShare server then forwards the message to all other members of the chat room through the other members’ E2EE onion connections, using WebSockets. OnionShare doesn’t implement any chat encryption on its own. It relies on the Tor onion service’s encryption instead.

1 Like

Bot protection at sign-up.

About which operating system this website is about? Use all lower case for your answer.

Proper English? Edit suggestions?

What operating system is this website about? Type your answer in all lower case.


Split done:

new wiki pages:

discussion here: