Long Wiki Edits Thread

The shared draft:

Looks awesome!

I’ll have to work on: (before Qubes pull request)

  • SecBrowser landing page
  • “Sec” icon
  • Instruction to create a desktop starter
  • Deprecating Tor Browser without Tor
  • Move SecBrowser to its own page (with current Tor Browser without Tor images)
1 Like

Existing already. Just has to be enabled through usual Qubes VM settings.
https://github.com/Whonix/tb-starter/blob/master/usr/share/applications/secbrowser.desktop

Moved here just now SecBrowser™ has been deprecated!
Better than SecBrowser™ has been deprecated!

What is the status of Nym Servers and Pseudonymous Emails after the deprecation of Mixmaster: Tor Remailer? @HulaHoop

They are all pretty much dead at this point because the Nymserver design was only ever relevant to Mixmaster.

1 Like

Updated Verifying the Whonix images in Windows. I combined the entire verification process to one page including importing the Whonix signing key. The borders on several of the screenshots didn’t come out all that great. I’ll see about creating new ones.

I also removed the Kleopatra tutorial since it’s a little confusing. It should be put aside at least until it can be rewritten imo. So the attribution to Tails could also be removed now?

https://whonix.org/w/index.php?title=Verify_the_virtual_machine_images_using_Windows&oldid=47676&diff=cur

1 Like

A post was split to a new topic: APT seccomp-BPF sandboxing

It could be moved to /Deprecated/Mixmaster.

Instead, we could keep the page, add a clear box on top that it is deprecated, and remove it from TOC and all other links.

If we move to /Deprecated/Mixmaster, do we leave a redirect or not? If we leave a redirect, we gain little besides a better page name?

If it matters we could also add __NOINDEX__ to prevent users hitting the page from search engines but I doubt that would help the internet at large. At least we’d be still documenting why it is deprecated and have introduction and user documentation ready in case some developer wants to revitalize it.

0brand via Whonix Forum:

Updated Verifying the Whonix images in Windows. I combined the entire verification process to one page including importing the Whonix signing key.

Awesome!

I also removed the Kleopatra tutorial since it’s a little confusing. It should be put aside at least until it can be rewritten imo.

Tails has also given up on Kleopatra.

So the attribution to Tails could also be removed now?

Yes, since we are not using any contents from Tails on that page
anymore. All content on that page is original and not from Tails.

Tails has a nice text on OpenPGP here.

source:

Copyright:

 Copyright (C) Amnesia <amnesia at boum dot org>

License:

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.
         
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
      
   You should have received a copy of the GNU General Public License
   along with this program; if not, write to:

    Free Software Foundation, Inc. 
    51 Franklin St, Fifth Floor
    Boston, MA 02110-1301, USA.

On Debian GNU/Linux systems, the complete text of the GNU General Public
License can be found in the /usr/share/common-licenses directory.

The complete text of the GNU General Public License can also be found online on gnu.org <https://www.gnu.org/licenses/gpl.html>, in {{project_name}} virtual machine images in /usr/share/common-licenses/GPL-3 file or on Github <https://github.com/{{project_name_short}}/{{project_name_short}}/blob/master/GPLv3>.

Authenticate the signing key through the OpenPGP Web of Trust

Authenticating our signing key through the OpenPGP Web of Trust is the only way that you can be protected in case our website is compromised or if you are a victim of a man-in-the-middle attack. However, it is complicated to do and it might not be possible for everyone because it relies on trust relationships between individuals.

Read more about authenticating the Tails signing key through the OpenPGP Web of Trust.

The verification techniques that we present (browser extension, BitTorrent, or OpenPGP verification) all rely on some information being securely downloaded using HTTPS from our website:

  • The checksum for the Firefox extension
  • The Torrent file for BitTorrent
  • The Tails signing key for OpenPGP verification

It is possible that you could download malicious information if our website is compromised or if you are a victim of a man-in-the-middle attack.

OpenPGP verification is the only technique that protects you if our website is compromised or if you are a victim of a man-in-the-middle attack. But, for that you need to authenticate the Tails signing key through the OpenPGP Web of Trust.

If you are verifying an image from inside Tails, for example, to do a manual upgrade, then you already have the Tails signing key. You can trust this signing key as much as you already trust your Tails installation since this signing key is included in your Tails installation.

One of the inherent problems of standard HTTPS is that the trust put in a website is defined by certificate authorities: a hierarchical and closed set of companies and governmental institutions approved by your web browser vendor. This model of trust has long been criticized and proved several times to be vulnerable to attacks as explained on our warning page.

We believe that, instead, users should be given the final say when trusting a website, and that designation of trust should be done on the basis of human interactions.

The OpenPGP Web of Trust is a decentralized trust model based on OpenPGP keys that can help with solving this problem. Let’s see this with an example:

  1. You are friends with Alice and you really trust her way of making sure that OpenPGP keys actually belong to their owners.
  2. Alice met Bob, a Tails developer, in a conference and certified Bob’s key as actually belonging to Bob.
  3. Bob is a Tails developer who directly owns the Tails signing key. So, Bob has certified the Tails signing key as actually belonging to Tails.

In this scenario, you found, through Alice and Bob, a path to trust the Tails signing key without the need to rely on certificate authorities.

If you are on Debian, Ubuntu, or Linux Mint, you can install the debian-keyring package which contains the OpenPGP keys of all Debian developers. Some Debian developers have certified the Tails signing key and you can use these certifications to build a trust path. This technique is explained in detail in our instructions on installing Tails from Debian, Ubuntu, or Linux Mint using the command line.

Relying on the Web of Trust requires both caution and intelligent supervision by the users. The technical details are outside of the scope of this document.

Since the Web of Trust is based on actual human relationships and real-life interactions, it is best to get in touch with people knowledgeable about OpenPGP and build trust relationships in order to find your own trust path to the Tails signing key.

For example, you can start by contacting a local Linux User Group, an organization offering Tails training, or other Tails enthusiasts near you and exchange about their OpenPGP practices.

After you build a trust path, you can certify the Tails signing key by signing it with your own key to get rid of some warnings during the verification process.

Something that could be imported / rewritten for Whonix wiki?
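The Alice and Bob trust path from the Tails text quoted above, worked through as an added example (not part of the original post, and not Tails or GnuPG code). It is a simplified model of GnuPG's classic trust calculation using GnuPG's default thresholds; the key names, the certification graph and the owner-trust assignments are constructed assumptions.

```python
# Simplified model of GnuPG's classic Web of Trust validity calculation.
# All names and certifications below are constructed sample data.
MAX_CERT_DEPTH = 5     # GnuPG default for --max-cert-depth
COMPLETES_NEEDED = 1   # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default for --marginals-needed

# signer -> keys that signer has certified (signed)
CERTS = {
    "you": {"alice"},
    "alice": {"bob"},
    "bob": {"tails-signing-key"},
    "mallory": {"lookalike-signing-key"},  # certified only by a stranger
}
# Owner trust: how far you rely on each person's certifications.
# Assumption: you chose to rely on Bob as well as Alice.
OWNERTRUST = {"you": "ultimate", "alice": "full", "bob": "full"}


def valid_keys(certs, ownertrust, root="you"):
    """Return {key: certification depth} for every key computed as valid."""
    valid = {root: 0}
    for depth in range(1, MAX_CERT_DEPTH + 1):
        candidates = set()
        for signer in valid:
            candidates |= certs.get(signer, set())
        newly_valid = {}
        for key in candidates - set(valid):
            # Only certifications made by already-valid keys count.
            signers = [s for s in valid if key in certs.get(s, set())]
            full = sum(ownertrust.get(s) in ("ultimate", "full") for s in signers)
            marginal = sum(ownertrust.get(s) == "marginal" for s in signers)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid[key] = depth
        if not newly_valid:
            break
        valid.update(newly_valid)
    return valid


if __name__ == "__main__":
    for key, depth in valid_keys(CERTS, OWNERTRUST).items():
        print(f"{key}: valid at depth {depth}")
```

In this model a key certified only by someone outside your trust path never becomes valid, and a certification by Bob only counts once you have assigned owner trust to Bob.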

Definitely. This is something that is not very well understood by beginners and more experienced users alike. With all that is happening with GPG sks servers this will be something that more users will be interested in as time goes on. Will do after I finish up SecBrowser. Would like to submit the Qubes PR soon.

Also, pushed some new images to the new verifying Whonix images in Windows. These PNGs have better defined borders.

https://whonix.org/w/index.php?title=Verify_the_virtual_machine_images_using_Windows&diff=49179&oldid=49172

1 Like

Awesome! A bit late to suggest but perhaps next time would the Box template have been a substitute too?

1 Like

Codecrypt’s author gives a great explanation why 256 algos are pretty much impossible to bruteforce in your universe.

Please add to the best place on the wiki:

The codeboxes don’t recognize arrows and so an ugly code is showing instead. Any suggestions?

1 Like

I thought about using {{box|text= but not creating a Box template. Would have been less time consuming.

1 Like

Added DHCP section to KVM docs and linked to it from Android x86 dynamic IP section.

Updated sound section for KVM detailing how to enable microphones selectively.

1 Like

Deactivate sdwdate Connectivity Test for whonix-ws-15 calls for editing this file but there is no anon-shared-helper-scripts directory.

sudo nano /usr/lib/anon-shared-helper-scripts/te_pe_tb_check

This should be changed to:

sudo mkdir -p /usr/lib/anon-shared-helper-scripts/

Then,

sudo nano /usr/lib/anon-shared-helper-scripts/te_pe_tb_check

https://www.whonix.org/wiki/Whonix-Gateway_Security_Hardening#Deactivate_sdwdate_Connectivity_Test

1 Like

The path changed. Should be fixed.

Replace text

" anon-shared-helper-scripts " will be replaced with " helper-scripts " in 9 pages.

1 Like

Use

<code>something</code> &rarr; <code>more</code> ...

(as standardized elsewhere in wiki)

1 Like

This message could use a revision since it will be prominent.