Hello Whonix folks,
I have been looking at the project and I liked what I could observe.
I have a few questions running through my head looking for answers.
Is it possible to open a non-gateway connection from the Whonix workstation? Like a frontend web server talking to a database on another server?
Can Whonix be used for more efficient utilization of server hardware? Tor is single threaded. My idea was to create a load balancer with Onionbalance and point it to multiple Whonix gateways (on the same hardware), which themselves point to a single Whonix workstation web server. This way it should be possible to use multiple CPU cores, right?
Does this kind of setup downgrade privacy?
Are there any possible de-anonymization attacks for Onion servers by implementing TOTP 2FA? TOTP is time based. Does this then expose the time of the server?
Does anyone know what is the maximum number of hidden directory descriptors (v3) onionbalance can handle? It depends on how many introduction points a single onion service instance has, right?
Are there advantages/disadvantages in brute-forcing a hidden service host name?
What is the best brute forcing software for v3 addresses? Can I do it on a GPU? What is the math behind the time required for a given character length?
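As an added illustration (not code from this thread) of what a brute-forced v3 host name is actually searching over: a v3 address is the base32 encoding of the 32-byte ed25519 public key, a 2-byte SHA3-256 checksum and the version byte 0x03, so a chosen prefix of n characters costs about 32^n random keys on average. The code derives and validates addresses and computes that expected cost; the 32-byte sample key is a constructed placeholder, not a real service key.

```python
import base64
import hashlib

VERSION = b"\x03"  # v3 onion address version byte
# Constructed placeholder: any 32 bytes stand in for an ed25519 public key here.
SAMPLE_PUBKEY = bytes(range(32))


def onion_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] (rend-spec-v3)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """base32(PUBKEY || CHECKSUM || VERSION) + ".onion": 35 bytes -> 56 characters."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str):
    """Return the public key if the address is well-formed and its checksum and
    version byte are right, else None. Validate user-supplied names this way
    before doing anything with them."""
    name = address[:-6] if address.endswith(".onion") else address
    if len(name) != 56:
        return None
    try:
        raw = base64.b32decode(name.upper())
    except (ValueError, TypeError):
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION or checksum != onion_checksum(pubkey):
        return None
    return pubkey


def expected_keys_for_prefix(prefix_len: int) -> int:
    """Each base32 character carries 5 key bits, so one key in 32**n on average
    matches a chosen n-character prefix (assumes uniformly distributed keys)."""
    return 32 ** prefix_len


def expected_seconds(prefix_len: int, keys_per_second: float) -> float:
    """Mean search time for a prefix at a given key-generation rate."""
    return expected_keys_for_prefix(prefix_len) / keys_per_second
```

Every v3 address ends in "d" because the last base32 character holds the low five bits of the version byte 0x03.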
Not sure. 2FA requires that server and client have approximately the same system time (“relative”, “in UTC”; the time zone and the representation shown to the user don’t matter). In practice, “commonly” (I haven’t seen otherwise) it’s the actual world’s time. (Again, this transcends time zones.) I am not sure about 2FA server implementations, but I’ve heard each code is valid for 30 seconds and servers grant a grace period of 2 before and 2 after. So in theory that is a clock accuracy range of +/- 90 seconds or so. 2FA doesn’t require a network connection on the client side. But a server with a slow or fast clock could leak a +/- 90 seconds or so accuracy range.
General Tor / anonymity question. Free Support for Whonix ™ applies.
sdwdate accuracy might be too low. Might break 2FA server implementation. Untested.
You are right: TOTP usually uses a 30-second period and a grace period.
What do you mean by “sdwdate accuracy might be too low”?
Do you have a better proposal for implementing 2FA? If TOTP is only a grace period issue, this can be ignored as I will implement the times myself.
Can you please give me your reasoning for not using a brute-forced Whonix website onion host name?
I like to use the KVM version of Whonix. Can you please help me a little bit more with the open port networking topology? Where do I have to add another networking interface? Punching a hole inside the Whonix-Gateway firewall with one of the user config files? What are the security disadvantages?
Is connecting to a database an uncommon use case of Whonix? Is there a better way to scale?
I guess you misunderstood question 2). I don’t want to improve Tor. I want to utilize a server with multiple cores more efficiently. Is this possible? Are there security or privacy threats? To bring the question to the point: can I run two gateways on the same server and point them to a single workstation? Or three gateways?
The time it sets could be off by less/more than +/- 30 seconds from the real time everyone else is using.
Not maintained by me.
If you know how to do that generally, you might know how to do that for Whonix too. Free Support for Whonix ™ applies.
Either gateway or workstation. That depends on the setup. Adding an extra network adapter to the workstation might be easier. That other VM might then exclusively grant access to a database server to that workstation.
I haven’t tested that.
Not sure the current configuration ability is sufficient or if script / iptables rules modifications would be required.
I haven’t seen anyone online saying doing that yet.
There are pointers here - Onion Services - Whonix - but no, no research into scalable onion services has been done by me, let alone how to integrate that with Whonix. Non-trivial to say the least.
For 2FA I have some other ideas: Sending codes with XMPP or another messenger. Some big onion services offer a GPG encrypted message. However, this undermines the idea of 2FA in a way.
I can’t see the problem with TOTP and sdwdate. If I implement 2 grace times, it is +/- 90 sec. sdwdate is only between +/- 30 sec, right? Please explain the problem to me. I don’t get it. It should work even if sdwdate goes to the min/max limit, because of the grace times. Otherwise, I will write my own TOTP implementation with an increased time, more digits (8), and rate limiting.
By using TOTP, I am more concerned that an attacker can brute-force the server time by trying many times and checking when the codes start to fail. Is this a real concern? I guess this is unproblematic because the host time is different, right? The only time-related danger is getting the host time (which is not possible with this kind of attack) and changing the Tor consensus, or doing replay attacks by attacking the time of Whonix.
Does this make any sense?
I read the link you provided to the Onion Domain. The question has been answered. It was exactly what I was looking for. It looks like I need a lot more processing power. However, with GPUs it is definitely doable. Thanks!
On the scaling question (and this is a really big, potentially revolutionary thing), even if you don’t understand it: please give me some insight into whether Whonix can be used as the diagram shows. Multiple gateways on the same physical server and one workstation.
And if this kind of setup is possible, what are the potential risks of doing this? I see one problem: Guard discovery becomes doubly easy because each gateway has its own set of tor guards.
Who maintains the KVM version? Hulahoop, right? What is the best way to contact him? Are there any other maintainers?
I want to use KVM because it is the best version for a cloud hosting environment. Would you agree?
Thanks for the link about scaling ideas. I know the site because of RTFM. I read most if not all parts of the docs before starting this thread.
Regarding the question about the open clearnet connection setup: I would like to benefit from the great anti-leak setup of Whonix and also use fast backend database connections on different servers.
Would you like to help me figure out how this kind of setup is possible? I guess it would bring quite a lot to the Whonix project because of this amazing use case. Do you understand my setup? It is a really big project with lots of frontend (tor) servers and backend (clearnet database) servers. For various reasons, there are more servers. However, these are not important for the explanation of this setup.
Is there a CLI minimal version of KVM for cloud environments? I have checked the documentation and I am aware of the option to disable the GUI login manager. Is this the only thing I can do for a cloud environment?
I would like to have a stripped down version of Whonix without user programs like Monero GUI, Onionshare, Files, VLC, etc…
Due to the single-threaded nature of tor, it is quite expensive to run many individual servers. It is an idea for a cost minimization strategy. Or in other words: I’m looking for a way around the bottleneck of the single-threaded tor process. This would also be the best way to resist a DoS attack until the Tor Project finally understands that tor either needs to be completely rewritten, or some sort of proof of work needs to be implemented.
Multiple Tor processes? These don’t necessarily require multiple VMs. A VM is quite a heavyweight solution just to run multiple processes of the same daemon.
That plus multiple systemd units could help to run multiple Tor processes on the same machine.
If that is a good idea depends on the use case.
facebook / duckduckgo: Maybe. These operators are not anonymous anyhow.
anonymous server: Mention of onionbalance on page Onion Services - Whonix applies. I’d approximate this rather than unique scaling solutions not used elsewhere.
I cannot provide more than the pointers that I’ve already provided. It’s not on the roadmap. Not even “simple” (without such a database server setup) use cases of onionbalance + Whonix are documented yet which would happen before. Bug Reports, Software Development and Feature Requests applies.
Meanwhile I can only recommend this:
Configure something simpler, manually, without involving Whonix.
Thank you for the /Dev links. I have not checked them out. I will check/read everything and get back to you in the next few days/weeks.
/Dev/Build_Documentation/15_full contains a small bug: it displays --flavor whonix-workstation-cli twice.
The CLI versions are great for server use. However, these builds still include the user programs, right? How hard is it to build without user programs?
Like a server CLI version without any user programs.
Is there a better way to host a hidden service besides dedicated hardware in your own possession?
Your criticism is about using a hosting provider without physical control, right?
Is this the correct way to build KVM builds without the GUI stuff? I can’t see the output anymore. However, there was some output with Monero GUI. Is it still included?
Some fix to the verification section of the /Dev build page:
git verify-tag 15.0.1.7.3-stable
Doesn’t show the last git commit.
Instead I did:
“Better” can be very relative. Possible alternatives:
Looks correct.
Never mind. All packages are built. But it’s not installed.
The build script isn’t complex enough to only build required packages when building flavors that don’t use all packages. A lot of imperfections from a functionality viewpoint. That would be possible in theory but isn’t worth the added code complexity.
As I mentioned. I know every normal (not /Dev) wiki page. For me a hosting provider is still the best option.
I don’t understand this wink/criticism. Can someone please enlighten me?
Is he speaking about the risk of memory dumps and tampering?
Rented dedicated servers are still better than a VPS, right?
Then I want to install a Debian and KVM in it.
Encryption
It is possible to use full disk encryption at least at rest, correct? Then store the encryption key inside a CPU register by using the TRESOR Kernel Patch. Is this still a thing?
How can I verify that FDE is active?
Are there more things I can do to secure a dedicated cloud server? What about TPM chips?
I know the docs saying “Moreover, a specialized attacker who can reverse engineer hardware designs is also capable of extracting secrets held in processor caches or specialized chips like TPMs.”
However, for my project it is a huge benefit to get some time after a compromise.
What is the best way to detect tampering? I know there is no chance against a skilled attack in a cloud environment. I want to apply the best practices anyway.
SSH
SSH over Tor sounds good for anonymity (besides leaking the “user” user name). By doing this I will be using a Tor exit and opening myself up to a number of attacks.
A better way would be to set up a non-Whonix Tor onion service on the host and use that for SSH, right? Tor authentication would also be a good idea.
Can a Tor onion service SSH setup be combined with port knocking?
By using a third party as a host, the contents of your server are observable by them and you could be kicked off the service whenever it pleases them. Usually people who run their site as an onion keep full control over their stack. Your split clear/onion config may leak things that make unmasking the service hosting location very easy and could then endanger your users when the server is commandeered and used to dish out malware.
This is not too much of a problem if you use multiple clusters around the world.
Why?
All these projects are great. However, I want to use Tor as a static design choice of my setup.
Is it important if no one has to trust the infrastructure through an offline signature strategy?
Is there a better way to speed up database queries? Use a second onion service for the database and then do caching? The problem with caching is it isn’t great for binary data like images (Redis). I want to query images for example.
I wanted a setup like this:
Onionbalance with multiple frontend web servers to spread the load
Distributed database backend servers for load balancing
Delayed database for backup functionality
Optional: An onion service database backend cluster as a censorship countermeasure
To scale Whonix (with Tor), I think the best option is still to establish an encrypted (TLS) but not hidden connection to the backend database servers. Otherwise, the query time is not one Tor delay (user to frontend), but two (frontend to backend).
Isn’t scaling also in the interest of the Whonix project?
I guess that would be the topology of Facebook, right?
I think we are talking past each other. I assumed you have a normal VM connecting to a reverse proxy that is in Whonix-WS and that serves queries coming thru Whonix GW. Unless what you call the clearnet backend is hosted inside Whonix Workstation, I cannot comment on how leak proof the setup will be.
Yeah, non-trivial. Some advice floating around: using the object cache, pipelining, miscellaneous. As for the VM, look at the IO settings in libvirt’s manual and play with those. You will probably want to remove the blkiotune option I’ve set against DoS resource exhaustion attacks. Also look at renting a server with SSDs, which should help performance.
Adding yet another remote link will always incur more latency instead of hosting it locally on the same machine and piping it through a virtual internal network straight to Tor.
No, TLS is fingerprintable, which means the data going thru the pipe can be easily enumerated by an attacker who has gathered info about every file/page there is, as basic TLS lacks any anonymity features like padding which the Tor protocol does. Tor is not merely 3 TLS connections going thru each other; it is a custom protocol that makes use of crypto primitives.
We haven’t hit any constraints where we need to deploy these for our project yet. However, we are interested in gathering knowledge that can help others do what they want, like host onion services with great demands.
I wouldn’t know. Facebook’s onion is a side feature; I doubt it would make sense to compare your needs with them since you are building around the onion mainly, while for them it is a gimmick. If it ceases to work it won’t affect their operations much.
I am talking about this type of setup. All I want is a dedicated clearnet connection from the workstation that is not tunneled through the gateway.
Sure. However, I need multiple physically separated servers. Otherwise there is no high availability and no protection from hosting providers.
I need a fast frontend to backend pipe. Is there something better than TLS? What about using Lokinet for this purpose?
Like having something like this: