Mailbag with questions from a knowledgeable tor user and Whonix noob.

How to select which meta package gets installed will be simplified.

https://github.com/Whonix/Whonix/commit/bff95de201f9251bd2b2f1a67ceaa61fdd4f6e4a

Every major cloud provider has switched to it by this point.

Why would you bother with a Tor setup if the guts of the operation are out in the clear?

Technically can be used this way, have you tried? Whonix for KVM


Is there a better way to host a hidden service besides of dedicated hardware in own possession?
Your criticism is about using a hosting provider without physical control, right?

Yes. I use this already. Works flawlessly.

For the CLI version I did this:

sudo ./whonix_build --flavor whonix-gateway-cli --arch amd64 --target qcow2 --connection onion --build

and

sudo ./whonix_build --flavor whonix-workstation-cli --arch amd64 --target qcow2 --connection onion --build

Is this the correct way to build KVM builds without the GUI stuff? I can’t see the output anymore. However, there was some output with Monero GUI. Is it still included?

Some fix to the verification section of the /Dev build page:

git verify-tag 15.0.1.7.3-stable

Doesn’t show the last git commit.
Instead I did:

git log -n 1 15.0.1.7.2-stable
git verify-commit 34843792583b4acb1d4e4e3188deee02b31d6158

“Better” can be very relative. Possible alternatives:

Looks correct.

Never mind. All packages are built. But it’s not installed.

The build script isn’t complex enough to only build required packages when building flavors that don’t use all packages. A lot of imperfections from a functionality viewpoint. That would be possible in theory but isn’t worth the added code complexity.

That is awesome. Thanks.

Was it helpful/correct?

As I mentioned. I know every normal (not /Dev) wiki page. For me a hosting provider is still the best option.

I don’t understand this wink/criticism. Can someone please enlighten me?
Is he speaking about the risk of memory dumps and tampering?

Rented dedicated servers are still better than VPS, right?
Then I want to install a Debian and KVM in it.

Encryption

It is possible to use full disk encryption at least at rest, correct? Then store the encryption key inside a CPU register by using the TRESOR Kernel Patch. Is this still a thing?
How can I verify that FDE is active?
Are there more things I can do to secure a dedicated cloud server? What about TPM chips?
I know the docs saying “Moreover, a specialized attacker who can reverse engineer hardware designs is also capable of extracting secrets held in processor caches or specialized chips like TPMs.”
However, for my project it is a huge benefit to get some time after a compromise.
What is the best way to detect tampering? I know there is no chance against a skilled attack in a cloud environment. I want to apply the best practices anyway.

SSH

SSH over Tor sounds good for anonymity (besides leaking the “user” user name). By doing this I will be using a Tor exit and opening myself up to a number of attacks.
A better way would be to set up a non-Whonix Tor onion service on the host and use that for SSH, right? Tor authentication would also be a good idea.
Can a Tor onion service SSH setup be combined with port knocking?
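One way to answer the “How can I verify that FDE is active?” question from the Encryption section: walk the block-device chain under the root filesystem and look for a dm-crypt layer. This is an added example, not code from the thread or from Whonix; it assumes a Linux host with util-linux (`findmnt`, `lsblk`), and the two sample chains are constructed to show LVM-on-LUKS and a plain partition.

```shell
#!/bin/sh
# Added example (not from the thread): check whether / is backed by a dm-crypt (LUKS) device.
# `lsblk -s -n -o NAME,TYPE <dev>` prints the device and every ancestor beneath it, one per
# line, so an LVM-on-LUKS root shows a "crypt" line between the LV and the partition.

# chain_has_crypt "<NAME TYPE lines>": return 0 if any layer in the chain is dm-crypt.
chain_has_crypt() {
  printf '%s\n' "$1" | awk '$2 == "crypt" { found = 1 } END { exit (found ? 0 : 1) }'
}

# crypt_devices "<NAME TYPE lines>": print the names of the dm-crypt layers in the chain.
crypt_devices() {
  printf '%s\n' "$1" | awk '$2 == "crypt" { print $1 }'
}

# check_root_fde: live check on this host. Returns 0 if / sits on dm-crypt, 1 if not,
# 2 if the device chain could not be determined. Note that this only tells you the
# data is encrypted at rest; it says nothing about the key sitting in RAM of a rented box.
check_root_fde() {
  src=$(findmnt -n -o SOURCE /) || return 2
  chain=$(lsblk -s -n -o NAME,TYPE "$src") || return 2
  if chain_has_crypt "$chain"; then
    echo "root ($src) is backed by dm-crypt layer(s): $(crypt_devices "$chain" | tr '\n' ' ')"
    echo "inspect the cipher and key size with: cryptsetup status <name>"
    return 0
  fi
  echo "root ($src) has no dm-crypt layer; full disk encryption is NOT active for /"
  return 1
}

# Constructed sample chains (what lsblk -s would print), used for the offline demonstration.
SAMPLE_LUKS_LVM='vg-root lvm
cryptroot crypt
sda3 part
sda disk'
SAMPLE_PLAIN='sda1 part
sda disk'

# Offline demonstration on the constructed samples; on a real host call check_root_fde.
if [ "${1:-}" = "--live" ]; then
  check_root_fde
else
  chain_has_crypt "$SAMPLE_LUKS_LVM" && echo "sample 1: encrypted ($(crypt_devices "$SAMPLE_LUKS_LVM"))"
  chain_has_crypt "$SAMPLE_PLAIN" || echo "sample 2: not encrypted"
fi
```

Run with `--live` on the server itself to test the real root device; without arguments it only exercises the constructed samples.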

Yes.

Self Support First Policy for Whonix applies.

Self Support First Policy for Whonix applies.

The only thing we have on that topic is here: Evil Maid Attack

SSH over onion exclusively:
Onion Services Reliability Issues

By using a third party as a host the contents of your server are observable by them and you could be kicked off service whenever it pleases them. Usually people who run their site as onion, keep full control over their stack. Your split clear/onion config may leak things that makes unmasking the service hosting location very easy and could then endanger your users when the server is commandeered and used to dish out malware.


See: Freenet, Tahoe-LAFS, Zeronet

Yes


This is not too much of a problem if you use multiple clusters around the world.

Why?

All these projects are great. However, I want to use Tor as a static design choice of my setup.

Is it important if no one has to trust the infrastructure through an offline signature strategy?

Is there a better way to speed up database queries? Use a second onion service for the database and then do caching? The problem with caching is it isn’t great for binary data like images (Redis). I want to query images for example.

I wanted a setup like this:

  1. Onionbalance with multiple frontend web server to spread the load
  2. Distributed database backend servers for load balancing
  3. Delayed database for backup functionality
  4. Optional: An onion service database backend cluster as a censorship countermeasure

To scale Whonix (with Tor), I think the best option is still to establish an encrypted (TLS) but not hidden connection to the backend database servers. Otherwise, the query time is not one Tor delay (user to frontend), but two (frontend to backend).
Isn’t scaling also in the interest of the Whonix project?
I guess that would be the topology of Facebook, right?

I think we are talking past each other. I assumed you have a normal VM connecting to a reverse proxy that is in Whonix-WS and that serves queries coming thru Whonix GW. Unless what you call the clearnet backend is hosted inside Whonix Workstation, I cannot comment on how leak proof the setup will be.

Yeah non-trivial. Some advice floating around: using the object cache, pipelining, miscellaneous. As for the VM, look at the IO settings in libvirt’s manual and play with those. You will probably want to remove the blkiotune option I’ve set against DoS resource exhaustion attacks. Also look at renting a server with SSDs which should help performance.

Adding yet another remote link will always incur more latency instead of hosting it locally on the same machine and piping it through a virtual internal network straight to Tor.

No, TLS is fingerprintable which means the data going thru the pipe can be easily enumerated by an attacker who has gathered info about every file/page there is as basic TLS lacks any anonymity features like padding which the Tor protocol does. Tor is not merely 3 TLS connections going thru each other it is a custom protocol that makes use of crypto primitives.

We haven’t hit any constraints where we need to deploy these for our project yet. However we are interested in gathering knowledge that can help others do what they want like host onion services with great demands.

I wouldn’t know. Facebook onion is a side feature I doubt it would make sense to compare your needs with them since you are building around the onion mainly, while for them it is a gimmick. If it ceases to work it won’t affect their operations much.


I am talking about this type of setup. All I want is a dedicated clearnet connection from the workstation that is not tunneled through the gateway.

Sure. However, I need multiple physical separated servers. Otherwise there is no high availability and protection from hosting providers.

I need a fast frontend to backend pipe. Is there something better than TLS? What about using Lokinet for this purpose?
Like having something like this:

           fast TLS/Lokinet connection
              |------------------+
+--------------------+   +--------------+
|    +--------|----+ |   | +-----|----+ |
| +--| Workstation | |   | | Database | |
| |  | Frontend    | |   | | Backend  | |
| |  +-------------+ |   | +----------+ |
| |  +-------------+ |   +--------------+
| ---| Gateway     | |   Diagram is simplified.
|    +-------------+ |   Missing:
+--------------------+   1) Onionbalance
              |          2) Multiple Frontends
     +--------|----+     3) Multiple Backends
     |Tor Network  |
     +-------------+

Is it important if no one has to trust the infrastructure through an offline signature strategy?

Remote servers have the capability to steal the onion key; at the time of writing there is no revocation mechanism.

Isn’t scaling also in the interest of the Whonix project?

Interesting, yes.
Priority issue → Bug Reports, Software Development and Feature Requests

Perfectly understood.

This isn’t a problem for my specific use case. Thanks for mentioning this issue.
The use of Onionbalance protects the onion service key by pointing to a different service descriptor (server).
When the attacker hacks the server, it is not the same key as the master key hosted by the Onionbalance instance, correct?

What about using OpenVPN and WireGuard or Lokinet as I mentioned earlier? I have done some speed tests and Lokinet can handle the required load.

Tor competitors - Orchid Protocol, Mainframe, Obsidian, Skrumble, Dusk, Marconi, Loki, Nym

No further comments available.

On the same page as TLS unfortunately hence why VPNs are not tools for anonymity, but limited privacy depending on the threat model.

Have heard it being mentioned in the past, but haven’t read any whitepapers, spec docs or peer reviewed research from the anonymity and privacy research community to make a judgement. Consider using a 1 hop onion service as a second connection between WS and backend.

Tor is not fast enough. Using a single hop onion service is a good idea to reduce latency. Unfortunately, this does not increase throughput.
What about Shadowsocks? I’ve heard that you can use this software to bypass the Chinese firewall (I suspect it does some padding to sneak through DPI).

Opinions on this topic?

Is Shadowsocks a valid option?
Also: Is my understanding about Onionbalance correct?

onionbalance: As said, I didn’t look into it. https://www.whonix.org/wiki/Free_Support_Principle applies.

Shadowsocks: Same. See also Non-bridge Censorship Circumvention Tools.

Would Onionbalance be a software worth writing documentation for?

Very much so. Bug Reports, Software Development and Feature Requests applies.