Mailbag with questions from a knowledgeable tor user and Whonix noob.

Hello Whonix folks,
I have been looking at the project and I liked what I could observe.
I have a few questions running through my head looking for answers.

  1. Is it possible to open a non-gate connection from the Whonix workstation? Like a fronted web server talking to a database on another server?
  2. Can Whonix be used for more efficient utilization of server hardware? Tor is single threaded. My idea was to create a load balancer with Onionbalance and point it to multiple Whonix gateways (on the same hardware), which themselves point to a single Whonix workstation web server. This way it should be possible to use multiple CPU cores, right?
    Does this kind of setup downgrade privacy?
  3. Are there any possible de-anonymization attacks for Onion servers by implementing TOTP 2FA? TOTP is time based. Does this then expose the time of the server?
  4. Does anyone know what is the maximum number of hidden directory descriptors (v3) onionbalance can handle? It depends on how many introduction points a single onion service instance has, right?
  5. Are there advantages/disadvantages in brute-forcing a hidden service host name?
  6. What is the best brute forcing software for v3 addresses? Can I do it on a GPU? What is the math behind the time required for a given character length?

Possible in theory: 1) Add another network interface 2) add hole to firewall.

In practice, currently undocumented.

No.

Not sure. 2FA requires that server and client have approximately the same system time (“relative”, “in UTC”; time zone and the representation shown to the user don’t matter). In practice, “commonly” (haven’t seen otherwise) it’s the actual world’s time. (Again, this transcends time zones.) I am not sure about 2FA server implementations, but I’ve heard each code is valid for 30 seconds and servers grant a grace period of 2 before and 2 after. So in theory a clock with a +/- 90 seconds or so accuracy range. 2FA doesn’t require a network connection on the client side. But a server with a slow or fast clock could leak a +/- 90 seconds or so accuracy range.
General Tor / anonymity question. Self Support First Policy for Whonix applies.

sdwdate accuracy might be too low. Might break 2FA server implementation. Untested.

Best resolved as per Self Support First Policy for Whonix.

Hello Patrick,

thanks for your fast response.

You are right: TOTP usually uses a 30sec period and a grace period.
What do you mean by “sdwdate accuracy might be too low”?

Do you have a better proposal for implementing 2FA? If TOTP is only a grace period issue, this can be ignored as I will implement the times myself.

Can you please give me your reasoning for not using a brute-forced Whonix website onion host name?

I like to use the KVM version of Whonix. Can you please help me a little bit more with the open port networking topology? Where do I have to add another networking interface? Punching a hole inside the Whonix-Gateway firewall with one of the user config files? What are the security disadvantages?

Is connecting to a database an uncommon use case of Whonix? Is there a better way to scale?

I guess you misunderstood question 2). I don’t want to improve Tor. I want to utilize a server with multiple cores more efficiently. Is this possible? Are there security or privacy threats? To bring the question to the point: Can I run two gateways on the same server and point them to a single workstation? Or three gateways.

                                  Tor 1                                                              
                                    |                                                                
                                    |                                                                
                                    |    +---------------------+                                     
                                    |    | +------------+      |                                     
                                    +------| Gateway 1  |-----+|                                     
                                         | +------------+     ||                                     
                                         | +------------+     ||                                     
                                    +------| Gateway 2  |--+  ||                                     
                                    |    | +------------+  |  ||                                     
                                    |    |                 |  ||                                     
                                    |    | +-----------------+ |                                     
                                  Tor 2  | |Workstation      | |                                     
                                         | +-----------------+ |                                     
                                         |                     |                                     
                                         |    Single Server    |                                     
                                         +---------------------+

No.

The time it sets could be off by less/more than +/- 30 seconds from the real time everyone else is using.

Not maintained by me.

If you know how to do that generally, you might know how to do that for Whonix too. Self Support First Policy for Whonix applies.

Either gateway or workstation. That depends on the setup. Adding an extra network adapter to the workstation might be easier. That other VM might then exclusively grant access to a database server to that workstation.

I haven’t tested that.

Not sure the current configuration ability is sufficient or if script / iptables rules modifications would be required.

I haven’t seen anyone online say they are doing that yet.

There are pointers here - Onion Services - Whonix - but no, no research into scalable onion services has been done by me, let alone how to integrate that with Whonix. Non-trivial to say the least.

Cannot see how.

For 2FA I have some other ideas: Sending codes with XMPP or another messenger. Some big onion services offer a GPG encrypted message. However, this undermines the idea of 2FA in a way.
I can’t see the problem with TOTP and sdwdate. If I implement 2 grace times, it is +/- 90sec. Sdwdate is only between +/- 30sec, right? Please explain the problem to me. I don’t get it. It should work even if sdwdate goes to the min/max limit, because of the grace times. Otherwise, I will write my own TOTP implementation with increased time, more digits (8), and rate limiting.
By using TOTP, I am more concerned that an attacker can brute force the server time by trying many times and checking when the codes start to fail. Is this a real concern? I guess this is unproblematic because the host time is different, right? The only time-related danger is getting the host time (which is not possible with this kind of attack) and changing the Tor consensus, or doing replay attacks by attacking the time of Whonix.
Does this make any sense?

I read the link you provided to the Onion Domain. The question has been answered. It was exactly what I was looking for. It looks like I need a lot more processing power. However, with GPUs it is definitely doable. Thanks!

On the scaling question (and this is a really big/potentially revolutionary thing): even if you don’t understand it. Please give me some insight if Whonix can be used as the diagram shows. Multiple gateways on the same physical server and one workstation.
And if this kind of setup is possible, what are the potential risks of doing this? I see one problem: Guard discovery becomes doubly easy because each gateway has its own set of tor guards.

Who maintains the KVM version? Hulahoop, right? What is the best way to contact him? Are there any other maintainers?

I want to use KVM because it is the best version for a cloud hosting environment. Would you agree?

Thanks for the link about scaling ideas. I know the site because of RTFM. I read most if not all parts of the docs before starting this thread.

For the question about the open clear net connection setup. I would like to benefit from the great anti-leak setup of Whonix and also use fast backend database connections on different servers.

+---------------------------------+                               
| +-------------+       +-------+ |                               
| |  Workstation|-------|Gateway| |                               
| +-------------+       +-------+ |                               
|        |                   |    |                               
+--------|-------------------|----+                               
         |                   |                                    
  +------|---------+    +----|----+                               
  |Backend Database|    | Tor     |                               
  |(clearnet)      |    | Network |                               
  +----------------+    +---------+                               

Would you like to help me figure out how this kind of setup is possible? I guess it would bring quite a lot to the Whonix project because of this amazing use case. Do you understand my setup? It is a really big project with lots of frontend (tor) servers and backend (clearnet database) servers. For various reasons, there are more servers. However, these are not important for the explanation of this setup.

Is there a CLI minimal version of KVM for cloud environments? I have checked the documentation and I am aware of the option to disable the GUI login manager. Is this the only thing I can do for a cloud environment?
I would like to have a stripped down version of Whonix without user programs like Monero GUI, Onionshare, Files, VLC, etc…

Due to the single-threaded nature of tor, it is quite expensive to run many individual servers. It is a cost minimization strategy. Or in other words: I’m looking for a way around the bottleneck of the single threaded tor process. This would also be the best way to resist a DOS attack until the torproject finally understands that tor either needs to be completely rewritten, or some sort of proof of work needs to be implemented.
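On the question above about the math behind brute-forcing a chosen v3 host name prefix, here is an added example (not code from this thread or from Whonix/Tor): it builds and validates a v3 onion address from a 32-byte ed25519 public key following the Tor v3 address layout (base32 of pubkey, 2-byte SHA3-256 checksum and version byte 3), and computes the expected number of keys for a given prefix. The public key bytes are a constructed placeholder, not a real key.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"                  # v3 onion address version byte
CHECKSUM_PREFIX = b".onion checksum"     # domain-separation string from the Tor v3 spec
BASE32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"

# Constructed placeholder standing in for an ed25519 public key; not a real key.
SAMPLE_PUBKEY = bytes(range(32))


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def address_from_pubkey(pubkey: bytes) -> str:
    """base32(pubkey || checksum || version) + ".onion": 35 bytes -> 56 characters.
    The version byte 0x03 means every v3 address ends in the character 'd'."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"


def validate_address(address: str) -> bool:
    """Structural check worth running before trusting any address you are handed:
    length, base32 alphabet, version byte and checksum must all agree."""
    host = address[:-len(".onion")] if address.endswith(".onion") else address
    if len(host) != 56 or any(c not in BASE32_ALPHABET for c in host):
        return False
    raw = base64.b32decode(host.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == ONION_VERSION and checksum == onion_checksum(pubkey)


def expected_keys_for_prefix(prefix: str) -> int:
    """Each base32 character carries 5 bits of the public key, so a chosen n-character
    prefix matches on average once per 32**n random keys (the mean of a geometric
    distribution; an unlucky run can take far longer). Only the first 51 characters
    come straight from the key bytes; the rest mix in checksum and version."""
    prefix = prefix.lower()
    if not prefix or len(prefix) > 51 or any(c not in BASE32_ALPHABET for c in prefix):
        raise ValueError("prefix must be 1-51 characters from a-z and 2-7")
    return 32 ** len(prefix)


def expected_seconds(prefix: str, keys_per_second: float) -> float:
    """Average wall-clock time at a given key-generation rate (CPU or GPU)."""
    return expected_keys_for_prefix(prefix) / keys_per_second


if __name__ == "__main__":
    addr = address_from_pubkey(SAMPLE_PUBKEY)
    print(addr, validate_address(addr))
    # six chosen characters: 32**6 = 1073741824 keys on average
    print(expected_keys_for_prefix("whonix"), expected_seconds("whonix", 1e6))
```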

There is no research in how accurate sdwdate usually is. That depends on the time sources.

Keep looking at sdwdate log for a while. Compare VM time with real time. That’s the only way to get a feeling for its accuracy.

Not sure. No time to think about.

As said before, in theory possible.
In practice, not researched, not documented.


No Intentional User Freedom Restrictions

Whonix for KVM

Anyone researching, documenting this complex setup: highly unlikely.

I don’t have an opinion.

Yes.

No, but it could probably be built from source code.

Build and Update Whonix from Source Code

  • --flavor whonix-gateway-cli
  • --flavor whonix-gateway-xfce

Multiple Tor processes? These don’t necessarily require multiple VMs. A VM is quite a heavyweight solution just to run multiple processes of the same daemon.

One option is tor-instance-create. That might help a bit. Debian tor package feature. tor-instance-create(8) — tor — Debian bookworm — Debian Manpages. I recommend looking at its source code to see what it does. - Self Support First Policy for Whonix applies. But also possible manually without tor-instance-create.

That plus multiple systemd units could help to run multiple Tor processes on the same machine.

If that is a good idea depends on the use case.

  • facebook / duckduckgo: Maybe. These operators are not anonymous anyhow.
  • anonymous server: Mention of onionbalance on page Onion Services - Whonix applies. I’d approximate this rather than unique scaling solutions not used elsewhere.

I cannot provide more than the pointers that I’ve already provided. It’s not on the roadmap. Not even “simple” (without such a database server setup) use cases of onionbalance + Whonix are documented yet which would happen before.
Bug Reports, Software Development and Feature Requests applies.

Meanwhile I can only recommend this:

  1. Configure something simpler, manually, without involving Whonix.
  2. See how Whonix configures networking → Whonix Networking Implementation Documentation
  3. Try to apply to Whonix.

Thank you for the /Dev links. I have not checked them out. I will check/read everything and get back to you in the next few days/weeks.

/Dev/Build_Documentation/15_full contains a small bug: it displays --flavor whonix-workstation-cli twice.
The CLI versions are great for server use. However, these builds still include the user programs, right? How hard is it to build without user programs?
Like a server CLI version without any user programs.

Possible but undocumented.

  • file build-steps.d/1700_install-packages
  • variable whonix_build_script_skip_package_install
  • variable install_package_list
  • Build Configuration - Whonix chapter build variables or source code modifications
  • repository anon-meta-packages file debian/control: add packages for variable install_package_list
  • Dev/git - Kicksecure

Then the result of that would also be untested.

How to select which meta package gets installed will be simplified.

https://github.com/Whonix/Whonix/commit/bff95de201f9251bd2b2f1a67ceaa61fdd4f6e4a

Every major cloud provider has switched to it by this point.

Why would you bother with a Tor setup if the guts of the operation are out in the clear?

Technically can be used this way, have you tried? Whonix for KVM


Is there a better way to host a hidden service besides of dedicated hardware in own possession?
Your criticism is about using a hosting provider without physical control, right?

Yes. I use this already. Works flawlessly.

For the CLI version I did this:

sudo ./whonix_build --flavor whonix-gateway-cli --arch amd64 --target qcow2 --connection onion --build

and

sudo ./whonix_build --flavor whonix-workstation-cli --arch amd64 --target qcow2 --connection onion --build

Is this the correct way to build KVM builds without the GUI stuff? I can’t see the output anymore. However, there was some output with Monero GUI. Is it still included?

Some fix to the verification section of the /Dev build page:

git verify-tag 15.0.1.7.3-stable

Didn’t show the last git commit.
Instead I did:

git log -n 1 15.0.1.7.2-stable
git verify-commit 34843792583b4acb1d4e4e3188deee02b31d6158

“Better” can be very relative. Possible alternatives:

Looks correct.

Never mind. All packages are built. But it’s not installed.

The build script isn’t complex enough to only build required packages when building flavors that don’t use all packages. A lot of imperfections from a functionality viewpoint. That would be possible in theory but isn’t worth the added code complexity.

That is awesome. Thanks.

Was it helpful/correct?

As I mentioned. I know every normal (not /Dev) wiki page. For me a hosting provider is still the best option.

I don’t understand this wink/criticism. Can someone please enlighten me?
Is he speaking about the risk of memory dumps and tampering?

Rented dedicated servers are still better than VPS , right?
Then I want to install a Debian and KVM in it.

Encryption

It is possible to use full disk encryption at least at rest, correct? Then store the encryption key inside a CPU register by using the TRESOR Kernel Patch. Is this still a thing?
How can I verify that FDE is active?
Are there more things I can do to secure a dedicated cloud server? What about TPM chips?
I know the docs saying “Moreover, a specialized attacker who can reverse engineer hardware designs is also capable of extracting secrets held in processor caches or specialized chips like TPMs.”
However, for my project it is a huge benefit to get some time after a compromise.
What is the best way to detect tampering? I know there is no chance against a skilled attack in a cloud environment. I want to apply the best practices anyway.

SSH

SSH over Tor sounds good for anonymity (besides leaking the “user” user name). By doing this I will be using a Tor exit and opening myself up to a number of attacks.
A better way would be to set up a non-Whonix Tor onion service on the host and use that for SSH, right? Tor authentication would also be a good idea.
Can a Tor onion service SSH setup be combined with port knocking?

Yes.

Self Support First Policy for Whonix applies.

Self Support First Policy for Whonix applies.

The only thing we have on that topic is here: Evil Maid Attack

SSH over onion exclusively:
Onion Services Reliability Issues

By using a third party as a host the contents of your server are observable by them and you could be kicked off service whenever it pleases them. Usually people who run their site as onion, keep full control over their stack. Your split clear/onion config may leak things that makes unmasking the service hosting location very easy and could then endanger your users when the server is commandeered and used to dish out malware.


See: Freenet, Tahoe-LAFS, Zeronet

Yes


This is not too much of a problem if you use multiple clusters around the world.

Why?

All these projects are great. However, I want to use Tor as a static design choice of my setup.

Is it important if no one has to trust the infrastructure through an offline signature strategy?

Is there a better way to speed up database queries? Use a second onion service for the database and then do caching? The problem with caching is it isn’t great for binary data like images (Redis). I want to query images for example.

I wanted a setup like this:

  1. Onionbalance with multiple frontend web server to spread the load
  2. Distributed database backend servers for load balancing
  3. Delayed database for backup functionality
  4. Optional: An onion service database backend cluster as a censorship countermeasure

To scale Whonix (with Tor), I think the best option is still to establish an encrypted (TLS) but not hidden connection to the backend database servers. Otherwise, the query time is not one Tor delay (user to frontend), but two (frontend to backend).
Isn’t scaling also in the interest of the Whonix project?
I guess that would be the topology of Facebook, right?

I think we are talking past each other. I assumed you have a normal VM connecting to a reverse proxy that is in Whonix-WS and that serves queries coming thru Whonix GW. Unless what you call the clearnet backend is hosted inside Whonix Workstation, I cannot comment on how leak proof the setup will be.

Yeah non-trivial. Some advice floating around: using the object cache, pipelining, miscellaneous. As for the VM, look at the IO settings in libvirt’s manual and play with those. You will probably want to remove the blkiotune option I’ve set against DoS resource exhaustion attacks. Also look at renting a server with SSDs which should help performance.

Adding yet another remote link will always incur more latency instead of hosting it locally on the same machine and piping it through a virtual internal network straight to Tor.

No, TLS is fingerprintable which means the data going thru the pipe can be easily enumerated by an attacker who has gathered info about every file/page there is as basic TLS lacks any anonymity features like padding which the Tor protocol does. Tor is not merely 3 TLS connections going thru each other; it is a custom protocol that makes use of crypto primitives.

We haven’t hit any constraints where we need to deploy these for our project yet. However we are interested in gathering knowledge that can help others do what they want like host onion services with great demands.

I wouldn’t know. Facebook onion is a side feature. I doubt it would make sense to compare your needs with them since you are building around the onion mainly, while for them it is a gimmick. If it ceases to work it won’t affect their operations much.


I am talking about this type of setup. All I want is a dedicated clearnet connection from the workstation that is not tunneled through the gateway.

Sure. However, I need multiple physical separated servers. Otherwise there is no high availability and protection from hosting providers.

I need a fast frontend to backend pipe. Is there something better than TLS? What about using Lokinet for this purpose?
Like having something like this:

                                               
           fast TLS/Lokinet connection         
              |------------------+             
+--------------------+   +--------------+      
|    +--------|----+ |   | +-----|----+ |      
| +--| Workstation | |   | | Database | |      
| |  | Frontend    | |   | | Backend  | |      
| |  +-------------+ |   | +----------+ |      
| |  +-------------+ |   +--------------+      
| ---| Gateway     | |   Diagram is simplified.
|    +-------------+ |   Missig:               
+--------------------+   1) Onionbalance       
              |          2) Multiple Frontends 
     +--------|----+     3) Multiple Backends  
     |Tor Network  |                           
     +-------------+                      

Is it important if no one has to trust the infrastructure through an offline signature strategy?

Remote servers have the capability to steal the onion key; at the time of writing there is no revocation mechanism.

Isn’t scaling also in the interest of the Whonix project?

Interesting, yes.
Priority issue → Bug Reports, Software Development and Feature Requests

Perfectly understood.