Offline Documentation Discussion

What are the requirements for offline documentation and how can it be done in a safe way that protects from watering hole attacks?

TAILS has offline documentation that can be built offline.


Edit by Patrick:
This was implemented.


It’s a good idea as always. Other Whonix work will prevent me from doing this anytime soon.

A https://github.com/Whonix/whonix-docs package could be created.

This needs automation. Manually would be a giant waste of time and impossible to keep updated.

Mediawiki comes with a

/maintenance/dumpHTML.php

script.

We have instructions for replicating whonix.org wiki:
https://www.whonix.org/wiki/Dev/Replicating_whonix.org

Or just set up a test wiki and experiment with it.

Then write a script that uses mediawiki’s “/maintenance/dumpHTML.php” that creates a nice folder including html that actually works in a browser (local) [test] that we can then put into the https://github.com/Whonix/whonix-docs package.

I can do the debian packaging part, but I won’t have time to create the script for automation of creating the local html.

So what this needs is a contributor with the motivation, time and skill who does the research and implementation. That’s all.

There are some easier ways from what I found. Maybe a tool like Kiwix can do the last part without needing scripting?

http://www.kiwix.org/wiki/Main_Page

Offline mediawiki reader:
http://www.okawix.com/

Downloading from whonix.org would not be as secure as using the tool on a server that has mediawiki. Not a blocker, but since you mentioned watering hole attacks I thought it’s worth mentioning it.

Requires research. If one of these tools actually works and we actually end up with a usable html folder that contains Whonix documentation offline, that’d be great.

Of course I am not suggesting they use these programs to download from the site, but as an offline reader for the mediawiki backup folder distributed with Whonix. At that point converting to HTML is not needed anymore as they can interpret the data format just fine.

It’s as simple as indexing the mediawiki dump with this program, then it’s able to open it up for viewing seamlessly.

If you have downloaded a Non-indexed ZIM file, then you only need to open it with Kiwix (downloaded separately) and if you need to, index it in addition.

Kiwix is in Debian sid.

Kiwix allows you to read and search through offline content as they were online. Similar to a browser, Kiwix works with the highly compressed ZIM file format.

Features:

  • Pure ZIM file reader
  • Case and diacritics insensitive full text search engine
  • Bookmarks & Notes
  • ZIM base HTTP server
  • PDF/HTML export
  • Localized
  • Search suggestions
  • ZIM file Index capacity
  • Tabs navigation

It can be used as an intermediate step to convert into HTML too, but taking the above attack into consideration, it’s probably best not to distribute something that uses a browser online or offline for that matter.

A comparison between these two programs: kiwix – Ziko's Blog

Credit for Kiwix goes to the author of this post.

I know. But me running those programs against whonix.org isn’t any safer than any random user doing that. It would make the assumption, that I or a magical someone else checks all documentation after download if it contains nothing malicious - every time offline documentation gets updated. Too broad an assumption.

Kiwix is in Debian sid.
Very good point for Kiwix! So I can download it from there and believe the package maintainer has checked the source for at least doing nothing malicious.

Wikipedia offline reader

So does it work with Whonix wiki as well?

It would make the assumption, that I or a magical someone else checks all documentation after download if it contains nothing malicious - every time offline documentation gets updated. Too broad an assumption.

You’re saying that the whole idea of offline documentation is a bad security risk then?

What is the simplest and safest format that we can provide this information as, text files? There has to be some way to realize this, TAILS managed to do it somehow.

Wikipedia offline reader

So does it work with Whonix wiki as well?

Yes it supports MediaWiki that Wikipedia is based on.

It is possible to read any Wikimedia project, although it was originally designed only for Wikipedia.

EDIT:
What if we can extend the reproducible build concept to the dumped data from the Whonix wiki? On a first run users use Kiwix to index the mediawiki dump copy you distribute that has a verified known good state. It should be a very fast process and only necessary once.

You’re saying that the whole idea of offline documentation is a bad security risk then?
No.

While a Whonix offline documentation feature would add value to Whonix, and might even improve security for some users, watering hole attacks are still a different threat. It isn’t really worth going into the security nuances before someone is working on this.

What is the simplest and safest format that we can provide this information as, text files?
Yes.

But offline html would be fine as well.

It totally depends on the contributor who is willing to do the work on this.

There has to be some way to realize this,

Sure.

We probably cannot do it the same way they are doing it. They’re using a different content generator for their website:
ikiwiki (https://ikiwiki.info)

While whonix.org uses mediawiki as content generator. I wouldn’t want to move from mediawiki to ikiwiki for many reasons I am not going into before this is seriously suggested (I hope not).

[quote=“HulaHoop, post:8, topic:413”][quote]Wikipedia offline reader

So does it work with Whonix wiki as well?[/quote]

Yes it supports MediaWiki that Wikipedia is based on.[/quote]
Indeed. Kiwix - Wikipedia describes it quite well.

I’m a willing contributor. That’s why I’m having this discussion :) I am not implying you do this, I’m just trying to figure out an easier way to achieve the same result without writing a script for HTML conversion. Kiwix looks like a solution because it converts the output into HTML among other things.

Please read the addition I made for my last post on reproducible builds.

Would be a good idea. Sure. If it works. Hopefully Kiwix produces deterministic (or at least verifiable [only small unimportant differences]) results.

I didn’t say someone needs to write a script for HTML conversion. As said in my first answer in this thread, mediawiki’s

/maintenance/dumpHTML.php

already does that. Just re-read my first post. Someone just needs to actually start using/experimenting with the existing /maintenance/dumpHTML.php script and see what the results look like.

I’ll follow the replication page and see what gives.

Moved replicating whonix.org discussion:
Whonix Forum

https://www.mediawiki.org/wiki/Extension:DumpHTML

Please give it a quick look and tell what parameters are interesting for our usecase.

Required:

Maybe useful:

or

(Depending on which works.)

Maybe required:

Maybe useful, maybe not (depending on if it is deterministic)

Extension path:
/var/www/wiki/extensions/DumpHTML/dumpHTML.php

user@host:~$ sudo chown --recursive www-data:www-data /var/www
user@host:~$ /var/www/wiki/extensions/DumpHTML/dumpHTML.php -d /home/user/Desktop/backup
bash: /var/www/wiki/extensions/DumpHTML/dumpHTML.php: Permission denied
user@host:~$ sudo /var/www/wiki/extensions/DumpHTML/dumpHTML.php -d /home/user/Desktop/backup
sudo: /var/www/wiki/extensions/DumpHTML/dumpHTML.php: command not found
user@host:~$ sudo su /var/www/wiki/extensions/DumpHTML/dumpHTML.php
No passwd entry for user '/var/www/wiki/extensions/DumpHTML/dumpHTML.php'

Works fine but gives:

WARNING: destination directory already exists, skipping initialisation
Creating static HTML dump in directory /home/user/Desktop/backup.
Using database localhost
Starting from page_id 1 of 1074
PHP Fatal error: Cannot access protected property LocalRepo::$thumbScriptUrl in /var/www/w/extensions/DumpHTML/dumpHTML.inc on line 1163

That last error is most likely because of a bug in the extension.

Alternatively I tried getting kiwix from sid and it wouldn’t work because of missing dependencies that haven’t been packaged yet.

Whenever kiwix is ready I will test it and then all that is needed is the wiki data from git for distribution with this package preinstalled.
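
Added example (not part of the thread and not Whonix code): one way to check a dumped documentation folder against a "verified known good state", as raised in the reproducible-build posts above. It hashes every file in a dump directory, condenses the manifest to one digest, and lists the files that differ between a trusted build and a candidate; the function names and the directory contents in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map every file path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):  # symlinked dirs are not followed
        for name in filenames + dirnames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.islink(path):
                # Record the link target instead of reading through the link.
                manifest[rel] = "symlink:" + os.readlink(path)
            elif os.path.isfile(path):
                with open(path, "rb") as fh:
                    manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def manifest_digest(manifest):
    """Single digest over the sorted manifest: the one value to publish and sign."""
    h = hashlib.sha256()
    for rel in sorted(manifest):
        h.update(f"{manifest[rel]}  {rel}\n".encode())
    return h.hexdigest()


def compare(trusted, candidate):
    """Return (added, removed, changed) relative paths, each sorted."""
    added = sorted(set(candidate) - set(trusted))
    removed = sorted(set(trusted) - set(candidate))
    changed = sorted(p for p in set(trusted) & set(candidate) if trusted[p] != candidate[p])
    return added, removed, changed


def demo():
    """Constructed sample: a trusted dump and a copy with one edited page and one extra file."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as other:
        for root in (good, other):
            os.makedirs(os.path.join(root, "articles"))
            for rel, text in (("index.html", "<h1>Docs</h1>"), ("articles/Install.html", "<p>v1</p>")):
                with open(os.path.join(root, rel), "w") as fh:
                    fh.write(text)
        with open(os.path.join(other, "articles/Install.html"), "a") as fh:
            fh.write("<p>edited after the trusted build</p>")
        with open(os.path.join(other, "extra.js"), "w") as fh:
            fh.write("/* not in the trusted build */")
        return compare(build_manifest(good), build_manifest(other))
```

If two independent runs of the dump tool give the same `manifest_digest`, the output is deterministic; if not, `compare` shows which files carry the differences so they can be reviewed.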