Potentional collect information

Greetings all. I have a bit of a strange question, but still. As I understand the gateway has all the information on all the tor nodes involved in the workstation. In addition it has the theoretical ability to see my internal ip.

How can I be sure that this data is not transmitted to collect? If I watch with sniffer, I see a lot of activity under ssl to different tor nodes, even if I’m not doing anything. And not understand, what information keep going to they.

Whonix-Gateway runs Tor and malware in Whonix-Gateway would have the ability to see everything sent from Whonix-Workstation to Whonix-Gateway.

Not only in theory. Also in practice. A user or malware running commands on Whonix-Gateway can figure out its own external internet service provider (ISP) assigned IP address.

You’re basically asking how to audit Whonix?


(Whonix is based on Kicksecure.)

Is that what you mean? Does that apply?

Whonix is based on Tor.

This is unspecific to Whonix. The traffic generated by Tor during idle should be comparable to other places running Tor. Most comparable would be Debian with the tor package installed. [1]

[1] Details, for more specific instructions how reproduce the same configuration (vangards, …) that Whonix is using on Debian, see:
Tor Documentation for Whonix ™ Users chapter Tor Generic Bug Reproduction in Whonix wiki (I am not implying there’s a bug here.)