Questions after reading the Wiki

Hello Whonix Community,

I have read almost the entire Whonix Wiki. However, there are some questions that the Wiki did not answer or remained unclear.

#General

1. The wiki recommends Debian as host operating system. Why not take advantage of Kicksecure’s hardening and use it as host operating system?
2. The wiki recommends disabling TCP SACK. Is this still recommended? Within Whonix 15 I can’t find the configuration under “/etc/sysctl.d/tcp_sack.conf”.
3. The wiki recommends hiding different user locations against Tor guard fingerprinting by using alternating bridges. Are these special bridges? Or “normal” bridges and they alternate by default?
4. FireJail is no longer recommended because it’s unclear whether it does more good than harm, right?

#Qubes-Whonix specific
5) I have read that the sys-net, sys-firewall templates from Fedora ping home by default. Is this still a problem?
6) Is there a good reason not to install Tirdad inside Qubes-Whonix?
7) The wiki recommends to disable core dumps and swap. Is this also recommended for Qubes-Whonix?
8) Why are disabled core dumps and swap files not the default setting within the Whonix templates?
9) The wiki recommends using Debian minimal templates for sys-net and sys-firewall. Why not use an already hardened cloned Whonix-ws-15?

Many thanks for your amazing work!

Hello,

1. You can use Kicksecure, but it is not ready for production use yet. Look in the development forum for threads about hosts for Whonix.

2. Check /etc/sysctl/30_security_misc.conf. If the wiki page is outdated, could you update it?

3. Do you mean by moving the state file? If so, the guide helps you to temporarily rotate guards, not use bridges.

4. There might be other issues, but it breaks things and it might affect fingerprinting.

5. You can find out with a dnf search for a package including “fedora connectivity check” in the name.

6. Does not work in Qubes.

9. Would not work. Whonix is specialized for its purpose. Go to the docs section of the Qubes website for managing minimal templates. There are instructions for adding packages to create fedora-minimal or debian-minimal netvm.

Thanks for your support

1. answered

2. /etc/sysctl/30_security_misc.conf has the TCP SACK option. The wiki is out of date if 30_security_misc.conf is the correct file for it. How can I check that this is the new correct file and not accidentally?
   => outdated wiki at /wiki/Whonix-Workstation_Security_Hardening#Disable_TCP_SACK

3. No, I don’t mean the state file. The wiki points out several options for the protection of fingerprints at different locations. One option is to use “alternating bridges”. My question is: Are “alternating bridges” special bridges or normal bridges and all bridges alternating? I think they are just the normal bridges, and “alternating bridges” describes that they are not persistent for the rotation of the guards. I just want to be sure.

4. answered

5. If I run dnf se “Fedora connectivity check” and nothing is found, is it okay?

6. Why does it not work inside of Qubes? Is there change in the near future?

7. question still open

8. question still open

9. answered

10. Is there a easy way to store the whonix wiki locally?

11. Is there an easy way to save the qubes-os wiki locally? (I know Qubes related)

12. Are Debian minimal templates still the better choice to use as sys-net and sys-firewall compared to fedora?

13. The “best” hypervisor currently available for onion service hosting is KVM because it allows the best defense against advanced deanonymization attacks, isn’t it?
    => /wiki/Advanced_Deanonymization_Attacks#Attack_Methodology

Whonix-Host - in development at time of writing - will be based on Kicksecure.

added just now:

Wording clarification: There is no such thing as “Alternating-Bridges”. It’s not it’s own word. It means “a bridge to alternate”. As in “use different bridges”.

“recommended” is such a strong word I try to avoid. There are complex technical topics and these cannot be boiled down to yes/no. Details are here:

Better look at / ask in the original ticket if anywhere.

No updates there - assume there are no updates.
I am not aware of any changes.

tirdad mentioned here:
Qubes-Whonix Security Disadvantages - Help Wanted!

Qubes host part: best redirected to Qubes support.

It’s disabled in security-misc pacakge but it’s also a host setting.

Because of its network configuration being incompatible with clearnet access.

Kicksecure might be an option but it’s untested.

Thank you for your appreciation!

Thanks,

I will check out your links.
Redirected to Qubes support:

7. The wiki recommends to disable core dumps and swap. Is this also recommended for Qubes-Whonix?

8. Is there an easy way to save the qubes-os wiki locally?

Reamaining questions:

10. Is there a easy way to store the whonix wiki locally?

11. The “best” hypervisor currently available for onion service hosting is KVM because it allows the best defense against advanced deanonymization attacks, isn’t it?
    => /wiki/Advanced_Deanonymization_Attacks#Attack_Methodology

do23bf7m via Whonix Forum:

10. Is there a easy way to store the whonix wiki locally?

The wiki is out of date at => /wiki/Whonix-Workstation_Security_Hardening#Disable_TCP_SACK

/etc/sysctl/30_security_misc.conf has the TCP SACK option now.

If you installed those packages from whonix repo and didn’t edit them into 30_security_misc.conf I would say that it is a correct file.

You can update that section. Wiki edits without an account are allowed.

The wiki is out of date at => /wiki/Whonix-Workstation_Security_Hardening#Disable_TCP_SACK

/etc/sysctl/30_security_misc.conf has the TCP SACK option now.

That wiki section is still needed, because 30_security_misc.conf still has the tcp_sack options commented by default (because uncommenting can cause network issues, so users must decide whether to do that manually or not).

For some reason the approved text on that page is not showing 30_security_misc.conf, but showing an alternative file. Weird. You can see the correct reference when you try to edit the relevant section.