Tails Features/Ideas

  • Remove the preconfigured #tails IRC channel. Join us on XMPP instead!
    Then configure your preferred instant messaging client, for example Pidgin, which runs on Windows, GNU/Linux, and Mac OS X, to connect to:

    server: conference.riseup.net
    room: tails
    Use TLS/SSL to connect!

(Using Pidgin is terrible advice but maybe the riseup xmpp service is a good idea?)

  • Use secure HKPS OpenPGP key server in Enigmail.

(I know our keyservers point to a HS, does this apply to Enigmail too?)

  • Harden our firewall by rejecting RELATED packets and restricting Tor to only send NEW TCP syn packets. (#11391)

  • Harden our kernel by:

    Setting various security-related kernel options: slab_nomerge slub_debug=FZ mce=0 vsyscall=none. (#11143)
    Removing the .map files of the kernel. (#10951)

  • Enable Packetization Layer Path MTU Discovery for IPv4. This should make the connections to obfs4 Tor bridges more reliable. (#9268)
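As an added example (not Tails' or Whonix's own code), a small audit script that checks a kernel command line and a sysctl value against the kernel items quoted above (#11143, #9268). The sysctl name net.ipv4.tcp_mtu_probing for Packetization Layer PMTUD is my assumption, as are the constructed sample values.

```python
"""Audit kernel boot parameters and one sysctl against the Tails hardening
items quoted in this thread. Example code for this page only."""
import shlex

# Boot parameters from the Tails notes (#11143). None means a bare flag;
# a string means that value is required. slub_debug is a set of flag
# letters, so it is compared as a set rather than literally.
REQUIRED_CMDLINE = {
    "slab_nomerge": None,
    "slub_debug": "FZ",
    "mce": "0",
    "vsyscall": "none",
}

# Packetization Layer PMTUD for IPv4 (#9268). The sysctl name is an
# assumption; the thread does not name it.
REQUIRED_SYSCTL = {"net.ipv4.tcp_mtu_probing": "1"}


def parse_cmdline(cmdline: str) -> dict:
    """Turn /proc/cmdline text into {param: value or None}.
    Repeated parameters keep the last value (simplification)."""
    params = {}
    for token in shlex.split(cmdline):
        key, sep, value = token.partition("=")
        params[key] = value if sep else None
    return params


def missing_cmdline(cmdline: str) -> list:
    """Return required options that are absent or set to another value."""
    present = parse_cmdline(cmdline)
    missing = []
    for key, want in REQUIRED_CMDLINE.items():
        if key not in present:
            missing.append(key)
        elif key == "slub_debug":
            if not set(want) <= set(present[key] or ""):
                missing.append(f"{key}={present[key]} (want {want})")
        elif want is not None and present[key] != want:
            missing.append(f"{key}={present[key]} (want {want})")
    return missing


def missing_sysctl(values: dict) -> list:
    """Return required sysctls whose current value differs from the target."""
    return [f"{k}={values.get(k)} (want {v})"
            for k, v in REQUIRED_SYSCTL.items() if values.get(k) != v]


# Constructed sample: a stock Debian-style boot line and a default sysctl.
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet slub_debug=F"
SAMPLE_SYSCTL = {"net.ipv4.tcp_mtu_probing": "0"}

if __name__ == "__main__":
    print("cmdline:", missing_cmdline(SAMPLE_CMDLINE))
    print("sysctl:", missing_sysctl(SAMPLE_SYSCTL))
```

On a live system, feed it the contents of /proc/cmdline and /proc/sys/net/ipv4/tcp_mtu_probing instead of the sample values.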

If someone is up to host and run it, go ahead. I am not great with instant messengers. Too disruptive. I personally do it only on request to speak about specific topics. Not as a general hangout.

Yes. Can verify by checking icedove enigmail keyserver settings.

related:
https://github.com/Whonix/anon-gpg-tweaks/blob/master/etc/skel/.gnupg/gpg.conf

RELATED,ESTABLISHED -> ESTABLISHED was done for Whonix 13. Ticket:
https://phabricator.whonix.org/T28

They haven’t explained what restricting Tor to only sending NEW TCP SYN packets should be good for.

Something worthwhile for Advanced Security Guide - Whonix.

Why isn’t this done upstream in Debian? We ought to figure that out before changing these things in Whonix.

related:
Qubes mailing list discussion: linux kernel hardening

I don’t think we have this problem in Whonix. If anything, this only matters for Whonix with physical isolation without virtualized Whonix-Gateway.

Very interesting info on haveged

haveged relies on the RDTSC instruction, that apparently is useless in some virtualized environments. Also, the quality of random numbers output by HAVEGE is unclear, and the topic of many discussions.

https://tails.boum.org/contribute/design/random/#rngd

At least on KVM it’s not useful, but we don’t need it anyhow since there is a dedicated rng device.

rdtsc or any TSC counter provides very accurate clock tick information, so it’s better to block it.


kaslr

https://labs.riseup.net/code/projects/tails/repository/revisions/c48b9f65828b664c79eeb6fb41c7dc9aebb3ea31/diff

related:

Linux kASLR is known as not being particularly strong, but one has to start somewhere.

Not an understatement. Though I thought vanilla kernels in Debian enabled it, it doesn’t seem so.
