Tor Browser New Identity differs from restarting Tor Browser in Whonix

I realise this might be a tor issue, but I’m not sure.

I think I’ve been doing something very stupid.
I was under the illusion that shutting down Tor Browser and then opening it again would do what the New Identity button does. However, this is not the case, as the IP stays the same. Does this mean that all my web activity is now linked to one single profile (for each start-up of Whonix)? Is there any way that this is not the case?
I would appreciate some detailed input…

Frequently Asked Questions - Whonix ™ FAQ

Closing Tor Browser and restarting it should have the same effect as new identity because Tor Browser also isolates streams per tab.

Stream isolation does not equal different Tor exit IP. A new stream might use a different Tor middle relay but the same Tor exit relay.

I tested this once and saw that the tpo.check IP was the same every time across snapshot rollbacks. The only way to refresh the identity was to initiate a NEWNYM on the GW.

So does that mean that the new connections used new circuits but had the same exit?


I’ve been researching this topic a bit and I’m going to disagree with some things that @Patrick said (!!).


Right. This is a Tor Browser issue. Whonix is not involved here. Shutting down and restarting is specific to Whonix (per HulaHoop’s comment). Tor Browser has built-in circuit isolation features. A more descriptive title would be “Tor Browser circuit isolation”.


Other than clearing the application-level browser data, I do not know exactly what closing Tor Browser entails. However, the Torbutton New Identity function is well documented here: The Design and Implementation of the Tor Browser [DRAFT]

One thing that New Identity does that closing Tor Browser might not do is this…

After the state is cleared, we then close all remaining HTTP keep-alive connections and then send the NEWNYM signal to the Tor control port to cause a new circuit to be created.

This would explain why IP results differ between closing TB and issuing New Identity.


This is probabilistic evidence, so make sure you run the test enough times to be sure. Even with “New Identity”, your IP address might stay the same: tor browser bundle - When I click "New Identity", why do I sometimes end up with the same exit relay? - Tor Stack Exchange


Assuming my edit of your question is what you intended, your web browsing was never (since TBB v4.5a1) limited to a single circuit. There are two ways that your browsing activities are isolated from each other:

1. Over time:
https://stem.torproject.org/faq.html#how-do-i-request-a-new-identity-from-tor

Tor periodically creates new circuits. When a circuit is used it becomes dirty, and after ten minutes new connections will not use it. When all of the connections using an expired circuit are done the circuit is closed.

2. By first-party domain name
Several places in the Whonix wiki (including Tor Browser Essentials) refer to Tor Browser Tab Isolation. AFAICT this is incorrect. Tor Browser should set SOCKS username for a request based on first party domain (#3455) · Issues · Legacy / Trac · GitLab explains that streams are isolated by SOCKSauth and that SOCKS username is a function of the base url first-party domain name. This can be seen by opening an arbitrary number of tabs and browsing to check.torproject.org. All of the tabs will show the same IP address. In order for multiple connections to the same website to use a different circuit, a separate instance of Tor Browser is required.


EDIT: Also of interest to OP, Tor Browser Bundle (TBB) new circuit versus new identity.


I stand corrected. :slight_smile:

I am wondering about / about to create a Tor Browser bug report: make closing and restarting Tor Browser as good as New Identity. Any input?


draft…

make closing and restart of Tor Browser as good as New Identity


When using Tor Browser New Identity, it sends signal newnym and restarts the browser.

Manually terminating the browser and restarting it however does not result in sending signal newnym.

I would suggest making the shutdown / restart of Tor Browser as similar to New Identity as it can get. I.e. when Tor Browser gets closed or started, why not send signal newnym?

Are there any other differences between Tor Browser New Identity and Tor Browser restart that could be sorted out?


This is Whonix specific though. With stock TBB the bundled Tor instance shuts down with the browser, and so a new circuit is built on a restart. Not so with Whonix, because it’s a system Tor daemon on the GW that keeps running.

I think this is a very important failsafe feature, but you should mention it’s for designs like Whonix.


It’s a very good point!

Ticket posted:


Indeed a good point. I see now why I thought this was the case. I even remember that it was recommended to restart Tor Browser rather than click the New Identity button, but that was a long time ago.

Otherwise, thanks for the responses.
entr0py, you are saying that actually only the periodic change of circuit would be able to stop linking my Tor profile, given the second reason is not correct? So what if I changed ‘identities’ within 10 minutes, then the identities are linked?
What I’m asking is: does restarting Tor Browser in Whonix do exactly the same thing as opening a new tab in a current session, i.e. nothing? If the answer is yes, then theoretically my profiles should be linked, right?

Here’s what I think you’re asking:

Within a 10 minute timeframe,

  1. You connected to gmail.com as Joe.
  2. You restarted Tor Browser.
  3. You connected to gmail.com as Mary.

In this case, both Joe and Mary would have connected to gmail.com over the same Tor circuit.

Restarting Tor Browser deleted all application-level data so, for example, Joe and Mary would have had different cookies.

You can watch this process yourself by installing onioncircuits. It’s a great tool to learn about stream isolation.


This is a very concerning issue. I can imagine someone creating a bitcoin wallet at blockchain.info. Then, transferring bitcoins from wallet1 to wallet2 via some anonymizing service. Then, closing Tor Browser and logging into wallet2. While the bitcoin trail might have been obfuscated, both wallets would have been accessed from the same source.

[This example is complicated because blockchain.info doesn’t allow clearnet connections from Tor exit nodes. But I confirmed that the connection to the hidden service occurs over the same Tor circuit as well. However, I don’t know enough about hidden services to know what identifying metadata can be collected regarding the source of the connection, meaning IP addresses aren’t used, but can the relay be identified as being the same by its fingerprint?]


Just to add, Whonix has always advised against using the same Tor Browser for multiple identities:

Whonix ™ and Tor Limitations
Advanced Security Guide - Whonix
Multiple Whonix-Workstation ™

But the more failsafes, the better.


Yes, this is what I was asking. I assume it applies if Joe logs into a different website than Mary within those 10 minutes? Would this be enough to conclude that Joe and Mary are the same person?
Can this analysis be done only in real time, or can it be backtracked?
Say, if an adversary decided to look into Mary’s activity now?
Thanks.

As a stopgap Whonix’s tb-starter /usr/bin/torbrowser could request newnym before starting Tor Browser and/or after Tor Browser has terminated. Does automation of that sound sane or can you imagine any ill effects?


⚓ T567 research: Single Tor-Gateway with Multiple Workstations vs Multiple Tor-Gateways mapped 1:1 to Workstation VMs is somewhat similar / related.


No, it doesn’t. That’s why I specifically mentioned gmail.com. You asked the following earlier:

If “second reason” is referring to:

why would that not be correct? The only way that Tor Browser would not isolate different websites is if you used some type of proxy after Tor, in which case, all of your browsing would occur over a single circuit until a relay died.

The fact that 2 connections originate from the same Tor exit node within a short timeframe would constitute some circumstantial evidence. People are free to draw whatever conclusions they want.

Depends on logging.


Can’t imagine any situation in which a user would want to reuse circuits from a prior Tor Browser session; reauthentication with websites would be required anyway because cookies are destroyed.

Probably safer to issue newnym on termination, just because I don’t understand how SOCKSAuth is constructed and whether or not it’s possible for another application to issue the same SOCKSAuth.


Thanks for the replies and patience, entr0py. I think I’m getting there.
As you say, you think the first-party domain isolation is incorrect because it does show the same IP for every checked tab within one session. I have no idea what the SOCKSAuth does, but if the tabs use the same IP, how does that help keep profiles apart?

And why is it different if it’s not logging into the same website?
If Joe logs into, say, an onion website, then restarts Tor Browser and logs into a clearnet website as Mary, then both should be connected the same way as if they had logged into one website?

Can you please elaborate on what you mean by “Depends on logging”? The logs that the websites keep, or something else?

I do appreciate this.

No problem. We have found the source of the confusion!

I never said or implied this. What I said was that every checked tab showed the same IP for the same website. This proved that Tor Browser doesn’t automatically create a new circuit for every tab.

In fact, Tor Browser creates a new circuit for every new first-party base domain URL. That means mail.google.com and accounts.google.com will stream over the same circuit, but mail.facebook.com will generate a new circuit. All the additional URLs that are generated from the initial request will also stream over the respective initial (first-party) circuit. This is Tor Browser’s default behavior; like unused circuits dying at 10 minutes, it has nothing to do with restarting the browser or clicking “New Identity”. (Also, don’t worry about SOCKSAuth. That’s just the mechanism that Tor Browser uses to differentiate websites.)

Whatever logs websites keep, whatever logs ISPs keep, whatever logs the NSA keeps… Basically, I don’t know.


@winibub To be absolutely certain that activities from your last session are not detectable in your new one, you should create a snapshot of a freshly installed GW after Tor is initially started up and roll back to it along with your WS clean state.

Want to run multiple WSs at the same time? You must have a separate GW assigned for every WS. Be sure to apply the advice above here too.

https://lists.torproject.org/pipermail/tor-dev/2016-November/011636.html

After restarting Tor Browser, connections should be stream isolated, even to the same domain. This is because Tor Browser sets a SOCKS username that contains a random string per first-level domain that is different after a browser restart.


We are discussing multiple vs single gateway here at the moment btw:
⚓ T567 research: Single Tor-Gateway with Multiple Workstations vs Multiple Tor-Gateways mapped 1:1 to Workstation VMs

Sure.

My caution is related to worsening the fingerprint of any other application that may be running in parallel while sending newnym.

Learning the socks username can be done by running torbutton in debug mode. Just now documented here:
Tor Browser Essentials

The SOCKS username consists of the first-level domain name as well as a random string. Example:

torproject.org:<random string>
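The following model, added here as an illustration and not code from Tor, Tor Browser or Whonix, shows how the two isolation mechanisms discussed in this thread interact: the per-first-party SOCKS username with a random string that changes on browser restart, and a Tor daemon that keeps running across restarts (as on Whonix-Gateway) and only hands out a new circuit when the username changes, the old circuit is older than ten minutes, or NEWNYM is signalled. The domain reduction and the 600-second dirtiness value are simplifications assumed for the example.

```python
import itertools
import secrets
from urllib.parse import urlsplit

MAX_CIRCUIT_DIRTINESS = 600  # seconds; the "ten minutes" mentioned in the thread


def first_party_domain(url):
    """Reduce a URL to its base domain (mail.google.com -> google.com).
    Simplified two-label rule; real code uses the public suffix list."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class BrowserSession:
    """One Tor Browser run: a fresh random string per session, so the same
    site gets a different SOCKS username after a restart."""

    def __init__(self, nonce=None):
        self.nonce = nonce or secrets.token_hex(8)

    def socks_username(self, url):
        return f"{first_party_domain(url)}:{self.nonce}"


class TorClient:
    """Minimal model of Tor attaching streams to circuits keyed on the SOCKS
    username. It outlives browser sessions, like the Whonix-Gateway daemon."""

    def __init__(self):
        self._ids = itertools.count(1)
        self._circuits = {}  # socks username -> (circuit id, first-use time)

    def attach_stream(self, socks_username, now):
        entry = self._circuits.get(socks_username)
        if entry is None or now - entry[1] >= MAX_CIRCUIT_DIRTINESS:
            entry = (next(self._ids), now)  # build a new circuit for this key
            self._circuits[socks_username] = entry
        return entry[0]

    def newnym(self):
        """SIGNAL NEWNYM: all existing circuits become dirty, so every later
        stream gets a fresh circuit even with an unchanged username."""
        self._circuits.clear()


def demo():
    """Joe and Mary scenario: same site, browser restart within ten minutes."""
    tor, joe = TorClient(), BrowserSession()
    a = tor.attach_stream(joe.socks_username("https://mail.google.com/"), 0)
    b = tor.attach_stream(joe.socks_username("https://accounts.google.com/"), 5)
    c = tor.attach_stream(joe.socks_username("https://mail.facebook.com/"), 5)
    mary = BrowserSession()  # restart: new random string, same Tor daemon
    d = tor.attach_stream(mary.socks_username("https://mail.google.com/"), 60)
    return a, b, c, d
```

In the demo, the two google.com tabs share circuit `a == b`, facebook.com gets its own, and Mary's login after the restart lands on a new circuit because her username carries a different random string, even though the daemon and its ten-minute timer were never reset.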