Whonix-Gateway (sys-whonix) runs Tor (onion routing).
Therefore, from my understanding, the Tor buttons in Tor Browser (running Tor Browser in a Whonix-Workstation) have no effect on creating a new circuit (buttons: “New Identity”, “New Tor circuit for this site”), and neither does restarting Tor Browser. To create a new circuit, which means a new identity, someone has to click on “New Identity” on the Tor Control Panel in Whonix-Gateway (sys-whonix).
Is that explanation correct?
Based on the documentation, multiple Whonix-Workstations are automatically stream isolated.
If I create a second Whonix-Workstation (e.g. anon-whonix-2) based on the Whonix-Workstation template with networking through Whonix-Gateway sys-whonix, then from my understanding anon-whonix and anon-whonix-2 share the same Tor circuit through sys-whonix, so that there is no stream isolation.
I read the documentation and tried to understand the mechanisms, but it is still not fully clear to me.
When I use the New Identity button in the Tor browser, does Whonix-Gateway sys-whonix create a new Tor circuit for my Whonix-Workstation where my Tor browser is currently running on?
When I use multiple Whonix-Workstations do I have a separate Tor circuit for each Whonix-Workstation created by Whonix-Gateway sys-whonix automatically which ensures stream isolation?
When I use the New Identity button in the Tor browser, does Whonix-Gateway sys-whonix create a new Tor circuit for my Whonix-Workstation where my Tor browser is currently running on?
What technically happens is that:
Tor Browser sends Tor control protocol command “signal newnym” to Tor
(not specific to any particular Tor Browser) (a “global command”) to
Tor, and
what is documented in the wiki (specific to that Tor Browser).
When I use multiple Whonix-Workstations do I have a separate Tor circuit for each Whonix-Workstation created by Whonix-Gateway sys-whonix automatically which ensures stream isolation?
Under the assumption that different internal IP addresses are used per
workstation (solid in Qubes) and that Tor’s default enabled IsolateClientAddr is functional, they’re stream isolated.
Stream isolation is a spectrum rather than on/off. Tor Browser is even
better (more fine grained) stream isolated thanks to Tor Browser’s
default usage of IsolateSOCKSAuth feature (per-tab isolation).
If any terminology is unknown, please look it up in the Whonix wiki / on
the Tor Project website.
Different tabs and websites in Tor Browser are isolated by since Tor Browser. [12] Stream Isolation
Is this statement still valid?
I opened a Whonix-Workstation (DisposableVM) and several tabs (up to 10) with the destination address https://check.torproject.org. It always showed me the same IP address.
Only when starting another Whonix-Workstation (DisposableVM or AppVM) I got another IP address while the same IP address remained on the first started Whonix-Workstation Tor browser.
Based on my understanding this means that there is no stream isolation when using different tabs in Tor Browser on the same Whonix-Workstation and these tabs share the same Tor circuit which means that identity correlation is possible.
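A simplified model of the two isolation flags named in the reply above (IsolateClientAddr and IsolateSOCKSAuth), added here as an example; it is not part of any post in this thread and is not Tor or Whonix code. The internal IP addresses, the credential values, and the premise that the browser sends one SOCKS credential per site are assumptions made for the illustration.

```python
# Added illustration, not Tor source code: a simplified model of how the two
# isolation flags named in the thread decide which streams may share a circuit.
from collections import defaultdict
from typing import NamedTuple


class Stream(NamedTuple):
    label: str        # human-readable name of the stream
    client_addr: str  # internal IP of the workstation (constructed value)
    socks_user: str   # SOCKS5 username sent by the application (assumed per site)
    socks_pass: str   # SOCKS5 password sent by the application (hypothetical)


def isolation_key(s, isolate_client_addr=True, isolate_socks_auth=True):
    """Build the attributes that must match before two streams may share a circuit."""
    key = []
    if isolate_client_addr:   # models IsolateClientAddr
        key.append(("addr", s.client_addr))
    if isolate_socks_auth:    # models IsolateSOCKSAuth
        key.append(("auth", s.socks_user, s.socks_pass))
    return tuple(key)


def group_streams(streams, **flags):
    """Group stream labels; streams in different groups never share a circuit,
    streams in the same group are merely allowed to."""
    groups = defaultdict(list)
    for s in streams:
        groups[isolation_key(s, **flags)].append(s.label)
    return list(groups.values())


# Constructed sample: two workstations behind one gateway, several tabs.
SAMPLE = [
    Stream("ws1 tab1 check.torproject.org", "10.137.0.10", "torproject.org", "nonce0"),
    Stream("ws1 tab2 check.torproject.org", "10.137.0.10", "torproject.org", "nonce0"),
    Stream("ws1 tab3 example.org", "10.137.0.10", "example.org", "nonce0"),
    Stream("ws2 tab1 check.torproject.org", "10.137.0.11", "torproject.org", "nonce0"),
]

if __name__ == "__main__":
    for group in group_streams(SAMPLE):
        print(group)
```

Under these assumptions, separation depends on the client address and the credentials a stream carries, so tabs that present identical values fall into the same group while a second workstation or a different site does not.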