OK.
First I want to say that I think Whonix, at this point of time, is at a very good place. Whonix 15 is mostly ready ahead of time. Hardened Debian project is underway. That’s great.
But it faces the risk of having its current resources drained by a wrong focus that was not properly thought out and that will be unsustainable for a small project. Moreover, choices made due to this focus may compromise security / anonymity levels.
Specifically, the apparent desire to attract more lay users.
Yes, Whonix wants to protect as many people as possible, that’s commendable.
But do the people here really understand what it means to cater for a much larger circle of those significantly less technically skilled than the current average Whonix user?
Do you think Windows users that cannot even figure out how to handle VirtualBox VMs (if they did, there would be no need for an installer) will accept your “Unsupported” or “Free Support Principle” pages?
Do you seek to attract them, then explain to them that you are a small project that can’t really provide the support, or that they should not expect the same user experience they are used to getting with other OSs?
How does this wish to expand user base go together with the dislike of “many support tickets”, or with the thoughts of Patrick from last year to tone down Whonix into a research project?
Do you want those users or you don’t? Decide.
Do you think users who use the Windows installer won’t need to, at some point, change VM settings in VirtualBox, for example to increase memory? They will, and this attempt to dumb things down to a single exe will work (if it does at all) for a very limited amount of time. Then you will again get the support tickets you dislike so much. I say this installer is not doing any good at all. If one wants to use Whonix one must have basic capabilities to handle the virtualizer. There’s no way around it.
If you shift the focus to more lay users you should provide the level of support adequate to those lay users. Or waste many people’s time.
Whonix will have many more trivial support tickets, about Tor, about Linux, about VirtualBox, about anything, no matter how many more pages or guides you add to the wiki.
But why should I care at all?
If the Whonix project insists on exhausting itself, misguidedly in my view, why should I speak up?
Because I think this will inevitably lead to relaxing standards and hurting the whole user base. And that is already the case to some extent.
When you try to minimize support tickets by providing more usability at the expense of security, that increases the risks to everyone.
Advanced users making adjustments by themselves? Sure, it’s possible. But those adjustments aren’t done once. The main benefit of a VM is that you use it for what you need. This hardening will need to be manually done again and again and again. Forget once, continue to use Whonix as you’re used to, and you may be vulnerable. Essentially you ship a less secure product that needs to be continuously hardened.
And we cannot ignore the reality here in which developers are not isolated from trivial support and forum activity. I don’t see how more focus on lay users will not hurt the chances to further increase Whonix security even on the issues unrelated to usability.
Examples: kernel hardening, a blacklisting / whitelisting application firewall on the gateway, restricting the workstation from finding information about the host, providing a forum that does not require JS, and more. There is no shortage of improvements to be made.
What about shipping a hardened version? No resources. But they exist for a Windows installer or for fancy icon support?
Regarding the comparison to Tor project approach:
The two projects are different in the level of security they aim to provide or in what they ask users to do.
The Tor project is OK with the client seeing the full onion circuit. Whonix isn’t.
The Tor project is OK with allowing insecure features of the Tor Control Protocol to other programs. Whonix isn’t.
The Tor project doesn’t try to convert users from Windows to Linux. Whonix apparently does (one of the main reasons why Windows is supported at all: because they “may become” Linux users).
Consequently, stricter settings should exist in Whonix. People don’t come to Whonix to get the same standards!
I find it very strange that a Whonix user will go all the way to use a virtualizer and VMs and then leave the door wide open to JS fingerprinting and exploits by any site whatsoever.
It makes no sense at all.
The common answer here to this issue is “we don’t want more support tickets”.
Well. I WANT to see this kind of support ticket. And the answer to this kind of ticket will be: “It makes things more secure. Don’t like it? Here’s how you easily turn it off”. That’s a GOOD answer.
In fact I have seen many support tickets asking why the settings are not stricter, or generally posts concerned about JS being required. Then the answer is, “Yes, it’s more secure to not use JS (and documented widely in the wiki), but we don’t want confused users posting support tickets asking about it”. That is a BAD answer. Do NOT do the opposite of what you recommend.
Even if your dislike of support tickets is somehow a good reason, shipping Whonix with less secure defaults does by itself generate those dreaded tickets anyway.
To summarize:
- More focus on lay users requires a much higher level of support, which Whonix can’t provide.
- It may lead to resources being drained in an impossible task, instead of further development and increasing levels of security and anonymity.
- It will, and already does, lead to lower security standards being shipped.