What exactly does traffic generated by Whonix tell an ISP?

Hello, everyone! Here’s the question migrated from the Qubes forum. The exact question is located here: Question to develepors: what hardware information reveals Qubes system clearnet traffic to an ISP? - #7 by Qubie - General Discussion - Qubes OS Forum. In short: if it’s KVM + Whonix on some Linux (let it be Debian), does Whonix traffic look to the ISP like definitely Whonix traffic, or does it look like traffic from a Debian distro that has Tor Browser installed, or does it look like traffic from some anonymous OS like Tails, Whonix and so on? In the original Qubes forum thread, local articles from here were already mentioned and have already been read, but it is still unclear what specific information the Whonix fingerprint provides to the ISP through its traffic.
This question is addressed more to the Whonix devs, ’cause they surely should know the answer.
Why this issue should be considered worthy of sufficient attention is fully described here :slightly_smiling_face: : Question to develepors: what hardware information reveals Qubes system clearnet traffic to an ISP? - #11 by Qubie - General Discussion - Qubes OS Forum

1 Like

There is already a link to Network, Browser and Website Fingerprint

Chapter ISP or Local Network Administrators elaborates on that.

Whonix has implemented various security hardening measures like disabling TCP timestamps, ICMP redirections, firewalling invalid packets, and more. Unfortunately these measures can increase the risk of ISP or Local Network fingerprinting. Despite this, security hardening has been prioritized.

etc. see wiki.

So in other words, the ISP can say for sure from the traffic that it is Whonix? The question is this: is it an absolutely unique fingerprint for Whonix, or can it also resemble some other torified OS like Tails? This question originally came up because of these words from the same page:

In contrast, usually TBB [1] users have additional network activity outside of Tor, either from another web browser or other applications. This means the proportion or volume of Tor activity might be feasible identifiers to predict whether a user is running Whonix or the TBB [1]. It is probably harder for the ISP to determine whether a single user is solely generating Tor traffic (and potentially using Whonix) if:

  • The Internet connection is shared with other users that do not run Whonix.
  • A browser is also used on the host. [7]

It’s like you say that Whonix has a unique recognizable fingerprint, but then you say that if the user generates some clearnet traffic on the host, then Whonix may look not like Whonix but like a regular Tor Browser on the host. What’s the point of doing this if Whonix has a unique fingerprint and will be recognized anyway?

I can tell you what doesn’t exist according to publicly available information:

    1. a research team that keeps analyzing Debian, TBB, Tails, Whonix, etc. network fingerprints - on different hardware - and publishing results
    2. based on the above research, a development team trying to emulate popular network fingerprints

There are only 2 options:

  • A) security is hardened and fingerprint might be unique; or
  • B) security is not hardened and fingerprint might still be unique.

Why might it still be unique? Are we talking about passive or active attacks?

But in any case, (Linux) kernel networking is really complex. A different kernel version on different hardware (different network card) can have different characteristics.

Quote: Device fingerprint - Wikipedia

In 2005, researchers at the University of California, San Diego showed how TCP timestamps could be used to estimate the clock skew of a device, and consequently to remotely obtain a hardware fingerprint of the device.[13]

[13] Remote device fingerprinting

Hardened or not, nobody will magically get rid of device fingerprinting. In this particular case, Kicksecure + Whonix might even be better off, because TCP timestamps are disabled.

It might even be available as a commercial service: https://www.fingerbank.org/

Quote https://www.akamai.com/blog/news/akamai-fingerbank-how-an-open-source-community-can-transform-security

With millions of DHCP, TCP, DNS and other traffic fingerprints, FingerBank is capable of uniquely identifying nearly 35,000 classes of devices, as well as providing detailed anomaly detection based on observed device behavior, such as Internet of Things (IoT) device visits on the network.

Solution:

  • C) security hardened + emulating “popular” network fingerprints: does not exist.

It depends on how motivated whoever is looking is, because Tails has a different network fingerprint, see:

2 Likes
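Added example, not from the Whonix wiki or from anyone in this thread: the clock-skew fingerprinting that the quoted Wikipedia passage refers to, run on constructed TCP timestamp samples, to make concrete what signal a host removes by disabling TCP timestamps. The function names, the 1000 Hz tick rate and the sample values are assumptions.

```python
"""Clock-skew estimate from TCP timestamp (TSval) values, on constructed data.

Constructed illustration of the 2005 UCSD technique cited above. A sender
whose timestamp option is disabled (net.ipv4.tcp_timestamps = 0) emits no
TSval at all, so there is no series to fit and the estimator returns None."""
from typing import List, Optional, Sequence, Tuple

def estimate_skew_ppm(samples: Sequence[Tuple[float, int]], hz: int) -> Optional[float]:
    """samples: (observer receive time in seconds, TSval from that segment).
    hz: the sender's timestamp clock rate (assumed 1000 here; stacks differ).
    Returns the sender's clock skew in parts per million relative to the
    observer's clock, by ordinary least squares on the offset series, or
    None when there are too few timestamped segments to fit a line."""
    if len(samples) < 2:
        return None
    t0, v0 = samples[0]
    # Offset of the sender's clock (in seconds) from the observer's clock,
    # both relative to the first segment. With a skewed sender clock this
    # series grows linearly in observer time; its slope is the skew.
    xs = [t - t0 for t, _ in samples]
    ys = [(v - v0) / hz - x for (_, v), x in zip(samples, xs)]
    n = len(xs)
    mx = sum(xs) / n
    my = sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        return None  # all samples at one instant: no line to fit
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return slope * 1e6

def make_samples(skew_ppm: float, hz: int, seconds: int, tsval0: int = 7_000_000) -> List[Tuple[float, int]]:
    """Constructed capture: one timestamped segment per second from a sender
    whose timestamp clock runs `skew_ppm` fast, with no network jitter.
    Real captures carry delay noise, which is why the method needs many samples."""
    out = []
    for s in range(seconds):
        tsval = tsval0 + int(round(s * hz * (1 + skew_ppm / 1e6)))
        out.append((float(s), tsval))
    return out

if __name__ == "__main__":
    # A sender running 50 ppm fast is recovered from an hour of segments;
    # a sender with timestamps disabled yields an empty series and None.
    print(estimate_skew_ppm(make_samples(50.0, 1000, 3600), 1000))
    print(estimate_skew_ppm([], 1000))
```

Across connections and days the recovered skew stays the same for one machine, which is what makes it a hardware identifier; an empty series is what the hardened sysctl buys.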

We’re talking about a passive attack.
Thank you from a pure heart for your detailed answer! Now I know at least something. It seems the Fingerprint part of the article that you sent me should have been updated a long time ago. ’Cause there is still TorVM there, for example, and since there is now Whonix instead, there probably should be a green “Yes” in the “Network fingerprint: ISP cannot trivially guess the project type” column. And some other updates for the same reason.


Network / web fingerprint | Whonix fingerprint page

If you want deep technical details, you need to click links and carefully read everything. For even deeper details, you need to follow more links and footnotes.

Network fingerprint: ISP cannot trivially guess the project type

trivially - none of this is trivial. There are no publicly available reports that advanced fingerprinting to figure out whether TBB, Tails, or Whonix is used is done by any ISP.

Turning research papers into implementations or integrating with existing services - if any - and building big databases could easily cost hundreds of thousands of dollars. And the gain from such an implementation is rather low. There are better ways to spend money.

And all of these considerations are rather obscure. An ISP can already rather trivially know that a user is a Debian or Qubes user. This is due to connections to update servers (and other unknown unknowns), in combination with Fedora phoning home. (See ticket sys-net phones home to fedoraproject.org for captive portal detection · Issue #1814 · QubesOS/qubes-issues · GitHub - says closed, but wasn’t actually fixed.)

The realization “ah, it’s a Qubes user”, but then “ah, I am wondering, is that user using TBB in a Debian VM or Qubes-Whonix”? I am wondering if anyone is willing to spend serious money on this.

How would a user initially download TBB without revealing the fact that they’re downloading TBB?

Users are already ridiculously falsely flagged as “extremist” for much less of an “offense”:
NSA: Linux Journal is an “extremist forum” and its readers get flagged for extra surveillance

Use Tor or 'extremist' Tails Linux? Congrats, you're on an NSA list • The Register

Imagine their shock for using Qubes. How much worse does it get for finding out “ah, Qubes TorVM”, “oh, TBB”, “ah Qubes-Whonix”?

If using Qubes and Tor, chances are it’s best to “assume the worst”.

I guess another point could be added to the table:

Network fingerprint: Reasonable certainty, that ISP cannot guess the project type using advanced traffic fingerprinting

And then link to this forum thread. All projects will get “no”. As per:

Will do now.

1 Like

Download through a VPN. Also it’s possible to make APT traffic use HTTPS so that the ISP will see only encrypted traffic instead of clear traffic, where it is clear that the user downloaded the Tor Bundle or anything else.

You probably should read the comments of that ticket. It seems the issue has already fixed itself and the ticket is no longer necessary. They say the new Fedora version no longer has the package that caused that issue. And I, for example, never used Fedora-based qubes and disabled networking for all non-Whonix qubes. I allowed update checks only for Whonix qubes and set sys-whonix everywhere as the update proxy. I disabled time sync (it used Fedora servers too, by the way) and set UTC in the BIOS. Could I solve that issue this way?

No, it cannot be fixed.

While Whonix is a project that reliably routes all traffic over Tor, there’s no equivalent project addressing advanced operating system fingerprinting by an ISP.

For how to fingerprint, see this for inspiration:

https://arxiv.org/pdf/1603.04865

But VPN? It’s addressed in the paper.

1 Like

Did I understand correctly that Qubes sys-net phones home to Fedora servers only while Wi-Fi is used and never when a USB modem is used? And, more importantly, what exactly does this fact tell the ISP? That the user is definitely using Qubes? Or “maybe Qubes, maybe Debian”? Because you said this in this context:

You might also be interested in my reply in this forum thread:

No. You didn’t. It was already mentioned that this is outdated.

And I also should read that ticket? It was even me who pointed that out.

Well, keep reading. It’s explained right in the next sentence.

1 Like

I said it was outdated because the last comments there say that the package that was causing that issue was removed from the latest Fedora versions. Then you said it still can’t be fixed.

Ha-ha, I wrote a large canvas of text explaining my confusion, until I remembered that Qubes dom0 is Fedora-based and realized why you tie all this to the update process. :smile: So I probably should conclude that even after disabling all update checks through non-Whonix qubes, disabling all their networking, setting all updates to Whonix qubes and disabling time sync, it will still leak traffic through some default, non-disconnecting connections to Fedora servers? Sad. :frowning_face:

You need to check the goals of the project.

Avoidance of clearnet (non-Tor) traffic isn’t a stated (top) goal of the project.

As a user, if the goal or implementation is absent, you know what to expect and need to act accordingly.

1 Like

But still, why does it look to the ISP like using Qubes or Debian if it phones to Fedora servers (especially for update purposes)? Why can’t it look like a Fedora OS, since dom0 is Fedora-based and got this phone-home “artifact” because of some old package that was left there for some reason? I doubt that Fedora servers contain some Qubes packages that it checks and downloads from these Fedora servers.

sys-net phones home to fedoraproject.org for captive portal detection · Issue #1814 · QubesOS/qubes-issues · GitHub is probably fixed. Forget about that small aspect.

Maybe it can or could in theory, but it doesn’t.

1 Like