As far as I can remember from reading most of the wiki during the last weeks, new versions and security announcements are made public in the Whonix forum first.
Is this correct?
If it is, from a security point of view, this is not good; it can lead to deanonymization of the Tor user.
Why is that so?
Well, you don’t want to surf via Tor with an insecure or old version of Whonix and Tor software. Thus a user will very likely visit the forum to read the news before using Tor.
But when he does it this way all the time, this can be used for a correlation time attack.
Here’s an example:
When user X shows up using Tor in an IRC chat or forum, another user, who could be the same user as X, might have always checked the Whonix news forum 2-3 minutes earlier via clearnet Internet before posting something via Tor.
If you collect enough data, you might narrow it down to user X someday.
Solution:
Instead of publishing the news on the Whonix Forum, they should get published via a security-announce mailing list.
The reason is simple: e-mails from a mailing list get sent to the user's e-mail account and then wait for the user to fetch them.
Even if a user always checks his e-mail account with an e-mail client minutes before using Tor, it's not clear what kind of e-mail he is accessing when the mail transport is encrypted. It's not even clear how long he needs to check his other e-mails.
And it’s not clear that he will use Tor afterwards.
If these other mails consume time, he might also enter the Tor network some time later, but it's not clear when.
Thus a timing correlation like “user checks email 0-3 min before using Tor” is much more difficult than “user checks Whonix forum 0-3 min before using Tor”, because his e-mails do not need to relate to Tor at all.
With the Whonix forum, this is different. A user that visits the Whonix forum is very likely also a user of Tor. (Keep in mind, what I want to express with this sentence is not that he is using Tor at the moment when he is using the Whonix forum, but that he is a user who ever uses Tor.)