As far as i can remember from reading most of the wiki during the last weeks, new versions and security announcements are made public in the whonix forum first.
Is this correct?
If it is, from a security point of view, this is not good, it can lead to deanonymization of the Tor user.
Why is that so?
Well, you don’t want to surf via Tor with an insecure or old version of Whonix and Tor software. Thus a user will very likely visit the forum to read the news before using Tor.
But when he does it this way all the time, this can be used for a correlation time attack .
Here’s an example:
When user X shows up by using TOR in an irc chat or forum, another user which could be the same user as X, might have always checked the whonix news forum 2-3 minutes earlier via clearnet Internet before posting something via Tor.
If you collect enough data, you might narrow it down to user X someday.
Solution:
Instead of publishing the news on the Whonix Forum, they should get published via a security-announce mailing list.
The reason is simple, E-Mails from a mailing list get sent to the users E-Mail account and then are waiting for the user to fetch them.
Even if a user always checks his e-mail account with an e-mail client minutes before using Tor, it’s not clear, what kind of e-mail he is accessing, when the mail transport is encrypted. It’s even not clear how long he does need to check his other emails.
And it’s not clear that he will use Tor afterwards.
If these other mails will consume time, he might also enter the Tor network on some time later, but it’s not clear when.
Thus a timing correlation like “user checks email 0-3 min before using Tor” is much more difficult than “user checks Whonix forum 0-3 min before using Tor”, because his e-mails do not need to relate to Tor at all.
With the Whonix forum, this is different. A user that visits the Whonix forum is very likely also a user of Tor. (Keep in mind, what i want to express with this sentence is not, that he is using Tor at the moment when he is using the Whonix forum, but that he is a user who ever uses Tor)
In my opinion, a potentially insecure / old Whonix version is still a better than clearnet.
I disagree. This very habit by itself can lead to de-anonymization through correlation attacks even if Whonix itself / Tor are not compromised. When you visit the same site both with and without Tor, you are asking for trouble.
Right. So why should you ever visit it with clearnet?
If you’re talking adversaries powerful enough to do correlation attacks, then they’re powerful enough to yield influence over email providers. The transport maybe encrypted, but the stored content normally won’t be. Even if the content itself is somehow encrypted (whonix using public keys of every user…?), the very fact it arrives from Whonix will be telling.
More, such system might encourage users to receive those emails on their phones (very easy to be alerted that way), which is even worse security-wise.
Some Tor users were de-anonymized because they used an old Tor browser with a security hole that allowed to compromise their Tor system.
It’s a little harder with Whonix, but an attacker could still try to escape out of the VM.
That was the point of my thread.
It wouldn’t happen with mailinglists.
I agree, that this is a habit, a Whonix user, who have read the documentation doesn’t do.
If you have visited whonix forum in clearnet and created an account, you will continue to do so in future. It’s not a good idea to switch over to Tor and visit the whonix forum from there unless you want create a new account while using tor or have to do so because of laws in your country.
Because you have created an account in the past and want to continue using it.
We all know, using a well known account in clearnet and tor isn’t a good idea.
It only tells them, that the user knows Whonix and Tor and might have used Tor in the past or is still using it.
If you download the mail, they still don’t know when you are using Tor.
Signing the announcements with Whonix’s public key is enough. The security information is not a secret by itself.
No it does tell them only that they use Tor or have used Tor.
But they don’t know when they are using Tor.
Also keep in mind.
You can still create an email account while using Tor.
Then you can still get all the mails via Tor.
mailinglists also get archived and made public via http.
Thus you could still visit an url to the mailinglist and check it on a daily basis. From there, there is no difference to the forum.
And one more thing.
The developers of the Tor Project do use an announce-mailinglist themselves.
Unless you have a very serious reputation here you need to maintain (on expense of anonymity), using an account created with Tor, and with an anonymous email service (email account created with Tor as well), should not be an issue.
Actually, you don’t need a Whonix Forum account at all if you just want to read the news. It’s open to everyone without logging in.
If you are concerned the content of your VM is in danger, you can use another VM for that.
Or, if you are concerned Whonix itself is compromised, you can use Tor on the host. Or even with Tails.
I am not against the idea of mailing lists. Far from it. But I won’t make it into a vital means to report security issues or something users should rely on.
For one, I am not interested to give my email to Whonix or to anyone for that matter, unless I absolutely have to. Any list can be compromised at some point in the future, or you may have phishing attempts of sites pretending to be Whonix, one click or remote loading of content will be enough to deanonymize you, not to mention the danger of being served malicious “updates”. I signed up to this forum using an a temporary email address. I am thankful for Whonix that this is possible.
fair point but doesn’t help with the initial problem and why the thread was stared.
This would increase the required disk space.
That might be possible. But Tor users are typically under attack.
As far as i know, in the US they have a law that allows NSA to compromise the system of every Tor user. The users only need to use Tor, that is enough to give them the right from their view of legislation to attack.
And i don’t want give them a reason to have my host system compromised by them.
Okay, the security information could be offered in both ways, via the forum and the mailinglist.
As long as both are supported equally it shouldn’t be a problem.
Mailing lists are usually publicly available.
When the mails are signed with a public key the rest can be filtered easily.
I started doing the same, but prefer to use none temporary e-mail addresses for forums. Thus i changed it.
For user convenience, there are multiple avenues for receiving news. Choose the most suitable option below.
Whonix Important News Forum Tag (v3 onion) - Only critical information is reported. This includes security vulnerabilities and new stable Whonix versions. It is best suited for people with very limited time and interest in Whonix development and news.
