Whonix experimental for how long

What is so unreliable or unfinished in Whonix that warnings about it being experimental software are warranted? Are the shortcomings mostly in usability and user friendliness or in features to do with security, privacy, anonymity?

Isn’t it more secure to use Whonix than just Tor Browser? Yet Whonix scares the user with way more warnings. Saying that it may have grave bugs and vulnerabilities isn’t an argument, because that is true of all software. When will it grow out of its experimental phase and be considered mature? It says here

While many issues listed below are planned for future implementation, a number will probably never get “fixed” because they are impossible to address in a software-only project.

Does this mean Whonix will forever be condemned to being alpha software? Most of the vulnerabilities on the linked list are common to all computer systems and some transcend them entirely. Whonix can’t solve all computer security problems, no one system can. It shouldn’t stay experimental until it gains self-consciousness.

IMO, that’s kind of the point. A spreadsheet project has an objective and set of features that when functional can be deemed stable. These features tend to remain fairly constant. Security software, on the other hand, has goalposts that are constantly changing as the threats evolve. If all you want is a Tor daemon running in a separate VM, that’s easy. But Whonix aims to do much more than that: integration with the OS, integration with other security software, fingerprinting defenses, etc. That’s a lot of moving parts.

“No amount of experimentation can ever prove me right;
a single experiment can prove me wrong.” - Einstein

We don’t know of any cases where a Whonix vulnerability led to de-anonymization. Doesn’t mean it can’t happen tomorrow. Qubes calls itself “A reasonably secure operating system” (even though it’s arguably the most secure desktop OS). It’s an important attitude to avoid succumbing to a false sense of security.

I agree though, that being experimental can be off-putting to new users. Worth further discussion…

3 Likes

Whonix has been around for more than half a decade and has a solid following. At this point the warning is merely a disclaimer for legal purposes rather than fact. Whonix by design cannot add more vulnerabilities than its underlying components anyhow. It’s also important to understand no type of software or hardware is enough in some threat models.

1 Like

entr0py:

I agree though, that being experimental can be off-putting to new users. Worth further discussion…

You can’t make everyone happy. Some more points to add:

Case remove experimental warnings advantages:

  • Less users being put off and not using hide my ass with their existing
    Windows browser instead.

Case remove experimental warnings disadvantages:

fish:

What is so unreliable or unfinished in Whonix that warnings about it being experimental software are warranted?

Many smaller and bigger issues. Selection:

In Qubes R4 things are getting quite complex. Far too few eyes on it.
Excerpt of complexity:
Dev/Qubes - Whonix

There are too many issues to tackle for such a small project like
Whonix. On the Libre Software ecosystem generally:

Wiki search fallback suggestion - #6 by Patrick

It’s far from any solid project. What could be a comparable solid
project? In end-user computer software, difficult. Selling a commercial
grade washing machine perhaps. Then the vendor can provide data: how
many times it can be run in what period approximately, which things
break how often, which things need maintenance in which order, complete
manual. Making anonymity software anywhere near solid and well defined
doesn’t seem on the horizon.

Are the shortcomings mostly in usability and user friendliness or in features to do with security, privacy, anonymity?

No.

When will it grow out of its experimental phase and be considered mature?

Doesn’t look like it ever will at this point.

While many issues listed below are planned for future implementation, a number will probably never get “fixed” because they are impossible to address in a software-only project.

Does this mean Whonix will forever be condemned to being alpha software?

Yes.

What do you think about relabeling Whonix as a research project?

That’s what it is. Underfunded, understaffed, incomplete research and
development.

Pros - maybe?:

  • sets expectations right [1]
  • communicates that a lot more work is required (many people seem to
    assume, “Whonix implementation is complete”)
  • communicates that a lot more help is required
  • changes the tone from exceptions and demands to, well, let’s hope
    research and development
  • more research and development activity?

[1] (users not expecting a very solid project like
Wiki search fallback suggestion - #6 by Patrick /
https://forums.whonix.org/t/get-rid-of-klipper)

2 Likes

I first heard about Whonix a few months ago, and started to test it / learn it a few weeks ago.

So, this is just my uninformed opinion, but if it is indeed -

Then I think Whonix tries to do too much, in the way of providing too many options.

Please consider focusing on a single hypervisor.

I cannot speak for anyone else, but I for one will go with whatever Qubes / KVM / VirtualBox if Whonix developers say “this is the best as far as we are concerned and we only have resources to support one of them”.

Same, if support is given only to one kind of host.

  • VirtualBox: provides popularity and funding
  • Qubes: provides personal fun and usefulness to me
  • KVM: provides @HulaHoop

1 Like

IIRC this very issue is mentioned in the upcoming Whonix 14 release blog post. i.e. focusing less on new options and more on core Whonix.

Don’t think this would be feasible as it would alienate a large majority of our community.

I was quoted twice here. People complaining about low quality, or expecting a solid system, is a negative in your eyes Patrick? If that’s the attitude then there’s really no point in such posts. You need to clarify that though, I was under the impression that pointing out things that can be improved is actually some kind of contribution.

Yes I support switching to a research label because it’s more accurate about the project’s goals and open problems.

It also gives it a more professional branding than “alpha” which otherwise implies that it’s an unmaintained hobbyist side project to most people.

1 Like

@pano where did that come from? Patrick was making a neutral statement about your posts and using them as an example of people’s expectation? No one dislikes your topics and we are happy to discuss new ideas.

2 Likes

I get the impression many users’ posts are seen as a burden. Perhaps they are a burden. I can understand that and I really do appreciate the work done here by Patrick and others and I also understand the pressure of having to complete a lot with limited resources.

Personally I don’t seek great features, I seek stability. I wouldn’t mind at all if Whonix stayed on Jessie for example for a few more years. I think the type of users who need Whonix fit the same profile. All those warnings / experimental / research approach / being understaffed / underfunded / obviously overworked remarks aren’t reassuring. And reassurance is needed if one is to believe a project will not be abandoned at some point. Yes I didn’t contribute much here so far, but I spent already many many hours learning about Whonix and trying to figure the ins and outs, and I plan to continue doing that. Why would one spend a lot of time and energy if there is little confidence in the future of a project?

Reducing expectations levels, moving to research mode and emphasizing an everlasting experimental state will be detrimental to receiving more funding, that’s for sure. People want to use and invest in viable, stable and long lasting projects, not in experiments. I agree with the OP, after what, 6+ years, Whonix can’t be viewed as an experiment any more. It’s either a success or a failure, and personally I think it’s a success. It is endorsed by many security experts, there is nothing like it, it works and does its job. No, it cannot cover 100% of security aspects, no product can, but you get a much lighter and optimistic feeling going through Qubes website for example.

+1 “actively maintained research project”

Qubes has more funding, paid staff, user contributions, larger audience. And by more, I don’t mean just greater than, but order of magnitude more. (Also, you mentioned the website specifically. I think Whonix could definitely improve on that front. But we don’t have a webmaster currently, let alone a web-designer.)

There is absolutely none to give. If Patrick were to quit tomorrow, there are certainly Whonix devs/users that have the skills to pick up the project, but absolutely no guarantee that anyone will do so. The best way to ensure the project’s survival is to have more participation in development.

There aren’t exactly a lot of Whonix-alternatives to choose from. Time and energy spent studying Whonix shouldn’t be viewed as an investment in Whonix as much as knowledge that can be applied to any privacy project.

These kinds of projects aren’t funded by VCs looking for return on investment. Funders are looking for projects that address a pressing need and require funds to survive. They want their limited funds to carry impact. Granted, they don’t want their funds to go to waste by a project that immediately shuts down. But it’s a lot more complicated than simply a label.

Many users’ posts are a burden. I say that as a matter of fact - not with any specific animosity. This is a complex project with many pieces - the vast majority of which are developed elsewhere: kvm, xen, qubes, vbox, debian, kde, all the application software, all the system daemons, etc, etc. It’s perfectly fine that new users don’t always know the best place to go to for support, or what is appropriately whonix-specific. And new users often have good ideas (especially regarding usability), so the goal is not to discourage posting.

However, there are things that users can do to lessen the burden.

  • First, look at the effort in this thread: Long Wiki Edits Thread - #659 by torjunkie . The accumulated time and energy that has gone into the wiki and forum posts is wasted when posters don’t search even Whonix resources.
  • Second, a basic web search can answer many questions, and if not, can make the poster more educated about what exactly they need help with.
  • Finally, I don’t post random links. The links I share are directly relevant (and if not, marked as such). I don’t post any links that I haven’t read myself (or written in some cases). My absolute pet peeve is when I take the time to find the appropriate links, and the poster comes back 5 minutes later, having ignored the links, to ask the same original question. That’s a burden.

Ideas to improve Whonix are always welcome - as long as people are mindful of the fact that this is an open-source, volunteer project and not one to which they are entitled to dictate. In many cases (like I2P Integration - #102 by goldstein-otg) when ideas can not be acted upon in a timely manner, suggestions are given to the original poster on how they can get involved personally - by contacting upstream projects, researching ideas further, or testing different scenarios.

2 Likes

Well, this is the impression, the point is not putting anyone on the defense, if you care about Whonix you will try to spot the details I’m right about and not try to refute them. I am not trying to win an argument, it’s good for nobody.

Regarding the documentation - I commented about some issues in the past, but I was very polite. I want to be a bit more direct this time - it is just terrible.

Almost every page is way too long to be useful for people with any kind of time constraints, who can’t become Whonix / Debian / networking experts before they find a solution to their specific problem.
Every page covers all possible options for every Hypervisor or setting, making an already complex technical point or procedure much more difficult to implement than it should be.
And, it contains mistakes and outdated information (see the VPN page, with the riseup account that “does not work anymore for the author of those lines”, and is still given as an example).

Then, switch to the Tails documentation. One gets the feeling it’s possible to cover it in a single afternoon.

Hey, Tails developers don’t even maintain a forum like that. They don’t need to. Try to think why.

What part of underfunded and understaffed do you not understand? I agree that the wiki is verbose (sometimes for good reason) and could use better organization. I don’t agree that it’s constructive to complain without offering help (money or effort is gladly accepted). You are proficient in English. So like torjunkie and 0brand, who came to this project with little expert knowledge, you could also make massive contributions to cleaning up and expanding the documentation - which is btw, one of the most comprehensive how-to’s on internet privacy in existence.

You are absolutely right. Tails is a fantastic project. Highly polished, non-experimental, and amnesic to boot. That may be exactly what you’re looking for. (Of course, Tails users can be decloaked by root-escalation exploits, but hey, what’s a little deanonymization when you can get through the docs in an afternoon?)

[For the record, only the last question is sarcastic. Tails has its place, as does Whonix - and they’re not interchangeable. Comparing the two as you’ve done only illustrates that you don’t know the difference between apples and oranges.]

Umm, ok, I’ll give it a shot:

  1. They did have a forum.
  2. They closed it. Tails - Tails user support mailing list
  3. They now offer support via email, chat, and mailing list. Tails - Support

It’s so entangled I have no clue where to start. For example, if I wanted to write a simplified and concise chapter about a specific issue in Whonix 13 - Virtual Box case, I could do it, but the structure of the documentation dictates all hypervisors are discussed in a single page. Unless you write separate guides for each, or allow the user to filter them (as I suggested in an earlier thread and was told it’s not realistic), things won’t be improved and the clutter will stay. Again I think when you’re understaffed, underfunded you need to focus, as I suggested in this thread.

I like a bit of sarcasm, it made me smile and I enjoy your sense of humor. On the serious side, if I didn’t think Whonix has an important place I wouldn’t spend time on it. But I think it offers the biggest advantages especially to those who need ongoing access to the internet, for example those who run onion sites.

It is correct Whonix provides a better protection from some malware if it is present and from certain attacks, but on the other hand it will be probably easier for a malware to gain a foothold in Whonix rather than in Tails. Why? Simply because Tails starts from scratch each time, so as long as the installation is clean and the user is very careful to save only what he absolutely has to, only plain data (in a persistent volume or a separate USB), and is careful in general, I think it is reasonably safe. Tails doesn’t have an admin pass to begin with. Of course user had less flexibility in installations etc.
You can roll back to an earlier snapshot in Whonix, correct, that can assist with this aspect, but first of all - this isn’t a default procedure, and defaults are important when we are in reality and not in theory (also - some people connect a string to the USB stick and pull it as a dead man switch, I wonder if roll-back can be done that quickly), and second, for sure the forensics side is better handled with Tails.

More about malware - even if it gained foothold in Whonix-workstation it’s not supposed to find your IP. Well, there are many other ways to deanonymize one other than an IP. If you are active on the system then sooner or later the nature of your activity if monitored by malware will be enough to deanonymize you without requiring an IP. And you know what? If you click CTRL-C on your IP in the Gateway it is immediately known to the Workstation and anything that runs on it unless you change (the default? I don’t recall) settings in VirtualBox that allow that. I have no clue about KVM or Qubes. Plus - Whonix-Gateway can also be subject to an attack due to a Debian vulnerability or anything that runs on it.

So, for those who need ongoing online access or require a lot of installations and non-default tools or settings (it will be a pain to install them again and again in Tails), Whonix is certainly a better solution. Otherwise, it’s a difficult question to determine if the vulnerabilities inherent in Whonix due to persistence are compensated by the workstation - gateway architecture advantages.

1 Like

I am awful at contributing to the wiki myself so I empathize. I can assure you though, that if you get some text into the hands of torjunkie and 0brand, they will know exactly what to do with it.


Your points are mostly fair concerning Whonix vs Tails.

Regarding hypervisors, Virtualbox support is maintained because it offers the best compatibility and ease-of-use - important factors when considering the audience that may need Whonix the most.

However, the preferred hypervisor for those willing to work with more advanced setups is KVM or Qubes. Qubes, in particular, offers many advantages in terms of non-persistence (via templateVMs and disposableVMs), isolation of networking & usb (and soon graphics), and secure file exchange and clipboard (of particular interest to you).

I don’t know what the average Whonix end user looks like. In the end most people usually want something where they just need to push a button or click somewhere and it just works. Imho, Whonix does this anonymity/security/privacy wise really well. I guess, though don’t know for sure, most just use it for surfing, chatting, file sharing … over Tor.
Then there are advanced users who need something more and then of course have to dig into the documentation. You can’t fit everyone’s use case.

Whonix vs Tails:
In case of Tails, as soon as you have persistence then malware has persistence, too. You can save files on your USB drive but there has been malware that uses hidden partitions. Some people save deb packages there which could be changed by malware and phone home.
Non persistence is not the default mode of Whonix because this never was the main point and also has some disadvantages (updates, entry guards).
Regarding forensics, FDE solves 99% of the issues with the exception of data in RAM during shutdown. To my knowledge there have not been any cases where some RAM wipe feature helped someone in real life.
If you want to have non persistence similar to Tails in Whonix then you can use the Whonix-Qubes live cd from @unman or the optional live mode in Whonix 14 (should work in 13 too)

As long as you don’t store your tax data or personal address there probably not. Maybe you are pseudonymous or the malware steals your BTC but your real IP will not be revealed. I would not say the same about malware on Tails.

Sounds interesting. Can you elaborate?

1 Like