Whonix failproof?

First of all I want to say thanks to Patrick and all contributors of Whonix for this great project! Revolution!
I have been using Whonix for a while, but I'm not a computer guy, so I want to ask some questions to help calm my mind.

Is it possible that, because some script fails in the gateway when updating, installing or whatever, the gateway begins to route all traffic without Tor? Is it possible that this can happen, or is that impossible by gateway design?

After the last Tor Browser update, Tor Browser's file structure was changed. So I started thinking: is it possible that in the future Tor Browser's configuration gets changed so much that it does not work correctly with Whonix? Let's say a new version of Tor Browser comes out and it is not ready for the Whonix config and we have a Tor over Tor case? In other words, can changes in the future make the rinetd listener fail?

While one can never be 100% certain about anything, I am very certain that routing traffic over clearnet won't ever happen.

[Technically: Because whether Whonix-Gateway is offline, the Whonix-Gateway firewall does not load at all, or Tor is not running on Whonix-Gateway, there will just be no service then. You could even run some random VM that uses the internal network "Whonix" and runs on Whonix-Gateway's IP. Only if that random VM did something that is not the default in Linux, activating IP forwarding, would clearnet traffic be possible.]

Two upgrades could interfere here:

  • As long as we're using Debian stable, it is unlikely that rinetd receives an upgrade that prevents the listener from being created.
  • Suppose rinetd does not work: When Tor Browser gets an upgrade and chooses to ignore the TOR_SKIP_LAUNCH, then Tor over Tor could happen.
  • Suppose rinetd works: When Tor Browser gets an upgrade and chooses to ignore the TOR_SKIP_LAUNCH environment variable + changes the default listener ports from 9050/9051//9150/9151 to something else, then Tor over Tor could happen.

To make it more unlikely, always look at how a copy of the latest TBB alpha works inside Whonix-Workstation. If a single user had done that and reported, there would not have been the surprise we had.
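
The conditions named in the reply above can be checked from a shell. This is an added example, not part of the original thread and not Whonix code: the helper names are constructed, and it assumes the variable is set to `1` when in effect and that listeners show up in the kernel's `/proc/net/tcp` table.

```shell
#!/bin/sh
# Added example (helper names are constructed; this is not Whonix code).
EXPECTED_PORTS="9050 9051 9150 9151"   # listener ports named in the reply

# Print decimal ports in LISTEN state (st == 0A) from a /proc/net/tcp-format file.
listening_ports() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$1" |
    while read -r hex; do printf '%d\n' "0x$hex"; done | sort -n | uniq
}

# Print the expected ports that have no listener, space-separated.
missing_listeners() {
    found=$(listening_ports "$1")
    missing=""
    for p in $EXPECTED_PORTS; do
        echo "$found" | grep -qx "$p" || missing="$missing $p"
    done
    echo "${missing# }"
}

# Workstation side: the two Tor over Tor preconditions from the reply.
# Args: tcp table file, value of TOR_SKIP_LAUNCH (assumed to be "1" when set).
workstation_report() {
    status=0
    m=$(missing_listeners "$1")
    if [ -n "$m" ]; then echo "WARN: no listener on: $m"; status=1; fi
    if [ "$2" != "1" ]; then echo "WARN: TOR_SKIP_LAUNCH is not 1"; status=1; fi
    if [ "$status" -eq 0 ]; then echo "OK"; fi
    return "$status"
}

# Gateway side: succeeds if the given ip_forward file says forwarding is on.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Live use: "sh check.sh workstation" or "sh check.sh gateway".
case "${1:-}" in
    workstation) workstation_report /proc/net/tcp "${TOR_SKIP_LAUNCH:-}" ;;
    gateway)
        if forwarding_enabled /proc/sys/net/ipv4/ip_forward; then
            echo "WARN: IP forwarding is enabled"
        else
            echo "OK: IP forwarding is off"
        fi ;;
esac
```

Running the workstation check after each Tor Browser upgrade, including against a test copy of an alpha release, gives an early signal when a listener or the environment variable has gone missing.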