Whonix should bundle fewer pre-installed programs (minimal images)

To reduce attack surface, I really think Whonix should bundle fewer pre-installed applications.

Currently, Whonix bundles a dozen or so programs, which may or may not be used by the user.
I believe shipping a minimal Whonix (only with the applications needed to make Whonix work, like the desktop environment and the various util programs) would be the easiest (and wisest) thing Whonix could currently do to significantly reduce the attack surface.

By reducing the amount of pre-installed programs, you achieve the following:

  • Reduced risk of local privilege escalation: local programs could be abused by attackers to elevate themselves to root
  • Reduced risk of Remote Code Execution bugs: preinstalled programs could be vulnerable to RCE bugs
  • Reduced development time: you only ship Whonix, without preinstalled applications which might hint to the user that you “support” them maintenance-wise (i.e. program X stopped working / doesn’t work correctly, now you devote precious developer time to debug and resolve it)
  • Smaller images and less time to update: very important, updating a large amount of software puts a lot of strain on the Tor network, and is very fingerprintable network-wise (attackers could hypothetically know when a user is not just using Tor, but Whonix specifically, and when they first installed it)
  • Reduced attack surface in general: attackers would have a harder time hacking a Whonix user. Additionally, the user, if he wants to, can simply install whatever program he needs on his own

I think it’s an easy win security-wise, development-time-wise, and minimalism-wise.

I understand there are not many developer resources in the hands of Whonix; hence I avoided suggesting anything extreme. This change is quite easy to implement even by one person, without “breaking” anything.

2 Likes

I agree. I don’t use the fluff that Whonix bundles with itself, like IRC clients (I use emacs), or a PDF viewer (I use zathura or, again, emacs), or an image viewer (I use mpv or, again, emacs).

I would really like Whonix without these packages, but removing any one of them removes a whole bunch of other packages that I don’t mean to remove, and I don’t know whether I am shooting myself in the foot by removing them.

2 Likes

Removable using dummy-dependency.

The following wiki pages should explain which ones are safe to remove.

If you find the meta package that pulls a package, it should be easy to see which ones are easily removable.

1 Like
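One way to answer “which metapackage pulls this package in, and what would removing it take with it” with a script, added here as an example and not code from the Whonix project: it parses the `${Package}<TAB>${Depends}` lines that `dpkg-query -W` prints, builds the reverse-dependency graph, reports the removal cascade for a package and the metapackages at the top of it, and lists the leaf packages that can go without any cascade. The package names and the “-packages-” naming convention used to recognise metapackages are constructed for the example; they are not the real Whonix package set.

```python
"""Reverse-dependency walker over dpkg-query output (added example, not Whonix code).

Input format is what `dpkg-query -W -f='${Package}\t${Depends}\n'` prints.
The sample below is constructed; the metapackage name and the "-packages-"
naming convention used to recognise metapackages are assumptions.
"""
import re
import shutil
import subprocess
from collections import defaultdict

# Constructed sample in dpkg-query format: package TAB Depends field.
SAMPLE_DPKG_QUERY = (
    "example-workstation-packages-recommended\tbrowser-app (>= 1.0), pdf-viewer, irc-client | matrix-client, xfce4\n"
    "browser-app\tlibc6 (>= 2.36), libfoo1\n"
    "pdf-viewer\tlibc6, libpoppler\n"
    "irc-client\tlibc6, libgtk\n"
    "irc-plugins\tirc-client (= 2.16)\n"
    "xfce4\tlibc6\n"
    "libc6\t\n"
    "libfoo1\tlibc6\n"
    "libpoppler\tlibc6\n"
    "libgtk\tlibc6\n"
)

_VERSION = re.compile(r"\s*\(.*\)$")


def parse_depends(text):
    """{package: set(dependency names)}.  Version constraints are dropped and
    alternatives (a | b) are flattened, so cascades are an over-approximation:
    a package still satisfiable by an installed alternative is reported too."""
    graph = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, deps = line.partition("\t")
        graph[name] = {
            _VERSION.sub("", alt.strip())
            for clause in deps.split(",")
            for alt in clause.split("|")
            if alt.strip()
        }
    return graph


def reverse_graph(graph):
    """{package: set(installed packages that depend on it)}."""
    rdeps = defaultdict(set)
    for pkg, deps in graph.items():
        for dep in deps:
            rdeps[dep].add(pkg)
    return rdeps


def removal_cascade(graph, pkg):
    """Installed packages apt would remove along with `pkg`: its transitive
    reverse dependencies (pkg itself excluded)."""
    rdeps = reverse_graph(graph)
    seen, stack = set(), [pkg]
    while stack:
        for parent in rdeps.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def is_metapackage(name):
    # Assumption for the example: metapackages carry "-packages-" in the name.
    return "-packages-" in name


def pulling_metapackages(graph, pkg):
    """Metapackages that (transitively) depend on `pkg`; these are what a
    dummy package would have to satisfy so `pkg` can go without a cascade."""
    return {p for p in removal_cascade(graph, pkg) if is_metapackage(p)}


def removable_without_cascade(graph):
    """Non-meta packages nothing else depends on: removing one removes nothing
    else (apt may afterwards autoremove dependencies that became orphaned)."""
    rdeps = reverse_graph(graph)
    return {p for p in graph if not rdeps.get(p) and not is_metapackage(p)}


def load_installed():
    """Live data from dpkg when available, otherwise the constructed sample."""
    if shutil.which("dpkg-query") is None:
        return SAMPLE_DPKG_QUERY
    out = subprocess.run(
        ["dpkg-query", "-W", "-f=${Package}\\t${Depends}\\n"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


if __name__ == "__main__":
    import sys
    g = parse_depends(load_installed())
    for target in sys.argv[1:] or ["irc-client"]:
        print(target, "is pulled in by", sorted(pulling_metapackages(g, target)))
        print("  removing it also removes", sorted(removal_cascade(g, target)))
    print("leaf packages (no cascade):", sorted(removable_without_cascade(g)))
```

On a real system, run it with the package names you are considering as arguments; a package whose cascade contains only metapackages is the case the dummy-dependency trick is for, while a package in the leaf list can simply be purged.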

@Patrick What do you think about this suggestion?
And how / where can I contribute this change exactly?

1 Like

I’m not sure I agree that shipping fewer preinstalled applications in general is a great idea, for a few reasons:

  • Most of the preinstalled programs in Whonix (both Gateway and Workstation) don’t (or at the very least shouldn’t!) connect to the network. If something doesn’t accept untrusted data from a remote source, it can’t possibly provide an RCE vulnerability. (Unless the user pipes untrusted data into it, i.e. “pipe curl to bash”, but that isn’t really the application’s fault.)
  • Some applications can provide a local privilege escalation vulnerability. But for this to happen, the application has to open a security hole via some sort of service, sudoers config, polkit rule, privleap rule, or similar. (The zuluCrypt package in Debian shipped a polkit rule that was insecurely configured, which ended up with a CVE assigned to it, see #1108288 - CVE-2025-53391: Local privilege escalation via zuluPolkit, caused by Debian patch - Debian Bug report logs) This is potentially a good argument for being cautious about any new applications that introduce security exceptions for whatever reason, but most applications don’t do that.
    • The linked bug report in zuluCrypt didn’t end up affecting the security of sufficiently new versions of Kicksecure and Whonix, because the vulnerability required a local user to get a polkit authorization prompt in order to exploit it, and user-sysmaint-split prevents those prompts from working when booted into a user session.
    • It’s also worth linking xkcd: Authorization here. If an attacker is able to run arbitrary code as a local user, the least of the victim’s worries are a subsequent root escalation, unless the attacker has hacked some borderline-useless system account like man.
  • Users might not know about some security tools that are available to them, and will never install them if they don’t know about them. Providing them out of the box when appropriate helps raise user awareness about them.
  • The support issue is worthwhile to take into account, but in practice, we don’t seem to get a lot of support requests for the “extra” applications in Whonix. If we do, they at least aren’t showing up on the forums where I see them.
  • The last point about updates being fingerprintable is interesting, but at the same time I’m not totally sure that can be prevented with less apps. Whonix has plenty of packages no non-Whonix Debian installation will have, by virtue of having the Whonix and Kicksecure repos enabled and software from them installed. They also have what is probably a rather unique set of packages installed from the Debian archives, since we make use of --no-install-recommends to keep image size down. Like with a lot of privacy-focused projects, it’s very difficult to hide that someone is using a particular privacy-focused project, but one can make it so that all users of the project look a lot like each other.

If there are particular applications you think look like a security risk, definitely point those out. But I don’t think just removing applications in general will do much good.

2 Likes
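As an added example (not Kicksecure or Whonix code) of the check the post above implies, the following script enumerates the places where a package can open the kind of hole described: setuid/setgid binaries, sudoers drop-ins with NOPASSWD, polkit `.rules` files that return `polkit.Result.YES`, and `.policy` actions whose default is a bare `yes`, and then maps each hit back to its package with `dpkg -S`. The Debian paths are the usual defaults and are parameters so the scan can run against a constructed tree; the regexes catch only the simplest grant patterns, privleap rules are not covered because their format is not shown here, and the output is a review list rather than a verdict.

```python
"""Audit where installed software widens the local privilege boundary.

Added example, not Kicksecure/Whonix code. It checks the places the post names:
setuid/setgid binaries, sudoers drop-ins, polkit rules and policy actions, and
maps each finding to its package with `dpkg -S` when dpkg is present. The
default directories are the Debian locations; all are parameters so the scan
can run against a constructed tree.
"""
import os
import re
import stat
import subprocess
from pathlib import Path

SETID_ROOTS = ("/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec")
SUDOERS_D = "/etc/sudoers.d"
POLKIT_RULES = ("/etc/polkit-1/rules.d", "/usr/share/polkit-1/rules.d")
POLKIT_ACTIONS = "/usr/share/polkit-1/actions"

# A non-comment sudoers line granting NOPASSWD.
NOPASSWD_RE = re.compile(r"^\s*[^#\s].*\bNOPASSWD\b", re.M)
# A JavaScript polkit rule that grants without any authentication.
RULE_YES_RE = re.compile(r"polkit\.Result\.YES")
# A .policy action whose default is a plain "yes" (no auth for that session kind).
ACTION_YES_RE = re.compile(r"<allow_(?:any|inactive|active)>\s*yes\s*</allow_")


def find_setid(roots=SETID_ROOTS):
    """Regular files with the setuid or setgid bit under `roots`."""
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: a symlink is never a setid hit
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    hits.append(path)
    return sorted(hits)


def _scan(directory, suffixes, pattern, label):
    """(label, path) for every file in `directory` whose text matches `pattern`."""
    findings = []
    base = Path(directory)
    if not base.is_dir():
        return findings
    for path in sorted(base.iterdir()):
        if path.is_file() and (not suffixes or path.suffix in suffixes):
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            if pattern.search(text):
                findings.append((label, str(path)))
    return findings


def find_passwordless_grants(sudoers_d=SUDOERS_D, rules_dirs=POLKIT_RULES,
                             actions_dir=POLKIT_ACTIONS):
    """Files that grant privilege with no prompt at all. This catches the simplest
    pattern only: a YES guarded by a condition (on action.id, subject.user, ...)
    is still listed and needs manual review of the condition."""
    findings = _scan(sudoers_d, (), NOPASSWD_RE, "sudoers NOPASSWD")
    for d in rules_dirs:
        findings += _scan(d, (".rules",), RULE_YES_RE, "polkit rule returns YES")
    findings += _scan(actions_dir, (".policy",), ACTION_YES_RE, "polkit action allow=yes")
    return findings


def owning_package(path):
    """Package that ships `path` according to `dpkg -S`, or None if unknown."""
    try:
        out = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    if out.returncode != 0:
        return None
    return out.stdout.split(":", 1)[0].strip() or None


if __name__ == "__main__":
    for p in find_setid():
        print("setid", p, owning_package(p))
    for label, p in find_passwordless_grants():
        print(label, p, owning_package(p))
```

Run as root on the system under review and group the output by package: a package that shows up nowhere in this list cannot be the source of a local privilege escalation of the kind described, which is the point the post makes about most applications.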

Non-issue as per:
Why Waste Network Bandwidth by Downloading Operating System Updates over Tor?

related:

1 Like

Rationale for Protecting the Root Account

1 Like

In cybersecurity, you don’t “prevent” something; instead, you “reduce” the chances. Therefore, I stand with my original point.

This is wrong; if a user wants software X, they will figure out a way to install software X. But shoving software down a user’s throat as preinstalled might appear, low-key, like a move done by Windows, not a Linux distro.

This is because of the small user base of Whonix; if Whonix as a project ever grows, you sure will.

Keyword: “most”. We can start with the ones that do connect to the network (think crypto wallets, chat clients, etc.) as those are prime targets.

1 Like

Which platform? VirtualBox / KVM or Qubes?

Minimal images are great. It’s just a different target audience. Minimal images are most often requested by more technical users.

VirtualBox / KVM: Given a choice between minimal and regular, most users choose regular. Last time I checked, download of minimal images was 10% of total downloads. The other 90% were downloads of the regular image.

Most users want things to “just work”. They’re also much more rarely posting in forums.

Hence, minimal images are not a priority.

You would need to show that the likelihood is indeed lower.

Write down a threat model.

Write down all traffic an adversary can see over time such as initial download of the operating system, update traffic, volume of traffic, etc.

Basically, you want to look like Microsoft Windows’ current most popular version but without using Windows?

Review Network, Browser and Website Fingerprint in detail, all of the existing research. And then see if you can really still conclude the same that if changing X then Y will get better.

A background in usability design is required for discussion. It cannot be known from personal opinion and philosophical arguments alone.

Being a reasonably complete distribution is the norm. The most popular operating systems are complete, not minimal.

Please show any that connect to the internet without the user starting these.


Which applications to include versus which one not is opinion based and has a high risk of law of triviality / bikeshed.

It’s also touching the topic of Security versus Usability, The Trade-Off Between Security and Usability.

Do you want maximum security? Be careful what you wish for. → Maximum Security: Unrealistic Expectations?

1 Like

This is probably because of a misunderstanding / stigma on the user’s end. They might think that Whonix offering 2 versions, “complete” and “minimal”, might hint that the “minimal” version lacks some essential functionality, or perhaps that they would be dropped into a nice black terminal like Arch does.

I would suggest not offering a “complete” edition in first place.

Meet Alice and Bob. They both have downloaded and installed Whonix. But Alice chose the current Whonix for VirtualBox, and Bob has downloaded a hypothetical minimal edition that includes very little software.

Alice and Bob both decide to update their software.

Here are the advantages Bob has over Alice in terms of network fingerprintability:
Bob’s download of Whonix from the website was significantly smaller in size than Alice’s.
From a network adversary’s point of view, both Alice and Bob have visited Whonix.org and downloaded an abnormal amount of data. The adversary’s POV can only make assumptions using statistics and gathered intelligence from the wire.
The adversary now knows both Alice and Bob have downloaded something, and since they visited whonix.org, the adversary can guess they both downloaded Whonix.

However, the adversary isn’t 100% sure they did download the Whonix image, but what he is sure about is that Alice’s likelihood of having downloaded Whonix is significantly greater than Bob’s. That doesn’t put Bob in the clear though; the adversary still suspects it, but overall Bob’s network fingerprint was smaller.

Now the adversary needs more intelligence before drawing a more concrete conclusion.

Alice and Bob now both decide to initially update Whonix and software bundled.

The adversary now observes, sees both connect to Tor, and sees Alice download significantly more data over Tor than Bob; therefore, the adversary is more certain that Alice has just installed Whonix and conducted her first updates, while about Bob he is less certain: it’s possible Bob could be just using a regular Tor Browser and downloading something / loading a heavy page, or even a video.

In these examples, as you can see, we didn’t eliminate fingerprintability, we just reduced it.

Further fingerprint protection could theoretically be added to Whonix’s download page, where each user gets a slightly “different” image than the other, so an adversary doesn’t see the exact download size and confidently conclude a Whonix download.
This can be achieved through… I don’t know, maybe Whonix adds some junk data to the download / appended to the end of an image? Just a thought.

True, but a minimal image would also “just work”

Sure. I wasn’t really talking from personal opinion. Let’s talk statistics:
If Whonix suddenly gains 1 million new users, assuming even just 1% of those users ran into issues, especially with pre-installed programs, and then even 10% of that 1% decided to post on the forums, that’s 1000 users; and if we assume the average number of “issues” it takes for each user to bother to register on the forum and post threads is 2 issues, that’s 2k threads, potentially just dedicated to issues; and if we assume 1 of those issues is related to software pre-installed on Whonix, that’s 1k threads.

With increasing surveillance as of late, even in so-called “first-world countries”, Whonix and other privacy projects’ usage will skyrocket.

This is not a valid argument; your project is a research project. You are supposed to experiment, not stay in the “everyone does it, so we will do it too” mindset, especially when said “experiment” benefits the core idea behind your project: security.
Users who choose to download Whonix are looking for a Linux distribution that is completely torified, has a desktop environment, has Tor Browser pre-bundled, and has “extra” protections like AppArmor profiles for the most common software they might optionally choose to download later on, and that’s it.

I don’t have many examples at hand, but the problem is not just them starting on their own. Take the following scenario for instance:
Alice decided to download and install Whonix. Alice, for whatever reason, forgot / delayed initially updating Whonix; now Alice accidentally opened a program that connects to a server. That program is quite outdated by now; it is vulnerable. And if Alice was unlucky enough to use a malicious exit node, or even if the service she is connecting to was malicious, that could potentially become an easy RCE.

I would say anything that is currently included that isn’t “certain” to be used by the user, or that isn’t essential to the security and “base” usability of the distro, should be removed.
Any crypto wallets, chat clients, etc.
PDF readers and whatnot could also be removed without affecting usability, because Tor Browser can read local PDF files, and it would be even safer, because it would be sandboxed.
Etc.

1 Like

Right, but how much does this reduce the chances? I don’t think it would reduce them at all; an attacker can’t see what’s being downloaded by whom anyway because of Tor, unless some behavior of apt can reveal the size of packages downloaded via a timing side channel, in which case any unique package the user has installed is a threat, as is having removed any application. Anyone who uses Whonix as is and never installs or uninstalls any application won’t have the side channel issue, and anyone who installs or uninstalls anything could be considered at risk. Removing applications installed by default doesn’t help this situation at all; it arguably would make it worse. (Just to clarify, I don’t know if apt even has a timing side channel like this.)

How far should that argument be taken though? Is it forcing the user’s hand to install Tor Browser? What about the Xfce desktop environment? What if the user hates the FSF and doesn’t want to be subjected to using GNU’s coreutils? What if they want to use the illumos kernel rather than Linux?

I don’t think the problem is preinstalling software, the problem is preinstalling software that is not in the user’s best interest. What is and isn’t in the user’s best interest may be debatable, but I think we can all agree that ads for World of Tanks in Windows 11 aren’t in the user’s best interest, they exist solely to make Microsoft (and whoever makes World of Tanks) money. Tools that directly help achieve Whonix’s goal of security and anonymity, like anonymous web browsers, cryptocurrency wallets, and other security-related tools, aren’t the same.

If and when that happens, we can revisit previous design decisions in light of growing support burden.

I don’t think there are chat clients installed by default. Thunderbird used to be but is going to be removed in Whonix 18 (at least, maybe sooner?), I believe due to privacy concerns with Mozilla.

There is a crypto wallet (Electrum), I don’t have much to comment on that since I don’t personally use it. It is worth noting though, there are only three CVEs ever reported in it - one of them allowed Bitcoin theft by a malicious website (definitely not great but not arbitrary code execution), another one is a garbage bug report where someone essentially griped about the fact that a Python console in the application could run Python code (oh horror! lol), and the last one was, on Linux, little more than a fancy way to crash the program.

What does it gain the adversary to know that someone updated Whonix? Fingerprintability is about finding things about a user that distinguishes them from other users such that you can uniquely or nearly-uniquely identify them when you see them. Knowing that someone is using Whonix is pretty useless since you (theoretically, this is the goal) can’t tell them from any other Whonix user, and knowing that they updated Whonix is just as useless because everyone who uses Whonix updates Whonix (or at least, they should!).

This would make it a lot more difficult for the user to verify the Whonix image’s digital signature, which is a critical security feature.

How do you know that? For me, I’m also looking for a private communication tool, and to that end I would love to see a well-implemented, secure-by-design chat client that enabled users to be anonymous except to trusted contacts and communicate privately with those trusted contacts. That isn’t possible with the preinstalled software in Whonix today, and the chat applications that exist today all have serious issues with them to my awareness, but it’s something I’ve had in my head for a while. Other users might be looking for an OS where they can write down and share research that they’re doing for their journalist work, or whatever.

The only application in Whonix I can think of having a significant chance of doing this is Tor Browser, which is an essential part of Whonix.

2 Likes

Hexchat, etc.

You can’t measure software’s security by the number of CVEs for it.
Web browsers get a dozen or so CVEs on every release, yet they’re arguably the most secure software on your device (sandboxing, etc.).

Fingerprintability here is about the fact that a Whonix user’s Tor connection can be distinguished from a normal Tor Browser connection.
This provides fingerprintability and leaks metadata.

I agree, but perhaps the process also generates a signature per download. I agree with you on this one though; it’s a hacky way, I don’t have a solution for this atm.

I was talking about most Whonix users. They want a torified environment, not necessarily one prebundled with a whole lot of software that they may or may not use.
So the essentials are Tor Browser, Whonix internal tools (whatever programs are needed to keep the system functional) and general usability programs (desktop environment, etc.).
TL;DR: Most users who download and use Whonix just want the isolation Whonix provides to browse using Tor Browser, not necessarily the “convenience” of having prebundled programs.

Obviously advanced users / users with a “not general” use case, would install additional software.

A background in cybersecurity is required for discussion. It cannot be known from personal opinion and philosophical arguments alone.

The web browser is the least likely target of an active RCE by a network adversary or through no interaction.
The only real risk of a browser getting hit with an RCE is within the browser itself, exclusively through user interaction (user visiting a malicious site, etc.).

There are many components of a system that can be exploited remotely without user interaction, like the NTP client, Package manager, etc.

What are we arguing against here? This is a perfectly valid proposal, and if any security researcher worth a penny who is aware of Whonix read this, they would agree that a larger attack surface (even if the majority of it doesn’t directly connect to the internet) is bad.

Whonix has an advantage over most other distros: it’s a research project and is explicitly advertised as security-focused, which means some extreme (yet simple to implement) changes (like this) can take place.

I actually do have many critical critiques and valid concerns about Whonix, and would like to create more posts similar to this one, but I know Whonix only has one “serious” maintainer (Patrick); hence, I don’t want to be the angry old man screaming at a FOSS project, but this change takes no effort, improves security and privacy, and comes at (almost) no cost to user convenience.

1 Like

Just work for technical users only.

The problem is that this is based on assumptions, philosophical arguments. Please let me know if I am presumptuous, but I think this is not based on usability design or operating system maintenance / support experience.

Minimal images increase support requests even more. Examples…

Monero GUI used to be installed by default. Removal caused complaints, see: Monero Integration in Whonix - #72 by Patrick

Here are more complaints about this and feature requests to re-install it: Search results for 'monero in:title' - Whonix Forum

See also

One already gets flagged for lesser “offenses” such as this:
NSA: Linux Journal is an "extremist forum" and its readers get flagged for extra surveillance | Linux Journal

No matter how small the images are, the traffic volume for initial download and updates would always be a giveaway.

If someone can “look inside” (fingerprint) Tor traffic and guess what’s going on, then that’s a Tor issue and needs to be fixed in Tor.

Related: cover traffic

How does a clearnet user learn about Tor, Tor Browser, Whonix (or Tails) without already getting flagged for looking up the forbidden fruit? It’s possible to construct a hypothetical case where one evades all of this but not a realistic one to base a distribution on.

It’s difficult to hide that one is trying to hide. See also: Hide Tor use from the Internet Service Provider

Also Non-Existing Network Fingerprint Research and Implementation.

Connecting to whonix.org doesn’t allow for other conclusions no matter the size of any downloads.

Not happening. And would complicate reproducible builds.

Reducing without having certainty of having accomplished anything makes me think this is not worth prioritizing as a development goal.

It’s arguing against this:
Security versus Usability

For VirtualBox, KVM, there are 2 flavors: GUI and CLI. Each has a target audience. CLI is more minimalist. GUI comes with more usability by default. There’s nothing in the middle.

We cannot expand to maintain more and more flavors. We don’t have plans for a flavor minimalist GUI only.

How would you know that?

Related:

2 Likes

Hexchat hasn’t been shipped by default in Whonix for a while and is actually recommended against because of its unmaintained status. See HexChat: IRC Client

Have you installed a new version of Whonix recently? If not, you might consider doing so and looking through the preinstalled applications. If there are specific applications you’d like to see removed with specific reasons for that removal (known security issues, history of security issues, unmaintained status, dangerous practices in source code, etc.), we can look at those. You might find that the default set of applications is already minimal enough for your preference, or at least close to minimal enough.

3 Likes