[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

Whonix Warrant Canary

Fortunately gag orders and NSLs don’t exist in German jurisdiction yet so Whonix is safe.

Also warrant canaries are not bullet proof since Australia’s government added provisions that work around it:

True, but they aren’t far away with this kind of stuff and Agencies can still pressure Someone to do certain things without a official gag order.

I don’t think a canary should only be used when “official” Papers come in…

just my 2 cents

What kind of pressure? Blackmailing? Violence?

Warrant canaries work if there are leftovers of constitutional[1] leftovers. The state playing by the law and the people defending with other laws. Once the law is ignored, I don’t see how canaries still are of any help.


[1] English: meaning due process (of law)
[1] German: ordentliches, rechtsstaatliches, faires Verfahren / Gerichtsverfahren

1 Like

Good day,

Adding to that, the question would be what purpose a canary would serve for Whonix? There is literally no information a hypothetical NSL could “get” from this project, as neither the forum nor the wiki log anything about it’s users (most of them using Tor anyways) and the source code for Whonix is public either way.

Have a nice ay,

Ego

A request to add a vulnerability / backdoor to the binary version / to an package upgrade?

I don’t know the legal theory behind NSL includes such as possibility. I know much too little about the US legal system and the legal theory behind it. With my little understanding of the warrant canary legal theory however, asking to add a backdoor to the source code / binary could perhaps be considered forced speech. And the legal theory behind NSL / warrant canary says, that forced speech cannot be demanded in the first place. And elsewhere it was legally established that ‘code is speech’.

2 Likes

Good day,

Well, a NSL after the American model, which like already mentioned isn’t really applying to a German project, only allows for the request of the release of telecommunication, bank record and similar information. That’s what I was meaning, since there is no information Whonix’s Forum/Wiki stores about their users which isn’t publicly accessible either ways. Forcing anything into the source code isn’t possible because, like you mentioned, according to Bernstein v. US, code is to be protected under the First Amendment and, adding to that, NSL’s haven’t been designed for that purpose either ways.

Have a nice day,

Ego

2 Likes

https://www.whonix.org/wiki/Trust#Whonix_Warrant_Canary

1 Like

I shouldn’t be bound by previous opinions of mine.

Recently I had the idea that a warrant canary could be implemented with almost zero extra maintenance effort.

Based on Qubes warrant canary:

Below is the template that I had in mind.

                    ---===[ Whonix Canary #_ ]===---

Statements
-----------

The Whonix lead developer digitally signed this file
and states the following:

1. The date of issue of this canary is: see time of gpg signature

2. No warrants have ever been served to us with regard to the Whonix
Project (e.g. to hand out the private signing keys or to introduce
backdoors).

3. We plan to publish the next of these canary statement the next
time Whonix APT repository gets re-signed.

This file should be signed via detached OpenPGP signature.
Do not just trust the contents of this file blindly!
Verify the digital signatures!

Special announcements
----------------------

None.

Disclaimers and notes
----------------------

We would like to remind you that Whonix has been designed under the
assumption that all relevant infrastructure is permanently
compromised. This means that we assume NO trust in any of the servers
or services which host or provide any Whonix-related data, in
particular, software updates, source code repositories, and Whonix
downloads.

This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other
means, like blackmail or compromising the signers laptops, to coerce
us to produce false declarations.

The news feeds quoted below (Proof of freshness) serves to demonstrate
that this canary could not have been created prior to the date stated.
It shows that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to
anybody. None of the signers should be ever held legally responsible
for any of the statements made here.

Proof of freshness
-------------------

Proof of freshness will be appended similar to Qubes.

Let me know what you think.

1 Like

I like the formatting. Keep it simple so everyone can understand it. :slight_smile:

Maybe one change.

The Whonix lead developer digitally signed this file
and states the following:

If its only you singing the file.

1 Like
  • Don’t you want the Whonix master key fingerprint somewhere?
  • How often (very roughly) will the Whonix APT repository get resigned? Readers will want to know.
  • Bit wordy & passive language?

Instead, how about:

Whonix Canary

Statements

The Whonix lead developer who digitally signed this file states the following:

  1. Canary issue date: see the gpg signature time.

  2. No warrants have ever been served on the Whonix Project; for example, to hand out the private signing keys or to introduce backdoors.

  3. We plan to publish the next canary statement whenever the Whonix APT repository is re-signed. This occurs approximately every month. [Ref 1] [Ref 2]

This file should be signed with a detached OpenPGP signature by the Whonix lead developer.

Do not trust the contents of this file blindly - always verify digital signatures!

Special announcements

None.

Disclaimers and notes

Be mindful that Whonix has been designed under the assumption that all relevant infrastructure is permanently compromised. This means NO trust is placed in any of the servers or services which host or provide any Whonix-related data, particularly software updates, source code repositories, and Whonix downloads.

This canary scheme is not infallible. Signing the declaration makes it very difficult for a third party to produce arbitrary declarations, but this does not prevent the use of coercion, blackmail, compromise of the signer’s laptop or other measures to produce false declarations.

The news feeds quoted below (see Proof of freshness) confirm this canary could not have been created earlier than the issue date. This demonstrates a series of canaries was not created in advance.

This declaration is provided without any guarantee or warranty. It is not legally binding upon any parties in any form. The signer should never be held legally responsible for any statements made here.

Proof of freshness

(coming soon)

References

  1. https://github.com/Whonix/Whonix/blob/master/aptrepo_remote/conf/distributions#L11
  2. https://wiki.debian.org/DebianRepository/Format “The Valid-Until field may specify at which time the Release file should be considered expired by the client.”

I haven’t seen this by anyone else except Qubes. And “Qubes does so” by itself isn’t an argument. Perhaps I should have asked Qubes for reasoning behind it? Well, the Whonix master key fingerprint will be visible when checking the gpg signature of the canary. If another (malicious) fingerprint would sign the canary they’d just change the contents of the file too. So yeah, an implicit assumption (not written anywhere before now but assumed) is that the one verifying the canary already know https://www.whonix.org/wiki/Whonix_Signing_Key by heart. Maybe not by heart but they already need to know which identity/fingerprint is behind. For whom it makes sense to sign the canary.

Good point. The valid-until period is currently set to 1 month. (Debian uses 2 weeks.)

(On APT valid-until: https://blog.ganneff.de/2008/09/valid-until-field-in-release-f.html)

( https://github.com/Whonix/Whonix/blob/master/aptrepo_remote/conf/distributions#L11 )

So I have to resign Whonix repository at less than 1 month before I signed it last time. I do it most times when I work on Whonix source code, and when I remember. So it’s infrequent. But we haven’t had outdated apt repository metadata for a while so that works quite well.

Not sure what you mean by that but by experience your suggestions are almost(?) always taken. :slight_smile:


Please add.

Thanks. I edited that into my suggested canary text above.

At step 3, I noted there should also be two footnotes:

  1. https://github.com/Whonix/Whonix/blob/master/aptrepo_remote/conf/distributions#L11
  2. https://wiki.debian.org/DebianRepository/Format “The Valid-Until field may specify at which time the Release file should be considered expired by the client.”

This canary looks good to go?

When it’s up with Proof of Freshness, we only need to change the wiki canary entry accordingly.

1 Like

What I never understood, what made me doubt the usefulness of canaries, but also never asked in public:

What if the case trying to plan for here actually happens? What if there:

  • is a legal basis exists to request adding a backdoor to Whonix, and
  • canary doesn’t get updated,
  • assume absence of other kinds of coercion for simplicity and focus of this question.

Then after the canary doesn’t get updated in time, the public could reasonably assume that a backdoor was added to Whonix.

In result: everyone who used Whonix from the time of the last canary issued (no backdoor version) until the canary expired (backdoor added in meanwhile) would be potentially compromised by the backdoor, depending on the type of backdoor.

That would be a very bad result indeed. But perhaps better to know after a month that one was compromised for a month than never knowing it? Is that the point of a canary?

“positives” (if it can be called that) in such worst case scenarios:

  • A canary might dissuade requests for adding a backdoor?
  • People might look for the backdoor, catch it, analyze it and widely publicize?
  • Possibly make similar backdoors in future unlikely by technological improvements?
  • People could fork Whonix and fix the issue?

What lavabit actually did by shutting down their service seems a much better than what lavabit could have done if they just had a canary and let it expire.

Warrant canary still seems to me have a very narrow scope:

  1. legally forced to add a backdoor
  2. legally forbidden to shut down service (can one be forced to run a project/business?)
  3. legally allowed to not update canary (right to refuse compelled speech)

Note: The point of this post is gathering a better understanding possibly leading to a better implementation. Whonix canary will be implemented in near future either way.

While I don’t see how it applies to Whonix, (2) can certainly happen at cases authorities view the operation as illegal / supporting illegal activities: they take over the project while the project manager is required / coerced to cooperate. We have seen it happen with dark net markets.

I agree that a combination of all 3 is quite unlikely.

Of course. Some users didn’t have a chance of updating and will not be affected. They are saved. Others didn’t have potentially harmful material, yet. The rest will minimize the damage in any way they can and abstain from adding further compromising material or engage in communication that can compromise others.

Another point: there is some apparent contradiction between the principle of “perform updates as frequently as possible” and this canary concept. If indeed there is a canary (that is reliable in at least some scenarios), won’t it be better to update from Whonix sources only once a month, after it’s published (or you can look at it as possible negative of having a canary - users delay updates).

1 Like

Or the way Truecrypt original devs shutdown shop by releasing a version that doesn’t encrypt.


Shutting down the website/code repos is indeed a more visible warning than any text notice.

2 Likes

Canary is now live.


Duplicated to github in case of whonix.org server issues.

2 Likes

Fixed.

Can you please change two things:

  1. Should have [1] [2] instead of [Ref 1] [Ref 2] in a few places (top section & footnotes section)
  2. Please add at the top this missing part and underline “Statements” (you want to keep numbering them right?):

—===[ Whonix Canary #1 ]===—

Statements

1 Like

References removed entirely because: No need to mention my internal process “of doing this most of the time whenever I resign Whonix repository”. Greatly simplified:

We plan to publish the next canary statement within 4 weeks.

Sorry, I didn’t get this one.

Actually, no, I don’t have numbering in mind.


Btw canary-template.txt lives here:

Pull requests welcome.

Actually it looks good now. +1

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]