Actually it looks good now. +1
At time of writing, Whonix warrant canary is valid. However, it's time to address some issues that recently came to mind.
Problem: Potential Maintenance Lapses:
- Re-signing the canary might happen too late. Didn't happen yet. Pretty unlikely as I usually do this whenever I re-sign the repository. And re-signing can be done at any point within the 4 weeks period to restart the 4 weeks period.
- There is no indication at the moment whatsoever that this might happen, but it's possible that in the future, due to medical issues or an accident, I would be unable to re-sign the canary for a period of 4 weeks or longer. Should that ever happen, that should not forever shed doubt on the project. At least no more than unavoidable.
Solution: Healing Warrant Canary
- The warrant canary could get a passage added stating that future signatures heal previous maintenance lapses.
Warrant Canary Issues could be:
- Canary signature expired. (No new signature was created within 4 weeks after the last signature.)
- Canary disappeared.
Recommended User Action in Case of Warrant Canary Issues:
- Disable Whonix repository.
- Stop downloading Whonix releases.
- Monitor situation.
- Organize community in another place.
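An added illustration (my own example, not Whonix project code): a small Python script that applies the 4-week rule and the "healing" rule from the post to a list of signing dates and reports the canary status plus any past lapses. The canary text with a "Signed on:" line and the dates are constructed for the example and are not the real Whonix canary format; verifying the OpenPGP signature itself is assumed to happen separately (e.g. with gpg --verify) before the date is trusted.

```python
from datetime import date, timedelta

# Re-signing window named in the post: a signature is good for 4 weeks,
# and any re-signing restarts the 4-week period.
CANARY_PERIOD = timedelta(weeks=4)

# Constructed sample canary text. The "Signed on:" line is an assumption of
# this example, not the format of the real Whonix canary.
SAMPLE_CANARY = """\
Whonix Warrant Canary (constructed sample, not the real canary)
Signed on: 2020-03-10
The Whonix Project has never added any backdoor to any artifact.
"""


def parse_signing_date(canary_text):
    """Extract the 'Signed on: YYYY-MM-DD' line from a canary text.

    Returns None when no such line exists, which callers treat the same as
    a missing canary. Checking the OpenPGP signature is a separate step
    that must succeed before this date is trusted.
    """
    for line in canary_text.splitlines():
        if line.startswith("Signed on:"):
            return date.fromisoformat(line.split(":", 1)[1].strip())
    return None


def canary_status(signing_dates, today):
    """Classify the canary as of `today`: 'valid', 'expired' or 'missing'.

    Only the most recent signature matters. This implements the "healing"
    rule from the post: a fresh signature makes the canary valid again even
    if earlier 4-week windows were missed.
    """
    dates = [d for d in signing_dates if d is not None]
    if not dates:
        return "missing"
    latest = max(dates)
    if latest > today:
        raise ValueError("signature dated in the future: %s" % latest)
    return "valid" if today - latest <= CANARY_PERIOD else "expired"


def lapses(signing_dates):
    """Return past maintenance lapses as (expired_on, healed_on) pairs.

    A lapse is any stretch where more than 4 weeks passed between two
    consecutive signatures; it is reported, not treated as fatal.
    """
    dates = sorted(d for d in signing_dates if d is not None)
    gaps = []
    for prev, cur in zip(dates, dates[1:]):
        if cur - prev > CANARY_PERIOD:
            gaps.append((prev + CANARY_PERIOD, cur))
    return gaps


if __name__ == "__main__":
    # Constructed signing history: two early signatures, then a lapse,
    # then the signature carried by SAMPLE_CANARY.
    history = [date(2020, 1, 1), date(2020, 1, 20), parse_signing_date(SAMPLE_CANARY)]
    for check in (date(2020, 3, 20), date(2020, 4, 10)):
        print(check, canary_status(history, check))
    print("past lapses:", lapses(history))
```

The status depends only on the newest signature, so a user script run periodically would flag "expired" or "missing" and trigger the actions listed above, while an old gap that was later healed shows up only in the lapse report.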
Enumerating Whonix project infrastructure we care about and in what circumstances its trustworthiness would be necessary:
1) whonix.org server related:
- By design (Distrusting Infrastructure) there is as little interesting as possible on the whonix.org server. Although, some interesting things should not be received by any third parties. These are:
  - IPs on the whonix.org server. (Related: IP Addresses and IP Addresses Logging Policy)
  - User names, e-mail addresses, hashed passwords.
- However, even if the whonix.org server was under complete surveillance, that would not wreck the functionality of the Whonix software.
2) Whonix software related:
- Users downloading Whonix images, not doing digital signature verification. These should not get compromised.
- Users downloading Whonix images, doing digital signature verification. These should not get compromised.
- Users upgrading Whonix using the package manager. These should not get compromised.
- Users downloading Whonix source code (doing or not doing digital signature verification). These should not get compromised.
- That is, in case there was some legal order to backdoor Whonix, and/or to sign backdoored Whonix and/or to turn over signing keys.
Priorities:
- Whonix software is much more important than the whonix.org website.
Possible Solutions:
- A) Either make two sections in the canary. One for the whonix.org server and one for Whonix software. In case of a legal threat, drop one section. That however, seems very experimental legal wise.
- B) Exclude the whonix.org server as long as Whonix software is free of backdoors.
Canary re-wording consideration:
Change from
- No warrants have ever been served on the Whonix Project; for example, to hand out the private signing keys or to introduce backdoors.
to
Definition "artifact": Whonix software, Whonix downloads, Whonix source code
- The Whonix Project has never added any backdoor to any artifact.
- The Whonix Project has never turned over any signing key.
- The Whonix Project has never knowingly signed any artifact containing any backdoor.
- The Whonix Project has never weakened, compromised, or subverted any of its cryptography.
Bad idea upon reflection.
Probably going for it.
Draft - Warrant Canary Draft
Was modified:
Dev/Warrant Canary Draft: Difference between revisions - Whonix
Giving more time for comments and if there are no major issues, going to change the actual canary.
Implemented.
Warrant Canary Draft wording was updated to include both, Kicksecure and Whonix.