Whonix Warrant Canary

Actually it looks good now. +1


Can something be learned from…

?

Related: riseup.net likely compromised - #4 by anon36816226

At the time of writing, the Whonix warrant canary is valid. However, it’s time to address some issues that recently came to mind.

Problem: Potential Maintenance Lapses:

  • Re-signing the canary might happen too late. This hasn’t happened yet. It is pretty unlikely, as I usually do this whenever I re-sign the repository, and re-signing can be done at any point within the 4-week period to restart the 4-week period.
  • There is no indication at the moment whatsoever that this might happen, but it’s possible that in future, due to medical issues or an accident, I might be unable to re-sign the canary for a period of 4 weeks or longer. Should that ever happen, it should not forever shed doubt on the project, at least no more than is unavoidable.

Solution: Healing Warrant Canary

  • A passage could be added to the warrant canary stating that future signatures can heal previous maintenance lapses.

Warrant Canary Issues could be:

  • Canary signature expired. (No new signature was created within 4 weeks after the last signature.)
  • Canary disappeared.

Recommended User Action in Case of Warrant Canary Issues:

  • Disable Whonix repository.
  • Stop downloading Whonix releases.
  • Monitor situation.
  • Organize community in another place.
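A date-only freshness check for a periodically re-signed canary, written as an added example for this thread (it is not Whonix’s own tooling). It assumes a constructed `Signed: YYYY-MM-DD` line format and that the OpenPGP signature on the canary has already been verified separately (e.g. with `gpg --verify`); the 4-week period and the list of user actions come from the post above, and the `healing_clause` switch models the proposed passage that lets a later signature cover an earlier maintenance lapse.

```python
"""Warrant canary freshness check (added example, not Whonix's own code).

Assumptions: each re-signing is recorded on a 'Signed: YYYY-MM-DD' line
(a constructed format), and the cryptographic signature has already been
verified out of band; this code checks dates only.
"""
from datetime import date, timedelta

# The 4-week re-signing period from the thread: a signature dated D covers
# every day up to and including D + VALIDITY.
VALIDITY = timedelta(days=28)

# Constructed sample canary text; the dates are invented for this example.
SAMPLE_CANARY = """\
Example Warrant Canary (constructed sample, not the real canary)
Signed: 2024-01-05
Signed: 2024-01-30
Signed: 2024-03-20
Signed: 2024-04-10
"""


def parse_sign_dates(canary_text):
    """Return the sorted list of signing dates found on 'Signed:' lines."""
    dates = []
    for line in canary_text.splitlines():
        line = line.strip()
        if line.startswith("Signed:"):
            dates.append(date.fromisoformat(line.split(":", 1)[1].strip()))
    return sorted(dates)


def find_lapses(sign_dates):
    """Pairs (previous, next) where the next re-signing came more than VALIDITY later."""
    ordered = sorted(sign_dates)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b - a > VALIDITY]


def canary_status(sign_dates, today, healing_clause=False):
    """Classify the canary as seen on `today`.

    'missing'      no signature at all (canary disappeared)
    'future-dated' newest signature lies after today (clock skew or tampering)
    'expired'      newest signature is older than VALIDITY
    'lapsed'       currently fresh, but an earlier gap > VALIDITY was never healed
    'valid'        currently fresh; any earlier gap is covered by the healing clause
    """
    if not sign_dates:
        return "missing"
    latest = max(sign_dates)
    if latest > today:
        return "future-dated"
    if today - latest > VALIDITY:
        return "expired"
    if find_lapses(sign_dates) and not healing_clause:
        return "lapsed"
    return "valid"


def recommended_action(status):
    """Map a status to the user actions listed in the post above."""
    if status == "valid":
        return ["No action needed; re-check before the next 4-week period ends."]
    # missing, expired, future-dated or an unhealed lapse: treat the canary as failed
    return [
        "Disable Whonix repository.",
        "Stop downloading Whonix releases.",
        "Monitor situation.",
        "Organize community in another place.",
    ]


def check(canary_text, today_iso, healing_clause=False):
    """Convenience wrapper: (status, actions) for canary text on an ISO date."""
    today = date.fromisoformat(today_iso)
    status = canary_status(parse_sign_dates(canary_text), today, healing_clause)
    return status, recommended_action(status)


if __name__ == "__main__":
    for day in ("2024-04-20", "2024-05-20"):
        for healing in (False, True):
            status, actions = check(SAMPLE_CANARY, day, healing)
            print(f"{day} healing={healing}: {status} -> {actions[0]}")
```

In the constructed sample the gap between 2024-01-30 and 2024-03-20 is 50 days, so without a healing clause the canary reads as `lapsed` even though its newest signature is fresh; with the clause the same history is `valid`, and it flips to `expired` on the 29th day after the last signature. A future-dated signature is reported separately because it indicates clock skew or tampering rather than a maintenance lapse.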

https://www.cloudflare.com/learning/privacy/what-is-warrant-canary/

Enumerating Whonix project infrastructure we care about and in what circumstances its trustworthiness would be necessary:

1) whonix.org server related:

However, even if the whonix.org server were under complete surveillance, that would not wreck the functionality of the Whonix software.

2) Whonix software related:

  • Users downloading Whonix images, not doing digital signature verification. These should not get compromised.
  • Users downloading Whonix images, doing digital signature verification. These should not get compromised.
  • Users upgrading Whonix using the package manager. These should not get compromised.
  • Users downloading Whonix source code (doing or not doing digital signature verification). These should not get compromised.
  • That is, in case there was some legal order to backdoor Whonix, and/or to sign backdoored Whonix and/or to turn over signing keys.

Priorities:

  • Whonix software is much more important than whonix.org website.

Possible Solutions:

  • A) Either make two sections in the canary, one for the whonix.org server and one for Whonix software. In case of a legal threat, drop one section. That, however, seems very experimental legally.
  • B) Exclude the whonix.org server as long as Whonix software is free of backdoors.

Canary re-wording consideration:

Change from

  1. No warrants have ever been served on the Whonix Project; for example, to hand out the private signing keys or to introduce backdoors.

to

Definition “artifact”: Whonix software, Whonix downloads, Whonix source code

  • The Whonix Project has never added any backdoor to any artifact.
  • The Whonix Project has never turned over any signing key.
  • The Whonix Project has never knowingly signed any artifact containing any backdoor.
  • The Whonix Project has never weakened, compromised, or subverted any of its cryptography.

Bad idea upon reflection.

Probably going for it.

Draft - Warrant Canary Draft

Was modified:
Dev/Warrant Canary Draft: Difference between revisions - Whonix

Giving more time for comments and if there are no major issues, going to change the actual canary.

Implemented.

Warrant Canary Draft wording was updated to include both Kicksecure and Whonix.