I try to think like an attacker constantly when looking at Whonix's design, and I factor in knowledge about side-channel attacks to lead me to accurate conclusions. Please understand that I am not criticizing Whonix by any means, but hope to give constructive advice.
- Part of whonixcheck relies on curl to query the clearnet for certain information.
- curl has a troubling history of security holes, some remotely exploitable.
- HTTPS connections are subject to MITM; this includes requests made by whonixcheck/curl to the clearnet.
- Having a massive 0day arsenal at their disposal, it's highly probable that the adversary is capable of exploiting curl.
- This could lead to both Whonix VMs being compromised through these channels out of the gate.
Recommendation:
TBB already does the checks curl does, but in a more secure way. Taking the points above into consideration, the hypothetical benefits of redundant checks for Tor usage do not justify the increased attack surface area.
For Tor-specific checks we can either rely on a mechanism that bootstraps off Torbutton* somehow, or completely remove these specific operations that depend on curl from whonixcheck:
+ Tor Bootstrap Status (if it only queries the gateway, then no risk)
+ downloads https://check.torproject.org with curl through extra SocksPort
+ downloads https://check.torproject.org with curl through TransPort
+ Tor Browser version
+ Whonix version and Whonix news
+ Pretty much anything curl/clearnet-related that does not connect to Tor directory authorities or signed Debian repos.
ref: systemcheck - Security Check Application
* TBB never checks check.tpo directly but relies on the small, vetted code of Torbutton to do so. It's definitely safer than curl's code.
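The "Tor Bootstrap Status" item in the list above is the one check that can be satisfied with no clearnet traffic at all: the gateway's own Tor daemon reports its bootstrap phase over the control port, so nothing has to be fetched with curl. The script below is an added illustration of that local-only approach; it is not code from the original post, from whonixcheck, or from the Whonix project. The control-port address (127.0.0.1:9051) and the cookie-file path are assumed placeholders, not Whonix's actual configuration. The reply format parsed here (`250-status/bootstrap-phase=... PROGRESS=... TAG=... SUMMARY="..."` followed by `250 OK`) is the documented Tor control protocol format; the two sample replies at the bottom are constructed, not captured from a real Tor instance.

```python
import re
import socket

# Added example: read Tor bootstrap status from the local ControlPort instead of
# fetching a clearnet page with curl. Host, port and cookie path below are
# assumptions for illustration, not Whonix's real settings.

BOOTSTRAP_RE = re.compile(
    r'^250-status/bootstrap-phase=(?P<severity>\w+) BOOTSTRAP '
    r'PROGRESS=(?P<progress>\d+) TAG=(?P<tag>\S+) SUMMARY="(?P<summary>[^"]*)"'
)


def parse_bootstrap_phase(reply):
    """Parse the reply to 'GETINFO status/bootstrap-phase'.

    Returns a dict with severity, progress (int), tag, summary and 'done'
    (True only at PROGRESS=100). Raises ValueError for anything that is not a
    well-formed 250 reply, so a truncated or garbled response is never
    mistaken for a successful bootstrap.
    """
    lines = [l.rstrip("\r") for l in reply.split("\n") if l.strip()]
    if not lines or lines[-1] != "250 OK":
        raise ValueError("control port reply did not end with '250 OK'")
    for line in lines:
        m = BOOTSTRAP_RE.match(line)
        if m:
            progress = int(m.group("progress"))
            return {
                "severity": m.group("severity"),
                "progress": progress,
                "tag": m.group("tag"),
                "summary": m.group("summary"),
                "done": progress == 100,
            }
    raise ValueError("no status/bootstrap-phase line in reply")


def bootstrap_done(reply):
    """Boolean convenience wrapper: malformed replies count as 'not done'."""
    try:
        return parse_bootstrap_phase(reply)["done"]
    except ValueError:
        return False


def _recv_until_final(sock):
    """Read control-port output until the final line of a reply.

    Continuation lines look like '250-...'; the final line has a space after
    the three-digit code ('250 OK', '515 Authentication failed', ...).
    """
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("control port closed the connection")
        buf += chunk
        text = buf.decode("ascii", errors="replace")
        last = text.rstrip("\r\n").split("\r\n")[-1]
        if len(last) >= 4 and last[3] == " ":
            return text


def query_bootstrap_phase(host="127.0.0.1", port=9051,
                          cookie_path="/run/tor/control.authcookie"):
    """Ask the local Tor daemon for its bootstrap phase (no clearnet traffic).

    Uses cookie authentication: the raw cookie bytes are sent hex-encoded.
    All three parameters are assumed defaults; adjust to the gateway's config.
    """
    with open(cookie_path, "rb") as f:
        cookie_hex = f.read().hex()
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(f"AUTHENTICATE {cookie_hex}\r\n".encode("ascii"))
        auth = _recv_until_final(sock)
        if not auth.startswith("250"):
            raise PermissionError(f"authentication failed: {auth.strip()}")
        sock.sendall(b"GETINFO status/bootstrap-phase\r\n")
        reply = _recv_until_final(sock)
        sock.sendall(b"QUIT\r\n")
    return parse_bootstrap_phase(reply)


# Constructed sample replies (not captured from a real Tor) for offline use.
SAMPLE_DONE = (
    '250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=100 TAG=done '
    'SUMMARY="Done"\r\n'
    '250 OK\r\n'
)
SAMPLE_PARTIAL = (
    '250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=45 '
    'TAG=requesting_descriptors SUMMARY="Asking for relay descriptors"\r\n'
    '250 OK\r\n'
)

if __name__ == "__main__":
    print(parse_bootstrap_phase(SAMPLE_DONE))
    print(parse_bootstrap_phase(SAMPLE_PARTIAL))
```

The point of the design is that the only network peer is the gateway's own Tor daemon on a local control socket, so an attacker sitting on the clearnet path never gets a request to tamper with, and the parser rejects anything that is not an exact `250 OK` reply rather than guessing.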