Anonymity Operating System Comparison - Whonix vs Tails vs Tor Browser Bundle

From Whonix
Jump to navigation Jump to search

This page contains a detailed comparison of Whonix, Tails, Tor Browser, Qubes OS TorVM and corridor.

Introduction[edit]

Although Qubes' TorVM -- a dedicated ProxyVM providing torified networking to all clients -- is now deprecatedarchive.org, it has been kept for comparison purposes since it acted like Whonix-Gateway (sys-whonix). [1]

If any incorrect or outdated information is noted, the reader can either directly edit this page, or contact us and we will correct it as soon as possible. Also see the statement about the neutrality of this page.

Last Update[edit]

Table: Comparison Information Currency

Whonix Tailsarchive.org Tor Browserarchive.org Qubes OS TorVMarchive.org corridorarchive.org (tor-talkarchive.org)
Compared Version [2] 16.0.3.7 2.4 6.0 0.1.3 ?
Latest Version [3] 17.1.3.1 5.16.1 12.5.2 0.1.3 ?
Status This wiki page is up to date This wiki page is up to date This wiki page is up to date This wiki page is up to date This wiki page is up to date

General[edit]

Table: General Factors

Whonix Tails Tor Browser Qubes OS TorVM corridor
Focus on anonymity, privacy and security Yes Yes Yes Yes Yes
Type General purpose OS available as VM images and physical isolation Live DVD / Live USB / Live SDCard Portable browser General purpose OS, VM plugin for Qubes OS Tor traffic whitelisting gateway
Supported hardware x86 compatible and/or Virtual Machines + [4] x86 compatible and/or Virtual Machines Windows, Linux, Mac and Virtual Machines Any capable of running Qubes OS, see: System Requirementsarchive.org and HCLarchive.org Any Linux (?)
Based on Tor, Debian [5] and a Virtualizer [6] when not using Physical Isolation Tor, Debian Tor, Firefox Tor, Qubes OS, Fedora iptables, sh
Gateway and torify any operating system [7] Yes [8] Not a torifying Gateway Not a torifying Gateway Yes [9] Not a torifying Gateway
Live Mode Yes [10] Yes No No No
Live DVD No Yes No No No
Live USB No Yes No No No
USB bootable Yes [11] Yes Yes [11] Yes [11] Yes [11]
USB installer feature No [12] Yes [13] ? Yes No
Requires VirtualBox [14] No No No No No
Requires VMware [14] No No No No No
Requires Qubes OS [14] No No No Yes No
System requirements Higher Lower Lowest Highest Lowest
Can run in VirtualBox Yes Yes, but not recommended. [15] Well documented [16] Yes, but (?) No [17] No
Can run in VMware Yes, but not recommended and unsupported [18] Yes, but not recommended [15] Yes, but (?) No [19] No
Can run in Qubes OS Yes [20] Yes [21] Probably yes, but without security features provided by an Isolating Proxyarchive.org Yes Yes
Persistence [22] Full Optional for Live USB Yes [23] Full Full
Number of developers Multiple [24] Multiple Multiple Multiple One
Maturity Project since 2012 Project since 2009 [25] Project since 2002 [26] Project since 2012 (now deprecated) Project since 2014
Open source Yes Yes Yes Yes Yes
Non-anonymous developers [27] Yes No Yes Yes No (?)

Security[edit]

Network[edit]

Table: Network Security

Whonix Tails Tor Browser Qubes OS TorVM corridor
Responsibility for building Tor circuits Tor client running on Whonix-Gateway Tor client running on workstation Tor client running on workstation Tor client running on TorVM (Gateway) Tor client running behind corridor-Gateway
Protection against IP address / location discovery [28] on the Workstation [29] Yes [30] No [31] No [31] Yes No [32]
IP / DNS protocol leak protection Full [33] Depends [34] Depends [34] Full Depends
No need for the Workstation to trust the Gateway Yes Not a gateway Not a gateway Yes No
Takes advantage of entry guards [35] Yes No [36] Yes Yes Not applicable [37]
Takes advantage of vanguardsarchive.org, which protects against guard discovery and related traffic analysis attacks and fixes CVE-2020-8516 Hidden Service deanonymizationarchive.org. Yes [38] No [39] No No Not applicable [37]

Stream Isolation[edit]

Table: Stream Isolation

Whonix Tails Tor Browser Qubes OS TorVM corridor
Stream isolation [40] Yes [41] Yes [42] Yes [43] [44] Manually [45] Yes
Enforces stream isolation when one of X Workstations behind the same Gateway is compromised in the default configuration [46] Not a gateway Not a gateway Yes [49] Yes [37]
Stream isolation in Tor Browser Yes Yes Yes ? ?

Updates[edit]

Table: Updates

Whonix Tails Tor Browser Qubes OS TorVM corridor
Operating system updates Persist once updated Incremental upgrades [50] Persist once updated Persist once updated Persist once updated
Update notifications Yes [51] Yes Yes Yes ?
Important news notifications Yes [52] Yes [53] ? [54] ? ?
APT unreliable exit code security workaround [55] Yes [56] ? ? ? ?

Hardware Serials[edit]

Table: Hardware Serials

Whonix Tails Tor Browser Qubes OS TorVM corridor
Hides hardware serials from malicious software with default settings Yes [57] No [58] No [58] Yes No [58]
Hides hardware serials from malicious software when additional hardware is assigned No No No No No
No collection of hardware serials Yes Yes Yes Yes Yes
Hides the MAC address from websites Invalid [59] Invalid [59] Invalid [59] Invalid [59] Invalid [59]
Hides the MAC address from the local LAN [60] No, see footnote [61] Yes [62] No Yes, but not enabled by default [63] Not applicable
Hides the MAC address from applications Yes [64] No No Yes, by default, unless... [65] Not applicable
Defeats advanced Wi-Fi device tracking [66] [67] No [68] [69] No No No [70] Not applicable

Forensics[edit]

Table: Forensic Issues

Whonix Tails Tor Browser Qubes OS TorVM corridor
Amnesic Yes [73] No [74] ? [75] Not applicable [76]
Local disk encryption Should be applied on the host Yes, for a persistent USB Should be applied on the host Should be applied on the host Should be applied on the host
Cold boot attack protection [77] No - should be applied on the host Yes No - should be applied on the host No [78] No - should be applied on the host

Download Security[edit]

Whonix Tails Tor Browser Qubes OS corridor
Onion Yes No Yes Yes [79] No
TLS (SSL) [80] Yes Yes Yes Yes Unneeded
OpenPGP signatures available Yes Yes Yes Yes Yes
Signify signatures available Yes No No No No
Codecrypt (Post-Quantum Cryptography Resistant) signatures available Planned No No No No
Server not under control of hosting provider [81] No No No No No

Verifiable Builds[edit]

Table: Verifiable Builds Comparison

Whonix Tails Tor Browser Qubes OS TorVM corridor
Deterministic builds [82] No No (planned) [83] Yes [84] No Not applicable [85]
Based on a deterministically built [82] operating system No [86] No [86] Not applicable No [86] No [86]
Verifiably no backdoor in the project's own source code Invalid [87] Invalid [87] Invalid [87] Invalid [87] Invalid [87]
Verifiably vulnerability-freearchive.org No [88] No [88] No [88] No [88] No [88]
Verifiably no hidden source code [89] in upstream distribution / binaries [90] No [91] No [91] No [91] No [91] No [91]
Project's binary builds are verifiably created from project's own source code (no hidden source code [89] in the project's own source code) No (deprecated) [92] No Yes No Not applicable [85]

Fingerprint[edit]

Table: Fingerprinting Issues

Whonix Tails Tor Browser Qubes OS TorVM corridor
Network / web fingerprint Whonix fingerprint page Tails fingerprint pagearchive.org TBB traffic is tunneled through Tor. Host traffic passes over clearnet ? ?
Network fingerprint: ISP cannot trivially guess the project type [93] Yes Yes Yes No [94] Yes
Network fingerprint: ISP cannot guess that a non-persistent Tor directory is in use Yes No [95] Yes Yes Yes
Clearnet traffic All Whonix-Gateway and Whonix-Workstation traffic is tunneled through Tor. Host traffic [96] uses clearnet None, unless other users sharing the same internet connection are not using Tails TBB traffic is tunneled through Tor. Host traffic [97] uses clearnet The gateway is not torified, therefore emitting clearnet traffic [98] The gateway is not torified, therefore emitting clearnet traffic
Network fingerprint: ISP cannot guess which anonymity software is in use due to the ratio of Tor and clearnet traffic Unknown [99] The ISP can guess a Tor live system is in use, unless... [100] ? Not applicable [101] ?
Network fingerprint: ISP cannot guess which anonymity software is in use because of tordatearchive.org [102] Yes, does not include tordate No, if the clock is grossly inaccurate when booting [102] No, not an operating system Yes, does not include tordate Yes, does not include tordate
Web fingerprint [103] Same as TBB [104] Not the same as TBB [105] TBB [106] Does not include Tor Browser [107] [108] Not applicable
Unsafe browser fingerprint [109] [110] [111] ? ? ?
Network time synchronization runs at randomized times during the session Yes [112] [113] Does not continuously run network time synchronization Not an operating system, does not include network time synchronization Does not include network time synchronization Does not include network time synchronization
Connection wizard prevents unwanted / accidental connections to the public Tor network [114] Yes Yes ? ? ?
Includes Tor Browser from The Tor Project Yes Yes + patches Yes No No
Privacy-enhanced browser [115] Yes, Tor Browser Yes, Tor Browser + patches [116] [105] Yes, Tor Browser No Not applicable
Secure distributed network time synchronization Yes [117] Yes [118] No No No
Hides the time zone (set to UTC) Yes Yes Yes No Not applicable
Hides the operating system account name [28] [29] [119] Yes, set to user Yes, set to amnesia No Yes, set to User Not applicable
Secure gpg.conf [120] [121] Yes Yes Not an operating system Not an operating system Not an operating system
Privacy-enhanced IRC client configuration Yes Yes Not an IRC client Not an operating system Not an IRC client
Keystroke Anonymization No No Not an operating system Not an operating system
Implement TCP ISN CPU Information Leak Protectionarchive.org to prevent de-anonymization of Tor onion servicesarchive.org by installing Tirdad kernel module for random ISN generationarchive.org. No No Not an operating system Not an operating system

Miscellaneous[edit]

Table: Miscellaneous Issues

Whonix Tails Tor Browser Qubes OS TorVM corridor
A warning appears when run in an unsupported / unrecommended virtualizer Yes Yes Unnecessary (?) Invalid (?) [124] Not applicable
Security and anonymity check Yes [125] ? ? ? ?

Hardening[edit]

Table: Security Hardening

Whonix Tails Tor Browser Qubes OS TorVM corridor
AppArmor [126] is enabled by default Yes ? ? ? ?
AppArmor profiles are enabled by default Partial [127] ? ? ? ?
Kernel Hardening through Kernel Boot Parameters
  • Qubes-Whonix: No [128]
  • Non-Qubes-Whonix: Yes [129]
? ? ? ?
Strong Linux User Account Separation
  • Qubes-Whonix: No [130]
  • Non-Qubes-Whonix: Yes [131]
? ? ? ?
Protection against Bruteforcing Linux User Account Passwords
  • Qubes-Whonix: No [132]
  • Non-Qubes-Whonix: Yes
? ? ? ?
security-miscarchive.org (Kernel Hardening; Improve Entropy Collection; Enhances Misc Security Settings; ...) Yes ? ? ? ?
SUID Disabling and Permission Hardening Planned. ? ? ? ?
secure mount optionsarchive.org Planned. ? ? ? ?
Console Lockdown Yes ? ? ? ?
hardened-kernel Planned. ? ? ? ?
apparmor.darchive.org (AppArmor for everything. APT, systemd, init, all systemd units, all applications. Mandatory Access Control. ) Planned. ? ? ? ?

Flash / Browser Plugin Security[edit]

Info Installing browser plugins such as Flash is not recommended [133] when anonymity is the goal.

Table: Flash and Browser Plugins Security

Whonix-Workstation Tor on the Host
Proxy bypass IP leak Protected Insecure, leads to deanonymization
Protocol IP leak Protected Insecure, leads to deanonymization
Flash cookies Reduces anonymity to pseudonymity. It is recommended to delete Flash cookies Flash activity over clearnet and Tor can be linked, which leads to deanonymization (or a significant reduction in the anonymity set) if the skew is large and rare. Flash is also useful for additional fingerprinting, which has an adverse impact [134]
Number of installed fonts The number of fonts inside Whonix-Workstation (anon-whonix) and the host (clearnet) operating system will differ, which is good for anonymity The same fonts are reported for both clearnet and Tor Flash activity, which is harmful to anonymity [134]
Exact flash player version The Flash version is shared among many users, [135] which is good for anonymity, since it reduces the impact of fingerprinting. The version is also probably different from the host (clearnet) operating system, which is beneficial The same version is reported for Flash activity over both clearnet and Tor, which is harmful to anonymity [134]
GNU/Linux kernel version This version is shared among many people, [135] which is good for anonymity, since it reduces the impact of fingerprinting The same version is reported for Flash activity over both clearnet and Tor [134]
Language Set to en_US for all Whonix users Set to the user's local language setting. This is useful for fingerprinting, since it leads to anonymity set reduction [134]
Exact date and time This differs from the host (clearnet) operating system, which is beneficial (see TimeSync for details) The same time / clockskew is reported for both clearnet and Tor Flash activity, which is harmful to anonymity [134]
Exact screen resolution and DPI ? The same screen resolution and DPI is reported for both clearnet and Tor use, which is harmful to anonymity [134]
Full path to the Flash plugin This is shared among many people, [135] which is good for anonymity Depends on the host (clearnet) operating system. In the worst case it could contain the operating system user name, which is fatal if it is the user's actual name. The same path to the Flash plugin is reported for both clearnet and Tor use, which is harmful to anonymity [134]
Other factors [136] Assume reduction from anonymity to pseudonymity Greater possibilities for fingerprinting and linkage of activities, which is harmful to anonymity [134]
Conclusion A user's IP address / location / identity will remain hidden inside Whonix-Workstation (anon-whonix), but it is assumed to be pseudonymous rather than anonymous Flash over Tor -- on the host, without software like Whonix -- is completely unsafe. If Flash is ever used over clearnet, linkage of activities is possible. In the worst case scenario, assume the strong Flash fingerprint can lead to full deanonymization

For further information about using Flash and other browser plugins in Whonix, see here.

Attacks[edit]

Circumventing Proxy Obedience Design[edit]

Introduction[edit]

This section presupposes the user is familiar with:

  • The security comparison of different Whonix variants.
  • Unsafe Browser: Tails and Liberte Linux package a so-called "Unsafe Browser". The Unsafe Browser does not use Tor, but instead connects in the clear. It is useful for hotspot registration or for viewing clearnet content without Tor.
  • Feasible exploits against a physically isolated Whonix-Gateway: this is difficult when the Whonix-Gateway is running in a bare metal configuration. The reason is that only Whonix-Workstation has access to Tor running on Whonix-Gateway. [137]

Whonix protects against discovery of a user's IP address / location via a successful root exploit (Malwarearchive.org with root rights) on the Whonix-Workstation (anon-whonix). [29] Users should not deliberately test this feature and risk becoming infected with malware, since all the data inside Whonix-Workstation (anon-whonix) would become available to the attacker.

Whonix is not a perfect or unbreakable system, nor can it ever be. However, Whonix does raise the bar for attackers, meaning greater effort and skill is needed to discover the user's real IP address and successfully deanonymize them. The following table summarizes the defense-in-depth provided by the Whonix design.

Terms that are used in the following table are defined below:

  • TBB: Tor Browser Bundle.
  • Fail: the IP address / location of the user is compromised.
  • Safe: the IP address / location of the user is hidden behind Tor.

Overview[edit]

Table: Proxy Circumvention Threats

Attack Whonix Default Whonix Physical Isolation Tails Tails in a VM TBB TBB in a VM Qubes OS TorVM corridor
1. Proxy bypass IP leak [138] Safe [139] Safe [139] Safe [139] Safe [139] Fail Fail Safe Safe
2. Protocol IP leak [140] Safe [141] Safe [141] Fail Safe [142] Fail Safe [142] Safe Safe [142]
3. Exploit [143] [144] Safe Safe Fail [145] Fail [145] Fail Fail Safe Fail
4. Exploit + root exploit [143] [146] Safe Safe Fail [145] Fail [145] Fail Fail Safe Fail
5. Root exploit [143] [147] Safe Safe Fail [145] Fail [145] Fail Fail Safe Fail
6. Exploit + VM exploit [148] [149] Fail Safe Fail Fail Fail Fail Fail Fail
7. Exploit + VM exploit + exploit against physically isolated Whonix-Gateway [150] Fail Fail Fail Fail Fail Fail Fail Fail
8. VM exploit [151] Fail Safe Safe Fail Safe Fail Fail, see [152] Fail
9. VM exploit + exploit against physically isolated Whonix-Gateway [153] Fail Fail Safe Fail [154] [155] Safe Fail [154] [155] Fail, see [152] [154] [155] Fail
10. Exploit against Tor process [156] Fail [157] Fail [157] Fail Fail Fail Fail Fail Fail
11. Attack against the Tor network [158] Fail Fail Fail Fail Fail Fail Fail Fail
12. Backdoor [159] [82] Fail Fail Fail Fail Fail Fail Fail Fail
13. Onion service domain name security after server software exploit Safe [160] Safe [160] Fail [161] Fail [161] Not an operating system Not an operating system ? [162] Fail

Network Time-related[edit]

Introduction[edit]

This section presupposes the user is familiar with:

Terms that are used in the following table are defined below:

  • (VM host) update/crypto block: prevention of (VM host) operating system updates and cryptographic verification such as TLS (SSL) in the (VM host) browser.
  • u/c-block: update/crypto block.
  • Tor blocked: prevention of connections to the Tor network until the clock is manually fixed.
  • Big clock skew: more than 1 hour in the past or more than 3 hours in the future. [163]
  • Small clock skew: less than 1 hour in the past or less than 3 hours in the future. [163]

Overview[edit]

Table: Network Time-related Issues

Whonix Default Whonix Physical Isolation Tails Tails in a VM TBB TBB in a VM Qubes OS TorVM
VM host time synchronization mechanism NTP Gateway: there is no VM host. Workstation host: NTP There is no VM host. Same as the operating system synchronization mechanism NTP There is no VM host NTP NTP
Operating system synchronization mechanism sdwdate sdwdate tordate and tails_htp tordate and tails_htp NTP NTP ?
Effect of a grossly inaccurate clock Tor blocked Tor blocked tordate fixes the clock tordate fixes the clock Tor blocked Tor blocked Tor blocked
VM host time differs from operating system time Yes [164] Yes [164] There is no VM host Yes [165] No [166] Possibly [167] No
Unsafe browser time differs from torified browser time [168] Yes [164] Yes [169] No [170] No [170] No [166] Possibly [167] No
Large clock skew attack against NTP [171]: VM host effects u/c-block VM host u/c-block There is no VM host VM host u/c-block There is no VM host VM host u/c-block u/c-block
Large clock skew attack against NTP [171]: operating system effects Tor blocked Tor blocked [172]; tordate fixes the clock skew [172]; tordate fixes the clock skew Tor blocked; u/c block Tor blocked; u/c block Tor blocked
Fingerprintable reaction [173] when a large clock skew attack is used No, fails identically to TBB No, fails identically to TBB Probably yes, see the fingerprint section above Probably yes, see the fingerprint section above TBB TBB No
Small clock skew attack against NTP [171], VM host effects: VM host u/c block (?) VM host u/c block (?) There is no VM host VM host u/c block (?) VM host u/c block (?) VM host u/c block (?) VM host u/c block (?)
Small clock skew attack against NTP [171], operating system effects: Whonix VMs: sdwdate fixes the clock skew sdwdate fixes the clock skew VM: tails_htp fixes the clock skew tails_htp fixes the clock skew If the user visits a page monitored by an adversary, they will know who is connecting [174] If the user visits a page monitored by an adversary, the will know who is connecting [174] If the user visits a page monitored by an adversary, they will know who is connecting [174]

Usability[edit]

Table: Overall Usability

Whonix Tails Tor on the Host Qubes OS TorVM corridor
Difficulty: installing additional software while the IP address remains hidden [175] Easy [176] Moderate [177] Difficult [178] Easy Moderate
Difficulty: installation of the base anonymity software Easy Easy Easy Difficult [180]
Required knowledge to prevent serious user error [181] Difficult Difficult Difficult Difficult Difficult
Pre-installed applications Wide selection Wide selection None Not applicable Not applicable
Grossly inaccurate host clock No connection to the Tor network until the clock is manually fixed Uses tordatearchive.org to fix the clock No connection to the Tor network until the clock is manually fixed No connection to the Tor network until the clock is manually fixed ?
Comprehensive documentation Yes [182] Yes [183] ? ? ?
Disable power savings in VMs Yes [184] No, but there is no sleep mode ? ? ?

Features[edit]

Table: Features

Whonix Tails Tor Browser Qubes OS TorVM
Default desktop Xfce GNOME Whatever the user has installed. Not an operating system Xfce
Multi-language support No Yes Yes ?
Fits on a DVD No Yes Not an operating system ?
VPN support: userVPNTordestination Manual configuration is required [185] No [186] Possibly can be manually installed (?) Yes
VPN support: userTorVPNdestination Manual configuration is required [185] No [186] ? Yes [187]
VPN support: userVPNTorVPNdestination Manual configuration is required [185] No [186] ? Yes
IRC client pre-configured for privacy No Yes (Pidgin) [188] Not an operating system No
Flash support Manual installation is required [189] No, but HTML5 videos are functional [190] Manual installation is required ?
Ricochet IM [191] [107] No [192] Unsupported, but can be manually installed [193] Not applicable ?
FTP support Partial [194] No (?) [195] Not an operating system ?
Download manager Manual installation is required [196] Manually installation is required [197] ? ?
Webmail can be used in the browser Yes Yes Yes Yes
Email client Thunderbird Thunderbird ? ?
Hidden service support Manual configuration is required [198] Manual configuration is required [199] ? ?
Hidden server configuration GUI No No [200] ? ?
Support for free Wi-Fi hotspots Yes [201] Yes [202] Yes [203] ?
Video / streaming software Manual installation is required Some applications are included, more can be manually installed Not an operating system Manual installation is required
Control port filter proxy Yes [204] Yes No No
TBB about:tor success message Yes ? ? ?
Functional new identity option in Tor Button Yes [205] Yes [206] [205] Yes [205] ?
Default browser set to Tor Browser Yes Yes (?) Not applicable ?
File / link open confirmation Yes ? ? ?
I2P over Tor Manual installation and configuration is required [207] ? Not an operating system Manual installation is required (?)
RetroShare over Tor Manual installation is required [208] ? Not an operating system Manual installation is required (?)
Shared folder help Yes [209] [210] [211] ? ? ?
Higher boot resolution Yes [212] ? ? ?
Verbose boot output Yes [213] ? ? ?
RAM-adjusted desktop starter Yes [214] [215] ? ? ?

Circumvention[edit]

Table: Censorship Circumvention Options

Whonix Tails Tor Browser Qubes OS TorVM corridor
obfs4 Yes [216] Yes Yes ? ?
meek Yes [217] Yes [218] Yes ? ?
Snowflake Yes [219] [220] No [221] Yes ? ?
Other Censorship Circumvention Tools ? ? ? ? ?

Statement about Neutrality of this Page[edit]

General[edit]

An impartial comparison of anonymity platforms and tools is difficult, since contributors to this page are most likely Whonix users. Regardless, an imperfect comparison page is better than none at all. The reader should bear in mind that this wiki content might have been anonymously posted elsewhere, such as Wikipedia. The contributors to this page have decided to attach their pseudonyms.

Anonymous edits are allowed and are generally published within a short time frame. Readers who notice any mistakes can immediately edit the page. This entire article is published under a Free (as in speech) license (GPLv3+). [222]

Different Views[edit]

Opinions should always be expressed carefully, particularly when analyzing the merits and weaknesses of other software projects. A range of different opinions already exist on this exact issue. Interested readers can refer to the following resources or add their own:

Systems Omitted from the Comparison[edit]

The following software platforms were not considered in this comparison, but may be included in the future: [223]

See Also[edit]

Footnotes[edit]

  1. The Qubes website states:

    If you are interested in TorVM, you will find the Whonix implementation in Qubes a more usable and robust solution for creating a torifying traffic proxy.

  2. At the time of last comparison.
  3. Most recent stable version.
  4. Custom-Workstation: self-made builds can run on any real or virtual hardware so long as they are behind a Whonix-Gateway (sys-whonix). Tor Browser binaries are limited to a handful of platforms - Windows, Linux, BSD and Mac.
  5. Whonix-Workstation (whonix-workstation-17): Other Operating Systems are also supported. With respect to Whonix-Gateway (whonix-gateway-17), developers are agnostic about supporting any other secure distributions. Of course another operating system could be used as the base, but it requires significant effort.
  6. The default downloads are for VirtualBox, but this is subject to change in the future. Physical Isolation is an optional security feature for advanced users. Experimental, optional support is available for VMware. Images can be built for other virtualizers, but it requires some work, see: Other Virtualization Platforms.
  7. For advanced users.
  8. See Other Operating Systems.
  9. See also HVMarchive.org.
  10. Qubes-Whonix: Disposables
  11. 11.0 11.1 11.2 11.3 Users can install the host operating system on a USB.
  12. Whonix does not have a fully-featured USB installer. Installing the operating system on a USB is recommended, but the decision is left to the user.
  13. Tails has a professional USB installer.
  14. 14.0 14.1 14.2 This has a neutral blue color, because the project dictates whether or not a specific virtualizer is required.
  15. 15.0 15.1 https://tails.boum.org/contribute/design/virtualization_support/archive.org
  16. https://tails.boum.org/doc/advanced_topics/virtualization/archive.org
  17. This has a red color because it raises the bar for new users, who must expend significant effort to try it.
  18. This is only available as an experimental proof of concept, see: VMware. It is not recommended because VMware is closed source software. Whonix developers do not support or test this configuration.
  19. This has a neutral color because Qubes OS is open source, while VMware is closed source and should therefore be discouraged.
  20. Qubes-Whonix.
  21. https://github.com/Qubes-Community/Contents/blob/master/docs/privacy/tails.mdarchive.org
  22. Custom installed applications and user data can be stored and survive reboot.
  23. Depending on a user's settings, bookmarks and passwords can be saved, and downloaded files retained.
  24. See Contributors.
  25. https://en.wikipedia.org/wiki/Tails_%28operating_system%29archive.org
  26. https://en.wikipedia.org/wiki/Tor_browserarchive.org
  27. This matters because until Deterministic Builds become standard, (non-)anonymous developers might imply trust. A project's reputation, formal education and expertise are other relevant factors.
  28. 28.0 28.1 Protection from root exploits, specifically malwarearchive.org with root rights.
  29. 29.0 29.1 29.2 The Workstation is where the browser, IRC client and other user applications are run. The Gateway is where Tor and the firewall are running.
  30. Whonix protects against IP address / location discovery through root exploits (malwarearchive.org with root rights) inside Whonix-Workstation (anon-whonix), although this feature should not be unnecessarily tested. Successful attacks by adversaries cannot yield the user's real IP address / location, because Whonix-Workstation (anon-whonix) can only connect through the Whonix-Gateway (sys-whonix). More skill is required to compromise Whonix due to its design; also see attacks on Whonix.
  31. 31.0 31.1 If Tails is compromised by a root exploit, the adversary can simply bypass the firewall to discover the user's real IP address.
  32. corridor is not designed for that purpose. A compromised application could contact a colluding Tor relay.
  33. IP / DNS leaks are impossible in Whonix, since Whonix-Workstation (anon-whonix) is unaware of its external IP address.
  34. 34.0 34.1 Please read how Whonix protects against realistic threats first. IP leaks are possible in Tails if applications are configured incorrectly or have a critical bug - this similarly applies to the Tails platform itself. The Tails Security Pagearchive.org notes:

    Until an auditarchive.org of the bundled network applications is done, information leakages at the protocol level should be considered as - at the very least - possible.

  35. https://support.torproject.org/#about_entry-guardsarchive.org
  36. https://gitlab.tails.boum.org/tails/blueprints/-/wikis/persistent_Tor_state/archive.org
  37. 37.0 37.1 37.2 Since the responsibility for building Tor circuits falls on clients running behind corridor-Gateway.
  38. vanguards
  39. Similar to above because it requires persistent Tor entry guards.
  40. Stream isolation provides protection against identity correlation through circuit sharing.
  41. For further details, see stream isolation.
  42. Separate Tor streams in Tailsarchive.org.
  43. Ever since the following ticket was implemented: Tor Browser should set SOCKS username for a request based on refererarchive.org.
  44. Tor Browser comes with its own Tor instance. It is just a browser, not a live system or an operating system.
  45. The user must configure applications manually to use stream isolation. In Whonix, all applications that are installed by default (like curl, wget, ssh, tbb, and others) are configured to use their own SocksPort. Tails also has this feature, but it is not as extensive as Whonix. When QubesOS TorVM was last checked, it did not provide stream isolation.
  46. This is relevant when workstations x1, x2, ..., xn are all running behind the same gateway y.
  47. See: IP spoofing protection.
  48. A user can either run Multiple Whonix-Gateway or configure an encrypted and/or authenticated connection between the Whonix-Gateway and Whonix-Workstation.
  49. See: https://groups.google.com/d/msg/qubes-devel/le7-Rrq6yxY/k_fQdSTzvLAJarchive.org
  50. See https://tails.boum.org/contribute/design/upgrades/#index5h3archive.org
  51. See systemcheckarchive.org, Whonix news.
  52. See Whonix news.
  53. A GNOME libnotify notification pops up with a link and offers the user an opportunity to subscribe to news by email.
  54. This might be possible via the browser's https://check.torproject.orgarchive.org function. This was never implemented, even after old Tor Browser bundles became a popular exploitarchive.org.
  55. See security issues when using apt update in scripts.
  56. The systemcheckarchive.org function check_operating_systemarchive.org uses /usr/libexec/security-misc/apt-get-updatearchive.org.
  57. See Protocol-Leak-Protection and Fingerprinting-Protection for details.
  58. 58.0 58.1 58.2 By default this information is not sent to anyone. It is only at risk when the machine is compromised by malware.
  59. 59.0 59.1 59.2 59.3 59.4 The design of assigned MAC addresses means that destination servers cannot see them. Therefore yes, they are always hidden from destination servers.
  60. This is a realistic threat considering some ISPs are based on LANs, which means they can see the MAC addresses of their clients. Hotspots can also see the MAC addresses of connected devices.
  61. Please read Whonix in public networks / MAC Address.
  62. Tails spoofs the MAC address. This feature can be easily disabled.
  63. https://github.com/Qubes-Community/Contents/blob/master/docs/privacy/anonymizing-your-mac-address.mdarchive.org
  64. The virtual MAC address for Whonix-Gateway internal network interface (eth1) is shared among all Whonix users, because Whonix-Workstation can see it. However, Whonix-Workstation cannot see the MAC address of Whonix-Gateway external network cards (eth0).
  65. Unless a physical network card is assigned to the virtual machine.
  66. Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanismsarchive.org
  67. A Passive Technique for Fingerprinting Wireless Devices with Wired-side Observationarchive.org
  68. https://forums.whonix.org/t/your-mac-address-randomization-attempts-are-futilearchive.org
  69. MAC Address Introduction
  70. https://github.com/QubesOS/qubes-issues/issues/2361archive.org
  71. Disposables are not amnesic in their current form, as traces of activity may be left on storage media or in RAM.
  72. There are no special measures to limit what is written to disk because Whonix acts like an ordinary operating system. A non-exhaustive list of user activity includes: user created files, backup files, temporary files, swap, chat history, browser history and so on. Whonix is also unable to prevent host memory swapsarchive.org to the host disk (see also: virtual memoryarchive.org). Mitigating this threat requires following the recommendation to use multiple VM snapshots and applying full disk encryption on the host. There is a security-usability trade off here: greater persistence allows Whonix to remain fully-featured and enables users to easily install additional software.
  73. Tails is amnesic by design.
  74. Although Tor Browser is designedarchive.org to prevent browser activity leaking to disk, the implementation could be faulty, or swap might still leak. Also see The Tor Project blog post Forensic Analysis of Tor on Linuxarchive.org and the full pdf resultsarchive.org.
  75. A Disposablearchive.org could be used with a TorVM. For a discussion of TorVM anti-forensics features, see Disposable versus local forensics?archive.org.
  76. corridor-Gateway itself is not amnesic. The amnesic feature must be implemented by the workstations (and possibly gateways) behind corridor-Gateway.
  77. See Cold boot attackarchive.org.
  78. https://github.com/QubesOS/qubes-issues/issues/716archive.org
  79. Mirror by unman: https://www.qubes-os.org/news/2019/04/17/tor-onion-services-available-again/archive.org
  80. Having TLS (SSL) supported mirrors may seem like an oxymoron. The common practice is to assume that mirrors are not to be trusted. Even if the mirror owners were trusted persons, it is still an open question how good their server security is. Even if their server security is exceptional, mirrors are generally also hosted in hosting companies and we cannot trust those. However, not all adversaries have extensive capabilities like being capable of mounting man-in-the-middle attacks, breaking server security or forcing the hosting company to turn over the keys and so on. Users who do not use verification are still better off downloading from a TLS supported mirror. Therefore, TLS protected mirrors work well against less sophisticated adversaries. In terms of numbers, this results in fewer users potentially ending up with maliciously altered downloads.
  81. It would also be safer if the download server was under the full control of the developers and not under control of a company, the hosting provider. Unfortunately that is not how things work today. Self-hosting is very expensive, requires a fast internet connection (home user contracts are not fast enough), and adequate physical security. Even the servers of The Tor Project are not hosted in a developer's home. This is being elaborated in chapter Trusting the Whonix Website.
  82. 82.0 82.1 82.2 Open Source software does not automatically prevent backdoorsarchive.org, unless the user creates their own binaries directly from the source code. People who compile, upload and distribute binaries (including the webhost) could add hidden code, without publishing the backdoor. Anybody can claim that a certain binary was built cleanly from source code, when it was in fact built using the source code with a hidden component. Those deciding to infect the build machine with a backdoor are in a privileged position; the distributor is unlikely to become aware of the subterfuge. Deterministic builds can help to detect backdoors, since it can reproduce identical binary packages (byte-for-byte) from a given source. For more information on deterministic builds and why this is important, see:
  83. See Tails Roadmaparchive.org.
  84. See Deterministic Builds Part One: Cyberwar and Global Compromisearchive.org and Deterministic Builds Part Two: Technical Detailsarchive.org.
  85. 85.0 85.1 corridor only uses shell scripts.
  86. 86.0 86.1 86.2 86.3 To be fair, there are no deterministically built operating systems yet. It is a difficult process and takes a lot of effort to complete. While Debian has around 25,000 reproducible packagesarchive.org in mid-2021, this work has been ongoing since 2013 and is far from done.
  87. 87.0 87.1 87.2 87.3 87.4 The first form of backdoorarchive.org is a vulnerabilityarchive.org (bug) in the source code. Vulnerabilities are introduced either purposefully or accidentally due to human error. Following software deployment, an attacker may discover the vulnerability and use an exploitarchive.org to gain unauthorized access. Such vulnerabilities can be cleverly planted in plain sightarchive.org in open source code, while being very difficult to spot by code auditors. Examples of this type of backdoor include: The second form of backdoor is adding the full code (or binary) of a trojan horsearchive.org (computer virus) to the binary build, while not publishing the extra source code and keeping it secret. This process can only be detected with deterministic builds.
    It is therefore impossible to claim that non-trivial source code is backdoor-free, because backdoors can be hidden as vulnerabilities. Auditors scrutinizing the source code can only state an opinion about the quality of the source code, and eventually report vulnerabilities if/when they are identified. Assertions that source code is free of computer viruses (like trojan horses) is the only reasonable assertion that can be made.
  88. 88.0 88.1 88.2 88.3 88.4 Although theoretically possible, there are no mathematically proven bug-freearchive.org operating systems yet.
  89. 89.0 89.1 Hidden source code is defined as code which is added by an adversary. They may have: compromised a build machine, conducted compiling prior to the binary build process, or be responsible for building the actual binary. The secret source code will remain unpublished and it will appear (or be claimed) that the software was built from the published source code. Reliably detecting such hidden code - added on purpose or due to build machine compromise - requires comparison with deterministic builds, which are discussed above. Other methods like watching network traffic are less reliable, since a backdoor can only be spotted when it is used. Backdoors are even less likely to be found through reverse engineeringarchive.org, because very few people are using a disassemblerarchive.org.
  90. The upstream distribution is the distribution on which the project is based. Whonix and Tails are based on Debian, thus Debian is their upstream distribution. QubesOS TorVM is based on Qubes OS, which is itself based on Fedora and Xen.
  91. 91.0 91.1 91.2 91.3 91.4 No, since the upstream software is not deterministically built. See above to learn about deterministic builds
  92. See verifiable builds.
  93. To discover if Whonix, Tails or TBB is running.
  94. Because TorVM's own traffic is not torified.
  95. Tails does notarchive.org support persistent entry guardsarchive.org yet.
  96. Operating system updates, use of a host browser and so on.
  97. Operating system updates, use of an untorified second browser and so on.
  98. Due to package selection, it will probably also reveal that it is an Qubes OS TorVM.
  99. Whonix users might tend to have more traffic than TBB users, as operating system updates of Whonix-Workstation (whonix-workstation-17) and Whonix-Gateway (whonix-gateway-17) take place over Tor. It is unknown if the data volume is specific enough to guess a transparent or isolating proxy is in use, or if a significant proportion of other Tor users route a large amount of traffic through Tor (to help disguise Whonix users). Research prior to the foundation of Whonix suggested that a large amount of file sharing occurred via Tor. Classical file-sharing is likely to have far greater upload than Whonix, but it is unclear how many people have disabled upload settings or moved to methods which have minimal upload, such as file hosters.
  100. The unsafe browser is in use, or other people are sharing the same Internet connection who are not using Tails.
  101. See above: Network fingerprint: ISP cannot trivially guess the project type.
  102. 102.0 102.1 The Tails Design about Time syncingarchive.org states:

    Our initial time guess based on the Tor consensus is probably easier to fingerprint, though: a fresh Tor is started, and restarted again right after the consensus has been downloaded.

  103. Fingerprint for the websites that are visited.
  104. Whonix uses the original Tor Browser from The Tor Project, with the only difference being Tor runs on Whonix-Gateway instead of using the locally shipped Tor.
  105. 105.0 105.1 Refer to the following Tails resources for the latest status update: (fingerprint) for the websites that you are visitingarchive.org, evaluate web fingerprintarchive.org and Tails: Trying to hide the fact one is using Torarchive.org.
  106. This is the original Tor Browser Bundle from torproject.org.
  107. 107.0 107.1 While preventing Tor over Tor, which is recommended.
  108. This could probably be installed manually, but users are generally not aware of fingerprinting issues. Further, they usually have trouble in using Tor Browser without the bundled Tor instance - which is of course recommended to prevent Tor over Tor scenarios.
  109. Tails and Liberte Linux contain a so called "Unsafe Browser". The Unsafe Browser does not use Tor and it connects in the clear. It is available on these platforms because it is useful for registering on hotspots or for general (non-anonymous) browsing purposes.
  110. When using VMs:
    • The unsafe browser on the host is untouched, so it is not affected by installing Whonix.
    When using Physical Isolation:
    • From Whonix 0.5.6 onwards, there is no unsafe browser. A separate third machine with clearnet access could be configured.
  111. Tails Todo: Improve fingerprint of the Unsafe Browserarchive.org
  112. This is useful for keeping the clock synchronized for long running sessions.
  113. See also TimeSync.
  114. Users who want to hide Tor and Whonix from the ISP should not connect to the public Tor network when starting the platform for the first time.
  115. Settings, patches and add-ons.
  116. See Tor Browserarchive.org.
  117. See TimeSync.
  118. See Tails - Time syncingarchive.org.
  119. It is best when account names are shared among anonymity-focused distributionsarchive.org.
  120. https://github.com/ioerror/torbirdy/blob/master/gpg.confarchive.org
  121. gpg.conf optimized for privacyarchive.org
  122. As TorVM may not run inside other virtualizers in the first place, although this is untested.
  123. systemcheckarchive.org
  124. https://en.wikipedia.org/wiki/AppArmorarchive.org
  125. Additional profiles can be manually installed. Profiles are already enabled by default for Tor, obfsproxy, Tor Browser and many others.
  126. https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581archive.org
  127. https://github.com/Kicksecure/security-misc/tree/master/etc/default/grub.darchive.org
  128. https://github.com/QubesOS/qubes-issues/issues/2695archive.org
  129. https://www.whonix.org/wiki/Dev/Strong_Linux_User_Account_Isolation#Bruteforcing_Linux_User_Account_Passwords_Protectionarchive.org
  130. See above.
  131. Due to anonymity, privacy and security problems associated with Adobe Flash.
  132. 134.0 134.1 134.2 134.3 134.4 134.5 134.6 134.7 134.8 If the fingerprint is detailed enough, then linkage of activities and subsequent deanonymization becomes easier.
  133. 135.0 135.1 135.2 That is, it is shared among all up-to-date Whonix users, and some Debian users. In Debian's case that would be persons using the same platform that Whonix is based on (Debian stretch in Whonix 14.0.0.7.4). In addition, some users of Debian derivatives (like Ubuntu) would share the same Flash version.
  134. Users can conduct their own checks on https://ip-check.infoarchive.org
  135. Whonix developers have also minimized the attack surface, added hardening features and so on. Refer to developer documentation on security and hardening for further details.
  136. An application not honoring proxy settings. Example: Tor Browser Bundle: Firefox security bug (proxy-bypass)archive.org.
  137. 139.0 139.1 139.2 139.3 Prevented by the firewall.
  138. This occurs when applications leak the user's real IP address. See Whonix Track Record against Real Cyber Attacks for examples where Whonix prevented them. Leaks are often circumvented in Whonix because Whonix-Workstation (anon-whonix) is unaware of the real IP address.
  139. 141.0 141.1 The workstation does not know its own external IP address.
  140. 142.0 142.1 142.2 The VM replaces the IP address with an internal LAN IP, which is safe.
  141. 143.0 143.1 143.2 Consider the following example. A user visits a website over Tor with a torified browser. The website uses a known or zero day vulnerability to gain remote code execution on the user's machine, and then installs malware.
  142. The vulnerability "only" allows the adversary to gain user rights, not root. The adversary could then remotely start the Unsafe Browser in order to discover the user's real IP address. This attack is circumvented by Whonix, because any applications running inside Whonix, including malware, can only connect through Tor.
  143. 145.0 145.1 145.2 145.3 145.4 145.5 Tails bug report The Unsafe Browser allows to retrieve the public IP address by a compromised amnesia user with no user interactionarchive.org contains an example how this attack could be accomplished.
  144. The vulnerability "only" allows the adversary to gain user rights, not root. The adversary gains root rights by escalating privileges with a second vulnerability. The adversary is then capable of tampering with iptables rules to make non-Tor connections and so on. This attack is circumvented by Whonix, because the firewall runs on another (virtual) machine. Further, any root applications inside Whonix, including malware with root rights, can only connect through Tor.
  145. The vulnerability used allows the adversary to gain root rights. The adversary is then capable of tampering with iptables rules to make non-Tor connections and so on. This attack is circumvented by Whonix, because the firewall runs on another (virtual) machine. Further, any root applications inside Whonix, including malware with root rights, can only connect through Tor.
  146. Consider the following example. A user visits a website over Tor with a torified Browser. The website uses a known or zero day vulnerability to gain remote code execution on the user's machine, and then installs malware.
  147. A second exploit is then used to break out of the virtual machine. The default Non-Qubes-Whonix and Qubes-Whonix platforms are vulnerable to this attack. Whonix with physical isolation defeats this attack, because the Whonix-Workstation host does not know its real IP address, only Whonix-Gateway does, which is running on another physical machine.
  148. This is the same as attack number six, except in this case the adversary uses an extra vulnerability to break into Whonix-Gateway. Whonix is vulnerable to this form of attack.
  149. Consider the following example. A user visits a website over Tor with a torified Browser. The website uses a known or zero day vulnerability to gain remote code execution on the user's machine. The default Non-Qubes-Whonix and Qubes-Whonix platforms will fall to this attack, the same as attack number six. Physical isolation defeats this attack in the same manner as per attack number six.
  150. 152.0 152.1 White is used as a more neutral color because according to this postarchive.org by Joanna Rutkowskaarchive.org, exploiting a QubesOS virtual machine is more difficult than exploiting VirtualBox.
  151. Consider the following example. A user visits a website over Tor with a torified Browser. The website uses a known or zero day vulnerability to gain remote code execution on the host. The adversary then uses an extra vulnerability to break into Whonix-Gateway. Whonix is vulnerable to this kind of attack.
  152. 154.0 154.1 154.2 Fail, because it has already fallen victim to a VM exploit.
  153. 155.0 155.1 155.2 This is not usually run behind a physically isolated Whonix-Gateway.
  154. Consider the following example. A user visits a website over Tor with a torified Browser, with Tor controlling (processing) the traffic. The adversary uses a vulnerability to gain remote code execution on the user's machine. The machine where Tor is running knows the user's real IP address (Tor control protocol command: getinfo address), unless this machine is itself behind another Gateway which is difficult to configure; see Chaining Multiple Gateways.
  155. 157.0 157.1 Unless a user is Chaining Multiple Gateways, which is unfortunately only available to expert users. Whonix is vulnerable to this form of attack.
  156. For example, an end-to-end correlation attack. Research has established that Tor is vulnerable to numerous other attack vectors. Any successful attack against Tor, where an anonymity operating system is dependent on it, will naturally deanonymize the user. The exception is users who are Chaining Multiple Gateways, which unfortunately is only available to expert users. Whonix is capable of defeating some attacks against Tor and associated components such as Tor Browser; for example, see the secure and distributed time synchronization mechanism and protocol and fingerprinting leak protection, along with the rest of the Design page.
  157. Any backdoorarchive.org in Tor would be fatal for operating systems which rely upon it, since it would open up an avenue for targeted attacks. Widespread attacks are more likely to be identified.
  158. 160.0 160.1 When server software on Whonix-Workstation (anon-whonix) is (root) exploited, the attacker cannot steal the key of the onion service because it is stored on Whonix-Gateway (sys-whonix).
  159. 161.0 161.1 Tails is not yet meant to be used as a server.
  160. This is safe in theory, but it is unclear if TorVM supports onion services.
  161. 163.0 163.1 Source: https://lists.torproject.org/pipermail/tor-talk/2012-February/023264.htmlarchive.org
  162. 164.0 164.1 164.2 Because the unsafe browser runs on the VM host which uses NTP, and the torified browser runs inside Whonix-Workstation (anon-whonix) which uses sdwdate.
  163. The VM host time is synchronized with NTP, and operating system time is synchronized with tails_htp.
  164. 166.0 166.1 An untorified host browser uses the same clock as TBB.
  165. 167.0 167.1 The host and VM clock are both synchronized with NTP, but there still might be a difference since they are synchronized independently.
  166. This is important because if the clock skew is too large and/or unique, non-anonymous and anonymous activity might be linked.
  167. The time differs because Whonix-Workstation (anon-whonix) and Whonix-Gateway (sys-whonix) use separate sdwdate instances.
  168. 170.0 170.1 The unsafe browser and torified browser share the same clock via tails_htp
  169. 171.0 171.1 171.2 171.3 An attack initiated by an ISP-level adversary.
  170. 172.0 172.1 This assumes installation of a regular operating system using NTP which was used earlier, and the introduction of a clock skew by an adversary.
  171. Such as running tordate.
  172. 174.0 174.1 174.2 Due to a unique clock skew introduced by an adversary.
  173. That is, installing new software safely.
  174. In Whonix, it is possible to install a (Tor-unsafearchive.org) BitTorrent client. In the worst case it would be pseudonymous rather than anonymous, as the IP address would still be hidden.
  175. Tails has a firewall to block non-Tor traffic, but an auditarchive.org at the protocol level is still required. The Tails Security Pagearchive.org notes:

    Until an auditarchive.org of the bundled network applications is done, information leakages at the protocol level should be considered as - at the very least - possible.

  176. The user must manually prevent non-Tor traffic, DNS leaks and protocol level leaks.
  177. Text, screenshot and video instructions are available.
  178. The user must install and set up the Gateway from source code.
  179. For examples of what not to do, see DoNot.
  180. Documentation
  181. https://tails.boum.org/doc/index.en.htmlarchive.org
  182. https://github.com/Kicksecure/vm-config-dist/blob/master/etc/profile.d/20_power_savings_disable_in_vms.sharchive.org
  183. 185.0 185.1 185.2 Necessary software is included, but there is no GUI to complete the process. For documentation on this optional configuration, see tunnel introduction.
  184. 186.0 186.1 186.2 Tails status for VPN support: https://gitlab.tails.boum.org/tails/tails/-/issues/5858archive.org
  185. By configuring the NetVM of the TorVM as a VpnVM.
  186. https://tails.boum.org/contribute/design/#index42h3archive.org
  187. See Browser Plugin Security and Browser Plugins.
  188. Tails status for Flash support: https://gitlab.tails.boum.org/tails/tails/-/issues/5363archive.org
  189. https://en.wikipedia.org/wiki/Ricochet_%28software%29archive.org
  190. Ricochet has been broken since Whonix 15 despite all efforts to fix it, see: Ricochet IM.
  191. Tails wishlistarchive.org.
  192. Filezilla works out of the box, but is not pre-installed. For Tor Browser and/or wget, users could experiment with TrackHostExitsarchive.org. Further information on TrackHostExits can be found herearchive.org and herearchive.org.
  193. Tails status for FTP support: https://gitlab.tails.boum.org/tails/tails/-/issues/6096archive.org
  194. Users can install any download manager, preferably using SocksPort, although TransPort works as well. wget -c (pre-configured to use SocksPort) has also been tested to work.
  195. Users can manually install any download manager in Tails. It only needs configuration to use the proper SOCKS proxy.
  196. Hidden services can be used without IP address / DNS leaks, see onion service support. No GUI is available to setup an onion service, but it works well nonetheless.
  197. This is possible via ordinary torrc mechanisms; see Persistence preset: Tor statearchive.org
  198. Tails server: Self-hosted services behind Tails-powered Tor onion servicesarchive.org
  199. When using VMs, this can be easily achieved on the host. For users relying on physical isolation, from Whonix 0.5.6 onward there is no unsafe browser. A separate third machine with clearnet access could also be configured.
  200. Tails has a unsafe browser for such tasks.
  201. The host operating system mechanism can be used.
  202. See onion-grater, a Tor Control Port Filter Proxy, design documentation.
  203. 205.0 205.1 205.2 The option is just as effective as comparable platforms, like Debian.
  204. This option is fully functional in Tails, despite the quote below - see the additional footnote. As noted on the Tails' website, https://tails.boum.org/doc/anonymous_internet/Tor_Browser/index.en.html#new-identityarchive.org:

    This feature is not enough to strongly separate contextual identitiesarchive.org in the context of Tails as the connections outside of Tor Browser are not restarted.

    Shutdown and restart Tails instead.

  205. See I2P.
  206. See RetroShare.
  207. https://github.com/Kicksecure/vm-config-dist/tree/master/usr/lib/systemd/systemarchive.org
  208. VirtualBox shared folders.
  209. KVM shared folders.
  210. https://github.com/Kicksecure/usability-misc/blob/master/etc/default/grub.d/30_screen_resolution.cfgarchive.org
  211. https://github.com/Kicksecure/debug-misc/blob/master/debian/controlarchive.org
  212. https://www.whonix.org/wiki/Desktop#RAM_Adjusted_Desktop_Starterarchive.org
  213. https://github.com/Kicksecure/radsarchive.org
  214. See Bridges.
  215. meek_lite is available from Whonix 14.
  216. https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/10-tor.sharchive.org
  217. Manual configuration is required, see: Snowflake.
  218. https://forums.whonix.org/t/replacing-meek-snowflake/5190archive.org
  219. https://gitlab.tails.boum.org/tails/tails/-/issues/5494archive.org
  220. Permission is granted by adrelanos (Patrick Schleizer) for anyone editing this page to shift the content to a more neutral place, like Wikipedia. Should it be required, Schleizer would also agree to dual / multi / re-licensing of this page under a different Free (as in speech) license, such as GFDL. Note that moving the article to Wikipedia is difficult to achieve anonymously, since they do not allow Tor user edits (and most people interested in this article are Tor users).
  221. Subgraph OSarchive.org has been removed from this list; the distribution has not released an ISO since 2017.

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!