Dev/Anonymity Network

From Whonix
< Dev
Jump to navigation Jump to search

Comparison of anonymizers considered for the implementation of the Anonymous Operating System Whonix.

Introduction[edit]

This page describes, why Tor was chosen for the Whonix Example Implementation as anonymity network and also discussed alternatives, which also have been considered.

Tor[edit]

Tor has been chosen for the Whonix Example Implementation, because it is the best researched and most used network. Whonix developer Patrick believes Tor is currently the most secure anonymity network legally available to most users. See anonbibarchive.org for a collection about research papers about Tor and other anonymity networks.

Many users are important, because you can only be anonymous within a big group of people. More secure networks exist in theory, such as the mixminion high latency network, but without enough users, in practice they are less secure. See Roger Dingledine explanationarchive.org for details.

On the Warningarchive.org page are some shortcomings of Tor listed.

Whonix and other Anonymity Networks[edit]

The Whonix Framework is agnostic about the Anonymity Network being used. In theory also Tor could be completely exchanged with any other suited anonymizing network, see Technical Introduction Whonix Framework. Development in this area stalled due to lack of interest from users, upstream developers and Whonix developers. Anyway, there has been some research, theoretical and practical work done towards such integration, see Inspiration in case you are interested.

Security considerations[edit]

Any successful attacks against Tor, does also work against Whonix and will result in a compromise of location/identity. 1

Whonix does not try to defend against network attacks, like a massive amount of evil Tor nodes, end-to-end correlation attacks and so on. The Tor software package from the Debian repository is installed in Whonix. There are no modifications to Tor software. This is left to the Tor developers and Debian packagers.

If TransPort, DnsPort or SocksPort, which Whonix heavily relies on, can be exploited, then it is also game over.

There is no known bug (or "feature") to obtain the users real IP address through either SocksPort, TransPort or DnsPort. If there were such a bug found in the future, which is possible, it would be a major bug in Tor. We would hope, that the Tor developers fix that bug.

There are other attacks conceivable, which we can not defend against. For example, if an adversary controls your entry node or can observe your ISP and has access to the Whonix-Workstation. He can simply use "morse" (5 seconds much traffic, 10 seconds no traffic...) And then observe the user's incoming connections. Then it is game over as well.

1 Unless Tor is combined with other means of anonymization (available as optional feature).

Other Anonymity Networks reviewed for Whonix[edit]

High latency networks[edit]

In theory, high latency networks would be safer than Tor. Unfortunately there is no high latency network, with enough users, which is well designed, developed and maintained.

AdvOR[edit]

Not suited for Whonix at all.

AdvORarchive.org, the "Advanced" Onion Router is not suited for Whonix. Reasons:

  • No interest from the research community.
  • No source control, i.e. git.
  • Licensing issues (See Nick Mathewson's (Tor's Chief Architect) analysis below.)
  • Absence in the Tor community.
  • No Linux support.
  • Whonix developer believes the Tails developers and the Tor developers to be modest and genuine. Doing their best on providing fine software. They generally work thoroughly, come to, in Patrick's opinion, clever conclusions. A Tails developer and a Tor developer wrote about AdvOR. Patrick believes it is best not to summarize the their writings. Please read it yourself, in case you're interested.
  • In Patrick's opinion: less safe than Tor.

I2P[edit]

Review[edit]

It may not be possible to reliably replace the Tor network with the I2P networkarchive.org for Whonix-Gateway. The I2P network is mainly designed to host all services inside the I2P network. We have to update the Whonix-Workstation operating system and software packages. That is not possible with I2P. Outproxies exist in past (http, https and socks), but too few of them? And they are not suited for use with Whonix. They are too unreliable (too often offline). At time of writing the I2P chapter (March 2012) there where no working https or socks outproxies, which we could use for apt. (Still the case as of today?)

I2P can only be used as an addition to Whonix (tunnel ip2 over Tor). See I2P.

Even if there where enough reliable outproxies, there is one question which would have to be answered. Is I2P designed for withholding the external IP from a Workstation, i.e. does the I2P webinterface spill the external IP and if yes, can it be configured, not to? → We could make I2P listen on Whonix-Gateway local host only. And only have other services, such as the outproxy, listen on the internal interface that is accessible by Whonix-Workstation(s).

There was development ideaarchive.org to install Tor and optionally I2P on Whonix-Gateway, but stalled due to lack from Whonix developers and I2P community.

That I2P is not in Debian package sources would also make integration harder.

Summary[edit]

Not suited for Whonix for the Default-Download-Version.

  • No out proxies at the moment. (Can not connect to any servers outside the I2P network. I2P is much different than Tor.) Clearnet websites could not be reached, APT wouldn't work, etc. Still up to date as of today?
  • Less interest from the research community.
  • No interest from the I2P community.
  • In Patrick's opinion: less safe than Tor.

VPN[edit]

Not suited for Whonix for the Default-Download-Version. For details, see Whonix versus VPNs.

Freenet[edit]

Not suited for Whonix for the Default-Download-Version.

Replacing Tor with Freenet is impossible, as Freenet is a separated network, not designed to exit the network, i.e. clearnet websites could not be reached, APT wouldn't work, etc.

There was a development ideaarchive.org to install Tor and optionally Freenet on Whonix-Gateway. It would pose the questions. Is Freenet designed for withholding the external IP from a Workstation, i.e. does the Freenet webinterface spill the external IP and if yes, can it be configured, not to?

RetroShare[edit]

Not suited for Whonix for the Default-Download-Version.

In fact RetroSharearchive.org is not an anonymizing networkarchive.org, it is a friend-to-friendarchive.org (F2F) network, or optionally a darknetarchive.org. RetroShare has a very different audience and threat model. RetroShare does not support using an outproxy yet, for this reason, it can not replace Tor on the Whonix-Gateway.

Proxies / Proxy Chains[edit]

This is a summary of Tor vs Proxy.

"(High) Anonymous" Proxies or even "Elite" Proxy Chains are not suited for Whonix for the Default-Download-Version.

  • Inferior to Onion Routing (Tor). Just two strong points (many more exist): no encryption between the user and the proxy possible (only end-to-end encryption possible); no onion routing alright (changing circuits).
  • Difficult (impossible?) to find a free, stable proxy, which is supposed to be legally used as proxy and which could handle enough Default-Download-Version users.
  • In Patrick's opinion: less safe than Tor.

Combinations of Anonymity Networks[edit]

Not suited for Whonix for the Default-Download-Version.

There is too much controversy, see Tor Plus VPN or Proxyarchive.org.

Controversy is avoided as a political project strategy with the goal to protect the project:

Quoted from the [FAQ]: "Whonix tries to be as less special as possible to ease security auditing of Whonix. Any changes to the Tor routing algorithm should be proposed, discussed and eventually implemented upstream in Tor on torproject.org. And if discussion fails, a Tor fork could be created. Tor has already been forked at least once. Doing such changes directly in Whonix would limit discussions about Whonix to the security of the modified routing algorithm. To allow further exploration of Whonix security, it is required to be as agnostic as possible about all parts of Whonix."

The user is able to tunnel Other Anonymizing Networks over Tor (see Other Anonymizing Networks in case you're interested).

Tunneling other Other Anonymizing Networks over Tor[edit]

It is possible with Whonix. (Other Anonymizing Networks).

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!