Whonix ®

Download

Windows Linux Mac VirtualBox KVM Qubes USB ISO (coming soon) More options Source Code

About

Overview Features Whonix vs VPNs Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

TODO[edit]

• Gajim might intelligently set a Tor socks user name per account already. Do we still manually specify a user/password?
  • Gajim developers said they don't intelligently set a Tor socks user name per account. https://dev.gajim.org/gajim/gajim/issues/9213

• security
  • (3) TODO: create an AppArmor profile
• does it have any protocol leaks?
  • (4) TODO: check Gajim's built-in XML console
• how to pre-configure Gajim with all these settings by default as a linux distribution?
  • (5) TODO: feature request for .d config folder support - https://dev.gajim.org/gajim/gajim/issues/9214

• feature request: Forcing OMEMO out of the box
  • https://dev.gajim.org/gajim/gajim/issues/9215

Resolved[edit]

Was a blocker:

• Despite the proxy setting, it routes DNS requests use system default networking, thus end up in Tor's TransPort, thereby DNS is not stream isolated.
  • Won't be fixed. Python limitation.
  • https://dev.gajim.org/gajim/gajim/issues/8538
  • Violates Whonix Default Application Policy.
    • https://forums.whonix.org/t/gajim-messenger/708/7
    • https://forums.whonix.org/t/should-strict-stream-isolation-by-a-requirement-in-whonixs-default-application-policy/3940
• --> Strict stream isolation removed from Whonix Default Application Policy.

Done[edit]

• Are uploads by gajim-httpupload encrypted using gajim-omemo?
  • Developer responded: "yes if you have activated OMEMO, httpupload will always encrypt the file, in fact you can not send a unencrypted file with OMEMO activated even if you wanted."

• Plugin installer is only using https for verification which is weaker than gpg which is used by APT which is usually used to install software. ^{[1] [2]}
  • We can nuke the plugin installer. anon-apps-config which is installed by default will deactivate gajim plugin installer / updater because it's not secure. Using config-package-dev displace.
  • (2) Debian feature request to ship the gajim plugin-installer plugin in a separate Debian package. ^[3]

Discussion[edit]

• some answers here: https://dev.gajim.org/gajim/gajim/issues/8651

• gajim Whonix integration development discussion: https://forums.whonix.org/t/gajim-messenger

• it would take a lot patches to ensure that OMEMO encryption is always used, but on the other hand, because it is written in Python, Gajim is very easy to patch.

• Gajim can keep its account username and passwords in

KeepassXc using LibSecret integration. If we look at end-to-end security, and worry about the weakest links, then integration of IM with a password-manager should be a high priority.

Footnotes[edit]

Whonix The most watertight privacy operating system in the world.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Whonix is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!