Placing Trust in Whonix

From Whonix
(Redirected from Verification Assets)
Jump to navigation Jump to search

Is Whonix trustworthy? Is there a backdoor in Whonix? How does Whonix protect itself from backdoors?

Trust Documentation[edit]

Kicksecure: Perform these steps inside Kicksecure.

Instead the user should apply the instructions inside Whonix-Workstation.

Kicksecure for Qubes: Perform these steps inside Qubes kicksecure-17 Template.

Instead the user should apply the instructions inside whonix-workstation-17 Template.

Trusting Tor[edit]

Whonix anonymity is based on Tor, which is developed by The Tor Projectarchive.org. Tor is a mature anonymity network with a substantial user base, and it has developed a solid reputation after around two decades of development. Tor's distributed trust model makes it difficult for any single entity to capture a user's traffic and identify them on a consistent basis.

Tor and its general development are subject to heavy public scrutiny by academics, security professionals and a host of developers. [1] For example, there is a body of Tor research related to potential attack vectors on onion routing and the adequacy of current defenses, and the source code has undergone several external audits. Like any software project, numerous security issues have been identified and resolved over the years, but a purposeful backdoor has never been discovered. [2] Theories about deliberate backdoors in Tor are considered highly speculative and lacking any credible basis.

Trusting Whonix[edit]

In one sense, Whonix is the simple union of Debian and Tor and a mechanism to glue them together. If a user already trusts Debian and The Tor Project, then a method for assessing Whonix trustworthiness is also necessary.

The Whonix project was founded on 11 January, 2012. It previously existed under different project names, including TorBOX and aos. As mentioned earlier, Whonix is Freedom Software which makes the source code available for inspection. In the main, Whonix is comprised of specifications for which Debian software packages should be installed and their appropriate configuration. See also this list of notable reviews and feedback about the security of Whonix.

With a relatively small development team and estimated user base, the "many eyeballs" theory may work against Whonix at present. However, the source code is comparably small and devoid of complexities, meaning the project is in relatively good shape compared to many other similar projects. Interested readers can learn more about the Whonix specification and design here. [3]

With these factors in mind, the reader can now make an informed decision about the trustworthiness of Whonix.

Whonix Warrant Canary[edit]

Canary

The Whonix warrant canaryarchive.org is intended to provide a mean of communication to users in the event Whonix is served with a secret subpoena, despite legal prohibitions on revealing its existence. For any canary in force, once the signature of the canary file is verified with OpenPGP and/or signify, this confirms that no warrants have been served on the Whonix project.

Note: the canary date of issue is represented by the gpg signature date. A new canary should be released within 4 weeks. [4]

The canary and signature are available here:

As a backup, the canary and signature are also available on github: [5]

Readers are reminded this canary scheme is not infallible. The canary declaration is provided without any guarantee or warranty, and it is not legally binding upon any parties in any form. The signer should never be held legally responsible for any statements made in the canary.

Related:

Trusting the Download Location[edit]

Binary images can be trusted to some extent if a user verifies that they received exactly the same code as thousands of other users, and no one has found or publicly reported any serious security issues. This requires verification of the Whonix-Workstation and Whonix-Gateway images using the available OpenPGP signatures. [6] All source code tags for releases are OpenPGP-signed by lead Whonix developer Patrick Schleizer.

In order of increasing security, the Whonix images can be:

  1. Downloaded via https://www.whonix.orgarchive.org. TLS provides some trust and integrity of the hash file, but it is still advisable to check the site's certificate and perform digital software signature verification (instructions).
  2. Downloaded over the Whonix v3 onion addressonion with Tor Browser before digital software signature verification. Onion addresses provide a higher standard of authentication than clearnet addresses.
  3. Built from source since it is a relatively easy procedure. [7]

Trusting Whonix Images[edit]

Table: Maintainer Overview - Platform, Source Code, Binary Images, Permissions

Whonix VirtualBox Whonix KVM Qubes-Whonix Built from Source Code
Source Code Creation Patrick Patrick Qubes project and Patrick Patrick
Source Code Trust Patrick Patrick Qubes project and Patrick Patrick
Binary Image Creation Patrick Patrick Qubes project [8] -
Binary Images Trust Patrick Patrick Qubes project and Patrick -
Package Upgrades Creation Patrick Patrick Qubes project and Patrick -

Since Whonix is based on Debian, Debian releases package upgrades. See also: Trusting Debian GNU/Linux.

Trusting Tor Browser[edit]

Tor Browser:

Verifiable Builds[edit]

Verifiable .ova Releases[edit]

verifiable builds warning icon Warning:

Deprecated. A dedicated contributor is required.

Whonix previously had a feature which allows the community to check that Whonix .ova [10] releases are verifiably created from the project's own source code - verifiable builds. [11] This only proves that the person and machine [12] building Whonix have not added anything malicious, such as a backdoor. [13] It does not prove there are no backdoors present in Debian. This is not possible, because neither Debian [14] nor any other operating system provides deterministic builds yet. [15]

This feature does not attempt to prove there are not any vulnerabilities present [16] in Whonix or Debian. Fatal outcomes are still possible via a remotely exploitable [17] bug in Whonix or Debian, a flaw in Whonix's firewall which leaks traffic, or code phoning home [18] the contents of the HDD/SSD. Community effort is a precondition to improved security with this feature, particularly auditing of Whonix and Debian source code to check for possible backdoors and vulnerabilities.

In summary, this feature is useful and potentially improves security, but it is not a magical solution for all computer security and trust issues. The following table helps to explain what this feature can achieve.

Table: Verifiable Builds Comparison

Whonix Tails Tor Browser Qubes OS TorVM corridor
Deterministic builds [19] No No (planned) [20] Yes [21] No Not applicable [22]
Based on a deterministically built [19] operating system No [23] No [23] Not applicable No [23] No [23]
Verifiably no backdoor in the project's own source code Invalid [24] Invalid [24] Invalid [24] Invalid [24] Invalid [24]
Verifiably vulnerability-freearchive.org No [25] No [25] No [25] No [25] No [25]
Verifiably no hidden source code [26] in upstream distribution / binaries [27] No [28] No [28] No [28] No [28] No [28]
Project's binary builds are verifiably created from project's own source code (no hidden source code [26] in the project's own source code) No (deprecated) [29] No Yes No Not applicable [22]

Some readers might be curious why Whonix was previously verifiable, while Debian and other distributions are not. In short, this is because Whonix is uncomplicated by comparison. In simple terms, Whonix is a collection of configuration files and scripts, and the source code does not contain any compiled code and so on. In contrast, Debian is a full operating system, without which Whonix would not exist. [30]

This feature was first made available in Whonix 8. Only users who download a new image can profit from this feature. [31] It is not possible to audit versions older than Whonix 8 with this script. [32]

This is only an an introduction to this topic; see Verifiable Builds for full details.

Verifiable Whonix Debian Packages[edit]

verifiable builds warning icon Warning:

Deprecated. A dedicated contributor is required.

This has been deprecated because it is difficult to implement before the experimental, Debian reproducible toolchain is merged into the stable release. [33] For full details on this topic, see Verifiable Whonix Debian Packages.

Whonix Updates[edit]

Introduction[edit]

An optional updater has been available in Whonix since version 6 of the platform. [34] When it comes to trust, there is a large difference between building Whonix from source code and using the Default-Download-Version.

APT Repository and Binary Builds Trust[edit]

When Whonix is built from source code using the build script and the source code is audited by the builder to be non-malicious and reasonably bug-free, Whonix developers are unable to access the system. On the other hand, if Whonix APT repository is enabled, developers holding a Whonix repository signing key could release a malicious update to gain full access to the machine(s). [35]

Even if the Whonix APT repository is not used with the Default-Download version, it is still theoretically possible for Whonix developers to sneak a backdoor into the binary builds which are available for download. [36] Although an unpleasant threat, using Whonix APT repository poses a greater risk: a malicious Whonix developer might sneak in a backdoor at any time.

It is easier to sneak backdoors into binary builds, since they contain compiled code in binary packages which are downloaded from the Debian repository when built.

APT Repository Default Settings[edit]

Non-Qubes-Whonix:

  • Building from source code: Whonix APT Repository is disabled by default. [37]
  • Default binary download: Whonix APT Repository is enabled by default.

Qubes-Whonix:

  • Qubes/Install: Whonix APT Repository is enabled by default.
  • Building from source code: Whonix APT Repository is enabled by default. [38]

Most users will have the Whonix APT repository enabled. This means when updated Whonix debian packages are uploaded to the Whonix APT repository, these packages will be automatically installed when the system is upgraded. [39] If this behavior is unwanted, this can be disabled. Refer to the previous section outlining security implications before proceeding.

Security Conclusion[edit]

Legend:

  • *: poor security.
  • ****: best security.

Table: Build and APT Repository Security Comparison

Binary Download with Whonix APT Repository Binary Download without Whonix APT Repository Built from Source Code and Whonix APT Repository Enabled Built from Source Code and Whonix APT Repository Disabled
Security * ** * ****
Convenience **** * ** *

In summary:

  • The Whonix binary download using the Whonix APT repository is the most convenient method, but also the least secure.
  • It is somewhat safer to use the Whonix binary download and then disable the Whonix APT repository. However, the user must then manually download updated Whonix deb packages upon release, and independently verify and install them.
  • The greatest security comes from building Whonix and updated packages from source code, particularly if the source code is verified before building Whonix.

Appendix[edit]

What Digital Signatures Prove[edit]

  • Digital signatures are a tool enhancing download security. They are commonly used across the internet and nothing special to worry about.
  • Optional, not required: Digital signatures are optional and not mandatory for using Whonix, but an extra security measure for advanced users. If you've never used them before, it might be overwhelming to look into them at this stage. Just ignore them for now.
  • Learn more: Curious? If you are interested in becoming more familiar with advanced computer security concepts, you can learn more about digital signatures here digital software signatures.

See Verifying Software Signatures for details on what digital signatures prove.

In short, a user must be careful to ensure the public keys that are used for signature verification are the Whonix key pair belonging to the Whonix developer of the component specific component. At time of writing there are two different components and signing keys.

Footnotes[edit]

  1. And undoubtedly advanced adversaries.
  2. That said, a skilled, malicious coder is far more likely to introduce subtle errors that open non-obvious attack vectors.
  3. This is a good starting point to understand how Whonix works.
  4. Meaning doubts should surface if a new canary was not issued for longer than 4 weeks.
  5. If issues arise with the whonix.org server, this ensures the canary is always available online.
  6. This feature has been available since Whonix 0.4.5.
  7. Verifiable Builds allow auditors to check if there is hidden code inside Whonix.
  8. Builds can be initiated by Patrick but the template build server and template repository are hosted by the Qubes project.
  9. Not in Whonix-Workstation CLI.
  10. https://en.wikipedia.org/wiki/Open_Virtualization_Formatarchive.org
  11. This feature only adds security if people actually use it. Do not assume that someone else will do it for you
  12. Due to build machine compromise.
  13. https://en.wikipedia.org/wiki/Backdoor_(computing)archive.org
  14. Whonix is based on Debian.
  15. Some Debian developers are steadily working on this long-term project, see: Reproducible Buildsarchive.org.
  16. https://en.wikipedia.org/wiki/Vulnerability_(computing)archive.org
  17. https://en.wikipedia.org/wiki/Exploit_(computer_security)archive.org
  18. https://en.wikipedia.org/wiki/Phoning_homearchive.org
  19. 19.0 19.1 Open Source software does not automatically prevent backdoorsarchive.org, unless the user creates their own binaries directly from the source code. People who compile, upload and distribute binaries (including the webhost) could add hidden code, without publishing the backdoor. Anybody can claim that a certain binary was built cleanly from source code, when it was in fact built using the source code with a hidden component. Those deciding to infect the build machine with a backdoor are in a privileged position; the distributor is unlikely to become aware of the subterfuge. Deterministic builds can help to detect backdoors, since it can reproduce identical binary packages (byte-for-byte) from a given source. For more information on deterministic builds and why this is important, see:
  20. See Tails Roadmaparchive.org.
  21. See Deterministic Builds Part One: Cyberwar and Global Compromisearchive.org and Deterministic Builds Part Two: Technical Detailsarchive.org.
  22. 22.0 22.1 corridor only uses shell scripts.
  23. 23.0 23.1 23.2 23.3 To be fair, there are no deterministically built operating systems yet. It is a difficult process and takes a lot of effort to complete. While Debian has around 25,000 reproducible packagesarchive.org in mid-2021, this work has been ongoing since 2013 and is far from done.
  24. 24.0 24.1 24.2 24.3 24.4 The first form of backdoorarchive.org is a vulnerabilityarchive.org (bug) in the source code. Vulnerabilities are introduced either purposefully or accidentally due to human error. Following software deployment, an attacker may discover the vulnerability and use an exploitarchive.org to gain unauthorized access. Such vulnerabilities can be cleverly planted in plain sightarchive.org in open source code, while being very difficult to spot by code auditors. Examples of this type of backdoor include: The second form of backdoor is adding the full code (or binary) of a trojan horsearchive.org (computer virus) to the binary build, while not publishing the extra source code and keeping it secret. This process can only be detected with deterministic builds.
    It is therefore impossible to claim that non-trivial source code is backdoor-free, because backdoors can be hidden as vulnerabilities. Auditors scrutinizing the source code can only state an opinion about the quality of the source code, and eventually report vulnerabilities if/when they are identified. Assertions that source code is free of computer viruses (like trojan horses) is the only reasonable assertion that can be made.
  25. 25.0 25.1 25.2 25.3 25.4 Although theoretically possible, there are no mathematically proven bug-freearchive.org operating systems yet.
  26. 26.0 26.1 Hidden source code is defined as code which is added by an adversary. They may have: compromised a build machine, conducted compiling prior to the binary build process, or be responsible for building the actual binary. The secret source code will remain unpublished and it will appear (or be claimed) that the software was built from the published source code. Reliably detecting such hidden code - added on purpose or due to build machine compromise - requires comparison with deterministic builds, which are discussed above. Other methods like watching network traffic are less reliable, since a backdoor can only be spotted when it is used. Backdoors are even less likely to be found through reverse engineeringarchive.org, because very few people are using a disassemblerarchive.org.
  27. The upstream distribution is the distribution on which the project is based. Whonix and Tails are based on Debian, thus Debian is their upstream distribution. QubesOS TorVM is based on Qubes OS, which is itself based on Fedora and Xen.
  28. 28.0 28.1 28.2 28.3 28.4 No, since the upstream software is not deterministically built. See above to learn about deterministic builds
  29. See verifiable builds.
  30. Whonix relies on the tireless efforts of Debian and other upstream projects.
  31. Because in order to implement the verifiable builds feature, a lot of non-deterministic, auto-generated files are removed at the end of the build process and re-created during first boot.
  32. It is not actually impossible, but it would require significant effort.
  33. Old advice: Since Whonix 7.5.2, all Whonix Debian Packages have been deterministically built. This means if the Whonix Debian Packages 7.5.2 are built from source code, and 7.5.2 downloaded from the Whonix Debian repository, it is possible to diff the checksum (for example the sha512sum) of those files and they should match. This has been deprecated because of a dpkg bug. The estimate of the Installed-Size can be wrong by a factor of 8, or a difference of 100MBarchive.org (note: this bug has now been resolved). Different underlying file systems cause different file sizes, leading to checksums not matching.
  34. When Whonix APT repository is disabled, there is no updater - as was the case in Whonix 0.5.6 and below.
  35. At the moment, Whonix developer Patrick Schleizer is the only one holding the Whonix APT repository OpenPGP signing key.
  36. See the Verifiable Builds section for further details.
  37. Since Whonix version 7.3.3
  38. To disable this setting, see: qubes-template-whonixarchive.org: in file TODO (please ask Qubes) and set DERIVATIVE_APT_REPOSITORY_OPTS = off
  39. After running sudo apt update && sudo apt full-upgrade manually or via a GUI updater.

License[edit]

Whonix Trust wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Trust wiki page Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!