-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-06-08 11:55, entr0py wrote:
> Andrew David Wong:
>> On 2016-06-08 00:14, Albin Otterhäll wrote:
>>> I'm assuming that if you connect to Tor using the same Whonix
>>> gateway (e.g. "sys-whonix"), you get the same "identity" (IP,
>>> etc.) on both your workstations. Is this correct?
>>
>>
>> Not entirely. By default, stream isolation applies to different
>> workstations and to any supported apps in those workstations.
>> This means that every VM connected to sys-whonix (and every
>> supported app in those VMs) will use a different circuit through
>> the Tor network, hence a different exit node, hence have a
>> different IP address.
>>
>> However, there are still side-channel attacks that can be used to
>> correlate multiple workstations running on the same host
>> (stressing hardware and observing the effects in all
>> workstations, clock skew, network timings, etc.).
>>
>> Details:
>> https://www.whonix.org/wiki/Multiple_Whonix-Workstations
>> https://www.whonix.org/wiki/Stream_Isolation
>>
>
> What Andrew said. Some nitpicking:
>
> There is no guarantee that you will have a different exit node (or
> even a different circuit). It's random so you might wind up with
> the same but not intentionally.
>

Thanks for clarifying that. I had guessed that it was random and thus
the same exit node or even circuit could be selected by coincidence,
but wasn't sure. IIUC, this should be pretty unlikely in the case of
exit nodes, since there are many, and nigh-improbable in the case of
circuits, since there are vastly more possible combinations of nodes,
even taking into account that many nodes can only occupy certain
positions in the circuit (guard, relay, exit).

> Also, Tor Browser has stream isolation features of its own, such
> as separate circuits per tab and new circuits after a set time
> interval.
>
> Finally, non-stream-isolated (meaning non-tor-proxified) apps in
> the *same* workstation will share the same circuit since they will
> route through Whonix-Gateway's Transparent Proxy Port (TransPort).
> The TransPort can be disabled to prevent this. (Instructions in
> Andrew's links).
-----END PGP SIGNATURE-----
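
Added example, not part of the original email: a Python check for the case discussed above, where two workstations behind one gateway land on the same circuit or, by chance, the same exit relay. It assumes CIRC and STREAM event lines in the format of Tor's control protocol were captured on the gateway; the relay names, fingerprints, targets and client addresses below are constructed.

```python
from collections import defaultdict

def fp(c):
    """Constructed 40-hex-digit relay fingerprint for the sample data."""
    return "$" + c * 40

# Constructed control-port events (CIRC/STREAM lines as in Tor's control-spec).
# Relay names, fingerprints, targets and 10.137.0.x client addresses are made up.
SAMPLE_EVENTS = "\n".join([
    f"650 CIRC 11 BUILT {fp('A')}~g1,{fp('B')}~m1,{fp('E')}~exitX PURPOSE=GENERAL",
    f"650 CIRC 12 BUILT {fp('A')}~g1,{fp('C')}~m2,{fp('F')}~exitY PURPOSE=GENERAL",
    f"650 CIRC 13 BUILT {fp('A')}~g1,{fp('D')}~m3,{fp('E')}~exitX PURPOSE=GENERAL",
    "650 STREAM 101 NEW 0 example.com:443 SOURCE_ADDR=10.137.0.10:40112 PURPOSE=USER",
    "650 STREAM 101 SUCCEEDED 11 example.com:443",
    "650 STREAM 102 NEW 0 example.org:443 SOURCE_ADDR=10.137.0.11:51820 PURPOSE=USER",
    "650 STREAM 102 SUCCEEDED 12 example.org:443",
    "650 STREAM 103 NEW 0 example.net:443 SOURCE_ADDR=10.137.0.11:51822 PURPOSE=USER",
    "650 STREAM 103 SUCCEEDED 13 example.net:443",
])

def shared_paths(events):
    """Return circuits and exit relays used by more than one client address."""
    exit_of, src_of = {}, {}
    by_circ, by_exit = defaultdict(set), defaultdict(set)
    for line in events.splitlines():
        p = line.split()
        if len(p) < 5 or p[0] != "650":
            continue
        if p[1] == "CIRC" and p[3] == "BUILT" and p[4].startswith("$"):
            # Path is "$FP~nick,$FP~nick,..."; the last hop is the exit.
            exit_of[p[2]] = p[4].split(",")[-1].split("~")[0].lstrip("$")
        elif p[1] == "STREAM" and p[3] == "NEW":
            # SOURCE_ADDR (client ip:port) is reported when the stream is created.
            for field in p[5:]:
                if field.startswith("SOURCE_ADDR="):
                    src_of[p[2]] = field.split("=", 1)[1].rsplit(":", 1)[0]
        elif p[1] == "STREAM" and p[3] == "SUCCEEDED" and p[2] in src_of:
            # The stream is now attached to a circuit; attribute it to its client.
            by_circ[p[4]].add(src_of[p[2]])
            if p[4] in exit_of:
                by_exit[exit_of[p[4]]].add(src_of[p[2]])
    multi = lambda d: {k: sorted(v) for k, v in d.items() if len(v) > 1}
    return {"circuits": multi(by_circ), "exits": multi(by_exit)}

if __name__ == "__main__":
    print(shared_paths(SAMPLE_EVENTS))
```

In the constructed sample no circuit is shared between the two client addresses, but circuits 11 and 13 end at the same exit, so that relay is reported for both.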