If using the same Whonix GW, do all Whonix WS get the same "identity"?


Albin Otterhäll

Jun 8, 2016, 3:15:25 AM
to qubes...@googlegroups.com
I'm assuming that if you connect to Tor using the same Whonix gateway
(e.g. "sys-whonix"), you get the same "identity" (IP, etc.) on both your
workstations. Is this correct?

Andrew David Wong

Jun 8, 2016, 11:08:39 AM
to Albin Otterhäll, qubes...@googlegroups.com
Not entirely. By default, stream isolation applies to different
workstations and to any supported apps in those workstations. This
means that every VM connected to sys-whonix (and every supported
app in those VMs) will use a different circuit through the Tor
network, hence a different exit node, hence have a different IP address.

However, there are still side-channel attacks that can be used to
correlate multiple workstations running on the same host (stressing
hardware and observing the effects in all workstations, clock skew,
network timings, etc.).

Details:
https://www.whonix.org/wiki/Multiple_Whonix-Workstations
https://www.whonix.org/wiki/Stream_Isolation

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

entr0py

Jun 8, 2016, 3:01:04 PM
to Andrew David Wong, Albin Otterhäll, qubes...@googlegroups.com
Andrew David Wong:
> On 2016-06-08 00:14, Albin Otterhäll wrote:
>> I'm assuming that if you connect to Tor using the same Whonix
>> gateway (e.g. "sys-whonix"), you get the same "identity" (IP, etc.)
>> on both your workstations. Is this correct?
>
>
> Not entirely. By default, stream isolation applies to different
> workstations and to any supported apps in those workstations. This
> means that every VM connected to sys-whonix (and every supported
> app in those VMs) will use a different circuit through the Tor
> network, hence a different exit node, hence have a different IP address.
>
> However, there are still side-channel attacks that can be used to
> correlate multiple workstations running on the same host (stressing
> hardware and observing the effects in all workstations, clock skew,
> network timings, etc.).
>
> Details:
> https://www.whonix.org/wiki/Multiple_Whonix-Workstations
> https://www.whonix.org/wiki/Stream_Isolation
>
>

What Andrew said. Some nitpicking:

There is no guarantee that you will have a different exit node (or even a different circuit). It's random so you might wind up with the same but not intentionally.

Also, Tor Browser has stream isolation features of its own, such as separate circuits per tab and new circuits after a set time interval.

Finally, non-stream-isolated (meaning non-tor-proxified) apps in the *same* workstation will share the same circuit since they will route through Whonix-Gateway's Transparent Proxy Port (TransPort). The TransPort can be disabled to prevent this. (Instructions in Andrew's links).


Andrew David Wong

Jun 8, 2016, 4:46:32 PM
to entr0py, Albin Otterhäll, qubes...@googlegroups.com

On 2016-06-08 11:55, entr0py wrote:
> Andrew David Wong:
>> On 2016-06-08 00:14, Albin Otterhäll wrote:
>>> I'm assuming that if you connect to Tor using the same Whonix
>>> gateway (e.g. "sys-whonix"), you get the same "identity" (IP,
>>> etc.) on both your workstations. Is this correct?
>>
>>
>> Not entirely. By default, stream isolation applies to different
>> workstations and to any supported apps in those workstations.
>> This means that every VM connected to sys-whonix (and every
>> supported app in those VMs) will use a different circuit through
>> the Tor network, hence a different exit node, hence have a
>> different IP address.
>>
>> However, there are still side-channel attacks that can be used to
>> correlate multiple workstations running on the same host
>> (stressing hardware and observing the effects in all
>> workstations, clock skew, network timings, etc.).
>>
>> Details: https://www.whonix.org/wiki/Multiple_Whonix-Workstations
>> https://www.whonix.org/wiki/Stream_Isolation
>>
>>
>
> What Andrew said. Some nitpicking:
>
> There is no guarantee that you will have a different exit node (or
> even a different circuit). It's random so you might wind up with
> the same but not intentionally.
>

Thanks for clarifying that. I had guessed that it was random and thus
the same exit node or even circuit could be selected by coincidence,
but wasn't sure. IIUC, this should be pretty unlikely in the case of
exit nodes, since there are many, and nigh-improbable in the case of
circuits, since there are vastly more possible combinations of nodes,
even taking into account that many nodes can only occupy certain
positions in the circuit (guard, relay, exit).

> Also, Tor Browser has stream isolation features of its own, such
> as separate circuits per tab and new circuits after a set time
> interval.
>
> Finally, non-stream-isolated (meaning non-tor-proxified) apps in
> the *same* workstation will share the same circuit since they will
> route through Whonix-Gateway's Transparent Proxy Port (TransPort).
> The TransPort can be disabled to prevent this. (Instructions in
> Andrew's links).
>


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Patrick Schleizer

Jun 9, 2016, 4:14:36 PM
to qubes...@googlegroups.com
entr0py:
> Andrew David Wong:
>> On 2016-06-08 00:14, Albin Otterhäll wrote:
>>> I'm assuming that if you connect to Tor using the same Whonix
>>> gateway (e.g. "sys-whonix"), you get the same "identity" (IP, etc.)
>>> on both your workstations. Is this correct?
>>
>>
>> Not entirely. By default, stream isolation applies to different
>> workstations and to any supported apps in those workstations. This
>> means that every VM connected to sys-whonix (and every supported
>> app in those VMs) will use a different circuit through the Tor
>> network, hence a different exit node, hence have a different IP address.
>>
>> However, there are still side-channel attacks that can be used to
>> correlate multiple workstations running on the same host (stressing
>> hardware and observing the effects in all workstations, clock skew,
>> network timings, etc.).
>>
>> Details:
>> https://www.whonix.org/wiki/Multiple_Whonix-Workstations
>> https://www.whonix.org/wiki/Stream_Isolation
>>
>>
>
> What Andrew said. Some nitpicking:
>
> There is no guarantee that you will have a different exit node (or even a different circuit). It's random so you might wind up with the same but not intentionally.

Yes, stream isolation by Tor default just isolates streams; it does not
necessarily assign a different Tor exit.

Cheers,
Patrick
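A toy model of the isolation rules discussed across this thread (Andrew's per-workstation circuits, entr0py's TransPort and Tor Browser points, and Patrick's note that isolation does not assign a distinct exit), as an added example that is not Tor or Whonix code. It assumes the tor(1) defaults IsolateClientAddr and IsolateSOCKSAuth; the workstation addresses, port numbers and exit pool are constructed.

```python
# Toy model of Tor stream isolation as discussed in this thread (added example,
# not Tor or Whonix code). Per tor(1): streams on different listener ports are
# isolated from each other; on one listener, IsolateClientAddr and
# IsolateSOCKSAuth (both on by default) split streams by client address and
# SOCKS credentials. The exit is a uniform random pick, so isolated circuits
# can still share an exit.
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Stream:
    app: str          # label only; Tor never sees the application name
    listener: str     # e.g. "SocksPort:9150" or "TransPort" (constructed)
    client_addr: str  # workstation address as seen by the gateway
    socks_auth: str   # SOCKS user:pass, "" for TransPort traffic

def isolation_key(s):
    """Streams with equal keys may share a circuit; unequal keys never do."""
    return (s.listener, s.client_addr, s.socks_auth)

def assign_circuits(streams, exits, rng):
    """Return {stream: (circuit_id, exit)}, one circuit per isolation key."""
    circuits, result = {}, {}
    for s in streams:
        k = isolation_key(s)
        if k not in circuits:  # new circuit; its exit drawn uniformly at random
            circuits[k] = (len(circuits), rng.choice(exits))
        result[s] = circuits[k]
    return result

def thread_scenario():
    """Constructed streams for the three cases raised in the thread; the
    addresses are TEST-NET placeholders, not Whonix or Qubes values."""
    ws1, ws2 = "192.0.2.11", "192.0.2.12"
    tb_a = Stream("tor-browser", "SocksPort:9150", ws1, "site-a:0")
    tb_b = Stream("tor-browser", "SocksPort:9150", ws1, "site-b:0")
    tb_ws2 = Stream("tor-browser", "SocksPort:9150", ws2, "site-a:0")
    curl = Stream("curl", "TransPort", ws1, "")  # not SOCKS-aware: transparent proxy
    apt = Stream("apt", "TransPort", ws1, "")
    m = assign_circuits([tb_a, tb_b, tb_ws2, curl, apt],
                        [f"exit{i}" for i in range(10)], random.Random(1))
    return {"workstations_share_circuit": m[tb_a][0] == m[tb_ws2][0],    # False
            "browser_contexts_share_circuit": m[tb_a][0] == m[tb_b][0],  # False
            "transport_apps_share_circuit": m[curl][0] == m[apt][0]}     # True

def exit_collision_rate(n_exits, trials, seed=0):
    """Fraction of trials in which two isolated streams still get the same exit."""
    rng, hits = random.Random(seed), 0
    a = Stream("x", "SocksPort:9150", "192.0.2.11", "")
    b = Stream("y", "SocksPort:9150", "192.0.2.12", "")
    for _ in range(trials):
        m = assign_circuits([a, b], list(range(n_exits)), rng)
        hits += m[a][1] == m[b][1]
    return hits / trials
```

With a pool of 10 exits, `exit_collision_rate(10, 4000)` comes out near 0.1: two workstations are always on different circuits, yet roughly one run in ten still shares the exit, which is the point entr0py and Patrick make.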