When I want to use one of my Debian VMs through Tor, I turn on Whonix-Gateway.
And I am asking because I don't understand what I must use Whonix-Workstation for.
> It's possible to use a debian/fedora based appVM with firefox, connected
> to sys-whonix, and all connections will go through tor.
>
> But whonix recommends to use a whonix-ws based appVM with tor browser
> instead to reduce fingerprintability. Most tor users are using tor
> browser, so if you're using tor with firefox and not tor browser it's
> easier to fingerprint you.
Whonix recommends this, but says nothing about Qubes Whonix. Qubes contains the basis of the Whonix-Workstation logic in every OS.
When we use Whonix-Gateway we have one Tor connection (3 onion connections), but when we use Tor Browser (in any OS) we have a second Tor connection (which means that now we already have 6 onions). And for some reason it is not a safe way. This is what I found:
"Please note that a Tor-over-Tor connection will always, without exception, be less safe than a normal Tor connection. There is always a possibility that your Tor connection would use the initial Tor connections guard as an exit, introduction point, rendezvous point, or in some other way interact with your own guard in such a way that it would be using a single relay for ingress and egress.
Never, ever use Tor-over-Tor. It is always less safe."
*** https://tor.stackexchange.com/questions/10071/running-tor-over-tor
On the official site of the Tor Project I found it mentioned only in this way:
"* Simplified custom user installation of TorChat, thanks to dummytor.
(Protecting from Tor over Tor.)"
*** https://lists.torproject.org/pipermail/tor-talk/2014-February/032227.html
From which one can draw the conclusion that the official position on this issue is that Tor over Tor is not safe.
As I understand it, Whonix-Workstation is on a completely isolated network, which means that only connections through Tor are possible. But for Qubes users it does not make any sense, because any (isolated) OS could work through a Tor connection with Whonix-Gateway without Whonix-Workstation.
Actually you can download and install Tor Browser but disconnect it from the Tor network in the Firefox options. It means that you will use Tor Browser with the same security level, but without a direct Tor connection from Firefox. Of course it would be better only if you use this browser through Whonix-Gateway.
> I don't know if there are any other reasons why you would need to use
> whonix-ws instead of debian/fedora or if there's any reason not to use
> tor browser in a debian/fedora VM. But i like to use whonix-ws as a
> template for any VM that's going to connect to tor, and debian for other
> VMs.
That's why I am interested in this question. Maybe somebody uses Whonix-Workstation for other reasons?
> 3. Use regular firefox in a debian/fedora based appVM connected to
> sys-whonix (no tor over tor, and all traffic from the VM is routed
> through tor, but it would be easier for adversaries to fingerprint you
> because most tor users use tor browser, not firefox, so you're more
> unique this way)
Totally agree with all the ways, but there is 1 more way that I know about:
https://trac.torproject.org/projects/tor/ticket/15800
When you change the network.proxy.socks_remote_dns Tor Browser setting to 'false'.
And you could use this type of browsing in a debian/fedora based appVM connected to sys-whonix. And it will be the same as in your 1st way (tor browser in a whonix-ws) without any fingerprint, because it is the same Tor Browser.
After this discussion, I absolutely agree with both of you! :)