Actions

Privacy Policy Technical Details

From Whonix

See Privacy Policy.

These technical details are not part of Privacy Policy.

In any case, it is recommended to visit this website using either Tor Browser in Whonix ™ or the Tor Browser Bundle.

Overview[edit]

Valid SSL Certificate Yes
HTTPS Everywhere [1] Inclusion Yes [2]
Passed Qualys SSL LABS [3] SSL Server Test [4]: Yes, A+ rating. [5]
HSTS [6] Yes [7]
HSTS Preloading List [8] [9] [10] [11] [12] Yes [13] [14] [15]
Certificate Authority (CA) Pinning Obsolete [16]
DNS Certification Authority Authorization (CAA) Policy[17] Yes[18]
HTTP Public Key Pinning[19] Obsolete [20]
Expect-CT header [21] Yes[22]
certspotter [23] Yes[24]
DNSSEC[25] Yes[26]
Flagged Revisions [27] Yes, admins must verify changes before they become the default version.
Content Security Policy (CSP) Yes, A Rating. [28] [29] [30] [31]
Feature-Policy Yes
Secondary .onion Domain [32] Yes [33] [34]
Onion-Location [35] Yes [36]
onion over TLS Unnecessary.

If users have any further suggestions, please edit this entry or discuss possible changes in the Whonix ™ forums.

Privacy on the Whonix ™ Website[edit]

The Whonix ™ website [37] is using popular web applications (web apps) like MediaWiki [archive], Phabricator [archive] and Discourse [archive] (forum software). [38] These are Freedom Software projects which are developed by third parties and not the Whonix ™ team. As an end user of web apps, whonix.org has no control over changes made by the respective developers, whom do not necessarily (seldom in fact) prioritize privacy and security.

The Whonix ™ platform is similarly based on many third party projects. For a simple (approximate) overview of the Whonix ™ organizational structure, see: Linux User Experience versus Commercial Operating Systems. In essence, many independent projects provide their software and source code for free, and they can be modified or used in their default state. Due to the structure of Freedom Software development and the limited funding available to Whonix ™, it is infeasible to try and tackle usability, privacy and security issues posed by these web apps.

Consider the Discourse software for example:

Based on the preceding information, it is clear websites can at best only provide privacy by policy, which is equivalent to a promise. For detailed information on the Whonix ™ privacy policy, see here. [39]

In contrast, the main project activities undertaken by Whonix ™ include research, development and maintenance of privacy by design software [archive]. This is achieved via technological enforcement, remaining free, [40] and utilizing Freedom Software which encourages external contributions, enhancements and audits.

Info Whonix ™ welcomes patches or financial contributions to support the development of desired features.

See also Trusting the Whonix ™ Website and Website Tests.

View Counters on the Whonix ™ Website[edit]

View counter in the Whonix ™ wiki have been disabled to reduce server load and because that is incompatible with caching.

View counters in Whonix ™ forums were inaccurate and have therefore been disabled on 09 April 2021. [41]

Since all webapps running the Whonix ™ server lack access to IP addresses (for details see, Whonix ™ Website privacy policy, Whonix ™ Website IP Addresses and IP Addresses Logging Policy), it is impossible for these webapps to accurately count for example how many times a wiki page has been visited or how many times a forum post has been viewed.

Onion TLS on the Whonix ™ Website[edit]

Would raise the question: use HSTS or not use HSTS for Onion TLS?

Does Tor Browser support HSTS? Looks like, yes [archive].

  • If not using HSTS: If the user's browser is not instructed to enforce TLS, then what's the point?
  • If using HSTS: That has potential to break connectivity when there are issues with the TLS Certificate Authority (CA), such as:
    • CA goes out of business.
    • CA terminates the services.
    • CA starts charging for the service.
    • (Legislation changes and) CA starts asking for things which cannot be provided with reasonable effort.

This issue is exacerbated since there is at the of writing only 1 CA that is offering affordable TLS certificates for onion domains, HARICA. (In future, specifically let's encrypt might offer the same and/or others might follow. But that's not the case yet.)

If required at some point for any reason, a downgrade from TLS-onion to non-TLS-onion downgrade would look bad.

There are two different systems.

  • A) The "normal" internet. The usual top level doamins, .com, .org, etc. It is a centralized, permissioned system. The same applies for CA's.
  • B) The "alternative" internet. For example .onion domains. decentralized, permissionless system. Anyone can set up an .onion without asking a central authority for permission.

Simplified: Connections to onions are already authenticated and end-to-end encrypted. (Details: Notes about End-to-end Security of Onion Services)

Using onions with a TLS certificate from a CA could be viewed as a downgrade. A decentralized, permissionless system is downgraded to a centralized, permissioned system.

Whonix ™ Website is currently using let's encrypt. Server setup would become more complex by adding another CA, HARICA. The advantages do not outweigh the disadvantages.

Quote Get a TLS certificate for your onion site [archive]:

Our Community portal page about onion services give you a list of reasons why a service admin would need a TLS certificate as part of their implementation. Here are some of them:

  • Websites with complex setups and that are serving HTTP and HTTPS content

Not the case.

  • To help the user verify that the .onion address is indeed the site you are hosting (this would be a manual check done by the user looking at the cert registration information)

Answered below (see 2.).

  • Some services work with protocols, frameworks, and other infrastructure that has HTTPS connection as a requirement

In case your web server and your tor process are in different machines

Not the case.

Quote We compiled some topics and arguments, so you can analyze what's the best for your onion site: [archive]

1. As anyone can generate an onion address and its 56 random alphanumeric characters, some enterprise onions believe that associating their onion site to an HTTPS certificate might be a solution to announce their service to users. Users would need to click and do a manual verification, and that would show that they're visiting the onion site that they're expecting. Alternatively, websites can provide other ways to verify their onion address using HTTPS, for example, linking their onion site address from an HTTPS-authenticated page, or using Onion-Location.

Already using Onion-Location [archive].

2. Another topic of this discussion is user expectations and modern browsers. While there is extensive criticism regarding HTTPS and the CA trust model, the information security community has taught users to look for HTTPS when visiting a website as a synonym of secure connection and avoid HTTP connections. Tor Developers and UX team worked together to bring a new user experience for Tor Browser users, so when a user visits an onion site using HTTP Tor Browser doesn't display a warning or error message [archive].

Visitors using the onion are expected to use Tor Browser anyhow which as already mentioned in the quote, does not have this issue.

3. Some websites have a complex setup and are serving HTTP and HTTPS content. In that case, just using onion services over HTTP could leak secure cookies. We wrote about Tor Browser security expectations, and how we're working on onion services usability and adoption. There are some alternatives you might want to try to address this problem:

  • To avoid using an HTTPS certificate for your onion, the easiest answer is to write all your content so it uses only relative links. Then the content will work smoothly no matter what website name it's being served from.

This is implemented.

  • Another option is to use webserver rules to rewrite absolute links on the fly.

This is implemented.

  • Or use a reverse proxy in the middle or more specifically EOTK with an HTTPS certificate.

Not needed.

4. Actually HTTPS does give you a little bit more than onion services. For example, in the case where the webserver isn't in the same location as the Tor program, you would need to use an HTTPS certificate to avoid exposing unencrypted traffic to the network in between the two. Remember that there's no requirement for the webserver and the Tor process to be on the same machine.

Not the case for Whonix ™ website. It does not require such a complex setup yet.

This might be revisited at a later point need arises and/or when Onion TLS support improved.

See Also[edit]

Footnotes[edit]

  1. https://www.eff.org/https-everywhere [archive]
  2. https://gitlab.torproject.org/legacy/trac/-/issues/9143 [archive]
  3. https://www.ssllabs.com/ [archive]
  4. https://www.ssllabs.com/ssltest/index.html [archive]
  5. https://www.ssllabs.com/ssltest/analyze.html?d=whonix.org [archive]
  6. https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security [archive] 
  7. curl -i https://whonix.org
  8. http://blog.chromium.org/2011/06/new-chromium-security-features-june.html [archive]
  9. http://blog.stalkr.net/2011/08/hsts-preloading-public-key-pinning-and.html [archive]
  10. http://www.chromium.org/sts [archive]
  11. https://blog.mozilla.org/security/2012/11/01/preloading-hsts/ [archive]
  12. https://bugzilla.mozilla.org/show_bug.cgi?id=861960 [archive]
  13. https://github.com/Whonix/Whonix/issues/34 [archive]
  14. http://src.chromium.org/viewvc/chrome?revision=209444&view=revision [archive]
  15. https://hstspreload.org/?domain=whonix.org [archive]
  16. https://phabricator.whonix.org/T66 [archive]
  17. https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum [archive]
  18. https://forums.whonix.org/t/dns-certification-authority-authorization-caa-policy-dnssec-for-Whonix-org-ssllabs-com-test-results/5487 [archive]
  19. https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning [archive]
  20. https://phabricator.whonix.org/T84 [archive]
  21. https://scotthelme.co.uk/a-new-security-header-expect-ct/ [archive]
  23. https://github.com/SSLMate/certspotter [archive]
  24. https://forums.whonix.org/t/dns-certification-authority-authorization-caa-policy-dnssec-for-Whonix-org-ssllabs-com-test-results/5487/2 [archive]
  25. https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions [archive]
  26. https://forums.whonix.org/t/dns-certification-authority-authorization-caa-policy-dnssec-for-Whonix-org-ssllabs-com-test-results/5487 [archive]
  27. https://www.mediawiki.org/wiki/Extension:FlaggedRevs/ [archive]
  28. https://securityheaders.io/?followRedirects=on&hide=on&q=whonix.org [archive]
  29. https://phabricator.whonix.org/T70 [archive]
  30. https://forums.whonix.org/t/Whonix-website-security-rating-b-mozilla-observatory-content-security-policy-csp/3874 [archive]
  31. https://forums.whonix.org/t/content-security-policy-now-deployed-on-Whonix-websites/5494 [archive]
  32. Optional Tor onion service (.onion domain); alternative end-to-end encrypted/authenticated connection; in this use case, not for location privacy; backup in case DNS is not functional.
  33. dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion
  34. See also Forcing .onion on Whonix ™.org.
  35. https://community.torproject.org/onion-services/advanced/onion-location/ [archive]
  36. https://forums.whonix.org/t/onion-forum-site-redirects-to-clearnet/197/15 [archive]
  37. Clearnet address: https://www.whonix.org [archive] and v3 onion address: dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion
  38. This is common practice. For example Free Software Foundation (FSF) also uses discourse. [archive]
  39. This includes any type of information that is collected and recorded, and how it may be used. The processing of any personal information is subject to the General Data Protection Regulation (GDPR).
  40. Free in terms of price, while also respecting user and developer freedoms.
Fosshost is sponsors Kicksecure ™ stage server 100px
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: Discourse logo.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contribute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Privacy Policy Technical Details&body=./Privacy_Policy_Technical_Details link=https://reddit.com/submit?url=./Privacy_Policy_Technical_Details&title=Privacy Policy Technical Details link=https://news.ycombinator.com/submitlink?u=./Privacy_Policy_Technical_Details&t=Privacy Policy Technical Details link=https://mastodon.technology/share?message=Privacy Policy Technical Details%20./Privacy_Policy_Technical_Details&t=Privacy Policy Technical Details

Love Whonix ™ and want to help spread the word? You can start by telling your friends or posting news about Whonix ™ on your website, blog or social media.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

Retrieved from "https://www.whonix.org/w/index.php?title=Privacy_Policy_Technical_Details&oldid=71377"
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.
More information