'Jackie' via qubes-users:
Sven Semmler:
In addition to my fairly standard dvm based on whonix-ws connected to
sys-whonix based on whonix-ws I have now done the following:
1) cloned sys-whonix to sys-whonix-id
2) created app-signal based on whonix-ws
3) installed signal in whonix-ws
4) connected both app-email-private and app-signal to sys-whonix-id
The idea being:
1) sys-whonix and the instances of whonix-ws connected to it are for
truly anonymous browsing. I have never nor will I ever type in
anything even remotely identifying into those qubes.
2) sys-whonix-id is used more like a VPN in that the endpoint of the
connection (my email provider or my phone in case of signal) knows
very well who I am ... not anonymous at all. However no one in between
my PC and those end points should be able to tell.
Here is my assumption I would like to check against the members of
this group: while both instances (since cloned) will use the same
entry guards, the resulting TOR circuits will be different and there
is no way the traffic on the one connection can be correlated to the
other - right?
/Sven
Hi,
I'm certainly no expert, but i'm not sure having two sys-whonix vms is
necessary here. Whonix vms have stream isolation so different whonix
appvms, or even different applications within the same vm, will use
different tor circuits.
Of course it's possible that just coincidentally two applications in the
same or different vms could happen to use the same exit node for a
period of time, but that would also be possible if they use separate
sys-whonix proxy vms.
But i might be missing something here, so somebody please correct me if so.
One way to find out for sure. Open /etc/torrc (or ~/.config/tor/torrc,
or other torrc location), and look for stream isolation flags. Make sure
you understand exactly what each one means.
IsolateClientAddr
Don’t share circuits with streams from a different client address.
(On by default and strongly recommended when supported; you can disable
it with NoIsolateClientAddr. Unsupported and force-disabled when using
Unix domain sockets.)
IsolateSOCKSAuth
Don’t share circuits with streams for which different SOCKS
authentication was provided. (For HTTPTunnelPort connections, this
option looks at the Proxy-Authorization and X-Tor-Stream-Isolation
headers. On by default; you can disable it with NoIsolateSOCKSAuth.)
IsolateClientProtocol
Don’t share circuits with streams using a different protocol.
(SOCKS 4, SOCKS 5, TransPort connections, NATDPort connections, and
DNSPort requests are all considered to be different protocols.)
IsolateDestPort
Don’t share circuits with streams targeting a different destination
port.
IsolateDestAddr
Don’t share circuits with streams targeting a different destination
address.
https://www.torproject.org/docs/tor-manual.html.en
Since IsolateClientAddr is on by default, and since every whonix-ws has
a different address, one can assume that circuits will never be shared
between different VMs. So a single gateway should sufficiently isolate
traffic from different VMs.
Important note: Applications accessing the same Tor instance, via any
SOCKS address/port, can discover information about the remote
destinations of other applications on the same Tor instance.
So the reason to use two separate Tor instances (whonix-gw VMs) is only
if you're worried about untrusted or exploitable applications which
could discover where other applications (even on different workstation
VMs connected to the same gateway) are visiting. But it has nothing to
do with external traffic analysis or stream isolation or anything like that.
This is the same reason it's not recommended to expose your Tor SOCKS
port to the local network or anywhere else. Anyone who can access it can
find out what sites you're visiting.
For example, if you have two whonix-ws VMs using the same whonix-gw, a
browser in VM1 could be exploited and discover what sites you are
visiting in VM2.
So, in theory, you are right for using two different whonix-gw VMs, one
for anonymous work and one for non-anonymous work. However, I would
imagine that the Qubes and Whonix developers know about this and have
done everything right. I just don't know enough about Qubes/Whonix in
particular.
As far as entry guards... Yes, I believe the cloned VM will use the same
guards, at least initially. However I don't think guard selection is
deterministic, so after a while (usually a month) the two VMs will
select a new, different set of guards.
Generally you want to use as few guards as possible, so you want to use
the same ones in as many places as possible. To be precise, you want to
always use the same guard to connect to a given location (to the best
extent that is practical, anyway).
So if whonix-gw1 and whonix-gw2 are both connecting to google.com using
different guards, the likelihood of being deanonymized by a confirmation
attack is doubled (as compared to if they were using the same guards).
However, using two whonix-gw instances with different guards is really
no different than installing Tor on two different machines in the same
network (e.g. laptop and tablet), which is generally safe. It's up to
you to weigh the risks.
-------------------------------------------------
This free account was provided by VFEmail.net - report spam to ab...@vfemail.net
ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the
NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/3244a2ad-a0c0-b151-1ba5-1f3056277990%40vfemail.net.