Whonix Anonymous OS Thread

Discussion in 'privacy technology' started by adrelanos, Sep 12, 2018.

  1. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    67
  2. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    156
    Been using Whonix 14 for about 2 weeks now. My only issue is this stuff popping up whenever I start the VMs. It's a minor annoyance, but it's nonetheless an annoyance.

    https://i.imgur.com/st7vykp.png
     
  3. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    67
  4. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    156
  5. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    67
  6. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    67
    Any news / discussion / social channels Whonix should set up?

    Any of telegram, whatsapp, gab.ai, d.tube, bitchute, peertube or anything else?

    ^adrelanos
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,041
    For messaging, Briar and Ricochet are arguably the most secure and private options. Both are fully P2P, with no third-party servers involved. Each client runs a Tor .onion service, and there's end-to-end encryption. So users are mutually anonymous, except for their .onion addresses. Both are free and open-source. However, Briar is available only for Android. But Ricochet is available for Linux.

    Tox and Ring are also fully P2P, with no third-party servers involved. They're both end-to-end encrypted, with perfect forward secrecy. By default, users see each other's IP addresses. But maybe they'll work via Tor, if TCP-only mode is possible. They're both free and open-source, and available for Linux. Ring is reportedly less buggy than Tox. A key downside of fully P2P apps is that conversations are fully device-specific. Even if you have the app on your phone and your laptop, for example, conversations aren't shared between them. Also, P2P doesn't deal well with users being offline.

    For the rest, all bets are off. In their privacy policies, Signal,[0] Telegram,[1] and WhatsApp[2] say that they may disclose such account information as IP address and phone number when legally required. All three are available for Linux. Although account creation requires SMS or voice verification, there are more-or-less anonymous options for that. I don't know whether TCP-only mode is possible, for connecting via Tor.

    Signal is arguably the most secure and private mainstream messaging app. It's free, ad-free and open-source. It's end-to-end encrypted, with perfect forward secrecy, using a protocol that generates a new encryption key for each message. It has a P2P mode, and self-destructing messages are an option.

    WhatsApp is the most popular end-to-end encrypted-messaging app. It's not open-source, but it is free and ad-free. It now uses the same end-to-end encryption as Signal, and it supposedly doesn’t store messages on servers. However, it's owned by Facebook, which can log metadata.

    Telegram is, in many ways, much like Signal. However, although it's free and ad-free, it's not open-source. In "secret chat" mode, it's fully P2P (not via Telegram servers) with end-to-end encryption and perfect forward secrecy. Self-destructing messages are also an option. However, it uses custom MTProto symmetric encryption, which some argue is insecure. And it's closed-source, and so hasn't been independently audited.

    0) https://www.signal.co/privacy-policy/
    1) https://telegram.org/privacy
    2) https://www.whatsapp.com/legal/
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,090
    Location:
    Outer space
    Do you have a source for Secret Chat being P2P? Afaik they still go via their server.
    I'm a big disliker of Telegram. They advertise it as a secure messenger but end-to-end encryption is not used by default, is only available on 1 device and there is no e2e encrypted group chat. Chats without e2e are saved on their servers. There is some sort of visualized public key to protect e2e chats from MitM attacks, but it does not alert you if it changes, so it is useless unless you check it every time you communicate with it.
    Telegram also uploads your contacts phone numbers and full names to their servers(without hashing.) It is possible to block this but you and your contacts will probably end up on their servers anyway if just a few of your contacts don't block it. They claim they need this information to give users a notification like "Contact X is now using Telegram." First of all, it says a lot about them if they value something like that over privacy, secondly, it is not even necessary because it the contact information can also be compared locally, like Signal does.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,041
    I hadn't seen the issue about Telegram uploading contacts to their servers. If that's the case, they're not a secure and private option. Do you have a cite for that?

    What about Signal? Is it clear that they don't upload contacts?

    https://www.tomsguide.com/us/pictures-story/761-best-encrypted-messaging-apps.html#s4

    But that's distinct from "secret chats", which are apparently P2P.
    https://heimdalsecurity.com/blog/the-best-encrypted-messaging-apps/

    I don't believe that either Signal nor Telegram offer P2P end-to-end encrypted group chats. And actually, I don't recall seeing any apps with P2P end-to-end encrypted group chats. Even Briar, Ricochet, Tox or Ring. Do you know of any?
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,090
    Location:
    Outer space
    Yes:
    https://news.ycombinator.com/item?id=6915194
    https://telegram.org/privacy


    Signal only uploaded SHA256 hashes of phone numbers. The problem with that is that there are a limited amount of phone numbers, so the hashes could be reversed. Now they're doing the serverside stuff in a SGX secure enclave so the servers has no access:
    https://signal.org/blog/private-contact-discovery/


    I'm not reading that as that they're P2P, but as your messages are not saved on the server so you don't have the convenience as with normal messages: standard Telegram chats are saved on the server/cloud, so when you add a new device, it can access your entire message history.


    Indeed, Signal does offer E2E encrypted group chats contrary to Telegram, but not P2P.
    Tox does offer group chat, but I don't know if it is also P2P like their normal chats.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,041
    OK, it sounds like Telegram is insecure. And Signal is iffy.

    So we're left with Ricochet, and maybe Tox and Ring.
     
  12. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    67
    Signal has groups but it's not possible to mute/kick people so it's unsuitable for a public chat group.

    > Any news / discussion / social channels Whonix should set up?

    Clarification: that refers to a public chat room. So ricochet for example is nice for private chats but not really suitable for a public chat, modern IRC replacement. Telegram looks better but I agree with all the issues mentioned here. I don't think Tox / Ring are used for public group chats either?
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,041
    Ah. I thought that you were talking about pre-installing on Whonix.

    What about hosting a secure IRC channel, and making sure it's accessible via Tor?

    I've seen a few sites use Discord for group chat. And Everipedia uses Telegram for chat, and Reddit for discussion.

    Maybe another option is Keybase Teams. But I've never used it.
     
  14. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    67
  15. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    67
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,090
    Location:
    Outer space
    I'm not so familiar with public chat alternatives, sorry.

    [Offtopic] Is Briar not a maybe or does it have downsides?(I'm not familiar with it)
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,041
    I was thinking that Briar is available only for Android, and so it's not relevant for Whonix.

    But this is for chat about Whonix, not necessarily using Whonix, so o_O But still, most Whonix users are on PCs, so Android-only is perhaps unworkable.
     
  18. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    67
    whonix can be useful in torrifying android based OS running inside virtual machine (vbox,kvm,qubes ..etc) by connecting Whonix Gateway to X OS (X could be any OS even the malware OSs like windows/mac..etc)

    ^TNT
     
  19. adrelanos

    adrelanos Registered Member

    Joined:
    Sep 28, 2012
    Posts:
    67
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,041
    Truth. I've done that, with Windows, for using sites that won't work with other OS ;)
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.