IP correlation Attack and others

Hello, noob here. Perhaps this is more Operational security issue type question but. I have a few scenarios where you can probably be tracked?

Scenario 1- IP Correlation
You visit a website through standard internet(not Whonix/tor). You visit that same website again through Whonix/tor and now a single IP address is linked to the website and to tor and thus it can all be correlated to your originating IP address

Scenario 2 - browser fingerprints correlation
Now how about you visit a website on clear net, now do same above, visit same website using tor/whonix, now there is a correlation that the originating clearnet IP and Unique fingerprints has an association to a a whonix/tor

Am I not understanding…? Missing something

Why would you visit the same site using tor then immediately after using clearnet? Maybe if you search for a default string like testtest123 to check your internet in both, this could be a problem. But even if you did, someone would have to be monitoring the site (and search engines have oodles of searches a second) and also guessing that this will happen to bother linking the two.

Just keep your tor and clearnet use in separate qubes. Using TorBrowser for tor and Firefox or Chromium for clearnet (in separate qubes e.g. personal and anon-whonix) would take care of both scenarios. Just be careful to only search for certain things via tor and certain things via clearnet. If you actually log into a site over tor and then over clearnet, of course they will know you are both of these ip addresses.


Thanks I understand, I commonly browse news sites using clearnet, and tor but I guess I have to be careful. No logging of personal information through tor, that’s obvious OPsec.

The second part of your statement: use Tor and clearnet in separate qubes, but still won’t that fail because there is browser signature similarities and OS information that can be picked up through fingerprinting; that is, there is a tor user on Linux accessing this site and a clearnet user on Linux also

Thanks for help

Compare your fingerprints between Tor and clearnet here or here.
Tor browser should hide your actual fingerprint.

1 Like

Thanks yea I was messing around with fingerprinting sites, it seems that canvas fingerprinting is now added to the tracking toolbox:

I tested my canvas fingerprint and I found it to be unique even on Tor/Whonix. I guess us using Linux and Firefox is quite unique but then this takes it to another level. Just really concerned about these things for future development.

It just seems that obscuring the IP address is simply not enough for safe anonymity anymore. All fingerprints, identifiers, trackers must be suppressed and obscured. I think this should be a high priority

I suggest reading the Whonix documentation, which addresses this topic:

1 Like

Thank you will take a look

Thanks yea I was messing around with fingerprinting sites, it seems that canvas fingerprinting is now added to the tracking toolbox:

DNS Leak Test - BrowserLeaks

Canvas fingerprinting has been an issue for some time.
The decision by TBB to allow JavaScript by default makes it more likely
that fingerprinting using the canvas will work.
If Whonix does not deal with it that’s a major flaw: I don’t know if they

There are assorted plugins to deal with the canvas - some block canvas
calls, some use other mechanisms. I like Canvas Defender which adds
noise - if you use it in a qube or disposable you must generate new
noise at the start of any session, to avoid correlations.

1 Like

Is canvas defender a tor browser addon? Also wouldn’t it not add to a unique browser fingerprint on its own? I really think we are just getting way past the point that Whonix can keep you really anonymous with so many tracking methods out there

Perhaps there should be a method were webpages as loaded in a non JS manner or maybe we are presented screenshots. Perhaps there is a non GUI JS loader that loads the pages and then presents them on a front end to the user so the user can’t be fingerprinted even though the loader may be

Modern tracking doesn’t use IP addresses anymore. While Whonix capabilities are great I think Whonix needs to work on these other fingerprint limiting features

Do they not? I thought they’ve already been working on it. Might be a better question for the Whonix Forum.

Well the tor browser/Whonix Firefox itself does what it can to minimize fingerprints but I don’t think it is really good enough compared to these modern methods

It’s been a long time since tracking only looked at IP.

Canvas defender is a Firefox addon. Since it is adding noise, it doesn’t
matter if it contributes to a unique browser fingerprint. In some cases
that might be desirable.

Now I’m going to trot out my stock comment.
Most people don’t distinguish between three kinds of fingerprinting.

Fingerprinting can be used to identify you by linking online activity -
if you use separate qubes, whether over Tor or VPN, but both have similar
fingerprints, then an adversary may be able to link the distinct
activity. If they are able to link one of them to an IP traceable to you
then both qubes will be linked to you.

In some circumstances, just one fingerprint may be enough to
identify you, or at least limit the suspect pool substantially.

Fingerprinting can also be used as a confirmation tool, if you are
already under suspicion.
If a fingerprint has been captured doing X, you are under suspicion,
and your computer generates the same fingerprint, that’s good evidence
against you.

These are different things.
Proper use of Qubes helps to address them in different ways.
Using different templates, different browser configurations, different
timezones, various exit nodes, browser tools: these can all help.
In most cases t will be your habits, and stupidity, that will give you
away. Qubes can do nothing to help with that.

1 Like

Thank you I read most of the Whonix documentation and it is most excellent indeed. I will have to investigate the canvas browser extension