Possible Tor Browser/Whonix Leak


I am using Qubes 4.1 last fully updated a couple of days ago. I have not made any modifications. My hardware has not been compromised.

I launched the Tor Browser in a disposable Whonix Workstation.

I checked ipleak and confirmed my ip was hidden and was instead an exit node in another country.

When searching in the top bar I got a message in the browser that my connection was reset.

I hit enter to search again, and I was taken to a Duck Duck Go page with the language set to that of my home country and not the exit node.

When checking ipleak again after I saw only the exit node in a foreign country again.

Unfortunately the duck duck go search does not show ip, but the very unusual behaviour of selecting a very specific non-American country of location concerns me.

I often get sdwdate errors, I am unsure if this is related.

If you don’t think this could be related to Qubes, you should address your concerns to corespondent sources: torproject and Whonix.

Thanks for your reply. Do we have enough information to say that this is not related to Qubes? If so can you explain? I should also mention that my search terms were not in my own language so they could not have detected it that way.

Edit: Perhaps it is specific to the connection between Qubes? I was under the impression Whonix leaks were not possible.

I don’t have enough information, but I can clearly imagine that there is an exit node in my country and that I will face it sooner or later, which actually happened once to me since I use Qubes as my daily driver.

Thanks for your reply. The issue is not an exit node in my country. The issue is that I was at the same exit node before and shortly after this lost connection message, but in the few seconds immediately after the lost connection that particular search defaulted to my home country. I could not see an ip as it was not on an ip checking website that this potential fault occurred.

@KK5rHZg87, do any of your Qubes VM logs show anything that might resemble a leak, cross-contamination, or other pwnage?

Hopefully not, but if they don’t, then it would suggest that it’s a Tor thing.

Mind you, the Tor network has taken a few big hits because of “everything that has happened this year”, and the fact that there aren’t as many nodes as there used to be, particularly in certain parts of the world.

(I tried to keep that as politically-agnostic as I could… :woozy_face:)

Like so many people, I’m glad it’s still around.

It might be worth doing a panopticlick in a disposable Whonix VM and seeing what it shows up.

In any case, this is concerning, and you should definitely pass this onto the Whonix project.

Is there a way that you could explain what you just said to me at a much more basic level?

Due to the very transient nature of this disruption I’m not sure what I could test. It was a matter of one page refresh of time.

I suppose what I’m trying to get from the Qubes side is if there is any sort of known failure where the Qubes Workstation could go around the gateway and if the little x over the padlock by whonix regarding sdwdate means anything.

It did say Tor is running.

I don’t want to get too specific but this was an unaltered installation on very secure hardware.

It sounds like your connection dropped for a moment, then tor reconnected, and a new circuit was reestablished. It was probably coincidence that it happened to be an exit node in your same country. You might be able to check tor logs in your whonix gateway vm if you haven’t already shut it down. It’s hard for anyone to hypothesize based on your description without any absolute data or logs.

Did you search in your home language? If so, it may have also been duckduckgo sniffing out your language of choice through you entering text into the search bar. If you search in German for example, it’s probably going to set your language to German even if you are using a UK exit node.

Maybe duckduckgo could have known your language from cookies generated during your recent browsing session on other websites that you visited at the time.

I don’t see how a momentary firewall slip up would likely happen with Whonix. I would ask on /r/tor. People there might know more about the technical details of tor circuits and how they are built or reestablished.

1 Like