Questions regarding Tor identity in Qubes + Whonix

Thamil13 · October 9, 2021, 9:55am

I am using Qubes + Whonix.

As I have read in the Whonix docs, Whonix (Tor in general) offers stream isolation. Regarding this, and regarding Tor identity in general, I have some questions.

Docs say:

Stream isolation provides protection against identity correlation through circuit sharing.

How exactly does it work? Because when I am having several tabs open and operating them, they should all be the same identity. And when I want a new identity, I have to reopen the browser.

What benefit does stream isolation provide here?

I have thought about using Firefox instead of Tor browser in Whonix, because all traffic is forced over Tor anyway.

2.1 What is the difference between using Tor browser in Whonix, and Firefox in Whonix then?

2.2 Is stream isolation somehow possible with Firefox? How can I get a new browser identity at all when using Firefox in Whonix? I am not sure if reopening the browser does the trick, like it is with Tor browser.

If I have several Whonix VMs running (within Qubes) at the same time, are they isolated from each other as well, hiding that they are operated from the same person? (I’m 99% sure the answer is yes, but you can’t be safe enough).

Thank you very kindly.

ppc · October 9, 2021, 1:14pm

correct, it only protect you from some attack (not create new iden)

only protect you between app

tor b in whonix is tor b without tor
still better than firefox

yes

quite hard (below)

some time with private browsing

60% true

fsflover · October 10, 2021, 7:09pm

The difference is that Tor fights fingerprinting, while Firefox not so much. See also:

Thamil13 · October 17, 2021, 10:24pm

60% true

Can you please elaborate?
(Thanks for the rest!)

ppc · October 18, 2021, 12:26am

at the time of writing that, there is a lot of wrong info
one of the only way is hardware id, that because xen doesn’t hide your hardware (or at least, cpu) from vm, which is not so large concern

Thamil13 · October 18, 2021, 10:57pm

Okay. So, is it better for my privacy if I am not operating several Whonix VMs at once, but rather only once at a time, when their identity should be separated from each other?

ppc · October 19, 2021, 12:23am

short answer: yes
long answer: what is your adversary?

Thamil13 · October 19, 2021, 7:51pm

Is it because of the case that if my internet connection crashes, it is suspicious that all VMs crash at the same time?

My threat model is that I want to be anonymous to my internet providers as I am frequently using public WiFi (like in hotels where I have to check in with my real ID).
And secondly, authorities that should not be able to monitor and identify me.

ppc · October 20, 2021, 12:35am

uh oh, this can’t protect you from authorities to know you are using many Whonix VM

fsflover · October 20, 2021, 11:48am

More details:

github.com/QubesOS/qubes-issues

Stop telling VMs the exact physical CPU model in the computer

opened 12:21AM - 21 Aug 15 UTC

closed 11:45PM - 17 Oct 18 UTC

qubesuser

T: enhancement C: core C: Xen privacy R: declined

Currently Qubes lets VMs execute CPUID and get the exact model and microcode rev…ision of the physical CPU installed in the system. This is bad for anonymity and unexpected. Already discussed in https://groups.google.com/forum/#!msg/qubes-devel/Q8h-RGH5YoA/fzWbi7c-kfoJ but there seems to be no open issue, and it's a critical issue at least for anonymous VMs. Possible solutions: 1. Run all VMs in Xen PVHVM mode, fix libvirt so that it allows to set the CPUID for Xen and do so 2. Run all VMs in Xen PVH mode, fix Xen so that CPUID hiding works in PVH mode and fix libvirt as well to support PVH and allow to set CPUID 3. Replace Xen with KVM and then it just works with no additional effort The CPUID chosen should be the default libvirt one for the physical CPU microarchitecture (i.e. one for Skylake, one for Haswell, one for Sandy Bridge, etc.) which allows using all CPU instruction set extensions while not giving any more information and should be changeable to a less featureful one (Core 2 or Athlon 64) for increased anonymity if desired. Ideally Qubes should wait until a few months have passed from the release of a new CPU architecture before it starts advertising it by default, to ensure that the anonymity set is big enough, and it should also wait a random amount of time before changing it on upgrades, to avoid leaking the exact time the user installed the new CPU or changed computers. It would also be nice to look at whether it's possible to prevent applications indirectly detecting the size of the cache, size of TLBs, the speed of the CPU and other characteristics, although it may not be practical to avoid those.

Thamil13 · October 20, 2021, 12:15pm

Can it be seen that my VMs are all operated from the same person (me)?

If yes, how to change that?

fsflover · October 20, 2021, 12:19pm

This question is more about Whonix than Qubes, so you should probably ask it on Whonix forums and consult the Whonix docs: Multiple Whonix-Workstation ™.

ppc · October 20, 2021, 1:54pm

idk

adw · October 20, 2021, 3:08pm

This is generally known as “VM fingerprinting.” This page might address some of your questions on that topic:

Thamil13 · October 20, 2021, 9:44pm

@fsflover
@adw

What I found out with the links is that the best option is to not use several VMs simultaneously.

Now my final question regarding the different identities is:
Is using Qubes + Whonix VMs equally good as using several Tails sticks to prevent links between my identities and separate them, or is one of the two options better?

ppc · October 21, 2021, 12:19am

tails better if you don’t think much about it
Qubes + Whonix VMs is good depend on how you configure it like it is disp vm,…

fsflover · October 21, 2021, 7:43am

Thamil13 · October 21, 2021, 7:30pm

Yes, I think privacy-wise, it’s very similar. I actually tend to use Tails, but the only thing that seems to be better with Qubes is the security. If anything happens with my Tails, my entire PC could be affected (and therefore, my other identities as well). Qubes mitigates that risk better.
Correct me if I’m wrong.

fsflover · October 21, 2021, 8:47pm

You entire PC could be affected, but a reboot would fix that** (except maybe BIOS, which you could reflash in principle).

** Make sure you don’t have any hard drives or USB sticks connected while using Tails.

Thamil13 · October 21, 2021, 8:51pm

You entire PC could be affected, but a reboot would fix that** (except maybe BIOS, which you could reflash in principle).

But I want to use persistence. Still?

** Make sure you don’t have any hard drives or USB sticks connected while using Tails.

Even my PC’s SSD?