That might work. Seems like a lot effort just to implement this.

I guess the only solution would be two separate packages of the desktop config for the gateway and the workstation. Maybe also some kind of postinst script which detects when it is run on the gateway and changes the xml. However, such a starter is also present on a default Xfce installation without a browser so it is more or less default behaviour.

Apper no longer installed by default.

Reverted. Main reason:
https://forums.whonix.org/t/https-ssl-tls-by-default-broke-apt-cacher-ng-apt-package-caching-during-build/6276

• https://github.com/Whonix/anon-apt-sources-list/commit/9f08431be63b4977931fe2db57b067e660828997
• https://github.com/Whonix/Whonix/commit/867a481710077f6bf4e14a5d8c87471e81db85df

^ I hope this won't be causing issues in future such as when user/group changes from debian-tor to something else (very unlikely?) or when advanced users change user/group ownership for some reason (very unlikely?).

Tracker updated at https://github.com/jthingelstad/foreground/issues/182

No problem, but needs to add the commands manually to firetools in the GW.

I disagree. Firetools makes administration easier and has a place on both VMs.

firejail is enough for Whonix-GW
firejail + firetools for Whonix-WS

Was discussed before.

Yes (closeable), updates were not possible in timesyc-fail-closed mode. Nothing more to do with this ticket.

Yes. To simulate being in timesync-fail-closed mode:

https://packages.debian.org/stretch/paxrat

Got it. Set firewall_mode=timesync-fail-closed in sys-whonix and reload whonix_firewall. When that is done both whonix-ws-14 and whonix-gw-14 upgrades fail.

Not sure how to test this. I read through T533 and found this command but it does not restrict Apt traffic.

In T872#17440, @HulaHoop wrote:

By running packages from your distro there is a higher chance that bugs are more visible for more people and more likely to be fixed.

@HulaHoop that doesnt mean we dont install firejail by default.

We can now grab the browser tarball from the TPO onion instead which makes this ticket obsolete. Close if you concur.

Proposed implementations for multi-Tor suggested here:

The short story is that things get worse very quickly, but there is hope.
The analysis below assumes only the adversary that runs guards and not the local adversary like the host OS or the Whonix processes themselves.
In my analysis I assume a hypothetical adversarial guard bandwidth of 10% of the entire network. This is an arbitrary number since we don't know the real number, but it serves to show the trends as we increase the guards per client and number of clients per user. I do the kind of analysis we do in the Conflux[1] paper which is very relevant here, especially Table 3 and its discussion in section 5.2. I update the numbers and extend that analysis for the scenarios you have described.

1. 1 guard/client, 1 client/user. The adversary (i,e, the compromised guard) will have the ability to observe 10% of the clients and hence 10% users. This is the situation today.
2. 2 guards/client, 1 client/user. This is worse than 1 above. There is now a 18% probability that only one of the guards is compromised per client and a 1% chance that two guards are compromised per client. The probability of at least one bad guard is hence 19%. There really is not a real distinction between one or two bad guards from the user perspective since in both situations the client will go through a malicious guard in a short period of time, since the guard is picked uniformly at random from the guard set.
3. 1 guard/client, 2 clients/user. The observable clients again increase to 19% from the base 10% in 1 above. This means that if the user split her app (or group of apps) across the clients then there is a 19% chance that at least one of the app (groups) is compromised. However, for each client there is still only a 10% chance that a malicious guard is present. Is this configuration better than scenario 2 above? Perhaps, but let's look at the following scenario first.
4. 2 guards/client, 2 clients/user. The observable clients increases to 54%. This means that there is a 54% chance that at least one bad guard is present. This is worse than all the other scenarios above. However, if we fix apps (or groups of apps) to particular clients then we can compare to scenario 2 where the app group/client is analogous and the same analysis holds. Then, for each client there is again a 19% chance that there is a malicious guard present. If we compare to 3 above we can see that if we only use 1 guard/client then we can drop the exposure back down to 10% for that client and hence app group.
   
   Taking the above into account we can get good results by keeping the guard set size to 1 and users spin up one client for each app. Then we can achieve at most 10% of apps compromised at *any given time* but not simultaneously. We can call this scenario (which is an extension of scenario 3) the 1 guard/app scenario (1G/A). See the appendix for more tweaks to decrease guard exposure.
   
   If we want to consider 1G/A, then the next question for your user base is that is it better to either 1) have some portion of your apps compromised at *all* times (scenario 1G/A) or 2) have *all* your apps compromised some portion of the time (scenario 1). Tor tends to bend towards option 2, but then they have not considered the option of multi-client usage since it doesn't improve the situation in a non-compartmentalized setting, unlike the Whonix situation. I believe that option 2 is flawed because you never know if you are in fact currently compromised or not. It might be better to go ahead with assuming that you are compromised and mitigating that compromise to some portion of your network activity than all or nothing, which is what option 1 provides.
   
   I hope that answers your questions. Please do not hesitate to get in touch again if you would like to discuss further. I think this is a very interesting problem area and would be happy to contribute to improving the situation.
   
   Best regards, Tariq Elahi
   
   [1] http://cacr.uwaterloo.ca/techreports/2013/cacr2013-16.pdf
   
   Appendix We can do better if we allow a user's clients to look at each other's lists to exclude guards that are already picked. The benefit would be that once the bad bandwith has been assigned it can no longer affect subsequent guard selections. However, clients looking at each other's memory space will compromise your vision of process containment. A zero knowledge/oblivious method for comparing guard lists might work to avoid this problem, and indeed the adversarial response will be weak since the best they can do is spread their bad bandwidth over many relays and at best return to the original exposure rate (e.g. 10%) but now with added costs of running many more relays.

Sorry not reproducible on my end. May be related to the fact that you are running a non-standard setup with custom compiled binaries. By running packages from your distro there is a higher chance that bugs are more visible for more people and more likely to be fixed.

made no difference.

https://forums.whonix.org/t/remove-ricochet-from-whonix/5009

Closing. duplicate of:

There is nothing dead about it. I jsut explained this on the forum. It is perfectly workable and openprivacy is owrking on creating a P2P asynchronous chat solution over its protocol.

It's on the roadmap but a little far off until ParrotOS changes can be combined with the upstream package. It will make maintenance and turning it on by default much more easier.