{{Header}} {{hide_all_banners}}
{{Title|title=
Features, Advantages, Use Cases - {{project_name_long}}
}}
{{#seo:
|description={{project_name_short}} Feature List
|image=Drip-1037807-640.jpg
}}
[[File:Drip-1037807-640.jpg|thumb]]
{{intro|
{{project_name_short}} Feature List. {{project_name_short}} has a lot of features and advantages. This page gives an overview.
}}
= {{project_name_short}} Features =
[[File:Whonix-logo-rectangle.png|thumb|100px|[[Dev/Logo|{{project_name_short}} rectangular logo]]]]
{{project_name_short}} is an operating system focused on [https://www.whonix.org/#security anonymity and security]. It hides the user's IP address / location and uses the [[Why_does_Whonix_use_Tor|Tor network]] to anonymize data traffic. This means the contacted server, network eavesdroppers and operators of the Tor network cannot easily determine which sites are visited or the user's physical location. [
Without advanced, end-to-end, netflow correlation attacks which rely on statistical analysis of data volume and timing.
]
For a comprehensive comparison of {{project_name_short}} with other popular anonymity platforms, see [[Comparison with Others]].
== Platform Flexibility / Virtualizer friendly ==
Most if not every compatible feature of every system that {{project_name_short}} is based on can be used in {{project_name_short}} too. There are no atificial restrictions.
* Based on [https://www.debian.org Debian] GNU/Linux.
* Based on the [https://www.torproject.org Tor] anonymity network.
* Based on [[KVM]].
* Based on [[VirtualBox]].
* Based on [[{{q_project_name_short}}|Qubes]].
* [[Reasons for Freedom Software|Free]], Open Source, Libre, [https://forums.whonix.org/t/lets-call-it-freedom-software-rather-than-free-software-or-open-source/6961 Freedom] Software. This means flexibility for the user, because customization is possible and relatively simple.
* Virtual machine images with [[Virtualization_Platform_Security#Type_1_vs_Type_2_Hypervisors|Type I or 2 hypervisors]]. This means that {{project_name_short}} is flexible enough to be ported to different hypervisors.
== Pre-installed, Pre-configured Applications ==
A number of applications are pre-installed and pre-configured with safe defaults to make them ready for use. Most popular applications are compatible with the {{project_name_short}} design:
* [[Tor Browser]] is included for Internet browsing.
* Web server administration with Apache, ngnix, IRC servers, and more via [[Onion Services|onion services]].
* PGP-encrypted [[E-Mail]] with [[Encrypted_Email_with_Thunderbird|Thunderbird]].
* {{kicksecure_wiki
|wikipage=Keepassxc
|text=Keepassxc
}}
* Instant messengers like [[Chat#Gajim|Gajim]].
* The media player [[Software#Media_Player|VLC]]
* The Xfce [[Software#Terminal|Terminal]] of course
* The [[Electrum|Electrum Bitcoin wallet]]
* Clients for [[Bitcoin]]
* Clients for [[Monero]]
* Secure data transfer to and from a server with [[File_Transfer|scp]].
* Unobserved administration of servers via [[SSH|SSH]].
* A host of other [[Software|software programs]].
The {{project_name_short}} design permits the "torification" of applications which are not capable of proxy support by themselves. Further, the user is not jeopardized by installing custom applications or personalizing the desktop.
Detailed [[Documentation|documentation]] has been produced by developers and the {{project_name_short}} community. Various issues are explained in depth, including the {{project_name_short}} design, available software, the host of possible configurations, security and privacy considerations, and numerous advanced topics.
== Security, Privacy and Anonymity Protection ==
* By using {{project_name_short}}, the user can anonymously use Java / Javascript.
* A second, extra firewall is installed and protects {{project_name_workstation_long}} by default.
* Full [[Protocol-Leak-Protection_and_Fingerprinting-Protection|IP/DNS protocol leak protection]] means the user's anonymity is extra protected.
* [[Hide Tor from your Internet Service Provider|The user can hide their Tor use and their {{project_name_short}} use effectively from most network observers - even from their internet service providers]].
== Tor Network / Torification / The Everything Tor OS ==
* [[Reliable_IP_Hiding|Reliable IP Hiding]]
* Fail Closed Mechanism: Application's traffic is either sent over Tor or completely blocked.
* Application unspecific: This applies to all applications and even [[Other Operating Systems]] connected to Whonix-Gateway.
* Most applications in {{project_name_short}} can be routed to the internet over the Tor anonymity network instead of clearnet access. This process is called torification or torify.
* '''Not only pre-installed but also [[Install Software|custom / user installed]] applications can be "torified"'''. There are [[Reasons_for_Freedom_Software#No_Intentional_User_Freedom_Restrictions|no intentional user freedom restrictions]].
** Full [[Protocol-Leak-Protection_and_Fingerprinting-Protection|IP/DNS protocol leak protection]].
** Depends on which internet protocols the application requires to function.
** Most applications do not require any awareness of being run inside {{project_name_short}} for functional connectivity. This is called [[Stream_Isolation#Transparent_Proxy|transparent proxying]]. (See [[Stream_Isolation#Transparent_Proxy|this chapter]].)
*** It is difficult to know for users which application uses which internet protocol (TCP, UDP, ICMP). In doubt,
**** [[Please_Use_Search_Engines_And_See_Documentation_First|Please use Search Engines and see Documentation First]],
**** Ask the developers of the application,
**** [[Install_Software|Try it out]].
*** Main supported protocol: TCP
*** .onion domain reachablity: Yes.
*** UDP: [[Tunnel_UDP_over_Tor|Tunnel UDP over Tor]]. ICMP: Same as above.
*** [[Hosting Location Hidden Services]].
*** .onion services (server) support: Yes, see [[Onion Services]].
*** Ephemeral .onion services (server) support (for applications such as [[ZeroNet]], [[OnionShare]], [[Bisq]]): Yes, if an [[onion-grater]] profile was made available.
*** [[File_Sharing|Filesharing and Torrenting]].
*** Some server are blocking connections from the Tor network. ([https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockingTor inexhaustive list])
* Can torify [[Other Operating Systems|other operating systems]].
* Can torify Windows.
* [[Bridges|Circumvents censorship]].
* [[Alternative_DNS_Resolver#Recursive_Authenticated_DNSSEC_over_Tor|DNSSEC over Tor]]. [Via optional configuration.]
* Tor enforcement.
* [[Vanguards]] protect against guard discovery. [As well as related traffic analysis attacks.]
related:
* [[Whonix_against_Real_Attacks|Whonix Track Record against Real Cyber Attacks]]
* [[Dev/Leak_Tests|leak tests]]
== Tunnels ==
This tunnels chapter and the tunnels sub chapters are for advanced users who have knowledge and experience with tunneling.
=== Tunnel and Chaining Support ===
* Connect to a [[Tunnels/Connecting_to_a_proxy_before_Tor|Proxy]], [[Tunnels/Connecting_to_a_VPN_before_Tor|VPN]] or [[Tunnels/Connecting_to_SSH_before_Tor|SSH]] before Tor.
* Connect to Tor before a [[Tunnels/Connecting_to_Tor_before_a_proxy|Proxy]], [[Tunnels/Connecting_to_Tor_before_a_VPN|VPN]] or [[Tunnels/Connecting_to_Tor_before_SSH|SSH]].
* [[Tunnel_UDP_over_Tor|Tunnel UDP over Tor]].
Show more
'''Table:''' ''{{project_name_short}} Tunnel Options''
{| class="wikitable"
|-
! scope="col"| '''Tunnel Configuration'''
! scope="col"| '''Description'''
|-
! scope="row"| Tunnel Tor through a Proxy, VPN or SSH
| [[Tunnels/Connecting to a VPN before Tor | How to Connect to a VPN Before Tor: User → VPN → Tor → Internet]]
[[Tunnels/Connecting to a proxy before Tor | How to Connect to a Proxy Before Tor: User → Proxy → Tor → Internet]]
[[Tunnels/Connecting to SSH before Tor | How to Connect to SSH Before Tor: User → SSH → Tor → Internet]]
|-
! scope="row"| Tunnel Proxy / Proxychains / SSH / VPN through Tor
| [[Tunnels/Connecting to Tor before a VPN| How to Connect to Tor Before a VPN: User → Tor → VPN → Internet]]
[[Tunnels/Connecting to Tor before a proxy | How to Connect to Tor Before a Proxy: User → Tor → Proxy → Internet]]
[[Tunnels/Connecting to Tor before SSH | How to Connect to Tor Before SSH: User → Tor → SSH → Internet]]
|-
! scope="row"| Combine Pre- and Post-Tor Tunnels
| User → Proxy / SSH / VPN → Tor → Proxy / SSH / VPN → Internet
|-
! scope="row"| Combine Tor with other Protocols
| Tor can also be [[Other Anonymizing Networks|replaced with another anonymizing protocol]]. Note that only some combinations and networks will work in {{project_name_short}}, such as I2P and JonDonym. [This work is partially complete, but features will remain unfinished for the foreseeable future.]
|}
For further reading on this topic, see:
* [[Whonix_versus_Proxies|Tor vs. Proxies, Proxy Chains]]
* [[Tunnels/Examples|Free VPN Tunnel Setup Examples]]
* Experts only: [[Chaining_Anonymizing_Gateways|Chaining Anonymizing Gateways]]
= Use Cases =
== Anonymous Browsing ==
* Use [[Browser_Plugins#Introduction|plug-ins]] [[Tips_on_Remaining_Anonymous#Study:_Anonymity_and_Pseudonymity_are_not_the_same|pseudononymously]].
* Anonymous [[Tor_Browser|Internet Browsing]].
== Anonymous Communications, Hosting Hidden Servers and Publishing ==
* Anonymous [[Software#Publishing|publishing]].
* Anonymous [[E-Mail|Email]] with Mozilla Thunderbird.
* Anonymous [[Chat|chat]].
* Anonymous IRC.
* Anonymous [[VoIP]].
* Anonymous file sharing and chat with [[OnionShare|OnionShare]].
* [[Hosting Location Hidden Services|Host location / IP hidden servers]].
* [[Chat#Tox|qTox]] and other encrypted communications.
= {{project_name_short}} Soft Features =
'''Table:''' ''Primary {{project_name_short}} Advantages''
{| class="wikitable"
|-
! scope="col"| '''{{project_name_short}} Feature'''
! scope="col"| '''Security and/or Anonymity Advantage'''
|-
! scope="row"| Best Possible [[Protocol-Leak-Protection and Fingerprinting-Protection|Protocol Leak Protection and Fingerprinting Protection]]
| Java, JavaScript, [There is no functional JavaScript difference when it is enabled in {{project_name_short}} Tor Browser versus the standard Tor Browser (TB).] [Of course, using JavaScript in the {{project_name_short}} Tor Browser protects against IP address leaks, but browser fingerprinting risks still apply. For more information, see [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO/WebBrowsers Web-browser]!] Flash, browser plugins [Plugins are still not recommended, as they may decrease anonymity (for example, flash cookies) and they often have security vulnerabilities. Most popular plugins are closed source. Although deprecated, the [[Browser_Plugins#Plugin_Warnings|browser plugins warnings]] section is still valid.] and mis-configured applications cannot leak the user's real external IP address. [See [[Whonix against Real Attacks|Security in the Real World]].]
|-
! scope="row"| Build Simplicity
| Building {{project_name_short}} from source is easy; see [[Dev/Build Documentation|Build Documentation]].
|-
! scope="row"| Combine Anonymizing Networks
| [[Other_Anonymizing_Networks|Other anonymizing networks]] like Freenet, GNUnet, I2P, JonDonym and ZeroNet can be used.
|-
! scope="row"| Fully Featured
| A host of [[Features#{{project_name_short}} Features|Features]] are available.
|-
! scope="row"| Highly Configurable
| Numerous optional configurations, additional features and add-ons are available.
|-
! scope="row"| Open Source
| Only free software is used. [https://en.wikipedia.org/wiki/Free_software]
|-
! scope="row"| Private Obfuscated [[Bridges]]
| Bridges can be added to the Tor configuration file.
|-
! scope="row"| Process Separation
| Tor [https://www.torproject.org] and Tor Browser [https://www.torproject.org/download/] are not running inside the same virtual machine which means an exploit in the browser cannot affect the integrity of the Tor process. [[[Deprecated/Vidalia|Vidalia]] is now deprecated; [[Tor Controller|arm]] is installed as the alternative.]
|-
! scope="row"| Protection Against IP Address / Location Discovery
| Exploits using malware [https://en.wikipedia.org/wiki/Malware] with root rights inside {{project_name_workstation_short}} ({{project_name_workstation_vm}}) are foiled. However, users should avoid testing this protective feature. [If {{project_name_workstation_short}} (]{{project_name_workstation_vm}}) is rooted, the adversary cannot find out the user's real IP address / location. The reason is {{project_name_workstation_short}} ({{project_name_workstation_vm}}) can only connect through the {{project_name_gateway_long}} ({{project_name_gateway_vm}}). More skill is required to compromise {{project_name_short}}, see [[Comparison with Others#Attacks|Attack Comparison Matrix]] and [[Design]].
|-
! scope="row"| Protection Against De-anonymization Attacks
| No IP address or DNS leaks are possible. [{{project_name_short}} does not automatically protect against other possible leaks like username, time zone and so on. Users should read the [[Documentation]] to learn how to mitigate these threats. Additionally, {{project_name_short}} [[Protocol-Leak-Protection and Fingerprinting-Protection|Protocol Leak Protection and Fingerprinting Protection]] mitigates many possible fingerprinting attacks by using common, non-identifying defaults. For example, the username is set to user, the timezone is set to UTC etc.]
|-
! scope="row"| Safe Hosting of [[Onion Services]]
| Even if someone hacks the user's hidden server software (lighttpd, thttpd, apache, etc.), they cannot steal the onion service key. [The key is stored on the {{project_name_gateway_short}} (]{{project_name_gateway_vm}}). Once a clean {{project_name_workstation_short}} ({{project_name_workstation_vm}}) is used, no one can impersonate the onion service anymore. [The {{project_name_workstation_short}} (]{{project_name_workstation_vm}}) is where the browser, IRC client and other user applications are run. The {{project_name_gateway_short}} ({{project_name_gateway_vm}}) is where Tor and the firewall are run.
|-
! scope="row"| Software Flexibility
| Installation of any software package is possible. [The program must be able to run on Debian GNU/Linux or [[Other Operating Systems]] which are used. See also [[Install Software|Software installation on {{project_name_workstation_short}} (]{{project_name_workstation_vm}})]] for further details. [ICMP, ping, VoIP calls over UDP and so on.] [Skype works over TCP, but it is not recommended because it is proprietary, closed source software and there is no control over the encryption keys. Skype authorities can compromise a user at any moment. A secure encryption / authentication design looks different. For example GPG and OTR are secure, because the user has control over the keys, not the server. See [[Voip#Skype|VoIP Skype section]] for further details.] [[[Tunnel UDP over Tor]]]
|-
! scope="row"| Tor Data Persistence
| A major {{project_name_short}} advantage over Live CDs is that Tor's data directory is still available after reboot due to persistent storage. Tor requires persistent storage to save its Entry Guards. [https://support.torproject.org/#about_entry-guards]
|-
! scope="row"| Tor Enforcement
| All applications are automatically routed via Tor, including those which do not support proxy settings. [For application warnings, see [[Documentation]].] [UDP is not natively supported by Tor and will therefore also not work in {{project_name_short}} (unless a [[Tunnel_UDP_over_Tor|VPN]] is used).] [Services that need to listen on publicly reachable ports (open / forwarded ports) are also not supported. However, users may run [[Onion Services]] which are reachable via Tor or tor2web ([https://gitlab.torproject.org/legacy/trac/-/wikis/doc/tor2web care is required]).] [[https://gitlab.torproject.org/legacy/trac/-/issues/7830 UDP is not supported by Tor]]
|-
! scope="row"| Torify Windows
| {{project_name_gateway_short}} ({{project_name_gateway_vm}}) can also torify Windows. [See [[Other Operating Systems]].]
|-
! scope="row" | Tunnel Chaining
| It is possible to combine {{project_name_short}} with VPNs, SSH and other proxies. [Users should read the [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN Tor plus VPN/proxies Warning] before proceeding. ] Every permutation is possible; VPNs / SSH / other proxies can be combined and used pre- and/or post-Tor tunnels.
|}
= License =
{{JonDos}} The "{{project_name_short}} Features" section of this wiki page contains content sourced from the JonDonym documentation [https://web.archive.org/web/20200123130536/http://anonymous-proxy-servers.net/en/help/about.html Features] page.
= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]