{{Header}} {{Title|title= Anonymity Operating System Comparison - {{project_name_short}} vs Tails vs Tor Browser Bundle }} {{#seo: |description=Comparison of {{project_name_long}}, Tails, Tor Browser Bundle, QubesOS TorVM and corridor. About anonymity, privacy, security, circumvention, attacks, fingerprinting, usability, features, etc. |image=Balance-154516-640.png }} {{tech_intro_mininav}} [[image:Balance-154516-640.png|thumb]] {{intro| This page contains a detailed comparison of {{project_name_short}}, Tails, Tor Browser, Qubes OS TorVM and corridor. }} = Introduction = Although Qubes' TorVM -- a dedicated ProxyVM providing torified networking to all clients -- is [https://www.qubes-os.org/doc/external/privacy-guides/torvm/ now deprecated], it has been kept for comparison purposes since it acted like {{project_name_gateway_long}} ({{project_name_gateway_vm}}). The Qubes website states:
If you are interested in TorVM, you will find the {{project_name_short}} implementation in Qubes a more usable and robust solution for creating a torifying traffic proxy.
If any incorrect or outdated information is noted, the reader can either directly edit this page, or [[contact]] us and we will correct it as soon as possible. Also see the [[#Statement about Neutrality of this Page|statement about the neutrality of this page]]. = Last Update = '''Table:''' ''Comparison Information Currency'' {| class="wikitable" style="text-align: center" ! ! '''[[About|{{project_name_short}}]] || style="width:125px"| '''[https://tails.boum.org/ Tails]''' || style="width:125px"| '''[https://www.torproject.org/ Tor Browser]''' || style="width:125px"| '''[https://github.com/Qubes-Community/Contents/blob/master/docs/privacy/torvm.md Qubes OS TorVM]''' || style="width:125px"| '''[https://github.com/rustybird/corridor corridor]''' ([https://lists.torproject.org/pipermail/tor-talk/2014-February/032152.html tor-talk]) |- ! Compared Version At the time of last comparison. | style="background-color: {{Green}}"| 16.0.3.7 | style="background-color: {{Green}}"| 2.4 | style="background-color: {{Green}}"| 6.0 | style="background-color: {{Green}}"| 0.1.3 | style="background-color: {{Green}}"| ? |- ! Latest Version Most recent stable version. | style="background-color: {{Green}}"| {{VersionNew}} | style="background-color: {{Green}}"| 5.16.1 | style="background-color: {{Green}}"| 12.5.2 | style="background-color: {{Green}}"| 0.1.3 | style="background-color: {{Green}}"| ? |- ! Status | style="background-color: {{Green}}"| This wiki page is up to date | style="background-color: {{Green}}"| This wiki page is up to date | style="background-color: {{Green}}"| This wiki page is up to date | style="background-color: {{Green}}"| This wiki page is up to date | style="background-color: {{Green}}"| This wiki page is up to date |- |} = General = '''Table:''' ''General Factors'' {| class="wikitable" style="text-align: center; |- ! ! '''{{project_name_short}}''' ! '''Tails''' ! '''Tor Browser''' ! '''Qubes OS TorVM''' ! '''corridor''' |- ! Focus on anonymity, privacy and security |{{Yes}} |{{Yes}} |{{Yes}} |{{Yes}} |{{Yes}} |- ! Type | General purpose OS available as VM images and physical isolation | Live DVD / Live USB / Live SDCard | Portable browser | General purpose OS, VM plugin for Qubes OS | Tor traffic whitelisting gateway |- ! Supported hardware | x86 compatible and/or Virtual Machines + [[Other Operating Systems|Custom-Workstation]]: self-made builds can run on any real or virtual hardware so long as they are behind a {{project_name_gateway_short}} ({{project_name_gateway_vm}}). Tor Browser binaries are limited to a handful of platforms - Windows, Linux, BSD and Mac. | x86 compatible and/or Virtual Machines | Windows, Linux, Mac and Virtual Machines | Any capable of running Qubes OS, see: [https://www.qubes-os.org/doc/system-requirements/ System Requirements] and [https://www.qubes-os.org/hcl/ HCL] | Any Linux (?) |- ! Based on | Tor, Debian {{project_name_workstation_long}} ({{project_name_workstation_template}}): [[Other Operating Systems]] are also supported. With respect to {{project_name_gateway_short}} ({{project_name_gateway_template}}), developers are agnostic about supporting any other secure distributions. Of course another operating system could be used as the base, but it requires significant effort. and a Virtualizer The default downloads are for VirtualBox, but this is subject to change in the future. [[Dev/Build_Documentation/Physical_Isolation|Physical Isolation]] is an optional security feature for advanced users. Experimental, optional support is available for [[VMware]]. Images can be built for other virtualizers, but it requires some work, see: [[Dev/Other_Virtualization_Platforms|Other Virtualization Platforms]]. when not using Physical Isolation | Tor, Debian | Tor, Firefox | Tor, Qubes OS, Fedora | iptables, sh |- ! Gateway and torify any operating system For advanced users. |{{Yes}} See [[Other Operating Systems]]. | {{BlueBackground}} Not a torifying Gateway | {{BlueBackground}} Not a torifying Gateway | {{Yes}} See also [https://www.qubes-os.org/doc/standalones-and-hvms/ HVM]. | {{BlueBackground}} Not a torifying Gateway |- ! Live Mode | style="background-color: {{Green}}"| [[VM_Live_Mode|Yes]] [[Qubes|{{q_project_name_long}}]]: [[Qubes/Disposables|Disposables]] |{{Yes}} |{{No}} |{{No}} |{{No}} |- ! Live DVD |{{No}} |{{Yes}} |{{No}} |{{No}} |{{No}} |- ! Live USB |{{No}} |{{Yes}} |{{No}} |{{No}} |{{No}} |- ! USB bootable | style="background-color: {{Yellow}}"| Yes Users can install the host operating system on a USB. | {{Yes}} | style="background-color: {{Yellow}}"| Yes | style="background-color: {{Yellow}}"| Yes | style="background-color: {{Yellow}}"| Yes |- ! USB installer feature | {{No}} {{project_name_short}} does not have a fully-featured USB installer. Installing the operating system on a USB is recommended, but the decision is left to the user. | {{Yes}} Tails has a professional USB installer. | ? | {{Yes}} | {{No}} |- ! Requires VirtualBox This has a neutral blue color, because the project dictates whether or not a specific virtualizer is required. | {{BlueBackground}} No | {{BlueBackground}} No | {{BlueBackground}} No | {{BlueBackground}} No | {{BlueBackground}} No |- ! Requires VMware | {{BlueBackground}} No | {{BlueBackground}} No | {{BlueBackground}} No | {{BlueBackground}} No | {{BlueBackground}} No |- ! Requires Qubes OS | {{BlueBackground}} No | {{BlueBackground}} No | {{BlueBackground}} No | {{BlueBackground}} Yes | {{BlueBackground}} No |- ! System requirements | style="background-color: {{Yellow}}"| Higher | style="background-color: {{Green}}"| Lower | style="background-color: {{Green}}"| Lowest | style="background-color: {{Yellow}}"| Highest | style="background-color: {{Green}}"| Lowest |- ! Can run in VirtualBox | {{Yes}} |style="background-color: {{Yellow}}"| Yes, but not recommended. https://tails.boum.org/contribute/design/virtualization_support/ Well documented https://tails.boum.org/doc/advanced_topics/virtualization/ | Yes, but (?) | style="background-color: {{Red}}"| No This has a red color because it raises the bar for new users, who must expend significant effort to try it. | {{No}} |- ! Can run in VMware | style="background-color: {{Yellow}}"| Yes, but not recommended and unsupported This is only available as an experimental proof of concept, see: [[VMware]]. It is not recommended because VMware is closed source software. {{project_name_short}} developers do not support or [[Essential_Tests|test]] this configuration. | style="background-color: {{Yellow}}"| Yes, but not recommended | Yes, but (?) | {{BlueBackground}} No This has a neutral color because Qubes OS is open source, while VMware is closed source and should therefore be discouraged. | {{No}} |- ! Can run in Qubes OS | {{Yes}} [[Qubes|{{q_project_name_short}}]]. | {{Yes}} https://github.com/Qubes-Community/Contents/blob/master/docs/privacy/tails.md | style="background-color: {{Yellow}}"| Probably yes, but without security features provided by an [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO/IsolatingProxy Isolating Proxy] | {{Yes}} | {{Yes}} |- ! Persistence Custom installed applications and user data can be stored and survive reboot. | style="background-color: {{Green}}"| Full | style="background-color: {{Green}}"| Optional for Live USB |{{Yes}} Depending on a user's settings, bookmarks and passwords can be saved, and downloaded files retained. | style="background-color: {{Green}}"| Full | style="background-color: {{Green}}"| Full |- ! Number of developers | Multiple See [[Contributors]]. | Multiple | Multiple | Multiple | One |- ! Maturity | Project since 2012 | Project since 2009 https://en.wikipedia.org/wiki/Tails_%28operating_system%29 | Project since 2002 https://en.wikipedia.org/wiki/Tor_browser | Project since 2012 (now deprecated) | Project since 2014 |- ! Open source |{{Yes}} |{{Yes}} |{{Yes}} |{{Yes}} |{{Yes}} |- ! Non-anonymous developers This matters because until {{Code2|Deterministic Builds}} become standard, (non-)anonymous developers might imply trust. A project's reputation, formal education and expertise are other relevant factors. |{{Yes}} |{{No}} |{{Yes}} |{{Yes}} |{{No}} (?) |- |} = Security = == Network == '''Table:''' ''Network Security'' {| class="wikitable" style="text-align: center;" |- ! ! '''{{project_name_short}}''' ! '''Tails''' ! '''Tor Browser''' ! '''Qubes OS TorVM''' ! '''corridor''' |- ! Responsibility for building Tor circuits | Tor client running on {{project_name_gateway_short}} | Tor client running on workstation | Tor client running on workstation | Tor client running on TorVM (Gateway) | Tor client running behind corridor-Gateway |- ! Protection against IP address / location discovery Protection from root exploits, specifically [https://en.wikipedia.org/wiki/Malware malware] with root rights. on the Workstation The Workstation is where the browser, IRC client and other user applications are run. The Gateway is where Tor and the firewall are running. | {{Yes}} {{Anchor|protection}}{{project_name_short}} protects against IP address / location discovery through root exploits ([https://en.wikipedia.org/wiki/Malware malware] with root rights) inside {{project_name_workstation_short}} ({{project_name_workstation_vm}}), although this feature should not be unnecessarily tested. Successful attacks by adversaries cannot yield the user's real IP address / location, because {{project_name_workstation_short}} ({{project_name_workstation_vm}}) can only connect through the {{project_name_gateway_short}} ({{project_name_gateway_vm}}). More skill is required to compromise {{project_name_short}} due to its [[Design|design]]; also see [[#Attacks|attacks on {{project_name_short}}]]. | {{No}} If Tails is compromised by a root exploit, the adversary can simply bypass the firewall to discover the user's real IP address. | {{No}} | {{Yes}} | {{No}} corridor is not designed for that purpose. A compromised application could contact a colluding Tor relay. |- ! IP / DNS protocol leak protection | style="background-color: {{Green}}"| Full IP / DNS leaks are [[#protection|impossible]] in {{project_name_short}}, since {{project_name_workstation_short}} ({{project_name_workstation_vm}}) is unaware of its external IP address. | style="background-color: {{Yellow}}"| Depends Please read how {{project_name_short}} [[Whonix against Real Attacks|protects against realistic threats]] first. IP leaks are possible in Tails if applications are configured incorrectly or have a critical bug - this similarly applies to the Tails platform itself. The [https://tails.boum.org/security/index.en.html Tails Security Page] notes:
Until an [https://gitlab.tails.boum.org/tails/tails/-/issues/5769 audit] of the bundled network applications is done, information leakages at the protocol level should be considered as - at the very least - possible.
| style="background-color: {{Yellow}}"| Depends | style="background-color: {{Green}}"| Full | style="background-color: {{Yellow}}"| Depends |- ! No need for the Workstation to trust the Gateway | {{Yes}} | {{BlueBackground}} Not a gateway | {{BlueBackground}} Not a gateway | {{Yes}} | {{No}} |- ! Takes advantage of entry guards https://support.torproject.org/#about_entry-guards | {{Yes}} | {{No}} https://gitlab.tails.boum.org/tails/blueprints/-/wikis/persistent_Tor_state/ | {{Yes}} | {{Yes}} | {{BlueBackground}} Not applicable |- ! Takes advantage of [https://github.com/mikeperry-tor/vanguards vanguards], which protects against guard discovery and related traffic analysis attacks and fixes [https://nvd.nist.gov/vuln/detail/CVE-2020-8516 CVE-2020-8516 Hidden Service deanonymization]. | {{Yes}} [[vanguards]] | {{No}} Similar to above because it requires persistent Tor entry guards. | {{No}} | {{No}} | {{BlueBackground}} Not applicable |- |} == Stream Isolation == '''Table:''' ''Stream Isolation'' {| class="wikitable" style="text-align: center;" |- ! ! '''{{project_name_short}}''' ! '''Tails''' ! '''Tor Browser''' ! '''Qubes OS TorVM''' ! '''corridor''' |- ! Stream isolation Stream isolation provides protection against identity correlation through circuit sharing. | {{Yes}} For further details, see [[Stream Isolation|stream isolation]]. | {{Yes}} [https://gitlab.tails.boum.org/tails/tails/-/issues/5334 Separate Tor streams in Tails]. | {{Yes}} Ever since the following ticket was implemented: [https://gitlab.torproject.org/legacy/trac/-/issues/3455 Tor Browser should set SOCKS username for a request based on referer]. Tor Browser comes with its own Tor instance. It is just a browser, not a live system or an operating system. | Manually The user must configure applications manually to use stream isolation. In {{project_name_short}}, all applications that are installed by default (like curl, wget, ssh, tbb, and others) are configured to use their own SocksPort. Tails also has this feature, but it is not as extensive as {{project_name_short}}. When QubesOS TorVM was last checked, it did not provide stream isolation. | {{Yes}} |- ! Enforces stream isolation when one of X Workstations behind the same Gateway is compromised in the default configuration This is relevant when workstations x1, x2, ..., xn are all running behind the same gateway y. | * [[Qubes|{{q_project_name_short}}]]: {{Yes_text}} See: [[Dev/Qubes#IP_Spoofing_Protection|IP spoofing protection]]. * [[Non-Qubes-Whonix|{{non_q_project_name_short}}]]: Optional A user can either run [[Multiple_{{project_name_gateway_short}}|Multiple {{project_name_gateway_short}}]] or configure an [[Connections between Gateway and Workstation|encrypted and/or authenticated connection between the {{project_name_gateway_short}} and {{project_name_workstation_short}}]]. | {{BlueBackground}} Not a gateway | {{BlueBackground}} Not a gateway | {{Yes}} See: https://groups.google.com/d/msg/qubes-devel/le7-Rrq6yxY/k_fQdSTzvLAJ | {{Yes}} Since the responsibility for building Tor circuits falls on clients running behind corridor-Gateway. |- ! Stream isolation in Tor Browser | {{Yes}} | {{Yes}} | {{Yes}} | ? | ? |- |} == Updates == '''Table:''' ''Updates'' {| class="wikitable" style="text-align: center;" |- ! ! '''{{project_name_short}}''' ! '''Tails''' ! '''Tor Browser''' ! '''Qubes OS TorVM''' ! '''corridor''' |- ! Operating system updates | style="background-color: {{Green}}"| Persist once updated | style="background-color: {{Green}}"| Incremental upgrades See https://tails.boum.org/contribute/design/upgrades/#index5h3 | style="background-color: {{Green}}"| Persist once updated | style="background-color: {{Green}}"| Persist once updated | style="background-color: {{Green}}"| Persist once updated |- ! Update notifications | {{Yes}} See [https://www.kicksecure.com/wiki/Systemcheck systemcheck], [[Stay_Tuned#{{project_name_short}}_News|{{project_name_short}} news]]. | {{Yes}} | {{Yes}} | {{Yes}} | ? |- ! Important news notifications | {{Yes}} See [[Stay_Tuned#{{project_name_short}}_News|{{project_name_short}} news]]. | {{Yes}} A GNOME libnotify notification pops up with a link and offers the user an opportunity to subscribe to news by email. | ? This might be possible via the browser's https://check.torproject.org function. This was never implemented, even after [https://blog.torproject.org/tor-security-advisory-old-tor-browser-bundles-vulnerable/ old Tor Browser bundles became a popular exploit]. | ? | ? |- ! APT unreliable exit code security workaround See [[Dev/Automatic_Updates#Security_Issues_when_using_apt-get_update_in_Scripts|security issues when using apt update in scripts]]. | {{Yes}} The [https://www.kicksecure.com/wiki/Systemcheck systemcheck] function [https://github.com/Kicksecure/systemcheck/blob/master/usr/libexec/systemcheck/check_operating_system.bsh check_operating_system] uses [https://github.com/Kicksecure/security-misc/blob/master/usr/libexec/security-misc/apt-get-update ''/usr/libexec/security-misc/apt-get-update'']. | ? | ? | ? | ? |- |} == Hardware Serials == '''Table:''' ''Hardware Serials'' {| class="wikitable" style="text-align: center;" |- ! ! '''{{project_name_short}}''' ! '''Tails''' ! '''Tor Browser''' ! '''Qubes OS TorVM''' ! '''corridor''' |- ! Hides hardware serials from malicious software with default settings | {{Yes}} See [[Protocol-Leak-Protection and Fingerprinting-Protection]] for details. | {{No}} By default this information is not sent to anyone. It is only at risk when the machine is compromised by malware. | {{No}} | {{Yes}} | {{No}} |- ! Hides hardware serials from malicious software when additional hardware is assigned | {{No}} | {{No}} | {{No}} | {{No}} | {{No}} |- ! No collection of hardware serials | style="background-color: {{Green}}"| Yes | style="background-color: {{Green}}"| Yes | style="background-color: {{Green}}"| Yes | style="background-color: {{Green}}"| Yes | style="background-color: {{Green}}"| Yes |- ! Hides the MAC address from websites | {{BlueBackground}} Invalid The design of assigned MAC addresses means that destination servers cannot see them. Therefore yes, they are always hidden from destination servers. | {{BlueBackground}} Invalid | {{BlueBackground}} Invalid | {{BlueBackground}} Invalid | {{BlueBackground}} Invalid |- ! Hides the MAC address from the local LAN This is a realistic threat considering some ISPs are based on LANs, which means they can see the MAC addresses of their clients. Hotspots can also see the MAC addresses of connected devices. | style="background-color: {{Red}}"| No, see footnote Please read [[MAC_Address|{{project_name_short}} in public networks / MAC Address]]. | {{Yes}} Tails spoofs the MAC address. This feature can be easily disabled. | {{No}} | style="background-color: {{Yellow}}" | Yes, but not enabled by default https://github.com/Qubes-Community/Contents/blob/master/docs/privacy/anonymizing-your-mac-address.md | {{BlueBackground}} Not applicable |- ! Hides the MAC address from applications | {{Yes}} The virtual MAC address for {{project_name_gateway_short}} internal network interface (eth1) is shared among all {{project_name_short}} users, because {{project_name_workstation_short}} can see it. However, {{project_name_workstation_short}} cannot see the MAC address of {{project_name_gateway_short}} external network cards (eth0). | {{No}} | {{No}} | {{Yes}}, by default, unless... Unless a physical network card is assigned to the virtual machine. | {{BlueBackground}} Not applicable |- ! Defeats advanced Wi-Fi device tracking [https://papers.mathyvanhoef.com/asiaccs2016.pdf Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms] [https://web.archive.org/web/20151011055119/http://www2.ece.gatech.edu/cap/papers/1569740227-3.pdf A Passive Technique for Fingerprinting Wireless Devices with Wired-side Observation] | {{No}} https://forums.whonix.org/t/your-mac-address-randomization-attempts-are-futile [[MAC_Address#Introduction|MAC Address Introduction]] | {{No}} | {{No}} | {{No}} https://github.com/QubesOS/qubes-issues/issues/2361 | {{BlueBackground}} Not applicable |- |} == Forensics == '''Table:''' ''Forensic Issues'' {| class="wikitable" style="text-align: center;" |- ! ! '''{{project_name_short}}''' ! '''Tails''' ! '''Tor Browser''' ! '''Qubes OS TorVM''' ! '''corridor''' |- ! Amnesic | * [[Qubes|{{q_project_name_short}}]]: {{Yes_text}} [[Qubes/Disposables#Warnings|Disposables are not amnesic]] in their current form, as traces of activity may be left on storage media or in RAM. * [[Non-Qubes-Whonix|{{non_q_project_name_short}}]]: {{Yes_text}} There are no special measures to limit what is written to disk because {{project_name_short}} acts like an ordinary operating system. A non-exhaustive list of user activity includes: user created files, backup files, temporary files, swap, chat history, browser history and so on. {{project_name_short}} is also unable to prevent host memory [https://en.wikipedia.org/wiki/Memory_paging#Unix_and_Unix-like_systems swaps] to the host disk (see also: [https://en.wikipedia.org/wiki/Virtual_memory virtual memory]). Mitigating this threat requires following the [[{{project_name_workstation_short}}_Security#VM_Snapshots|recommendation to use multiple VM snapshots]] and applying [[Full_Disk_Encryption|full disk encryption]] on the host. There is a security-usability trade off here: greater persistence allows {{project_name_short}} to remain fully-featured and enables users to easily install additional software. | {{Yes}} Tails is amnesic by design. | {{No}} Although Tor Browser [https://2019.www.torproject.org/projects/torbrowser/design/#Implementation is designed] to prevent browser activity leaking to disk, the implementation could be faulty, or swap might still leak. Also see The Tor Project blog post [https://blog.torproject.org/forensic-analysis-tor-linux/ Forensic Analysis of Tor on Linux] and the [https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28.pdf full pdf results]. | ? A [https://www.qubes-os.org/doc/how-to-use-disposables/ Disposable] could be used with a TorVM. For a discussion of TorVM anti-forensics features, see [https://groups.google.com/g/qubes-devel/c/QwL5PjqPs-4 Disposable versus local forensics?]. | {{BlueBackground}} Not applicable corridor-Gateway itself is not amnesic. The amnesic feature must be implemented by the workstations (and possibly gateways) behind corridor-Gateway. |- ! Local disk encryption | style="background-color: {{Yellow}}"| Should be applied on the host | {{Yes}}, for a persistent USB | style="background-color: {{Yellow}}"| Should be applied on the host | style="background-color: {{Yellow}}"| Should be applied on the host | style="background-color: {{Yellow}}"| Should be applied on the host |- ! Cold boot attack protection See [https://en.wikipedia.org/wiki/Cold_boot_attack Cold boot attack]. | {{No}} - should be applied on the host | {{Yes}} | {{No}} - should be applied on the host | {{No}} https://github.com/QubesOS/qubes-issues/issues/716 | {{No}} - should be applied on the host |- |} == Download Security == {| class="wikitable" style="text-align: center;" |- ! ! '''{{project_name_short}}''' ! '''Tails''' ! '''Tor Browser''' ! '''Qubes OS''' ! '''corridor''' |- ! Onion | {{Yes}} | {{No}} | {{Yes}} | {{Yes}} Mirror by unman: https://www.qubes-os.org/news/2019/04/17/tor-onion-services-available-again/ | {{No}} |- ! TLS (SSL) Having TLS (SSL) supported mirrors may seem like an oxymoron. The common practice is to assume that mirrors are not to be trusted. Even if the mirror owners were trusted persons, it is still an open question how good their server security is. Even if their server security is exceptional, mirrors are generally also hosted in hosting companies and we cannot trust those. However, not all adversaries have extensive capabilities like being capable of mounting man-in-the-middle attacks, breaking server security or forcing the hosting company to turn over the keys and so on. Users who do not use verification are still better off downloading from a TLS supported mirror. Therefore, TLS protected mirrors work well against less sophisticated adversaries. In terms of numbers, this results in fewer users potentially ending up with maliciously altered downloads. | {{Yes}} | {{Yes}} | {{Yes}} | {{Yes}} | Unneeded |- ! [[OpenPGP]] s[[Verifying_Software_Signatures|ignatures]] a[[Verify the virtual machine images#Signify_Signatures|vailable]] | {{Yes}} | {{Yes}} | {{Yes}} | {{Yes}} | {{Yes}} |- ! [[Signify]] signatures a[[Verify the virtual machine images#Signify_Signatures|vailable]] | {{Yes}} | {{No}} | {{No}} | {{No}} | {{No}} |- ! [[PQCrypto#Codecrypt|Codecrypt]] ([[PQCrypto|Post-Quantum Cryptography]] Resistant) signatures available | Planned | {{No}} | {{No}} | {{No}} | {{No}} |- ! Server not under control of hosting provider It would also be safer if the download server was under the full control of the developers and not under control of a company, the hosting provider. Unfortunately that is not how things work today. Self-hosting is very expensive, requires a fast internet connection (home user contracts are not fast enough), and adequate physical security. Even the servers of The Tor Project are not hosted in a developer's home. This is being elaborated in chapter [[Trust#Trusting_the_{{project_name_short}}_Website|Trusting the {{project_name_short}} Website]]. | {{No}} | {{No}} | {{No}} | {{No}} | {{No}} |- |} == Verifiable Builds == '''Table:''' ''Verifiable Builds Comparison'' {{Verifiable_Builds_Comparsion_Table}} == Fingerprint == '''Table:''' ''Fingerprinting Issues'' {| class="wikitable" style="text-align: center;" |- ! ! '''{{project_name_short}}''' ! '''Tails''' ! '''Tor Browser''' ! '''Qubes OS TorVM''' ! '''corridor''' |- ! Network / web fingerprint | [[Fingerprint|{{project_name_short}} fingerprint page]] | [https://tails.boum.org/doc/anonymous_internet/Tor_Browser/index.en.html#fingerprint Tails fingerprint page] | TBB traffic is tunneled through Tor. Host traffic passes over clearnet | ? | ? |- ! Network fingerprint: ISP cannot trivially guess the project type To discover if {{project_name_short}}, Tails or TBB is running. | {{Yes}} | {{Yes}} | {{Yes}} | {{No}} Because TorVM's own traffic is not torified. | {{Yes}} |- ! Network fingerprint: ISP cannot guess that a non-persistent Tor directory is in use | {{Yes}} | {{No}} Tails [https://gitlab.tails.boum.org/tails/tails/-/issues/5462 does not] support [https://support.torproject.org/#about_entry-guards persistent entry guards] yet. | {{Yes}} | {{Yes}} | {{Yes}} |- ! Clearnet traffic | All {{project_name_gateway_short}} and {{project_name_workstation_short}} traffic is tunneled through Tor. Host traffic Operating system updates, use of a host browser and so on. uses clearnet | None, unless other users sharing the same internet connection are not using Tails | TBB traffic is tunneled through Tor. Host traffic Operating system updates, use of an untorified second browser and so on. uses clearnet | The gateway is not torified, therefore emitting clearnet traffic Due to package selection, it will probably also reveal that it is an Qubes OS TorVM. | The gateway is not torified, therefore emitting clearnet traffic |- ! Network fingerprint: ISP cannot guess which anonymity software is in use due to the ratio of Tor and clearnet traffic | Unknown {{project_name_short}} users might tend to have more traffic than TBB users, as operating system updates of {{project_name_workstation_short}} ({{project_name_workstation_template}}) and {{project_name_gateway_short}} ({{project_name_gateway_template}}) take place over Tor. It is unknown if the data volume is specific enough to guess a transparent or isolating proxy is in use, or if a significant proportion of other Tor users route a large amount of traffic through Tor (to help disguise {{project_name_short}} users). Research prior to the foundation of {{project_name_short}} suggested that a large amount of file sharing occurred via Tor. Classical file-sharing is likely to have far greater upload than {{project_name_short}}, but it is unclear how many people have disabled upload settings or moved to methods which have minimal upload, such as file hosters. | The ISP can guess a Tor live system is in use, unless... The unsafe browser is in use, or other people are sharing the same Internet connection who are not using Tails. | ? | Not applicable See above: ''Network fingerprint: ISP cannot trivially guess the project type''. | ? |- ! Network fingerprint: ISP cannot guess which anonymity software is in use because of [https://tails.boum.org/contribute/design/Time_syncing/ tordate] The [https://tails.boum.org/contribute/design/Time_syncing/#index5h1 Tails Design about Time syncing] states:
Our initial time guess based on the Tor consensus is probably easier to fingerprint, though: a fresh Tor is started, and restarted again right after the consensus has been downloaded.
| {{Yes}}, does not include tordate | {{No}}, if the clock is grossly inaccurate when booting | {{BlueBackground}} No, not an operating system | {{Yes}}, does not include tordate | {{Yes}}, does not include tordate |- ! Web fingerprint Fingerprint for the websites that are visited. | style="background-color: {{Green}}"| Same as TBB {{project_name_short}} uses the original Tor Browser from The Tor Project, with the only difference being Tor runs on {{project_name_gateway_short}} instead of using the locally shipped Tor. | style="background-color: {{Red}}"| Not the same as TBB Refer to the following Tails resources for the latest status update: [https://web.archive.org/web/20210505033517/https://tails.boum.org/contribute/design/#index19h2 (fingerprint) for the websites that you are visiting], [https://gitlab.tails.boum.org/tails/tails/-/issues/5362 evaluate web fingerprint] and [https://tails.boum.org/contribute/design/Tor_network_configuration/ Tails: Trying to hide the fact one is using Tor]. | style="background-color: {{Green}}"| TBB This is the original Tor Browser Bundle from torproject.org. | style="background-color: {{Red}}"| Does not include Tor Browser While preventing [[Tips_on_Remaining_Anonymous#Refrain_from_"Tor_over_Tor"_Scenarios|Tor over Tor]], which is recommended. This could probably be installed manually, but users are generally not aware of fingerprinting issues. Further, they usually have trouble in using Tor Browser without the bundled Tor instance - which is of course recommended to prevent [[Tips_on_Remaining_Anonymous#Refrain_from_"Tor_over_Tor"_Scenarios|Tor over Tor scenarios]]. | {{BlueBackground}} Not applicable |- ! Unsafe browser fingerprint Tails and Liberte Linux contain a so called "Unsafe Browser". The Unsafe Browser does not use Tor and it connects in the clear. It is available on these platforms because it is useful for registering on hotspots or for general (non-anonymous) browsing purposes. | When using VMs: * The unsafe browser on the host is untouched, so it is not affected by installing {{project_name_short}}. When using Physical Isolation: * From {{project_name_short}} 0.5.6 onwards, there is no unsafe browser. A separate third machine with clearnet access could be configured. | Tails Todo: [https://gitlab.tails.boum.org/tails/tails/-/issues/5412 Improve fingerprint of the Unsafe Browser] | ? | ? | ? |- ! Network time synchronization runs at randomized times during the session | {{Yes}} This is useful for keeping the clock synchronized for long running sessions. See also [[Dev/TimeSync|TimeSync]]. | {{BlueBackground}} Does not continuously run network time synchronization | {{BlueBackground}} Not an operating system, does not include network time synchronization | {{BlueBackground}} Does not include network time synchronization | {{BlueBackground}} Does not include network time synchronization |- ! Connection wizard prevents unwanted / accidental connections to the public Tor network Users who want to [[Hide Tor from your Internet Service Provider|hide Tor and {{project_name_short}} from the ISP]] should not connect to the public Tor network when starting the platform for the first time. | {{Yes}} | {{Yes}} | ? | ? | ? |- ! Includes Tor Browser from The Tor Project | {{Yes}} | {{Yes}} + patches | {{Yes}} | {{No}} | {{No}} |- ! Privacy-enhanced browser Settings, patches and add-ons. | {{Yes}}, Tor Browser | {{Yes}}, Tor Browser + patches See [https://tails.boum.org/contribute/design/#index40h3 Tor Browser]. | {{Yes}}, Tor Browser | {{No}} | {{BlueBackground}} Not applicable |- ! Secure distributed network time synchronization | {{Yes}} See [[Dev/TimeSync|TimeSync]]. | {{Yes}} See [https://tails.boum.org/contribute/design/Time_syncing/ Tails - Time syncing]. | {{No}} | {{No}} | {{No}} |- ! Hides the time zone (set to UTC) | {{Yes}} | {{Yes}} | {{Yes}} | {{No}} | {{BlueBackground}} Not applicable |- ! Hides the operating system account name It is best when [https://web.archive.org/web/20141005082901/https://mailman.boum.org/pipermail/tails-dev/2013-January/002457.html account names are shared among anonymity-focused distributions]. | {{Yes}}, set to {{Code2|user}} | {{Yes}}, set to {{Code2|amnesia}} | {{No}} | {{Yes}}, set to {{Code2|User}} | {{BlueBackground}} Not applicable |- ! Secure gpg.conf https://github.com/ioerror/torbirdy/blob/master/gpg.conf [https://github.com/ioerror/torbirdy/pull/11 gpg.conf optimized for privacy] | {{Yes}} | {{Yes}} | {{BlueBackground}} Not an operating system | {{BlueBackground}} Not an operating system | {{BlueBackground}} Not an operating system |- ! Privacy-enhanced IRC client configuration | {{Yes}} | {{Yes}} | {{BlueBackground}} Not an IRC client | {{BlueBackground}} Not an operating system | {{BlueBackground}} Not an IRC client |- ! [[Keystroke_Deanonymization|Keystroke Anonymization]] | * [[Qubes|{{q_project_name_short}}]]: {{No_text}} * [https://github.com/QubesOS/qubes-issues/issues/2558 provide Linux kernel input device so kloak (anti keystroke deanonymization tool) can be used in {{q_project_name_short}}] * [https://github.com/QubesOS/qubes-issues/issues/1850 Feature Request: Anti-Keystroke Fingerprinting Tool] * [[Non-Qubes-Whonix|{{non_q_project_name_short}}]]: {{Yes_text}} | {{No}} | {{No}} | {{BlueBackground}} Not an operating system | {{BlueBackground}} Not an operating system |- ! Implement [https://forums.whonix.org/t/tcp-isn-cpu-information-leak-protection-tirdad/8552 TCP ISN CPU Information Leak Protection] to prevent [https://dl.acm.org/doi/10.1145/1180405.1180410 de-anonymization of Tor onion services] by installing [https://github.com/Kicksecure/tirdad Tirdad kernel module for random ISN generation]. | * [[Qubes|{{q_project_name_short}}]]: {{No_text}} * [https://github.com/QubesOS/qubes-issues/issues/2558 provide Linux kernel input device so kloak (anti keystroke deanonymization tool) can be used in {{q_project_name_short}}] * [https://github.com/QubesOS/qubes-issues/issues/1850 Feature Request: Anti-Keystroke Fingerprinting Tool] * [[Non-Qubes-Whonix|{{non_q_project_name_short}}]]: {{Yes_text}} | {{No}} | {{No}} | {{BlueBackground}} Not an operating system | {{BlueBackground}} Not an operating system |- |} == Miscellaneous == '''Table:''' ''Miscellaneous Issues'' {| class="wikitable" style="text-align: center;" |- ! ! '''{{project_name_short}}''' ! '''Tails''' ! '''Tor Browser''' ! '''Qubes OS TorVM''' ! '''corridor''' |- ! A warning appears when run in an unsupported / unrecommended virtualizer | {{Yes}} | {{Yes}} | Unnecessary (?) | Invalid (?) As TorVM may not run inside other virtualizers in the first place, although this is untested. | {{BlueBackground}} Not applicable |- ! Security and anonymity check | {{Yes}} [https://www.kicksecure.com/wiki/Systemcheck systemcheck] | ? | ? | ? | ? |- |} == Hardening == '''Table:''' ''Security Hardening'' {| class="wikitable" style="text-align: center;" |- ! ! '''{{project_name_short}}''' ! '''Tails''' ! '''Tor Browser''' ! '''Qubes OS TorVM''' ! '''corridor''' |- ! AppArmor https://en.wikipedia.org/wiki/AppArmor is enabled by default | {{Yes}} | ? | ? | ? | ? |- ! AppArmor profiles are enabled by default | {{BlueBackground}} Partial Additional profiles can be [[AppArmor|manually installed]]. Profiles are already enabled by default for Tor, obfsproxy, Tor Browser and many others. | ? | ? | ? | ? |- ! Kernel Hardening through Kernel Boot Parameters | * Qubes-Whonix: {{No_text}} https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581 * Non-Qubes-Whonix: {{Yes_text}} https://github.com/Kicksecure/security-misc/tree/master/etc/default/grub.d | ? | ? | ? | ? |- ! Strong Linux User Account Separation | * Qubes-Whonix: {{No_text}} https://github.com/QubesOS/qubes-issues/issues/2695 * Non-Qubes-Whonix: {{Yes_text}} https://www.whonix.org/wiki/Dev/Strong_Linux_User_Account_Isolation#Bruteforcing_Linux_User_Account_Passwords_Protection | ? | ? | ? | ? |- ! [[Dev/Strong_Linux_User_Account_Isolation#Bruteforcing_Linux_User_Account_Passwords_Protection|Protection against Bruteforcing Linux User Account Passwords]] | * Qubes-Whonix: {{No_text}} See above. * Non-Qubes-Whonix: {{Yes_text}} | ? | ? | ? | ? |- ! [https://github.com/Kicksecure/security-misc security-misc] (Kernel Hardening; Improve Entropy Collection; Enhances Misc Security Settings; ...) | {{Yes}} | ? | ? | ? | ? |- ! [[Security-misc#SUID_Disabler_and_Permission_Hardener|SUID Disabling and Permission Hardening]] | Planned. | ? | ? | ? | ? |- ! [https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/1 secure mount options] | Planned. | ? | ? | ? | ? |- ! [[Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown|Console Lockdown]] | {{Yes}} | ? | ? | ? | ? |- ! [[hardened-kernel]] | Planned. | ? | ? | ? | ? |- ! [https://github.com/Kicksecure/apparmor.d apparmor.d] (AppArmor for everything. APT, systemd, init, all systemd units, all applications. Mandatory Access Control. ) | Planned. | ? | ? | ? | ? |- |} == Flash / Browser Plugin Security == {{mbox | type = notice | image = [[File:Ambox_notice.png|40px|alt=Info]] | text = Installing [[Browser Plugins|browser plugins such as Flash]] is not recommended Due to anonymity, privacy and security problems associated with Adobe Flash. when anonymity is the goal. }} '''Table:''' ''Flash and Browser Plugins Security'' {| class="wikitable" style="text-align: center;" |- ! ! '''{{project_name_workstation_short}}''' ! '''Tor on the Host''' |- ! Proxy bypass IP leak | style="background-color: {{Green}}"| Protected | style="background-color: {{Red}}"| Insecure, leads to deanonymization |- ! Protocol IP leak | style="background-color: {{Green}}"| Protected | style="background-color: {{Red}}"| Insecure, leads to deanonymization |- ! Flash cookies | style="background-color: {{Yellow}}"| Reduces anonymity to pseudonymity. It is recommended to delete Flash cookies | style="background-color: {{Red}}"| Flash activity over clearnet and Tor can be linked, which leads to deanonymization (or a significant reduction in the anonymity set) if the skew is large and rare. Flash is also useful for additional fingerprinting, which has an adverse impact If the fingerprint is detailed enough, then linkage of activities and subsequent deanonymization becomes easier. |- ! Number of installed fonts | style="background-color: {{Green}}"| The number of fonts inside {{project_name_workstation_short}} ({{project_name_workstation_vm}}) and the host (clearnet) operating system will differ, which is good for anonymity | style="background-color: {{Red}}"| The same fonts are reported for both clearnet and Tor Flash activity, which is harmful to anonymity |- ! Exact flash player version | style="background-color: {{Yellow}}"| The Flash version is shared among many users, That is, it is shared among all up-to-date {{project_name_short}} users, and some Debian users. In Debian's case that would be persons using the same platform that {{project_name_short}} is based on (Debian stretch in {{project_name_short}} 14.0.0.7.4). In addition, some users of Debian derivatives (like Ubuntu) would share the same Flash version. which is good for anonymity, since it reduces the impact of fingerprinting. The version is also probably different from the host (clearnet) operating system, which is beneficial | style="background-color: {{Red}}"| The same version is reported for Flash activity over both clearnet and Tor, which is harmful to anonymity |- ! GNU/Linux kernel version | style="background-color: {{Yellow}}"| This version is shared among many people, which is good for anonymity, since it reduces the impact of fingerprinting | style="background-color: {{Red}}"| The same version is reported for Flash activity over both clearnet and Tor |- ! Language | style="background-color: {{Green}}"| Set to ''en_US'' for all {{project_name_short}} users | style="background-color: {{Red}}"| Set to the user's local language setting. This is useful for fingerprinting, since it leads to anonymity set reduction |- ! Exact date and time | style="background-color: {{Green}}"| This differs from the host (clearnet) operating system, which is beneficial (see [[Dev/TimeSync|TimeSync]] for details) | style="background-color: {{Red}}"| The same time / clockskew is reported for both clearnet and Tor Flash activity, which is harmful to anonymity |- ! Exact screen resolution and DPI | style="background-color: {{Yellow}}"| ? | style="background-color: {{Red}}"| The same screen resolution and DPI is reported for both clearnet and Tor use, which is harmful to anonymity |- ! Full path to the Flash plugin | style="background-color: {{Yellow}}"| This is shared among many people, which is good for anonymity | style="background-color: {{Red}}"| Depends on the host (clearnet) operating system. In the worst case it could contain the operating system user name, which is fatal if it is the user's actual name. The same path to the Flash plugin is reported for both clearnet and Tor use, which is harmful to anonymity |- ! Other factors Users can conduct their own checks on https://ip-check.info | style="background-color: {{Yellow}}"| Assume reduction from anonymity to pseudonymity | style="background-color: {{Red}}"| Greater possibilities for fingerprinting and linkage of activities, which is harmful to anonymity |- ! Conclusion | style="background-color: {{Yellow}}"| A user's IP address / location / identity will remain hidden inside {{project_name_workstation_short}} ({{project_name_workstation_vm}}), but it is assumed to be [[Tips_on_Remaining_Anonymous#Study:_Anonymity_and_Pseudonymity_are_not_the_same|pseudonymous rather than anonymous]] | style="background-color: {{Red}}"| Flash over Tor -- on the host, without software like {{project_name_short}} -- is completely unsafe. If Flash is ever used over clearnet, linkage of activities is possible. In the worst case scenario, assume the strong Flash fingerprint can lead to full deanonymization |- |} For further information about using Flash and other browser plugins in {{project_name_short}}, see [[Browser Plugins|here]]. = Attacks = == Circumventing Proxy Obedience Design == === Introduction === This section presupposes the user is familiar with: * The [[Comparison of different variants|security comparison of different {{project_name_short}} variants]]. * Unsafe Browser: Tails and Liberte Linux package a so-called "Unsafe Browser". The Unsafe Browser does not use Tor, but instead connects in the clear. It is useful for hotspot registration or for viewing clearnet content without Tor. * Feasible exploits against a physically isolated {{project_name_gateway_short}}: this is difficult when the {{project_name_gateway_short}} is running in a bare metal configuration. The reason is that only {{project_name_workstation_short}} has access to Tor running on {{project_name_gateway_short}}. {{project_name_short}} developers have also minimized the attack surface, added hardening features and so on. Refer to developer documentation on security and hardening for further details. {{project_name_short}} protects against discovery of a user's IP address / location via a successful root exploit ([https://en.wikipedia.org/wiki/Malware Malware] with root rights) on the {{project_name_workstation_short}} ({{project_name_workstation_vm}}). Users should not deliberately test this feature and risk becoming infected with malware, since all the data inside {{project_name_workstation_short}} ({{project_name_workstation_vm}}) would become available to the attacker. {{project_name_short}} is not a perfect or unbreakable system, nor can it ever be. However, {{project_name_short}} does raise the bar for attackers, meaning greater effort and skill is needed to discover the user's real IP address and successfully deanonymize them. The following table summarizes the defense-in-depth provided by the {{project_name_short}} design. Terms that are used in the following table are defined below: * TBB: Tor Browser Bundle. * Fail: the IP address / location of the user is compromised. * Safe: the IP address / location of the user is hidden behind Tor. === Overview === '''Table:''' ''Proxy Circumvention Threats'' {| class="wikitable" style="text-align: center;" |- ! '''Attack''' ! '''{{project_name_short}} Default''' ! '''{{project_name_short}} Physical Isolation''' ! '''Tails''' ! '''Tails in a VM''' ! '''TBB''' ! '''TBB in a VM''' ! '''Qubes OS TorVM''' ! '''corridor''' |- | style="height: 27px;text-align: left;background-color: #f9f9f9"| 1. Proxy bypass IP leak An application not honoring proxy settings. Example: [https://blog.torproject.org/firefox-security-bug-proxy-bypass-current-tbbs/ Tor Browser Bundle: Firefox security bug (proxy-bypass)]. | {{Safe}} Prevented by the firewall. | {{Safe}} | {{Safe}} | {{Safe}} | {{Fail}} | {{Fail}} | {{Safe}} | {{Safe}} |- | style="height: 27px;text-align: left;background-color: #f9f9f9"| 2. Protocol IP leak This occurs when applications leak the user's real IP address. See [[Whonix against Real Attacks|Whonix Track Record against Real Cyber Attacks]] for examples where {{project_name_short}} prevented them. Leaks are often circumvented in {{project_name_short}} because {{project_name_workstation_short}} ({{project_name_workstation_vm}}) is unaware of the real IP address. | {{Safe}} The workstation does not know its own external IP address. | {{Safe}} | {{Fail}} | {{Safe}} The VM replaces the IP address with an internal LAN IP, which is safe. | {{Fail}} | {{Safe}} | {{Safe}} | {{Safe}} |- | style="height: 27px;text-align: left;background-color: #f9f9f9"| 3. Exploit Consider the following example. A user visits a website over Tor with a torified browser. The website uses a known or zero day vulnerability to gain remote code execution on the user's machine, and then installs malware. The vulnerability "only" allows the adversary to gain user rights, not root. The adversary could then remotely start the Unsafe Browser in order to discover the user's real IP address. This attack is circumvented by {{project_name_short}}, because any applications running inside {{project_name_short}}, including malware, can only connect through Tor. | {{Safe}} | {{Safe}} | {{Fail}} Tails bug report [https://gitlab.tails.boum.org/tails/tails/-/issues/15635 The Unsafe Browser allows to retrieve the public IP address by a compromised amnesia user with no user interaction] contains an example how this attack could be accomplished. | {{Fail}} | {{Fail}} | {{Fail}} | {{Safe}} | {{Fail}} |- | style="height: 27px;text-align: left;background-color: #f9f9f9"| 4. Exploit + root exploit The vulnerability "only" allows the adversary to gain user rights, not root. The adversary gains root rights by escalating privileges with a second vulnerability. The adversary is then capable of tampering with iptables rules to make non-Tor connections and so on. This attack is circumvented by {{project_name_short}}, because the firewall runs on another (virtual) machine. Further, any root applications inside {{project_name_short}}, including malware with root rights, can only connect through Tor. | {{Safe}} | {{Safe}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Safe}} | {{Fail}} |- | style="height: 27px;text-align: left;background-color: #f9f9f9"| 5. Root exploit The vulnerability used allows the adversary to gain root rights. The adversary is then capable of tampering with iptables rules to make non-Tor connections and so on. This attack is circumvented by {{project_name_short}}, because the firewall runs on another (virtual) machine. Further, any root applications inside {{project_name_short}}, including malware with root rights, can only connect through Tor. | {{Safe}} | {{Safe}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Safe}} | {{Fail}} |- | style="height: 27px;text-align: left;background-color: #f9f9f9"| 6. Exploit + VM exploit Consider the following example. A user visits a website over Tor with a torified Browser. The website uses a known or zero day vulnerability to gain remote code execution on the user's machine, and then installs malware. A second exploit is then used to break out of the virtual machine. The default [[Non-Qubes-Whonix|{{non_q_project_name_short}}]] and [[Qubes|{{q_project_name_short}}]] platforms are vulnerable to this attack. {{project_name_short}} with physical isolation defeats this attack, because the {{project_name_workstation_short}} host does not know its real IP address, only {{project_name_gateway_short}} does, which is running on another physical machine. | {{Fail}} | {{Safe}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} |- | style="height: 27px;text-align: left;background-color: #f9f9f9"| 7. Exploit + VM exploit + exploit against physically isolated {{project_name_gateway_short}} This is the same as attack number six, except in this case the adversary uses an extra vulnerability to break into {{project_name_gateway_short}}. {{project_name_short}} is vulnerable to this form of attack. | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} |- | style="height: 27px;text-align: left;background-color: #f9f9f9"| 8. VM exploit Consider the following example. A user visits a website over Tor with a torified Browser. The website uses a known or zero day vulnerability to gain remote code execution on the user's machine. The default [[Non-Qubes-Whonix|{{non_q_project_name_short}}]] and [[Qubes|{{q_project_name_short}}]] platforms will fall to this attack, the same as attack number six. Physical isolation defeats this attack in the same manner as per attack number six. | {{Fail}} | {{Safe}} | {{Safe}} | {{Fail}} | {{Safe}} | {{Fail}} | Fail, see White is used as a more neutral color because according to [https://groups.google.com/g/qubes-devel/c/GT8LyE-la-o/m/XBvbiOnQtaIJ this post] by [https://en.wikipedia.org/wiki/Joanna_Rutkowska Joanna Rutkowska], exploiting a QubesOS virtual machine is more difficult than exploiting VirtualBox. | {{Fail}} |- | style="height: 27px;text-align: left;background-color: #f9f9f9"| 9. VM exploit + exploit against physically isolated {{project_name_gateway_short}} Consider the following example. A user visits a website over Tor with a torified Browser. The website uses a known or zero day vulnerability to gain remote code execution on the host. The adversary then uses an extra vulnerability to break into {{project_name_gateway_short}}. {{project_name_short}} is vulnerable to this kind of attack. | {{Fail}} | {{Fail}} | {{Safe}} | {{Fail}} Fail, because it has already fallen victim to a VM exploit. This is not usually run behind a physically isolated {{project_name_gateway_short}}. | {{Safe}} | {{Fail}} | Fail, see | {{Fail}} |- | style="height: 27px;text-align: left;background-color: #f9f9f9"| 10. Exploit against Tor process Consider the following example. A user visits a website over Tor with a torified Browser, with Tor controlling (processing) the traffic. The adversary uses a vulnerability to gain remote code execution on the user's machine. The machine where Tor is running knows the user's real IP address (Tor control protocol command: getinfo address), unless this machine is itself behind another Gateway which is difficult to configure; see [[Chaining_Anonymizing_Gateways|Chaining Multiple Gateways]]. | {{Fail}} Unless a user is [[Chaining_Anonymizing_Gateways|Chaining Multiple Gateways]], which is unfortunately only available to expert users. {{project_name_short}} is vulnerable to this form of attack. | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} |- | style="height: 27px;text-align: left;background-color: #f9f9f9"| 11. Attack against the Tor network For example, an end-to-end correlation attack. Research has established that Tor is vulnerable to numerous other attack vectors. Any successful attack against Tor, where an anonymity operating system is dependent on it, will naturally deanonymize the user. The exception is users who are [[Chaining_Anonymizing_Gateways|Chaining Multiple Gateways]], which unfortunately is only available to expert users. {{project_name_short}} is capable of defeating some attacks against Tor and associated components such as Tor Browser; for example, see the [[Dev/TimeSync|secure and distributed time synchronization mechanism]] and [[Protocol-Leak-Protection and Fingerprinting-Protection|protocol and fingerprinting leak protection]], along with the rest of the [[Design|Design]] page. | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} |- | style="height: 27px;text-align: left;background-color: #f9f9f9"| 12. Backdoor Any [https://en.wikipedia.org/wiki/Backdoor_(computing) backdoor] in Tor would be fatal for operating systems which rely upon it, since it would open up an avenue for targeted attacks. Widespread attacks are more likely to be identified. | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} | {{Fail}} |- | style="height: 27px;text-align: left;background-color: #f9f9f9"| 13. Onion service domain name security after server software exploit | {{Safe}} When server software on {{project_name_workstation_short}} ({{project_name_workstation_vm}}) is (root) exploited, the attacker cannot steal the key of the onion service because it is stored on {{project_name_gateway_short}} ({{project_name_gateway_vm}}). | {{Safe}} | {{Fail}} Tails is not yet meant to be used as a server. | {{Fail}} | {{BlueBackground}} Not an operating system | {{BlueBackground}} Not an operating system | ? This is safe in theory, but it is unclear if TorVM supports onion services. | {{Fail}} |- |} == Network Time-related == === Introduction === This section presupposes the user is familiar with: * [[Dev/TimeSync|{{project_name_short}} Design: TimeSync]]. * [https://tails.boum.org/contribute/design/Time_syncing/ Tails Design: Time syncing]. Terms that are used in the following table are defined below: * (VM host) update/crypto block: prevention of (VM host) operating system updates and cryptographic verification such as TLS (SSL) in the (VM host) browser. * u/c-block: update/crypto block. * Tor blocked: prevention of connections to the Tor network until the clock is manually fixed. * Big clock skew: more than 1 hour in the past or more than 3 hours in the future. Source: https://lists.torproject.org/pipermail/tor-talk/2012-February/023264.html * Small clock skew: less than 1 hour in the past or less than 3 hours in the future. === Overview === '''Table:''' ''Network Time-related Issues'' {| class="wikitable" style="text-align: center;" |- ! ! '''{{project_name_short}} Default''' ! '''{{project_name_short}} Physical Isolation''' ! '''Tails''' ! '''Tails in a VM''' ! '''TBB''' ! '''TBB in a VM''' ! '''Qubes OS TorVM''' |- ! VM host time synchronization mechanism | NTP | Gateway: there is no VM host. Workstation host: NTP | There is no VM host. Same as the operating system synchronization mechanism | NTP | There is no VM host | NTP | NTP |- ! Operating system synchronization mechanism | sdwdate | sdwdate | tordate and tails_htp | tordate and tails_htp | NTP | NTP | ? |- ! Effect of a grossly inaccurate clock | style="background-color: {{Red}}"| Tor blocked | style="background-color: {{Red}}"| Tor blocked | style="background-color: {{Green}}"| tordate fixes the clock | style="background-color: {{Green}}"| tordate fixes the clock | style="background-color: {{Red}}"| Tor blocked | style="background-color: {{Red}}"| Tor blocked | style="background-color: {{Red}}"| Tor blocked |- ! VM host time differs from operating system time | {{Yes}} Because the unsafe browser runs on the VM host which uses NTP, and the torified browser runs inside {{project_name_workstation_short}} ({{project_name_workstation_vm}}) which uses sdwdate. | {{Yes}} | {{BlueBackground}} There is no VM host | {{Yes}} The VM host time is synchronized with NTP, and operating system time is synchronized with tails_htp. | {{No}} An untorified host browser uses the same clock as TBB. | style="background-color: {{Yellow}}"| Possibly The host and VM clock are both synchronized with NTP, but there still might be a difference since they are synchronized independently. | {{No}} |- ! Unsafe browser time differs from torified browser time This is important because if the clock skew is too large and/or unique, non-anonymous and anonymous activity might be linked. | {{Yes}} | {{Yes}} The time differs because {{project_name_workstation_short}} ({{project_name_workstation_vm}}) and {{project_name_gateway_short}} ({{project_name_gateway_vm}}) use separate sdwdate instances. | {{No}} The unsafe browser and torified browser share the same clock via tails_htp | {{No}} | {{No}} | style="background-color: {{Yellow}}"| Possibly | {{No}} |- ! Large clock skew attack against NTP An attack initiated by an ISP-level adversary.: VM host effects | style="background-color: {{Red}}"| u/c-block | style="background-color: {{Red}}"| VM host u/c-block | {{BlueBackground}} There is no VM host | style="background-color: {{Red}}"| VM host u/c-block | {{BlueBackground}} There is no VM host | style="background-color: {{Red}}"| VM host u/c-block | style="background-color: {{Red}}"| u/c-block |- ! Large clock skew attack against NTP : operating system effects | style="background-color: {{Red}}"| Tor blocked | style="background-color: {{Red}}"| Tor blocked | style="background-color: {{Green}}"| This assumes installation of a regular operating system using NTP which was used earlier, and the introduction of a clock skew by an adversary.; tordate fixes the clock skew | style="background-color: {{Green}}"| ; tordate fixes the clock skew | style="background-color: {{Red}}"| Tor blocked; u/c block | style="background-color: {{Red}}"| Tor blocked; u/c block | style="background-color: {{Red}}"| Tor blocked |- ! Fingerprintable reaction Such as running tordate. when a large clock skew attack is used | style="background-color: {{Green}}"| No, fails identically to TBB | style="background-color: {{Green}}"| No, fails identically to TBB | style="background-color: {{Yellow}}"| Probably yes, see the [[#Fingerprint|fingerprint]] section above | style="background-color: {{Yellow}}"| Probably yes, see the [[#Fingerprint|fingerprint]] section above | style="background-color: {{Green}}"| TBB | style="background-color: {{Green}}"| TBB | style="background-color: {{Green}}"| No |- ! Small clock skew attack against NTP , VM host effects: | {{BlueBackground}} VM host u/c block (?) | {{BlueBackground}} VM host u/c block (?) | {{BlueBackground}} There is no VM host | {{BlueBackground}} VM host u/c block (?) | {{BlueBackground}} VM host u/c block (?) | {{BlueBackground}} VM host u/c block (?) | {{BlueBackground}} VM host u/c block (?) |- ! Small clock skew attack against NTP , operating system effects: | style="background-color: {{Green}}"| {{project_name_short}} VMs: sdwdate fixes the clock skew | style="background-color: {{Green}}"| sdwdate fixes the clock skew | style="background-color: {{Green}}"| VM: tails_htp fixes the clock skew | style="background-color: {{Green}}"| tails_htp fixes the clock skew | style="background-color: {{Red}}"| If the user visits a page monitored by an adversary, they will know who is connecting Due to a unique clock skew introduced by an adversary. | style="background-color: {{Red}}"| If the user visits a page monitored by an adversary, the will know who is connecting | style="background-color: {{Red}}"| If the user visits a page monitored by an adversary, they will know who is connecting |- |} = Usability = '''Table:''' ''Overall Usability'' {| class="wikitable" style="text-align: center;" |- style="background-color: #f9f9f9" ! ! '''{{project_name_short}}''' ! '''Tails''' ! '''Tor on the Host''' ! '''Qubes OS TorVM''' ! '''corridor''' |- ! Difficulty: installing additional software while the IP address remains hidden That is, installing new software safely. | style="background-color: {{Green}}"| Easy In {{project_name_short}}, it is possible to install a ([https://blog.torproject.org/bittorrent-over-tor-isnt-good-idea/ Tor-unsafe]) BitTorrent client. In the worst case it would be pseudonymous rather than anonymous, as the IP address would still be hidden. | style="background-color: {{Yellow}}"| Moderate Tails has a firewall to block non-Tor traffic, but an [https://gitlab.tails.boum.org/tails/tails/-/issues/5769 audit] at the protocol level is still required. The [https://tails.boum.org/security/index.en.html Tails Security Page] notes:
Until an [https://gitlab.tails.boum.org/tails/tails/-/issues/5769 audit] of the bundled network applications is done, information leakages at the protocol level should be considered as - at the very least - possible.
| style="background-color: {{Red}}"| Difficult The user must manually prevent non-Tor traffic, DNS leaks and protocol level leaks. | style="background-color: {{Green}}"| Easy | style="background-color: {{Yellow}}"| Moderate |- ! Difficulty: installation of the base anonymity software | * [[Qubes|{{q_project_name_short}}]]: Easy * [[Non-Qubes-Whonix|{{non_q_project_name_short}}]]: Moderate Text, screenshot and video instructions are available. | style="background-color: {{Green}}"| Easy | style="background-color: {{Green}}"| Easy | style="background-color: {{Green}}"| Easy | style="background-color: {{Red}}"| Difficult The user must install and set up the Gateway from source code. |- ! Required knowledge to prevent serious user error For examples of what ''not'' to do, see [[DoNot]]. | style="background-color: {{Red}}"| Difficult | style="background-color: {{Red}}"| Difficult | style="background-color: {{Red}}"| Difficult | style="background-color: {{Red}}"| Difficult | style="background-color: {{Red}}"| Difficult |- ! Pre-installed applications | style="background-color: {{Green}}"| Wide selection | style="background-color: {{Green}}"| Wide selection | {{BlueBackground}} None | {{BlueBackground}} Not applicable | {{BlueBackground}} Not applicable |- ! Grossly inaccurate host clock | style="background-color: {{Yellow}}"| No connection to the Tor network until the clock is manually fixed | style="background-color: {{Green}}"| Uses [https://tails.boum.org/contribute/design/Time_syncing/ tordate] to fix the clock | style="background-color: {{Yellow}}"| No connection to the Tor network until the clock is manually fixed | style="background-color: {{Yellow}}"| No connection to the Tor network until the clock is manually fixed | ? |- ! Comprehensive documentation | {{Yes}} [[Documentation]] | {{Yes}} https://tails.boum.org/doc/index.en.html | ? | ? | ? |- ! Disable power savings in VMs | {{Yes}} https://github.com/Kicksecure/vm-config-dist/blob/master/etc/profile.d/20_power_savings_disable_in_vms.sh | style="background-color: {{Yellow}}"| No, but there is no sleep mode | ? | ? | ? |- |} = Features = '''Table:''' ''Features'' {| class="wikitable" style="text-align: center;" |- ! ! '''{{project_name_short}}''' ! '''Tails''' ! '''Tor Browser''' ! '''Qubes OS TorVM''' |- ! Default desktop | Xfce | GNOME | {{BlueBackground}} Whatever the user has installed. Not an operating system | Xfce |- ! Multi-language support | {{No}} | {{Yes}} | {{Yes}} | ? |- ! Fits on a DVD | {{No}} | {{Yes}} | {{BlueBackground}} Not an operating system | ? |- ! VPN support: userVPNTordestination | style="background-color: {{Yellow}}"| Manual configuration is required Necessary software is included, but there is no GUI to complete the process. For documentation on this optional configuration, see [[Tunnels/Introduction|tunnel introduction]]. | {{No}} Tails status for VPN support: https://gitlab.tails.boum.org/tails/tails/-/issues/5858 | style="background-color: {{Yellow}}"| Possibly can be manually installed (?) | {{Yes}} |- ! VPN support: userTorVPNdestination | style="background-color: {{Yellow}}"| Manual configuration is required | {{No}} | ? | {{Yes}} By configuring the NetVM of the TorVM as a VpnVM. |- ! VPN support: userVPNTorVPNdestination | style="background-color: {{Yellow}}"| Manual configuration is required | {{No}} | ? | {{Yes}} |- ! IRC client pre-configured for privacy | {{No}} | {{Yes}} (Pidgin) https://tails.boum.org/contribute/design/#index42h3 | {{BlueBackground}} Not an operating system | {{No}} |- ! Flash support | style="background-color: {{Yellow}}"| Manual installation is required See [[#Flash_.2F_Browser_Plugin_Security|Browser Plugin Security]] and [[Browser Plugins|Browser Plugins]]. | {{No}}, but HTML5 videos are functional Tails status for Flash support: https://gitlab.tails.boum.org/tails/tails/-/issues/5363 | style="background-color: {{Yellow}}"| Manual installation is required | ? |- ! Ricochet IM https://en.wikipedia.org/wiki/Ricochet_%28software%29 | {{No}} Ricochet has been broken since {{project_name_short}} 15 despite all efforts to fix it, see: [[Chat#Ricochet_IM|Ricochet IM]]. | style="background-color: {{Yellow}}"| Unsupported, but can be manually installed [https://gitlab.tails.boum.org/tails/tails/-/issues/5554 Tails wishlist]. | {{BlueBackground}} Not applicable | ? |- ! FTP support | style="background-color: {{Yellow}}"| [[FTP|Partial]] {{FTP}} | {{No}} (?) Tails status for FTP support: https://gitlab.tails.boum.org/tails/tails/-/issues/6096 | {{BlueBackground}} Not an operating system | ? |- ! Download manager | style="background-color: {{Yellow}}"| Manual installation is required Users can install any download manager, preferably using SocksPort, although TransPort works as well. ''wget -c'' (pre-configured to use SocksPort) has also been tested to work. | style="background-color: {{Yellow}}"| Manually installation is required Users can manually install any download manager in Tails. It only needs configuration to use the proper SOCKS proxy. | ? | ? |- ! Webmail can be used in the browser | {{Yes}} | {{Yes}} | {{Yes}} | {{Yes}} |- ! Email client | style="background-color: {{Green}}"| [[Encrypted_Email_with_Thunderbird|Thunderbird]] | style="background-color: {{Green}}"| Thunderbird | ? | ? |- ! Hidden service support | style="background-color: {{Yellow}}"| Manual configuration is required Hidden services can be used without IP address / DNS leaks, see [[Onion Services|onion service support]]. No GUI is available to setup an onion service, but it works well nonetheless. | style="background-color: {{Yellow}}"| Manual configuration is required This is possible via ordinary ''torrc'' mechanisms; see [https://gitlab.tails.boum.org/tails/tails/-/issues/5462 Persistence preset: Tor state] | ? | ? |- ! Hidden server configuration GUI | {{No}} | {{No}} [https://gitlab.tails.boum.org/tails/tails/-/issues/5688 Tails server: Self-hosted services behind Tails-powered Tor onion services] | ? | ? |- ! Support for free Wi-Fi hotspots | {{Yes}} When using VMs, this can be easily achieved on the host. For users relying on physical isolation, from {{project_name_short}} 0.5.6 onward there is no unsafe browser. A separate third machine with clearnet access could also be configured. | {{Yes}} Tails has a unsafe browser for such tasks. | {{Yes}} The host operating system mechanism can be used. | ? |- ! Video / streaming software | style="background-color: {{Yellow}}"| Manual installation is required | style="background-color: {{Yellow}}"| Some applications are included, more can be manually installed | {{BlueBackground}} Not an operating system | style="background-color: {{Yellow}}"| Manual installation is required |- ! Control port filter proxy | {{Yes}} See [[Dev/onion-grater|onion-grater, a Tor Control Port Filter Proxy, design documentation]]. | {{Yes}} | {{BlueBackground}} No | {{BlueBackground}} No |- ! TBB about:tor success message | {{Yes}} | {{BlueBackground}} ? | {{BlueBackground}} ? | {{BlueBackground}} ? |- ! Functional new identity option in Tor Button | {{Yes}} The option is just as effective as comparable platforms, like Debian. | {{Yes}} This option is fully functional in Tails, despite the quote below - see the additional footnote. As noted on the Tails' website, https://tails.boum.org/doc/anonymous_internet/Tor_Browser/index.en.html#new-identity:
This feature is not enough to strongly [https://tails.boum.org/doc/about/warnings/identity/index.en.html#contextual separate contextual identities] in the context of Tails as the connections outside of Tor Browser are not restarted. Shutdown and restart Tails instead.
| {{Yes}} | {{BlueBackground}} ? |- ! Default browser set to Tor Browser | {{Yes}} | {{Yes}} (?) | {{BlueBackground}} Not applicable | {{BlueBackground}} ? |- ! File / link open confirmation | {{Yes}} | {{BlueBackground}} ? | {{BlueBackground}} ? | {{BlueBackground}} ? |- ! I2P over Tor | style="background-color: {{Yellow}}"| Manual installation and configuration is required See [[I2P]]. | {{BlueBackground}} ? | {{BlueBackground}} Not an operating system | style="background-color: {{Yellow}}"| Manual installation is required (?) |- ! RetroShare over Tor | style="background-color: {{Yellow}}"| Manual installation is required See [[RetroShare]]. | {{BlueBackground}} ? | {{BlueBackground}} Not an operating system | style="background-color: {{Yellow}}"| Manual installation is required (?) |- ! Shared folder help | {{Yes}} https://github.com/Kicksecure/vm-config-dist/tree/master/usr/lib/systemd/system [[VirtualBox/Guest Additions#Shared_Folder|VirtualBox shared folders]]. [[KVM#Shared_Folders|KVM shared folders]]. | ? | ? | ? |- ! Higher boot resolution | {{Yes}} https://github.com/Kicksecure/usability-misc/blob/master/etc/default/grub.d/30_screen_resolution.cfg | ? | ? | ? |- ! Verbose boot output | {{Yes}} https://github.com/Kicksecure/debug-misc/blob/master/debian/control | ? | ? | ? |- ! RAM-adjusted desktop starter | {{Yes}} https://www.whonix.org/wiki/Desktop#RAM_Adjusted_Desktop_Starter https://github.com/Kicksecure/rads | ? | ? | ? |- |} = Circumvention = '''Table:''' ''Censorship Circumvention Options'' {| class="wikitable" style="text-align: center;" |- style="background-color: #f9f9f9" ! ! '''{{project_name_short}}''' ! '''Tails''' ! '''Tor Browser''' ! '''Qubes OS TorVM''' ! '''corridor''' |- ! obfs4 | {{Yes}} See [[Bridges]]. | {{Yes}} | {{Yes}} | ? | ? |- ! meek | {{Yes}} meek_lite is available from {{project_name_short}} 14. | {{Yes}} https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/10-tor.sh | {{Yes}} | ? | ? |- ! Snowflake | {{Yes}} Manual configuration is required, see: [[Bridges#Snowflake|Snowflake]]. https://forums.whonix.org/t/replacing-meek-snowflake/5190 | {{No}} https://gitlab.tails.boum.org/tails/tails/-/issues/5494 | {{Yes}} | ? | ? |- ! [[Censorship_Circumvention_Tools|Other Censorship Circumvention Tools]] | ? | ? | ? | ? | ? |- |} = Statement about Neutrality of this Page = == General == An impartial comparison of anonymity platforms and tools is difficult, since contributors to this page are most likely {{project_name_short}} users. Regardless, an imperfect comparison page is better than none at all. The reader should bear in mind that this wiki content might have been anonymously posted elsewhere, such as Wikipedia. The contributors to this page have decided to attach their pseudonyms. Anonymous edits are allowed and are generally published within a short time frame. Readers who notice any mistakes can immediately edit the page. This entire article is published under a Free (as in speech) license (GPLv3+). Permission is granted by adrelanos (Patrick Schleizer) for anyone editing this page to shift the content to a more neutral place, like Wikipedia. Should it be required, Schleizer would also agree to dual / multi / re-licensing of this page under a different Free (as in speech) license, such as GFDL. Note that moving the article to Wikipedia is difficult to achieve anonymously, since they do not allow Tor user edits (and most people interested in this article are Tor users). == Different Views == Opinions should always be expressed carefully, particularly when analyzing the merits and weaknesses of other software projects. A range of different opinions already exist on this exact issue. Interested readers can refer to the following resources or add their own: * [https://web.archive.org/web/20160913002655/https://mailman.boum.org/pipermail/tails-dev/2012-September/001704.html Tails-dev: please look at Comparison of {{project_name_short}}, Tails and TBB] * [https://web.archive.org/web/20160913002103/https://mailman.boum.org/pipermail/tails-dev/2013-February/002563.html Tails-dev: please look at Comparison of {{project_name_short}}, Tails and TBB #2] * [https://groups.google.com/g/qubes-devel/c/GT8LyE-la-o qubes-devel: please look at Comparison of {{project_name_short}}, Tails, TBB and Qubes OS TorVM] =Systems Omitted from the Comparison= The following software platforms were not considered in this comparison, but may be included in the future: [https://subgraph.com/sgos/index.en.html Subgraph OS] has been removed from this list; the distribution has not released an ISO since 2017. * [https://web.archive.org/web/20210301141016/https://www.ipredia.org/ Ipredia OS] * [https://web.archive.org/web/20170104140536/https://www.freepto.mx/en/ Freepto] * [https://web.archive.org/web/20210417174920/http://www.spi.dod.mil/lipose.htm LPS] * [https://www.parrotsec.org/ ParrotSec OS] = See Also = {{other_networks_mininav}} = Footnotes = {{reflist|close=1}} {{Footer}} [[Category:Documentation]] [[Category:Design]]