This is a list of notable reviews and feedback about Whonix security.

= Reviews =

* [https://web.archive.org/web/20200712221931/https://corelight.blog/2019/07/18/profiling-whonix/ corelight Bright Ideas Blog: Profiling Whonix]
* Not an audit of Whonix but an audit of software which is based on Whonix:
** [https://securedrop.org/ "SecureDrop]
SecureDrop is an open source whistleblower submission system that media organizations and NGOs can install to securely accept documents from anonymous sources. It was originally created by the late Aaron Swartz and is now managed by [https://freedom.press/ Freedom of the Press Foundation]. SecureDrop is available in [https://docs.securedrop.org/en/stable/admin/reference/securedrop_admin.html#updating-localization-for-the-source-interface-and-the-journalist-interface 20 languages].
Journalist Workstation [https://github.com/freedomofpress/securedrop-workstation environment for submission handling] is based on Qubes-Whonix.” ** [https://securedrop.org/news/third-party-audit-integrated-securedrop-workstation-completed/ Third party audit of integrated SecureDrop Workstation completed] * [https://lists.torproject.org/pipermail/tor-talk/2012-March/023531.html Cursory check of TorBOX] by the creator of [https://web.archive.org/web/20141217135247/http://www.janusvm.com/ JanusVM] (TorBOX was later renamed to {{project_name_short}}) * [https://github.com/QubesOS/qubes-issues/issues/2108#issuecomment-228379491 Quote] rustybird, author of [https://github.com/rustybird/corridor corridor, a Tor traffic whitelisting gateway]:
Happy to report no leaks observed, ever.
* [[Edward_Snowden_on_Whonix|Edward Snowden on Whonix]] = Discussions = == Tor-talk == There are [https://lists.torproject.org/pipermail/tor-talk/2012-March/subject.html#23489 a few older threads] on the Tor Talk Mailing List concerning the security of {{project_name_short}} / transparent proxy: * [https://lists.torproject.org/pipermail/tor-talk/2012-March/023486.html tor-talk: Operating system updates / software installation behind Tor Transparent Proxy] * [https://lists.torproject.org/pipermail/tor-talk/2012-March/023519.html tor-talk: Obtain real IP behind Tor transparent proxy; was: Operating system updates / software installation behind Tor Transparent Proxy] * [https://lists.torproject.org/pipermail/tor-talk/2012-March/023531.html tor-talk: Risk with transparent proxy mode (was Re:Operating system updates / software installation behind Tor Transparent Proxy)] - In summary, coderman (developer of TorVM / JanusVM) had some concerns, which could be dispelled. "Looks fine from a cursory check." == Older References == This section is for older, general {{project_name_short}} discussion references. It is useful to capture people's thoughts and feedback concerning the project, even if feedback is secondhand and not provided directly. Most links are found by searching for "[https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorBOX TorBOX]". ----- '''TorBOX''' * [https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorBOX/Dev/ArchivedDiscussion/QUESTIONS Dev/ArchivedDiscussion/QUESTIONS] * [https://html.duckduckgo.com/html?q=site%3Awilderssecurity.com%20TorBOX {{project_name_short}} on wilderssecurity.com]; a few threads exist * [https://ra.fnord.at/2011/05/easy-and-secure-anonymous-internet-usage/ ra's blog]; negative feedback - search for "TorBOX that they have" * LulzSec / AntiSecOp: [https://toodamnez.wordpress.com/2012/02/15/want-to-be-a-ghost-on-the-internet/ Want to be a ghost on the internet?]; {{project_name_short}} (TorBOX) is a part of their instructions ----- '''Early TorBOX and {{project_name_short}} Releases''' * [https://www.reddit.com/r/TOR/comments/tyabf/torbox_critical_issue_help/ reddit: torbox critical issue help]; this only applied to 0.1.3. A workaround was provided and a fix was announced and available from 0.2.0 onwards * October 2012 - {{project_name_short}} 0.4.5 release announcement ** [https://lists.torproject.org/pipermail/tor-talk/2012-October/025921.html tor-talk Mailing List: Whonix ALPHA 0.4.5 - Anonymous Operating System released]; in summary, no answers were provided ** [https://lists.debian.org/debian-derivatives/2012/10/msg00007.html on debian-derivatives Mailing list: Whonix ALPHA 0.4.5 - Anonymous Operating System released]; in summary it was mentioned that if VirtualBox is exploited, it is game over. This is true and already mentioned in the [[Comparison with Others#Attacks|attack matrix]] ----- '''General Discussions'''
October 2012 - Discussions:

* [https://www.wilderssecurity.com/showthread.php?p=2122152#post2122152 Wilders Security Forum: Anonymous operating system Whonix]; in summary, only questions were asked and no concerns raised
* Qubes OS Mailing List: [https://groups.google.com/g/qubes-devel/c/aJGrmlkwO3M qubes vs Whonix virtualization solution]; in summary, Qubes OS is deemed safer than VirtualBox. Other than that point, no complaints were raised
* Qubes OS Mailing List: [https://groups.google.com/g/qubes-devel/c/aJGrmlkwO3M Whonix: VirtualBox vs Qubes OS]; in summary, it was agreed that Qubes OS is safer than VirtualBox

= Upstream =