Hello everyone! I came here from the Whonix forum because a Whonix and Kicksecure team member asked me to move my question here. At first the text below was just a comment for the thread named “What exaclty tells to ISP generating by Whonix traffic?”. I can’t post links here yet, so for more detailed context on the subject you can go there and easily find that thread.
All these days I was thinking about the proposition to use Kicksecure as the host for Whonix. I studied the Kicksecure documents, but there was nothing about its fingerprint. The main thing I would like to know is: what is the fingerprinting situation with Kicksecure? I already know that it checks its canary online every time it starts a connection, and I know that there is a way to disable it. But what else (or how much) is there in the traffic telling the ISP that it’s Kicksecure? And is it possible to disable as many of these things as possible? For example, replace all its update servers with onion versions (if there are any) and route all its traffic through Tor during the update process. Of course I can’t use a torified connection all the time, since it’s all done for Whonix usage and Tor over Tor is bad.
Of course Kicksecure is much more secure than Debian, but it is definitely used by far fewer people than even Qubes (especially since it seems there are not even any publicly available Kicksecure metrics to find out for sure). So of course it would be better if it were not so easy for someone to see that this is Kicksecure and not regular Debian.