Hello everyone! I came here from the Whonix forum 'cause a Whonix and Kicksecure team member asked me to move my question here. At first the text below was just a comment for the thread named “What exaclty tells to ISP generating by Whonix traffic?” I can’t post links here yet, so for more detailed context of the subject you can go there and easily find that thread.
All these days I was thinking about proposition to use Kicksecure as the host for Whonix. Studied Kicksecure documents but there was nothing about its fingerprint. The main thing I would like to know is how is the fingerprinting situation with Kicksecure? I already know that it checks online its canary every time it starts connection and know that there is a way to disable it. But what else (or how many) is there in traffic saying to ISP that it’s Kicksecure? And is it possible to disable as many of these things as possible? For example replace all its update servers with onion versions (if there are any) and route all its traffic through Tor during update process. Of course I can’t use torified connection all the time since it’s all done for Whonix usage and Tor over Tor is bad.
Of course Kicksecure is much more secure than Debian but it is definitely used by far fewer people than even Qubes (especially since it seems there even is no publicly available Kicksecure metrics to find out for sure). So of course it would be better if it was not so easy for someone to see that this is Kicksecure and not regular Debian.
I would think this would be the standard of networking like DHCP when connecting to a network, since ISPs (well, there is a debate) indeed store all connection identifiers.
In this case the things that would make you fingerprintable are the hostname which Kicksecure sets to a generic name “host” and the MAC Address which currently Kicksecure doesn’t randomize.
Hostname and MAC address are sent to a network via DHCP request packets, so these are not necessarily Kicksecure-specific but rather the identifier of you on a network.
Things that could be fingerprintable as you mentioned are outbound connections that are sent.
Others are Linux kernel headers with things like browsers but as far as the OS I would say you just look like standard Debian with Tor when you go to update.
Hostname and MAC don’t leave home network except if using a LAN based ISP.
MAC address, documented here: