Hi there!
I’m using the latest Tor version on Qubes 4.2.2.-Whonix and I’ve noticed some peculiarities for some time now. I think it could also be important to discuss this here. I’m not sure whether it’s a bug or not.
Tor-Security-Level: Standard
System: Intel NUC I 5 MYBE, 8 GB RAM
When you first call a Whonix disposable instance in Qubes and then analyze the circuit connections in the Tor Control Panel→Utilities→Onion Circuits, you notice the following:
a) An above-average number of times, no connection to a circuit can be made. See Figure 1:
b) Even if you have not yet visited a website, cryptic onion pages appear under random circuits, of which it is unclear what they mean.
c) When calling up a website, it is often impossible to establish a connection even though the gate is active. When analysing the circuits, it is noticeable that the following line is constantly being rebuilt and leads to a “continuous scrolling” and thus to a blocking of the connection:
This line can appear either once (see Figure 2)
or several times below a circuit line, and the line can be repeated (Figure 3)
and a new circuit is repeated with one or two lines of ff00:::443 below it infinitely.
More often, a circuit line with ff00:::443 appears, where ff00:::443 repeats itself indefinitely (Figures 4a and 4b).
In any case, the system is always trying to build new circuits to counteract this disruption.
If you then change the identity with the button in the upper right corner, the phenomenon often disappears, but not always.
I turned off IPv6, but it didn’t do anything.
I suspect that this problem is being artificially created from the outside to force Tor to build new circuits and increase the likelihood of correlation analysis. I may be wrong and it may be a bug, so I’m asking for experience and your views on it.
A search on the net has not yielded much, except for this link with similar facts, which does not describe 100 percent the same problem and does not lead to further insights.
See here:
Another peculiarity is that recently an IP address often appears as an entry node, and then only for a few minutes as an exit node. There may be suspicion that this is an attempt to compare and analyse the amount of data flowing in and out.
I would like your views on this. Thank you.