Kicksecure ™

Download

On Computer USB Installation Intel / AMD64 ARM64 Raspberry Pi PPC64 Windows (VM) Mac Linux (VM) VirtualBox (VM) Qubes (VM) KVM (VM) Debian morph to Kicksecure More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

About Kicksecure Network, Bridge/Guard, Internet Service Provider (ISP) Fingerprint and Website Traffic Fingerprinting.

In this chapter, the term fingerprint refers to the specific way Kicksecure behaves on the Internet. Those specificities could be used to determine whether a particular user is running Kicksecure or not.

Various types of information can be leaked about the user's browser, (host) operating system and hardware depending on the external party in question.

The very same wiki chapter as in the Whonix wiki applies. Entry Guards or Bridges

Fingerprinting Domains

Domain	Description
Network Stack Hardening	Kicksecure has implemented various security hardening measures like disabling TCP timestamps, ICMP redirections, firewalling invalid packages, and more. Unfortunately these measures can increase the risk of ISP or Local Network fingerprinting. Despite this, security hardening has been prioritized.
Random ISN Generation	Kicksecure prevents TCP ISN leaks through Tirdad kernel module for random ISN generation. Unfortunately this reduces ISP or Local Network fingerprinting resistance. Despite this, security has been prioritized.
Tor Entry Guards	Kicksecure uses an unmodified version of Tor, Tor Entry Guards are used as the default mechanism to connect to the Tor network. [1] Consequently, a Tor user will maintain the same relay as the first hop for an extended period, [2] which is a security feature.
Time Synchronization	When Kicksecure is started, the system clock is synchronized to make sure it slightly differs from the host clock via sdwdate. [3]
systemcheck	systemcheck also issues some network traffic over Tor to check for updates and Warrant Canary Check, which all passes through different circuits. This behavior might be specific to Kicksecure.
Website Traffic Fingerprinting	Website traffic fingerprinting is also an open Tor research question, which is unspecific to Kicksecure. [4] A related and unresearched issue is whether fingerprinting risks also apply to other traffic, such as apt traffic.

See Advanced Traffic Fingerprinting.

Destination websites can retrieve a lot of information about a user's browser and system, while advanced adversaries have even greater capabilities.

This is not the focus of Kicksecure. For that, use Whonix instead.

See Website Traffic Fingerprinting.

See Privacy Goals and Non-Goals of Kicksecure.

The following do not exist, based on currently available public information. This is applicable to Kicksecure, but also unspecific to Kicksecure. It is also applicable to other operating systems such as Qubes OS.

• A) No phone home research: There is no ongoing research project that regularly checks whether software that comes pre-installed with Kicksecure (or is commonly installed by users) secretly connects to the internet (called "phoning home") using regular, non-anonymous internet connections (clearnet), without user action or consent. This kind of research would be important to ensure that the system is not leaking information in the background.
• B) No fingerprint research: There is no active project that regularly studies and compares how different operating systems (like Microsoft Windows, Debian, Tor Browser Bundle (TBB), Tails, Whonix, Kicksecure, etc.) appear on the internet, known as their "network fingerprint." A network fingerprint is a set of technical clues that the internet service provider (ISP) or servers can use to recognize what kind of system you're using, even without cookies or login information. These fingerprints can vary depending on the software and hardware combination, and without this kind of research, users may be more identifiable online than they realize.
• C) No fingerprint emulation development team: Based on the lack of the above research, there is also no development team working on making Kicksecure (or similar systems) mimic the network fingerprint of more commonly used systems. The goal of such emulation would be to make users harder to identify or track by blending in with the crowd — for example, by making their internet traffic look like that of a typical Windows or Debian user.

Users can check what goals a software project explicitly states.

Many software projects do not list "radio silence" as a main objective. In this context, "radio silence" means that the system should not automatically send any network traffic unless the user initiates it. In more technical terms, this means avoiding clearnet traffic, which refers to regular, non-anonymous internet traffic that does not go through privacy networks like Tor.

• Qubes OS: Avoiding clearnet traffic is not a goal of Qubes OS. It is also unlikely to become a major goal in the future.
  • Qubes FAQ entry What about privacy in non-Whonix qubes? - This FAQ shows that privacy protection in non-Whonix parts of Qubes is not a focus.
  • Qubes FAQ entry What is Qubes’ attitude toward changing guest distros? - Suggests limited willingness to adopt major changes aimed at improving privacy.
  • Qubes issue ticket create or fork a Linux distribution for default use by App Qubes for better security Discusses whether to create a more secure Linux distribution for Qubes, but not focused on traffic anonymity.
  • See the issue: sys-net phones home to fedoraproject.org for captive portal detection. This means that the network component of Qubes OS was connecting to Fedora’s servers automatically to check for internet restrictions. The issue was reported in 2016, and no action was taken until 2022, when the issue resolved itself without deliberate changes. This indicates that preventing such traffic was not treated as a high priority.
  • See list of issues Qubes Important Anonymity related Network Issues.
• Kicksecure: There is a possible future feature that would allow blocking or allowing network access based on specific Linux user accounts or IP addresses. However, this feature has not been implemented yet. For the most recent updates, see: Kicksecure Firewall
• Whonix-Host: This project aims to avoid clearnet traffic entirely, but as of the time of writing, it does not yet exist.

As a user, knowing which goals are officially supported by a project helps manage expectations. If a feature or behavior is not listed as a goal or has not been implemented, users should assume it is not available and act accordingly to protect their privacy.

Solution:

C) security hardened networking + emulating "popular" network fingerprints: does not exist anywhere.

Kicksecure: Might get a feature to restrict outgoing traffic to specific Linux user accounts and/or IP addresses. But it’s not yet implemented. For latest status, see ticket: Kicksecure Firewall

This however does not magically fix all advanced fingerprinting techniques.

• https://forums.kicksecure.com/t/how-many-details-are-there-in-kicksecures-fingerprint-revealing-to-isp-the-os/1044
• https://forums.kicksecure.com/t/outbound-traffic-security-kicksecure-and-qubes/1059
• https://forums.whonix.org/t/what-exaclty-tells-to-isp-generating-by-whonix-traffic/21549
• https://forum.qubes-os.org/t/question-to-develepors-what-hardware-information-reveals-qubes-system-clearnet-traffic-to-an-isp/33778

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Kicksecure is proudly supported until 2026 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!