raahe...@gmail.com:
> or just only allow https in the vm firewall settings.

I assume you mean whitelisting TCP port 443? If so, be aware that while this will stop most non-HTTPS traffic, there is nothing that prevents other protocols from using port 443. It's a fairly well-known attack on Tor's "stream isolation by port" feature for websites to use nonstandard ports in order to get isolated in the wrong Tor circuit (e.g. in order to deanonymize SSH traffic), which is why Tor doesn't stream-isolate by port by default.

Whitelisting TCP port 443 is still better than nothing, though, assuming that you don't expect any legitimate traffic to go over other ports. Just be aware that it's trivially easy to bypass for an attacker.

Assuming that you're using a Firefox-based browser (including Tor Browser), you can get some defense in depth by also enabling the feature of HTTPS-Everywhere that blocks all non-TLS requests. Nothing wrong with combining this with the firewall whitelist that you suggested.

Cheers,
-Jeremy
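
Added example, not part of the original message: a port-443 allowlist filters on the port number only, so a monitoring check has to look at what a flow actually speaks. This sketch classifies the first client bytes of a connection to TCP/443; the function names and sample flows are constructed for illustration.

```python
"""Classify the first client bytes of a TCP flow to port 443 (added example)."""

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
MAX_RECORD = 2 ** 14   # maximum plaintext TLS record length
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'ssh', 'http-plaintext', 'incomplete' or 'unknown'."""
    if data.startswith(b"SSH-"):
        return "ssh"               # SSH identification string (RFC 4253)
    if data.startswith(HTTP_METHODS):
        return "http-plaintext"    # cleartext HTTP request line
    if len(data) < 6:
        return "incomplete"        # need 5-byte record header + handshake type
    content_type, major, minor = data[0], data[1], data[2]
    record_len = int.from_bytes(data[3:5], "big")
    if (content_type == TLS_HANDSHAKE and major == 3 and minor <= 4
            and 0 < record_len <= MAX_RECORD and data[5] == CLIENT_HELLO):
        # Only means the flow opens with a ClientHello; it says nothing
        # about what is carried inside the TLS session afterwards.
        return "tls"
    return "unknown"


# Constructed flows: (label, first client bytes seen on a connection to TCP/443).
SAMPLE_FLOWS = [
    ("browser", bytes([0x16, 0x03, 0x01, 0x02, 0x00, 0x01]) + bytes(16)),
    ("ssh-on-443", b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("cleartext-http", b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("opaque", bytes([0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06])),
]


def non_tls_flows(flows):
    """Labels of flows that passed a port-443 allowlist without speaking TLS."""
    return [label for label, data in flows
            if classify_first_bytes(data) != "tls"]


if __name__ == "__main__":
    for label, data in SAMPLE_FLOWS:
        print(f"{label:15} -> {classify_first_bytes(data)}")
```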