mara.kuens...@gmail.com wrote:
> Not only do you have to assume that all sites you visit within the
> same VM know everything you did in there, but also you have to
> assume they know all the passwords for all the other sites you visit
> there and basically have full control over that VM
> [...]
> I think what would solve this dilemma is a custom dom0 browser layer.
> The way this can work is as follows:

Hi Mara,

While I agree with you on your assumptions, I completely disagree on
your conclusion. What should actually solve this dilemma is to use
several AppVMs, each one dedicated to a different activity, or as I
prefer to refer to it myself: to different sensitivity levels.

This way indeed, you can consider that a website at some sensitivity
level may have access to full information belonging to this same
sensitivity level, but if you design this correctly this should not be a
major issue.

So, first make a list of your different on-line activities and the
sensitivity of information stored / transmitted in each case (if you
need some ideas, there was a very interesting article from Joanna
describing the process: you should quickly find and recognize it thanks
to the spaghetti-like diagram it contains ;) ).

Then, you may want to apply different setups to Firefox depending on the
needs and the trust level.
For instance:
- You may want to apply maximum paranoia on your random surf AppVM,
- You may want to be a bit more permissive in your shopping AppVM so
NoScript will not break a payment process right in the middle, leaving
you uncertain about how many times you will be charged.
- You may have a dedicated Firefox instance still having the infamous
Flash plugin installed when you need to access some websites requiring
it.
- Etc.

Decide how you may want to store your logins and passwords. Here are two
possible solutions, but there are other ones of course:
- Use (X)KeePass in a separate, isolated and dedicated AppVM. I suggest
you create a "Web" or "Firefox" group, and then create a different
sub-group for each of your AppVMs so everything stays clean and organized.
- Use Firefox's integrated password management.
Before you scream, do not forget that all activity in this Firefox
will be limited to the same sensitivity level. For instance, you are in
your "Public forums" AppVM, someone posts a link to a third-party
website: you will *not* open this link in the same AppVM but instead
copy/paste it in your "Random surf" AppVM. Should this site be malicious
and steal your password database, it would miserably fail (without
mentioning Firefox "paranoid" settings in this AppVM).
The only way for someone to actually get their hands on your Firefox
password database is to first hack the forum, and use it as a pivot to
then be able to hack your computer and get access to your file system.
At this point, installing a keylogger or a malicious Firefox extension
becomes just trivial, so avoiding the use of the Firefox password store
will be of no help, and if you design your AppVMs correctly then all the
efforts deployed by the attacker will be done quite in vain since he will
not actually gain any new valuable information.
If you use Firefox password management, I would however still
recommend that you use the Secure Login extension
(https://addons.mozilla.org/en-US/firefox/addon/secure-login/) so
Firefox does not dumbly automatically fill any password field without
requiring any human intervention (I find it a shame it still acts this
way by default): this protects you against online stealing of your
password store content and requires the attacker to either exploit the
browser or get his hands on your file system.

The two are not exclusive. Actually, if you use the Firefox password store
(and I find it really more convenient than doing a dozen Ctrl-Shift
things each morning just to identify myself on random public websites,
but YMMV), I would strongly recommend keeping at least a backup of these
passwords in some password safe like (X)KeePass.

There are still some other points you mention in your bullets that I
have not addressed until now:

* Trying to visit a non-white-listed website
Basically, you are responsible for what you do with your own computer.
There are several Firefox modules (plus Qubes' firewall) which should
help you to ensure that you do not use an AppVM from a certain
sensitivity level to access websites belonging to other ones. Modules
like uMatrix or NoScript, which allow better control of third-party
requests, seem like a must here.

* You always use a new VM for each tab
It *may* be possible to implement a way to handle different AppVMs in
different tabs instead of different windows, but I'm not sure I see any
real advantage in this.
If you have too many windows opened (which indeed happens very quickly
with Qubes), do not hesitate to use your window manager's features to
handle them:
- Assign specific activities to your workspaces (or desktops) and name
them accordingly instead of keeping the default names (it is easier to
distribute and manage your opened windows between the "Web", "Work" and
"Personal" workspaces than the default "1", "2" and "3"). I moreover
recommend having a different set of shortcuts per workspace, even if
there is sadly no standard way to do this in XFCE (see
https://askubuntu.com/questions/581913/can-i-set-up-my-xfce-workspaces-differently)
- Reduce or roll them: since the switch to XFCE, have you noticed that
using the mouse wheel on a window title bar you can roll it to save
space and avoid distraction? I find this feature really useful.
- Check your window manager settings to adapt them to your taste. For
instance, personally I set it to not display reduced windows in the
Alt-Tab menu, so I can focus on the window I am currently working with.

* Each VM is disposable
I miss this feature too; if someone who is reading this can tell me how
to selectively make some AppVMs volatile, it would be helpful.
Some of my AppVMs are used only for browsing and are not meant to store
anything locally (bookmarks and history may be either
hardcoded/discarded, or saved remotely using the Sync feature). It would
be useful to have them volatile on a day-to-day basis, and turn them
non-volatile only to update Firefox's modules or save a change in its
settings.

* The browser gets installed after launch, so no kind of tracking can
take place here via installation UUIDs etc.
To be honest, I have never investigated this, and I'm not sure what the
concrete threats there are. If you really need to keep your identity
secret for some life-or-death related tasks, instead of generating a new
UUID you really should just use the same UUID as a lot of other people
by using Qubes' bundled Whonix support: this will keep you blended in
the crowd.

Talking about missing features for web-browsing, I would love to see a
plugin or a solution allowing one to open a link in another designated
AppVM (the "Random surf" VM or a disposable one) with just a right-click
option instead of the current "Right-Click, A, Ctrl-Shift-C, Alt-Tab,
Ctrl-T, Ctrl-Shift-C, Ctrl-C, Enter" sequence...

Best regards,
Simon.
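
The routing rule described in this message (a link is opened only in the AppVM of its own sensitivity level, anything else goes to "Random surf") can be written down as a small script. This is an added example, not part of the original message: the AppVM names and the host policy are constructed, and it assumes Qubes' `qvm-open-in-vm` tool is available in the calling qube and that the qrexec policy allows the call.

```bash
#!/bin/sh
# Constructed policy: host suffix -> AppVM name (all names are hypothetical).
POLICY='
forum.example.org public-forums
shop.example.com  shopping
bank.example.net  banking
'
DEFAULT_VM='random-surf'   # hypothetical least-trusted "Random surf" AppVM

# Print the lowercase host of an http(s) URL; fail on anything ambiguous.
url_host() {
    local auth
    case $1 in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    auth=${1#*://}
    auth=${auth%%[/?#]*}                       # keep only the authority part
    auth=$(printf '%s' "$auth" | tr 'A-Z' 'a-z')
    # Reject userinfo ("@"), backslashes, brackets, etc.: browsers and simple
    # parsers disagree on these, so such URLs are treated as untrusted.
    case $auth in
        ''|*[!a-z0-9.:-]*) return 1 ;;
    esac
    printf '%s\n' "${auth%%:*}"                # strip an optional port
}

# Print the AppVM a URL belongs to; unknown or odd URLs go to DEFAULT_VM.
route_url() {
    local host suffix vm
    host=$(url_host "$1") || { printf '%s\n' "$DEFAULT_VM"; return 0; }
    # Match the exact host, or a subdomain on a dot boundary only.
    while read -r suffix vm; do
        [ -n "$suffix" ] || continue
        case $host in
            "$suffix"|*."$suffix") printf '%s\n' "$vm"; return 0 ;;
        esac
    done <<EOF
$POLICY
EOF
    printf '%s\n' "$DEFAULT_VM"
}

# Hand the URL to the chosen AppVM (subject to the qrexec policy in dom0).
open_link() {
    qvm-open-in-vm "$(route_url "$1")" "$1"
}

if [ "$#" -gt 0 ]; then open_link "$1"; fi
```

Look-alike hosts such as `forum.example.org.evil.test` and URLs carrying userinfo fall through to the default AppVM rather than the trusted one.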