nekroze.law...@gmail.com:
> On Tuesday, August 30, 2016 at 12:57:54 PM UTC+10, Jeremy Rand wrote:
>> Seems to me that an attack could be constructed where the Tor exit used
>> for update downloads feeds sys-whonix an exploit, and from there is able
>> to either break out of Tor, or compromise Tor in some way that may
>> affect other VMs' anonymity.
>
> Forgive me if I am misunderstanding the scenario you proposed, but the setup
> in question is "sys-net>sys-firewall>sys-whonix>sys-update". If dom0 uses
> sys-update to pull updates we should be ok. The default for when Qubes is
> told to use Whonix/Tor for updates however is
> "sys-net>sys-firewall>sys-whonix" with sys-whonix being the update VM if I
> remember correctly. In that case dnf/yum is in fact running in a Whonix VM
> (which as you mention might be a security issue) and the previously discussed
> method should prevent that, however as Marek mentioned it is not the default
> because it would require the addition of another AppVM and the base setup
> should be as minimal as possible. Not everyone has 16+ GB of RAM.
Yes, you understand the scenario I suggested correctly.

I agree with you and Marek that, for users with less RAM, it may be an acceptable tradeoff to run the update in sys-whonix. However, there are some users who either have a lot of RAM or are willing to shut down other VMs while performing dom0 updates in order to gain some extra security, and I think it would be reasonable for those users to use a "sys-update" VM for dom0 updates. I also think that this is something that might make sense to ask the user on Qubes install, and automatically configure "sys-update" if the user opts for the extra security.

The attack surface probably isn't massive here. But I always like reducing attack surface when feasible, and using a "sys-update" VM seems like a decent way to do so.

If Marek (or perhaps Patrick) disagrees with me that there's a security vs RAM usage tradeoff, I'd be very interested to hear their analysis on this.

Cheers,
-Jeremy Rand

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ce619a10-ecc2-3b31-85f2-f0d28afdcbb1%40airmail.cc.
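The "sys-update" layout the thread discusses, as an added example that is not part of either message: a dedicated AppVM whose only network path is sys-whonix, made dom0's UpdateVM so the chain becomes sys-net > sys-firewall > sys-whonix > sys-update. It assumes Qubes 4.x dom0 command syntax (`qvm-create`, `qvm-prefs`, `qubes-prefs`); the template name is a placeholder. The point of the dry-run mode is that the exact commands can be reviewed before anything in dom0 is changed.

```shell
#!/bin/sh
# Added example, not code from the qubes-users thread or the Qubes project.
# Creates a dedicated update VM behind sys-whonix and points dom0 at it.
# Assumes Qubes 4.x dom0 commands; TEMPLATE is a placeholder to replace
# with an installed template name. Set DRY_RUN=1 to print instead of execute.

UPDATE_VM="${UPDATE_VM:-sys-update}"
TOR_VM="${TOR_VM:-sys-whonix}"
TEMPLATE="${TEMPLATE:-fedora-NN}"   # placeholder template name

# run executes its arguments, or only prints them when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "[dry-run] $*"
    else
        "$@"
    fi
}

# setup_sys_update builds the VM, chains it behind the Tor gateway, and
# makes it the UpdateVM dom0 uses for its own package downloads.
setup_sys_update() {
    run qvm-create --class AppVM --template "$TEMPLATE" --label red "$UPDATE_VM" &&
    run qvm-prefs "$UPDATE_VM" netvm "$TOR_VM" &&
    run qubes-prefs updatevm "$UPDATE_VM"
}

# verify_chain prints which VM dom0 currently updates through and that VM's
# netvm, so the sys-whonix > sys-update hop can be confirmed afterwards.
verify_chain() {
    uvm=$(qubes-prefs updatevm) || return 1
    echo "updatevm=$uvm netvm=$(qvm-prefs "$uvm" netvm)"
}

# Only act when explicitly asked, so sourcing this file changes nothing.
if [ "${SYS_UPDATE_APPLY:-}" = "1" ]; then
    setup_sys_update && verify_chain
fi
```

Running `DRY_RUN=1 SYS_UPDATE_APPLY=1 sh sys-update.sh` in dom0 shows the three commands without executing them; omitting `DRY_RUN` applies them. Shutting down other VMs before the dom0 update, as the message suggests, is a separate manual step (`qvm-shutdown`) and is deliberately not automated here.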