> Well, entr0py, you are correct.
>
> It does indeed come down to either Xen, or my networking stack.
>
> Let me ask... what is the security like for Ethernet..?
Anything going over a wire is going to have a far shorter RF leakage range than WiFi. Unless your threat actor is in the house or next door, Ethernet is hard to beat for security (and simplicity). WiFi protocols are (obviously) over the air, which is inherently more vulnerable. Plus they're more complex, and complexity is no friend of security. WiFi (protocols and hardware itself) is a pretty juicy target for the NSA and state actors, so you know a lot of effort is being put into that. Ethernet is pretty well-established and boring as compared to WiFi.

https://en.wikipedia.org/wiki/Wireless_security

That being said, there is an argument that since WiFi is encrypted by default (usually), and Ethernet isn't, WiFi may be considered more secure in that aspect. But you can certainly (as discussed before) make sure everything going over the Ethernet cable is encrypted. But WiFi has had a pretty bad track record of security (WEP, WPA, WPS all considered crackable), so I'd stick with wired. If you're paranoid, make sure your cable runs are short and RF-shielded.

WPA2 (a.k.a. 802.11i) is considered secure for the long run; but given the complexity, and the aggressiveness of state actors and crooks to put backdoors and bugs into the protocols and hardware, I'd stick with Ethernet. Broadcasting and security don't mix, even with encryption.

If someone sneaks onto your Ethernet, they'll have to do it by tapping into an existing wire, picking up RF leakage, or plugging into your cable modem. Pretty noticeable and containable. If someone sneaks onto your WiFi network somehow, you likely won't notice.

A few points about WiFi routers:

- Often the admin pages are just http, not https. So anyone on your network (legitimately, or not) can snag the cable modem credentials and later reconfigure your modem to redirect traffic to themselves, or whatever.
- Make sure your admin password is long, random, and unique. Only administer it or change the password when WiFi is off and you're the only one connected on Ethernet.
- Turn off SSID broadcast. Users can type in the network name (something non-guessable, not just "linksys" or "dlink", lol).
- While MAC address spoofing is easy, it still can't hurt to turn on MAC authentication, so only listed MAC addresses are permitted on the network. If they can't otherwise snoop on the network, they won't know *which* MAC addresses to spoof, so it could help a bit.
- I also turn off DHCP serving (for both WiFi and Ethernet). It's not that inconvenient to manually type in the address, gateway, DNS. I use an unusual IP address range as well.

None of those necessarily add significantly to security, but they sure don't hurt, especially for the less sophisticated threat.

And don't use your ISP's DNS. It's trivial for a small-time privately-owned provider (or the NSA tapping into the same) to hijack DNS and send you to a spoofed site. Google's 8.8.8.8/8.8.4.4 is quite popular, if you trust Google inherently. (I don't.) OpenDNS's 8.26.56.26 is also popular, but it does redirect to ads for unrecognized sites, which isn't particularly cool. I prefer using my commercial VPN provider's DNS server. If I can't trust the VPN provider, my security is toast anyway, so I might as well trust their DNS too. :) To me, a good commercial VPN provider is one of the few "stakes in the ground" you have to place and trust. (Also, I connect to my VPN provider by IP address, which I verify several different ways, rather than by DNS lookup.)

Also, if you run Whonix or Tor, it can do the DNS resolution for you over Tor, which is great for security and preventing DNS leakage.

If you do serve up DHCP from your cable modem, put in your preferred DNS server there, so any clients automatically use it.

But in general, don't use WiFi if you're concerned at all about security. :)
> Let's say I connected to my home router via Ethernet, and also served out
> the Tor connection to a 2nd laptop, over Ethernet.
>
> In this setup, there is no WiFi at all.
>
> Would that make things more secure..?

I would say yes, unless there's someone nearby who can pick up leaking RF from your Ethernet connection, a fairly rare and manageable threat.

I turn on WiFi when friends, family, my kids, are over, or for casual browsing (with a VPN layer on top). But never for anything work related or personal. Otherwise it's off. (Some modems have a button to do that; but make sure it's not a WPS configuration button, because that's insecure.)

Interestingly, I noticed my FM radio, tuned to around 100 MHz (go figure), picks up Ethernet noise. It's a good ghetto way to see how leaky your cables might be. For my wiring, move a foot or so away from the cable, and you don't hear anything. (I have one VOIP phone which just screams RF noise in the 100 MHz range. You can hear the dialing activity, clearly. It's a low-end phone, so I'm not sure if it's just a crappy design with poor shielding, or, ahem, a bit "suspect." It was given to me by a "potential client" whom I never heard from again. :S I don't use it, lol. It's joined "Johny J's Museum of Suspect Hardware.")

At the very least, with WiFi, even if they can't see the actual traffic, an attacker can see that there *is* traffic or not. Which could let them know when you're home or out, as well as doing traffic correlation attacks. ("Hmmm, occupywallstreet.com gets hits corresponding to the timing of Joe's WiFi traffic. Let's get him!")

Cable modems seem very sloppy in their software design, in my experience. I'd even recommend not using it to be the router, doling out DHCP addresses, and such, but to run it in "bridged mode", which behaves more like your PC is directly connected to your provider's LAN. And put a good, secure, controllable, open-source, updateable Linux firewall between the modem and your users instead. Don't let a closed source system do your personal DHCP, DNS, routing.

My cable modem repeatedly turns on "allow remote administration", which shows up with a big red warning banner. I asked my ISP about that, and they said it's normal, and they use it for remote maintenance. Um, okay. (Assuming, of course, I was actually having an email conversation with the actual ISP, lol. Not necessarily a safe assumption in my situation.)

Once again, sorry for the brain dump. I get excited when it comes to security.

JJ

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8312a987dbae2f92189ce393def1bb40.webmail%40localhost.
For more options, visit https://groups.google.com/d/optout.
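The post's point that a stranger on the LAN "likely won't notice" pairs with its tip of keeping a list of permitted MAC addresses. The following is an added example (not code from the post or from the Qubes project) of the defender-side check that list enables: it parses the neighbour table in the format Linux `ip neigh show` prints and reports any hardware address that is not on a hand-maintained allow-list. The neighbour table and the allow-list below are constructed sample data, and the device names are hypothetical.

```python
"""Report LAN neighbours whose MAC address is not on an allow-list.

Parses text in the format of Linux `ip neigh show` and flags entries whose
link-layer address is absent from ALLOWED. Run stand-alone it uses the
constructed sample below; pipe real output into it to check your own LAN:
    ip neigh show | python3 lan_allowlist.py
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample of `ip neigh show` output (not a real capture).
SAMPLE_NEIGH = """\
192.168.37.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.37.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.37.21 dev eth0 lladdr AA:BB:CC:DD:EE:02 REACHABLE
192.168.37.99 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.37.50 dev eth0  FAILED
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
"""

# Hypothetical allow-list: the devices the owner knows about. Keys are
# lower-case so that the comparison is case-insensitive.
ALLOWED: Dict[str, str] = {
    "00:11:22:33:44:55": "router",
    "aa:bb:cc:dd:ee:01": "laptop-1",
    "aa:bb:cc:dd:ee:02": "laptop-2",
}

# One neighbour line: "<ip> dev <iface> lladdr <mac> ..." (entries without a
# resolved address, e.g. FAILED or INCOMPLETE, carry no "lladdr" and are skipped).
_LINE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17})"
)


def parse_neigh(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, interface, mac) for every line that carries a link-layer address."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append((m["ip"], m["dev"], m["mac"].lower()))
    return entries


def unknown_devices(text: str, allowed: Dict[str, str] = ALLOWED) -> Dict[str, List[str]]:
    """Map each MAC seen in the table but not on the allow-list to the IPs it answered for."""
    seen: Dict[str, List[str]] = {}
    for ip, _dev, mac in parse_neigh(text):
        if mac not in allowed:
            seen.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in seen.items()}


def report(text: str, allowed: Dict[str, str] = ALLOWED) -> List[str]:
    """Human-readable lines, one per unknown device (empty list means all known)."""
    unknown = unknown_devices(text, allowed)
    return [f"UNKNOWN {mac} seen at {', '.join(ips)}" for mac, ips in sorted(unknown.items())]


if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NEIGH
    lines = report(source)
    print("\n".join(lines) if lines else "all neighbours are on the allow-list")
```

Two caveats the post itself raises apply here: a MAC allow-list is a tripwire, not a boundary, because addresses are trivially spoofed, and the neighbour table only lists hosts that have recently exchanged packets with the machine running the check, so a quiet device can be missed. It is cheap to run from cron on the firewall box the post recommends, and a new entry in the report is exactly the "you likely won't notice" event the post warns about.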