> And yes, by all means, I will use Whonix's system rather than my own custom script.

I agree that Whonix is a key component. A NetVM that ensures *all* your traffic goes through Tor, with no leakage, as well as doing secure DNS lookups for you, is a big security plus. They've also put a fair bit of work into the iptables (i.e. firewall) configuration of the sys-whonix Network VM. Something I had expected of Qubes, and a bit more on par with what Tails does.

And Whonix is more of an open sourced "configuration" rather than a code base. It just ties other established pieces together solidly, and configures them well. And you're free to check it out and put it together yourself, no coding required.

In System, Global Settings, it's good to make sys-whonix your Update VM as well, reducing MITM risk during the update process. As well as making it your Clock VM, to avoid clock synchronization leaks.

(apt-get-transport tor is slightly preferable, since it goes directly to Debian's hidden service, encrypted of course, for updates. But hopefully package signing would reduce any risk for dodgy exit nodes and the like when using sys-whonix for updates.)

It's worth noting that using Whonix does increase the number of trusted parties from two (Fedora + Qubes devs) to four (Fedora + Qubes + Debian + Whonix devs). More repositories/updates for potential threats or bugs. But where all are open source, that's probably not a big additional security risk. The benefit far outweighs the risks, IMO.

Cheers,
JJ