> or just only allow https in the vm firewall settings.

I assume you mean whitelisting TCP port 443?  If so, be aware that while
this will stop most non-HTTPS traffic, there is nothing that prevents
other protocols from using port 443.  It's a fairly well-known attack on
Tor's "stream isolation by port" feature for websites to use nonstandard
ports in order to get isolated in the wrong Tor circuit (e.g. in order
to deanonymize SSH traffic), which is why Tor doesn't stream-isolate by
port by default.

Whitelisting TCP port 443 is still better than nothing, though, assuming
that you don't expect any legitimate traffic to go over other ports.
Just be aware that it's trivially easy to bypass for an attacker.

Assuming that you're using a Firefox-based browser (including Tor
Browser), you can get some defense in depth by also enabling the feature
of HTTPS-Everywhere that blocks all non-TLS requests.  Nothing wrong
with combining this with the firewall whitelist that you suggested.


You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to