On Tuesday, September 27, 2016 at 5:11:27 PM UTC-4, Jeremy Rand wrote:
> raahe...@gmail.com:
> > or just only allow https in the vm firewall settings.
> 
> I assume you mean whitelisting TCP port 443?  If so, be aware that while
> this will stop most non-HTTPS traffic, there is nothing that prevents
> other protocols from using port 443.  It's a fairly well-known attack on
> Tor's "stream isolation by port" feature for websites to use nonstandard
> ports in order to get isolated in the wrong Tor circuit (e.g. in order
> to deanonymize SSH traffic), which is why Tor doesn't stream-isolate by
> port by default.
> 
> Whitelisting TCP port 443 is still better than nothing, though, assuming
> that you don't expect any legitimate traffic to go over other ports.
> Just be aware that it's trivially easy to bypass for an attacker.
> 
> Assuming that you're using a Firefox-based browser (including Tor
> Browser), you can get some defense in depth by also enabling the feature
> of HTTPS-Everywhere that blocks all non-TLS requests.  Nothing wrong
> with combining this with the firewall whitelist that you suggested.
> 
> Cheers,
> -Jeremy

I do HTTPS only on most of my VMs.  Of course nothing is 100%, but I'm not sure 
if you are saying that would make me more vulnerable?  I believe this is common 
Qubes practice, even among the devs.

What extra benefits would the HTTPS Everywhere plugin have over the firewall?  I 
do use this plugin on the VMs that aren't restricted to only HTTPS; I also use 
uBlock Origin.  I also always use NoScript or ScriptSafe on all VMs.  But are 
there extra settings to use in HTTPS Everywhere?  Because all I thought it did 
was verify certs with the FSF.  I use it on all my machines and maybe I'm 
missing the setting to stop HTTP connections, but I think the firewall is all 
you need, and it is separate from the browser itself.

But blocking everything but HTTPS is helpful not just against MITM, but, say, 
for example in your email VM where you don't want to accidentally click a bad 
link.  So if there is some sketchy non-HTTP link, you would be forced to copy 
it to a less privileged VM to open it.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/18285799-3c78-4349-b368-22b1329c4329%40googlegroups.com.
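The point Jeremy makes above, that a port-443 whitelist constrains only the port number and not the protocol carried on it, can be made concrete with a small check on the first bytes of a flow. The following is an added example, not code from the thread or from Qubes; the firewall itself (Qubes' per-VM rules) is a plain port/address filter and does nothing like this. The function names (`looks_like_tls_client_hello`, `classify_flows`, `build_client_hello`) and all sample payloads are constructed for illustration. It shows what an application-layer filter, or HTTPS-Everywhere's block-all-non-TLS mode inside the browser, has to look at that a port-only rule cannot see.

```python
"""
Added example (not from the qubes-users thread): distinguish a TLS
ClientHello from other payloads that may arrive on TCP/443.  A port
whitelist accepts all four constructed flows below that use port 443;
only one of them is actually TLS.
"""
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type "handshake"
CLIENT_HELLO = 0x01    # handshake message type "client_hello"
MAX_RECORD_BODY = 16384  # RFC 5246: record body length is at most 2^14


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Return True if payload begins with a plausible TLS ClientHello record.

    Assumes the ClientHello is not fragmented across TLS records, which is
    the common case.  This is a structural check only; it does not verify
    certificates or the rest of the handshake.
    """
    # Record header: content_type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(payload) < 5 + 4:
        return False
    rec_type, ver_major, ver_minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if rec_type != TLS_HANDSHAKE:
        return False
    if ver_major != 3 or ver_minor > 4:    # record versions SSL 3.0 .. TLS 1.3 use 3.0 .. 3.4
        return False
    if rec_len == 0 or rec_len > MAX_RECORD_BODY:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    if hs_type != CLIENT_HELLO:
        return False
    # Handshake message plus its 4-byte header must exactly fill the record body.
    return hs_len + 4 == rec_len


def build_client_hello() -> bytes:
    """Construct a minimal, well-formed TLS ClientHello record (sample input)."""
    body = (
        b"\x03\x03"          # client_version TLS 1.2
        + bytes(32)          # random (zeros; constructed sample)
        + b"\x00"            # session_id length 0
        + b"\x00\x02\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"        # one compression method: null
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


# Constructed flows: (description, destination port, first bytes on the wire)
SAMPLE_FLOWS = [
    ("browser HTTPS on 443", 443, build_client_hello()),
    ("SSH banner on 443", 443, b"SSH-2.0-OpenSSH_7.3\r\n"),
    ("plain HTTP on 443", 443, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("unknown binary on 443", 443, b"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09"),
    ("plain HTTP on 80", 80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]


def classify_flows(flows):
    """Apply the port whitelist, then the protocol check, returning (name, verdict) pairs."""
    results = []
    for name, port, data in flows:
        if port != 443:
            verdict = "drop: port not whitelisted"
        elif looks_like_tls_client_hello(data):
            verdict = "allow: TLS ClientHello on 443"
        else:
            verdict = "drop: non-TLS payload on whitelisted port 443"
        results.append((name, verdict))
    return results


if __name__ == "__main__":
    for name, verdict in classify_flows(SAMPLE_FLOWS):
        print(f"{name:24s} -> {verdict}")
```

Running it shows the port rule alone passing the SSH banner, the plaintext HTTP request and the arbitrary bytes, because all three are sent to port 443; only the protocol check separates them from the real ClientHello. That is the gap the firewall whitelist leaves and that the browser-side block-all-non-TLS setting closes for the browser's own requests.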