On Tuesday, September 27, 2016 at 5:11:27 PM UTC-4, Jeremy Rand wrote:
> raahe...@gmail.com:
> > or just only allow https in the vm firewall settings.
> 
> I assume you mean whitelisting TCP port 443?  If so, be aware that while
> this will stop most non-HTTPS traffic, there is nothing that prevents
> other protocols from using port 443.  It's a fairly well-known attack on
> Tor's "stream isolation by port" feature for websites to use nonstandard
> ports in order to get isolated in the wrong Tor circuit (e.g. in order
> to deanonymize SSH traffic), which is why Tor doesn't stream-isolate by
> port by default.
> 
> Whitelisting TCP port 443 is still better than nothing, though, assuming
> that you don't expect any legitimate traffic to go over other ports.
> Just be aware that it's trivially easy to bypass for an attacker.
> 
> Assuming that you're using a Firefox-based browser (including Tor
> Browser), you can get some defense in depth by also enabling the feature
> of HTTPS-Everywhere that blocks all non-TLS requests.  Nothing wrong
> with combining this with the firewall whitelist that you suggested.
> 
> Cheers,
> -Jeremy

Oh, I see now there is the feature in the plugin; I've never used it, lol. I still 
think it's unnecessary if you are already blocking that traffic with the firewall, 
especially if that plugin or browser is compromised, especially with the latest 
news about Firefox plugins. For example, NoScript itself is considered a 
vulnerability on Firefox now. 

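The point made above that a port allowlist is not a protocol allowlist, as an added example that is not part of the original thread and not Qubes or Tor code: a plain "allow TCP/443" rule (whatever syntax the VM firewall uses) looks only at the destination port, so a TLS ClientHello, an SSH banner and a plaintext HTTP request to port 443 are all let through. Pinning 443 to TLS would take a check on the first bytes the client sends. The sample payloads are constructed by hand, and `classify_client_bytes`, `port_only_policy` and `port_and_protocol_policy` are illustrative names chosen for this example.

```python
"""
Port-only versus protocol-aware allow decisions for outbound TCP traffic.

Added example, not code from the qubes-users thread. The sample payloads
are constructed to look like the first bytes a client sends on a fresh
connection; the policy functions model a firewall decision, nothing more.
"""

TLS_CONTENT_TYPE_HANDSHAKE = 0x16   # first byte of every TLS handshake record
TLS_HANDSHAKE_CLIENT_HELLO = 0x01   # handshake type inside that record
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT")


def classify_client_bytes(data: bytes) -> str:
    """Guess the protocol from the first bytes the client sends.

    Returns "tls", "ssh", "http" or "unknown". TLS is recognised by a
    handshake record (0x16, version 0x03 0x0X) whose first handshake
    message is a ClientHello; SSH and HTTP by their plaintext banner and
    request line. Anything else is reported as unknown.
    """
    if (len(data) >= 6
            and data[0] == TLS_CONTENT_TYPE_HANDSHAKE
            and data[1] == 0x03 and data[2] in (0x00, 0x01, 0x02, 0x03, 0x04)
            and data[5] == TLS_HANDSHAKE_CLIENT_HELLO):
        return "tls"
    if data.startswith(b"SSH-2.0-") or data.startswith(b"SSH-1.99-"):
        return "ssh"
    request_line = data.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/"):
        return "http"
    return "unknown"


def port_only_policy(dst_port: int, data: bytes) -> bool:
    """What a bare 'allow TCP/443' rule decides: the payload is never looked at."""
    return dst_port == 443


def port_and_protocol_policy(dst_port: int, data: bytes) -> bool:
    """Allow only when the port is 443 AND the first bytes look like a TLS ClientHello."""
    return dst_port == 443 and classify_client_bytes(data) == "tls"


# Constructed sample first-bytes (hand-built, not captures).
SAMPLE_TLS_CLIENT_HELLO = bytes.fromhex(
    "16 03 01 00 2a "   # record: handshake, legacy version 3.1, length 42
    "01 00 00 26 "      # handshake: ClientHello, body length 38
    "03 03 "            # client_version: TLS 1.2
) + b"\x00" * 36        # placeholder random/session id/cipher fields
SAMPLE_SSH_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"
SAMPLE_HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_CUSTOM_TUNNEL = b"\x00\x01\x02\x03 custom tunnel framing"


def evaluate_samples() -> dict:
    """Run both policies over each sample as if sent to dst port 443."""
    samples = {
        "tls": SAMPLE_TLS_CLIENT_HELLO,
        "ssh": SAMPLE_SSH_BANNER,
        "http": SAMPLE_HTTP_REQUEST,
        "custom": SAMPLE_CUSTOM_TUNNEL,
    }
    return {
        name: {
            "classified_as": classify_client_bytes(data),
            "port_only": port_only_policy(443, data),
            "port_and_protocol": port_and_protocol_policy(443, data),
        }
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:7s} classified={verdict['classified_as']:8s} "
              f"port_only={verdict['port_only']} "
              f"port_and_protocol={verdict['port_and_protocol']}")
```

Running it shows the port-only rule accepting all four samples and the protocol-aware rule accepting only the ClientHello. Even the protocol-aware variant only raises the bar: whoever controls the remote end can tunnel SSH or anything else inside a genuine TLS session, which is the sense in which the reply above calls the port allowlist trivially bypassable.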