> On Tuesday, September 27, 2016 at 5:11:27 PM UTC-4, Jeremy Rand wrote:
>> raahe...@gmail.com:
>>> or just only allow https in the vm firewall settings.
>> I assume you mean whitelisting TCP port 443?  If so, be aware that while
>> this will stop most non-HTTPS traffic, there is nothing that prevents
>> other protocols from using port 443.  It's a fairly well-known attack on
>> Tor's "stream isolation by port" feature for websites to use nonstandard
>> ports in order to get isolated in the wrong Tor circuit (e.g. in order
>> to deanonymize SSH traffic), which is why Tor doesn't stream-isolate by
>> port by default.
>> Whitelisting TCP port 443 is still better than nothing, though, assuming
>> that you don't expect any legitimate traffic to go over other ports.
>> Just be aware that it's trivially easy to bypass for an attacker.
>> Assuming that you're using a Firefox-based browser (including Tor
>> Browser), you can get some defense in depth by also enabling the feature
>> of HTTPS-Everywhere that blocks all non-TLS requests.  Nothing wrong
>> with combining this with the firewall whitelist that you suggested.
>> Cheers,
>> -Jeremy
> oh I see now there is the feature in the plugin ive never used lol.  I still 
> think its unescessary if you already blocking that traffic with the firewall, 
> especially if that plugin or browser is compromised,  especially with latest 
> news about firefox plugins.  For example noscript itself is considered a 
> vulnerability on firefox now. 

As I said, it gets you defense in depth because the two mechanisms
prevent different (though overlapping) attacks.

HTTPS Everywhere's feature for blocking non-TLS requests will block
non-TLS requests from Firefox that use port 443, while the FirewallVM
won't be able to stop this.  For example, a request to
http://www.nsa.gov:443/ will be stopped by HTTPS Everywhere, since it
knows the protocol being used as opposed to just the TCP port.

The FirewallVM, on the other hand, will block TCP connections on ports
other than 443 even if Firefox in the AppVM is compromised.  E.g. you
visit https://www.nsa.gov/ , they deploy a Firefox zero-day, and are
thus able to bypass HTTPS Everywhere.

Both of these attacks have a lot of overlap (e.g. a simple request to
http://www.nsa.gov/ will be blocked by both).  But each defense does
prevent some types of attack that the other doesn't, so it makes sense
IMO to use both.  Definitely won't hurt you, and it might help depending
on what attacks get aimed at you.

(Of course, either of those defenses alone is likely to prevent the vast
majority of real-world attacks, but I'd still suggest doing both.
Justified paranoia is why we're all here, right?  :) )


You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to