On Tuesday, September 27, 2016 at 9:14:51 PM UTC-4, Jeremy Rand wrote:
> raahe...@gmail.com:
> > On Tuesday, September 27, 2016 at 5:11:27 PM UTC-4, Jeremy Rand wrote:
> >> raahe...@gmail.com:
> >>> or just only allow https in the vm firewall settings.
> >>
> >> I assume you mean whitelisting TCP port 443?  If so, be aware that while
> >> this will stop most non-HTTPS traffic, there is nothing that prevents
> >> other protocols from using port 443.  It's a fairly well-known attack on
> >> Tor's "stream isolation by port" feature for websites to use nonstandard
> >> ports in order to get isolated in the wrong Tor circuit (e.g. in order
> >> to deanonymize SSH traffic), which is why Tor doesn't stream-isolate by
> >> port by default.
> >>
> >> Whitelisting TCP port 443 is still better than nothing, though, assuming
> >> that you don't expect any legitimate traffic to go over other ports.
> >> Just be aware that it's trivially easy to bypass for an attacker.
> >>
> >> Assuming that you're using a Firefox-based browser (including Tor
> >> Browser), you can get some defense in depth by also enabling the feature
> >> of HTTPS-Everywhere that blocks all non-TLS requests.  Nothing wrong
> >> with combining this with the firewall whitelist that you suggested.
> >>
> >> Cheers,
> >> -Jeremy
> > 
> > Oh, I see now there is the feature in the plugin I've never used lol.  I
> > still think it's unnecessary if you're already blocking that traffic with the
> > firewall, especially if that plugin or browser is compromised, especially
> > with the latest news about Firefox plugins.  For example, NoScript itself is
> > considered a vulnerability on Firefox now.
> 
> 
> As I said, it gets you defense in depth because the two mechanisms
> prevent different (though overlapping) attacks.
> 
> HTTPS Everywhere's feature for blocking non-TLS requests will block
> non-TLS requests from Firefox that use port 443, while the FirewallVM
> won't be able to stop this.  For example, a request to
> http://www.nsa.gov:443/ will be stopped by HTTPS Everywhere, since it
> knows the protocol being used as opposed to just the TCP port.
> 
> The FirewallVM, on the other hand, will block TCP connections on ports
> other than 443 even if Firefox in the AppVM is compromised.  E.g. you
> visit https://www.nsa.gov/ , they deploy a Firefox zero-day, and are
> thus able to bypass HTTPS Everywhere.
> 
> Both of these attacks have a lot of overlap (e.g. a simple request to
> http://www.nsa.gov/ will be blocked by both).  But each defense does
> prevent some types of attack that the other doesn't, so it makes sense
> IMO to use both.  Definitely won't hurt you, and it might help depending
> on what attacks get aimed at you.
> 
> (Of course, either of those defenses alone is likely to prevent the vast
> majority of real-world attacks, but I'd still suggest doing both.
> Justified paranoia is why we're all here, right?  :) )
> 
> Cheers,
> -Jeremy

Good points.  Yes, seems like a good idea to do both.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/95ea1c42-5f2f-477a-9314-e4460d374fb1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
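Worked illustration of the two layers Jeremy contrasts in the thread above. This is an added example, not code from the thread, from Qubes, or from HTTPS Everywhere: the FirewallVM model decides on the TCP destination port only, while the browser-side policy decides on the URL scheme but ceases to exist once the browser is compromised. The function names, the `browser_compromised` flag and the case list are assumptions made for the illustration; the hostnames are the ones used in the thread.

```python
from urllib.parse import urlsplit

# Added illustration; the names below are assumptions, not Qubes or HTTPS Everywhere APIs.
DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_port(url: str) -> int:
    """TCP port a request to `url` actually connects to (an explicit port wins)."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    return parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]


def firewall_allows(url: str, allowed_ports=frozenset({443})) -> bool:
    """FirewallVM model: decides on the destination port alone. It never sees the
    protocol, so plain HTTP sent to port 443 looks identical to TLS."""
    return effective_port(url) in allowed_ports


def browser_policy_allows(url: str, browser_compromised: bool = False) -> bool:
    """Model of HTTPS Everywhere's block-all-non-TLS mode: decides on the URL
    scheme, but only while the browser is intact. A compromised browser
    bypasses the extension, so this layer then allows everything."""
    if browser_compromised:
        return True
    return urlsplit(url).scheme == "https"


def evaluate(url: str, browser_compromised: bool = False) -> dict:
    """Run both layers and report which of them stop the request."""
    fw = firewall_allows(url)
    br = browser_policy_allows(url, browser_compromised)
    return {
        "url": url,
        "browser_compromised": browser_compromised,
        "port": effective_port(url),
        "firewall_allows": fw,
        "browser_allows": br,
        "permitted": fw and br,
        "stopped_by": [name for name, ok in (("firewall", fw), ("browser", br)) if not ok],
    }


# Constructed cases mirroring the thread's examples.
CASES = [
    ("http://www.nsa.gov/", False),      # plain HTTP on 80: both layers block
    ("http://www.nsa.gov:443/", False),  # plain HTTP on 443: only the browser layer blocks
    ("https://www.nsa.gov/", False),     # TLS on 443: both allow
    ("http://www.nsa.gov/", True),       # compromised browser, port 80: only the firewall blocks
    ("http://www.nsa.gov:443/", True),   # compromised browser, plain HTTP on 443: nothing blocks
]


def coverage_report(cases=CASES) -> list:
    """Evaluate every constructed case; returns one result dict per case."""
    return [evaluate(url, compromised) for url, compromised in cases]


if __name__ == "__main__":
    for r in coverage_report():
        outcome = "PERMITTED" if r["permitted"] else "stopped by " + "+".join(r["stopped_by"])
        print(f"{r['url']:<26} port={r['port']:<4} compromised={str(r['browser_compromised']):<5} "
              f"firewall={'allow' if r['firewall_allows'] else 'block':<5} "
              f"browser={'allow' if r['browser_allows'] else 'block':<5} -> {outcome}")
```

The first three cases reproduce the overlap Jeremy describes: plain HTTP on port 80 is caught twice, plain HTTP on port 443 is caught only by the protocol-aware browser layer, and TLS passes both. The fourth shows the firewall still holding after the browser is lost. The fifth is the residual gap neither layer covers, plain HTTP to port 443 from a compromised browser, which is why the thread treats the two mechanisms as complementary rather than redundant.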