On Tuesday, September 27, 2016 at 9:14:51 PM UTC-4, Jeremy Rand wrote:
> raahe...@gmail.com:
> > On Tuesday, September 27, 2016 at 5:11:27 PM UTC-4, Jeremy Rand wrote:
> >> raahe...@gmail.com:
> >>> or just only allow https in the vm firewall settings.
> >>
> >> I assume you mean whitelisting TCP port 443?  If so, be aware that while
> >> this will stop most non-HTTPS traffic, there is nothing that prevents
> >> other protocols from using port 443.  It's a fairly well-known attack on
> >> Tor's "stream isolation by port" feature for websites to use nonstandard
> >> ports in order to get isolated in the wrong Tor circuit (e.g. in order
> >> to deanonymize SSH traffic), which is why Tor doesn't stream-isolate by
> >> port by default.
> >>
> >> Whitelisting TCP port 443 is still better than nothing, though, assuming
> >> that you don't expect any legitimate traffic to go over other ports.
> >> Just be aware that it's trivially easy to bypass for an attacker.
> >>
> >> Assuming that you're using a Firefox-based browser (including Tor
> >> Browser), you can get some defense in depth by also enabling the feature
> >> of HTTPS-Everywhere that blocks all non-TLS requests.  Nothing wrong
> >> with combining this with the firewall whitelist that you suggested.
> >>
> >> Cheers,
> >> -Jeremy
> > 
> > oh I see now there is the feature in the plugin ive never used lol.  I 
> > still think its unescessary if you already blocking that traffic with the 
> > firewall, especially if that plugin or browser is compromised,  especially 
> > with latest news about firefox plugins.  For example noscript itself is 
> > considered a vulnerability on firefox now. 
> As I said, it gets you defense in depth because the two mechanisms
> prevent different (though overlapping) attacks.
> HTTPS Everywhere's feature for blocking non-TLS requests will block
> non-TLS requests from Firefox that use port 443, while the FirewallVM
> won't be able to stop this.  For example, a request to
> http://www.nsa.gov:443/ will be stopped by HTTPS Everywhere, since it
> knows the protocol being used as opposed to just the TCP port.
> The FirewallVM, on the other hand, will block TCP connections on ports
> other than 443 even if Firefox in the AppVM is compromised.  E.g. you
> visit https://www.nsa.gov/ , they deploy a Firefox zero-day, and are
> thus able to bypass HTTPS Everywhere.
> Both of these attacks have a lot of overlap (e.g. a simple request to
> http://www.nsa.gov/ will be blocked by both).  But each defense does
> prevent some types of attack that the other doesn't, so it makes sense
> IMO to use both.  Definitely won't hurt you, and it might help depending
> on what attacks get aimed at you.
> (Of course, either of those defenses alone is likely to prevent the vast
> majority of real-world attacks, but I'd still suggest doing both.
> Justified paranoia is why we're all here, right?  :) )
> Cheers,
> -Jeremy

good points.  Yes seems like a good idea to do both.

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to