On 10/13/2016 09:31 PM, Manuel Amador (Rudd-O) wrote:

> Oops about what?  Unlike the official Qubes VPN documentation, which
> counsels people to write scripts that make non-atomic modifications to
> their firewall, which actually and demonstrably have a leak between
> Qubes firewall updates and VPN rules setup, my work doesn't leak traffic
> in-between the addition of iptables rules.

The qubes-firewall-user-script is a feature of Qubes firewall. And it's one of the original Qubes docs that encourage people to use it. So, yes, there is a vulnerability in Qubes firewall, and it should be noted foremost in the Known Issues for the project.

The VPN use case is probably one of the least-vulnerable examples of leakiness in Qubes firewall, because it requires multiple failures to line up in a small window. That means non-VPN use cases are probably at least as vulnerable. It's the underlying problem which is my overriding concern.

