> "there is absolutely no point in not allowing e.g. Thunderbird to remember
> the password – if it got compromised it would just steal it the next time I
> manually enter it"

Correct!

> So this was written 6 years ago but it's the latest one I think.
>
> Can't we just create disposable thunderbirds to protect the password?
> Or is disposable not true security? I mean maybe a custom thunderbird would
> be needed so it never used the password again/instantaneously forgets it
> after login >.>

no, this is not possible. let me try to explain:

This is going to be a looooong thing, i hope anyone will read it, i was quite inspired; qubes is A-W-E-S-O-M-E-!-!-!

the main reason is that you want to be able to read your mails, so you can't just drop/delete/forget every received mail on shutdown. you also can't drop/forget/not store the password after login, because the way any email works is: login -> check if there are new mails -> download -> logout, and if you keep it open like me so that it checks for new mails every 10 minutes it can't work.

websites with a login work in a different way: you fill in the password and if it is correct they give you a cookie that your browser stores and automatically gives back to the website every time you open it. as you can see, if you want to be logged in at a moment in time you have to present to the remote side some kind of "secret thing" in that moment in time. it's not that "you login once and the remote side automagically knows that you are logged in". so for the whole time you use the service you must keep in memory a secret to prove that you are logged in.

So where is the difference between Qubes and a normal os? how does Qubes improve the security?

let's think about a normal windows/linux computer: you have many programs and every program can control the whole pc. yes, there is admin vs not admin, but on windows this means that a not-admin process can't mess with admin processes or can't write in c:\programs or c:\windows. but this is useless! a virus can do all the damage it wants also running as not admin; it can:
- delete all your files (cryptolocker)
- run at boot (persistence)
- spy on you from mic/webcam
- steal/upload all your files to the internet
- keylog all that you write
- steal saved passwords

for me this is comparable to "full control of the pc". the problem with this model is that any single exe that you open can do pretty much what it wants, and you can only hope/have a bit of trust that it will not do it. in such a security model it might be good not to store passwords, because when you get a virus it will instantly steal all your saved passwords (bad), while if you don't save them it will only steal the ones that you write while the virus is present, for example the mail password because you use it often. so if we suppose that the antivirus deletes it after a few days you can hope that you have used only a few passwords on the compromised pc, and not all your passwords.

TL;DR: any program you open/have opened in the past might have read/stolen all your mails/passwords

NOW QUBES OS:

On qubes your pc is split into more parts, every part works the way i said above (in fact they are normal windows/linux os) and is isolated. the only (important) difference is that only home in linux and c:\users in windows is preserved if you reboot; this is good because it limits the places in which a virus can hide (but still there is persistence = run at boot).

suppose that you get a virus, downloaded from your browser. your mail is safe because it runs in another vm. simple, isn't it? same for every other action you can do on your pc: play games, reading documents, ... because all these actions happen in a different vm, not in the mail vm.

now suppose that you get a virus exactly in the mail vm: the first question is how can this happen? it's not that viruses pop up automagically, most of the time it is the user that opens them. so how can you open a virus from the email? you can open an attachment or a link, that's all you can do to open a virus from email. but on qubes this should not be possible because you should not open attachments and links in the mail vm, but in a disposable vm! (here is where the disposable thing becomes useful!!!) you can also automate this, so you can't forget to open a link in a dispvm. if the attachment was something bad you simply don't care, close the dispvm and the virus is gone. but sometimes (less than always!) you need to store attachments, because they are work documents, photos, or something important. but again mail can't be compromised because you save photos and documents in the work vm or somewhere different.

the final question is: can the mail vm be compromised? yes, but since the user can't be tricked into opening something bad in the mail vm the only thing left is a zeroday: some bug in thunderbird such that when it receives the bad email it is instantly compromised because *for example* the bad guy sends 500 attachments and thunderbird can manage only up to 255 attachments, and this thing leads to code execution in thunderbird when you receive that mail and thunderbird parses it. but this is SUPER HARD. such bugs are a small amount, difficult to find, and difficult to use! suppose that you have found this "crash if more than 255 attachments": it's not that 5 minutes later you can hack any pc running thunderbird. getting from "it crashes" to "it does what i want" is difficult, and not always possible. how difficult? there are people who pay you 10000€ if you find such a thing.

so let's do a final comparison for the email:

normal os linux/windows:
- you open 1 bad program (virus) -> someone takes full control of your pc
- you are hacked using 1 zeroday -> someone takes full control of your pc

on qubes:
- you open 1 bad program (virus) -> don't care
- you are hacked using 1 zeroday -> depends: a zeroday in which program? if firefox, vlc media player, whatever -> don't care; if it is a zeroday against thunderbird -> ONLY your mail is compromised

for *me* THIS IS AWESOME!!!!

a final note: you might say "hey but the pc is not only mail! you are ignoring the rest of the pc!!!" not exactly: for example think about the "work vm", it has inside:
- documents you personally made (trusted/known good/not virus)
- documents some co-worker sent you *by mail* (see???)

so, yes, the work vm can be compromised by opening 1 bad thing, but bad things tend to not end up here :)
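The "you can also automate this" part above, as an added example that is not from the original thread: a dom0 qrexec policy fragment that forces every link and attachment handed out of the mail qube to open in a disposable. It assumes a mail qube named `mail`, Thunderbird in that qube using `qvm-open-in-dvm` as its link/attachment handler, and the Qubes OS 4.1+ policy file format; the file name `30-user.policy` is an assumption.

```text
# /etc/qubes/policy.d/30-user.policy  (dom0; assumed file name)
# Field order: service  argument  source  target  action
# qvm-open-in-dvm inside the "mail" qube calls these two RPC services;
# "allow" removes the dom0 confirmation prompt, so a click in Thunderbird
# always lands in a fresh disposable and never in the mail qube itself.
qubes.OpenURL   *   mail   @dispvm   allow
qubes.OpenInVM  *   mail   @dispvm   allow
# Any other destination requested from the mail qube still asks,
# so a stray "open in work vm" cannot happen silently.
qubes.OpenURL   *   mail   @anyvm    ask
qubes.OpenInVM  *   mail   @anyvm    ask
```

Which disposable template `@dispvm` resolves to is the mail qube's `default_dispvm` preference (`qvm-prefs mail default_dispvm <template>` in dom0); check that it points at an offline or heavily restricted template, since the disposable is exactly where the untrusted content runs.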
