Re: [qubes-users] I have a bank vm, how do you restrict
On Sat, Feb 11, 2017 at 2:35 AM, Oleg Artemievwrote: > On Wed, Feb 8, 2017 at 2:36 AM, Chris Laprise wrote: >> On 02/07/2017 04:47 AM, Oleg Artemiev wrote: > I have a bank vm, how do you restrict the browser from being able to go > else > where? Do you add the iprules in the vm or do you create a proxyvm and > add > the iprules there? I've tried both solution some time ago and definitly the tinyproxy solution works much better and can handle nicely dns round robin or servers behind load balancers. By the way this solution offer an other nice possibility, you can use regular expressions and for example allow .*\.mycompany\.com$ on the conter-part, you will have to trust the dns resolution. >>> >>> Look also for modules like 'request policy' and 'no script' or >>> 'policeman' that implements nice GUI allowing both types in a single >>> place. >>> Request policy + 'ask for reload permission' should be enough to >>> control in a single VM for a few banks in single place. >>> Not that secure as proxying and denying in some other VM, but easy + >>> GUI controls + require some configuration work at start. >> Good recommendations. I'll add one to that list: HttpsEverywhere. >> It will keep you from accidentally accessing pages in unencrypted form. You >> can also set it to allow only https (although some banks may use a mix of >> https and http). > look also for uMatrix, Privacy Badger, force cache loading, For > banking use of policeman and https everywhere should be enough. Though > other firefox modules are also good. forgot to mention uBlock Origin . -- Bye.Olli. gpg --search-keys grey_olli , use key w/ fingerprint below: Key fingerprint = 9901 6808 768C 8B89 544C 9BE0 49F9 5A46 2B98 147E Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABunX6Mo6oPKD0i7feBm5qpEW_MNYHAZ%2BesTADLG%2BqthXN%3DXsg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] I have a bank vm, how do you restrict
On Wed, Feb 8, 2017 at 2:36 AM, Chris Laprisewrote: > On 02/07/2017 04:47 AM, Oleg Artemiev wrote: >> >> On Tue, Feb 7, 2017 at 11:57 AM, '0xDEADBEEF00' via qubes-users >> wrote: I have a bank vm, how do you restrict the browser from being able to go else where? Do you add the iprules in the vm or do you create a proxyvm and add the iprules there? I've tried both, and created an email vm with iprules "deny everything except" But then neither vm(s) will connect. Is there a proper way to do this? Or will I have to do the tinyproxy thing I've read elsewhere ? >>> >>> I've tried both solution some time ago and definitly the tinyproxy >>> solution >>> works much better and can handle nicely dns round robin or servers behind >>> load balancers. By the way this solution offer an other nice possibility, >>> you can use regular expressions and for example allow .*\.mycompany\.com$ >>> on >>> the conter-part, you will have to trust the dns resolution. >> >> Look also for modules like 'request policy' and 'no script' or >> 'policeman' that implements nice GUI allowing both types in a single >> place. >> >> Request policy + 'ask for reload permission' should be enough to >> control in a single VM for a few banks in single place. >> Not that secure as proxying and denying in some other VM, but easy + >> GUI controls + require some configuration work at start. >> > > Good recommendations. I'll add one to that list: HttpsEverywhere. > > It will keep you from accidentally accessing pages in unencrypted form. You > can also set it to allow only https (although some banks may use a mix of > https and http). > look also for uMatrix, Privacy Badger, force cache loading, For banking use of policeman and https everywhere should be enough. Though other firefox modules are also good. -- Bye.Olli. gpg --search-keys grey_olli , use key w/ fingerprint below: Key fingerprint = 9901 6808 768C 8B89 544C 9BE0 49F9 5A46 2B98 147E Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABunX6OeKXvXC%2BJpJopqhMGX4YobP5yJj0-KLzHgXLkis0jhVQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] I have a bank vm, how do you restrict
On 02/07/2017 04:47 AM, Oleg Artemiev wrote: On Tue, Feb 7, 2017 at 11:57 AM, '0xDEADBEEF00' via qubes-userswrote: I have a bank vm, how do you restrict the browser from being able to go else where? Do you add the iprules in the vm or do you create a proxyvm and add the iprules there? I've tried both, and created an email vm with iprules "deny everything except" But then neither vm(s) will connect. Is there a proper way to do this? Or will I have to do the tinyproxy thing I've read elsewhere ? I've tried both solution some time ago and definitly the tinyproxy solution works much better and can handle nicely dns round robin or servers behind load balancers. By the way this solution offer an other nice possibility, you can use regular expressions and for example allow .*\.mycompany\.com$ on the conter-part, you will have to trust the dns resolution. Look also for modules like 'request policy' and 'no script' or 'policeman' that implements nice GUI allowing both types in a single place. Request policy + 'ask for reload permission' should be enough to control in a single VM for a few banks in single place. Not that secure as proxying and denying in some other VM, but easy + GUI controls + require some configuration work at start. Good recommendations. I'll add one to that list: HttpsEverywhere. It will keep you from accidentally accessing pages in unencrypted form. You can also set it to allow only https (although some banks may use a mix of https and http). Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/29639edc-2a3b-09cf-848d-321d2400216c%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] I have a bank vm, how do you restrict
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2017-02-07 00:11, elsiebuck...@gmail.com wrote: > I have a bank vm, how do you restrict the browser from being able > to go else where? Do you add the iprules in the vm or do you > create a proxyvm and add the iprules there? > > I've tried both, and created an email vm with iprules "deny > everything except" > > But then neither vm(s) will connect. > > Is there a proper way to do this? > > Or will I have to do the tinyproxy thing I've read elsewhere ? > Previously discussed here: https://groups.google.com/d/topic/qubes-users/fSiFkQeoqGE/discussion - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJYmapOAAoJENtN07w5UDAwQKkP/Rk9PPLXAPtTagkGJssRoOXU jF50PkiCXSRRGbksmq0KUIAp5JIIlVybMha9RQUdx01z3q4fngSnaU/ORoZx6phN RwzEc2ADjczAbvRyGZfFnA4dAGyypGlGm5gKMS6qKxDVs5IoI8ja6QK5d4R4QJfq QD+RwRegRh1f9s5A2j33V5lPHfofgqUQydYdWEz/kEu3PsziDmGu0pptVpxIAERK O3JzYB8fo0eqzLKduZTiH2IefhH8ZLkjytSe6ddCD0nHCDo9B+8qq6kHTDIhLT5q vnamGnvv54I11x3KgOXsF4Ld0EYZaMJpSYT4c+Bd6WkH5/mNu736vTVkZ+od6DNA BT807UeqKi93sMyjc8m5kX0S25wxxs/hfzdf/EV6t7BIA/RsmXM+xrr+4XTTsBch m3VgxAEBXpgXKQKMMqHyuvfuy3JSzt7SUwLBgryxGYku0Ho+pmMENMBZSIaVUWCp WuA3a51FwxXoz4QYqmEZriMn5JKQlyFq4NPQ2CXPKdtyW43D+vB0YdsN1j6bAGNW eusbFrK0CC3Qa/ZAmqetCf78n1HjDCMMCYItVYzFcdYWdSj3ORy70OcVVMTMrwQz tw8K89TqK6XzqcLmyJEhxEUEP/943HHYasy1ormkNclRqb6xmJZ/O0AK5Sd1FjqD jDoaX1uRJYumry8UOgFB =1vaM -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/210d590b-dcbf-525e-2b77-091b1bd83a65%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] I have a bank vm, how do you restrict
On Tue, Feb 7, 2017 at 11:57 AM, '0xDEADBEEF00' via qubes-userswrote: >> I have a bank vm, how do you restrict the browser from being able to go else >> where? Do you add the iprules in the vm or do you create a proxyvm and add >> the iprules there? >> >> I've tried both, and created an email vm with iprules "deny everything >> except" >> >> But then neither vm(s) will connect. >> >> Is there a proper way to do this? >> >> Or will I have to do the tinyproxy thing I've read elsewhere ? > I've tried both solution some time ago and definitly the tinyproxy solution > works much better and can handle nicely dns round robin or servers behind > load balancers. By the way this solution offer an other nice possibility, > you can use regular expressions and for example allow .*\.mycompany\.com$ on > the conter-part, you will have to trust the dns resolution. Look also for modules like 'request policy' and 'no script' or 'policeman' that implements nice GUI allowing both types in a single place. Request policy + 'ask for reload permission' should be enough to control in a single VM for a few banks in single place. Not that secure as proxying and denying in some other VM, but easy + GUI controls + require some configuration work at start. -- Bye.Olli. gpg --search-keys grey_olli , use key w/ fingerprint below: Key fingerprint = 9901 6808 768C 8B89 544C 9BE0 49F9 5A46 2B98 147E Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABunX6MEURHmQ38Nc6rY4XpuNEWSknSUdJOCoVUCRV9sQ%2Bq4Tg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] I have a bank vm, how do you restrict
Hi, It's my first contribution on this list. I've tried both solution some time ago and definitly the tinyproxy solution works much better and can handle nicely dns round robin or servers behind load balancers. By the way this solution offer an other nice possibility, you can use regular expressions and for example allow .*\.mycompany\.com$ on the conter-part, you will have to trust the dns resolution. Best, 0xdeadbeef Sent with [ProtonMail](https://protonmail.com) Secure Email. Original Message Subject: [qubes-users] I have a bank vm, how do you restrict Local Time: February 7, 2017 9:11 AM UTC Time: February 7, 2017 8:11 AM From: elsiebuck...@gmail.com To: qubes-users <qubes-users@googlegroups.com> I have a bank vm, how do you restrict the browser from being able to go else where? Do you add the iprules in the vm or do you create a proxyvm and add the iprules there? I've tried both, and created an email vm with iprules "deny everything except" But then neither vm(s) will connect. Is there a proper way to do this? Or will I have to do the tinyproxy thing I've read elsewhere ? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d3a620c9-2fce-45c5-95f9-78a988990849%40googlegroups.com. For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/i6YOc4MifJ229V8fukuyAnh2WW1cydMAS7dzUA_0L_HhWziUzxCQE-c6rvq7Te117JTKKs-FCSgBkHeTob8KwAH9JHh0z-66GiI6Ii72J6g%3D%40protonmail.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] I have a bank vm, how do you restrict
I have a bank vm, how do you restrict the browser from being able to go else where? Do you add the iprules in the vm or do you create a proxyvm and add the iprules there? I've tried both, and created an email vm with iprules "deny everything except" But then neither vm(s) will connect. Is there a proper way to do this? Or will I have to do the tinyproxy thing I've read elsewhere ? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d3a620c9-2fce-45c5-95f9-78a988990849%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.