Re: [qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?

2018-05-16 Thread 'Leo Gaspard' via qubes-users
On 05/16/2018 11:20 PM, Ilpo Järvinen wrote:
> On Wed, 16 May 2018, taii...@gmx.com wrote:
> 
>> On 05/15/2018 01:22 AM, john wrote:
>>
>>> On 05/14/18 14:58, Ángel wrote:
>>>> This paper is most interesting for the discovery of multiple ways email
>>>> client leak information on visualization.
>>>> (not clearly stated in the paper: some of them are already fixed, while
>>>> in other cases the developers are still working on providing them)
>>>>
>>>> Luckily, with Qubes it is easy to set a firewall rule so that your email
>>>> AppVM can only contact with your email server.
>>>> NB that some of these leaks are dns-based, so ideally you would not
>>>> allow it to perform any dns query, either.
>>>>
>>>> Best regards

>>> can you give an example to the steps to make such a fw rule, if
>>> it's that simple please ?
>> I would suggest simply only allowing the ports you need for your email
>> client.
> 
> It's a much less secure approach than blocking all but the email server
> address. With a port filter, the attacker only needs to use that same
> port for the attack to succeed.

That's true, except HTML engines like the ones used by this attack
should disallow e.g. loading an image from port 25.

For instance, firefox blocks at least ports 993 and 587, the only two
that should be used by a reasonably recent and secure email setup.

So that's not a solution against an arbitrary attacker, but that's a
solution against the currently-spoken-about attack.

BTW, if you really want to protect yourself from an arbitrary attacker,
you'll want to protect against an attacker that has root on your email
VM. And that means
 1/ setting firewall rules in the FirewallVM, not in the email VM, as
the latter could just be removed by the attacker
 2/ all kinds of hardening against side-channels for compromised VM
communication, that are currently not possible with Xen (and possibly
not even with any widely-spread hypervisor, as that would likely entail
a huge performance cost)

Another solution for 2/ could be to never run the email VM at the same
time as another potentially-compromised VM, but that very much restricts
what you can do. And that can maybe (now that's all hypothetical) still
be bypassed with side-channels through e.g. LVM's thin pool allocator,
as IIRC Qubes4 uses LVM thin pools as storage backend. (still haven't
migrated…)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/436c6811-9ca0-bd0b-0c21-f2097248d43c%40leo.gaspard.ninja.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?

2018-05-16 Thread Ilpo Järvinen
On Wed, 16 May 2018, taii...@gmx.com wrote:

> On 05/15/2018 01:22 AM, john wrote:
> 
> > On 05/14/18 14:58, Ángel wrote:
> >> This paper is most interesting for the discovery of multiple ways email
> >> client leak information on visualization.
> >> (not clearly stated in the paper: some of them are already fixed, while
> >> in other cases the developers are still working on providing them)
> >>
> >> Luckily, with Qubes it is easy to set a firewall rule so that your email
> >> AppVM can only contact with your email server.
> >> NB that some of these leaks are dns-based, so ideally you would not
> >> allow it to perform any dns query, either.
> >>
> >> Best regards
> >>
> > can you give an example to the steps to make such a fw rule, if
> > it's that simple please ?
> I would suggest simply only allowing the ports you need for your email
> client.

It's a much less secure approach than blocking all but the email server
address. With a port filter, the attacker only needs to use that same
port for the attack to succeed.

-- 
 i.

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/alpine.DEB.2.20.1805170016590.32415%40whs-18.cs.helsinki.fi.


Re: [qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?

2018-05-16 Thread taii...@gmx.com
On 05/15/2018 01:22 AM, john wrote:

> On 05/14/18 14:58, Ángel wrote:
>> This paper is most interesting for the discovery of multiple ways email
>> client leak information on visualization.
>> (not clearly stated in the paper: some of them are already fixed, while
>> in other cases the developers are still working on providing them)
>>
>> Luckily, with Qubes it is easy to set a firewall rule so that your email
>> AppVM can only contact with your email server.
>> NB that some of these leaks are dns-based, so ideally you would not
>> allow it to perform any dns query, either.
>>
>> Best regards
>>
> can you give an example to the steps to make such a fw rule, if
> it's that simple please ?
I would suggest simply only allowing the ports you need for your email
client.

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/c3f24013-dfa6-a25e-1b25-11976b39ef8b%40gmx.com.


0xDF372A17.asc
Description: application/pgp-keys


Re: [qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?

2018-05-15 Thread [799]
Hello Eivind,

On 05/15 09:24, Eivind K. Dovik wrote:
> [...]
> Through Qubes VM Manager, I've added the following firewall rule:
> 
> - Deny network access except ...
> - IP address of my email server
> 
> This works fine.

please keep in mind that most email providers will use load-balancers for
incoming requests.
As such you might need to add more than one IP to the firewall.
If you're using the Qubes GUI to add firewall rules: if you enter a FQDN,
it will be translated to an IP address when you enter the rule.
As such it might not work next time, if the load balancers route you to
another IP.

regards

[799]

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20180516054302.gxex6eovvbetxp65%40my-privmail.


Re: [qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?

2018-05-15 Thread 799
Hello,

On 15 May 2018 at 09:24, Eivind K. Dovik  wrote:

> On Mon, 14 May 2018, john wrote:
>
> On 05/14/18 14:58, Ángel wrote:
>>
>>>   [...]
>>>
>>
>> can you give an example to the steps to make such a fw rule, if it's
>> that simple please ?
>>
>>
> Through Qubes VM Manager, I've added the following firewall rule:
>
> - Deny network access except ...
> - IP address of my email server
> This works fine.


I prefer adding my rules to my AppVM. This is how I do it:

1st you can check the connections which are requested by running this command
in your Email AppVM.

watch -n 1 'sudo netstat -tap'

It will show you if your email app connects to a server.

But as most mail providers use more than one IP for load balancing you need
to add more IPs (see my posting a few hours ago in this thread on how to find
the IPs your mail provider is using).

These are the rules I am currently applying to my Email AppVM.
You can put them into a script which loads on AppVM startup or copy & paste
them into a terminal.
You need to use sudo for the commands or switch to root via sudo -i (if you
have sudo installed).
If you don't have sudo you can request a root terminal via qvm-run --auto
--user root  gnome-terminal

- - - - 8< - - - - snip - - - - 8< - - - -

# show default policy
iptables -L -v | grep policy

# delete all rules
iptables -t filter -F

# change default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allow DNS to 10.139.1.1 (Qubes' virtual DNS address, answered via sys-firewall)
iptables -A OUTPUT -p udp -d 10.139.1.1 --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p udp -s 10.139.1.1 --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -d 10.139.1.1 --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp -s 10.139.1.1 --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# allow outgoing ping/echo (only for troubleshooting / can be removed afterwards)
iptables -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

### allow IMAP (valid for Germany, use other IPs if you're from somewhere else)
# Gmail IMAP
iptables -A OUTPUT -p tcp -d 108.177.96.0/19 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp -s 108.177.96.0/19 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 74.125.0.0/16 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp -s 74.125.0.0/16 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 64.233.160.0/19 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp -s 64.233.160.0/19 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 108.177.8.0/21 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp -s 108.177.8.0/21 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 173.194.0.0/16 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp -s 173.194.0.0/16 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 66.102.0.0/20 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp -s 66.102.0.0/20 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Outlook IMAP
iptables -A OUTPUT -p tcp -d 40.96.0.0/13 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp -s 40.96.0.0/13 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

### allow SMTP
# Gmail SMTP
iptables -A OUTPUT -p tcp -d 74.125.0.0/16 --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp -s 74.125.0.0/16 --sport 587 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 108.177.8.0/21 --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp -s 108.177.8.0/21 --sport 587 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 108.177.96.0/19 --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp -s 108.177.96.0/19 --sport 587 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Outlook SMTP
iptables -A OUTPUT -p tcp -d 40.96.0.0/13 --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp -s 40.96.0.0/13 --sport 587 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# allow everything for localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

- - - - 8< - - - -

[799]

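An added example to go with the two points made above (the script just posted, and Ilpo's remark that a port-only filter lets any peer through on the allowed port); this is editor-written code, not [799]'s script and not part of Qubes. It keeps the same Gmail/Outlook ranges as one table, generates the OUTPUT/INPUT iptables pairs from that table instead of by hand, and audits `ss -tnp` output (the iproute2 equivalent of the `netstat -tap` loop suggested above) against the allow-list. The `ss` lines are constructed sample data; the two unexpected peers are RFC 5737 documentation addresses. Note that 203.0.113.7:993 is flagged even though port 993 is allowed, because the destination must match both the port and a listed network.

```python
import ipaddress
import re

# Allow-list as posted in the thread: destination port -> CIDRs (Gmail and Outlook
# ranges from the iptables script above). Replace with your own provider's ranges.
MAIL_ALLOW = {
    993: ["108.177.96.0/19", "74.125.0.0/16", "64.233.160.0/19", "108.177.8.0/21",
          "173.194.0.0/16", "66.102.0.0/20", "40.96.0.0/13"],
    587: ["74.125.0.0/16", "108.177.8.0/21", "108.177.96.0/19", "40.96.0.0/13"],
}


def build_allowlist(spec):
    """Parse {port: [cidr, ...]} into ip_network objects. strict=True rejects a CIDR
    with host bits set (e.g. 74.125.1.0/16), which would otherwise silently widen a rule."""
    return {int(port): [ipaddress.ip_network(c, strict=True) for c in cidrs]
            for port, cidrs in spec.items()}


def is_allowed(allow, ip, port):
    """True only if the port is allow-listed AND the peer lies inside one of its networks.
    A port-only filter would answer True for any peer on 993/587."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allow.get(int(port), []))


def iptables_rules(allow):
    """Emit the OUTPUT/INPUT pair for every (network, port): the same rules as the
    hand-written list in the posted script, but generated from one table."""
    rules = []
    for port, nets in sorted(allow.items()):
        for net in nets:
            rules.append(f"iptables -A OUTPUT -p tcp -d {net} --dport {port} "
                         f"-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT")
            rules.append(f"iptables -A INPUT -p tcp -s {net} --sport {port} "
                         f"-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    return rules


# One line of `ss -tnp` output: State Recv-Q Send-Q Local:Port Peer:Port [users:(("proc",...))]
SS_LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+'
    r'(?P<paddr>\S+):(?P<pport>\d+)(?:\s+users:\(\("(?P<proc>[^"]+)")?')


def parse_ss(output):
    """Yield (state, peer_ip, peer_port, process) for each TCP socket line."""
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("State"):
            continue  # skip blanks and the header row
        m = SS_LINE.match(line)
        if not m:
            continue  # not a socket line
        yield (m["state"], m["paddr"].strip("[]"), int(m["pport"]), m["proc"] or "?")


def audit(allow, ss_output):
    """Return every connection (including SYN-SENT attempts) whose peer is not covered by
    the allow-list. An empty list means the VM is only talking to the listed mail servers."""
    return [(ip, port, proc) for state, ip, port, proc in parse_ss(ss_output)
            if not is_allowed(allow, ip, port)]


# Constructed sample of what `ss -tnp` might print inside the email AppVM.
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port    Peer Address:Port   Process
ESTAB     0      0      10.137.0.15:44212     74.125.133.108:993  users:(("thunderbird",pid=2381,fd=55))
ESTAB     0      0      10.137.0.15:44216     40.97.12.34:993     users:(("thunderbird",pid=2381,fd=61))
SYN-SENT  0      1      10.137.0.15:51004     203.0.113.7:993     users:(("thunderbird",pid=2381,fd=70))
ESTAB     0      0      10.137.0.15:51010     198.51.100.20:80    users:(("thunderbird",pid=2381,fd=71))
"""

if __name__ == "__main__":
    allow = build_allowlist(MAIL_ALLOW)
    for ip, port, proc in audit(allow, SAMPLE_SS):
        print(f"not in allow-list: {ip}:{port} ({proc})")
    print(f"{len(iptables_rules(allow))} iptables rules generated")
```

Running `ss -tnp` (or the `netstat` loop above) through `audit()` before and after loading the rules is the cheapest way to confirm the client really only reaches the listed ranges; anything it reports afterwards is either a provider range you still need to add or traffic you want dropped.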

Re: [qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?

2018-05-15 Thread Eivind K. Dovik

On Mon, 14 May 2018, john wrote:

> On 05/14/18 14:58, Ángel wrote:
>
>> This paper is most interesting for the discovery of multiple ways email
>> client leak information on visualization.
>> (not clearly stated in the paper: some of them are already fixed, while
>> in other cases the developers are still working on providing them)
>>
>> Luckily, with Qubes it is easy to set a firewall rule so that your email
>> AppVM can only contact with your email server.
>> NB that some of these leaks are dns-based, so ideally you would not
>> allow it to perform any dns query, either.
>>
>> Best regards
>
> can you give an example to the steps to make such a fw rule, if it's that
> simple please ?

Through Qubes VM Manager, I've added the following firewall rule:

- Deny network access except ...
- IP address of my email server

This works fine.




To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/alpine.LFD.2.20.1805150921140.1177%40localhost.


Re: [qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?

2018-05-14 Thread 799
Hello John,

john  schrieb am Di., 15. Mai 2018, 07:23:

> On 05/14/18 14:58, Ángel wrote:
> > (...)
> > Luckily, with Qubes it is easy to set a firewall rule so that your email
> > AppVM can only contact with your email server.
> > NB that some of these leaks are dns-based, so ideally you would not
> > allow it to perform any dns query, either.
> >
> >
> can you give an example to the steps to make such a fw rule, if it's
> that simple please ?
>

You need to find out your Email-Server IPs:

https://github.com/one7two99/my-qubes/blob/master/docs/mail-firewall.md

Then you can use iptables in the Email AppVM to block all traffic as the
default rule, and then only add rules for the traffic to the allowed IPs
and ports.

I can send you my firewall script to allow email for outlook.com and Gmail.

[799]

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vqaXoC%2BEy8s_40wsOn8a%3D6M_vz%3Dr115-aBxcS_kURGNA%40mail.gmail.com.


[qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?

2018-05-14 Thread john

On 05/14/18 14:58, Ángel wrote:

> This paper is most interesting for the discovery of multiple ways email
> client leak information on visualization.
> (not clearly stated in the paper: some of them are already fixed, while
> in other cases the developers are still working on providing them)
>
> Luckily, with Qubes it is easy to set a firewall rule so that your email
> AppVM can only contact with your email server.
> NB that some of these leaks are dns-based, so ideally you would not
> allow it to perform any dns query, either.
>
> Best regards

can you give an example to the steps to make such a fw rule, if it's
that simple please ?


To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/cd72c1d8-8293-0143-b6e8-70da0da12a95%40riseup.net.