Re: [qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?
On 05/16/2018 11:20 PM, Ilpo Järvinen wrote:
> On Wed, 16 May 2018, taii...@gmx.com wrote:
>
>> On 05/15/2018 01:22 AM, john wrote:
>>
>>> On 05/14/18 14:58, Ángel wrote:
>>>> This paper is most interesting for the discovery of multiple ways email
>>>> clients leak information on visualization.
>>>> (not clearly stated in the paper: some of them are already fixed, while
>>>> in other cases the developers are still working on providing them)
>>>>
>>>> Luckily, with Qubes it is easy to set a firewall rule so that your email
>>>> AppVM can only contact your email server.
>>>> NB that some of these leaks are DNS-based, so ideally you would not
>>>> allow it to perform any DNS query, either.
>>>>
>>>> Best regards
>>>
>>> Can you give an example of the steps to make such a fw rule, if
>>> it's that simple please?
>>
>> I would suggest simply only allowing the ports you need for your email
>> client.
>
> It's a much less secure approach than blocking all but the email server
> address. With a port filter, the attacker only needs to use that same
> port for the attack to succeed.

That's true, except HTML engines like the ones used by this attack should disallow e.g. loading an image from port 25. For instance, Firefox blocks at least ports 993 and 587, the only two that should be used by a reasonably recent and secure email setup. So that's not a solution against an arbitrary attacker, but it is a solution against the attack currently being discussed.

BTW, if you really want to protect yourself from an arbitrary attacker, you'll want to protect against an attacker that has root on your email VM. And that means
1/ setting firewall rules in the FirewallVM, not in the email VM, as the latter could just be removed by the attacker
2/ all kinds of hardening against side-channels for compromised VM communication, which are currently not possible with Xen (and possibly not even with any widely-spread hypervisor, as that would likely entail a huge performance cost)

Another solution for 2/ could be to never run the email VM at the same time as another potentially-compromised VM, but that very much restricts what you can do. And that can maybe (now that's all hypothetical) still be bypassed with side-channels through e.g. LVM's thin pool allocator, as IIRC Qubes 4 uses LVM thin pools as storage backend. (still haven't migrated…)

-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/436c6811-9ca0-bd0b-0c21-f2097248d43c%40leo.gaspard.ninja.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?
On Wed, 16 May 2018, taii...@gmx.com wrote:
> On 05/15/2018 01:22 AM, john wrote:
>
>> On 05/14/18 14:58, Ángel wrote:
>>> This paper is most interesting for the discovery of multiple ways email
>>> clients leak information on visualization.
>>> (not clearly stated in the paper: some of them are already fixed, while
>>> in other cases the developers are still working on providing them)
>>>
>>> Luckily, with Qubes it is easy to set a firewall rule so that your email
>>> AppVM can only contact your email server.
>>> NB that some of these leaks are DNS-based, so ideally you would not
>>> allow it to perform any DNS query, either.
>>>
>>> Best regards
>>
>> Can you give an example of the steps to make such a fw rule, if
>> it's that simple please?
>
> I would suggest simply only allowing the ports you need for your email
> client.

It's a much less secure approach than blocking all but the email server address. With a port filter, the attacker only needs to use that same port for the attack to succeed.

-- 
i.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/alpine.DEB.2.20.1805170016590.32415%40whs-18.cs.helsinki.fi.
Re: [qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?
On 05/15/2018 01:22 AM, john wrote:
> On 05/14/18 14:58, Ángel wrote:
>> This paper is most interesting for the discovery of multiple ways email
>> clients leak information on visualization.
>> (not clearly stated in the paper: some of them are already fixed, while
>> in other cases the developers are still working on providing them)
>>
>> Luckily, with Qubes it is easy to set a firewall rule so that your email
>> AppVM can only contact your email server.
>> NB that some of these leaks are DNS-based, so ideally you would not
>> allow it to perform any DNS query, either.
>>
>> Best regards
>
> Can you give an example of the steps to make such a fw rule, if
> it's that simple please?

I would suggest simply only allowing the ports you need for your email client.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c3f24013-dfa6-a25e-1b25-11976b39ef8b%40gmx.com.
Re: [qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?
Hello Eivind,

On 05/15 09:24, Eivind K. Dovik wrote:
> [...]
> Through Qubes VM Manager, I've added the following firewall rule:
>
> - Deny network access except ...
> - IP address of my email server
>
> This works fine.

Please keep in mind that most email providers will use load balancers for incoming requests. As such you might need to add more than one IP to the firewall.

If you're using the Qubes GUI to add firewall rules: if you enter a FQDN it will be translated to an IP address when you enter the rule. As such it might not work next time, if the load balancers route you to another IP.

Regards
[799]

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180516054302.gxex6eovvbetxp65%40my-privmail.
Re: [qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?
Hello,

On 15 May 2018 at 09:24, Eivind K. Dovik wrote:
> On Mon, 14 May 2018, john wrote:
>> On 05/14/18 14:58, Ángel wrote:
>>> [...]
>>
>> Can you give an example of the steps to make such a fw rule, if it's
>> that simple please?
>
> Through Qubes VM Manager, I've added the following firewall rule:
>
> - Deny network access except ...
> - IP address of my email server
>
> This works fine.

I prefer adding my rules to my AppVM. This is how I do it:

1st you can check the connections which are requested by running this command in your Email AppVM:

watch -n 1 'sudo netstat -tap'

It will show you if your email app connects to a server.
But as most mail providers use more than one IP for load balancing you need to add more IPs (see my posting a few hours ago in this thread on how to find the IPs your mail provider is using).

These are the rules I am currently applying to my Email AppVM. You can put them into a script which loads on AppVM startup or copy & paste them into a terminal. You need to use sudo for the commands or switch to root via sudo -i (if you have sudo installed).
If you don't have sudo you can request a root terminal via:

qvm-run --auto --user root gnome-terminal

- - - - 8< - - - - snip - - - - 8< - - - -
# show default policy
iptables -L -v | grep policy

# delete all rules
iptables -t filter -F

# change default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allow DNS to 10.139.1.1 (the Qubes DNS address used by the rules below; the queries are answered via sys-firewall)
iptables -A OUTPUT -p udp -d 10.139.1.1 --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 10.139.1.1 --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -d 10.139.1.1 --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 10.139.1.1 --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# allow outgoing ping/echo (only for troubleshooting / can be removed afterwards)
iptables -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

### allow IMAP (valid for Germany, use other IPs if you're from somewhere else)
# Gmail IMAP
iptables -A OUTPUT -p tcp -d 108.177.96.0/19 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 108.177.96.0/19 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 74.125.0.0/16 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 74.125.0.0/16 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 64.233.160.0/19 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 64.233.160.0/19 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 108.177.8.0/21 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 108.177.8.0/21 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 173.194.0.0/16 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 173.194.0.0/16 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 66.102.0.0/20 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 66.102.0.0/20 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Outlook IMAP
iptables -A OUTPUT -p tcp -d 40.96.0.0/13 --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 40.96.0.0/13 --sport 993 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

### allow SMTP
# Gmail SMTP
iptables -A OUTPUT -p tcp -d 74.125.0.0/16 --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 74.125.0.0/16 --sport 587 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 108.177.8.0/21 --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 108.177.8.0/21 --sport 587 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 108.177.96.0/19 --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 108.177.96.0/19 --sport 587 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Outlook SMTP
iptables -A OUTPUT -p tcp -d 40.96.0.0/13 --dport 587 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 40.96.0.0/13 --sport 587 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# allow everything for localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
- - - - 8< - - - -

[799]
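The thread argues two points that are easy to test rather than debate: Ilpo's observation that a port-only filter lets any host be reached on the allowed port while a host+port whitelist does not, and 799's note that a provider answering from a different load-balanced IP will be dropped if only a single resolved address was whitelisted. The following Python model is an added example, not code from the thread or from Qubes; it renders a whitelist in the same default-DROP, conntrack form as the script above and evaluates constructed connection attempts against three policies. The Gmail/Outlook ranges and the 10.139.1.1 DNS address are taken from the script; the host IPs (including 203.0.113.5, an RFC 5737 documentation address standing in for an arbitrary unrelated server) and the policies themselves are constructed for the example.

```python
"""
Model of an email AppVM egress whitelist: default DROP, then explicit
ACCEPTs for (protocol, destination network, port). Used to compare a
port-only filter with a host+port filter on the same connection attempts.
All policies, addresses and attempts are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Allow:
    """One ACCEPT rule: `proto` traffic to `port` on any host in `dst`."""
    proto: str   # "tcp" or "udp"
    dst: str     # CIDR; "0.0.0.0/0" means any host, i.e. a port-only filter
    port: int


def iptables_commands(allows):
    """Render the policy as iptables commands in the form the script above uses."""
    cmds = [
        "iptables -t filter -F",
        "iptables -P INPUT DROP",
        "iptables -P OUTPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
    ]
    for a in allows:
        net = ipaddress.ip_network(a.dst, strict=False)
        cmds.append(f"iptables -A OUTPUT -p {a.proto} -d {net} --dport {a.port} "
                    "-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT")
        cmds.append(f"iptables -A INPUT -p {a.proto} -s {net} --sport {a.port} "
                    "-m conntrack --ctstate ESTABLISHED -j ACCEPT")
    return cmds


def egress_allowed(allows, proto, dst_ip, port):
    """True if a NEW connection to dst_ip:port would pass the OUTPUT chain."""
    ip = ipaddress.ip_address(dst_ip)
    return any(
        a.proto == proto and a.port == port
        and ip in ipaddress.ip_network(a.dst, strict=False)
        for a in allows
    )


def evaluate(allows, attempts):
    """Map each (proto, ip, port) attempt to its verdict under one policy."""
    return {att: egress_allowed(allows, *att) for att in attempts}


# Constructed policy 1: "allow the ports you need for your email client".
PORT_ONLY = [Allow("tcp", "0.0.0.0/0", 993), Allow("tcp", "0.0.0.0/0", 587)]

# Constructed policy 2: DNS only to the Qubes DNS address, mail only to the
# provider ranges quoted in the script above.
HOST_AND_PORT = [
    Allow("udp", "10.139.1.1/32", 53),
    Allow("tcp", "74.125.0.0/16", 993),
    Allow("tcp", "74.125.0.0/16", 587),
    Allow("tcp", "40.96.0.0/13", 993),
]

# Constructed policy 3: a single /32, as when a FQDN is resolved once in the GUI.
SINGLE_IP = [Allow("tcp", "74.125.1.1/32", 993)]

# Constructed connection attempts from inside the email AppVM.
ATTEMPTS = [
    ("tcp", "74.125.1.1", 993),   # the mail server on IMAPS
    ("tcp", "74.125.1.2", 993),   # same provider range, another load-balanced IP
    ("tcp", "203.0.113.5", 993),  # unrelated host that happens to listen on 993
    ("tcp", "74.125.1.1", 80),    # provider range, but a port mail does not use
    ("udp", "8.8.8.8", 53),       # DNS to a public resolver instead of Qubes DNS
]

if __name__ == "__main__":
    for name, policy in (("port-only", PORT_ONLY),
                         ("host+port", HOST_AND_PORT),
                         ("single /32", SINGLE_IP)):
        print(f"== {name} ==")
        for att, ok in evaluate(policy, ATTEMPTS).items():
            print(f"  {att[0]} {att[1]}:{att[2]:<4} -> {'ACCEPT' if ok else 'DROP'}")
    print()
    print("\n".join(iptables_commands(HOST_AND_PORT)))
```

Running it shows the port-only policy accepting the unrelated host on 993, the host+port policy dropping it while still reaching both provider addresses, and the single /32 policy dropping the second load-balanced address, which is exactly the "works today, fails next time" failure 799 describes. The rendered commands are plain text; nothing here touches the live firewall.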
Re: [qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?
On Mon, 14 May 2018, john wrote:
> On 05/14/18 14:58, Ángel wrote:
>> This paper is most interesting for the discovery of multiple ways email
>> clients leak information on visualization.
>> (not clearly stated in the paper: some of them are already fixed, while
>> in other cases the developers are still working on providing them)
>>
>> Luckily, with Qubes it is easy to set a firewall rule so that your email
>> AppVM can only contact your email server.
>> NB that some of these leaks are DNS-based, so ideally you would not
>> allow it to perform any DNS query, either.
>>
>> Best regards
>
> Can you give an example of the steps to make such a fw rule, if it's that simple please?

Through Qubes VM Manager, I've added the following firewall rule:

- Deny network access except ...
- IP address of my email server

This works fine.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/alpine.LFD.2.20.1805150921140.1177%40localhost.
Re: [qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?
Hello John,

john wrote on Tue, 15 May 2018, 07:23:
> On 05/14/18 14:58, Ángel wrote:
>> (...)
>> Luckily, with Qubes it is easy to set a firewall rule so that your email
>> AppVM can only contact your email server.
>> NB that some of these leaks are DNS-based, so ideally you would not
>> allow it to perform any DNS query, either.
>>
>
> Can you give an example of the steps to make such a fw rule, if it's
> that simple please?
>

You need to find out your email server IPs:
https://github.com/one7two99/my-qubes/blob/master/docs/mail-firewall.md

Then you can use iptables in the Email AppVM to block all traffic as the default rule, and then only add the traffic to the allowed IPs and ports.
I can send you my firewall script to allow email for outlook.com and Gmail.

[799]

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vqaXoC%2BEy8s_40wsOn8a%3D6M_vz%3Dr115-aBxcS_kURGNA%40mail.gmail.com.
[qubes-users] Re: Critical PGP bugs. Do they possibly affect Split-GPG in Qubes?
On 05/14/18 14:58, Ángel wrote:
> This paper is most interesting for the discovery of multiple ways email
> clients leak information on visualization.
> (not clearly stated in the paper: some of them are already fixed, while
> in other cases the developers are still working on providing them)
>
> Luckily, with Qubes it is easy to set a firewall rule so that your email
> AppVM can only contact your email server.
> NB that some of these leaks are DNS-based, so ideally you would not
> allow it to perform any DNS query, either.
>
> Best regards

Can you give an example of the steps to make such a fw rule, if it's that simple please?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/cd72c1d8-8293-0143-b6e8-70da0da12a95%40riseup.net.