Re: [qubes-users] I have a bank vm, how do you restrict

[Oleg Artemiev]

On Sat, Feb 11, 2017 at 2:35 AM, Oleg Artemiev  wrote:
> On Wed, Feb 8, 2017 at 2:36 AM, Chris Laprise  wrote:
>> On 02/07/2017 04:47 AM, Oleg Artemiev wrote:
> I have a bank vm, how do you restrict the browser from being able to go
> else
> where? Do you add the iprules in the vm or do you create a proxyvm and
> add
> the iprules there?
 I've tried both solution some time ago and definitly the tinyproxy
 solution
 works much better and can handle nicely dns round robin or servers behind
 load balancers. By the way this solution offer an other nice possibility,
 you can use regular expressions and for example allow .*\.mycompany\.com$
 on
 the conter-part, you will have to trust the dns resolution.
>>>
>>> Look also for modules like 'request policy' and 'no script'  or
>>> 'policeman' that implements nice GUI allowing both types in a single
>>> place.
>>> Request policy + 'ask for reload permission' should be enough to
>>> control in a single VM for a few banks in single place.
>>> Not that secure as proxying and denying in some other VM, but easy +
>>> GUI controls + require some configuration work at start.
>> Good recommendations. I'll add one to that list: HttpsEverywhere.
>> It will keep you from accidentally accessing pages in unencrypted form. You
>> can also set it to allow only https (although some banks may use a mix of
>> https and http).
> look also for uMatrix, Privacy Badger, force cache loading,  For
> banking use of policeman and https everywhere should be enough. Though
> other firefox modules are also good.
forgot to mention uBlock Origin .


-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6Mo6oPKD0i7feBm5qpEW_MNYHAZ%2BesTADLG%2BqthXN%3DXsg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] I have a bank vm, how do you restrict

[Oleg Artemiev]

On Wed, Feb 8, 2017 at 2:36 AM, Chris Laprise  wrote:
> On 02/07/2017 04:47 AM, Oleg Artemiev wrote:
>>
>> On Tue, Feb 7, 2017 at 11:57 AM, '0xDEADBEEF00' via qubes-users
>>  wrote:

 I have a bank vm, how do you restrict the browser from being able to go
 else
 where? Do you add the iprules in the vm or do you create a proxyvm and
 add
 the iprules there?

 I've tried both, and created an email vm with iprules "deny everything
 except"

 But then neither vm(s) will connect.

 Is there a proper way to do this?

 Or will I have to do the tinyproxy thing I've read elsewhere ?
>>>
>>> I've tried both solution some time ago and definitly the tinyproxy
>>> solution
>>> works much better and can handle nicely dns round robin or servers behind
>>> load balancers. By the way this solution offer an other nice possibility,
>>> you can use regular expressions and for example allow .*\.mycompany\.com$
>>> on
>>> the conter-part, you will have to trust the dns resolution.
>>
>> Look also for modules like 'request policy' and 'no script'  or
>> 'policeman' that implements nice GUI allowing both types in a single
>> place.
>>
>> Request policy + 'ask for reload permission' should be enough to
>> control in a single VM for a few banks in single place.
>> Not that secure as proxying and denying in some other VM, but easy +
>> GUI controls + require some configuration work at start.
>>
>
> Good recommendations. I'll add one to that list: HttpsEverywhere.
>
> It will keep you from accidentally accessing pages in unencrypted form. You
> can also set it to allow only https (although some banks may use a mix of
> https and http).
>
look also for uMatrix, Privacy Badger, force cache loading,  For
banking use of policeman and https everywhere should be enough. Though
other firefox modules are also good.

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OeKXvXC%2BJpJopqhMGX4YobP5yJj0-KLzHgXLkis0jhVQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] I have a bank vm, how do you restrict

[Chris Laprise]

On 02/07/2017 04:47 AM, Oleg Artemiev wrote:

On Tue, Feb 7, 2017 at 11:57 AM, '0xDEADBEEF00' via qubes-users
 wrote:

I have a bank vm, how do you restrict the browser from being able to go else
where? Do you add the iprules in the vm or do you create a proxyvm and add
the iprules there?

I've tried both, and created an email vm with iprules "deny everything
except"

But then neither vm(s) will connect.

Is there a proper way to do this?

Or will I have to do the tinyproxy thing I've read elsewhere ?

I've tried both solution some time ago and definitly the tinyproxy solution
works much better and can handle nicely dns round robin or servers behind
load balancers. By the way this solution offer an other nice possibility,
you can use regular expressions and for example allow .*\.mycompany\.com$ on
the conter-part, you will have to trust the dns resolution.

Look also for modules like 'request policy' and 'no script'  or
'policeman' that implements nice GUI allowing both types in a single
place.

Request policy + 'ask for reload permission' should be enough to
control in a single VM for a few banks in single place.
Not that secure as proxying and denying in some other VM, but easy +
GUI controls + require some configuration work at start.



Good recommendations. I'll add one to that list: HttpsEverywhere.

It will keep you from accidentally accessing pages in unencrypted form. 
You can also set it to allow only https (although some banks may use a 
mix of https and http).


Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/29639edc-2a3b-09cf-848d-321d2400216c%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] I have a bank vm, how do you restrict

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2017-02-07 00:11, elsiebuck...@gmail.com wrote:
> I have a bank vm, how do you restrict the browser from being able 
> to go else where? Do you add the iprules in the vm or do you
> create a proxyvm and add the iprules there?
> 
> I've tried both, and created an email vm with iprules "deny 
> everything except"
> 
> But then neither vm(s) will connect.
> 
> Is there a proper way to do this?
> 
> Or will I have to do the tinyproxy thing I've read elsewhere ?
> 

Previously discussed here:

https://groups.google.com/d/topic/qubes-users/fSiFkQeoqGE/discussion

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYmapOAAoJENtN07w5UDAwQKkP/Rk9PPLXAPtTagkGJssRoOXU
jF50PkiCXSRRGbksmq0KUIAp5JIIlVybMha9RQUdx01z3q4fngSnaU/ORoZx6phN
RwzEc2ADjczAbvRyGZfFnA4dAGyypGlGm5gKMS6qKxDVs5IoI8ja6QK5d4R4QJfq
QD+RwRegRh1f9s5A2j33V5lPHfofgqUQydYdWEz/kEu3PsziDmGu0pptVpxIAERK
O3JzYB8fo0eqzLKduZTiH2IefhH8ZLkjytSe6ddCD0nHCDo9B+8qq6kHTDIhLT5q
vnamGnvv54I11x3KgOXsF4Ld0EYZaMJpSYT4c+Bd6WkH5/mNu736vTVkZ+od6DNA
BT807UeqKi93sMyjc8m5kX0S25wxxs/hfzdf/EV6t7BIA/RsmXM+xrr+4XTTsBch
m3VgxAEBXpgXKQKMMqHyuvfuy3JSzt7SUwLBgryxGYku0Ho+pmMENMBZSIaVUWCp
WuA3a51FwxXoz4QYqmEZriMn5JKQlyFq4NPQ2CXPKdtyW43D+vB0YdsN1j6bAGNW
eusbFrK0CC3Qa/ZAmqetCf78n1HjDCMMCYItVYzFcdYWdSj3ORy70OcVVMTMrwQz
tw8K89TqK6XzqcLmyJEhxEUEP/943HHYasy1ormkNclRqb6xmJZ/O0AK5Sd1FjqD
jDoaX1uRJYumry8UOgFB
=1vaM
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/210d590b-dcbf-525e-2b77-091b1bd83a65%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] I have a bank vm, how do you restrict

[Oleg Artemiev]

On Tue, Feb 7, 2017 at 11:57 AM, '0xDEADBEEF00' via qubes-users
 wrote:
>> I have a bank vm, how do you restrict the browser from being able to go else
>> where? Do you add the iprules in the vm or do you create a proxyvm and add
>> the iprules there?
>>
>> I've tried both, and created an email vm with iprules "deny everything
>> except"
>>
>> But then neither vm(s) will connect.
>>
>> Is there a proper way to do this?
>>
>> Or will I have to do the tinyproxy thing I've read elsewhere ?
> I've tried both solution some time ago and definitly the tinyproxy solution
> works much better and can handle nicely dns round robin or servers behind
> load balancers. By the way this solution offer an other nice possibility,
> you can use regular expressions and for example allow .*\.mycompany\.com$ on
> the conter-part, you will have to trust the dns resolution.
Look also for modules like 'request policy' and 'no script'  or
'policeman' that implements nice GUI allowing both types in a single
place.

Request policy + 'ask for reload permission' should be enough to
control in a single VM for a few banks in single place.
Not that secure as proxying and denying in some other VM, but easy +
GUI controls + require some configuration work at start.

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6MEURHmQ38Nc6rY4XpuNEWSknSUdJOCoVUCRV9sQ%2Bq4Tg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] I have a bank vm, how do you restrict

['0xDEADBEEF00' via qubes-users]

Hi,
It's my first contribution on this list.

I've tried both solution some time ago and definitly the tinyproxy solution 
works much better and can handle nicely dns round robin or servers behind load 
balancers. By the way this solution offer an other nice possibility, you can 
use regular expressions and for example allow .*\.mycompany\.com$ on the 
conter-part, you will have to trust the dns resolution.

Best,

0xdeadbeef



Sent with [ProtonMail](https://protonmail.com) Secure Email.


 Original Message 
Subject: [qubes-users] I have a bank vm, how do you restrict
Local Time: February 7, 2017 9:11 AM
UTC Time: February 7, 2017 8:11 AM
From: elsiebuck...@gmail.com
To: qubes-users 

I have a bank vm, how do you restrict the browser from being able to go else 
where? Do you add the iprules in the vm or do you create a proxyvm and add the 
iprules there?

I've tried both, and created an email vm with iprules "deny everything except"

But then neither vm(s) will connect.

Is there a proper way to do this?

Or will I have to do the tinyproxy thing I've read elsewhere ?

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d3a620c9-2fce-45c5-95f9-78a988990849%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/i6YOc4MifJ229V8fukuyAnh2WW1cydMAS7dzUA_0L_HhWziUzxCQE-c6rvq7Te117JTKKs-FCSgBkHeTob8KwAH9JHh0z-66GiI6Ii72J6g%3D%40protonmail.com.
For more options, visit https://groups.google.com/d/optout.