Do you mind cutting and pasting your sources.list (.onions) which works, so that I can edit the wiki somewhere to reflect the correct sources for those wishing to harden their Qubes-Whonix installation?
I’m a little confused about which ones we are pointing to, and whether it is just tor:// or tor+http:// - what else is new.
Reflecting on what we have covered so far, a future wiki entry might look something like the draft below (with links to relevant wiki entries/stubs). It is better to have it in one place, so users have a quick reference and don’t have to search everywhere for this information:
Qubes-Whonix users can achieve significant hardening of their system by completing a number of additional steps after installation of the base system.
Successful completion of the steps below is dependent upon the user’s skill level and available hardware. Applicable steps are marked with ‘easy’, ‘medium’ or ‘difficult’ tags to reflect this:
- Default the Debian mirrors in sources.list to available .onions (easy);
- Install all available AppArmor profiles in the Whonix-Workstation and Whonix-Gateway TemplateVMs (easy);
- Enable seccomp in the Whonix-Gateway TemplateVM torrc file (easy);
- Use the hardened (alpha) Tor Browser series to resist fingerprinting and have additional memory protections (easy);
- Use the (alpha) Tor process sandbox to restrict exploitation opportunities (difficult - not yet implemented in Whonix; requires sandbox compilation - @Patrick, this requires a wiki stub somewhere);
- Implement MAC spoofing for ethernet and/or wi-fi via Qubes user documentation (medium);
- Use all instances of the Whonix-Workstation in a Whonix-Workstation DisposableVM - preferably uncustomized to resist fingerprinting (medium);
- Implement GRSEC templates for Fedora, Debian and Whonix templates in the Qubes system (difficult; only Debian currently available - @Patrick, we need a GrSec stub somewhere in the wiki for future copying of all steps);
- Tweak the Tor Browser to provide ClearClick protections, run the security slider in the highest position, restrict JavaScript uniformly, and default to .onion searches via DuckDuckGo (easy);
- Store all login credentials and passwords in an offline vault VM (preferably in a password manager), and cut and paste into the Tor Browser when required (easy);
- Never type directly into the Tor Browser to resist typing profiling (easy);
- Install newer Tor versions via Whonix config settings, i.e. jessie-proposed-updates (easy);
- Install the latest version of the Linux kernel available to benefit from mainlined kernel hardening (easy);
- Use AEM (anti-evil-maid) in Qubes, in combination with a Trusted Platform Module (medium);
- Store encrypted Qubes backups with a sufficiently long (high-entropy) passphrase due to OpenSSL’s weak key derivation scheme, which relies on a single round of md5, or store encrypted backups on a separate backup disk that is already encrypted with LUKS (easy);
- Install Qubes-Whonix with a sys-usb template to provide protection from malicious compromise of dom0. This requires available USB controllers and, in a desktop configuration, available PS/2 ports and adapters for the keyboard and mouse (medium).
What have I missed?
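The first two items of the checklist above (onion mirrors in sources.list, `Sandbox 1` in torrc) can be audited mechanically inside the TemplateVM. The script below is an added example, not code from the post or from the Whonix project. It assumes only the plain apt sources.list and torrc file formats, and that apt-transport-tor accepts both the `tor://` and `tor+http://` URL schemes, so either is treated as "over Tor". The sample files it writes are constructed for offline testing; the `.onion` hostnames in them are placeholders, not real Debian onion services, and the check only verifies scheme and host suffix, not that a given onion address really belongs to Debian.

```shell
#!/bin/sh
# Added audit script (not from the forum post). It checks two items of the
# hardening checklist against plain config files: that apt mirrors are
# reached over Tor at .onion hosts, and that torrc enables Tor's seccomp
# sandbox ("Sandbox 1"). The sample mirror addresses below are placeholders.
set -f   # no globbing while splitting config lines into words

# Returns 0 if every active deb/deb-src line in the file names a tor:// or
# tor+http:// URL whose host ends in .onion (assumption: apt-transport-tor
# accepts both schemes); otherwise prints the offending lines to stderr
# and returns 1.
check_sources_onion() {
    file=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        case "${1:-}" in
            deb|deb-src) shift ;;
            *) continue ;;          # blank line, comment or unrelated text
        esac
        # skip an optional [key=value ...] option block before the URI
        while [ $# -gt 0 ]; do
            case "$1" in
                '['*']') shift; break ;;
                '['*)    shift ;;
                *']')    shift; break ;;
                *)       break ;;
            esac
        done
        case "${1:-}" in
            tor://*.onion|tor://*.onion/*|tor+http://*.onion|tor+http://*.onion/*) ;;
            *) printf 'not an onion mirror over Tor: %s\n' "$line" >&2; bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# Returns 0 if torrc contains an uncommented "Sandbox 1" line.
check_torrc_sandbox() {
    grep -Eq '^[[:space:]]*Sandbox[[:space:]]+1[[:space:]]*$' "$1"
}

# Writes four constructed sample files into directory $1 for offline testing.
write_samples() {
    dir=$1
    cat > "$dir/sources.list.onion" <<'EOF'
# constructed sample: mirrors reached through Tor at placeholder .onion hosts
deb tor+http://EXAMPLEDEBIANMIRROR.onion/debian jessie main
deb [arch=amd64] tor://EXAMPLESECURITYMIRROR.onion/debian-security jessie/updates main
EOF
    cat > "$dir/sources.list.clearnet" <<'EOF'
# constructed sample: one clearnet mirror slipped in
deb tor+http://EXAMPLEDEBIANMIRROR.onion/debian jessie main
deb http://ftp.debian.org/debian jessie main
EOF
    printf 'Sandbox 1\n' > "$dir/torrc.sandbox"
    printf '# Sandbox 1\nLog notice stdout\n' > "$dir/torrc.plain"
}

# Runs both checks over the samples and reports PASS/FAIL per file.
demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for f in sources.list.onion sources.list.clearnet; do
        if check_sources_onion "$tmp/$f"; then echo "PASS $f"; else echo "FAIL $f"; fi
    done
    for f in torrc.sandbox torrc.plain; do
        if check_torrc_sandbox "$tmp/$f"; then echo "PASS $f"; else echo "FAIL $f"; fi
    done
    rm -rf "$tmp"
}

demo
```

To audit a real TemplateVM, call `check_sources_onion /etc/apt/sources.list` (and each file under `/etc/apt/sources.list.d/`) and `check_torrc_sandbox /etc/tor/torrc` instead of the constructed samples; a clearnet mirror that survived the switch to onions is reported on stderr with the full line so it can be fixed in place.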