This was written by Rutkowska on her blog touting the strength of TorVM (emphasis mine):
[quote="http://theinvisiblethings.blogspot.co.uk/2011/09/playing-with-qubes-networking-for-fun.html"]Our Tor proxy would forward only the Tor traffic, so we don’t have to fear about some Tor-not-aware applications, or even intentionally malicious ones to compromise the privacy of our connection. This is because such applications have no way to generate traffic to the outside world without going through our Tor proxy (unless they could exploit a hypothetical vulnerability in the Tor process running in the Tor VM). Also, the applications running in any VM behind the Tor proxy are not able to determine any globally identifiable IDs, such as the user’s external IP address, the real MAC address used by real NICs, etc.
Interestingly just after writing the above paragraph, I discovered that one of our xenstore keys had wrong permissions and, as a result, any VM could read it and get to know the actual external IP (the key is used by a Net VM to communicate the external IP configuration to the connected Proxy VMs, so they could know when to update the firewall configuration).[/quote]
It seems to me that “interestingly” is a curious choice of words for a bug that could potentially imprison people and/or have their heads cut off? I don’t know much about any relevant topics, so please reassure me that I am overreacting.
I realize Qubes was in an early beta then (this was Sep 2011) but it worries me that Qubes’ design allows for something like this to happen (as opposed to Whonix).
Joanna and other ITL devs have been very positive and receptive to furthering the process of supporting the port of Whonix into the Qubes environment.
Joanna has, in recent months, mentioned ideas of wanting to eventually incorporate Whonix and TorVM, or Torification in general, into the official Qubes installer and GUI.
That said, security and anonymity go directly together. One could also take the reverse position and say that Whonix, Tails, etc., are not serious about anonymity because they can currently be exploited by malware and easily have their Tor anonymity removed.
So I view the ultra strong security provided by Joanna’s Qubes as a fundamental protection to Tor anonymity that all other Tor platforms lack.
And now we have the best of both worlds… Qubes + Whonix
Also, for others wondering, that specific technical issue was patched in Qubes back then in 2011…
Interestingly just after writing the above paragraph, I discovered that one of our xenstore keys had wrong permissions and, as a result, any VM could read it and get to know the actual external IP (the key is used by a Net VM to communicate the external IP configuration to the connected Proxy VMs, so they could know when to update the firewall configuration). The fix for this problem is here, and the update (qubes-core-dom0-1.6.32) is now available for Dom0 (just do qvm-dom0-update to get it installed).
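The xenstore permission slip quoted above is the kind of misconfiguration a defender can check for mechanically rather than by accident. The script below is an added example for this thread, not code from the forum posters or from the Qubes project. It assumes the output shape of `xenstore-ls -p` (`path = "value"   (perms)`, with a perm list such as `n0,r5` where the first entry names the owner domain and its letter is the access granted to every domain not listed explicitly: n = none, r = read, w = write, b = read+write); the sample listing and all key names in it are constructed placeholders, not real Qubes keys.

```python
"""
Flag xenstore keys that any domain can read, from a saved `xenstore-ls -p` listing.

Added example (not from the thread or the Qubes project). Assumed output format:
    path = "value"   (n0,r5)
perms[0] is the owner domain and its letter is the DEFAULT access for every
domain not named explicitly; later entries are per-domain overrides.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample listing; key names are placeholders, not real Qubes keys.
SAMPLE_LISTING = """\
vm   (n0)
vm-type-example = "ProxyVM"   (n0,r5)
netvm-external-ip-example = "203.0.113.7"   (r0)
ip-example = "10.137.1.5"   (n0,r5)
shared-scratch-example = "x"   (b0)
keymap-example = "us"   (n0,r5,w7)
"""

LINE_RE = re.compile(r'^(?P<path>\S+)(?: = "(?P<value>[^"]*)")?\s+\((?P<perms>[^)]*)\)\s*$')
PERM_RE = re.compile(r"^([nrwb])(\d+)$")


@dataclass
class Entry:
    path: str
    value: Optional[str]                 # None for a directory node
    perms: List[Tuple[str, int]]         # (access letter, domid); perms[0] = owner/default

    @property
    def owner(self) -> int:
        return self.perms[0][1]

    @property
    def default_access(self) -> str:
        return self.perms[0][0]

    def readable_by_any_domain(self) -> bool:
        """True when the default entry hands read (or read+write) to unlisted domains."""
        return self.default_access in ("r", "b")

    def explicit_readers(self) -> List[int]:
        """Domains granted read by a per-domain override entry."""
        return [domid for access, domid in self.perms[1:] if access in ("r", "b")]


def parse_listing(text: str) -> List[Entry]:
    """Parse every non-blank line; raise on anything not in the assumed format."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised xenstore-ls line: {line!r}")
        perms = []
        for tok in m.group("perms").split(","):
            pm = PERM_RE.match(tok.strip())
            if not pm:
                raise ValueError(f"bad permission token {tok!r} on {line!r}")
            perms.append((pm.group(1), int(pm.group(2))))
        entries.append(Entry(m.group("path"), m.group("value"), perms))
    return entries


def find_world_readable(text: str) -> List[str]:
    """Paths whose default access lets any domain read them."""
    return [e.path for e in parse_listing(text) if e.readable_by_any_domain()]


def tightened_perms(entry: Entry, reader_domids: List[int]) -> str:
    """Illustrative tightened perm string: keep the owner, deny by default,
    grant read only to the listed domains (e.g. the Proxy VMs that need it)."""
    return ",".join([f"n{entry.owner}"] + [f"r{d}" for d in sorted(reader_domids)])


if __name__ == "__main__":
    for path in find_world_readable(SAMPLE_LISTING):
        print(f"world-readable: {path}")
```

Run against a real listing by feeding it the captured text of `xenstore-ls -p` from dom0; the interesting output is any key whose default entry is `r` or `b`, since that is exactly the class of slip the quoted post describes (a per-VM override such as `r5` is not a finding by itself).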
Thanks for the thorough reply. It was irresponsible of me not to mention the prompt patch.
I’m glad things are heading in the right direction and that people like you are bringing the two together.
Joanna has posted in the past that she isn’t a big fan of security by obscurity. I got the impression that Qubes’ motto was: “I don’t care if you know who I am, since you can’t break me.” While Whonix seems to be: “I’ve got vulnerabilities, but while you’re looking for me, I’ve got time to fix them.”
The obvious follow-up question regarding the potential for bugs like in the original post: Is there any benefit to attempting Physical Isolation using 2 Qubes boxes, one hosting Whonix-Gateway and the other running Whonix-Workstation? I don’t know if that’s possible, redundant overkill, or something else…
I don’t think that is what Joanna/Qubes or Patrick/Whonix meant by their statements.
I think you may be mixing up two different concepts:
Security by Obscurity …of computer components (which is what this usually means in computing).
Security by Obscurity …meaning anonymity of human identities.
Computer exploits generally occur because the attacker/malware knows what components exist on a system and what to do with them to break them.
Security by obscurity is the philosophy of not having truly secure computer components, but trying to be secure just by avoiding having any attacker/malware know what components make up your computer system.
That’s why security by obscurity is usually dumb as a serious replacement to actually having technically secure hardware/software components in the world of computing.
Human-level security by obscurity (as in anonymity of identity) is a more worthwhile concept.
Both Qubes and Whonix, or any serious computing system, do not fundamentally rely upon security by obscurity for remaining technically secure as operating system software, since any attacker has the ability to know the publicly used software inside-and-out before doing the attack.
That’s largely from a systems producer perspective. However, as a computer user, it is often wise to not broadcast your individual choice of hardware/software, as it narrows down the process of how to exploit you personally.
Yes. There probably is some benefit.
I’ve thought about doing this 2 Qubes boxes setup myself, but probably won’t get to it anytime soon.
It would primarily act as a security backstop for theoretical exploits to Xen/Qubes, where malware could break out of a Qubes VM and connect directly to the clearnet without going through Tor.
However, a physically isolated Qubes-Gateway probably wouldn’t help much with further guarding your Qubes-Workstation from exploit. Just help with guarding an attacker from accessing the clearnet to identify you without going through Tor anonymity.
But all of that is based upon the notion of Qubes being exploited, which is possible, but one of the highest computer security bars in the world right now.
Joanna describes the basic network routing needed for this 2 Qubes system in this post:
Playing with Qubes Networking for Fun and Profit
Using multiple Net VMs for physically isolated networks:
And Joanna does talk about physical isolation (security problems) vs. Qubes virtual VM networking (better security) in this paper, which should be considered as well.
However, if I remember correctly, I don’t think that paper was written in the context of using 2 Qubes boxes. So I think physical isolation using 2 Qubes boxes would (probably) be the most secure configuration.
Or even multiple separately isolated 2 Qubes setups for separate activities, if wanting ultra paranoid security.
But, I think a much lower bar to protect, with Qubes + Tor/Whonix is one’s typical VM and internet usage posture.
Air-gapping data in Qubes VMs, and other physically air-gapped computers.
Using DispVMs and new fresh VMs as often as possible.
Using standard default VMs without personalization.
Finding alternative encrypted routes to HTTP/non-SSL sites.
Understanding Tor networking protocols and effects upon anonymity of your various internet traffic behaviors.
I’ve actually started developing a new Qubes application, I plan to publicly release this year, that will probably help out with some of this stuff and be a real power tool for using Qubes + Whonix. Skunkworks right now.