Split Browser for Qubes

torjunkie · November 30, 2016, 6:46pm

Split Browser for Qubes

Everyone loves the Whonix approach of running Tor Browser and the tor daemon in two separate Qubes VMs, e.g. anon-whonix and sys-whonix.

Let’s take it a step further and run Tor Browser (or other Firefox versions) in a DisposableVM connecting through the tor VM (or through any other NetVM/ProxyVM), while storing bookmarks and logins in a persistent VM - with carefully restricted data flow.

In this setup, the DisposableVM’s browser can send various requests to the persistent VM:

Bookmark the current page
Let the user choose a bookmark to load
Let the user authorize logging into the current page

But if the browser gets exploited, it won’t be able to read all your bookmarks or login credentials and send them to the attacker. And you can restart the browser DisposableVM frequently (which shouldn’t take more than 10-15 seconds) to “shake off” such an attack.

Seems like a cool idea, but I’d assume it is just as safe to never bookmark anything and just run all Tor Browser instances in a disposable VM as per entr0py’s guide below (with a note to self to check the sys-net is set to sys-whonix):

Using Whonix-Workstation as a DisposableVM (DispVM) Qubes-Whonix

###This thread is now deprecated in favor of the wiki entry: Just starting a topic to share tips and ask for help. And gather items to add to the wiki. Create: Qubes Disposables Customize: Redirecting… Use: Redirecting… Motivation: Since Tor Browser doesn’t save history anyway, there’s no reason to expose the rest of your Workstation to the Internet. Ideally, all browsing should be done in DispVMs. Exceptions, if any, should only be made for trusted, bookmarked, white-listed sites. Dis…

~~In fact, I think it is worth noting somewhere that hardcore Qubes-Whonix recommendations could arguably include:~~

~~all apparmor profiles installed in the WS and GW;~~

~~enabling seccomp in the Whonix GW torrc;~~

~~running hardened alpha Tor Browsers if adventurous due to near-term (December) sandboxing opportunities;~~

~~following Qubes guideline for MAC spoofing (ethernet and/or wi-fi; yes, I’m aware of the wi-fi spoofing problems);~~

~~running all instances of Whonix-WS in a disposable VM;~~

~~possibly running the minimal Fedora templates for all networking;~~

~~purging all unnecessary Whonix files and template applications as per Patrick’s latest blog post;~~

~~possibly (?) running SE Linux in combination with apparmor via kernel changes in dom0, although I am yet to try that or see any reasonable guides or feedback on its success to date.~~

~~We should probably all be doing this to celebrate Rule 41 eve…~~

Moved hardening discussion part here:

https://forums.whonix.org/t/hardening-qubes-whonix

entr0py · November 30, 2016, 8:25pm

I like the idea also and I agree that it’s sensitive enough for me to try to understand the code. Currently, I keep bookmarks and logins in a separate offline VM so there’s a lot of copy/pasting going on. Would love to have a solution that cuts down on that without too much exposure. Need to add that copy/pasting isn’t without risks also - I’m sure I’ve copy/pasted the wrong credentials once or twice. (Probably a good idea to keep clipper running so I can see what’s in there…)

torjunkie · December 1, 2016, 2:55am

Hi,

See my comment on your original dispWhonix-WS thread. Menu items like Tor Browser cannot be added using the guide, due to the shift to XFCE in Qubes 3.2. Thus, it is currently unworkable for most normal users.

Tips?

Patrick · December 24, 2016, 6:08pm

try / review / document qubes-split-browser
https://phabricator.whonix.org/T585