> "there is absolutely no point in not allowing e.g. Thunderbird to remember the password – if it got compromised it would just steal it the next time I manually enter it"
Correct!
> So this was written 6 years ago but it's the latest one I think.
>
> Can't we just create disposable thunderbirds to protect the password?
> Or is disposable not true security? I mean maybe a custom thunderbird would be needed so it never used the password again/instantaneously forgets it after login >.>
No, this is not possible. Let me try to explain:
This is going to be a looooong thing, I hope someone will read it, I was
quite inspired; Qubes is A-W-E-S-O-M-E-!-!-!
The main reason is that you want to be able to read your mails, so you
can't just drop/delete/forget every received mail on shutdown.
You also can't drop/forget/not store the password after login, because
the way any email works is: login -> check if there are new
mails -> download -> logout,
and if you keep it open like me so that it checks for new mails every 10
minutes it can't work.
Websites with a login work in a different way:
you fill in the password and if it is correct they give you a cookie that
your browser stores and automatically gives back to the website every time you
open it.
As you can see, if you want to be logged in at a moment in time you have to
present to the remote side some kind of "secret thing" at that moment in
time. It's not that "you login once and the remote side automagically knows
that you are logged in".
So for the whole time you use the service you must keep in memory a
secret to prove that you are logged in.
So where is the difference between Qubes and a normal OS? How does Qubes
improve the security?
Let's think about a normal Windows/Linux computer:
you have many programs and every program can control the whole PC.
Yes, there is admin vs not admin, but on Windows this means that a
non-admin process can't mess with admin processes or can't write in
c:\programs or c:\windows.
But this is useless! A virus can do all the damage it wants also running
as non-admin; it can:
-delete all your files (cryptolocker)
-run at boot (persistence)
-spy on you through mic/webcam
-steal/upload all your files to the internet
-keylog everything you write
-steal saved passwords
For me this is comparable to "full control of the PC".
The problem with this model is that any single exe that you open can do
pretty much what it wants, and you can only hope/have a bit of trust that
it will not do it.
In such a security model it might be good not to store passwords, because when
you get a virus it will instantly steal all your saved passwords
(bad), while if you don't save them it will only steal the ones that you
type while the virus is present, for example your mail password because
you use it often.
So if we suppose that the antivirus deletes it after a few days, you can hope
that you have used only a few passwords on the compromised PC, and not
all your passwords.
TL;DR: any program you open/have opened in the past might have
read/stolen all your mails/passwords.
NOW QUBES OS:
On Qubes your PC is split into more parts, every part works the way I
said above (in fact they are normal Windows/Linux OSes) and is isolated.
The only (important) difference is that only home in Linux and c:\users
in Windows is preserved if you reboot; this is good because it limits
the places in which a virus can hide (but still there is persistence = run
at boot).
Suppose that you get a virus, downloaded from your browser. Your mail is
safe because it runs in another VM. Simple, isn't it?
Same for every other action you can do on your PC: playing games, reading
documents, ... because all these actions happen in a different VM, not
in the mail VM.
Now suppose that you get a virus exactly in the mail VM:
the first question is how can this happen?
It's not that viruses pop up automagically, most of the time it is the user
that opens them.
So how can you open a virus from the email?
You can open an attachment or a link, that's all you can do to open a
virus from email.
But on Qubes this should not be possible, because you should not open
attachments and links in the mail VM, but in a disposable VM! (Here is
where the disposable thing becomes useful!!!)
You can also automate this, so you can't forget to open a link in a DispVM.
If the attachment was something bad you simply don't care, close the DispVM
and the virus is gone.
But sometimes (less often than always!) you need to store attachments,
because they are work documents, photos, or something important.
But again mail can't be compromised, because you save photos and
documents in the work VM or somewhere different.
The final question is: can the mail VM be compromised?
Yes, but since the user can't be tricked into opening something bad in the
mail VM the only thing left is a zero-day: some bug in Thunderbird such that
when it receives the bad email it is instantly compromised because, *for
example*, the bad guy sends 500 attachments and Thunderbird can manage
only up to 255 attachments, and this leads to code execution in
Thunderbird when you receive that mail and Thunderbird parses it.
But this is SUPER HARD.
Such bugs are a small amount, difficult to find, and difficult to use!
Suppose that you have found this "crash if more than 255 attachments": it is
not that 5 minutes later you can hack any PC running Thunderbird.
Getting from "it crashes" to "it does what I want" is difficult, and not
always possible.
How difficult? There are people who pay you 10000€ if you find such a thing.
So let's do a final comparison for the email:
Normal OS Linux/Windows:
you open 1 bad program (virus) -> someone takes full control of your PC
you are hacked using 1 zero-day -> someone takes full control of your PC
On Qubes:
you open 1 bad program (virus) -> don't care
you are hacked using 1 zero-day -> depends: a zero-day in which program? If
Firefox, VLC media player, whatever -> don't care
If it is a zero-day against Thunderbird -> ONLY your mail is compromised
For *me* THIS IS AWESOME!!!!
A final note:
you might say "hey but the PC is not only mail! you are ignoring the rest of
the PC!!!"
Not exactly: for example think about the "work VM"; it has inside:
-documents you personally made (trusted/known good/not virus)
-documents some co-worker sent you *by mail* (see???)
So, yes, the work VM can be compromised by opening 1 bad thing, but bad things
tend to not end up here :)
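Added example, not part of the original post: one way to enforce the "links and attachments from the mail qube always open in a disposable" rule described above, as a dom0 qrexec policy fragment. It assumes the Qubes 4.1+ policy syntax, a qube named `mail`, and the `30-user.policy` file name from the user-policy convention; adjust to your own qube name and Qubes release.

```text
# dom0: /etc/qubes/policy.d/30-user.policy
# Assumed: Qubes 4.1+ policy format; the mail qube is named "mail".
# Rules are matched first to last; user files (30-*) are read before the defaults (90-*).
#
# service         argument  source  destination  action  parameters
#
# Requests already aimed at a disposable are allowed without a prompt.
qubes.OpenURL     *         mail    @dispvm      allow
qubes.OpenInVM    *         mail    @dispvm      allow
# Requests with no explicit target ("open this somewhere") are redirected to a fresh disposable.
qubes.OpenURL     *         mail    @default     allow   target=@dispvm
qubes.OpenInVM    *         mail    @default     allow   target=@dispvm
# Anything else (e.g. opening an attachment directly in the work qube) is refused,
# so the only way out of the mail qube is through a disposable.
qubes.OpenURL     *         mail    @anyvm       deny
qubes.OpenInVM    *         mail    @anyvm       deny
```

Inside the mail qube a saved attachment is then opened with `qvm-open-in-dvm attachment.pdf`; when the disposable is closed, whatever the attachment did is gone with it.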