I am using Qubes daily for a while now. One thing I think is really missing is some sort of identity management. This is most visible when browsing. You shop something on Amazon, then go to check some Facebook updates and look at WhatsApp. Then you browse Hacker News click on this link and that link, end up on Wikileaks by accident then look at which club to visit in the evening... Yes this is shit.
But convenience often wins over security/privacy. Not only do you have to assume that all sites you visit within the same VM knows everything you did in there, but also you have to assume they know all the passwords for all the other sites you visit there and basically have full control over that VM. If you don't assume that, then why are you using Qubes in the first place...
I think what would solve this dilemma is a custom dom0 browser layer. The way this can work is as follows:
* Each identity consists of white-listed domains and HTTPS certificates (like amazon plus all its garbage), bookmarks, history, it's own password & auto-fill store and basically everything else like it's own cookies and the works.
* Trying to visit a non-white-listed website will simply not work without switching identities properly or using a special disposable identity
* Two identities are never used on the same VM
* You always use a new VM for each tab (there is potential for optimization, like sharing a VM per identity as long as this identity has at least one tab still open)
* Each VM is disposable (no home file system sharing) and get's the corresponding identity auto-copied on boot (only the essentials for Firefox)
* The browser gets installed after launch, so no kind of tracking can take place here via installation UUIDs etc.
So the core feature of this dom0 browser is basically identity management and the usual tab-based browser gui with history, settings, etc. But in contrast to what we have now, this dom0 browser will also manage the VMs that run the actual browsers and blit their page view into its dom0 tab.
Is there anything like that under development? Or how would you solve this issue?
Cheers
But that is not the point. First of all, unless your life depends on it, it will be very unlikely that you are actually paying enough attention to where you use which identity. A click on the wrong link can already screw it up because then site X read the tracking data placed on site Y and site X shouldn't know about what you were doing with Y... So you need some sort of white-listing to technically prevent those mistakes. Yes this can be done in different AppVMs and that is exactly what I am proposing here. It's about making what you describe much more convenient without a single drawback in security.
> There's little actual reason to use a hard-separate identity for each
> and every web service you visit; first because they don't usually talk
> to one another (i.e. amazon does not ask facebook for your info, nor
> does this happen the other way around)
Um, that is a bold statement, do you have any data to back that up? Maybe Amazon indeed doesn't talk to Facebook (yet), but no one is stopping them either. Facebook definitely has an interest to read your Amazon visits because this way they can link your true identity to your fake profile... for instance.
> are, in fact, the very same entity (fb and whatsapp, gmail and youtube).
True, and for those you will want to use the same identity (it get's complicated quite quickly which is why I am proposing to aid the user with this chore).
> Third because you usually want to present a "brand" identity of yourself
> around the web. Think of your personal blog or github account presented
> on your linkedin profile: this is a reinforcement of your "brand"
> identity, so you would like to share the connection between your github
> and your linkedin identities.
Maybe, but here we have the same issue again. I have other things in my head than trying to remember which sites shares what data with whom and which idenity I have to use where and which AppVM to start for it, it's just insane... This needs to be much simpler.
> And that's actually the point why I'm replying to your e-mail; this is
> an idea as bad as it gets. The main reason why dom0 does not have
> networking, and should not have, is to prevent exposing data on *all* of
> the VM at once. As a side effect of this, the less software there is on
> dom0 the better.
I think you entirely misunderstand my proposal or maybe I wasn't clear enough. My proposed "dom0" browser has no network at all. In fact, it can't do anything you couldn't do manually already. The point is to automate it. This dom0 browser frontend will know which identity belongs to which domain and which AppVM should be used for each identity and what your passwords & cookies were. It also feeds this data to each AppVm on startup so they can completely be disposable... The "real" browsers still run in AppVMs.
> TL;DR: first, do you really actually need to separate each and every
> identity you use? second, once you realize that many identities can
> co-exist (and indeed, sometimes you would like this to happen) do you
What do you mean by "co-exist"? If I use them at the same time in the same browser/VM I might as well just use one single identity because there is no way to know if either of them wasn't compromised or linked in ways I didn't want. I don't see how identities can co-exist (I am also not talking about sign-in data, I am talking about fake "me"'s, fake people so to speak who consume services to protect the real identity; I simply see no use case of why you ever want to share identities within the same AppVM or browser/site).
> really need that many isolated VMs? third, why would you need to move
> this complexity in dom0?
Because dom0 is the only place where this can meaningfully exist. Think of it as a different way of organizing the AppVM windows (not in the XCFE panel's, but instead as real tabs in a dom0 browser) and a lot of infrastructure code to help you with identity management.
Cheers
> several AppVMs, each one dedicated to a different activity, or as I
> prefer to refer it myself: to different sensitivity levels.
See my reply to Alex, maybe that explains why this is exactly what I was talking about ;).
> - You may have a dedicated Firefox instance still having the infamous
> Flash plugin installed when you need to access some websites requiring
Yes but this could and would be all included in this dom0 browser interface.
> - Use (X)KeePass in a separated, isolated and dedicated AppVM. I suggest
> you to create a "Web" or "Firefox" group, and then create a different
I am using UNIX pass, but it has the same flaw. If you copy passwords this way they won't automatically get purged from the AppVM, which under the assumption that any AppVM is completely compromised at all times, is not much of a big deal, but still it would be nicer if the password was cleared or even better never copied to the clipboard...
Which is why my idea would be to host Mozilla Sync Service in each AppVM and the let the dom0 browser fill this Sync Server with the passwords belonging to the corresponding identity...
> website: you will *not* open this link in the same AppVM but instead
> copy/paste it in your "Random surf" AppVM. Would this site be malicious
Yes but people WILL click the link. It's not a sane assumption to make. Besides it is incredibly annoying to operate this way. I am not some prime target of the NSA ^^, and I doubt many of the people using qubes will be... So you want to be safe, but you still want the convenience... The right way is to block the link, unless it refers to a white-listed domain for this identity. Or even better, pipe it back to dom0 and open it in a new tab & AppVM under the right identity... (this kind of integration is what I am proposing)
> password database is to first hack the forum, and use it as a pivot to
> then be able to hack your computer and get access to your file system.
How he does it is basically immaterial to me as I assume that all AppVMs are evil all the time. The point is to separate them properly so only one identity gets compromised. I want to add that it is generally unlikely that a disposable AppVM with the right configuration will actually be compromised, but it helps to assume them to be to get a better picture of the impact it would have and to minimize that impact.
> (https://addons.mozilla.org/en-US/firefox/addon/secure-login/) so
> Firefox does not dumbly automatically fill any password field without
Yes this looks good.
> like uMatrix or NoScript which allow to better control third-party
Thanks for uMatrix, I didn't know that one. But yes this is pretty much what I imagined also to happen, just in dom0 (which is more trustworthy to me), not in an AppVM.
> It *may* be possible to implement a way to handle different AppVM in
> different tabs instead of different windows, but I'm not sure to see any
> real advantage of this.
The advantage is the same as going back to IE6 times when each tab was its own window and having windows with several tabs in addition to this madness. I don't see how you can not see the advantage of having all browser tabs over all AppVMs organized in a dom0 browser interface as tabs in comparison to having tons of floating windows with sub-tabs each ;).
> instance, personally I set it to not display reduced windows in the
> Alt-Tab menu, so I can focus on the window I am currently working with.
I don't think any of those suggestions really helps with the problem. All in all I think Qubes OS in general lacks a good UI for what it is doing, but I also understand that you have to start somewhere. But in the end the way Qubes does AppVM and identity management at the moment is truly terrible, but it works. All I want to do is to come up with a plan to improve it ^^.
> be useful to have them volatile on a day-to-day basis, and turn them
> non-volatile only to update Firefox's modules or save a change in its
I think the Mozilla Sync Server could be of help here...
> To be honest I did never investigated this, I'm not sure what the
> concrete threats there are.
Are you so sure that your AppVM doesn't have an unique fingerprint that potentially could be exposed via a malicious website, browser extension or the browser? In that case, even using the same base template for disposable VMs could be a privacy disaster (I am not sure Qubes OS has taken any steps, like maybe "Tails", to actually mitigate fingerprinting in disposable VMs)
On top of that have you ever tried to use Panopticlick? Even tails gets more or less uniquely fingerprinted primarily via the non-standard browser window size when it is maximized and also because it seems to apply some uncommon browser settings that maybe only tail users have...
> UUID you really should just use the same UUID as a lot of other people
That requires you to know the UUID, also UUID was more a token for "fingerprintable data", not to be taken literally.
> by using Qubes' bundled Whonix support: this will keep you blended in
> the crowd.
Yes but also dead slow :P. I was more thinking of using separate VPN services for each identity, or maybe even my own VPN server (NSA will likely still be able to cross reference, but at least not my ISP). I don't care much about NSA, since as I said before I am no target for them and the steps I take already make me pretty much invisible in the huge noise (besides mentioning them quite often :D). But I want to basically go "dark" when it comes to normal services and companies.
> Talking about missing features for web-browsing, I would love to see a
> plugin or a solution allowing to open a link in another designated AppVM
> (the "Random surf" VM or a disposable one) with just a right-click
That should be the simplest part of my proposal :D.
Cheers
Well honestly "proposal" is probably too much credit for the time I spent on it so far and I mainly wanted to probe for the idea more. I think I am going to write a true proposal that can actually be reviewed and your input definitely helps to guide that effort, which is also why I asked that question in the first place.
And I am not actually sure I will address a threat model, since it doesn't really do more than you can do manually. It is really more about regaining the convenience while maximizing the additional privacy and security Qubes OS technically provides, you see... But I agree that it is required to be much more specific and clear but I can't do that so quickly in a mail, so I will take this conversation and address the issues raised in a more structured manner ^^.
Thanks & Cheers