Update checking over clearnet instead of Tor?
63 views
Skip to first unread message
Lorenzo Lamas
Apr 1, 2019, 7:24:45 AM4/1/19
to qubes-users
I have set my templateVM's to update over Tor. Even when sys-whonix isn't running, the update Widget shows that there are new updates, so that must mean it checks over clearnet? I think I've also seen this with R3.2, when Qubes Manager showed the updates icon even though there was no sys-whonix running.
There should be a warning on installation when enabling updates over Tor that it still checks over clearnet, or the checking should be disabled by default when the user enables updates over Tor. It would also be nice to have a warning in the Updates section in Global Settings in Qube Manager.
There should be a warning on installation when enabling updates over Tor that it still checks over clearnet, or the checking should be disabled by default when the user enables updates over Tor. It would also be nice to have a warning in the Updates section in Global Settings in Qube Manager.
unman
Apr 1, 2019, 8:43:41 AM4/1/19
to qubes-users
On Mon, Apr 01, 2019 at 04:24:45AM -0700, Lorenzo Lamas wrote:
> I have set my templateVM's to update over Tor. Even when sys-whonix isn't running, the update Widget shows that there are new updates, so that must mean it checks over clearnet? I think I've also seen this with R3.2, when Qubes Manager showed the updates icon even though there was no sys-whonix running.
> There should be a warning on installation when enabling updates over Tor that it still checks over clearnet, or the checking should be disabled by default when the user enables updates over Tor. It would also be nice to have a warning in the Updates section in Global Settings in Qube Manager.
>
It is the qubes that perform update checks and then notify dom0
> I have set my templateVM's to update over Tor. Even when sys-whonix isn't running, the update Widget shows that there are new updates, so that must mean it checks over clearnet? I think I've also seen this with R3.2, when Qubes Manager showed the updates icon even though there was no sys-whonix running.
> There should be a warning on installation when enabling updates over Tor that it still checks over clearnet, or the checking should be disabled by default when the user enables updates over Tor. It would also be nice to have a warning in the Updates section in Global Settings in Qube Manager.
>
accordingly. So if you have a qube connected to clearnet it will check
over clearnet.
You can disable this in clearnet connected qubes - it's the
qubes-update-check service.
Or you can disable globally in qubes-global-settings.
unman
haaber
Apr 1, 2019, 4:19:57 PM4/1/19
to qubes...@googlegroups.com
>
> It is the qubes that perform update checks and then notify dom0
> accordingly. So if you have a qube connected to clearnet it will check
> over clearnet.
> You can disable this in clearnet connected qubes - it's the
> qubes-update-check service.
> Or you can disable globally in qubes-global-settings.
So do I understand that correctly: if I have, say, a debian-XYZ AppVM on
> It is the qubes that perform update checks and then notify dom0
> accordingly. So if you have a qube connected to clearnet it will check
> over clearnet.
> You can disable this in clearnet connected qubes - it's the
> qubes-update-check service.
> Or you can disable globally in qubes-global-settings.
clearnet it will check if the corresponding template needs an update,
unless I de-activate the qubes-update-check service? Thank you
unman
Apr 1, 2019, 8:19:17 PM4/1/19
to qubes...@googlegroups.com
haaber
Apr 1, 2019, 10:21:33 PM4/1/19
to qubes...@googlegroups.com
seems to me to render "aimed attacks" on *my* machine much harder. Is
that a misconception?
Assuming that 'yes', an attacker would typically see clearnet apt-update
preceding a tor-based upgrade -- and could be made a reasonable guess
*who* is upgrading (I don't think there are millions of qubes copies
running, right?). This opens a (admittedly) small, probability-based
attack surface, that comes only with small gain, if ever. Do you agree?
Why wouldn't this also be handled by sys-whonix by default if sys-whonix
is used for upgrades?
Marek Marczykowski-Górecki
Apr 2, 2019, 11:51:15 AM4/2/19
to haaber, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Tue, Apr 02, 2019 at 01:20:54PM +1100, haaber wrote:
> > On Tue, Apr 02, 2019 at 07:19:46AM +1100, haaber wrote:
> > >
> > > So do I understand that correctly: if I have, say, a debian-XYZ AppVM on
> > > clearnet it will check if the corresponding template needs an update,
> > > unless I de-activate the qubes-update-check service? Thank you
> >
> > Yes
> >
>
> Oups ! To me, one of the points of using tor as upgrade-transport-layer
> seems to me to render "aimed attacks" on *my* machine much harder. Is
> that a misconception?
> Assuming that 'yes', an attacker would typically see clearnet apt-update
> preceding a tor-based upgrade -- and could be made a reasonable guess
> *who* is upgrading (I don't think there are millions of qubes copies
> running, right?). This opens a (admittedly) small, probability-based
> attack surface, that comes only with small gain, if ever. Do you agree?
The updates _check_ only needs to download repository metadata, not
actual packages. Qubes based on a template do that from time to time,
using own network connection and report if there are any updates
available.
When you actually download and install those updates (over Tor) in the
template is up to you, it isn't immediately after checking if something
is available, so time based correlation isn't really an issue here.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlyjhOoACgkQ24/THMrX
1yzrVgf/cpAa8ZF7aw1UUkMVW3L+YndBFVOmH0vG1XZ1ppQ3RqG/5OpZnG+eSaQV
l2iyMMWpSDKY6niHEEhXIHBGO17ABmZcybvMe8jGtovm6e+kwRa1ef1yarSI3aLL
W2IcAFoo2XYRVpO+/sGWFD0WHNdIzqcVVNK5o45MKnJPgb+ZQ3+Wg7h9nbU3NCMh
zTlUHjW59gGgx1IKtylc69IM/zgBxKysfrC6SuTRTid2YGpUNfqyMR+oj+FEa2W9
VMoySbjOUnAxrOydvFyUL8vTZ/w1rDNpGAoWyUBcCoUmpDW9ZdfCCYuO1l2fWbE6
SZexjBIGsEzKbDfm2dD9HQT4VPicbQ==
=bswd
-----END PGP SIGNATURE-----
Hash: SHA256
On Tue, Apr 02, 2019 at 01:20:54PM +1100, haaber wrote:
> > On Tue, Apr 02, 2019 at 07:19:46AM +1100, haaber wrote:
> > >
> > > So do I understand that correctly: if I have, say, a debian-XYZ AppVM on
> > > clearnet it will check if the corresponding template needs an update,
> > > unless I de-activate the qubes-update-check service? Thank you
> >
> > Yes
> >
>
> Oups ! To me, one of the points of using tor as upgrade-transport-layer
> seems to me to render "aimed attacks" on *my* machine much harder. Is
> that a misconception?
> Assuming that 'yes', an attacker would typically see clearnet apt-update
> preceding a tor-based upgrade -- and could be made a reasonable guess
> *who* is upgrading (I don't think there are millions of qubes copies
> running, right?). This opens a (admittedly) small, probability-based
> attack surface, that comes only with small gain, if ever. Do you agree?
actual packages. Qubes based on a template do that from time to time,
using own network connection and report if there are any updates
available.
When you actually download and install those updates (over Tor) in the
template is up to you, it isn't immediately after checking if something
is available, so time based correlation isn't really an issue here.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlyjhOoACgkQ24/THMrX
1yzrVgf/cpAa8ZF7aw1UUkMVW3L+YndBFVOmH0vG1XZ1ppQ3RqG/5OpZnG+eSaQV
l2iyMMWpSDKY6niHEEhXIHBGO17ABmZcybvMe8jGtovm6e+kwRa1ef1yarSI3aLL
W2IcAFoo2XYRVpO+/sGWFD0WHNdIzqcVVNK5o45MKnJPgb+ZQ3+Wg7h9nbU3NCMh
zTlUHjW59gGgx1IKtylc69IM/zgBxKysfrC6SuTRTid2YGpUNfqyMR+oj+FEa2W9
VMoySbjOUnAxrOydvFyUL8vTZ/w1rDNpGAoWyUBcCoUmpDW9ZdfCCYuO1l2fWbE6
SZexjBIGsEzKbDfm2dD9HQT4VPicbQ==
=bswd
-----END PGP SIGNATURE-----
Lorenzo Lamas
Apr 4, 2019, 3:59:13 PM4/4/19
to qubes-users
Thanks unman!
Reply all
Reply to author
Forward
0 new messages