Your Battery is syping on you...

111 views
Skip to first unread message

'109384'019834'09128'340932189

unread,
Nov 2, 2016, 5:49:23 PM11/2/16
to qubes-users
Hello,

in Q the Firefox battery fingerprinting is enabled.

https://blog.lukaszolejnik.com/battery-status-readout-as-a-privacy-risk/

Manual you might disable it:

1. start Firefox
2. open the URL about:config
3. scroll down to dom.battery.enabled and disable this feature

It would be nice if the DispVM has running a Firefox, which don't support the fingerprinting (or even better, a real secure-browser...)

Kind Regards

Marek Marczykowski-Górecki

unread,
Nov 2, 2016, 6:46:32 PM11/2/16
to '109384'019834'09128'340932189, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Whatever Firefox provides there, it has no access to actual (hardware)
battery information.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYGmzEAAoJENuP0xzK19csDN4H+QG4jQFTZ5wYQR1o0Cx3mQOl
ffntx7o5ak4to29M476mLz3OxK8cNmtb9S9ZjfPN8lQ8XY5f5wILdFXkTCmoyJND
hPAjCLhARdCHtJ4Q5a0ulSkzZ1k0X/89Mmbk8YgVl11PDod/Q3D0whDu2Mqlofgj
++m40KV+ju2E+LmHkwtR4abC5G9kPq8+8nvnxCsD0PdPhTdBCeb0cpRNZCg9LYCR
FTLIAeZYZhBrlmuk7DKK9TbMeaZEBUmbJlBg87EHSFlkd7G+LhXoBxBruRHeMaVI
Og9ecbny7w8nkZBfgI7qY+mbZlrjEaUols7/xyvm+XIB1LBEiEyi7Bvp7FJXQnw=
=MfmD
-----END PGP SIGNATURE-----

Andrew David Wong

unread,
Nov 3, 2016, 12:54:25 AM11/3/16
to '109384'019834'09128'340932189, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-11-02 15:46, Marek Marczykowski-Górecki wrote:
> On Wed, Nov 02, 2016 at 02:49:23PM -0700, '109384'019834'09128'340932189 wrote:
>> Hello,
>
>> in Q the Firefox battery fingerprinting is enabled.
>
>> https://blog.lukaszolejnik.com/battery-status-readout-as-a-privacy-risk/
>
>> Manual you might disable it:
>
>> 1. start Firefox
>> 2. open the URL about:config
>> 3. scroll down to dom.battery.enabled and disable this feature
>
>> It would be nice if the DispVM has running a Firefox, which don't support the fingerprinting (or even better, a real secure-browser...)
>
> Whatever Firefox provides there, it has no access to actual (hardware)
> battery information.
>

Furthermore, you should *not* expect privacy when using vanilla Firefox, even in a DispVM. For that, you should use Whonix.

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJYGsLrAAoJENtN07w5UDAw2t0QAMBA3lgsCzRlMaCjXIE2b6wN
kVG5ILojLp82bRMTf54PL5608CutuZ09EWkZJRx2H74Q46xj3U2SaOK3DXPqVH1w
YYBdkw7pE9wvzi8ixONO3iS44IX/MR6s8e9IQZ7YvQHNXz+KSHgt4QqUVzpy9Mj5
P7Lqkk1tk020DGFee/rwZHxUQFbMmlWh2QvwOTdKdDHjBxe4MQRC42RGj2FuF1u+
V9kKE2Tt61/roCNbRJVQigb1/wW8fl5DXr12MPZb5ov3i1HG6AMXGOh7GaXWmb/J
5BmiWmjsY0ysq2+1hVeKXN5OWrrHCOCF5fxjBsuiSbQNLJBc2vuEj+L/b3FkZYm2
6uWe8WXZ14PzqygfiOS2p+REhx9KT6YT2fbME09P7PWuWaxZfxLeU+iEi3/N3tnc
RlyEoOfogP/bOQGYTnK/+MAvuNbqbRUd23lrGiVtNE1oHiVddj+BrT1NRl2JVWEs
icJorJjMCVkeKnIyaA1SJ2o636Mvxo9bqBTsgUvXRMLfRQH2MgWo/ebnLX7EVLvV
/9JsHuM/pdj3XLR6zew3AZbq85r0S8ICwwgLAok8zFMbT9+eT2vAHmQUDRwkyjCP
KzWLSN/VZ4g5Yo+1iJMupfX0Qnydc1CR25nRqEv229JBEO/EOTqWcZVemnfsuNRw
In2pOaLu1M7M7u62n0P3
=LPBb
-----END PGP SIGNATURE-----

198730178489710317470139

unread,
Nov 4, 2016, 4:32:52 PM11/4/16
to qubes-users
Hello,

good to know that Firefox and other mainstream-browser's spy-features don't work inside the Q-VMs.

But here are many ways to find out, who is sitting in front of the screen, without get logged in, e.g. also keyboard-typing-patterns and mouse movements...

So for ebanking and free of digital dicriminating shopping I should use Whonix?
And must I run the Tor network in the background, or can I use Whonix also just as the Qubes Secure Browser?

The browser is normally the direct interface to the network, so there might be many reasons, why some organisations have a huge interesst to get this pice of software under their control - instead that you control your laptop (& software).

Today there are many "Secure Browser", e.g. like Kaspersky on the market and every browser claims to be more secure than the competitor (on another definition of security in the background).

For eBanking it would be a nice solution, if the bank offers a digital counter behind the first banking firewall and you can reach this terminal via an screensharing from a safe endpoint and the screensharing has some embedded authentification and strong enryption in place.

But 2016 this sounds like science fiction.

So I thought some good robust Secure Browser, which by the way only need some basic navigation (videos are here not in the scope) and could be more slim and robust than any mainstream browser.

Thanks and Kind Regards

Manuel Amador (Rudd-O)

unread,
Nov 4, 2016, 10:08:19 PM11/4/16
to qubes...@googlegroups.com
Battery access to the system battery is disallowed because the DispVM /
AppVM does not have access to the hardware.


--
Rudd-O
http://rudd-o.com/

Manuel Amador (Rudd-O)

unread,
Nov 4, 2016, 10:11:42 PM11/4/16
to qubes...@googlegroups.com
On 11/04/2016 08:32 PM, 198730178489710317470139 wrote:
> Hello,
>
> good to know that Firefox and other mainstream-browser's spy-features don't work inside the Q-VMs.
>
> But here are many ways to find out, who is sitting in front of the screen, without get logged in, e.g. also keyboard-typing-patterns and mouse movements...
>
> So for ebanking and free of digital dicriminating shopping I should use Whonix?

For ebanking you want to use a normal AppVM that does not have the
Whonix stuff. They will fingerprint you.

For shopping you want to use a separate normal AppVM that does not have
the Whonix stuff. They will fingerprint you.

BUT

Those fingerprints will be different and so sites you visit on your
shopping VM will not know about your banking habits in any way, and vice
versa.

For regular browsing you want to have a separate VM that has hardened
settings and uses stuff like User Agent Spoofer with all the Firefox
fingerprinting settings disabled (battery, gamepad, audio, WebGL, et
cetera), as well as uMatrix to disable HTTP requests that you have not
authorized. This VM can totally be a Whonix browser + Tor combo. I
think I will post a guide for that soon enough.

Just remember: Don't bank where you surf, don't shop where you bank,
don't surf where you shop.


--

Rudd-O
http://rudd-o.com/

021'049528'0943582'094358'0924358098

unread,
Nov 6, 2016, 2:41:23 AM11/6/16
to qubes-users
Hello Rudd-O,

many times technology can be used in both sides good and e*

My first concern with this internet and lack of IT-security is, that in some main-stream browsers you have enough backdoors to book in the second you type in your credit-card information in parallel for you on another place with a another delivering-address of course...

In my eyes a hard browser focused to the financial goals of the owner will be quite helpful in this crazy internet game.

Tor, I'm afraid will be also a perfect tool to deliver a hidden command and control structure (e.g. my QR31 was not updating anything any more...).

"Of the top twenty most popular Tor addresses, eleven are command and control centres for botnets, including all of the top five."

https://www.technologyreview.com/s/519186/security-flaw-shows-tor-anonymity-network-dominated-by-botnet-command-and-control/

So Tor will be useful on a live-QubesOS DVD in a dual mode, if you need Whonix browser + Tor Features, e.g. for security-research without the tracing features of the network.

It's so hard to get an coherent picture about the good and robust internet infrastructure. Perhaps a new kind of network will get this straight out of the box.... one day in the far far future...

A how to do banking, shopping ans surfing-guide will be quite helpful to get a solid baseline towards a better safe internet-experience.

Thanks and Kind Regards

Reply all
Reply to author
Forward
0 new messages