-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
(For compactness, I'm simultaneously replying to 7v5w7go9ub0o,
WhonixQubes, and cprise in this email.)
cprise wrote:
>
> On 12/10/14 15:29, WhonixQubes wrote:
>> Hi 7v5w7go9ub0o, I'll try to clear up a few things for you as
>> well.
>>
>>>
>>> Hey Cprise, Trying to understand the "role" of these
>>> templates, vis-a-vis torvm ......
>>>
>>
>> You might be interested in the "Whonix vs. TorVM" section I
>> compiled here:
>>
>>
>> https://www.whonix.org/wiki/Qubes#Whonix_vs._TorVM
>>
>>
>>>
>>> 1. Will whonix/qubes do a better job of protecting my privacy
>>> than torvm? How (e.g. it has more common "signatures"; e.g. one
>>> can more easily select exit nodes; etc.)?
>>>
>>
>> The Tor networking protocol is the same, but Whonix does some
>> extra things to help protect your privacy over Tor.
>>
>> For example, off the top of my head:
>>
>> - OS Fingerprinting considerations
>>
This is excellent and much needed!
>> - Tor Browser for Anti-Web Fingerprinting (with Tor-over-Tor
>> disabled)
>>
I don't see a clear advantage of WhonixQubes over TorVM here, since
Tor Browser can be used with both (and needs to be installed
more-or-less manually in both cases, judging by Joanna's email).
Again, I'm having trouble seeing a clear advantage of WhonixQubes over
TorVM here. (Please see my question on this below.)
>> - more I'm not thinking of right now
>>
>
> I recall skimming the Whonix vs Torvm section myself to find a
> clear advantage... didn't spend much time on it, though, so correct
> me if I'm wrong.
>
> Whonix has the regular sanity checks like time syncing... perhaps
> these could easily be adapted to Torvm. Apart from that, I think
> they are mostly the same when looking at /browser-only/ usage
> (assuming you add Torbrowser to the appvm you use with Torvm).
>
> When *whatever* applications are desired for use over Tor, then
> Whonix has a clear advantage (this is where it shines WRT stream
> isolation and anti-fingerprinting).
>
I agree about the OS-level fingerprinting, but it was my understanding
that the stream isolation in TorVM is already "as good as it gets."
From (https://wiki.qubes-os.org/wiki/UserDoc/TorVM):
> In order to mitigate identity correlation TorVM makes heavy use of
> Tor's new stream isolation feature.
>
> [...]
>
> TorVM SHOULD prevent identity correlation among network services.
>
> Without stream isolation, all traffic from different activities or
> "identities" in different applications (e.g., web browser, IRC,
> email) end up being routed through the same tor circuit. An
> adversary could correlate this activity to a single pseudonym.
>
> By default TorVM uses the most paranoid stream isolation settings
> for transparently torified traffic:
>
> - Each AppVM will use a separate tor circuit (IsolateClientAddr)
> - Each destination port will use a separate circuit (IsolateDestPort)
> - Each destination address will use a separate circuit (IsolateDestAddr)
>
> For performance reasons less strict alternatives are provided, but
> must be explicitly configured.
Assuming the quoted text above is accurate, I fail to see how
WhonixQubes can be superior to TorVM (and probably vice versa) with
respect to stream isolation. Am I missing something?
> The price you pay is some extra/distracting dialog windows now and
> then, and about 6GB extra disk space used (vs the case where you
> use a regular template for Torvm). I think the Whonix team will
> reduce the required disk space eventually.
>
>>
>>>
>>> 2. Is the Whonix HVM "harder" and/or more "break-in-proof" than
>>> would be a standard Qubes dispvm or appvm? If yes, is this
>>> because it is smaller and leaner? or perhaps grsecurity/selinux
>>> kernel?
>>>
>>
>> Not sure about a comparison of these.
>>
>> There is some AppArmor available in Whonix.
>>
>>
>> https://www.whonix.org/wiki/AppArmor
>>
>> Not sure what isolation measures exist inside of standard Qubes
>> VM OSes.
>>
AFAIK, none, but this is a conscious design decision.
> Since I'm not necessarily in the lean-ness = better security camp
> when it comes to Qubes templates, it's probably not a good question
> for me to answer, either. Especially when it comes to mere apps...
> I think you have to look at breaking integrations that make the
> admin/user experience rewarding when removing features that may
> actually increase risk. But Qubes was created expressly in
> avoidance of security-through-minimalism.
>
> Qubes could have been named "Spheres" instead because spheres that
> are bundled together necessarily touch each other with minimal
> surface area, yet this doesn't stop each sphere from being *ahem*
> /well-rounded/ (i.e. feature rich).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
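
The grouping rule described in the quoted TorVM documentation, as an added example that is not part of the original email or of TorVM's code: a simplified Python model in which two streams may share a circuit only when they agree on every attribute named by an enabled isolation flag. It ignores circuit lifetime and all other Tor circuit-selection logic, and the addresses and hostnames are constructed sample values.

```python
from collections import defaultdict
from typing import NamedTuple

class Stream(NamedTuple):
    client_addr: str   # AppVM's internal IP as seen by the Tor gateway (assumed)
    dest_addr: str
    dest_port: int

# Stream attribute each isolation flag keys on (flag names from the quoted doc).
FLAG_FIELDS = {
    "IsolateClientAddr": "client_addr",
    "IsolateDestAddr": "dest_addr",
    "IsolateDestPort": "dest_port",
}

def assign_circuits(streams, flags):
    """Group streams into circuits: streams share a circuit only if they
    agree on every attribute named by an enabled isolation flag."""
    circuits = defaultdict(list)
    for s in streams:
        key = tuple(getattr(s, FLAG_FIELDS[f]) for f in sorted(flags))
        circuits[key].append(s)
    return list(circuits.values())

def cross_vm_circuits(circuits):
    """Circuits carrying traffic from more than one AppVM, i.e. places
    where separate identities could be correlated."""
    return [c for c in circuits if len({s.client_addr for s in c}) > 1]

# Constructed sample: two AppVMs behind one Tor gateway.
STREAMS = [
    Stream("10.137.2.10", "mail.example.org", 993),
    Stream("10.137.2.10", "mail.example.org", 587),
    Stream("10.137.2.10", "irc.example.net", 6697),
    Stream("10.137.2.11", "mail.example.org", 993),
]

if __name__ == "__main__":
    for flags in ([], ["IsolateClientAddr"], list(FLAG_FIELDS)):
        circs = assign_circuits(STREAMS, flags)
        print(flags or "no isolation", "->", len(circs), "circuits,",
              len(cross_vm_circuits(circs)), "shared across AppVMs")
```

In this model, dropping IsolateClientAddr while keeping the two destination flags puts both AppVMs' connections to the same mail server on one circuit, which is the correlation case the quoted documentation warns about.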