The Qubes machine is sharing its Internet connection.
Let's say the Qubes machine gets hit with a DMA attack.
The 2nd laptop is not a Qubes machine, and therefore doesn't have VT-d for DMA protection.
Can the DMA attack be "carried forward" to the 2nd laptop... or is it killed for good by the Qubes machine?
Or just allow only HTTPS in the VM firewall settings.
I do HTTPS only on most of my VMs. Of course nothing is 100%, but I'm not sure if you are saying that would make me more vulnerable? I believe this is common Qubes practice among even the devs.
What extra benefits would the HTTPS Everywhere plugin have over the firewall? I do use this plugin on the VMs that aren't restricted to only HTTPS; I also use uBlock Origin. I also always use NoScript or ScriptSafe on all VMs. But are there extra settings to use in HTTPS Everywhere? Because all I thought it did was verify certs with the FSF. I use it on all my machines and maybe I'm missing the setting to stop HTTP connections, but I think the firewall is all you need and separate from the browser itself.
But blocking everything but HTTPS is helpful not just against MITM, but also, for example, in your email VM where you don't want to accidentally click a bad link. So if there is some sketchy non-HTTP link, you would be forced to copy it to a less privileged VM to open it.
Oh, I see now there is the feature in the plugin I've never used lol. I still think it's unnecessary if you are already blocking that traffic with the firewall, especially if that plugin or browser is compromised, especially with the latest news about Firefox plugins. For example, NoScript itself is considered a vulnerability on Firefox now.
Good points. Yes, seems like a good idea to do both.