[Whonix-devel] [qubes-devel] Whonix 15.0.0.3.6 - Development Discussion and Testers Wanted! introduction of sdwdate-gui; Tor Browser first startup popup, disabled whonixcheck “Connecting to Tor…” passive popup

Marek Marczykowski-Górecki marmarek at invisiblethingslab.com
Fri Aug 9 13:18:54 CEST 2019 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, Aug 09, 2019 at 08:00:00AM +0000, Patrick Schleizer wrote:
> The Whonix 15.0.0.3.6 release comes with numerous security enhancements,
> usability improvements and minor bugfixes. [1] The purpose of this post
> is to discuss potentially controversial changes as well as to call for
> testers.
> 
> Potentially controversial changes:
> 
> ##########
> 
> - add Tor Browser first startup popup to ask whether security slider
> should be set to safest [2] [3] - Qubes users will be asked that when
> creating a new Whonix-Workstation AppVM and each time they start a
> DispVM - unless they preseed the answer to the question by changing a
> configuration file as described in the popup.

A popup on every Whonix-based DisposableVM start is an issue. What about
bypassing it in DispVM? Persistent compromise is less of an issue in
DisposableVM, but on the other hand JS could still be used for some
fingerprinting.
Alternative idea: have a firstboot wizard that preseed it in
DisposableVM template. Basically the same thing but only saving the
setting without starting the actual browser. Then we could think how to
integrate it into Whonix installation / update, and fresh Qubes
installation.
Yet another idea, from [2]: use two menu entries for DisposableVM case
specifically. It isn't clear to me how to distinguish it at menu level,
but it shouldn't be hard to figure out (qubes menu scripts change may be
needed).

> ##########
> 
> - disable whonixcheck “Connecting to Tor…”, “Connected to Tor.” messages

No notifications at all? Ok. (I need to adjust tests for this change)
- From time to time, there is also big whonixcheck dialog when it timeout.
Does this change applies to that dialog too?

> - In favor of sdwdate-gui. whonixcheck connectivity check code checks
> Tor as well as sdwdate. Due to Tor/onion slowness it often times out.
> Since improving that code [4] is difficult, sdwdate-gui is used instead
> as a solution that provides better visual feedback to users.
> 
> ##########
> 
> - Start sdwdate-gui [5] [6], which is a systray by default in
> Whonix-Gateway.
> 
> ##########
> 
> - Due to sdwdate-gui, Qubes-Whonix who use multiple Whonix-Gateway [7]
> should note updated instructions for multiple Whonix-Workstation [8] due
> introduction of sdwdate-gui. Essentially, Whonix-Workstation's using any
> Whonix-Gateway named other than sys-whonix need to configure their
> Whonix-Workstation by declaring the name of their Whonix-Gateway VM.
> 
> Sparing users from needing to change this setting would require upstream
> Qubes feature request "way to find out name of gateway from witin VM -
> qubesdb-read /qubes-gateway-name to get implemented" [9] or some other
> solution.
> 
> Not following these instructions would lead to the following confusion.
> Someone who didn't start sys-whonix, starting an AppVM using
> sys-whonix-two would wonder why sys-whonix gets started. It would get
> started by Qubes qrexec. The sdwdate-gui entry for that AppVM would be
> registered in sys-whonix's sdwdate-gui rather than in sys-whonix-two's
> sdwdate-gui.
> 
> I have no idea how many users will be affected. How many are using
> multiple Whonix-Gateway.
> 
> Since the name of the VM running sdwdate-gui is currently pre-configured
> to sys-whonix, I am wondering if sdwdate-gui should run in any other VM
> by default? Do we already have any VM running in Qubes anyhow that would
> be more suitable?

Hmm, I have two thoughts about it:
1. Isn't exposing Whonix Gateway name leaking some potentially
de anonymization info? It can be retrieved only after full compromise of
that VM (command execution), but still.

2. How about using TCP socket for it instead? It would naturally go to
the right Whonix Gateway, without any auxiliary VM name discovery
needed. Since Whonix Workstation has access to this service and network
access to Whonix Gateway anyway, it shouldn't significantly affect
attack surface.
2a. This could break if you put something between Whonix Workstation and
Whonix Gateway (for example VPN). But in that case automatic discovery
of netvm would break too.

> ##########
> 
> Testers wanted!
> 
> How to test?
> 
> Switch to testers repository.
> 
> https://www.whonix.org/wiki/Project-APT-Repository
> 
> Upgrade as usual.
> 
> Cheers,
> Patrick
> 
> [1] (The release announcement is VirtualBox specific but the changelog
> applies to Qubes-Whonix users using Whonix testers repository equally.)
> https://forums.whonix.org/t/whonix-virtualbox-15-0-0-3-6-testers-wanted-stronger-linux-user-account-isolation-and-more-hardening/7891
> 
> [2]
> https://forums.whonix.org/t/add-tor-browser-first-startup-popup-to-ask-whether-security-slider-should-be-set-to-safest/7591
> 
> [3]
> > **First Start of Tor Browser (AnonDist) - Security vs Usability
> Trade-off**
> >
> > In the stock Tor Browser configuration, JavaScript is enabled by
> default for greater usability. The Tor Project provides a rationale for
> this decision.
> >
> > The producers of Tor Browser decided the security slider setting to be
> set to "Standard" by default. Quote Tor Browser Manual:
> >
> >> You can further increase your security by choosing to disable certain
> web features that can be used to attack your security and anonymity. You
> can do this by increasing Tor Browser's Security Settings in the shield
> menu. Increasing Tor Browser's security level will stop some web pages
> from functioning properly, so you should weigh your security needs
> against the degree of usability you require.
> > This popup question does not restrict your freedom to change security
> slider settings at any time.
> >
> > Responsible for this popup question is Tor Browser Starter by Whonix
> developers. It is an usability feature, which might break in future.
> Therefore the user is advised to verify that the security slider has the
> expected setting. Please donate!
> >
> > Preseeding:
> >
> > It is possible to avoid this popup question by preseeding the answer
> to it. For that create a file /etc/torbrowser.d/50_user.conf with the
> follow contents, if you want to answer "Yes".
> >> tb_security_slider_safest=true
> > Or if you want to answer "No".
> >> tb_security_slider_safest=false
> >
> > Technical Details:
> >
> > This script is: /usr/bin/torbrowser
> > Function: tb_security_slider
> > All this would do is copying file
> /usr/share/torbrowser/security-slider-highest.js to
> /var/cache/tb-binary/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js.
> 
> > cp /usr/share/torbrowser/security-slider-highest.js
> /var/cache/tb-binary/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/user.js
> >
> > **Set Tor Browser Security Slider to Safest?**
> 
> [4]
> https://github.com/Whonix/whonixcheck/blob/master/usr/lib/whonixcheck/check_tor_bootstrap.bsh
> 
> [5] https://www.whonix.org/wiki/sdwdate-gui
> [6] https://github.com/Whonix/sdwdate-gui
> 
> [7] https://www.whonix.org/wiki/Multiple_Whonix-Gateway
> [8] https://www.whonix.org/wiki/Multiple_Whonix-Workstation#qubes
> 
> [9] https://github.com/QubesOS/qubes-issues/issues/4117
> 

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl1NVp0ACgkQ24/THMrX
1yzY8wf9ETq0/eG8DzeM3tvKcjLODU58aKiXouIlljVB3xM07sXZ3+9hCOO0AqMm
02fxd39lllgfKo/ZOt2/DVpMMdkKG39AluK3Zy5SMeQNiyjHIUJ89XqoCwGBMor3
vTisk7KHwuHj+79yoBKeSsXEb13Vfts/okmppeVBCWi11aRiK8t3UmHrkvPa33AW
vZmeGb/GJrnj05ucKo6SvVkfZLPt3DJgs+XvhLeD21Xl5VQcjn2aUUFDqw5XaaQN
gq0snKzzL/DahfMoMgZ+LuX3oZSMOIY8Z1ZGkCZhAG3JHoIegydMxsuGB2UheP75
OPcl+Y7DT0fWMN+OOITPqddNCX6YWA==
=PvHD
-----END PGP SIGNATURE-----

More information about the Whonix-devel mailing list