/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Display a privacy risk warning when attempting to change anon-whonix's default_dispvm value #3561

Open
andrewdavidwong opened this Issue Feb 10, 2018 · 5 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
  Release 4.1
2 participants
@andrewdavidwong @awokd
@andrewdavidwong
Member

andrewdavidwong commented Feb 10, 2018
edited
Edited 1 time
  • @andrewdavidwong andrewdavidwong edited Feb 10, 2018 (most recent)

Qubes OS version:

R4.0-rc4

Affected TemplateVMs:

whonix-ws

Steps to reproduce the behavior:

In a default R4.0-rc4 installation, launch a DispVM from anon-whonix.

Change anon-whonix's default_dispvm setting to something other than whonix-ws-dvm.

Expected behavior:

The DispVM uses sys-whonix as its NetVM so that its traffic is Torified.

The user is warned about the privacy implications of doing this.

Actual behavior:

The DispVM uses sys-net as its NetVM, resulting in a high risk of deanonymization.

No warning is given.

General notes:

See: QubesOS/qubes-doc#538 (comment)

CC: @adrelanos

@andrewdavidwong andrewdavidwong added bug privacy C: Whonix labels Feb 10, 2018

@andrewdavidwong andrewdavidwong added this to the Release 4.0 milestone Feb 10, 2018

@andrewdavidwong andrewdavidwong referenced this issue in QubesOS/qubes-doc Feb 10, 2018

Merged

Dispvm 4.0 updates #538

@andrewdavidwong

This comment has been minimized.

Show comment
Hide comment
@andrewdavidwong

andrewdavidwong Feb 10, 2018

Member

Looks like we might need confirmation about whether the reported behavior is actually the default:

QubesOS/qubes-doc#538 (comment)

Even if it's not the default, however, it might be worth considering having some kind of warning in case the user gets themselves into this situation.
Member

andrewdavidwong commented Feb 10, 2018

Looks like we might need confirmation about whether the reported behavior is actually the default:

QubesOS/qubes-doc#538 (comment)

Even if it's not the default, however, it might be worth considering having some kind of warning in case the user gets themselves into this situation.
@awokd

This comment has been minimized.

Show comment
Hide comment
@awokd

awokd Feb 10, 2018

Fresh install of R4.0rc4 and anon-whonix's default_dispvm is set to whonix-ws-dvm. netvm on both is set to sys-whonix, so out of the box this is not an issue.
Changing the system default dispvm with qubes-prefs does NOT change default_dispvm in anon-whonix or whonix-ws-dvm.
So it's not a default/out of the box concern, but the system does let people shoot themselves in the foot if they start changing anon-whonix or whonix-ws-dvm values around. I'll revise the the doc PR accordingly.

awokd commented Feb 10, 2018

Fresh install of R4.0rc4 and anon-whonix's default_dispvm is set to whonix-ws-dvm. netvm on both is set to sys-whonix, so out of the box this is not an issue.
Changing the system default dispvm with qubes-prefs does NOT change default_dispvm in anon-whonix or whonix-ws-dvm.
So it's not a default/out of the box concern, but the system does let people shoot themselves in the foot if they start changing anon-whonix or whonix-ws-dvm values around. I'll revise the the doc PR accordingly.
@awokd

This comment has been minimized.

Show comment
Hide comment
@awokd

awokd Feb 10, 2018

However @andrewdavidwong , the Qube Setting GUI is a bit buggy. If I use it to view anon-whonix's default_dispvm on the advanced tab, it claims it's set to the qubes-prefs' default_dispvm, even though it's actually using the value in qvm-prefs anon-whonix default_dispvm. I think there might be a similar issue out there too about the kernel value on this tab.
Also, hitting the drop-down for dispvm only lists default and (none), when I'd expect it to list all templates where template_for_dispvms = true.

awokd commented Feb 10, 2018

However @andrewdavidwong , the Qube Setting GUI is a bit buggy. If I use it to view anon-whonix's default_dispvm on the advanced tab, it claims it's set to the qubes-prefs' default_dispvm, even though it's actually using the value in qvm-prefs anon-whonix default_dispvm. I think there might be a similar issue out there too about the kernel value on this tab.
Also, hitting the drop-down for dispvm only lists default and (none), when I'd expect it to list all templates where template_for_dispvms = true.
@andrewdavidwong

This comment has been minimized.

Show comment
Hide comment
@andrewdavidwong

andrewdavidwong Feb 10, 2018

Member

Thanks for checking and documenting, @awokd. I'll update this issue to be one about footgun protection and open another one for the general Qube Setting GUI buginess.
Member

andrewdavidwong commented Feb 10, 2018

Thanks for checking and documenting, @awokd. I'll update this issue to be one about footgun protection and open another one for the general Qube Setting GUI buginess.

@andrewdavidwong andrewdavidwong added enhancement P: minor and removed bug labels Feb 10, 2018

@andrewdavidwong andrewdavidwong modified the milestones: Release 4.0, Release 4.1 Feb 10, 2018

@andrewdavidwong andrewdavidwong changed the title from DispVMs launched from anon-whonix use clearnet by default to Display a privacy risk warning when attempting to change anon-whonix's default_dispvm value Feb 10, 2018

@andrewdavidwong andrewdavidwong added UX C: qubes-manager labels Feb 10, 2018

@andrewdavidwong andrewdavidwong referenced this issue Feb 10, 2018

Closed

The Qube Settings GUI displays information in a misleading way #3565

andrewdavidwong added a commit to QubesOS/qubes-doc that referenced this issue Feb 10, 2018

@andrewdavidwong
Merge branch 'awokd-patch-6' 
The Whonix-related portion of this patch partially addresses
QubesOS/qubes-issues#3561.
Verified
This commit was signed with a verified signature.
@andrewdavidwong andrewdavidwong Andrew David Wong
GPG key ID: 8CE137352A019A17 Learn about signing commits
d6fbeef

@andrewdavidwong andrewdavidwong referenced this issue Feb 17, 2018

Closed

whonix-ws-based VMs lack the anon-vm tag #3595

@andrewdavidwong

This comment has been minimized.

Show comment
Hide comment
@andrewdavidwong

andrewdavidwong Feb 18, 2018

Member

In #3595 (comment), @mirrorway reports that the one whonix-ws-based VM that happens to be pre-made with the name anon-whonix does not exhibit this problem, but all the subsequent use-created ones do.
Member

andrewdavidwong commented Feb 18, 2018

In #3595 (comment), @mirrorway reports that the one whonix-ws-based VM that happens to be pre-made with the name anon-whonix does not exhibit this problem, but all the subsequent use-created ones do.

@andrewdavidwong andrewdavidwong referenced this issue Feb 18, 2018

Open

DispVMs launched from whonix-ws-based VMs use clearnet by default #3601

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment