QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

Enable Torified updates by default in installer and remove "experimental" label #2604

Closed mfc closed 7 years ago

mfc commented 7 years ago

The level of adoption of torified system updates is painfully low and not increasing in percentage, according to the stats.

This is primarily due to it not being the default. The level of adoption for a USB qube is probably similarly low because it is not the default. This is a real shame because it is one of the main differentiating points for Qubes.

I think these features have been "out" for long enough that we should remove the "experimental" tag from their description in the firstboot screen. In addition, the USB qube and torifying updates should be selected as default, with adequate descriptive text so that users can make an informed decision about whether they want the default or to change it.

marmarek commented 7 years ago

Removing the "experimental" tag indeed may be a good idea. But I'm strongly against enabling routing all the traffic through tor (this is what that option is about - it isn't only about updates). While it may make some targeted attacks harder, in the majority of use cases it will only greatly degrade user experience.

Do we need an option to download updates (only) over tor? Maybe.

mfc commented 7 years ago

routing all the traffic through tor (this is what that option is about - it isn't only about updates)

I don't think that's an accurate representation of what happens. Even if you select this option ("route all traffic through tor [experimental]"), the default qubes that get created and their networking are:

What it does do is make the default networkvm for a new qube sys-whonix, which can be modified in the creation screen they are in.

marmarek commented 7 years ago

Indeed. Anyway, it isn't only about updates currently. And actually IMO the current situation is buggy, as it is neither "everything" nor "updates only".

mfc commented 7 years ago

yes agreed. So I would say:

Default:

Option presented to user:

andrewdavidwong commented 7 years ago

with adequate descriptive text so that users can make an informed decision about whether they want the default or to change it

This is a good candidate for an explanatory tooltip (#2211).

Option presented to user:

  • [x] Enable system updates over the Tor anonymity network

Perhaps also:

For some people, using Tor at all is dangerous, illegal, or simply against corporate policy. For such users, there may be no point in installing the Whonix TemplateVMs at all, since they will never be used; doing so may just be a liability.

marmarek commented 7 years ago

Perhaps also:

Install Whonix TemplateVMs.

For some people, using Tor at all is dangerous, illegal, or simply against corporate policy. For such users, there may be no point in installing the Whonix TemplateVMs at all, since they will never be used; doing so may just be a liability.

This is already possible in software selection before installation. You can opt-out from installing those templates, and then Whonix-related options in firstboot are inactive.

andrewdavidwong commented 7 years ago

This issue combines two distinct things, so I'm branching the USB qube issue off into a separate ticket: #2665.

mfc commented 7 years ago

@marmarek with whonix set to be included in 4.0-rc2, are we in a position to implement this as well? From your previous comment it looks like you have the logic of it already figured out.

marmarek commented 7 years ago

Yes, I think we can drop the "experimental" label. But I'm still not sure about enabling it by default. For most people the disadvantages of this (slow updates, timeouts, etc.) may be greater than the advantages (mitigation against targeted attacks). @rootkovska @andrewdavidwong ?

andrewdavidwong commented 7 years ago

But I'm still not sure about enabling it by default. For most people the disadvantages of this (slow updates, timeouts, etc.) may be greater than the advantages (mitigation against targeted attacks).

I think that's a reasonable assessment. If it's enabled by default, there may be a lot of people who don't realize they're using it, and they may attribute the slowness to something else or simply be unhappy with their user experience as a result. I think we should just explain the trade-off to the user (e.g., in an explanatory tooltip).

rootkovska commented 7 years ago

Agree, we should not enable Tor updates by default. This option is useful/attractive only to specific groups of Qubes users, not all.

mfc commented 7 years ago

I think if the Whonix templates are selected for installation, then torified system updates should be enabled by default.

rootkovska commented 7 years ago

I think if the Whonix templates are selected for installation, then torified system updates should be enabled by default.

I don't agree. Lots of people might want to install Whonix just out of curiosity, or because "maybe I will use it sometime in the future". We should not automatically force them into Torified updates.

h01ger commented 7 years ago

On Wed, Sep 20, 2017 at 12:55:26AM -0700, Joanna Rutkowska wrote:

I don't agree. Lots of people might want to install Whonix just out of curiosity, or because "maybe I will use it sometime in the future". We should not automatically force them into Torified updates.

agreed. I want my whonix templates updated via tor, but not others.

-- cheers, Holger

mfc commented 7 years ago

agreed. I want my whonix templates updated via tor, but not others.

we are talking about system updates, not template updates.

I find folks' positions perplexing, given that using Tor for system updates improves the security position of the user, which I would have thought a security-focused OS would want to encourage users to adopt, assuming they are interested in using Tor in the first place.

It also reduces the personal information collected by Qubes servers (and other repo servers) of Qubes users (and the intermediaries who see the HTTP traffic), which I imagine would be a benefit towards reducing how much the user has to trust the Qubes team (and others). This usually is a "theme" of Qubes development practice but I guess not in this case?

But apparently I'm in the minority and not going to belabor this point now.

@marmarek have you changed the wording of the option to be more accurate, as previously discussed in this thread? From "route all traffic through tor [experimental]" to "Enable system updates over the Tor anonymity network using Whonix". If so, then we can keep this closed.

andrewdavidwong commented 7 years ago

I find folks' positions perplexing, given that using Tor for system updates improves the security position of the user, which I would have thought a security-focused OS would want to encourage users to adopt, assuming they are interested in using Tor in the first place.

Torified updates do improve the security position of the user, but the security benefits may not be great enough to outweigh the costs for most users (slow and failed updates, Tor being illegal or against workplace policy, etc.). For example, one of the primary security benefits of Torified updates is that it prevents attackers from selectively withholding updates from you based on your external IP address. But this security benefit is not on par with the core security benefits Qubes provides, e.g., VM isolation. Whereas there isn't any easy way to get secure VM isolation with full integration on a single desktop without Qubes, there are several easy ways to get around selectively withheld updates (e.g., updating from a different location or simply learning of the updates from somewhere else, like a mailing list or social media). The security benefits provided by Torified updates, while valuable, are not essential to the fundamental security goals of Qubes. It makes sense to get them when they're cost effective, but they may not be cost effective for many users. (By contrast, it would never make sense for Qubes to give up on VM isolation due to cost, since that's the whole point of Qubes. If it's too costly for a given use case, it just means Qubes isn't appropriate for that use case, probably because the use case doesn't require much security.)

It also reduces the personal information collected by Qubes servers (and other repo servers) of Qubes users (and the intermediaries who see the HTTP traffic), which I imagine would be a benefit towards reducing how much the user has to trust the Qubes team (and others). This usually is a "theme" of Qubes development practice but I guess not in this case?

Collecting less personal information is also desirable in this case, but again, it's not worth the cost for many users. For those users, we would be collecting less information from them by forcing them to have slow or broken updates or jeopardizing other areas of their lives by getting them flagged as Tor users in places where being a Tor user is dangerous. (Again, I'm only talking about users for whom the tradeoff isn't worth it.) The idea is that if this group constitutes a large portion of our userbase, it's probably not worth turning on Torified updates by default. We'd be doing more harm than good.

mfc commented 7 years ago

again: if a user is installing whonix templates, it is because they would like to use them. if they have made that decision, then helping them take advantage of that added functionality would seem helpful.

if it is against workplace policy, if they are going to be killed for using it, then they are probably not going to install the whonix templates. yes?

if they are unsure whether or not they want whonix templates and tor functionality, then we can put some language about tor in a tooltip on first boot, as you previously suggested. they can always deselect the option. and they also get additional language about tor via the first start-up of sys-whonix.

Qubes system updates are usually quite small; tor's slight slowness is not really noticed on them. again, by informing the user through the initial tooltip, they can make an informed decision.

if a user is not interested in Qubes' integrated tor-based privacy solutions, then they should not select the whonix templates for installation. if they are interested in them, then we should help them set them up properly.

unman commented 7 years ago

There are people who will want to use Tor for some qubes, while maintaining an apparently clean image the rest of the time. You shouldn't assume that because they want to use Tor some of the time, they want all their system updates to run through Tor. This may or may not be the case, and your assumption is dangerous.

mfc commented 7 years ago

again: we are currently talking about dom0 system updates, not "all their system updates".

if a user wants to use tor "some of the time", then they have clearly made a decision that using tor is not going to kill them, and that tor is actually useful for their desktop experience. your argument that such a default would be "dangerous" makes no logical sense.

as a reminder:

if user installs whonix templates then suggest to user in firstboot:

or perhaps

if you want to make even more clear this is not affecting non-whonix template updates.

end result networking-wise is:

h01ger commented 7 years ago

On Sun, Oct 01, 2017 at 09:09:30AM -0700, Michael Carbone wrote:

again: we are currently talking about dom0 system updates, not "all their system updates".

so what? why should installing $some_templates cause changes to how dom0 is configured? this makes no sense :)

if a user wants to use tor "some of the time", then they have clearly made a decision that using tor is not going to kill them,

so far, I'm with you…

and that tor is actually useful for their desktop experience. your argument that such a default would be "dangerous" makes no logical sense.

ok, let me try another analogy: using Tor is like (not) carrying a gun. (though I can see how this doesn't work for some. ;) I'll try anyway.) Clearly it's not always useful (not) to carry a gun; sometimes you are safer when doing so, but sometimes you are safer when not doing so. (This very much depends on the situation… I hope we can agree that not all situations are the same.)

Some people (of the set of people who have whonix installed) prefer (for whatever reasons) to update dom0 via tor, some not.

The simple fact that whonix is installed doesn't really say anything about the situation / people's preferences.

Using tor doesn't magically add "security" to your internet connection. Depending on "how you see it" (and other factors), it might also make your internet connection less secure. (This is like (not) carrying guns, which also doesn't make every situation more secure.)

Having an easy way to configure whether tor should be used for dom0 updates obviously is great, because sometimes people's preferences change according to situations.

-- cheers, Holger

mfc commented 7 years ago

so what? why should installing $some_templates cause changes to how dom0 is configured? this makes no sense :)

because they could not ask Qubes to torify their system updates if they don't have whonix templates installed? and because installing whonix templates is a signal that the user is interested in integrating tor into their desktop?

The simple fact that whonix is installed doesn't really say anything about the situation / people's preferences.

yes it says that they have determined they are not going to immediately die as soon as they use tor, that having tor on their system is not going to get them fired, etc.

Some people (of the set of people who have whonix installed) prefer (for whatever reasons) to update dom0 via tor, some not.

totally. i am simply trying to push for safer / more privacy-friendly defaults, since many users will not change them.

unman commented 7 years ago

again: we are currently talking about dom0 system updates, not "all their system updates".

Yes, I understand that, but you should realise that "system updates" are not monolithic. At a minimum there are Fedora updates and Qubes updates, and whether a user updates via Tor or clearnet may change from time to time.

if a user wants to use tor "some of the time", then they have clearly made a decision that using tor is not going to kill them, and that tor is actually useful for their desktop experience. your argument that such a default would be "dangerous" makes no logical sense.

No, it's this that doesn't make sense. Someone may want/need the protection of Tor at some times, in some circumstances, while accepting that using Tor may be dangerous. Making updates default to using Tor may expose them and open them to risk. Your flippancy on this is misplaced.

One way of mitigating the risk would be to turn off automatic update checks, with the option to enable it offered as another option to the user.

mfc commented 7 years ago

hey all, sorry for the exasperated tone previously, thanks for your patience with it.

i think once the GUI salt recipe "app store" exists i will be able to create ways to make it easier for high-risk, less-tech-savvy people to set up Qubes appropriately for their needs.

instead of arguing for a change of the default in this regard, maybe just have a default-not-selected-option in firstboot that does include both template and system updates over Tor:

that is only possible if the user has chosen to install Whonix templates.

qubesos-bot commented 7 years ago

Automated announcement from builder-github

The package qubes-mgmt-salt-dom0-virtual-machines-4.0.6-1.fc25 has been pushed to the r4.0 testing repository for dom0. To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

qubesos-bot commented 7 years ago

Automated announcement from builder-github

The package pykickstart-2.32-4.fc25 has been pushed to the r4.0 testing repository for dom0. To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

qubesos-bot commented 7 years ago

Automated announcement from builder-github

The package qubes-mgmt-salt-dom0-virtual-machines-4.0.6-1.fc25 has been pushed to the r4.0 stable repository for dom0. To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update

DrCMY commented 6 years ago

Hi, what's the official explanation from Qubes staff about the torified updates? Thank you

marmarek commented 6 years ago

See those three comments: https://github.com/QubesOS/qubes-issues/issues/2604#issuecomment-330270721 https://github.com/QubesOS/qubes-issues/issues/2604#issuecomment-330423579 https://github.com/QubesOS/qubes-issues/issues/2604#issuecomment-330452955