Browser separation and persistence?

Questions about browsers.

  1. If you install chromium in template, make appvm, login to profile w/ mail accounts. It does not remember them on next start. How to make this persist?
  2. If using chromium as above in template, if you create some appvms, how isolated are each of those chrome users from one another?
  3. In general w/ chromium how separated are different “people” on the same appvm?

As an example of what to avoid -> Chromium on template, tons of appvms w/ chromium installs, bunch of wallets on them. You get a wallet drainer malware on one, does it drain all your wallets from every appvm?

It should, if you have a standard persistent AppVM. Browsers store their configs and cookies and such in your home directory, so if you’ve logged a Chrome install (whyyyyyy? Use Firefox…) into your Google account in the “Personal” AppVM, that should persist across “Personal” AppVM restarts. It’s not?

If you have separate AppVMs, Chrome instances running in them should be as fully isolated as Qubes is capable of providing - separate hardware virtual machines, separate home directories, and while they’re based on the same template, nothing flows between those AppVMs on the root filesystem. Changes are ephemeral to the root filesystem in a standard template-based AppVM.

No specific idea, but I would assume “Not at all.” The threat model implicit in Qubes assumes that anything in an AppVM has full access to anything else in an AppVM.

If you get the malware in the template somehow, yes, it would impact all the AppVMs. But if you get it in one AppVM, it shouldn’t have any access to the other AppVMs.

And now I’ll ask the silly question, “Why on earth would you use the same AppVM for a crypto wallet as for a browser session?” That sort of stuff ought be kept rather separate from each other.


Thanks for the detailed response!
→ Does chromium need to be installed on the template used for app vms or the appvm for maximum isolation?
→ Entirely separate standalone templates may work, at a cost of more storage, could those be better isolated?
→ Is there a way to have multiple instances of the same Deb 12 template, to prevent template poisoning?

And to answer your questions:
Why chrome → Need it for plugins; yes, firefox and its forks are superior
Why browser + wallet same session → Need some hot wallets, they don’t all play well w/ firefox unfortunately

Does it perhaps make sense to leave template untouched, generate a clone of the template for each appvm, and install chrome only on the corresponding cloned template?

BTW, amnesic logins are a quirk of chromium, not a qubes issue.


Shouldn’t make a bit of difference. Either you trust the Qubes isolation mechanisms to do what they claim, or you don’t. If you don’t, then I don’t know why you’d trust any other arrangement of VMs in Qubes to provide hard isolation, since you don’t trust the mechanisms of separation.

Certainly. Just create a new templateVM. I typically have a few, for no particular reason of value, beyond “I’m the sort of weird legacy sysadmin who wants people to at least have to work to live off the land.” I’ll typically have one template that’s fairly minimal, one that has a bunch of other “Desktop sort of tools,” and one that’s heavy on the development toolchains. I don’t think it actually gains me anything over simply having all that stuff in one VM, but I’d at least rather make life somewhat harder for attackers than “Oooh, shell, here’s Python!” - not that there’s any real block to them installing it, given passwordless sudo.

But just follow the guides to create a new templateVM.

Though unless you’ve got some particular reason to believe template poisoning is (a) possible, and (b) likely to impact you, see “If you don’t trust the mechanisms, you probably shouldn’t trust Qubes at any level.”