Hi.
I have a question about how to achieve a certain task while respecting the “distrusting the infrastructure” tenet of Qubes OS’s philosophy and about the applicability of the principle in general.
Is this tenet unique to Qubes OS’s philosophy? I.e., is this forum the right place to ask my question, or should I rather head over to a place like Information Security Stack Exchange?
Thanks!
That’s what the “All Around Qubes” category is for, which you can’t see yet due to your trust level. I don’t think the concept is unique to Qubes OS, but it certainly is central to it. I’d say proceed in this thread and if it get’s out of hand we can move it to “All Around Qubes”.
I’ll go ahead then 
I’d be happy if someone with the appropriate permissions would change the title to “Can “distrusting the infrastructure” be applied to any task?”.
Definition of infrastructure:
Within the frame of this discussion, the infrastructure is defined as “the middle” between endpoints; examples of infrastructure mentioned in the FAQ are “hosting providers, CDNs, DNS services, package repositories, email servers, PGP keyservers, etc.”.
Question:
Can one, at least in theory, accomplish any task in such a way that the infrastructure is completely distrusted? I.e., can one accomplish any task in such a way that trust solely lies at the endpoints?
A task that may be useful for the purpose of discussion:
Payment. How does one pay someone without putting trust in any third-party entities between payer and payee?
The secure transfer of information can be accomplished using end-to-end-encryption, where the data is encrypted and only sender/receiver hold the key to decrypt. Anyone and anything in between sees seemingly random bits. Important in this context is the use of public/private key cryptography and both sides keeping their respective private keys secure.
You almost had me post several paragraphs, but this discussion is extremely likely to not stay general but quickly become a dumpster fire of crypto currency nerds battleing each other and defending their favored schemes. That would in fact be super off-topic here, so please let’s not do that.
It’s helpful to think in terms of both layers and encryption. In Sven’s example the sender only has to trust the recipient with the encrypted information, but is implicitly trusting the service provider with the next layer of data, the metadata required to accomplish the transmission. In my mind this is where Qubes shines, because it’s relatively easy to set up VPNs, Tor, firewalls, etc… in a way that allows one to choose whom to trust with each level of data on the network stack.
Metadata is not necessarily an issue depending on your use case / scenario. If you can observe that I exchange data with my wife or my employer I might not mind as long as you have no way to read the contents of the exchange. But granted in some scenarios metadata itself might disclose communication patterns that one might wish to keep confidential. In those cases TOR is the only if imperfect solution easily available.
I don’t see how firewalls fit into this conversation and VPNs if used as intended are a perfect example of end-to-end encryption. If one uses VPNs as glorified proxies the trust is simply shifted to another entity and misses the goal of “distrusting the infrastructure”.
For example, I use the firewall on my email qube to only allow traffic to the servers of my email provider. This prevents tracking pixels, etc…, from sending data directly to untrusted third parties, so that I don’t have to trust my email provider or client to do this for me. Anymore, the marketing companies are unavoidable parts of the email infrastructure.
For the most part, I don’t think “distrusting the infrastructure” is entirely possible once one includes the internet as part of the equation. However, it is possible to distribute our trust is with the goal of minimizing the level of this trust needed, however defined. “Zero knowledge providers” has become a catch-all term to identify infrastructure providers who aim for something like distrusting the infrastructure, but zero knowledge is a hard nut to crack, so I’d treat any claims of this nature with a healthy dose of skepticism.
Here’s an example of distrusting the infrastructure applied to mobile networks, where human and device identities are usually conflated and impossible to hide from untrustworthy carriers. The authors introduce a useful notation to describe decoupling of identity from access and provide comparisons to VPNs and Tor. This kind of notation (shapes/solids) could be useful for labeling qubes in terms of trust levels, where presently we just have color playing this role.