I’ll explain: when you give the user the possibility to enable downloading all updates through Tor in the installation window, you mean that the user wants to hide from his ISP the fact that he uses Qubes OS. At least I think this is how the user understands this feature (and how I understood it and why I enabled it). BUT at the same time a new user may not (and most likely does not) know that Qubes will still be leaking Qubes usage to the ISP while performing clearnet update checks. Of course he may disable it later, but that will most likely be useless after the fact, since this leakage will most likely happen before the user finds out and takes any action. So it’s much better if such a feature is implemented in the installation process.
Two little detours:
Of course you might not have meant what I meant, and implemented updates through Tor just to increase the security of the update process, but this is a really important point for many users whose interest is to hide the use of Qubes. For example, Qubes doesn’t (and as I understand can’t) hide the fact of its usage from apps running in qubes (like Telegram, for example). If an evil government wants to find such a user (and knows that he’s living on its territory), it will use its resources to find the number of all Qubes users on its territory and try to figure out which one is he. For example, Russia most likely has such a possibility, since all its ISPs have a feature like “СОРМ” pre-installed (it collects and saves all users’ traffic, and most likely gives the possibility of its quick analysis). So lives may depend on it.
I hope disabling clearnet update checks is enough to prevent Qubes usage leakage (of course, if the user doesn’t run applications in qubes that have sys-firewall as netvm instead of sys-whonix), but maybe not. So could you make it possible if so? To add some special feature that eliminates the threat without the user having to use VPNs before Tor? Or at least could you create some guide that explains what steps the user should take to prevent this threat (if it’s possible to do without using a VPN at all)? But if it’s possible, implementing a special feature in the installer is of course the best solution.
What you can do is to not connect to the internet immediately after install, and change Global settings to Whonix with bridge; this will route all update traffic of Qubes through a Tor bridge, hiding usage of Tor from the ISP combined with the servers of Qubes being pinged from your machine.
Bear in mind that before anything, before all of this, you most likely downloaded Qubes through clearnet bare IP, so your ISP already knows if anything, just letting you know.
You probably don’t know that even if you select sys-whonix as update proxy, Qubes still performs update checks for Debian, dom0 and Fedora via clearnet (if it is on default settings). And you most likely did not read my text carefully. I say that new users will most likely find this out when it is already too late. That “updates through Tor” option in the installer confuses them, and they think that it is implemented to hide Qubes usage from the ISP, but it is not. So I created this request to convey the idea that it is necessary to add an option in the installer that gives users the possibility to route all update checks through Tor. Yes, they can configure it later, but they will do it only if they know about it, and there is a high chance that they will only know after their first connection to the net, when it will already be too late to hide something. Now understood?
And by the way: it’s better to route time sync through Tor too, because even if this operation doesn’t tell the ISP that the user uses Qubes, it looks suspicious, because if there is only time sync without any regular OS clearnet activity (like update checks, for example), this will give reason to suspect that the user uses Qubes OS (or another anonymous system).
So you think I’m worried that my ISP will find out that I’m using Qubes OS through my update checks and updates, but at the same time I am such an idiot as to download its image through clearnet? If you only knew how many verifications I performed with this image…
Yeah, btw I do not disagree with anything you said, you are correct on everything, just throwing it out there what you can do if it’s “too late” at the very least, or for new or potential new users of Qubes if they see this post. You are also lucky IF you never used Qubes under the ISP you are registered with under your name, to some extent; less fingerprint to some extent.
“During installation process” meant “disabling all clearnet update checks” already during the installation process instead of doing it after installation. In simple words: instead of adding that “sys-whonix as update proxy” feature, they should have added a feature that really disables all clearnet update checks, ’cause this is really what a regular user thinks about when he reads that line about “updates over Tor”. And you may agree that otherwise updates over Tor do not make much sense.
I haven’t checked it myself, but if it is the case that there are clearnet checks even if sys-whonix is selected as the update proxy, then at the very least the user should be informed – it would be misleading.
There are. I said what to do (what YOU can do) to prevent this. Disable networking for non-whonix qubes (or at least remove them from exceptions when you disabled update checks for all qubes except specified ones). Set sys-whonix as update proxy everywhere. You may also disable time syncing to prevent the ISP from knowing that you use some Linux OS and the time when you start this OS (or when you connect with it to the network).
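The checks listed in the post above, expressed as a small audit (an added example, not part of the original thread and not Qubes OS code). It assumes a hand-built inventory with hypothetical qube names and fields, and flags update checks and time sync that would leave over clearnet instead of through sys-whonix.

```python
# Added example: audit a qube inventory for clearnet update checks / time sync.
# The inventory is constructed sample data, not output of any Qubes tool.
TOR_GATEWAY = "sys-whonix"  # assumed name of the Whonix gateway qube

# name -> settings. "uplink" marks the qube that owns the physical NIC.
INVENTORY = {
    "sys-net":      {"netvm": None,           "update_check": True, "uplink": True},
    "sys-firewall": {"netvm": "sys-net",      "update_check": True},
    "sys-whonix":   {"netvm": "sys-firewall", "update_check": True},
    "anon-browser": {"netvm": "sys-whonix",   "update_check": True},
    "work":         {"netvm": "sys-firewall", "update_check": True},
    "personal":     {"netvm": "sys-firewall", "update_check": False},
    "vault":        {"netvm": None,           "update_check": True},
}
GLOBALS = {"dom0_update_check": True, "updatevm": "sys-firewall", "clockvm": "sys-net"}


def path_kind(name, inv, gateway=TOR_GATEWAY):
    """Classify how traffic from `name` leaves the machine: tor, clearnet or offline."""
    seen = set()
    cur = name
    while cur is not None and cur not in seen:
        if cur == gateway:
            return "tor"        # the gateway (or anything behind it) is torified
        if inv[cur].get("uplink"):
            return "clearnet"   # reached the NIC without passing the gateway
        seen.add(cur)
        cur = inv[cur]["netvm"]
    return "offline"            # no netvm: nothing leaves this qube


def audit(inv, glob, gateway=TOR_GATEWAY):
    """Return sorted (subject, finding) pairs for traffic that bypasses the gateway."""
    findings = []
    for name, cfg in inv.items():
        if cfg["update_check"] and path_kind(name, inv, gateway) == "clearnet":
            findings.append((name, "update check over clearnet"))
    if glob["dom0_update_check"] and path_kind(glob["updatevm"], inv, gateway) == "clearnet":
        findings.append(("dom0", "update check via clearnet updatevm"))
    if glob["clockvm"] and path_kind(glob["clockvm"], inv, gateway) == "clearnet":
        findings.append(("clockvm", "time sync over clearnet"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in audit(INVENTORY, GLOBALS):
        print(f"{subject}: {finding}")
```
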
At some point, you can’t hide the fact you connect to the Internet, packets must go through your ISP.
A solution would be I2P which can fill the connection all the time passing traffic from other I2P peers, and also put your traffic within, so you appear always busy with the connection. A mixnet (lokinet for instance) could hide traffic pattern too.
You meant clearnet traffic, right? ’Cause when it’s about Tor, it hides all traffic in its own Tor traffic, and this way real package sizes are also hidden/changed.
I was talking about torified traffic when I was saying about disabling time sync. ’Cause time sync remains untorified.
The goal is not to hide the fact that you’re connecting to the network, but to hide what device and OS you’re using for it. For example, when it looks like just a regular connection to Tor, how can the ISP tell that it’s not performed from some Tor Browser on an Android phone? I mean when you have removed all signs that reveal what device and OS you use.
The Tor traffic is still coming through your clearnet ISP and ISP can see the TCP/IP information in the packets. Whonix has some network hardening and prevents some TCP/IP fingerprinting but I don’t know if it prevents all of it or not. https://nmap.org/book/osdetect.html
Moderation note: this thread is quickly turning off-topic. If the original issue was clarified, I’d encourage interested folks to move the network privacy conversation somewhere it’s relevant.