How would I set up an AppVM/Template in this situation?

Hi All,

Been using QubesOS for about 3 months, got it on a test laptop as I learn my way around it.

I would like your guys opinion on this one question I am thinking about.

If I would like to log in and transfer information and files with this single one and only website, how would I do it as securely as possible using QubesOS?

Here are the parameters:

1 - Would be using my ISP’s Internet connection.
2 - Wifi connected laptop to LAN router, DNS set to Quad9 on router
3 - Website requires login to access and transfer mission critical information and files.
4 - Play the Mission Impossible song after the connection is completed

Right now, the only concern would be interception of connection, or logging from ISP.

Your guys thoughts?

Thank you

Well, I would say not really related to QOS.

What is your threat?
Who do you trust?

  • if it is only one website, set your AppVM firewall to limit the traffic to only this IP. https makes your connection secure. Done.

  • I do not trust my ISP: Get a VPN.

  • I do not trust VPN provider: use Whonix

  • I do not trust the Tor network: use Lokinet

Thank you for that response

Like the idea of the firewall limiting the IP address.

Regards

A different approach, not mutually exclusive; you can combine it with others including what @whoami suggests above.

Run the browser in a disposable. If you use the menus to start apps in disposables, set the command line up in the .desktop file to include the name of the site, so that the browser goes there automatically when you open it. If you really dig in to some of the methods used by others here, you can ensure the browser doesn’t remember history, doesn’t save bookmarks, nor cache in any way (belt and suspenders since a disposable has much the same effect–or maybe you don’t want a disposable). So basically, you click on the browser in the menu (or desktop shortcut), it goes to that site. But you can’t bookmark anything and anything you download goes away.

(If you want to go to that site and be logged in already, it’s a bit more complicated and slightly less secure.)

That (plus the firewall) should discourage you from using that qube for anything else other than visiting the one site.

[I’ll be frank: I never could figure out how to set up a firewall properly–neither how to learn what to set it to, nor how to set it, period. It’s one of those things everyone assumes is well known (and maybe it is), and trying to find out through google leads to thousands of hits on how to turn on your windoze firewall. No, I want to know how to determine which ports I should allow or block, then learn how to do so. I’ve been using sys-firewall but that’s it.]


Maybe I do not fully understand your issue here. But to keep it very simple: Open a disposable (browser) AppVM. Browse, e.g., to iplocation.net and search, e.g., for iplocation.net. You should get the IP of this webpage: 104.26.7.214. (Keep the AppVM / tab open.)

Open another disposable AppVM, go to Settings > Firewall rules and add: 104.26.7.214 tcp 443 (https) only. Open a browser in this disposable AppVM and go directly to iplocation.net. You will see at the bottom that this webpage tries to load a lot of external sources (which do not get through). Now compare, e.g., the section ADVERTISEMENT with your previous disposable browser tab - no ads have been loaded.

This is not a perfect and reliable solution but it works for simple webpages. The issue is that you have to set IPs, which is not the best approach. Pi-Hole is much more efficient, reliable and easy to configure.
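Added example, not part of any post in this thread: the firewall step described above, written as a small shell script that prints the equivalent dom0 `qvm-firewall` commands for review instead of running them. The qube name `site-only` is hypothetical, and the rule syntax assumes the Qubes 4.x `qvm-firewall` tool.

```sh
#!/bin/sh
# Added example: prints dom0 commands; it does not change any firewall itself.
# Assumes Qubes 4.x qvm-firewall syntax (confirm with `qvm-firewall --help`).

QUBE="site-only"        # hypothetical qube name
ADDRS="104.26.7.214"    # address quoted in the post; space-separate several

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Usage: firewall_cmds QUBE ADDR [ADDR...]
firewall_cmds() {
    qube=$1
    [ $# -ge 2 ] || { echo "usage: firewall_cmds QUBE ADDR..." >&2; return 1; }
    shift
    # Refuse names that could smuggle shell syntax into the printed commands.
    case "$qube" in ''|*[!A-Za-z0-9_-]*)
        echo "bad qube name: $qube" >&2; return 1 ;;
    esac
    # Validate everything first so a typo never yields a half-built rule set.
    for a in "$@"; do
        is_ipv4 "$a" || { echo "not an IPv4 address: $a" >&2; return 1; }
    done
    # Known starting point: default rules, then drop the allow-all entry.
    echo "qvm-firewall $qube reset"
    echo "qvm-firewall $qube del --rule-no 0"
    # Keep name resolution working, then allow HTTPS to the pinned hosts only.
    echo "qvm-firewall $qube add action=accept specialtarget=dns"
    for a in "$@"; do
        echo "qvm-firewall $qube add action=accept dsthost=$a proto=tcp dstports=443"
    done
    # Everything else is dropped; list the result for review.
    echo "qvm-firewall $qube add action=drop"
    echo "qvm-firewall $qube list"
}

firewall_cmds "$QUBE" $ADDRS
```

The script accepts several addresses because a site can answer from more than one, and `reset` discards any rules the qube already has.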

Great Thank you SteveC and Whoami