Firefox comes configured with worst privacy settings and it takes long time to run arkenfox every time there is new template or an update.
Why does it have to be done like this?
It’s annoying because if I don’t remove firefox from the template there’s a risk some awful Application will decide to open firefox without my permission to load some stupid webpage to try to get me to buy something or sign up to an email list and then suddenly i’m at risk of my unique computer hardware fingerprints being collected. Why does it have to be like this? It would be easier to harden firefox for the templates and let users unharden it if they want.
I would rather have it just not installed automatically then to be there like this. Does anyone else find this annoying?
In Parrot this never has to be done. You run Parrot live or you run it installed and it has nothing in it like this that has no hardening at all. There’s a lot of stuff Parrot can’t do but why is Qubes like this? There’s no automated way to harden each new template that comes with vulnerable browser settings and it’s so time consuming.
It’s not the job of the Qubes developers to provide a modified and hardened version of Firefox. They only provide templates for users to customize as they wish. If you need hardened Firefox, you need to implement it yourself. Since you mentioned arkenfox in your post, it’s easy to install and update if you use the updater script provided in their github repo inside an app qube without touching the template itself. If you don’t want Firefox, you can also remove it.
I know this is the philosophy of Qubes but from fedora 36 to 37 and debian 10 to 11 to 12 every time you have to do it.
Does upgrading the template and upgrading firefox-esr also revert all the changes? I think it does. I can’t even make a cron command to run arkenfox because Firefox generates these random folders with each new install. Does upgrading the template change the directory? I hate firefox and just want it to never open.
Qubes is just so time consuming for things like this and considering that most users of Qubes want it for the hardening aspect of it I just don’t know why it can’t be more hard automatically. I know it goes against the concept of what Qubes is but it just wastes more time.
Firefox creates a profile with all its settings when it is first started. It resides in the user’s home directory (/home/user/.mozilla/firefox/), which means it is persistent within a qube. The Arkenfox rules are in the user.js file, which is loaded every time you open Firefox. When you update Firefox, it is loaded and applied again.
The updater will only update the user.js file to the latest available version. Put it in your profile folder and use /rw/config/rc.local to run it when the qube starts.
It does not have to be, despite those applications behaving this way. I’ve witnessed this at least with Thunderbird, which in my case runs in a firewalled qube - this does not prevent a cybercriminal exploiting my MUA/MTA and leaking my emails this way, but does prevent this behavior of spawning a browser to connect to some website.
Furthermore, you can create an offline disposable template, set it as the default one and run xdg-settings set default-web-browser qvm-open-in-dvm.desktop from the inside of a qube, so it should in theory make those applications try and connect to some website, only failing due to no Internet connection.
It makes more sense for Qubes OS to be a meta-OS providing isolation through easily usable virtual machines, rather than tweaking everything in non-obvious way.
If you install a Fedora template, you almost get a vanilla Fedora system, then you can work your way to harden it the way you want. This is a saner default in my opinion.
What would make more sense would be a community maintained template of a privacy/security hardened distribution that plays nice with Qubes OS, with proper documentation and people willing to maintain it.
What exactly are are the vulnerable insecure settings?
You can install (at least for R4.1 for now) a parrot community template and use firefox with their settings easily there. The default settings for debian/fedora are not the obligation of the Qubes team.
I guess I would be interested in a community guideline for a hardened/more secure firefox setting/user.js in this forum
This is rather misapprehended approach: “I want to do all the things I did, why Qubes doesn’t keep me secure from spilling milk?”
It only leads to a false sense of security and even more careless use of computers. There’s no universal solution and that is why we have to (learn to) develop our own threat models, which would then give us easy solutions for the best possible setups.
And it’s easy to realize how wrong this is by transponding this question to any other device/thing we use in our lives: car, house, TV… Can they be more secure? Why aren’t they?
If we don’t take care of ourselves, no one else will.
It resides in the user’s home directory (/home/user/.mozilla/firefox/),
It’s for this exact reason that it can not just be set once in the template, because the template’s home directory is never shared with any AppVM based upon it.
You could however run the hardening utility on the templates own home configuration and then copy or move that directory to a static read-only staging area, and then when starting an AppVM just move (copy-on-write) that directory into the local home directory thus overlaying the default configuration. Each time you start an AppVM you would begin with the latest pre-configured settings for Firefox and it would only take the time to clone that directory, not running the hardening utility.
EDIT:
You might find this thread interesting:
[Guide] Automatically install extensions and configure new (dispvm) hardened Firefox profiles with arkenfox user.js and policies
Qubes OS with default Firefox that has a lot of secure problems out of the box. User works in a work qube using internet and having some valuable files there.
Any GNU/Linux with pre-tuned Firefox: maybe custom user/prefs.js with basic privacy and security settings, ublock origin addon preinstalled or something like that.
Which OS is more secure for user that works that way? Obviously the second one.
Qubes OS is not more secure than Fedora in this case, because it can be broken from the internet more easily and all the data from the qube (working documents, sources, etc.) will be leaked without any issues.
It makes Qubes OS only as secure, as Fedora for many users. And nobody calls Fedora reasonably secure OS.
P.S. Whonix is not a solution, as majority of people do not want to use tor for their activities, they just do not want no be hacked that easily.
When I first installed Qubes and I saw Firefox was preloaded I did assume it would have default security setting to be more secure out of the box due to the nature of the system. It was kind of shock to me that it was just setup like a straight download off Firefox. This of course lead me to searching how to harden etc, and doing it myself not a big deal for me but could be for some.
However my personal opinion is that having a more secure config preloaded would be the best. The more and more government and everyday companies intrude in normal peoples lives the more normies you’re going to get looking for something like Qubes OS. When I was first learning about Qubes OS I did come into it with the impression I could install it and the base system/apps would be secure by default and I could just use it right away and be “reasonably secure”. The browser imo should be a big part of that. I would have certainly preferred to have it already setup to be secure in a way that makes sense for a majority of user and I could always reset it to default or make other changes I want. Or maybe have mullvad browser as default/second option pre installed.
To sum up. 1. if it comes preinstalled on Qubes it should be setup as “reasonably secure” 2. it saves time for a new user to be able to just load Firefox in the default qubes installed config without needing to learn something right off the bat. 3. IMO it would be better to have it set to start. It doesnt change the users ability to make it how they want but does give a base secure starting point where someone could just pick it up and use it.
Just my personal perspective from someone who has only been using Qubes for a few weeks.
Sorry to notice here misapprehension of Qubes again, because why would you keep anything valuable in a browser dispVM when Qubes allows us not to do that (all kinds of split-whatnots as automated tools, as well as manual steps to achieve the same)? It’s the basic concept of Qubes?
But if you want to login to your gmail and go to your ebank account and torrent account in the same dispVM browser, then no browser or OS would help you… Neither Qubes with hardened as possible Firefox.
But, if in your dispVM you open only ebank account who else could steal your password? Bank? They have to know your password, actually.
The purpose of the QubesOS project is to provide security through compartmentalization. Hardening individual applications is not within that scope - although the infrastructure that supports QubesOS also supports creating and distributing hardened images, which I’m sure everyone agrees would be of benefit to the community.
What is the problem with the default Firefox in the templates? Isn’t it the default Firefox shipped by Debian or Fedora? If those are insecure, all bets are off!
absolutely you’re right. I just wanted to share a perspective from someone with little knowledge about any of this beyond a couple weeks. I figure a view point from an outsider may be beneficial. I know stuff I use everyday I get disillusioned on how accustom I am to it and when I’m training a new employee for example I may think “thats just common sense” without taking into account I’ve used it for days on end and something that is intuitive to me may be a brick wall for others.
I guess regarding Qubes it comes down to two paths. A reasonably secure OS for niche individuals or a reasonably secure OS for the masses. The later will require more hand holding/custom default configs/GUI/prompts, etc. If Qubes only ever aims to be a niche OS I personally wouldn’t care I still want to learn it and utilize it as I’m really enjoying the concept and if they want to just focus on that niche community it’s certainly within their rights and a perfectly viable approach imo. But if the aim is to bring a secure OS into as many homes/hands a possible “dumbing” stuff down is almost always needed when talking about the masses. How many normal Windows users do you think have ever even opened their setting menu in firefox much less change anything, probably the majority. Lets say for fun, an example Best Buy starts to sell laptops with Qubes as an option, big poster above them “most secure OS, use with confidence” or some other marketing lingo. They go home open firefox start browsing etc, how many of those people check the settings? few if any. Then they hop on reddit and find a thread of people complaining firefox settings aren’t secure, they are like “hey I bought an operating system billed as secure and i have to set it all up myself” then get mad etc. < this is just an example of normal consumerism doesnt even have to be firefox, people want stuff done for them. The group of people that want to configure stuff themselves are growing smaller by the day, i mean the next generations prefers to watch people play games instead of playing games themselves, same kind of concept.
Just to state again I’m not arguing for this or anything and doesn’t shape my opinion on if i think Qubes is good, it just takes more self configuration out of the box then I initially had thought and playing devils advocate from a normie/new user perspective.
Edit: - I should add that how Qubes OS is presented within some communities is likely a disconnect from it’s intended purpose as well which may lead to some new user frustrations. For example Qubes OS is recommended by a lot of “privacy” Youtube channels/forums/Reddit r/privacy" and is how I originally got interested in Qubes. The reality I was meet with was that Qubes is no more inherently privacy focused by default than most Linux OS’s unless you exclusively use Whonix/Tor and disposable Qubes. It’s intended for security of your data and integrity of your system. If you want privacy that’s going to take more personal configuration and effort. Qubes absolutely provides the tools to use it in a very privacy oriented way but it’s not it’s core purpose. Leads me to believe that many in those communities who recommend it likely do not use it themselves and parrot it as a privacy system from someone else who actually uses it in that fashion after their own tinkering.
I’d welcome a few community guides on hardening each of the major browsers. I handled it by running through a config of each of them then copying the profile into skel. Probably this leaves some kind of identifiers behind that will link the qubes.
If there were some community provided “hardened browser” Salt recipes, that would probably be valuable for a lot of people. The big complication here is keeping up with new browser features that require changing the config to keep it tight, which means new hardening has to be deployed to all templates and app qubes once in a while.
I should add that how Qubes OS is presented within some communities is likely a disconnect from it’s intended purpose as well which may lead to some new user frustrations. For example Qubes OS is recommended by a lot of “privacy” Youtube channels/forums/Reddit r/privacy" and is how I originally got interested in Qubes. The reality I was meet with was that Qubes is no more inherently privacy focused by default than most Linux OS’s unless you exclusively use Whonix/Tor and disposable Qubes. It’s intended for security of your data and integrity of your system. If you want privacy that’s going to take more personal configuration and effort. Qubes absolutely provides the tools to use it in a very privacy oriented way but it’s not it’s core purpose. Leads me to believe that many in those communities who recommend it likely do not use it themselves and parrot it as a privacy system from someone else who actually uses it in that fashion after their own tinkering.
This is also what I use it for. One of the old blog posts mentions it, how they’re not the same but security is the necessary foundation for doing the other things that achieve privacy. If you don’t have security to begin with, any attempts at staying private will fail. You get secure first, then you can go further and get private.
I’ve seen other forum posts where people think it’s about privacy and get pissed off when it’s contested. Wonder if something like the above explanation should be on the Intro page. I’m extremely grateful for the high security of Qubes because you really can’t build serious privacy without it.