Is there a reason Firefox needs to have vulnerable insecure settings in the templates?

“The most secure OS on the planet” I’d expect more configuring than other OS’s, but maybe that’s just me.

I love the flexibility that Qubes gives, but it can require more configuring. To me, it’s well worth the effort.

It does not have to be, despite those applications behaving this way. I’ve witnessed this at least with Thunderbird, which in my case runs in a firewalled qube - this does not prevent a cybercriminal exploiting my MUA/MTA and leaking my emails this way, but does prevent this behavior of spawning a browser to connect to some website.

Furthermore, you can create an offline disposable template, set it as the default one and run xdg-settings set default-web-browser qvm-open-in-dvm.desktop from the inside of a qube, so it should in theory make those applications try and connect to some website, only failing due to no Internet connection.

1 Like

It makes more sense for Qubes OS to be a meta-OS providing isolation through easily usable virtual machines, rather than tweaking everything in a non-obvious way.

If you install a Fedora template, you almost get a vanilla Fedora system, then you can work your way to harden it the way you want. This is a saner default in my opinion.

What would make more sense would be a community maintained template of a privacy/security hardened distribution that plays nice with Qubes OS, with proper documentation and people willing to maintain it.

5 Likes

What exactly are the vulnerable insecure settings?

You can install (at least for R4.1 for now) a parrot community template and use firefox with their settings easily there. The default settings for debian/fedora are not the obligation of the Qubes team.
I guess I would be interested in a community guideline for a hardened/more secure firefox setting/user.js in this forum :slight_smile:

That’s what whonix and disposable VMs are for.

1 Like

This is a rather misapprehended approach: “I want to do all the things I did, why doesn’t Qubes keep me secure from spilling milk?”

It only leads to a false sense of security and even more careless use of computers. There’s no universal solution and that is why we have to (learn to) develop our own threat models, which would then give us easy solutions for the best possible setups.

And it’s easy to realize how wrong this is by transposing this question to any other device/thing we use in our lives: car, house, TV… Can they be more secure? Why aren’t they?

If we don’t take care of ourselves, no one else will.

It resides in the user’s home directory (/home/user/.mozilla/firefox/),

It’s for this exact reason that it can not just be set once in the template, because the template’s home directory is never shared with any AppVM based upon it.

You could however run the hardening utility on the template’s own home configuration and then copy or move that directory to a static read-only staging area, and then when starting an AppVM just move (copy-on-write) that directory into the local home directory, thus overlaying the default configuration. Each time you start an AppVM you would begin with the latest pre-configured settings for Firefox and it would only take the time to clone that directory, not running the hardening utility.

EDIT:

You might find this thread interesting:

[Guide] Automatically install extensions and configure new (dispvm) hardened Firefox profiles with arkenfox user.js and policies

This can be done in the template at the right place, this is what OpenBSD does in their Firefox package for shipping system-wide default settings.

Save a file in /usr/lib64/firefox/defaults/pref/global-pref.js (it seems pref could be named preferences depending on the firefox platform :woman_shrugging: )
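
An added example, not part of any post in this thread: one way to drop a system-wide defaults file into a template's Firefox install directory, handling the `pref` versus `preferences` directory naming mentioned above. The `FIREFOX_ROOT` variable, the helper function names and the selection of prefs are assumptions made for illustration. Because the file lives in the template's root filesystem rather than a home directory, qubes based on the template see it.

```shell
#!/bin/sh
# Added example, not from the thread. FIREFOX_ROOT and the pref selection
# are assumptions; the thread's path would be FIREFOX_ROOT=/usr/lib64/firefox.

# Print the defaults directory under an install root. Depending on the
# platform it is "defaults/pref" or "defaults/preferences".
find_pref_dir() {
    for d in "$1/defaults/pref" "$1/defaults/preferences"; do
        if [ -d "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Write global-pref.js atomically into that directory and print its path.
install_global_prefs() {
    dir=$(find_pref_dir "$1") || {
        echo "no defaults/pref or defaults/preferences under $1" >&2
        return 1
    }
    tmp=$(mktemp "$dir/.global-pref.XXXXXX") || return 1
    cat > "$tmp" <<'EOF'
// System-wide defaults; a user can still override them per profile.
pref("dom.security.https_only_mode", true);
pref("network.prefetch-next", false);
pref("toolkit.telemetry.enabled", false);
pref("datareporting.healthreport.uploadEnabled", false);
EOF
    if chmod 0644 "$tmp" && mv "$tmp" "$dir/global-pref.js"; then
        printf '%s\n' "$dir/global-pref.js"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Count lines that are not blank, a // comment, or a well-formed pref() call.
count_bad_lines() {
    grep -Ev '^[[:space:]]*(//.*)?$|^pref\("[A-Za-z0-9._-]+", (true|false|[0-9]+|"[^"]*")\);$' "$1" | wc -l | tr -d ' '
}

# Only act when the caller names an install root (run as root in the template).
if [ -n "${FIREFOX_ROOT:-}" ]; then
    install_global_prefs "$FIREFOX_ROOT"
fi
```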

Well, I kind of agree.

Let’s consider 2 cases:

  1. Qubes OS with default Firefox that has a lot of security problems out of the box. User works in a work qube using internet and having some valuable files there.

  2. Any GNU/Linux with pre-tuned Firefox: maybe custom user/prefs.js with basic privacy and security settings, ublock origin addon preinstalled or something like that.

Which OS is more secure for a user that works that way? Obviously the second one.

Qubes OS is not more secure than Fedora in this case, because it can be broken from the internet more easily and all the data from the qube (working documents, sources, etc.) will be leaked without any issues.

It makes Qubes OS only as secure as Fedora for many users. And nobody calls Fedora a reasonably secure OS.

P.S. Whonix is not a solution, as the majority of people do not want to use tor for their activities, they just do not want to be hacked that easily.

1 Like

Perspective of a new Qubes user.

When I first installed Qubes and I saw Firefox was preloaded I did assume it would have default security settings to be more secure out of the box due to the nature of the system. It was kind of a shock to me that it was just set up like a straight download off Firefox. This of course led me to searching how to harden etc, and doing it myself not a big deal for me but could be for some.

However my personal opinion is that having a more secure config preloaded would be the best. The more and more government and everyday companies intrude in normal people’s lives the more normies you’re going to get looking for something like Qubes OS. When I was first learning about Qubes OS I did come into it with the impression I could install it and the base system/apps would be secure by default and I could just use it right away and be “reasonably secure”. The browser imo should be a big part of that. I would have certainly preferred to have it already set up to be secure in a way that makes sense for a majority of users and I could always reset it to default or make other changes I want. Or maybe have mullvad browser as default/second option preinstalled.

To sum up. 1. if it comes preinstalled on Qubes it should be set up as “reasonably secure” 2. it saves time for a new user to be able to just load Firefox in the default qubes installed config without needing to learn something right off the bat. 3. IMO it would be better to have it set to start. It doesn’t change the user’s ability to make it how they want but does give a base secure starting point where someone could just pick it up and use it.

Just my personal perspective from someone who has only been using Qubes for a few weeks.

1 Like

Sorry to notice here misapprehension of Qubes again, because why would you keep anything valuable in a browser dispVM when Qubes allows us not to do that (all kinds of split-whatnots as automated tools, as well as manual steps to achieve the same)? It’s the basic concept of Qubes?

But if you want to login to your gmail and go to your ebank account and torrent account in the same dispVM browser, then no browser or OS would help you… Neither Qubes with hardened as possible Firefox.

But, if in your dispVM you open only ebank account who else could steal your password? Bank? They have to know your password, actually.

This was discussed so many times…

You should not assume such things, this could lead to real troubles.

3 Likes

The purpose of the QubesOS project is to provide security through compartmentalization. Hardening individual applications is not within that scope - although the infrastructure that supports QubesOS also supports creating and distributing hardened images, which I’m sure everyone agrees would be of benefit to the community.

3 Likes

What is the problem with the default Firefox in the templates? Isn’t it the default Firefox shipped by Debian or Fedora? If those are insecure, all bets are off!

Absolutely you’re right. I just wanted to share a perspective from someone with little knowledge about any of this beyond a couple weeks. I figure a viewpoint from an outsider may be beneficial. I know stuff I use everyday I get disillusioned on how accustomed I am to it and when I’m training a new employee for example I may think “that’s just common sense” without taking into account I’ve used it for days on end and something that is intuitive to me may be a brick wall for others.

I guess regarding Qubes it comes down to two paths. A reasonably secure OS for niche individuals or a reasonably secure OS for the masses. The latter will require more hand holding/custom default configs/GUI/prompts, etc. If Qubes only ever aims to be a niche OS I personally wouldn’t care I still want to learn it and utilize it as I’m really enjoying the concept and if they want to just focus on that niche community it’s certainly within their rights and a perfectly viable approach imo. But if the aim is to bring a secure OS into as many homes/hands as possible “dumbing” stuff down is almost always needed when talking about the masses. How many normal Windows users do you think have ever even opened their settings menu in firefox much less change anything, probably the majority. Let’s say for fun, an example Best Buy starts to sell laptops with Qubes as an option, big poster above them “most secure OS, use with confidence” or some other marketing lingo. They go home open firefox start browsing etc, how many of those people check the settings? few if any. Then they hop on reddit and find a thread of people complaining firefox settings aren’t secure, they are like “hey I bought an operating system billed as secure and I have to set it all up myself” then get mad etc. < this is just an example of normal consumerism doesn’t even have to be firefox, people want stuff done for them. The group of people that want to configure stuff themselves are growing smaller by the day, I mean the next generation prefers to watch people play games instead of playing games themselves, same kind of concept.

Just to state again I’m not arguing for this or anything and doesn’t shape my opinion on if I think Qubes is good, it just takes more self configuration out of the box than I initially had thought and playing devil’s advocate from a normie/new user perspective.

Edit: - I should add that how Qubes OS is presented within some communities is likely a disconnect from its intended purpose as well which may lead to some new user frustrations. For example Qubes OS is recommended by a lot of “privacy” YouTube channels/forums/Reddit r/privacy and is how I originally got interested in Qubes. The reality I was met with was that Qubes is no more inherently privacy focused by default than most Linux OS’s unless you exclusively use Whonix/Tor and disposable Qubes. It’s intended for security of your data and integrity of your system. If you want privacy that’s going to take more personal configuration and effort. Qubes absolutely provides the tools to use it in a very privacy oriented way but it’s not its core purpose. Leads me to believe that many in those communities who recommend it likely do not use it themselves and parrot it as a privacy system from someone else who actually uses it in that fashion after their own tinkering.

I’d welcome a few community guides on hardening each of the major browsers. I handled it by running through a config of each of them then copying the profile into skel. Probably this leaves some kind of identifiers behind that will link the qubes.

If there were some community provided “hardened browser” Salt recipes, that would probably be valuable for a lot of people. The big complication here is keeping up with new browser features that require changing the config to keep it tight, which means new hardening has to be deployed to all templates and app qubes once in a while.

I should add that how Qubes OS is presented within some communities is likely a disconnect from its intended purpose as well which may lead to some new user frustrations. For example Qubes OS is recommended by a lot of “privacy” YouTube channels/forums/Reddit r/privacy and is how I originally got interested in Qubes. The reality I was met with was that Qubes is no more inherently privacy focused by default than most Linux OS’s unless you exclusively use Whonix/Tor and disposable Qubes. It’s intended for security of your data and integrity of your system. If you want privacy that’s going to take more personal configuration and effort. Qubes absolutely provides the tools to use it in a very privacy oriented way but it’s not its core purpose. Leads me to believe that many in those communities who recommend it likely do not use it themselves and parrot it as a privacy system from someone else who actually uses it in that fashion after their own tinkering.

This is also what I use it for. One of the old blog posts mentions it, how they’re not the same but security is the necessary foundation for doing the other things that achieve privacy. If you don’t have security to begin with, any attempts at staying private will fail. You get secure first, then you can go further and get private.

I’ve seen other forum posts where people think it’s about privacy and get pissed off when it’s contested. Wonder if something like the above explanation should be on the Intro page. I’m extremely grateful for the high security of Qubes because you really can’t build serious privacy without it.

Why would I or the majority of users use dispVM for browsing in the first place? People want browser history to be preserved, cache to be used, bookmarks to be saved, auto-login to be working. So, I see no dispVM in most cases in this scenario.

Why? Users do assume and they are right. If Snowden recommends OS as the most secure, everybody calls it the most secure on the market: it is only LOGICAL to assume that browsing in it is not as unsecure as in Fedora mass-market distro.

I like this idea.

Part of my problem with just using whonix workstation for everything is that some apps that access the Internet have to access servers that don’t like tor exit nodes for some stupid reason. (I’m not pointing fingers, but fuck you cloudflare.)

When I try to connect a whonix workstation to a vpn service it results in errors.

A parrot template would solve a lot of these problems if Firefox comes at least a bit hardened. Is there a command I can type to force a 4.1 template to work in 4.2 /s?

Does the Kali template come with a hardened browser? I am not that experienced with Kali. I think it comes with a less hardened browser.

:rofl: :crazy_face:

Why not?

Yes this is right.

I’ve applied arkenfox to Firefox in Qubes. It takes a long time and it’s annoying and not intuitive and it does need to be done again whenever there’s a new template. It’s almost as bad as having to customize the tor browser to turn off javascript in about:config every time it updates.