One Guard per App in Qubes? How?

Sorry if wrong category. I think this right forum. Forgive me I Confused.

I read in Whonix docs ‘Increase Protection from Malicious Entry Guards: One Guard per Application’. How to do in Qubes? Does guard mean gateway? Really confused. Please help

You can start a new Whoinx VM for each application, but if all you use is the Tor Browser it happens automatically, each request to a new domain is done in a new circuit.

Thank you for reply!
So one app each Whonix VM and different gateway for every VM, correct? Confused by

Not understand where say:
‘To apply this Increase Protection from Malicious Entry Guards configuration, follow these steps’

Snapshot means clone, yes? Does guard honest just mean gateway?

More confused. New circuit mean entry guard?

Reading Tor Entry Guards - Support - Whonix Forum confused what @adrelanos think to advice except now ‘instructions don’t influence Tor entry guards’ Is @unman lighter TorVM for one Tor entry guard per application Qubes setup less trouble?

Is One Tor Entry Guard per Application not recommend in Qubes?

The recommendation is to use Whoinx, unless you know you need something else.

If you don’t understand what you are doing you shouldn’t try and reconfigure Tor or Whoinx, you are most likely just going to weaken what Tor does.

The general idea behind the guard nodes is that you put all your eggs in one basket, often it doesn’t matter if some or all your traffic goes through a bad guard it’s going to be enough to deanonymize you, this is why a limited pool of guards are used.

Thank you. Understand. Seek the ‘safest possible configuration’
http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Tor_Entry_Guards
'‘Whonix ™ developer HulaHoop recently approached Tor researcher, Tariq Elahi, to discuss how exposure to malicious guards in multi-Workstation scenarios could be measured. It was discovered that 1 guard/client per internet-connected program (not identity!) is the safest possible configuration.’

Exactly why Tariq’s advice to me make sense. Many whonix gw is experiment now or ‘safest possible configuration’?

Could not find howto in qubes so thought ask.

off topic comment

@renehoj saw awesome hcl submit
MSI Pro Z690-A WiFi DDR4 with Alder Lake 12900K
Do you have parts list? Total cost? DM welcome

You can make whonix-1, whonix-2, etc. and use them as sys-net for different qubes, whonix-1 would be for your browsers, whonix-2 you email, etc.

I personally, don’t think the idea with multiple guard nodes makes much sense. If all you whonix qubes have the ability to deanonymize you, making 5 qubes just makes it 5 times more likely you get deanonymized.

I don’t know how much it matters the amount of data you send though the guard it can’t see the data, and I don’t think time correlation require a lot of data.

Agree to disagree. Maybe Tor Entry Guards - Support - Whonix Forum best to discuss merits.

Future ready policy change still confuse me.

Relevant?

Appreciate thoughts and you topic create at Tor Project Forum

Edit: Small update on merits whonix thread at Tor Entry Guards - #9 by HulaHoop - Support - Whonix Forum

Copy your whonix-gw template and performa a guard rotation

However i want to point something out. This:

There may be a subset of guards that are malicious. If you hit one of them and you are a target of the operator, you are fucked either sooner than later. Have 5 guards and this is 5 times as likely, just like @renehoj mentioned.

IF you have a valid reason to do this: Try to absolutely minimize your number of whonix gateways. Something like “This one for normal browsing, this one for stuff that will get the CIA to kill me”.

Indeed. Still is target of the operator necessary? I may misunderstand.

Tor_Entry_Guards#cite_note-10
A malicious guard can compromise all circuits that go through it, if the honest client also picks (or is somehow manipulated into picking) a malicious exit. Then all traffic on this circuit is compromised with certainty. The rate of success for the adversary is proportional to how much bandwidth she can afford and deploy.”

Make think non targeted risk exists. Similar to attackers who run entry nodes and try enumerate all user IP addresses - except harder and cost more. Something like “drive-by” de-anon/de-pseudo?.

When start thread thought Clone then Fresh Tor Entry Guards by Regenerating the Tor State File (or alternate bridges) might be part of answer. Instead learn 1 Guard / App concept not widely accepted. “How?” part of topic now on hold for me. Thank you for replies @Suspicious_Actions and @renehoj

For anyone going further Multiple Whonix-Gateway ™ “…has both advantages and disadvantages. One security benefit is the isolation of separate Whonix-Gateway ™ VM instances. In the event that one Whonix-Gateway ™ is compromised, it is not certain the other(s) will be similarly compromised.”

Needs repeating?
"In general, users should not interfere with Tor guard persistence or the natural rotation of entry guards every few months."

Moderation question

Could this be moved from User Support to General Discussion? Can I? Or is better leave here without solution?

You can’t use a compromised guard without access to the exit node or connection end point.

If you control both the guard and exit nodes, you have access to all the clear net encapsulation data and all unencrypted data.

If you control the guard and the connection end point, you know the relation between the end point and the Tor user

In both cases, you know the real IP of the Tor user, which is what makes multiple guards dangerous.

Multiple guard does limit the access to the encapsulation data, but it increases the chance of you using a compromised guard node.

Yes true.

Ok

Or use “dangerous” single whonix gateway and

which may lower short time odds at price of greater consequence when luck runs out. Sure single whonix gateway may decrease overall userbase odds. Not necessary individual user odds. As @Suspicious_Actions seem say you fucked either sooner or later when unlucky.

It’s dangerous to assume that you safely can send a small amount of traffic though a compromised guard, or that the consequences of doing this are going to be less severe.

If sending any traffic though a compromised guard is deadly, then you very much want to put all your eggs in one basket and pray you picked the right one. At the very least, you should understand that as the number of guards increases, your chance of survival will eventually drop to zero.

Not try misrepresent you @renehoj but above good warnings to repeat.

:pray: :laughing:

Well, if the operator of those malicious nodes is not interested in you, you don’t have a problem. For example they looking for north Korean defectors or darknet vendors, you may be in luck by not being one of them.

Well, it is not that simple, but generally speaking you are in a tight spot if your adversary controls both you guard and your exit. Such attacks need time and the more time your adversary is able to control both points in the network, the higher their confidence in their correlation.

Exactly. As always, it is trading one attack surface against another.

But be assured, that many people tend do vastly overestimate their adversaries capabilities. By using Tor/Whonix/QubesOS you are using state of the art stuff and the Alphabet bois will hate you for doing so. If target or not. :slight_smile:

1 Like