Picking a system for selecting colors/security labels for qubes

(Got good feedback already, so information from comments responding to this post have been added to this post)

Definition of “security labels”: For this document, I’ll refer to all the types of important security related information that would be good to be known about a qube when making decisions about it as “security labels” (colors will be one way of expressing that information)

What we want to express:
Some information we might need to convey through the security labels is

  1. How vulnerable the qube is (example: expressing that it has full network access, restricted network access (which depends on the level of trust of who you are connecting to),no network access, untrusted printer drivers or not, trust level of the applications in that template, etc)
  2. How valuable the information in the qube is. (a example could be “this qube is used for banking” vs “this qube is used for general web browsing” vs “this qube contains my gpg and ssh keys”) (“value” can be alternatively phrased as how costly disclosure of that information would be)
  3. Identity (examples: personal vs work vs secret identity)

So first question is: What other types of security related information might be good to know about when one is making decisions related to a qube?

To help people get ideas, a example of one attempt at categorization is:

Many other attempts (by other countries) are listed here as more examples(with a large amount of overlap from one country to the next):

Options for how we could express it:
Currently, the information from the above security labels could be expressed by several channels:

  • Qube color
  • Qube name
  • Display location (I.E. what workspace it’s on or what monitor it’s on)

So second question would be: Are there any other channels of expressing the security label information that we have not listed above?

Some examples of proposals for possible other channels to express the security label information discussed in github issues are:

Everything after this line is old stuff from the original version of this post (that should probably be removed now):

Any proposals for extending the qubes label/color system to handle this?

I’ll kick things off with the following initial proposal, and see if it inspires anyone with a better proposal:
(Here I had put a proposal that had already been proposed in the github issues)

As I said. I’m hoping for people to improve on this idea. What other options can people think of?


I use a traffic red light / green light scheme. Red for least secure - sys-net, Orange sys-firewall, Yellow, Green sys-vpn for most secure. It doesn’t mean I trust vpn. It’s just the endpoint. Purple (Tor color) for Whonix. An Untrusted qube is red. Anything else like Banking or Work becomes a color of preference. Sometimes I break the traffic scheme and use blue for Fedora and red for Debian, purple for Whonix.

Some related issues:

1 Like

I trust connecting to my home nextcloud server and downloading files from it more than I trust downloading a pdf from a random webpage, so if a qube only connects to my nextcloud server, it gets a different color than if I use it to access the rest of the internet.

So Orange is for any networked VM that could make untrustworthy connections (rss queries to news websites; school for everything school-related). And Yellow (getting colder in colors) is for networked VMs which only connect to my Nextcloud server (productivity,backups). Then Green, Blue, etc are no networking at all. Of course since all traffic goes through sys-firewall, presumably, then you could even sort qubes by which firewall VM they were connected to, and thus which traffic is allowed to enter.

Red is not used for networking, but rather anything untrusted (Whonix DispVMs, sys-net, untrusted, fedora-dvm).

But at the same time defining trust is difficult. For example, using a Whonix DispVM to read documentation is fairly safe, because it is difficult to compromise the entire Tor network and because I have Tor set to block javascript, mitigating many browser attacks. I could, however, use a Whonix DispVM to download experimental software from the DaRk NeT, in which case I would be doing an unsafe activity with the same VM. I could make a DispVM for safe activities, and give it a different color, but I feel like this is way too granular.

I guess I don’t know how useful a fine-grained, riced border system would be (i.e. colors, stripes, polka-dots, emojis) simply because trust is difficult to define for the wide variety of activities that I use my computer for. I’d prefer to have the ability to “tag” certain VMs with the things I trust them with, and have those tags appear written in the border.

If I tell myself I will only access nextcloud with my orange productivity VM, I tag it with traffic: Nextcloud, and then the border appears as: [productivity] -- Nextcloud traffic, or something like that, to remind me what I’ve delegated this qube to handle.

Interesting idea about data value. I guess in the meantime you could simply rename the relevant qubes with -gold, -silver, -bronze text label suffixes.

And instead of value one could consider consequence levels of disclosure borrowing ideas from such Classified information - Wikipedia

Also that proposal about adding 7 new colors… Hope UX people consider colorblind people :frowning:

Are these actually orthogonal dimensions? “general web browsing” ~ full network access, “this qube is used for banking” ~ whitelisted network access, “this qube contains my gpg and ssh keys” ~ no network acesss (e.g. split-gpg). So seems like you only need one dimension here.

An orthogonal dimension instead might be identity (personal vs work vs secret identity i…). But then you can use workspace as the second dimension (with colors as the first).

degree of internet access x identity , loosely mapped to colors x workspaces

They do. It has been brought up many times.

1 Like

Note this is actually difficult in qubes due to everyone using CDN’s with many IP addresses nowdays. (if you’d like to discuss this topic please post in one of the following threads)
One example of the problem:

One proposed solution:

Note: I have updated the original post with information from comments from many users.

1 Like

I wonder what happened to the results of this survey:

I have updated the original post (again) to integrate links from comments from users

1 Like

3 posts were split to a new topic: Updating the original post is a problem for email users

@newbie posted a outline of threat types in another thread and it got me thinking. Just like we have a need to express the identity being used, we may also need to express the threat types that are allowed for a specific qube. I.E. it’s not really a linear dimension