Qubes partitioning dilemma

I have a small dilemma with organizing my qubes.

As per security instructions, I have separated and partitioned my QubesOS system into various qubes. There’s an offline vault qube for KeePassXC password storage, an offline personal qube for documents, an email qube for… well… email, and various web browsing qubes like shopping, banking, personal, untrusted web browsing, etc. Basically, the issue I’m having is how to separate the personal web qube from the untrusted web qube.

I imagined that I would use the untrusted web qube for general browsing, and only use the personal web qube to browse websites where I have an account and need to login… forums, social media, github, etc. Okay, good. But the issue is that whenever I use this personal qube to browse social media sites (reddit, lemmy, mastodon) and forums, it will inevitably turn into an untrusted qube because of course people will post links to other “untrusted” websites that I am subconsciously going to click on. Thus, the personal web qube now automatically becomes the general untrusted web-browsing qube, which I intended to have a separate VM for.

How do you separate general web browsing qube from a trusted-website one?
Is there perhaps some way to make Firefox open URL’s (which are not on a given domain list) in another qube?
How did other people solve this?

I generally advise that “general web browsing” should be done in a
disposable. I separate other activity to diverse qubes according to
security domain, using Qubes networking to limit available target hosts.
You can copy/paste URLs between source qube and a disposable.

Depending on what browser you use, you may be able to set links to
untrusted sites to open in a disposable using a custom mimeapps.list, or
by basic configuration of the browser.

There is a nice browser extension here, but I havent tested it for a
while, and cant vouch for it.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

One of the great things about Qubes OS is that it encourages you to consider important questions and find answers.

This is a question I’ve been pondering repeatedly, and I anticipate revisiting it over time.

Here’s where I’m at:

I no longer trust any websites, not even those of my online bank.

I then explored this question from a different angle, focusing on the concept of “Identity Blast Radius” after reading articles like this following and others. This has led me to move away from a purely “asset-centric” approach.

More information can be found here: Blast Radius: What Does Blast Radius Mean in Cybersecurity | Lumos

Because I tend to “hide in plain sight” like Gustavo Fring, I’m not overly concerned if my eBay or Amazon accounts are compromised. Knowing that someone might discover I bought a used lawnmower on eBay and purchased a book on lawn care on Amazon doesn’t bother me.

I’m comfortable with “big tech” creating profiles about me; they’re mostly unremarkable. (Not that I like the idea at all!)

Moreover, the financial impact is relatively minimal. Platforms like eBay and Amazon have systems in place to mitigate potential damage. The Identity Blast Radius is therefore limited, and everything I do online can (and will!) be observed and analyzed.

Those interested in this specific topic could also benefit from studying the strategies and tactics developed and successfully used during the Soviet era, focusing on the lives of ordinary people.

This study is not only historically relevant but also highly relevant to our future lives in the “Western democracies” that we are currently accustomed to.

To return to Qubes OS, I use a dedicated VM for this type of “public” web traffic.

However, when it comes to my personal and private life, as identified by experts in the field of “Digital Resistance Identity,” a different approach is necessary.

For example, if I were to operate a Tor relay or a Tor web tunnel bridge, or if I were to be involved in circumventing censorship measures in Russia, I would want to keep that identity separate from my “public” identity.

On the other hand, I don’t mind if my Qubes forum account is linked to my Tor forum threads. Anyone interested in Qubes and Tor relays is already likely to be under scrutiny, and whether my visit to the Whonix forum or a privacy-focused community is also involved is of no consequence. Law enforcement agencies are unlikely to be concerned about those details…

Therefore, I also use a separate VM for browsing that kind of topics.

In summary, I strive to minimize the Identity Blast Radius so that no damage occurs to my “Digital Resistance Identity” if one or more of my “public” accounts are compromised.

I welcome any suggestions for improvement.

Heeey! The reason I didn’t use a disposable for general web browsing is because I still needed some persistence to save certain website settings in the browser (e.g. some addons like uBlock Origin need custom filters per domain). For this reason I configured Firefox with Arkenfox to clear history, cookies, storage and cache. Basically, it uses memory cache and doesn’t write to disk at all.

As for the separate personal qube where websites do require a login, well… Perhaps I could allow only certain domains in the firewall for this qube, but that brings some annoyances because many websites also require lots of 3rd-party domains to function (e.g. CDN’s, statics, jquery, etc). Would be a pain to have to identify them each time a new website is added to the list (not to mention they can change over time). Copy/pasting links between qubes is a valid solution, but 20+ years of muscle memory isn’t really helping me out because I can totally see myself subconsciously clicking on a link while forgetting that I’m supposed to open it in an untrusted qube.

I think an in-browser solution would be ideal here. Firefox already has containers that can be configured to open various domains in different isolated environments. It would be nice, if those domains could instead be opened in a different qube.

unman: Thanks for the addon link. I’ll check, if it’s something I can make use of.