I was trying to decide what operating system I should use for as much acquirable security (while being reasonably usable and not living in the forest) as a daily driver.
I know since I’m posting this in the Qubes forum there may be bias towards Qubes, but I wanted to get some opinions on this topic, because I am very interested in learning more about this!
I know QubesOS calls itself a “reasonably secure” operating system, and the virtualization and compartmentalization of Qubes + the Linux OSes it uses do provide that. (I get into Qubes’ security after this)
However, OpenBSD claims to be the most secure system and it has a lot to help back up those claims. OpenBSD is a monolithic kernel (unlike Qubes), but OpenBSD has extremely in-depth code audits, security built into the OS (like Qubes), and more; see the OpenBSD security page on Wikipedia.
According to author Michael W. Lucas, OpenBSD “is widely regarded as the most secure operating system available anywhere, under any licensing terms.”
And the OpenBSD security info page:
“Our aspiration is to be NUMBER ONE in the industry for security”
And finally, their motto: “Only two remote holes in the default install, in a heck of a long time!”
But OpenBSD does have criticisms: (see the Wikipedia page above, section “Criticisms”)
Two years later, in 2019, a talk named “A systematic evaluation of OpenBSD’s mitigations” was given at the CCC, arguing that while OpenBSD has some effective mitigations, a significant part of them are “useless at best and based on pure luck and superstition”, arguing for a more rational approach when it comes to designing them.
Plus, some more criticisms (take it with a grain of salt seeing this is some random WordPress site that I found while DuckDuckGo’ing) here, but it does mention concepts like AppArmor, SELinux, and grsecurity. (but this was also written in 2010)
On the other side, QubesOS has Edward Snowden himself promoting and saying that Qubes is the most secure OS available today. On the Qubes website, Qubes shows the security of isolation via Xen and how you can run multiple OSes securely.
In terms of security, here’s what I’ve extrapolated:
- Maybe QubesOS can be compromised more easily because it uses multiple operating systems (larger attack surface to send bugs that would theoretically exploit Xen bugs)
- OpenBSD is monolithic, but it uses something called “jails” instead of VMs. Maybe this is less secure?
- Qubes uses disposable VMs, so maybe it may have an advantage in erasing malware off of its system?
- Qubes has Whonix for even more DispVM / AppVM security: Whonix focuses on anonymity via Tor, but the Whonix devs also put a lot of time into security, see the Whonix docs. Some examples of this are all the kernel hardening implemented, along with Whonix being a hardened Debian variant (Kicksecure) if I remember correctly.
So I think the comparison to make here is between the security of either Qubes-Whonix ONLY or Qubes with all the default VMs being utilized as intended, and the security of OpenBSD.
I know these are very different systems, but any advice would be welcome as to what to choose between Qubes and OpenBSD.
(Sorry I didn’t source everything, I originally had hyperlinks for most of these claims, but apparently I can’t post more than two links in a new topic for new users, but most of this stuff is just a search away)