Removing browser from qube causes clicked links to open in another qube automatically

hi there, i encountered an issue that can lead to deanonymization. not sure if this needs to be a bug report (will open one if advised to do so)

the TL;DR version is that if you remove the browser from a qube and then click a link in that qube, it will launch another qube and open the link. i found this out in a way that would have led to catastrophic deanonymization under different circumstances.

i have a qube with a separate template for discord. it’s connected to sys-whonix. i am logged in with a personal account that has been used on the clearnet before (which is why the deanonymization isn’t a big deal in this specific case). a few times, i’ve clicked on links without thinking too much about it. my model behavior should be to copy or transcribe the link to a disposable whonix qube. but i wanted to stop the browser from launching entirely to reduce the attack surface, so i uninstalled it, thinking it would just give me an error.

instead, it launched a default-dvm connected directly to sys-firewall, bypassing whonix. all discord links are routed through discord. if you right click a link and select “copy message link”, it gives you a

http://discord.com/channels/[numbers/numbers/numbers]

link, which likely tracks who clicks what from where and where it goes and all manner of tracking it can get along with it. if this was an intentionally anonymized account, it would have led to identity correlation.

i am baffled that this is something that’s possible. clicking a link after removing the browser should fail in a safe way. i had no idea it was possible to automatically launch a different qube like this.

in the meantime, i’ve reinstalled firefox and set it to use a proxy that doesn’t exist. is there another way i could have dealt with this? are there other types of links that might try to open in another qube that i should know / worry about?

There is a warning about this in the qube’s settings:

Caution: The default disposable template (see the advanced tab) has a different net qube setting than
this qube. This configuration may result in unexpected network access.
For example you may have set this qubes net qube to “None” in order to prevent any data from being transmitted out.
However, if the default disposable template’s net qube is set to “sys-firewall”, then a disposable started from this qube
may be able to transmit data out, contrary to your intention. You may wish to set the default disposable template
for this qube to one with equally restrictive network settings.

Also described in the docs:
How to use disposables — Qubes OS Documentation

You can change the qube’s disposable template, set it to none or to some offline disposable template.


One can make disposable whonix and use that as default disposable template.

thank you, i had seen that option before but didn’t make the connection between it and what was happening earlier. i’m still baffled that it will try to open the links in another qube automatically at all. i feel strongly that the behavior should be that it just fails to open the link without an application installed that can handle it.

Hi @yni_qubesforum and welcome here. Qubes OS is focused on security. Anything related to anonymity might require extra steps. In your case, you might want to create custom policies to prevent that kind of situation.

The behavior you are describing looks good to me, as it is convenient and doesn’t imply security issues, but that is only my point of view.

I appreciate your suggestion to look into custom policies. I haven’t looked into those yet so this makes a good reason to do so. I also need to read up on qrexec it seems.

> i’m still baffled that it will try to open the links in another qube
> automatically at all. i feel strongly that the behavior should be that
> it just fails to open the link without an application installed that
> can handle it.

Just set the “default disposable template” to None in the qube
settings, and be done with it. I don’t understand what’s the big
problem here.

I think the issue is that it was surprising that the default action to open a link when no browser was installed is to open a browser in a disposable qube.

This is understandable as it’s something specific to Qubes OS.

> I think the issue is that it was surprising that the default action to
> open a link when no browser was installed is to open a browser in a
> disposable qube.

Well, in QubesOS-specifically, there is the binary
/usr/bin/qvm-open-in-dvm, which has the following
/usr/share/applications/qvm-open-in-dvm.desktop file:

[Desktop Entry]
Version=1.0
Name=QubesOS Edit In DisposableVM
Exec=/usr/bin/qvm-open-in-dvm -- %u
Terminal=false
Type=Application
Categories=Network;WebBrowser;
MimeType=application/octet-stream;application/pdf;application/qubes-untrusted-file;application/rdf+xml;application/rss+xml;application/vnd.mozilla.xul+xml;application/x-wwf;application/x-zerosize;application/xhtml+xml;application/xml;image/gif;image/jpeg;image/png;image/svg+xml;text/html;text/plain;text/xml;x-scheme-handler/about;x-scheme-handler/http;x-scheme-handler/https;x-scheme-handler/unknown;
NoDisplay=true

So, in QubesOS debian/fedora templates, it is not enough to just remove
“firefox” and claim, “but there aren’t any browsers to open web links”;
qvm-open-in-dvm is still associated with http/https mimetypes.

Also, this is not a QubesOS-only issue. There might be other
applications on your debian/fedora OSes that /can/ try to open
http/https links and “baffle you”.
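
Added example, not part of the post above or of Qubes OS itself: a small audit that lists every desktop entry still claiming the http/https scheme handlers, which is the association the post describes. The sample directory is constructed inline; the `editor.desktop` entry is hypothetical and the `qvm-open-in-dvm.desktop` content is a shortened copy of the file quoted above.

```python
import configparser
import tempfile
from pathlib import Path

WEB_SCHEMES = {"x-scheme-handler/http", "x-scheme-handler/https"}

def web_link_handlers(app_dirs):
    """Return {desktop file name: (Exec line, web schemes it claims)}."""
    found = {}
    for app_dir in app_dirs:
        for path in sorted(Path(app_dir).glob("*.desktop")):
            parser = configparser.RawConfigParser(
                strict=False, delimiters=("=",), comment_prefixes=("#",))
            parser.optionxform = str  # desktop entry keys are case-sensitive
            try:
                parser.read(path, encoding="utf-8")
                entry = parser["Desktop Entry"]
            except (configparser.Error, KeyError, UnicodeDecodeError):
                continue  # not a usable desktop entry, skip it
            claimed = {m for m in entry.get("MimeType", "").split(";") if m}
            hits = sorted(claimed & WEB_SCHEMES)
            if hits:
                found[path.name] = (entry.get("Exec", ""), hits)
    return found

def demo():
    """Constructed sample: the entry quoted in the thread plus an unrelated one."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "qvm-open-in-dvm.desktop").write_text(
            "[Desktop Entry]\nType=Application\n"
            "Exec=/usr/bin/qvm-open-in-dvm -- %u\n"
            "MimeType=text/html;x-scheme-handler/http;x-scheme-handler/https;\n",
            encoding="utf-8")
        Path(d, "editor.desktop").write_text(
            "[Desktop Entry]\nType=Application\nExec=editor %f\n"
            "MimeType=text/plain;\n",
            encoding="utf-8")
        return web_link_handlers([d])

if __name__ == "__main__":
    for name, (exec_line, schemes) in demo().items():
        print(f"{name}: {exec_line}  <- {', '.join(schemes)}")
```

Inside a qube, pass the real application directories instead of the sample, for example `/usr/share/applications`.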

Yes but if it happens, it’s certainly behind the same VPN or Firewall as if it was a web browser :wink:

I think this is the root of the problem.
OP had not realised that it was necessary to either change the netvm of
the default disposable, or to not have a disposable at all.
This is basic stuff.

The same issue when people are surprised at update checks over clear.

If you want to be behind Tor, make sure that all your qubes are behind
Tor.

I’m not sure how to make this clearer to users.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
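
Added example, not part of any post in this thread: the check that the settings warning and the last reply describe, written as code that flags every qube routed through a Tor gateway whose default disposable template is not. The inventory is constructed, its dictionary layout is an assumption rather than the output of any Qubes tool, and the qube names `discord`, `anon-chat` and `whonix-workstation-dvm` are hypothetical.

```python
# Constructed inventory: qube name -> its net qube and default disposable template.
INVENTORY = {
    "sys-net": {"netvm": None, "default_dispvm": None},
    "sys-firewall": {"netvm": "sys-net", "default_dispvm": None},
    "sys-whonix": {"netvm": "sys-firewall", "default_dispvm": None},
    "default-dvm": {"netvm": "sys-firewall", "default_dispvm": "default-dvm"},
    "whonix-workstation-dvm": {"netvm": "sys-whonix",
                               "default_dispvm": "whonix-workstation-dvm"},
    "discord": {"netvm": "sys-whonix", "default_dispvm": "default-dvm"},
    "anon-chat": {"netvm": "sys-whonix",
                  "default_dispvm": "whonix-workstation-dvm"},
}

def upstream_chain(qubes, name):
    """Net qubes that traffic from `name` passes through, nearest first."""
    chain, seen = [], {name}
    nxt = qubes.get(name, {}).get("netvm")
    while nxt and nxt not in seen:  # `seen` guards against a looped config
        chain.append(nxt)
        seen.add(nxt)
        nxt = qubes.get(nxt, {}).get("netvm")
    return chain

def leaky_disposables(qubes, gateway):
    """List (qube, disposable template, template's net qube) where the qube
    is behind `gateway` but a disposable started from it would not be."""
    findings = []
    for name, props in sorted(qubes.items()):
        if gateway not in upstream_chain(qubes, name):
            continue  # qube is not routed through the gateway at all
        dvm = props.get("default_dispvm")
        if not dvm:
            continue  # set to none: no disposable can be started from here
        dvm_chain = upstream_chain(qubes, dvm)
        if gateway not in dvm_chain:
            findings.append((name, dvm, dvm_chain[0] if dvm_chain else None))
    return findings

if __name__ == "__main__":
    for qube, dvm, netvm in leaky_disposables(INVENTORY, "sys-whonix"):
        print(f"{qube}: disposables use {dvm} (net qube {netvm}), not sys-whonix")
```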