So Whonix talks about making an “anon-printer” VM based on Whonix workstation, and setting up the printer in that. However, given:
The model/description string of the printer, and
The IP address of the printer, for example: “10.1.2.3”
then wouldn’t that uniquely identify you to all disposable, anonymous VMs that you have the option to print from?
(Note: not as bad if your network happens to be 192.168.0.0/24)
I don’t know if web sites one visits can access the printer settings in a torbrowser, but it seems like a risk.
Should there be a special sys-cups (or sys-printer) VM that they print to, in order to not uniquely identify to the browser?
Note, I’m just talking about having the expected anonymity of torbrowser disappear. I’m not worried about the tracking information on the printed pages, or the unencrypted network traffic yet.
Apart from the question of whether websites could access your printer settings (which is a very interesting one that should definitely be answered by someone knowledgeable), I would always recommend two things:
Deny access from VMs that can access the Internet to your local network and vice versa (using Qubes firewall settings or, if possible, even dedicated network VMs).
Both help with stronger isolation of your digital life in general. If you would want to print something from the Internet you would then:
Print page to PDF in (tor)browser
Navigate to PDF in file system
Right click → View in DispVM (which would open a disposable PDF reader with access to your local printer)
Use the regular print menu from there.
Just make sure you leave the dispVM open long enough for the print job to be fully transmitted. Especially with larger files, I sometimes close the window before all data has been transmitted to the printer and then the job aborts.
Note to anyone reading this discussion: the discussion he mentioned generated a more detailed version in a “guide” discussion, and I just posted an even more detailed alternate version lower in the same discussion.
(It does successfully solve the issue I was asking about)
A somewhat simpler solution is to use a split-printer, where you print
as usual from a qube, and the print job is passed by qrexec.
The printing qube has no knowledge of the printer at all, or of the
“print” qube, since this is handled at the admin level, so there is no
risk of unique identification. GitHub - unman/qubes-print has some details.