
Installer: Set realistic performance expectations about updating over Tor (slowness, failed updates that need to be retried)

Open andrewdavidwong opened this issue 2 years ago • 3 comments


The problem you're addressing (if any)

Updating over Tor (sys-whonix) is slower and more failure-prone than updating over clearnet (or a VPN), but it comes with security benefits (specifically against targeted update freeze attacks). This is a classic security/convenience trade-off. However, many novice users do not understand how Tor works, so they blame the slowness and update failures on Qubes and incorrectly conclude that the Qubes update system is broken. In reality, if these users were fully informed, many of them would probably not choose the Tor option in this security/convenience trade-off. Instead, many of them would probably opt to have faster, less failure-prone updates over clearnet (or a VPN) while giving up the security benefits of updating over Tor, which are mainly for especially high-risk and/or targeted users anyway.

The solution you'd like

  1. In the installer, when users are required to choose whether to route updates over Tor (sys-whonix), warn them that it will make updates much slower and more failure-prone.

     • Example language: "Routing updates over Tor can protect against certain targeted attacks. However, this option will make updates much slower, and you may have to retry failed updates periodically." (The idea is to set more realistic expectations for users who decide to use this option.)

  2. [Edit: This is already the default.] Consider leaving the box unchecked by default, such that a user who doesn't touch any of these installer options will not be updating over Tor. In other words, make it opt-in rather than opt-out.

     • Argument for opt-in: Most users aren't being targeted by update freeze attacks and would benefit significantly from faster updates. (For example, I see even moderately experienced users comment about how they have to devote hours each week just to Qubes updates. Related: #4282)
     • Argument for opt-out: Updating over Tor is a more secure default option, and we should choose the most secure reasonable defaults.

The value to a user, and who that user might be

Users who aren't familiar with Tor and who would rather have faster, less failure-prone updates won't accidentally route all updates over Tor.

andrewdavidwong, Feb 15 '23 03:02