Issue with Kicksecure 17 without sys-whonix

I have Qubes OS 4.2 and the distribution morphing (based on minimal Debian 12).

I would like to use Kicksecure 17 with an appVPN in Net Qube instead of sys-whonix.

I ran

sudo systemctl disable tor

but I still get this error message:

Denied whonix.NewStatus + status from AppKicksecure17 to sys-whonix

However, thanks to my Net Qube appVPN, I do have internet access.

How can I resolve the error message, and is using Kicksecure this way still secure?

You most likely do not want to do that for a few reasons:

  • Tor is not used for anonymity in Kicksecure. Most of your network connections will go over clearnet (or, in your case, a VPN), not over Tor. The exception is OS updates and time synchronization.
    • OS updates go through Tor in order to prevent a targeted attack by a software update server against a Kicksecure user. The server cannot serve compromised updates just to one individual because of the use of Tor, because it can’t know who is downloading the updates. Either a server would have to distribute compromised updates to everyone (or at least everyone who uses Tor), or to no one; there’s no way to target just you if you download updates over Tor. Thus disabling Tor in Kicksecure reduces security.
    • Time synchronization is done over Tor, because it can be done in a manner far more secure than updating time over NTP. A malicious NTP server could easily provide you an incorrect time, which would trick your system into accepting expired and potentially compromised TLS certificates, among other things.
  • You need to also disable tor@default.service if you want to really disable Tor.

This is sdwdate-gui, which is intended to show the current state of sdwdate in the system tray by communicating info about the sdwdate to sys-whonix (which then displays that info in the sdwdate tray icon). The best way to get this error to go away is to add some policy lines to a file in dom0, such as /etc/qubes/policy.d/30-user.conf, to allow your Kicksecure AppVM to talk to sys-whonix only for the purpose of showing info via sdwdate-gui. The lines should look something like:

whonix.SdwdateStatus +         @tag:anon-gateway ks                allow  autostart=no notify=no
whonix.NewStatus     *         ks                @tag:anon-gateway allow  autostart=no
whonix.GatewayCommand +restart @tag:anon-gateway ks                allow  autostart=no
whonix.GatewayCommand +stop    @tag:anon-gateway ks                allow  autostart=no
whonix.GatewayCommand +showlog @tag:anon-gateway ks                allow  autostart=no

(This is based on https://github.com/QubesOS/qubes-core-admin-addon-whonix/blob/release4.2/qubes-rpc-policy/80-whonix.policy.)

It would be best to leave Tor enabled and configure sdwdate-gui to be able to talk to sys-whonix as described above. Your “normal” Internet traffic should still go through the VPN, and even the torified traffic may end up going through the VPN depending on how it is configured. Disabling Tor has some security risks; whether those are acceptable for your use case or not depends on your threat model.

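The effect of the policy lines in the answer above, as an added example that is not part of the original thread or of the Qubes code: a simplified first-match evaluator showing why the NewStatus call is denied without the user rule and allowed with it, while other qubes stay denied. The qube inventory, the stock rules and the treatment of `ks` as the Kicksecure qube's name are assumptions made for illustration.

```python
# Simplified model of Qubes qrexec policy matching; not the qrexec implementation.
# Rule fields: service  argument  source  destination  action  [params]
# Files are read in lexical order and the first matching rule wins, so
# 30-user.conf is consulted before 80-whonix.policy. No match means deny.

# Constructed qube inventory (assumed): qube name -> tags.
QUBES = {
    "sys-whonix": {"anon-gateway"},
    "anon-whonix": {"anon-vm"},
    "ks": set(),      # the Kicksecure AppVM, which has no anon-vm tag
    "work": set(),    # an unrelated qube
}

# Two of the lines from the answer, as they would sit in 30-user.conf.
USER_POLICY = """
whonix.SdwdateStatus +         @tag:anon-gateway ks                allow  autostart=no notify=no
whonix.NewStatus     *         ks                @tag:anon-gateway allow  autostart=no
"""

# Constructed stand-in for stock rules that only admit anon-vm tagged qubes.
STOCK_POLICY = """
whonix.NewStatus     *         @tag:anon-vm      @tag:anon-gateway allow  autostart=no
whonix.NewStatus     *         @anyvm            @anyvm            deny
"""

def parse(text):
    """Return [service, argument, source, destination, action] per rule line."""
    lines = (ln.split("#", 1)[0].split() for ln in text.splitlines())
    return [fields[:5] for fields in lines if len(fields) >= 5]

def qube_matches(pattern, qube):
    if pattern == "@anyvm":
        return True
    if pattern.startswith("@tag:"):
        return pattern[len("@tag:"):] in QUBES.get(qube, set())
    return pattern == qube

def arg_matches(pattern, arg):
    # "*" matches any argument, "+name" exactly that one, "+" the empty one.
    return pattern == "*" or pattern == "+" + arg

def evaluate(policy_files, service, arg, source, dest):
    """Return the action of the first matching rule, or "deny" if none match."""
    for text in policy_files:
        for svc, argpat, src, dst, action in parse(text):
            if (svc == service and arg_matches(argpat, arg)
                    and qube_matches(src, source) and qube_matches(dst, dest)):
                return action
    return "deny"
```

Passing `[USER_POLICY, STOCK_POLICY]` models the lexical file order; the user rule names one source qube, so it widens access for that qube only.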