Outbound traffic security: Kicksecure and Qubes

FreshStar · May 19, 2025, 10:37am

After my previous question about Kicksecure outgoing traffic was answered, I have a further relevant follow-up question.

When trying to compare Kicksecure Host to Qubes Hypervisor with Whonix: Is Qubes more secure and reliable regarding avoiding outgoing clearnet traffic, because Tor is technically enforced for all outgoing traffic via settings, i.e. there’s always Whonix-Gateway (proxy) in between which acts like a kill switch? From my understanding this is not the case in Kicksecure.

Patrick · May 19, 2025, 11:52am

No.

Nobody is keeping to verify (such as by automated tests) that Qubes maintains radio silence, i.e. avoids accidential clearnet phone home traffic. → Fingerprint, Non-Existing Network Fingerprint Research and Implementation
Not a project (main) objective. → Fingerprint, Project Goal and Non-Goal Comparison

(Documentation improved just now.)

What you would need, and what does not exist yet at time of writing:

A) Whonix-Host Operating System Live ISO, Whonix-Host Installer (non-Qubes); or
B) a Qubes based Whonix-Host (not even planned by anyone); or
C) a Whonix based sys-net for Qubes [1]

[1] C) would still not be as good as A) and B), because it would still not be a main goal of the host operating system. Hence, it would still be possible for users to mess up by wrong configuration (using multiple NetVMs) or bugs. (Important Qubes Anonymity related Networking Issues)

FreshStar · May 19, 2025, 6:47pm

A great write-up! Thanks a lot for this detailed answer and pointing to references.

Please excuse me if I didn’t notice this: What happens in Kicksecure in the case Tor connection is not possible or connection breaks?

I want to exclude that clearnet will be used automatically in this case for checking for updates and downloading updates.

extraextra · May 20, 2025, 12:54am

No connection. But the reason you need to ask this means.

Not possible or at least cannot be really sure.

Disable DNS. Use a firewall.

FreshStar · May 20, 2025, 11:23pm

Could you please clarify if I should assume that updates will be performed via clearnet automatically if Tor connection fails?

Is disabling DNS a general security recommendation for Kicksecure? Is it documented how to do it the right way?

Can you recommend a documentation for proper firewall configuration on Kicksecure for avoiding clearnet connections? Or do you offer assistance?

Patrick · May 21, 2025, 10:19am

There is no fallback to clearnet for default APT package sources files.

No.

Documented just now:
Disable DNS

If you read the documentation fully, you will see why it cannot be considered “the right way”.

No.

Implementing a firewall that reliably allows outgoing traffic for Linux user account debian-tor, loads early enough, has no race conditions, a fail-closed error handling mechanism and does not leak is challenging. Users won’t be able to do this.

Ticket:
Kicksecure Firewall

As said:

And you won’t be able to find a band-aid by asking in any forums either.

FreshStar · May 21, 2025, 11:55pm

Again much appreciated that you take care of these questions, answer them in detail and provide such a great support.