How so? If you kept a disposable VM open and just created new identities in tor browser, how does Qubes mitigate the threat here?

▲

handedness 3 hours ago | parent | next [-]

I believe you are correct, and that this poses a significant risk for people who don't properly understand the underlying concepts.

A Qubes OS user needs to start a new disposable Whonix workstation VM to sidestep this attack, NOT create a new identity in the same disposable VM's browser, which is exactly what this attack targets.

▲

fsflover 7 hours ago | parent | prev [-]

On Qubes, you do not create a new identity in the same VM. This would go against the Qubes approach to security/privacy. Using separate VMs for independent tasks is the whole point of using Qubes.

	▲	handedness 4 hours ago \| parent [-]
		> On Qubes, you do not create a new identity in the same VM. This would go against the Qubes approach to security/privacy. Using separate VMs for independent tasks is the whole point of using Qubes. This is technically incorrect information and could get people in trouble if followed literally. On Qubes OS, if a user creates a new identity inside a Whonix workstation disposable VM via the browser's new identity functionality, the new identity spawns within the same disposable VM. I just tested this on Qubes OS 4.3. That, I assume would expose one to OP's vulnerability, as its still running in the same VM. I would be glad to learn that I'm incorrect in my unverified assumption. Even Qubes OS users still need to be mindful to launch new disposable VM when keeping identities separate to sidestep this attack.