Qubes' answer to the issue thus far has been "Use disposable VMs". But there are many use cases where they're difficult or impossible to use.
Conversation
That doesn't resolve the issue of an application being compromised and an attacker gaining access to everything in that environment. Security against remote compromise and fine-grained containment certainly matters despite coarse-grained isolation chosen by the user higher up.
2
For the secure messaging example, it can be isolated per contact, and handling things like audio / video decoding for video calls can be isolated, as can cryptography, etc. Finer grained isolation than a group of applications for a certain identity / task is very important.
1
I think this approach is really less about containment and more about reducing the complexity of data formats exchanged between subsystems. Even the strong isolation of Qubes relies on the idea of simplified formats used at critical points.
1
Isolating per-contact in a messaging client, per-site in a browser, etc. is applying the same principle of QubesOS at a fine-grained level using existing privacy/security boundaries. Since they're existing boundaries, it doesn't require the user to do anything or be aware of it.
2
OK re per-contact-site isolation.... Now, demote "kernel" to "services" and look to hypervisor+qrexec as the actual kernel.
1
There are implementations of fine-grained isolation within applications using different mechanisms than OS sandboxing. Architecture-level virtualization is one possible approach and has pros / cons, as do other approaches like a higher-level virtual machine, etc.
1
1
The isolation between sites in a browser or contacts in a messaging app are good examples of existing fine-grained trust boundaries to reinforce. There are a lot of other examples and reinforcing those can improve security for a billion users with no more work on their part.
2
IDK if that's literally true. The move to https was itself a form of site isolation & industry was tinkering with hiding URLs altogether when they did about-face out of necessity. We might not have Chrome internal isolation today if not for trend reinforcing site identity in UI.
3
The domain is the site identity. Marking EV identity is on the way out because it isn't actually truly meaningful / helpful for users. They don't know where companies are registered and those names aren't unique while domain names are unique.
Whether or not EV is valuable is open to debate; still an attempt was made to enhance security through UI and make web site identity more distinct.
1
The domain is the distinct identity. EV was an attempt to tie it to real world identities of companies but it can't achieve that goal due to company names not being unique and users not knowing where companies are registered or the full legal naming of the corporation.
It's certainly possible to register another company called "Twitter, Inc." in the US within a different state and that would show up as "Twitter, Inc. [US]" in EV too. The isolation boundary has nothing to do with that identity but rather the domain anyway.