Hacker News

VM escape exploits are actually used in the wild, so yes, if that was on your work machine, you failed the test.


If your security model requires people to never open an untrusted link in their browser, you just cannot allow open Internet access.


Isn't this fairly common? I've now worked at several organizations where sensitive information was stored on air-gapped networks. Software updates or data were moved in and out using pre-approved external drives.

I tend to think this is good software dev practice anyway. You ought to be able to test everything on your testing servers, and if this doesn't adequately reproduce the production environment, it's a problem with your test system.


> I've now worked at several organizations where sensitive information was stored on air-gapped networks.

Then you won't be processing email on machines on those networks.


No, that is not common.


It is common in the sense that it's done frequently enough that we don't need to reinvent it. Most orgs don't want that level of security & inconvenience. FWIW I personally have never encountered it.


This is kinda ridiculous. You first need the email client to have a bug which enables some kind of cross-site scripting just rendering an email, then a sandbox bug for a webpage to leak into the underlying system, and THEN a bug for the VM to escape to the parent OS.

At that point, I think it's as likely that your airgapped email laptop can hack into your work machine through local network exploits.

If you think a hacker is going to manage all that, you might as well assume that the hacker can trick Gmail into opening the email for you. There's a point at which we have to realistically assume that some layer of security works, and go about our lives.


> airgapped...local network exploits.

I'm curious what definition of airgap you're using?


Like other words whose scope has expanded meaning (e.g., serverless, drone), airgap can simply mean segregated network and not just completely unplugged.

AWS uses it this way: https://aws.amazon.com/blogs/publicsector/announcing-the-new...


1. Nothing about that post says it's just network layer segmentation. C2S is its own region, with multiple AZs (data centers). Why would you believe those are collocated with commercial AWS and not, as they write, air-gapped?

2. Please don't contribute to giving marketing license to remove what little meaning words still have.


The wrong one, I suspect. An airgapped machine is a term reserved for a PC never connected to the internet, hence the gap. Usually for extreme security concerns like managing a paper crypto wallet or grid infrastructure.


Yeah, I should have just said standalone in this case.


You are confusing executing untrusted code in a VM with opening something in a browser in a VM - would really need to be a double VM escape.


Clearly your threat model adversary is Mossad.


It is a paranoid stance. But if you are a developer in a large company, think about how likely it is that your computer has (direct or not) access to data/funds worth more than $100k to someone, and what kind of exploits that money can buy.



