
posted by cmn32480 on Wednesday August 10 2016, @09:03AM
from the interesting-reads dept.

Desktop / Laptop privacy & security of web browsers on Linux part 1: concepts and theory

Web browsers today are everywhere, and they are a huge pile of shit code, full of shiny things that hide sometimes bad surprises, but, despite this fact, you want to use it daily cause of too many things today depend on you to visit a web site often requiring you[r] latest web technologies.

Even if many vendor[s] today take browser security seriously, the fast evolution of web standards make [it] very hard to care about that on such big projects, and almost everyday in the wild appear a new method to fuck poor users using the web as a vector of evil code, using both browser vulnerability or user stupidity innocence.

There is no 100% security, if anyone tell[s] you he has the panacea of all evil things and can show you how to be 100% protected online, it's a liar, no exception. Despite that, something can be done to be at least a little bit more secure and block the most common attack vectors, with a cost in terms of usability that is really cheap.


Desktop / Laptop privacy & security of web browsers on Linux part 2: firejail based sandboxes

There are many tools in the wild to build the sandboxes using the features explained, some more user friendly, others more complex, some more complete, others more specific to one or a few features.

After some tests and with the help of many friends from the Veteran Unix Admins group on Facebook, the primary tool I've chosen to use is firejail.

Firejail is a great utility aiming to build sandboxes and it matches our needs almost perfectly. With just a little bit of shell scripting, a little patch I have sent to firejail and a couple of other tools supported by firejail itself, we have all that is needed for our architecture.


  • (Score: 1, Interesting) by Anonymous Coward on Thursday August 11 2016, @03:53AM (#386501)

    I don't quite understand the difference between -X and -Y. The man page mentions trustedness and X11 Security, but that plus my Googlefoo isn't coming up with a real explanation or why one should be chosen over the other. Based on what I've read, it seems -Y is less secure but more likely to work with programs, but I don't get why. Seems to be some sort of vim vs emacs holy war over the options and security of X11.

  • (Score: 1, Informative) by Anonymous Coward on Thursday August 11 2016, @07:40AM (#386542)

    With -X, ssh uses the X11 Security Extension, which is a form of X11 sandboxing. A program running through the X11 Security Extension can only snoop on windows using the same "magic cookie", and each separate connection will use a different cookie, and all of them different than the one used locally.

    When using -Y, the remote software is able to do the exact same things as a program running locally.

  • (Score: 1) by lcall (4611) on Thursday August 11 2016, @01:43PM (#386585)

    Also, with -X, the apps can still copy/paste among each others' clipboards, but apparently not see each others' keystrokes or screen content. With -Y they can see all of those things. I believe there are ways to set specific permissions up with more granularity in between (or without) -X and -Y. (Corrections welcome.)
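
As an added example (not part of the thread or the article): `-X` and `-Y` correspond to the OpenSSH client options `ForwardX11` and `ForwardX11Trusted`, so a client's effective configuration decides whether plain `-X` really gets the restricted mode discussed above. The function names and the sample `ssh -G` output below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Input: lines in the "keyword value"
# form that `ssh -G <host>` prints for the effective client configuration.

# Mode the configuration itself requests, with no -X/-Y on the command line:
#   off | untrusted | trusted
x11_forward_mode() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "forwardx11"        { fwd = val }
        key == "forwardx11trusted" { trusted = val }
        END {
            if (fwd != "yes")          print "off"
            else if (trusted == "yes") print "trusted"
            else                       print "untrusted"
        }'
}

# What plain -X would give on this client: -X only switches forwarding on,
# ForwardX11Trusted decides whether Security Extension limits apply.
dash_x_effect() {
    awk '
        tolower($1) == "forwardx11trusted" { trusted = tolower($2) }
        END { print ((trusted == "yes") ? "trusted" : "untrusted") }'
}

# Constructed samples of ssh -G output (hypothetical host name).
sample_upstream() {
    printf '%s\n' 'hostname app.example.invalid' \
        'forwardx11 no' 'forwardx11trusted no' 'forwardx11timeout 1200'
}
sample_trusted_default() {
    printf '%s\n' 'hostname app.example.invalid' \
        'forwardx11 no' 'forwardx11trusted yes' 'forwardx11timeout 1200'
}
sample_forced_y() {
    printf '%s\n' 'hostname app.example.invalid' \
        'forwardx11 yes' 'forwardx11trusted yes' 'forwardx11timeout 1200'
}

for s in sample_upstream sample_trusted_default sample_forced_y; do
    printf '%s: config=%s, -X would be %s\n' "$s" \
        "$("$s" | x11_forward_mode)" "$("$s" | dash_x_effect)"
done
# Real use: ssh -G somehost | dash_x_effect
```

If `dash_x_effect` reports `trusted`, setting `ForwardX11Trusted no` for that host in the client configuration restores the restricted behaviour for `-X`.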