Desktop / Laptop privacy & security of web browsers on Linux part 1: concepts and theory
Web browsers today are everywhere, and they are a huge pile of shitcode, full of shiny things that sometimes hide bad surprises, but, despite this fact, you want to use them daily because too many things today require you to visit a web site, often one that demands the latest web technologies. Even if many vendors today take browser security seriously, the fast evolution of web standards makes it very hard to care about that on such big projects, and almost every day a new method appears in the wild to fuck poor users using the web as a vector for evil code, exploiting either a browser vulnerability or user innocence.
There is no 100% security: if anyone tells you he has the panacea for all evil things and can show you how to be 100% protected online, he's a liar, no exception. Despite that, something can be done to be at least a little bit more secure and block the most common attack vectors, at a cost in usability that is really cheap.
[Continues...]
There are many tools in the wild to build the sandboxes using the features explained, some more user friendly, other more complex, some more complete, other more specific to one or few features.
After some tests and with the help of many friends from the Veteran Unix Admins group on facebook, the primary tool I've chosen to use is firejail.
Firejail is a great utility aiming to build sandboxes, and it matches our needs almost perfectly. With just a little bit of shell scripting, a little patch I have sent to firejail and a couple of other tools supported by firejail itself, we have all that is needed for our architecture.
(Score: 1, Informative) by Anonymous Coward on Wednesday August 10 2016, @09:20AM
https://firejail.wordpress.com/ [wordpress.com]
(Score: 5, Interesting) by boltronics on Wednesday August 10 2016, @10:08AM
I've been running Firejail for almost all my desktop apps that connect to the Internet, for just over a year now. My web browser, XMPP client, ownCloud client, mail client, Steam, Scudcloud, etc. I too have a set of shell scripts to manage it all, which I intend to publish and explain when I get some free time... but it's working quite nicely. It's not perfect, but it's pretty good and all major bugs have been addressed by now. You do need to keep in mind its limitations.
For example, if I have Thunderbird in one jail, and want to click on a link in an e-mail to have it open in Firefox, and I have the firefox command configured to run in a firejail, Firefox won't open correctly or at all (depending on the way the jails have been configured) - because firejail requires elevated privileges (it runs suid) to do its thing, and jails generally aren't permitted to elevate privileges. However if I start Firefox first (so it's already running in its own jail) and then click the link in Thunderbird, it will detect the Firefox process is already running and open the link successfully.
There is a bug in the current Debian Stretch packages, where it will add slashes to ampersand characters in links, causing broken URLs. A work-around is to copy the link and paste it into a browser. This bug has been fixed upstream for a while now though.
One thing I really like is using firejail with Steam, where I have a unique directory that Steam thinks is my actual home directory. Then I can easily see and keep track of all the random file locations various games try to sprinkle around my home directory.
I also have firejail environments created for various pieces of untrusted code. E.g. I have pythonjail configured to bring up a Bash shell with a remapped home directory and limited privileges so packages installed via pip can't do too much damage. Same with ruby for rbenv, nodejs for npm, etc. I don't like to put more trust in code from those kinds of repositories than absolutely necessary.
It's GNU/Linux dammit!
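The per-app home directory and the "jails can't elevate privileges" behaviour described in the post above, as an added example (this is not boltronics' unpublished script set and not firejail's own code). It assumes firejail is installed and that `$JAIL_HOME_BASE` (a path chosen here, default `~/.jails`) is where the private homes live; the flags used (`--private`, `--noroot`, `--nonewprivs`, `--caps.drop=all`, `--seccomp`, `--private-tmp`, `--private-dev`, `--net=none`) are real firejail options. `--nonewprivs` is the one that makes a setuid binary such as firejail itself unable to regain privileges inside the jail, which is exactly why a jailed Thunderbird cannot start a second firejail for Firefox:

```bash
#!/bin/bash
# Added example: build (and optionally run) a firejail command line that
# gives an application its own fake home directory and no way back up
# to root. Not part of the original post; assumes firejail is installed.

JAIL_HOME_BASE="${JAIL_HOME_BASE:-$HOME/.jails}"   # assumed location of the private homes

# jail_args NAME [--nonet] -- PROGRAM [ARGS...]
# Fills the global array JAIL_ARGS with the firejail invocation.
jail_args() {
    local name="$1"; shift
    JAIL_ARGS=(firejail
        "--private=$JAIL_HOME_BASE/$name"   # app sees this dir as $HOME (Steam trick)
        --noroot                            # no root user inside the jail's user namespace
        --nonewprivs                        # setuid binaries (firejail included) cannot elevate
        --caps.drop=all                     # drop every Linux capability
        --seccomp                           # firejail's default syscall blacklist
        --private-tmp                       # fresh /tmp, hides X sockets of other users
        --private-dev)                      # minimal /dev
    if [ "${1:-}" = "--nonet" ]; then       # e.g. for a pip/npm install shell
        JAIL_ARGS+=(--net=none)
        shift
    fi
    [ "${1:-}" = "--" ] && shift
    JAIL_ARGS+=(-- "$@")
}

# jail_cmd NAME [--nonet] -- PROGRAM [ARGS...]
# Prints the command line on one line so it can be inspected or logged.
jail_cmd() {
    jail_args "$@"
    printf '%s\n' "${JAIL_ARGS[*]}"
}

# run_jailed NAME [--nonet] -- PROGRAM [ARGS...]
# Creates the private home if needed and execs firejail.
run_jailed() {
    local name="$1"
    mkdir -p "$JAIL_HOME_BASE/$name"
    jail_args "$@"
    exec "${JAIL_ARGS[@]}"
}

# Stand-alone run: only print what would be executed.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    jail_cmd firefox -- firefox
    jail_cmd steam -- steam
    jail_cmd pythonjail --nonet -- bash    # offline shell for untrusted pip packages
fi
```

To actually launch something, call `run_jailed firefox -- firefox` from a wrapper script placed earlier in `$PATH` than the real binary; keep in mind (as the post says) that such a wrapper will fail when invoked from inside another jail, so start the browser first from an unjailed shell or desktop launcher.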
(Score: 1, Insightful) by Anonymous Coward on Wednesday August 10 2016, @10:52AM
Same with ruby for rbenv, nodejs for npm, etc. I don't like to put more trust in code from those kind of repositories than absolutely necessary.
Don't worry. Almost all software distribution out there is done with very very little security. Sure, you have Debian and others signing their archives, but what good is signing if upstreams don't care about that? Almost all upstreams don't sign their software releases, and that is a more educated crowd than most users.
(Score: 2) by boltronics on Wednesday August 10 2016, @11:43PM
At the very least, most distribution package managers record a checksum of the original upstream code. You can at least gain some confidence you haven't been targeted specifically. I also have greater trust in most distributions having a package manager that is effective at thwarting MITM attacks.
Incidentally, that's why I've never used Arch GNU/Linux. I know package security was not a priority for them for a long time.
It's GNU/Linux dammit!
(Score: 2) by opinionated_science on Wednesday August 10 2016, @12:51PM
yes, I was introduced to this a year or so ago - it would be nice to have a setup profile tool of usage - common things etc... Currently I use the firefox/chromium etc... profiles to keep different uses apart, although I would like to have the extra layer of OS in case the browser bugs become more invasive....
(Score: 0) by Anonymous Coward on Wednesday August 10 2016, @01:11PM
Can you (easily) use firejail to run a different vpn in each jail? So, for example, all my firefox traffic goes through one vpn while all my thunderbird traffic goes through a different vpn?
(Score: 1) by WillR on Wednesday August 10 2016, @08:37PM
(Score: 0, Offtopic) by anubi on Wednesday August 10 2016, @10:38AM
One word will fix this. Accountability.
When the RIAA saw their ox being gored, they lobbied Congress for accountability, so they could address the problem directly with legal means.
Our ox is being gored, and we have yet to demand Congress pass law for us as well.
This whole mess would have best been done as part of the DMCA, as each denial of accepting responsibility could have been countered with a denial of enforceability. Its easier to get agreement with the rightsholders if they haven't got what they wanted yet.
They got what they wanted. We didn't.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
(Score: 0) by Anonymous Coward on Wednesday August 10 2016, @10:54AM
One word will fix this. Accountability.
So when will gun manufacturers be liable for gun deaths? Or even car manufacturers for car collision deaths?
If your solution is "no software, no security problem" then I have you found it.
(Score: 0) by Anonymous Coward on Wednesday August 10 2016, @01:32PM
When will microsoft be liable for Ribbon Rage?
Right.
(Score: 3, Funny) by darkfeline on Wednesday August 10 2016, @03:46PM
More like, when will car manufacturers be liable when your car randomly explodes? They already are.
If the automobile had followed the same development cycle as the computer, a Rolls-Royce would today cost $100, get a million miles per gallon, and explode once a year, killing everyone inside.
-- Robert X. Cringely
Join the SDF Public Access UNIX System today!
(Score: 2) by jmorris on Wednesday August 10 2016, @04:30PM
So when will gun manufacturers be liable for gun deaths?
If your gun malfunctions and causes death or serious injury you can sue. Congress only stopped the stupid notion of suing the manufacturer of a lawful product when it is used by a criminal but otherwise performs exactly as designed.
Or even car manufacturers for car collision deaths?
Do you get TV in your world? Car manufacturers are constantly being sued, settling and issuing recalls to correct defects in cars. But like guns, when they are operating as designed and operator error causes death they aren't liable.
Logic isn't your strong suit I gather? Perhaps a knowledge of this lack is why you lack the confidence to use an account?
Now let us apply your notion properly. When Microsoft has been aware of a security impacting bug for longer than a year and an exploit causes massive economic damage they should be liable. They specifically state their software is not to be used in life critical applications so a death would fall squarely on the consultant that misused it for such a purpose.
Meanwhile, someone suffering a loss due to the Linux kernel gets nothing because it was licensed under the GNU GPL (Version 2) which disclaims all warranties. If you used it for something and lost, you lost. RHEL has very specific contractual (not a EULA with dubious legality) obligations, consult your attorney if you suffer a loss on a RHEL system, but you are probably hosed there too. This should not be a viable business model though, selling a supported product should include liability and as soon as customers begin to demand it the vendors will up their game and worry about security instead of pushing an endless stream of rewrites and new shiny.
(Score: 2) by bob_super on Wednesday August 10 2016, @10:47PM
> Congress only stopped the stupid notion of suing the manufacturer of a lawful product when it is used by a criminal but otherwise performs exactly as designed.
I'll sue for that. You can't grow up in an environment where Bad Guys Can't Shoot, only to find out, at the worst possible time, that some insane manufacturer thought it was a problem worth solving.
(Score: 3, Informative) by rob_on_earth on Wednesday August 10 2016, @10:58AM
For the last couple of weeks I have been doing all my web browsing in a VM that at the end of the session I just close and restore to the previous snapshot.
Although there is VM escape code, keeping the VirtualBox up to date seems to be a more secure method than trying to patch browsers, plugins, blacklists etc.
Most reports indicate that malware that detects VM environments will actively shutdown to avoid detection.
(Score: 2) by bzipitidoo on Wednesday August 10 2016, @01:50PM
I sometimes su to a user account I created expressly for browsing dubious websites. Maybe not as secure, but a lot lighter than running a VM.
(Score: 1) by driven on Thursday August 11 2016, @05:10PM
Have a look at Running GUI apps with Docker [fabiorehm.com] to run Firefox or whatever browser inside a Docker container. Destroy the container when your browser session is done. Should be able to run as many containers as you want, too.
(Score: 0) by Anonymous Coward on Wednesday August 10 2016, @04:27PM
Can you run virtualbox rootless?
By that I mean have the application's windows appear like native apps in the x server rather than run in a pseudo-desktop window?
(Score: 2) by butthurt on Thursday August 11 2016, @01:13AM
If you can get these possibly outdated instructions to running virtualbox in windowless/headless mode to work:
http://www.thatsgeeky.com/2012/03/windowless-virtualbox-vms-windows-host/ [thatsgeeky.com]
then set up a host-only network interface on your VM, have sshd listen on that interface, and connect to that with ssh -X from your host, it should do what you have in mind.
(Score: 2) by frojack on Thursday August 11 2016, @01:39AM
Late versions of Virtualbox run headless with no drama. (at least in linux)
VBoxManage startvm "VM name" --type headless
I prefer to talk to mine with vnc, as it at least pretends to be secure.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Thursday August 11 2016, @01:38AM
It takes some work, but you can do this: https://www.virtualbox.org/manual/ch04.html#seamlesswindows [virtualbox.org] VMWare and most others have a similar, but differently named, feature.
(Score: 1, Interesting) by Anonymous Coward on Wednesday August 10 2016, @04:17PM
I've been using "ssh -X" (and sometimes -Y, but judiciously) with keys set up from a console screen (so X doesn't allow apps to capture the passphrases), to have different accounts open apps on the same desktop, then I separate browsing and other activities by account based on how secure they need to be. Or for some things I open X in a separate console window (e.g., Ctrl+Alt+F2, then log in as a user with less security needs for general browsing/news etc, and type startx, on debian, and switch back among consoles with Ctrl+Alt+F7 etc). So privilege escalation and X security becomes the main worry. This has some minor glitches but overall works well for me.
But OpenBSD has pledge, which restricts binaries to known-allowed operations, and has been applied to chromium:
http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/pledge.2 [openbsd.org]
http://undeadly.org/cgi?action=article&sid=20160107075227 [undeadly.org]
...which combined with OpenBSD's kernel security (low likelihood of privilege escalation) seems like a good solution also. I used it as my desktop for a while.
(Score: 1, Interesting) by Anonymous Coward on Thursday August 11 2016, @03:53AM
I don't quite understand the difference between -X and -Y. The man page mentions trustedness and X11 Security, but that plus my Googlefoo isn't coming up with a real explanation or why one should be chosen over the other. Based on what I've read, it seems -Y is less secure but more likely to work with programs, but I don't get why. Seems to be some sort of vim vs emacs holy war over the options and security of X11.
(Score: 1, Informative) by Anonymous Coward on Thursday August 11 2016, @07:40AM
With -X, ssh uses the X11 Security Extension, which is a form of X11 sandboxing. A program running through the X11 Security Extension can only snoop on windows using the same "magic cookie", and each separate connection will use a different cookie, and all of them different than the one used locally.
When using -Y, the remote software is able to do the exact same things as a program running locally.
(Score: 1) by lcall on Thursday August 11 2016, @01:43PM
Also, with -X, the apps can still copy/paste among each others' clipboards, but apparently not see each others' keystrokes or screen content. With -Y they can see all of those things. I believe there are ways to set specific permissions up with more granularity in between (or without) -X and -Y. (Corrections welcome.)
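The -X versus -Y distinction in the three posts above maps onto two ssh_config keywords: -X is `ForwardX11 yes` (untrusted, the client gets a SECURITY-extension cookie) and -Y is `ForwardX11Trusted yes` (full access, like a local client). This added example, not from any of the posters, parses a constructed ssh_config excerpt the way ssh does (first obtained value per keyword wins, so the first matching `Host` block takes precedence) and reports which mode a given host would get. The sample config and host names are made up; one caveat it encodes is that some distributions ship `ForwardX11Trusted yes` in the system-wide `/etc/ssh/ssh_config`, so "I only passed -X" may still mean trusted forwarding until you check:

```bash
#!/bin/bash
# Added example: which X11 forwarding mode does a host get from ssh_config?
# Not part of the original thread. Constructed sample, not a real config.

SAMPLE_CONFIG='# constructed sample ~/.ssh/config
Host news-browser
    ForwardX11 yes
    ForwardX11Trusted no

Host banking-box
    ForwardX11 no

Host *
    ForwardX11 yes
    ForwardX11Trusted yes
'

# x11_mode HOST [CONFIG_TEXT]
# Prints one of: none | untrusted | trusted
#   untrusted == what "ssh -X" gives (X11 SECURITY extension cookie)
#   trusted   == what "ssh -Y" gives (same rights as a local client)
# Like ssh, the first value obtained for a keyword is kept, so the order
# of Host blocks matters and "Host *" belongs last.
x11_mode() {
    local host="$1" config="${2:-$SAMPLE_CONFIG}"
    local fwd="" trusted="" in_match=0 key val pat pats
    while read -r key val; do
        case "$key" in
            ''|'#'*) continue ;;
            Host)
                in_match=0
                read -ra pats <<<"$val"               # quoted: no filename globbing
                for pat in "${pats[@]}"; do
                    case "$host" in $pat) in_match=1 ;; esac   # glob match against host
                done ;;
            ForwardX11)
                [ "$in_match" = 1 ] && [ -z "$fwd" ] && fwd="$val" ;;
            ForwardX11Trusted)
                [ "$in_match" = 1 ] && [ -z "$trusted" ] && trusted="$val" ;;
        esac
    done <<<"$config"
    # Unset keywords are treated as "no" here; check /etc/ssh/ssh_config on
    # your distribution, because it may set ForwardX11Trusted yes globally.
    if [ "$fwd" != yes ]; then
        echo none
    elif [ "$trusted" = yes ]; then
        echo trusted
    else
        echo untrusted
    fi
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    for h in news-browser banking-box some-other-host; do
        printf '%-16s %s\n' "$h" "$(x11_mode "$h")"
    done
fi
```

For the posts' use case (a less-trusted account browsing news on the same desktop), the `news-browser` pattern is the one to copy: forwarding on, trusted off, so that client can neither read other windows nor sniff keystrokes, while the catch-all block shows how a permissive default quietly upgrades every other host to trusted.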
(Score: 0) by Anonymous Coward on Thursday August 11 2016, @01:32PM
I forgot to mention that I also, on every system, set the default umask in /etc/profile to 0077, so that each user's files aren't world-readable by default.
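What `umask 0077` actually does to newly created files, plus a simple scan of a profile snippet for the umask it sets, as an added example (not the poster's own configuration; the profile excerpt below is constructed). The arithmetic is the kernel's rule, requested mode AND NOT umask, with the usual 0666 request for files and 0777 for directories:

```bash
#!/bin/bash
# Added example: effect of a umask on new files/directories and a check
# of a profile file for the umask line. Not part of the original post.

# effective_mode UMASK file|dir  -> prints the resulting mode, e.g. 0600
effective_mode() {
    local mask="$1" kind="$2" base
    case "$kind" in
        file) base=0666 ;;   # open(2)/creat(2) typically request rw-rw-rw-
        dir)  base=0777 ;;   # mkdir(2) typically requests rwxrwxrwx
        *) echo "usage: effective_mode UMASK file|dir" >&2; return 2 ;;
    esac
    # leading 0 makes bash treat the values as octal
    printf '%04o\n' $(( base & ~mask ))
}

# umask_is_private UMASK -> true if group and other bits are all masked off
umask_is_private() {
    [ $(( $1 & 0077 )) -eq $(( 0077 )) ]
}

# last_umask_in <stdin> -> last "umask VALUE" seen in a profile snippet,
# or "unset". A plain line scan: it does not evaluate if/else branches.
last_umask_in() {
    local line val="unset"
    while IFS= read -r line; do
        line="${line%%#*}"           # strip trailing comments
        set -f; set -- $line; set +f # split into words without globbing
        [ "${1:-}" = umask ] && [ -n "${2:-}" ] && val="$2"
    done
    echo "$val"
}

SAMPLE_PROFILE='# constructed /etc/profile excerpt
if [ "$(id -u)" -eq 0 ]; then
    umask 022
else
    umask 0077   # per-user files private by default
fi
'

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    echo "profile sets umask: $(last_umask_in <<<"$SAMPLE_PROFILE")"
    for m in 0022 0077; do
        printf 'umask %s: file -> %s  dir -> %s  private: %s\n' "$m" \
            "$(effective_mode "$m" file)" "$(effective_mode "$m" dir)" \
            "$(umask_is_private "$m" && echo yes || echo no)"
    done
fi
```

Two things to verify after changing `/etc/profile`: graphical sessions started by a display manager may not source it at all, so run `umask` in a terminal opened from the desktop to confirm, and a umask only governs defaults, so files an application explicitly chmods (or that already exist) are unaffected.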