
Re: chroot (sandbox) your browser?

Posted: Thu May 21, 2015 9:54 am
by kode-niner
Hey guys, sorry for letting this one slide. Browser security is still a very important topic for me. It should be to you as well, especially if you're running an OS that allows you to sudo everything without a password, but I'll leave that topic for another thread. So far I've tried a few things.

Making a full chroot OS is possibly the safest but it comes with a few caveats. Everything you do in that browser is stuck in the chroot, including uploading and downloading files. There are ways to work around this but it gets messy. I'd use this only if I were really paranoid about visiting dangerous sites, like for testing and forensics. It's also a pain to set up and use.

Sandfox is described as the poor man's sandbox and seemed promising at first. However it seemed buggy and sometimes it would crash or not work at all. With a bit more research I'm sure I would have managed to get it right, but I gave up. It might actually work much better on other distributions without modifying the script. I still think this might be worth a second look.

Firejail seems like a decent compromise between ease of use and a full chroot jail. This is what I'm running now. It's also on Debian repositories so it's as easy as running apt-get install firejail and running firejail firefox or firejail google-chrome from the command line to get decent security. It only causes problems with certain Firefox extensions that rely on external programs to work, like Video Downloader conversion utilities or Open in Chrome.

Re: chroot (sandbox) your browser?

Posted: Thu May 21, 2015 11:28 am
by UNCNDL1
I started reading your link about FireJail, and am going to try the debian version on a trusty toughbook when I get home, using LMDE 2 Betsy. I found another interesting link at the end of your source, that lists an interesting independent distribution built from scratch:
• Void Linux, a rolling-release Linux distribution built from scratch, with its own packet manager and runit init system also includes Firejail, http://www.voidlinux.eu/
More things to dabble into and try....Thanks :doh:

Re: chroot (sandbox) your browser?

Posted: Thu May 21, 2015 11:59 am
by kode-niner
UNCNDL1 wrote: More things to dabble into and try....Thanks :doh:
Let me know how that works out. Looks interesting indeed!




Anybody ever think about using a user-agent override? In web browsers, the User Agent string is a bit of text that your browser reports to servers that it visits to let it know about your browser application and OS. To see what I mean, visit this link: http://whatsmyuseragent.com/

This is useful for web sites to check your browser version and capabilities in order to serve you content that works better for your platform, such as automatically showing an optimized version of a website for mobile devices. It also lets malicious web sites know how to better infect your computer or track you.

Some Firefox extensions allow you to change this string to fool sites into thinking you're something else entirely. My latest thing is to run one of these extensions on my Linux browsers to make them think I'm actually running Windows. 8)

Re: chroot (sandbox) your browser?

Posted: Fri Aug 07, 2015 8:39 am
by kode-niner
This is exactly the reason why sandboxing your browser is of utmost importance.
Firefox users have been urged to update to browser version 39.0.3, following the discovery of a vulnerability which allows an attacker to read and steal sensitive local files on the victim's computer via the browser's PDF reader.
According to Mozilla:

On Windows the exploit looked for subversion, s3browser, and Filezilla configurations files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients.
On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts.
More here:
http://www.theregister.co.uk/2015/08/07 ... n_exploit/
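
An added example, not part of the posts above: a read-only audit that lists which files under a directory match the Linux targets in the Mozilla quote, so the same check can be run from a normal shell and from a shell started inside the sandbox to compare what a browser process could read. The function names, the depth limit and treating "text files" as `*.txt` are assumptions; the Remmina, Filezilla and Psi+ configuration files are left out because the thread gives no paths for them.

```shell
#!/bin/sh
# Read-only audit: print paths (never contents) of files under a directory
# that match the Linux targets in the Mozilla quote above.

exposed_files() {
    dir="${1:-$HOME}"
    # -maxdepth 4 is an assumption to keep the scan short.
    # "Text files" is taken to mean *.txt, also an assumption.
    find "$dir" -maxdepth 4 -type f \( \
            -name .bash_history -o -name .mysql_history \
            -o -name .pgsql_history -o -path '*/.ssh/*' \
            -o -iname '*pass*.txt' -o -iname '*access*.txt' \
            -o -name '*.sh' \) 2>/dev/null |
    while IFS= read -r f; do
        # Report only what this process can actually read.
        [ -r "$f" ] && printf '%s\n' "$f"
    done | sort
}

# Number of matching, readable files under the directory.
exposed_count() {
    exposed_files "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (empty files, not real data) for a dry run.
make_sample_home() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/.ssh" "$d/Documents" "$d/bin"
    : > "$d/.bash_history"
    : > "$d/.ssh/id_rsa"
    : > "$d/.ssh/config"
    : > "$d/Documents/passwords.txt"
    : > "$d/Documents/notes.txt"
    : > "$d/bin/backup.sh"
    printf '%s\n' "$d"
}

# Usage: sh audit.sh /path/to/home
if [ -n "${1:-}" ]; then
    exposed_files "$1"
fi
```

An empty result inside the sandbox and a non-empty one outside it means the sandbox is hiding those files from the browser.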