Hi everybody. I don't want to start a holy war, but what do you consider the most secure web browser for a laptop/desktop OS? Academic replies are also welcome. zatím /mario
Netcat. On 14.3.2014 00:14, Mario Lombardo wrote:
Hi everybody. I don't want to start a holy war, but what do you consider the most secure web browser for a laptop/desktop OS? Academic replies are also welcome. zatím /mario
Brmlab mailing list Brmlab@brmlab.cz http://brmlab.cz/cgi-bin/mailman/listinfo/brmlab
Hey!
<snark>
Tell me more about your usecase. One can get pretty far, by installing chromium on the raspberri pi, setting the "read only" physical switch on your SD card to true, connecting to the PI via VNC, and rebooting the pi on every page refresh. If you want to do "tabbed browsing" you can have a stack of 5 or six Pi's on your desk, with one Pi per tab. How secure do you need?
</snark>
Joking aside, chromium has a security model of putting each tab in it's own user namespace. This should be pretty secure, though privilege escalation attacks on Linux are far from unheard of. Firefox, on the other hand, has many more security options in terms of "limiting attack surfaces". On firefox you can "lock the browser down" by dissabling scripts, images, multimedia, ect.
<snark> Other good browsers, for the extremely paranoid, are the text based ones. This comes from the ease with which one can do a practical version of my previous Raspberi pi stacking joke, throw links or elinks(both browsers of Czech heritage) into a VM running something light like busybox, and ssh in to browse the web. Make sure your VMs are stateless(the same as having that physical read only switch turned on on the raspberry pi) and that you restart them every couple of minutes while web browsing. These text based browsers have an advantage, for us brmlab members. If you choose to use, say elinks, then you can personally go and beat the shit out of pasky if you find a security flaw in it. This should motivate him to ensure high coding standards, and not to waste time doing useless biolab research and other time-wasters like sleeping.
While we're dealing with security, we have yet to discuss such security methods as proxies and tor. Of course you don't want an attacker to gain access to your system. One of the greatest threats is physical access. If the police come to your house, break down your door, and steal your laptop they may be able to access your bank account information. To limit these risks, of course encrypted memory, and writing nothing to disk can help. I like to make it an integral part of my houses alarm system, that if the door is opened unexpectedly, my computer restarts, thus ensuring all my data (which is held in an encrypted ram disk, is safely lost). However, there is still risk. So in order to escape that risk, we use TOR and other services. My recommendation is to not use TOR directly but through several layers of proxy.
</snark>
Timothy
---------- Původní zpráva ---------- Od: Mario Lombardo mario@alienscience.com Komu: Brmlab: Hackerspace Prague (main discussion) brmlab@brmlab.cz Datum: 14. 3. 2014 0:14:30 Předmět: [Brmlab] most secure web browser for a laptop/desktop computer
"Hi everybody. I don't want to start a holy war, but what do you consider the most secure web browser for a laptop/desktop OS? Academic replies are also welcome. zatím /mario
_______________________________________________ Brmlab mailing list Brmlab@brmlab.cz http://brmlab.cz/cgi-bin/mailman/listinfo/brmlab"
Hi, you can actually run the browser in virtual machine. No need for complicated setup, liveCD should be fine. If you would like to configure it deeply, install the virtual system and make a clear ready-to-use snapshot.
The network communication can be even obfuscated by proxies/TOR as needed without any knowledge/influence of the hosting system.
sachy
---------- Původní zpráva ---------- Od: timothyhobbs@seznam.cz Komu: Brmlab: Hackerspace Prague (main discussion) brmlab@brmlab.cz Datum: 14. 3. 2014 9:44:03 Předmět: Re: [Brmlab] most secure web browser for a laptop/desktop computer
" Hey!
<snark>
Tell me more about your usecase. One can get pretty far, by installing chromium on the raspberri pi, setting the "read only" physical switch on your SD card to true, connecting to the PI via VNC, and rebooting the pi on every page refresh. If you want to do "tabbed browsing" you can have a stack of 5 or six Pi's on your desk, with one Pi per tab. How secure do you need?
</snark>
Joking aside, chromium has a security model of putting each tab in it's own user namespace. This should be pretty secure, though privilege escalation attacks on Linux are far from unheard of. Firefox, on the other hand, has many more security options in terms of "limiting attack surfaces". On firefox you can "lock the browser down" by dissabling scripts, images, multimedia, ect.
<snark> Other good browsers, for the extremely paranoid, are the text based ones. This comes from the ease with which one can do a practical version of my previous Raspberi pi stacking joke, throw links or elinks(both browsers of Czech heritage) into a VM running something light like busybox, and ssh in to browse the web. Make sure your VMs are stateless(the same as having that physical read only switch turned on on the raspberry pi) and that you restart them every couple of minutes while web browsing. These text based browsers have an advantage, for us brmlab members. If you choose to use, say elinks, then you can personally go and beat the shit out of pasky if you find a security flaw in it. This should motivate him to ensure high coding standards, and not to waste time doing useless biolab research and other time-wasters like sleeping.
While we're dealing with security, we have yet to discuss such security methods as proxies and tor. Of course you don't want an attacker to gain access to your system. One of the greatest threats is physical access. If the police come to your house, break down your door, and steal your laptop they may be able to access your bank account information. To limit these risks, of course encrypted memory, and writing nothing to disk can help. I like to make it an integral part of my houses alarm system, that if the door is opened unexpectedly, my computer restarts, thus ensuring all my data (which is held in an encrypted ram disk, is safely lost). However, there is still risk. So in order to escape that risk, we use TOR and other services. My recommendation is to not use TOR directly but through several layers of proxy.
</snark>
Timothy
---------- Původní zpráva ---------- Od: Mario Lombardo mario@alienscience.com Komu: Brmlab: Hackerspace Prague (main discussion) brmlab@brmlab.cz Datum: 14. 3. 2014 0:14:30 Předmět: [Brmlab] most secure web browser for a laptop/desktop computer
"Hi everybody. I don't want to start a holy war, but what do you consider the most secure web browser for a laptop/desktop OS? Academic replies are also welcome. zatím /mario
_______________________________________________ Brmlab mailing list Brmlab@brmlab.cz http://brmlab.cz/cgi-bin/mailman/listinfo/brmlab" _______________________________________________ Brmlab mailing list Brmlab@brmlab.cz http://brmlab.cz/cgi-bin/mailman/listinfo/brmlab"
Wow! Impressive discussion, everybody. Thanks! I had no idea links and elinks were children of the CZ. And elinks grown in our very own lab a-la pasky?? Sweet! :)
So Tom, when you refer to Chromium, you are not referring to Google's Chrome, rather the FOSS browser?
My usecase isn't so high-profile although it probably should be mine and everyone's regular practice like using GPG. I've just read some security reviews, and I'm becoming increasingly tired of Google, Inc. That's what started my inquiry. I'm interested in hearing more. I'm going to check out netcat as mrkva mentioned to see how far I can get with it.
/mario
On 14 Mar 14, at 10:19, sachy@lainspira.net sachy@lainspira.net wrote:
Hi, you can actually run the browser in virtual machine. No need for complicated setup, liveCD should be fine. If you would like to configure it deeply, install the virtual system and make a clear ready-to-use snapshot.
The network communication can be even obfuscated by proxies/TOR as needed without any knowledge/influence of the hosting system.
sachy
---------- Původní zpráva ---------- Od: timothyhobbs@seznam.cz Komu: Brmlab: Hackerspace Prague (main discussion) brmlab@brmlab.cz Datum: 14. 3. 2014 9:44:03 Předmět: Re: [Brmlab] most secure web browser for a laptop/desktop computer
Hey!
<snark>
Tell me more about your usecase. One can get pretty far, by installing chromium on the raspberri pi, setting the "read only" physical switch on your SD card to true, connecting to the PI via VNC, and rebooting the pi on every page refresh. If you want to do "tabbed browsing" you can have a stack of 5 or six Pi's on your desk, with one Pi per tab. How secure do you need?
</snark>
Joking aside, chromium has a security model of putting each tab in it's own user namespace. This should be pretty secure, though privilege escalation attacks on Linux are far from unheard of. Firefox, on the other hand, has many more security options in terms of "limiting attack surfaces". On firefox you can "lock the browser down" by dissabling scripts, images, multimedia, ect.
<snark> Other good browsers, for the extremely paranoid, are the text based ones. This comes from the ease with which one can do a practical version of my previous Raspberi pi stacking joke, throw links or elinks(both browsers of Czech heritage) into a VM running something light like busybox, and ssh in to browse the web. Make sure your VMs are stateless(the same as having that physical read only switch turned on on the raspberry pi) and that you restart them every couple of minutes while web browsing. These text based browsers have an advantage, for us brmlab members. If you choose to use, say elinks, then you can personally go and beat the shit out of pasky if you find a security flaw in it. This should motivate him to ensure high coding standards, and not to waste time doing useless biolab research and other time-wasters like sleeping.
While we're dealing with security, we have yet to discuss such security methods as proxies and tor. Of course you don't want an attacker to gain access to your system. One of the greatest threats is physical access. If the police come to your house, break down your door, and steal your laptop they may be able to access your bank account information. To limit these risks, of course encrypted memory, and writing nothing to disk can help. I like to make it an integral part of my houses alarm system, that if the door is opened unexpectedly, my computer restarts, thus ensuring all my data(which is held in an encrypted ram disk, is safely lost). However, there is still risk. So in order to escape that risk, we use TOR and other services. My recommendation is to not use TOR directly but through several layers of proxy.
</snark>
Timothy ---------- Původní zpráva ---------- Od: Mario Lombardo mario@alienscience.com Komu: Brmlab: Hackerspace Prague (main discussion) brmlab@brmlab.cz Datum: 14. 3. 2014 0:14:30 Předmět: [Brmlab] most secure web browser for a laptop/desktop computer
Hi everybody. I don't want to start a holy war, but what do you consider the most secure web browser for a laptop/desktop OS? Academic replies are also welcome. zatím /mario
Brmlab mailing list Brmlab@brmlab.cz http://brmlab.cz/cgi-bin/mailman/listinfo/brmlab _______________________________________________ Brmlab mailing list Brmlab@brmlab.cz http://brmlab.cz/cgi-bin/mailman/listinfo/brmlab _______________________________________________ Brmlab mailing list Brmlab@brmlab.cz http://brmlab.cz/cgi-bin/mailman/listinfo/brmlab
Also, check out the Tails live distro - https://tails.boum.org/
It's specifically designed to be secure, anonymous and not leaving trace anywhere.
OM
On 03/14/2014 01:04 PM, Mario Lombardo wrote:
Wow! Impressive discussion, everybody. Thanks! I had no idea links and elinks were children of the CZ. And elinks grown in our very own lab a-la pasky?? Sweet! :)
So Tom, when you refer to Chromium, you are not referring to Google's Chrome, rather the FOSS browser?
My usecase isn't so high-profile although it probably should be mine and everyone's regular practice like using GPG. I've just read some security reviews, and I'm becoming increasingly tired of Google, Inc. That's what started my inquiry. I'm interested in hearing more. I'm going to check out netcat as mrkva mentioned to see how far I can get with it.
/mario
On 14 Mar 14, at 10:19, <sachy@lainspira.net mailto:sachy@lainspira.net> <sachy@lainspira.net mailto:sachy@lainspira.net> wrote:
Hi, you can actually run the browser in virtual machine. No need for complicated setup, liveCD should be fine. If you would like to configure it deeply, install the virtual system and make a clear ready-to-use snapshot.
The network communication can be even obfuscated by proxies/TOR as needed without any knowledge/influence of the hosting system.
sachy
---------- Původní zpráva ---------- Od: timothyhobbs@seznam.cz mailto:timothyhobbs@seznam.cz Komu: Brmlab: Hackerspace Prague (main discussion) <brmlab@brmlab.cz mailto:brmlab@brmlab.cz> Datum: 14. 3. 2014 9:44:03 Předmět: Re: [Brmlab] most secure web browser for a laptop/desktop computer
Hey! <snark> Tell me more about your usecase. One can get pretty far, by installing chromium on the raspberri pi, setting the "read only" physical switch on your SD card to true, connecting to the PI via VNC, and rebooting the pi on every page refresh. If you want to do "tabbed browsing" you can have a stack of 5 or six Pi's on your desk, with one Pi per tab. How secure do you need? </snark> Joking aside, chromium has a security model of putting each tab in it's own user namespace. This should be pretty secure, though privilege escalation attacks on Linux are far from unheard of. Firefox, on the other hand, has many more security options in terms of "limiting attack surfaces". On firefox you can "lock the browser down" by dissabling scripts, images, multimedia, ect. <snark> Other good browsers, for the extremely paranoid, are the text based ones. This comes from the ease with which one can do a practical version of my previous Raspberi pi stacking joke, throw links or elinks(both browsers of Czech heritage) into a VM running something light like busybox, and ssh in to browse the web. Make sure your VMs are stateless(the same as having that physical read only switch turned on on the raspberry pi) and that you restart them every couple of minutes while web browsing. These text based browsers have an advantage, for us brmlab members. If you choose to use, say elinks, then you can personally go and beat the shit out of pasky if you find a security flaw in it. This should motivate him to ensure high coding standards, and not to waste time doing useless biolab research and other time-wasters like sleeping. While we're dealing with security, we have yet to discuss such security methods as proxies and tor. Of course you don't want an attacker to gain access to your system. One of the greatest threats is physical access. If the police come to your house, break down your door, and steal your laptop they may be able to access your bank account information. To limit these risks, of course encrypted memory, and writing nothing to disk can help. I like to make it an integral part of my houses alarm system, that if the door is opened unexpectedly, my computer restarts, thus ensuring all my data(which is held in an encrypted ram disk, is safely lost). However, there is still risk. So in order to escape that risk, we use TOR and other services. My recommendation is to not use TOR directly but through several layers of proxy. </snark> Timothy ---------- Původní zpráva ---------- Od: Mario Lombardo <mario@alienscience.com <mailto:mario@alienscience.com>> Komu: Brmlab: Hackerspace Prague (main discussion) <brmlab@brmlab.cz <mailto:brmlab@brmlab.cz>> Datum: 14. 3. 2014 0:14:30 Předmět: [Brmlab] most secure web browser for a laptop/desktop computer Hi everybody. I don't want to start a holy war, but what do you consider the most secure web browser for a laptop/desktop OS? Academic replies are also welcome. zatím /mario _______________________________________________ Brmlab mailing list Brmlab@brmlab.cz <mailto:Brmlab@brmlab.cz> http://brmlab.cz/cgi-bin/mailman/listinfo/brmlab _______________________________________________ Brmlab mailing list Brmlab@brmlab.cz <mailto:Brmlab@brmlab.cz> http://brmlab.cz/cgi-bin/mailman/listinfo/brmlab
Brmlab mailing list Brmlab@brmlab.cz mailto:Brmlab@brmlab.cz http://brmlab.cz/cgi-bin/mailman/listinfo/brmlab
Brmlab mailing list Brmlab@brmlab.cz http://brmlab.cz/cgi-bin/mailman/listinfo/brmlab
There is also one heavy solution I am used to mention in discussions like this, there is an PoC made by security researcher Joanna Rutkowska, which is Xen virtualization based OS [1], where applications runs in their own virtual domain [2]. Reasons why I am not using it are just my dislike of KDE (i've seen some screenshots with xfce!) and Fedora as primary system. Its hungry on resources solution, but they're solving things like communication between X apps, clipboard sharing, network filtering, etc. I had it installed years ago, afaik there been plans to support Windows domains also.
tldr: https://www.youtube.com/watch?v=Kq3gzEFhCZo#t=25s
[1] http://qubes-os.org/ [2] https://en.wikipedia.org/wiki/File:Qubes-OS-Desktop.png [3] https://en.wikipedia.org/wiki/Qubes_OS [4] http://qubes-os.org/trac/wiki/SystemDoc
On 03/14/2014 01:27 PM, Ondrej Mikle wrote:
Also, check out the Tails live distro - https://tails.boum.org/
It's specifically designed to be secure, anonymous and not leaving trace anywhere.
OM
Hi!
On Fri, Mar 14, 2014 at 09:44:03AM +0100, timothyhobbs@seznam.cz wrote:
These text based browsers have an advantage, for us brmlab members. If you choose to use, say elinks, then you can personally go and beat the shit out of pasky if you find a security flaw in it.
;-)
Note that I do not maintain ELinks since 2004. I think it may be a good choice if you want to avoid low-effort or untargeted attacks. If anyone cares enough to hire someone to find a security bug to exploit you, the game is over as I suspect there may be a few undiscovered vulnerabilities inside, the code was never properly audited. Also, ELinks' SSL support is incomplete, sometimes it fails to even establish connection (maybe some newer protocol version, no idea) and you really want to look into its current SSL certificate handling before relying on that (I'm not sure what state it's in, but it might not be pretty).
But if you are just looking for an uncommon browser to visit some suspect pages, ELinks should be a very fine choice.
Petr "Pasky" Baudis
-
Mario Lombardo -
Ondrej Mikle -
Pavel Ruzicka -
Petr Baudis -
Radek Pilar -
sachy@lainspira.net -
timothyhobbs@seznam.cz