Thanks for the explanation.

So it would be less work to try to chroot a browser than to make a
virtual machine? Perhaps it's even a better way of isolating?

I googled around a bit and found some threads about people trying to
chroot their browsers, but I couldn't find any successful story. Is it
practically doable?

Looking at other troublesome programs: they come chrooted by default on
OpenBSD. Is there any effort being made by others than VMware to
isolate browsers?

Seems to me like it would be a step in the right direction?

On 12/14/05, J. C. Roberts <[EMAIL PROTECTED]> wrote:
> On Wed, 14 Dec 2005 05:41:30 -0800, Bob Smith <[EMAIL PROTECTED]> wrote:
>
> >VMware recently released a program which kind of
> >chroot jails the browser.
> >http://www.vmware.com/vmtn/vm/browserapp.html
> >
> >I'm not a programmer myself, but I was wondering
> >if perhaps using a similar technique we could lock
> >down the browsers in OpenBSD?
> >
> >Seems to me that would increase security greatly
> >for those of us who surf the web on OpenBSD boxes? Or
> >am I mistaken?
>
> You need to understand the tech being used a bit better. There's a big
> difference between a chroot/jail and a virtual machine. They both try to
> isolate an application from interacting with the rest of the system but
> the way the two go about it is vastly different.
>
> Obviously, isolation is a good thing but you need to understand that
> writing a complete virtual machine in C that works on all supported
> OpenBSD architectures is a *MASSIVE* amount of work.
>
> Even VMware supports only one architecture for their "player" (x86-32)
> and only two possible host operating systems on that architecture (linux
> and ms-windows).
>
> You may also want to realize that no attempted isolation is perfect.
> There are ways for attackers to break out of jails/chroots and similar
> is true for virtual machines. By using such methods you've only added a
> _layer_ of security which only stops _some_ (possibly many) attackers.
> It's not completely bulletproof (nothing is) but it does help.
>
> Kind Regards,
> JCR
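As an added example (not code from this thread, from VMware, or from OpenBSD's own daemons), here is the chdir/chroot/privilege-drop sequence that the "chrooted by default" daemons mentioned above follow, written in C with the checks that make a chroot the extra layer JCR describes rather than a decoration. The jail directory and the unprivileged uid/gid are assumptions supplied on the command line; the function name `sandbox_enter` is ours.

```c
/*
 * Added example: chdir/chroot/drop-privileges in the order a chrooted
 * daemon uses. Not code from the thread or from OpenBSD. The jail
 * directory and uid/gid are assumptions passed in by the caller.
 */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Confine the calling process to `dir` and drop root to uid/gid.
 * Returns 0 on success, -1 with errno set on failure. Needs root to
 * get past chroot(); unprivileged callers get -1/EPERM.
 */
int sandbox_enter(const char *dir, uid_t uid, gid_t gid)
{
    /* Refuse a "drop" that keeps uid/gid 0: a chroot that stays root
     * is not a meaningful boundary. */
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    /* Enter the jail directory first, then make it the root, then
     * re-anchor the cwd so nothing still refers to the old tree. */
    if (chdir(dir) == -1)
        return -1;
    if (chroot(".") == -1)
        return -1;
    if (chdir("/") == -1)
        return -1;
    /* Supplementary groups go first; as root, setgid()/setuid() reset
     * real, effective and saved ids together. */
    if (setgroups(0, NULL) == -1)
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;
    /* Verify the drop stuck: regaining root must now fail. */
    if (setuid(0) != -1 || geteuid() != uid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Stand-alone use (as root): sandbox-demo <dir> <uid> <gid>, then a
 * shell runs inside the jail so the confinement can be inspected. */
int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s dir uid gid\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (sandbox_enter(argv[1], uid, gid) == -1) {
        perror("sandbox_enter");
        return 1;
    }
    printf("confined to %s as uid %u\n", argv[1], (unsigned)geteuid());
    /* Resolved inside the jail: the directory must contain /bin/sh. */
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");
    return 1;
}
```

Two things this makes visible for the "is it practically doable" question: the binary run inside the jail, and every library, config file and device node it opens, must be copied into the jail directory, which for a browser is a long list and is the usual reason such attempts stall; and the final setuid(0) check is what separates a real layer from a false one, since a process that is chrooted but still root has not been isolated in any useful sense.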
