Re: [Tails-dev] Consider adding -D_FORTIFY_SOURCE=3 to some applications (e.g., web browser)?
> On Sep 19, 2022, at 2:21 PM, jvoisin via Tails-dev wrote:
>
>>> Has anyone looked into adding -D_FORTIFY_SOURCE=3 to some
>>> It's unclear how much the performance impact is; probably the only way to
>>> know is to try it.
>
> I'd argue that it's also unclear what security benefits it would bring
> to a web-browser :P

I don't know what Firefox's numbers are, but 70% of Chrome's vulnerabilities over the last few years were memory safety vulnerabilities:
https://www.zdnet.com/article/chrome-70-of-all-security-bugs-are-memory-safety-issues/

I would expect the Firefox numbers would be similar. In Firefox the *Rust* parts with safety enabled would be immune, but a large amount of Firefox isn't written in the safe subset of Rust.

So yes, hardening against memory safety problems is a *good* thing to do for web browsers in general. It's not clear if this *specific* change is worth doing, but I think it's worth considering.

--- David A. Wheeler

___
Tails-dev mailing list
Tails-dev@boum.org
https://www.autistici.org/mailman/listinfo/tails-dev
To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.

Re: [Tails-dev] Consider adding -D_FORTIFY_SOURCE=3 to some applications (e.g., web browser)?
Hi,

jvoisin (2022-09-19):
> Do you have a link to the bug you opened intrigeri?

https://bugs.debian.org/1020275

Cheers!

Re: [Tails-dev] Consider adding -D_FORTIFY_SOURCE=3 to some applications (e.g., web browser)?
>> Has anyone looked into adding -D_FORTIFY_SOURCE=3 to some
>> It's unclear how much the performance impact is; probably the only way to
>> know is to try it.

I'd argue that it's also unclear what security benefits it would bring to a web-browser :P

But having it enabled in Debian by default would indeed be sweet.

Do you have a link to the bug you opened intrigeri?

o/

Re: [Tails-dev] Consider adding -D_FORTIFY_SOURCE=3 to some applications (e.g., web browser)?
Hi,

David A. Wheeler (2022-09-18):
> Has anyone looked into adding -D_FORTIFY_SOURCE=3 to some
> applications that directly interact with data from the Internet,
> such as the web browser or parts of the Tor implementation?

I did not, thanks for the pointer!

I've just suggested the Tor Browser team to consider it:
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40625

As for the tor client, and other software that uses the Debian build system, it'll require changes to the Debian toolchain. I've just sent a bug report against dpkg-dev to suggest it.

Cheers!