Re: making firefox less insecure

Check out Fortress Linux, possibly using a version of xombrero, not sure https://www.fortresslinux.org/ Myself I was planning to use a separate login for web browser, streaming audio visual, etc, alongside an offline desktop for work on documents but with ports open to read and send e-mail, access

Re: making firefox less insecure

On Thu, Nov 27, 2014 at 01:07, Jonathan Thornburg wrote: > Summary > --- > As described in another thread > (), > I'm trying to run firefox as a non-privileged user _firefox, talking > to my X server (no Xephyr yet) via an ssh tunnel. But

Re: making firefox less insecure

Jonathan Thornburg wrote: > Summary > --- > As described in another thread > (), > I'm trying to run firefox as a non-privileged user _firefox, talking > to my X server (no Xephyr yet) via an ssh tunnel. But I've discovered > a serious

Re: making firefox less insecure

In message , I wrote > [For twm, 'cut-n-paste' means double- or > triple-left-click to select, then middle-click to paste.] Oops, that's wrong -- there are also other ways to select in twm. The distinction between different ways of selecting

Re: making firefox less insecure

Summary --- As described in another thread (), I'm trying to run firefox as a non-privileged user _firefox, talking to my X server (no Xephyr yet) via an ssh tunnel. But I've discovered a serious flaw in this scheme: cut-n-paste is comple

Re: making firefox less insecure

On Sun, Nov 23, 2014 at 02:41:10PM -0500, Jonathan Thornburg wrote: > > I can see several possible forms of exploit-mitigation: > > (a) use the noscript firefox extension to block javascript > > (b) use capsicum to sandbox forefox and any plugin processes > > (c) run firefox in a chroot jail > > (d

Re: making firefox less insecure

In message I wrote: > Web browsers scare me: they're huge pieces of code, un-audited, they > have embedded Turing-complete interpreters, they live in a horribly > imsecure environment, [[...]] > > So, I'm thinking about how to exploit-mitiga

Re: making firefox less insecure

Quoting frantisek holop : Jorge Gabriel Lopez Paramount, 16 Nov 2014 15:55: >Seems heavy, and probably harder to set up and maintain than (e) and (f). Sure it's harder to set up, but believe me, after setting up the maintenance is almost zero. I restart every week that server as read-write to

Re: making firefox less insecure

Jorge Gabriel Lopez Paramount, 16 Nov 2014 15:55: > >Seems heavy, and probably harder to set up and maintain than (e) and (f). > > Sure it's harder to set up, but believe me, after setting up the maintenance > is almost zero. I restart every week that server as read-write to patch it as if the br

Re: making firefox less insecure

I use bookmarks, but I have them in my Drupal portal so no need to remember links, that by the way is restricted using apache authentication. The basic idea is this: any time I need to set something in Firefox I have to restart the VM as read-write, and while on it do not open any site. The firs

Re: making firefox less insecure

On 17/11/14 10:55, Jorge Gabriel Lopez Paramount wrote: [snip] > I restart every week that server as read-write to patch it and that's > all, [snip] > I have been using that VM more than half a year and invested like 4 > hours setting it up. Is it not worth 4 hours a software that you use > every

Re: making firefox less insecure

Altho' I'm currently just using a) and don't do things like banking, (rather go check out the tellers if I've got to do banking... eases the agravation) I think that c would be reasonable if you had an automated setup that had already identified the dependancies firefox has. This would allow rei

Re: making firefox less insecure

Quoting Jason Adams : On 11/16/2014 12:15 PM, Jorge Gabriel Lopez Paramount wrote: I have other approach that has worked for me so far: I created a virtual machine with Debian GNU/kFreeBSD (sorry but I'm new here), and installed Firefox there and other software I would need like image and PD

Re: making firefox less insecure

On 11/16/2014 12:15 PM, Jorge Gabriel Lopez Paramount wrote: > I have other approach that has worked for me so far: I created a virtual > machine with Debian > GNU/kFreeBSD (sorry but I'm new here), and installed Firefox there and other > software I would need > like image and PDF viewers. After

Re: making firefox less insecure

On 11/16/2014 11:08 AM, Jonathan Thornburg wrote: > (e) maybe have firefox go through an ssh tunnel to localhost > (f) run firefox as an unpriviliged user _firefox, group _firefox, and > use Unix file permissions to deny that user access to $HOME/ I think these two in conjunction would be suff

Re: making firefox less insecure

Quoting Daniel Dickman : On Sun, Nov 16, 2014 at 2:08 PM, Jonathan Thornburg wrote: Are there other practical ways of securing an OpenBSD web browser? [I'm afraid "just say no" fails the "practical" test. :( ] one practical thing I'd love to see is for someone to port the Quark web browser:

Re: making firefox less insecure

On Sun, Nov 16, 2014 at 2:08 PM, Jonathan Thornburg wrote: > Web browsers scare me: they're huge pieces of code, un-audited, they > have embedded Turing-complete interpreters, they live in a horribly > imsecure environment, [...snip...] > > Are there other practical ways of securing an OpenBSD w

making firefox less insecure

Web browsers scare me: they're huge pieces of code, un-audited, they have embedded Turing-complete interpreters, they live in a horribly imsecure environment, [I have to put in a plug here for James Mickens' classic rant "To Wash It All Aawy" (Usenix ;login, March 2014, p.2-8):