Re: [tor-dev] More tor browser sandboxing fun.

2016-09-21 Thread grarpamp
There is VM's, and Multiple X server can isolate on up to all available vty's. There is also program shipped by X11 called Xnest. But the more concern than apps and keyboards above, is probably the driver / kernel portion of security surface. ___ tor-dev

Re: [tor-dev] Tor Browser downloads and updates graphs

2016-09-21 Thread Aaron Johnson
> > Log files are sorted as part of the sanitizing procedure, so that > request order should not be preserved. If you find a log file that is > not sorted, please let us know, because that would be a bug. That’s great! It just appeared ordered in that multiple related requests appeared in

Re: [tor-dev] More tor browser sandboxing fun.

2016-09-21 Thread Yawning Angel
On Wed, 21 Sep 2016 23:31:27 +0200 Stanisław Kosma wrote: > At this point no further audit of X11 is necessary. It is well > understood that it is insecure by design. In fact why would you need > an audit, take look at X11 API for yourself: > * X11 client: Please send me all

Re: [tor-dev] More tor browser sandboxing fun.

2016-09-21 Thread Stanisław Kosma
On 21.09.2016 19:57, grarpamp wrote: > On Wed, Sep 21, 2016 at 5:33 AM, Yawning Angel > wrote: >> Where: https://git.schwanenlied.me/yawning/sandboxed-tor-browser > >> X11 is a huge mess of utter fail. Since the sandboxed processes get direct >> access to the host X

Re: [tor-dev] More tor browser sandboxing fun.

2016-09-21 Thread grarpamp
On Wed, Sep 21, 2016 at 5:33 AM, Yawning Angel wrote: > Where: https://git.schwanenlied.me/yawning/sandboxed-tor-browser > X11 is a huge mess of utter fail. Since the sandboxed processes get direct > access to the host X server, this is an exploitation vector. Is

Re: [tor-dev] Tor Browser downloads and updates graphs

2016-09-21 Thread Karsten Loesing
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi Aaron, On 20/09/16 15:43, Aaron Johnson wrote: >> >> Good thinking! I summarized the methodology on the graph page >> as: The graph above is based on sanitized Tor web server logs >> [0]. These are a stripped-down version of Apache's "combined"

[tor-dev] More tor browser sandboxing fun.

2016-09-21 Thread Yawning Angel
Hi, Note: * Don't use this unless you are capable of debugging it. * Don't use this if you need strong security (though the author believes it is an improvement over unsandboxed Tor Browser, and the previous sandboxing attempts). * Don't re-package it, it's not ready for that. In