Web Browsers

Web Browsers

nixlists nixlists
Hi. People on this list are security-conscious. I wonder what browsers they use?
What browsers do you consider more secure than others?
Granted, they're all full of all kinds of holes, but what do you do to
tighten their security?

Thanks.

Re: Web Browsers

openbsd user - misc mailing list
On Fri, 18 Dec 2009 19:25 +0000, "nixlists" <[hidden email]> wrote:
> Hi. People on this list are security-conscious. I wonder what browsers
> they use?
> What browsers do you consider more secure than others?
> Granted, they're all full of all kinds of holes, but what do you do to
> tighten their security?

I like Firefox with noscript and adblock to stop the javascript.

Re: Web Browsers

Jesus Sanchez
On 18/12/2009 20:50, Brad Tilley wrote:

> On Fri, 18 Dec 2009 19:25 +0000, "nixlists" <[hidden email]> wrote:
>> Hi. People on this list are security-conscious. I wonder what browsers
>> they use?
>> What browsers do you consider more secure than others?
>> Granted, they're all full of all kinds of holes, but what do you do to
>> tighten their security?
>
> I like Firefox with noscript and adblock to stop the javascript.

+1

Firefox is a good browser.

Re: Web Browsers

ropers
In reply to this post by openbsd user - misc mailing list
2009/12/18 Brad Tilley <[hidden email]>:
> On Fri, 18 Dec 2009 19:25 +0000, "nixlists" <[hidden email]> wrote:
>> Hi. People on this list are security-conscious. I wonder what browsers
>> they use?
>> What browsers do you consider more secure than others?
>> Granted, they're all full of all kinds of holes, but what do you do to
>> tighten their security?
>
> I like Firefox with noscript and adblock to stop the javascript.

Some people wouldn't consider these strictly *security* features, but
if you're using Firefox it helps to be aware of
  firefox -ProfileManager
and use that to keep stuff separate. Additionally, you can also use
-no-remote and -P <profilename> to concurrently run two or more
firefox instances with different profiles. Cf.:
  http://kb.mozillazine.org/Command_line_arguments

Also be aware that even after you've deleted all traditional cookies,
so-called "Flash cookies" (LSOs) may still persist, and sneaky sites
do use those to track you as well.
One add-on that you can use to kill those is this;
  http://netticat.ath.cx/BetterPrivacy/BetterPrivacy.htm
(And even after deleting all cookies and LSOs, sites can still tell
what other places on the web you've been to, due to CSS leaking that
info, which may be unfixable, cf. e.g.
http://www.amirharel.com/2009/09/20/css-privacy/ )

Finally, if you use Adblock Plus, you owe it to yourself to also use
Element Hiding Helper.

This will not necessarily make Firefox "more secure than others", and
there are lots of things about Firefox that suck ass, but the above
will, "tighten [its] security", at least for some value of security.

--regards,
ropers

Re: Web Browsers

ropers
PS: I don't actually know to what extent the LSO issues apply to
OpenBSD, as there is only limited Flash compatibility, but anyway.

2009/12/18 ropers <[hidden email]>:

> 2009/12/18 Brad Tilley <[hidden email]>:
>> On Fri, 18 Dec 2009 19:25 +0000, "nixlists" <[hidden email]> wrote:
>>> Hi. People on this list are security-conscious. I wonder what browsers
>>> they use?
>>> What browsers do you consider more secure than others?
>>> Granted, they're all full of all kinds of holes, but what do you do to
>>> tighten their security?
>>
>> I like Firefox with noscript and adblock to stop the javascript.
>
> Some people wouldn't consider these strictly *security* features, but
> if you're using Firefox it helps to be aware of
>  firefox -ProfileManager
> and use that to keep stuff separate. Additionally, you can also use
> -no-remote and -P <profilename> to concurrently run two or more
> firefox instances with different profiles. Cf.:
>  http://kb.mozillazine.org/Command_line_arguments
>
> Also be aware that even after you've deleted all traditional cookies,
> so-called "Flash cookies" (LSOs) may still persist, and sneaky sites
> do use those to track you as well.
> One add-on that you can use to kill those is this;
>  http://netticat.ath.cx/BetterPrivacy/BetterPrivacy.htm
> (And even after deleting all cookies and LSOs, sites can still tell
> what other places on the web you've been to, due to CSS leaking that
> info, which may be unfixable, cf. e.g.
> http://www.amirharel.com/2009/09/20/css-privacy/ )
>
> Finally, if you use Adblock Plus, you owe it to yourself to also use
> Element Hiding Helper.
>
> This will not necessarily make Firefox "more secure than others", and
> there are lots of things about Firefox that suck ass, but the above
> will, "tighten [its] security", at least for some value of security.
>
> --regards,
> ropers

Re: Web Browsers

Marco Peereboom
In reply to this post by nixlists nixlists
firefox + adsuck

On Fri, Dec 18, 2009 at 07:25:13PM +0000, nixlists wrote:
> Hi. People on this list are security-conscious. I wonder what browsers they use?
> What browsers do you consider more secure than others?
> Granted, they're all full of all kinds of holes, but what do you do to
> tighten their security?
>
> Thanks.

Re: Web Browsers

Bryan Irvine
In reply to this post by nixlists nixlists
On Fri, Dec 18, 2009 at 11:25 AM, nixlists <[hidden email]> wrote:
> Hi. People on this list are security-conscious. I wonder what browsers they use?
> What browsers do you consider more secure than others?
> Granted, they're all full of all kinds of holes, but what do you do to
> tighten their security?

I use netcat.

Re: Web Browsers

Antoine Jacoutot-7
In reply to this post by nixlists nixlists
On Fri, 18 Dec 2009, nixlists wrote:

> Hi. People on this list are security-conscious. I wonder what browsers they use?
> What browsers do you consider more secure than others?
> Granted, they're all full of all kinds of holes, but what do you do to
> tighten their security?

"I send mail to a demon which runs wget and mails the page back to me."

--
Antoine

Re: Web Browsers

nixlists nixlists
In reply to this post by Marco Peereboom
On Fri, Dec 18, 2009 at 9:07 PM, Marco Peereboom <[hidden email]> wrote:
> firefox + adsuck

What is your opinion on Chrome, OpenBSD gurus? Okay we all know about
its privacy and identity leakage concerns. It's designed by Google
with this built-in - they want to know everything about you and don't
care about your privacy, yada yada. But what about its supposedly more
secure multi-process design. Is it really better than Firefox and
others in this regard?

Re: Web Browsers

Bryan Irvine
In reply to this post by Antoine Jacoutot-7
On Fri, Dec 18, 2009 at 3:01 PM, Antoine Jacoutot <[hidden email]> wrote:
> On Fri, 18 Dec 2009, nixlists wrote:
>
>> Hi. People on this list are security-conscious. I wonder what browsers they use?
>> What browsers do you consider more secure than others?
>> Granted, they're all full of all kinds of holes, but what do you do to
>> tighten their security?
>
> "I send mail to a demon which runs wget and mails the page back to me."

Richard is that you?

Re: Web Browsers

CPB
In reply to this post by Antoine Jacoutot-7
Antoine Jacoutot wrote:

> On Fri, 18 Dec 2009, nixlists wrote:
>
>> Hi. People on this list are security-conscious. I wonder what browsers they use?
>> What browsers do you consider more secure than others?
>> Granted, they're all full of all kinds of holes, but what do you do to
>> tighten their security?
>
> "I send mail to a demon which runs wget and mails the page back to me."

Well you really shouldn't use DEMONS to do your computer work.
They should never be trusted.

But a daemon is OK :)

--
A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders,
give orders, cooperate, act alone, solve equations, analyze a new
problem, pitch manure, program a computer, cook a tasty meal, fight
efficiently, die gallantly. Specialization is for insects.
   -- Robert Heinlein

Re: Web Browsers

Marco Peereboom
In reply to this post by nixlists nixlists
All your ads are belong to us.

Max Headroom might have an opinion too.

On Fri, Dec 18, 2009 at 11:12:14PM +0000, nixlists wrote:
> On Fri, Dec 18, 2009 at 9:07 PM, Marco Peereboom <[hidden email]> wrote:
> > firefox + adsuck
>
> What is your opinion on Chrome, OpenBSD gurus? Okay we all know about
> its privacy and identity leakage concerns. It's designed by Google
> with this built-in - they want to know everything about you and don't
> care about your privacy, yada yada. But what about its supposedly more
> secure multi-process design. Is it really better than Firefox and
> others in this regard?

Re: Web Browsers

Internet Retard
In reply to this post by Bryan Irvine
> Date: Fri, 18 Dec 2009 15:24:25 -0800
> Subject: Re: Web Browsers
> From: [hidden email]
> To: [hidden email]
> CC: [hidden email]
>
> On Fri, Dec 18, 2009 at 3:01 PM, Antoine Jacoutot <[hidden email]> wrote:
> > On Fri, 18 Dec 2009, nixlists wrote:
> >
> >> Hi. People on this list are security-conscious. I wonder what browsers they use?
> >> What browsers do you consider more secure than others?
> >> Granted, they're all full of all kinds of holes, but what do you do to
> >> tighten their security?
> >
> > "I send mail to a demon which runs wget and mails the page back to me."
>
> Richard is that you?

Only his mom calls him Richard. To us, he is RMS.

Your Friend,

IR

Re: Web Browsers

Bob Beck-4
In reply to this post by nixlists nixlists
2009/12/18 nixlists <[hidden email]>:

> On Fri, Dec 18, 2009 at 9:07 PM, Marco Peereboom <[hidden email]> wrote:
>> firefox + adsuck
>
> What is your opinion on Chrome, OpenBSD gurus? Okay we all know about
> its privacy and identity leakage concerns. It's designed by Google
> with this built-in - they want to know everything about you and don't
> care about your privacy, yada yada. But what about its supposedly more
> secure multi-process design. Is it really better than Firefox and
> others in this regard?

Well, in theory, if they can stick to it, a privsep design is more
secure from the point of view of the application.

When done right.

Now, is it a small and secure program? I dunno: You decide:

# uname -a
OpenBSD cthulhu.cns.ualberta.ca 4.6 GENERIC.MP#27 amd64
# pwd
/usr/local/chrome
# ldd chrome
chrome:
        Start            End              Type Open Ref GrpRef Name
        0000000000400000 0000000002c9f000 exe  1    0   0      chrome
        0000000209b99000 000000020a0cc000 rlib 0    14   0      /usr/X11R6/lib/libX11.so.12.0
        0000000210dbf000 00000002111c8000 rlib 0    7   0      /usr/X11R6/lib/libXrender.so.5.0
        00000002069ca000 0000000206ddb000 rlib 0    7   0      /usr/X11R6/lib/libXext.so.10.0
        0000000212468000 0000000212877000 rlib 0    1   0      /usr/local/lib/libexecinfo.so.0.0
        000000021037f000 0000000210bab000 rlib 0    1   0      /usr/local/lib/libgtk-x11-2.0.so.1402.0
        00000002111f4000 00000002116aa000 rlib 0    2   0      /usr/local/lib/libgdk-x11-2.0.so.1402.0
        0000000214671000 0000000214a8c000 rlib 0    3   0      /usr/local/lib/libgdk_pixbuf-2.0.so.1402.0
        0000000204490000 000000020489d000 rlib 0    3   0      /usr/local/lib/libpangocairo-1.0.so.1801.0
        000000020a660000 000000020aa62000 rlib 0    3   0      /usr/X11R6/lib/libXinerama.so.5.0
        000000020ff75000 000000021037f000 rlib 0    3   0      /usr/X11R6/lib/libXi.so.10.1
        00000002058fc000 0000000205d04000 rlib 0    3   0      /usr/X11R6/lib/libXrandr.so.6.1
        000000020db06000 000000020df10000 rlib 0    3   0      /usr/X11R6/lib/libXcursor.so.4.0
        00000002029e5000 0000000202de8000 rlib 0    3   0      /usr/X11R6/lib/libXcomposite.so.3.0
        0000000202e4d000 0000000203250000 rlib 0    3   0      /usr/X11R6/lib/libXdamage.so.3.1
        00000002065c0000 00000002069c5000 rlib 0    6   0      /usr/X11R6/lib/libXfixes.so.5.0
        0000000211fc2000 00000002123e0000 rlib 0    2   0      /usr/local/lib/libatk-1.0.so.2800.0
        000000020ce25000 000000020d2b0000 rlib 0    4   0      /usr/local/lib/libcairo.so.9.2
        0000000213dfc000 0000000214236000 rlib 0    5   0      /usr/X11R6/lib/libpixman-1.so.15.8
        000000020976e000 0000000209b99000 rlib 0    5   0      /usr/local/lib/libglitz.so.2.0
        000000020df10000 000000020e338000 rlib 0    1   0      /usr/local/lib/libpng.so.9.0
        000000020efb6000 000000020f3d2000 rlib 0    15   0      /usr/X11R6/lib/libxcb.so.2.0
        0000000205d04000 0000000206105000 rlib 0    16   0      /usr/X11R6/lib/libpthread-stubs.so.0.0
        000000020d532000 000000020d935000 rlib 0    16   0      /usr/X11R6/lib/libXau.so.9.0
        00000002130c2000 00000002134c7000 rlib 0    16   0      /usr/X11R6/lib/libXdmcp.so.10.0
        0000000207434000 00000002078e1000 rlib 0    4   0      /usr/local/lib/libgio-2.0.so.1802.0
        00000002156c4000 0000000215af4000 rlib 0    4   0      /usr/local/lib/libpangoft2-1.0.so.1801.0
        0000000204a99000 0000000204ee3000 rlib 0    5   0      /usr/local/lib/libpango-1.0.so.1801.0
        000000020610a000 000000020654a000 rlib 0    12   0      /usr/local/lib/libgobject-2.0.so.1802.0
        000000020c7da000 000000020cbdd000 rlib 0    10   0      /usr/local/lib/libgmodule-2.0.so.1802.0
        000000020eb7a000 000000020efb1000 rlib 0    6   0      /usr/X11R6/lib/libfontconfig.so.6.0
        0000000204ee3000 0000000205307000 rlib 0    7   0      /usr/lib/libexpat.so.9.0
        0000000209038000 00000002094ba000 rlib 0    7   0      /usr/X11R6/lib/libfreetype.so.17.0
        0000000214a8c000 0000000214ea0000 rlib 0    8   0      /usr/lib/libz.so.4.1
        00000002079f7000 0000000207dfb000 rlib 0    3   0      /usr/local/lib/libgthread-2.0.so.1802.0
        000000020fa0e000 000000020fed7000 rlib 0    15   0      /usr/local/lib/libglib-2.0.so.1802.0
        0000000203e02000 000000020420d000 rlib 0    16   0      /usr/local/lib/libintl.so.4.0
        000000020326b000 0000000203764000 rlib 0    17   0      /usr/local/lib/libiconv.so.6.0
        000000020b96a000 000000020bea5000 rlib 0    3   0      /usr/local/lib/libnss3.so.24.0
        0000000212c95000 00000002130c2000 rlib 0    1   0      /usr/local/lib/libsmime3.so.24.0
        00000002116aa000 0000000211af0000 rlib 0    1   0      /usr/local/lib/libsoftokn3.so.24.0
        000000020e73c000 000000020eb75000 rlib 0    1   0      /usr/local/lib/libssl3.so.24.0
        00000002152c1000 00000002156c4000 rlib 0    6   0      /usr/local/lib/libplds4.so.21.0
        000000020e338000 000000020e73c000 rlib 0    6   0      /usr/local/lib/libplc4.so.21.0
        0000000206de0000 0000000207219000 rlib 0    8   0      /usr/local/lib/libnspr4.so.21.0
        0000000214236000 0000000214671000 rlib 0    1   0      /usr/local/lib/libgconf-2.so.6.2
        000000020898a000 0000000208df8000 rlib 0    2   0      /usr/local/lib/libORBit-2.so.3.0
        000000020aa62000 000000020aeb0000 rlib 0    3   0      /usr/local/lib/libdbus-1.so.7.1
        0000000214ea0000 00000002152c1000 rlib 0    13   0      /usr/lib/libm.so.5.2
        0000000207e58000 000000020828d000 rlib 0    1   0      /usr/local/lib/libjpeg.so.63.0
        000000020a0d1000 000000020a622000 rlib 0    1   0      /usr/local/lib/libxml2.so.11.0
        00000002134c7000 00000002139d8000 rlib 0    1   0      /usr/local/lib/libestdc++.so.11.0
        000000020b0ec000 000000020b5cd000 rlib 0    3   0      /usr/lib/libc.so.53.0
        00000002139d8000 0000000213dfc000 rlib 0    1   0      /usr/lib/libpthread.so.12.0
        0000000212877000 0000000212c95000 rlib 0    5   0      /usr/local/lib/libnssutil3.so.24.0
        0000000215f1f000 0000000216347000 rlib 0    4   0      /usr/local/lib/libpng.so.8.1
        0000000215af4000 0000000215f1f000 rlib 0    15   0      /usr/local/lib/libpcre.so.2.3
        0000000216347000 00000002167b5000 rlib 0    1   0      /usr/local/lib/libsqlite3.so.13.3
        00000002167b5000 0000000216bd7000 rlib 0    1   0      /usr/local/lib/libdbus-glib-1.so.4.2
        000000020f600000 000000020f600000 rtld 0    1   0      /usr/libexec/ld.so
#

Well at least it'll give shared library randomization something to do:

# pwd
/tmp/chromium-4.0.251.0
# find . -type f -name \*.c -exec cat "{}" >> /tmp/chromium_c \;
# find . -type f -name \*.cc -exec cat "{}" >> /tmp/chromium_cc \;
# wc -l /tmp/chromium_c
 1334153 /tmp/chromium_c
# wc -l /tmp/chromium_cc
 1300305 /tmp/chromium_cc
# find /usr/src/sys -type f -name \*.c -exec cat "{}" >> /tmp/kernel_c \;
# find /usr/src/sys -type f -name \*.cc -exec cat "{}" >> /tmp/kernel_cc \;
# wc -l /tmp/kernel_c
 1949871 /tmp/kernel_c
# wc -l /tmp/kernel_cc
       0 /tmp/kernel_cc
# find /usr/src/usr.bin/ssh -type f -name \*.c -exec cat "{}" >> /tmp/ssh_c \;
# find /usr/src/usr.bin/ssh -type f -name \*.cc -exec cat "{}" >> /tmp/ssh_cc \;
# wc -l /tmp/ssh_c
   58501 /tmp/ssh_c
# wc -l /tmp/ssh_cc
       0 /tmp/ssh_cc
# find /usr/src -type f -name \*.c -exec cat "{}" >> /tmp/openbsd_c \;
# find /usr/src -type f -name \*.cc -exec cat "{}" >> /tmp/openbsd_cc \;
# wc -l /tmp/openbsd_c
11205682 /tmp/openbsd_c
# wc -l /tmp/openbsd_cc
  138555 /tmp/openbsd_cc

Still plenty of potential for issues in there, draw your own
conclusions. About the most complicated privsep program that gets it
right I know of is ssh.

Process separation may make the browser itself harder to compromise,
but won't really do fuck all for you if the exploit is javascript. And
at the moment I haven't seen anything that works as an effective
selective javascript blocker for chrome like noscript - they just
expect you to let google decide what sites are safe so far.
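
An added example (not part of the message above, and not code from Chrome or OpenSSH) of the privsep pattern that message describes: an untrusted worker process parses hostile input with its resource limits cut to zero, and the trusted parent accepts only one fixed-size, validated reply over a socketpair. The names `render_title`, `worker` and `struct reply`, and the `CRASH`/`LIE` inputs, are constructed for illustration; a daemon started as root would additionally chroot and switch to an unused uid.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_TITLE 64
struct reply { uint32_t len; char title[MAX_TITLE]; };  /* the whole IPC protocol */

/* Untrusted worker: parses hostile input, sends one fixed-size reply, exits. */
static void worker(int fd, const char *page)
{
    struct rlimit zero = { 0, 0 };
    struct reply r = { 0, "" };
    const char *s, *e;
    /* Shed abilities before parsing: no new descriptors, no file writes. */
    if (setrlimit(RLIMIT_NOFILE, &zero) || setrlimit(RLIMIT_FSIZE, &zero))
        _exit(1);
    if (strncmp(page, "CRASH", 5) == 0)
        abort();                    /* constructed input: parser memory bug */
    if (strncmp(page, "LIE", 3) == 0) {
        r.len = UINT32_MAX;         /* constructed input: hijacked worker */
    } else if ((s = strstr(page, "<title>")) && (e = strstr(s + 7, "</title>")) &&
               (size_t)(e - (s + 7)) < MAX_TITLE) {
        r.len = (uint32_t)(e - (s + 7));
        memcpy(r.title, s + 7, r.len);
    }
    _exit(write(fd, &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
}

/* Trusted side: returns 0 on success, -1 if the worker died, -2 if its
 * reply failed validation. It never parses the page itself. */
int render_title(const char *page, char *out, size_t outsz)
{
    int sv[2], rc = 0;
    struct reply r;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    if ((pid = fork()) == 0) {
        close(sv[0]);
        worker(sv[1], page);        /* never returns */
    }
    close(sv[1]);
    if (pid < 0 || recv(sv[0], &r, sizeof r, MSG_WAITALL) != (ssize_t)sizeof r)
        rc = -1;                    /* crash stays inside the worker */
    else if (r.len >= MAX_TITLE || r.len >= outsz)
        rc = -2;                    /* the length field is attacker data */
    else {
        memcpy(out, r.title, r.len);
        out[r.len] = '\0';
    }
    close(sv[0]);
    if (pid > 0)
        waitpid(pid, NULL, 0);
    return rc;
}

int main(void)
{
    char t[MAX_TITLE] = "";
    int ok = render_title("<title>OpenBSD</title>", t, sizeof t);
    int crash = render_title("CRASH", t, sizeof t), lie = render_title("LIE", t, sizeof t);
    printf("ok=%d title=%s crash=%d lie=%d\n", ok, t, crash, lie);
    return 0;
}
```

The split limits what a bug in the parser can reach; whatever the parent accepts as a valid reply it still acts on.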

Re: Web Browsers

Christopher Linn
In reply to this post by nixlists nixlists
On Fri, Dec 18, 2009 at 07:25:13PM +0000, nixlists wrote:
> Hi. People on this list are security-conscious. I wonder what browsers they use?
> What browsers do you consider more secure than others?
> Granted, they're all full of all kinds of holes, but what do you do to
> tighten their security?

I'm not telling.

cel

Re: Web Browsers

David Vasek
In reply to this post by Bob Beck-4
On Fri, 18 Dec 2009, Bob Beck wrote:

> 2009/12/18 nixlists <[hidden email]>:
>> On Fri, Dec 18, 2009 at 9:07 PM, Marco Peereboom <[hidden email]> wrote:
>>> firefox + adsuck

[...]

> and at the moment I haven't seen anything that works as an effective
> selective javascript blocker for chrome like noscript - they just expect
> you to let google decide what sites are safe so far.

Can anybody comment on privoxy?
Junkbuster used to be simple, but privoxy seems to be quite complex to set
up.

Regards,
David

Re: Web Browsers

Dirk Mast
In reply to this post by ropers
ropers wrote:

>
> Finally, if you use Adblock Plus, you owe it to yourself to also use
> Element Hiding Helper.

> --regards,
> ropers

Wow, thank you, I've always wanted an addon like this.

Re: Web Browsers

Julian Leyh-2
In reply to this post by nixlists nixlists
nixlists wrote:
> I wonder what browsers they use?

lynx

Re: Web Browsers

Ted Unangst-2
In reply to this post by nixlists nixlists
On Fri, Dec 18, 2009 at 6:12 PM, nixlists <[hidden email]> wrote:
> On Fri, Dec 18, 2009 at 9:07 PM, Marco Peereboom <[hidden email]> wrote:
>> firefox + adsuck
>
> What is your opinion on Chrome, OpenBSD gurus? Okay we all know about
> its privacy and identity leakage concerns. It's designed by Google
> with this built-in - they want to know everything about you and don't
> care about your privacy, yada yada. But what about its supposedly more

You know, it's really trivial to run chrome and watch the network and
see just what terrible secrets it's transmitting back to the mother
ship.  But be aware that if you do that, you may find you no longer
have any conspiracies to complain about.

> secure multi-process design. Is it really better than Firefox and
> others in this regard?

Compared to every version of firefox I've ever used, chrome is crazy
fast.  Also, it can render pages with a lot of html instead of pooping
itself.  As for security, I guess it's better.  Certainly, it's nicer
to have one tab crash and not bring down the whole browser.

Re: Web Browsers

Robert Bronsdon
> On Fri, Dec 18, 2009 at 9:07 PM, Marco Peereboom <[hidden email]> wrote:
> What is your opinion on Chrome, OpenBSD gurus? Okay we all know about
> its privacy and identity leakage concerns.

Privacy and Google are interesting.

Obviously it makes sense for Google to collect as much data on you as
possible (tin foil hat removed), as a marketing company it's their job to
do so. However Google have always stated Chrome is an attempt to get
people using more javascript to create larger javascript based
applications (similar to Wave). This clearly increases their market for
ad. revenue etc.

Google are clearly clever enough to know that upsetting the 'tin-foiled'
geeks, by 'spying' on them would be enough to disrupt its browser.
Especially given its lowly market share, just a little bad press would
stop this thing ever taking off.

As has been said though, look at your own traffic yourself, does it
contain anything it shouldn't? If not then it's not a problem. If it does,
then I'm sure many would like to know about it.

> secure multi-process design. Is it really better than Firefox and
> others in this regard?

I don't think many people could put it better than Bob already has.

