securing web browser

securing web browser

mediomen27
Hi, does anyone have some advice on making a browser like Firefox more secure?
chroot + systrace?



Thank you.


Re: securing web browser

Andrew-2
On 8/14/15, Frank White <[hidden email]> wrote:
> Hi, does anyone have some advice on making a browser like Firefox more secure?
> chroot + systrace?

This previous thread is one solution. Plus read a subsequent thread
on PDF viewers.

http://marc.info/?l=openbsd-misc&m=142676615612510&w=2


Re: securing web browser

dan mclaughlin
In reply to this post by mediomen27
On Fri, 14 Aug 2015 16:45:52 +0000 Frank White <[hidden email]> wrote:
> Hi, does anyone have some advice on making a browser like Firefox more secure?
> chroot + systrace?
>
>
>
> Thank you.
>

apparently it's been done. David Coppa reported that he succeeded chrooting
firefox here: https://marc.info/?l=openbsd-tech&m=143645383725835&w=2.

i think he was following this ('isolating untrusted programs in ssh chroot
jails'): https://marc.info/?l=openbsd-misc&m=142676615612510&w=2 which
details chrooting. that post also links to J. Thornburg's earlier work
securing firefox.


Re: securing web browser

Luke Call
On 08/14/15 12:08, dan mclaughlin wrote:

> On Fri, 14 Aug 2015 16:45:52 +0000 Frank White <[hidden email]> wrote:
>> Hi, does anyone have some advice on making a browser like Firefox more secure?
>> chroot + systrace?
>>
>>
>>
>> Thank you.
>>
> apparently it's been done. David Coppa reported that he succeeded chrooting
> firefox here: https://marc.info/?l=openbsd-tech&m=143645383725835&w=2.
>
> i think he was following this ('isolating untrusted programs in ssh chroot
> jails'): https://marc.info/?l=openbsd-misc&m=142676615612510&w=2 which
> details chrooting. that post also links to J. Thornburg's earlier work
> securing firefox.
>
To achieve what might be the same goal, I simply open a new
terminal window, 'ssh -X otherusername@localhost' (having
ssh authorized_keys and sshd_config all set up to allow it),
and run the browser or other apps from there.  It has been
working well for me, and I hope it's secure though I don't
know all the possible downsides within X security-land.

For one Java IDE I have to do 'ssh -Y otherusername@localhost'
instead, before launching it, since apparently it needs things
that -X doesn't allow, and I haven't learned enough yet about
X security to be more specific in what is allowed.

One downside is that the first term window above can't launch
new windows after a while, but that's easy to work around.

There was more discussion on similar things at the thread
(sorry I don't have a link handy) from March 2015, subject
"running multiple simultaneous X sessions as different users".
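
The setup described in the last post, sketched as an added example that is not part of any message in this thread: the OpenSSH client and server settings behind 'ssh -X otherusername@localhost', with the forwarding kept untrusted and the separate account limited to X11 forwarding from the local machine. The Host alias `browser` and the key file `~/.ssh/id_browser` are hypothetical names; `otherusername` is the account name used in the post.

```conf
# --- ~/.ssh/config of the desktop user (client side) ---
Host browser
    HostName localhost
    User otherusername
    # Equivalent of -X on the command line.
    ForwardX11 yes
    # "no" keeps the forwarding untrusted: remote X clients are subject to
    # the X11 SECURITY extension restrictions. "yes" is the equivalent of -Y
    # and gives the remote clients full access to the local display.
    ForwardX11Trusted no
    # Untrusted forwarding refuses new X11 connections after this period
    # (default: 20 minutes). 0 disables the timeout.
    ForwardX11Timeout 8h
    # Do not expose the desktop user's agent to the browser account.
    ForwardAgent no
    # Use only a dedicated key (hypothetical file name) for this account.
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_browser

# --- /etc/ssh/sshd_config (server side) ---
# Place at the end of the file: a Match block applies until the next
# Match line or the end of the file.
Match User otherusername Address 127.0.0.1,::1
    # Allow X11 forwarding for this account only, and only from localhost.
    X11Forwarding yes
    # Key-based login only; no other forwarding channels for this account.
    PasswordAuthentication no
    AllowTcpForwarding no
    AllowAgentForwarding no
    PermitTunnel no
```

With this in place, 'ssh browser' starts the session. The 20-minute default of ForwardX11Timeout is a likely cause of a session that can no longer open new windows after a while; raising it keeps the forwarding untrusted, whereas switching to -Y removes the SECURITY extension restrictions altogether.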