Why not just run the browser on your regular OpenBSD desktop computer but run it
with chroot/bubblewrap/firejail, so that even if it executes some Java
cancer (all Java is cancer^^) that will rm -rf /, your system won't be fucked?

On May 12, 2017 3:41:05 AM GMT+02:00, Kim Blackwood 
<bluechildcry...@yandex.com> wrote:
>Hi,
>
>I am at novice level of security, studying and trying to understand
>some of the different aspects of running an OS and applications as
>securely as possible.
>
>I have been running OpenBSD for years and understand a little of what's
>being done to make it more secure, albeit not the technical details of
>programming as much as I am not a C programmer.
>
>A friend of mine, who is a computer scientist with a speciality in
>security, suggested Qubes-OS as a secure "solution" to security
>problems related to OS's and applications on a personal computer.
>
>I read up about the project and tested it out, but I am not convinced
>that it is a good solution at all.
>
>I am writing to this list because I know that a lot of people on this
>list are very security-minded.
>
>I found the reading "An Empirical Study into the Security Exposure to
>Hosts of Hostile Virtualized Environments" very insightful.
>
>http://taviso.decsystem.org/virtsec.pdf
>
>First, I cannot really see the difference between an OS and a
>hypervisor. Both run on the "bare metal" and both perform similar
>tasks. In the specific case with Qubes-OS, there isn't really a
>difference as it's "just" Fedora with Xen.
>
>Possibilities of exploiting the hypervisor aren't lower than
>possibilities of exploiting the OS. And specifically in the case of
>OpenBSD as the OS, that has been developed from the ground up with
>security in mind, the possibilities are much lower than a hypervisor
>that hasn't even been developed with security measures from the
>beginning.
>
>Second, the virtualization part as I see it, just adds another level of
>tons of code.
>
>If I am running Firefox on OpenBSD and Firefox gets exploited, the
>cracker finds himself on a very secure OS that's really hard to
>compromise.
>
>If I am running Firefox in some virtualization container on Qubes-OS
>and Firefox gets exploited, then the cracker finds himself inside a
>container that could possibly contain lots of exploitable security
>holes that again runs on a hypervisor with possibly lots of security
>holes, stuff that hasn't been developed with security in mind and has
>perhaps never been audited.
>
>Qubes-OS seems to me as a solution of "patching".
>
>OpenBSD on the other hand is a completely different story.
>
>Rather than running something like Qubes-OS, which IMHO provides a fake
>feeling of security, with its different "qubes", I would think of
>another situation that's much better.
>
>I either set up 3 different computers, or one computer where I can
>physically change the hard drive and I then have 3 different hard
>drives.
>
>On one box I set up OpenBSD and the most secure-minded browser I can
>find (does such a thing even exist?). On this particular setup I *ONLY*
>do my home banking. Absolutely nothing else.
>
>On the second box I also set up OpenBSD and the most secure-minded email
>client I can find and I do all my email there. I possibly also set up an
>office application for writing letters, etc. I don't use a browser on
>this setup, if someone sends an email with a link, I write the link
>down for later usage.
>
>And on the third box I also set up OpenBSD with a browser and possibly
>other applications like a video player, and this box I use for all the
>other casual stuff, the links from emails, etc. I possibly even run
>this from a non-writeable CD or SD card.
>
>It will be an inconvenience to shift between the drives, but no more
>than using Qubes-OS.
>
>IMHO the setup with the different OpenBSD installations provides a
>much more secure alternative than running Qubes-OS.
>
>Am I completely off track here?
>
>Kind regards,
>
>Kim

-- 
Take Care Sincerely flipchan layerprox dev
