Re: browser security in OpenBSD

On 2019-01-05, Mihai Popescu wrote: > Hello, > > I see there is some work in Chromium to implement secure browsing. I > was using both Chromium and Firefox over the past years. If I got it > right, here is a summary of implementations: > Chromium: W^X, pledge, unveil chromium doesn't have W^X

Re: browser security in OpenBSD

On Sat, Jan 05, 2019 at 03:38:16PM +0200, Mihai Popescu wrote: > Hello, > > I see there is some work in Chromium to implement secure browsing. I > was using both Chromium and Firefox over the past years. If I got it > right, here is a summary of implementations: > Chromium: W^X, pledge, unveil >

browser security in OpenBSD

Hello, I see there is some work in Chromium to implement secure browsing. I was using both Chromium and Firefox over the past years. If I got it right, here is a summary of implementations: Chromium: W^X, pledge, unveil Firefox: W^X I don't want to start a brosers' war, but what is best to run

Re: HTTPS Only 3.1 (Detailed Analysis, Browser Security, Open Source, Python)

> On Thu, 24 Mar 2016, Kevin Chadwick wrote: > > BTW, only allowing Javascript to come from the primary domain over SSL > > would be a far saner idea, but lets see you get that past Google, > > facebook and all the other tracking sites? > > It's possible with content

Re: HTTPS Only 3.1 (Detailed Analysis, Browser Security, Open Source, Python)

On Thu, 24 Mar 2016, Kevin Chadwick wrote: > BTW, only allowing Javascript to come from the primary domain over SSL > would be a far saner idea, but lets see you get that past Google, > facebook and all the other tracking sites? It's possible with content security

Re: HTTPS Only 3.1 (Detailed Analysis, Browser Security, Open Source, Python)

> Now, let's look at threats: > 1. Man in the middle - it's fixed. > 2. Phishing always requires the browser to load attacker's website, so it's > permanently dead here. > 3. Drive-by Download - dead(if applied strictly, unable to download the > executable) > 4. Clickjacking - dead(attacker's

Re: HTTPS Only 3.1 (Detailed Analysis, Browser Security, Open Source, Python)

> To secure browser which is very fragile, the approach of HTTPS Only 3.1 is > exceptionally simple: Please help make widespread browsers "Simple" firefox now takes > 200M mem without any tabs open and chrome is > 70M to download. Xombrero uses 30-45 M of mem > 1. Only HTTPS URLs(no other

HTTPS Only 3.1 (Detailed Analysis, Browser Security, Open Source, Python)

Hello all! http://seclists.org/fulldisclosure/2016/Mar/77 HTTPS Only 3.1 (Detailed Analysis, Browser Security, Open Source, Python) From: David Leo Date: Wed, 23 Mar 2016 01:58:43 -0700

Re: improving browser security

On 03/01/2015 01:36 PM, Ted Unangst wrote: Nevertheless, the policy is only advisory. Writeable executable memory is only an mmap or mprotect away. Thanks for your work. Is there a simple way to turn on enforcement W^X on a system, to see what breaks?

Re: Almost offtopic question to the Improving Browser Security question

On 2015-03-03, someone thisistheone8...@gmail.com wrote: Wow, copying the .Xauthority to the separated user worked! But I'm still thinking that the separated user can give out the command: xinput test 6 and can see what anyone types in via X. See xauth(1) about generating an untrusted auth

Almost offtopic question to the Improving Browser Security question

Hello, If I: pkg_add firefox-esr then I cannot see any separated user for it: grep -i firefox /etc/passwd When will OpenBSD have a separated user for the webbrowser by default? If someone gets in via the webbrowser... it will have the id_rsa, the *.kdb, etc. If it will not be default

Re: Almost offtopic question to the Improving Browser Security question

Wow, copying the .Xauthority to the separated user worked! But I'm still thinking that the separated user can give out the command: xinput test 6 and can see what anyone types in via X. On Tue, Mar 3, 2015 at 5:56 PM, Ryan Freeman r...@slipgate.org wrote: On Tue, Mar 03, 2015 at 05:51:27PM

Re: Almost offtopic question to the Improving Browser Security question

On Tue, Mar 03, 2015 at 05:51:27PM +0100, someone wrote: Hello, If I: pkg_add firefox-esr then I cannot see any separated user for it: grep -i firefox /etc/passwd When will OpenBSD have a separated user for the webbrowser by default? I think Ted specifically stated that jailing

Re: Almost offtopic question to the Improving Browser Security question

http://blogs.gnome.org/alexl/2015/02/17/first-fully-sandboxed-linux-desktop-app/ h, great, looks like X is not soo good regarding security.. maybe Wayland.. On Tue, Mar 3, 2015 at 6:09 PM, someone thisistheone8...@gmail.com wrote: Wow, copying the .Xauthority to the separated user worked!

Re: improving browser security

On 03/01/2015 10:36 AM, Ted Unangst wrote: A few words about a project I've started working on today with support from the OpenBSD Foundation. This is a good idea. I just threw some more coin in the donations bin. At the risk of feature creep: There was a thread on this list about browser

Re: improving browser security

At the risk of feature creep: There was a thread on this list about browser installation such that it would, for each user be sandboxed in a clean room, denying any scripts access to the users files. I don't know if this is at all appropriate for this project, and I just throw it out there

improving browser security

A few words about a project I've started working on today with support from the OpenBSD Foundation. As you may know, OpenBSD has a W^X (write xor execute) policy for memory. This mitigates many forms of exploit, either by preventing the exploit from overwriting the program's executable code or

Re: improving browser security

On Sun, March 1, 2015 1:36 pm, Ted Unangst wrote: I'd like to thank the OpenBSD Foundation for supporting this effort, and the many donors who have supported the Foundation. The Foundation wouldn't be in a position to support projects like this if it weren't for you. My thanks, as well.

Re: poor-man's sandbox (for web browser security, etc.)

In message http://marc.info/?l=openbsd-miscm=141848398918562w=1, Joel Rees wrote: I've used sudo to make a poor-man's sandbox in the past, like this: http://reiisi.blogspot.jp/2011/08/simple-sandbox-for-firefox.html Trying this on openbsd seems to work [[...]] It seems to run firefox

poor-man's sandbox (for web browser security, etc.)

I don't know whether this is a good idea, a bad idea, or worth the trouble, but I've used sudo to make a poor-man's sandbox in the past, like this: http://reiisi.blogspot.jp/2011/08/simple-sandbox-for-firefox.html Trying this on openbsd seems to work: --- # Added a

Re: browser security - restricted user

On Wed, Dec 14, 2005 at 10:48:28AM -0800, Bob Smith wrote: Just a thought: sudo -u $some_restricted_user $your_preffered_browser ? good that you brought this up; i been wondering about this too. does it help? if so how come there isnt a default non-privileged user created for, say,

browser security

vmware recently released a program which kind of chroot jails the browser. http://www.vmware.com/vmtn/vm/browserapp.html im not a programmer myself, but i was wondering if perhaps using a similar technique we could lock down the browsers in openbsd? seems to me that would increase security

Re: browser security

On Wed, 14 Dec 2005 05:41:30 -0800, Bob Smith [EMAIL PROTECTED] wrote: vmware recently released a program which kind of chroot jails the browser. http://www.vmware.com/vmtn/vm/browserapp.html im not a programmer myself, but i was wondering if perhaps using a similar technique we could lock down

Re: browser security

--On 14 December 2005 06:38 -0800, J.C. Roberts wrote: Even VMware supports only one architecture for their player (x86-32) They do actually support x86-64 on the player (I'm not sure if this changed recently - 'player' is out of beta as of a day or two ago). and only two possible host

Re: browser security

--On 14 December 2005 05:41 -0800, Bob Smith wrote: vmware recently released a program which kind of chroot jails the browser. Actually, they released a disk-image with an installation of Ubuntu Linux including Firefox, that runs in their free-of-charge 'player' for x86 Linux/Windows (basic

Re: browser security

thanks for the explanation. so it would be less work to try to chroot a browser then to make a virtual machine? perhaps its even a better way of isolating? i googled around a bit and found some threads about people trying to chroot their browsers, but i couldnt find any successful story. is it

Re: browser security

On Wed, Dec 14, 2005 at 05:41:30AM -0800, Bob Smith wrote: vmware recently released a program which kind of chroot jails the browser. http://www.vmware.com/vmtn/vm/browserapp.html im not a programmer myself, but i was wondering if perhaps using a similar technique we could lock down the

Re: browser security

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Smith Sent: Wednesday, December 14, 2005 11:37 AM To: J. C. Roberts Cc: misc@openbsd.org Subject: Re: browser security thanks for the explanation. so it would be less work to try to chroot

Re: browser security

On Wednesday 14 December 2005 17:37, Bob Smith wrote: thanks for the explanation. so it would be less work to try to chroot a browser then to make a virtual machine? perhaps its even a better way of isolating? i googled around a bit and found some threads about people trying to chroot their

Re: browser security - restricted user

Just a thought: sudo -u $some_restricted_user $your_preffered_browser ? good that you brought this up; i been wondering about this too. does it help? if so how come there isnt a default non-privileged user created for, say, firefox when the pkg is installed? like there is for bitlbee

Re: browser security

On Wed, 14 Dec 2005 08:37:16 -0800, Bob Smith [EMAIL PROTECTED] wrote: thanks for the explanation. so it would be less work to try to chroot a browser then to make a virtual machine? perhaps its even a better way of isolating? i googled around a bit and found some threads about people trying to

Re: browser security

On 14/12/05, J.C. Roberts [EMAIL PROTECTED] wrote: When you think about all the crap a graphical browser needs just to run (fonts, mime types, library dependencies, plugins, cache, user preferences, ...), it will probably be a major pain to chroot the beast because you'll be duplicating tons

Re: browser security

On Wed, 14 Dec 2005 19:32:18 +, Simon Morgan [EMAIL PROTECTED] wrote: On 14/12/05, J.C. Roberts [EMAIL PROTECTED] wrote: When you think about all the crap a graphical browser needs just to run (fonts, mime types, library dependencies, plugins, cache, user preferences, ...), it will

Re: browser security

On 14/12/05, J. C. Roberts [EMAIL PROTECTED] wrote: On Wed, 14 Dec 2005 19:32:18 +, Simon Morgan [EMAIL PROTECTED] wrote: I've just had the most awesome idea: chroot the entire operating system! It seems your mother never warned you that such levels of sarcasm usually results in

Re: browser security

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Morgan Sent: Wednesday, December 14, 2005 2:32 PM To: J.C. Roberts Cc: misc@openbsd.org Subject: Re: browser security On 14/12/05, J.C. Roberts [EMAIL PROTECTED] wrote: When you think about

Re: browser security

On Wednesday 14 December 2005 19:48, Bob Smith wrote: Just a thought: sudo -u $some_restricted_user $your_preffered_browser ? good that you brought this up; i been wondering about this too. does it help? if so how come there isnt a default non-privileged user created for, say, firefox when

Re: browser security

On Wed, 2005-12-14 at 21:58 +0100, viq wrote: On Wednesday 14 December 2005 19:48, Bob Smith wrote: Just a thought: sudo -u $some_restricted_user $your_preffered_browser ? good that you brought this up; i been wondering about this too. does it help? if so how come there isnt a default

Re: browser security

Bob Smith wrote: vmware recently released a program which kind of chroot jails the browser. http://www.vmware.com/vmtn/vm/browserapp.html im not a programmer myself, but i was wondering if perhaps using a similar technique we could lock down the browsers in openbsd? seems to me that

Re: browser security

On Wed, Dec 14, 2005 at 11:50:53AM -0500, Will H. Backman wrote: Anyone dare try making a systrace policy for firefox? and where's difficulty in writting such policy? It's 20'' of work: use ``wizard'' or automatic policy generation, and then clean up the ruleset looking through syscalls and

Re: browser security

On 14/12/05, Fletch [EMAIL PROTECTED] wrote: Isn't this a mute point. I mean, unless you are surfing the web as root, any remote browser exploit would only effect the user and a logoff and login again would sort out *most* problems associated with remote exploits. Once a remote attacker has

Re: browser security

On Wednesday 14 December 2005 23:15, James Strandboge wrote: systrace could provide an effective jail for firefox. 'man systrace'. Yes, it was mentioned, and it sounds like a good idea. While we're at systrace, I was wondering - could systrace reduce the risks associated with running apache

Re: browser security

On Wed, 2005-12-14 at 23:38 +0100, viq wrote: On Wednesday 14 December 2005 23:15, James Strandboge wrote: systrace could provide an effective jail for firefox. 'man systrace'. Yes, it was mentioned, and it sounds like a good idea. While we're at systrace, I was wondering - could

Re: browser security

On Thu, 2005-12-15 at 03:02 +0100, Andreas Bartelt wrote: Hi, James Strandboge wrote: ... While we're at systrace, I was wondering - could systrace reduce the risks associated with running apache with PHP? Default apache is already chrooted, so systracing it won't be as much of a

Re: browser security

Hi, James Strandboge wrote: On Thu, 2005-12-15 at 03:02 +0100, Andreas Bartelt wrote: ... Apache forks children with reduced priviledges (user www) while, at the same time, there's always an Apache process running as root. Therefore, a useful systrace policy for Apache probably won't be easy