On 2019-01-05, Mihai Popescu wrote:
> Hello,
>
> I see there is some work in Chromium to implement secure browsing. I
> was using both Chromium and Firefox over the past years. If I got it
> right, here is a summary of implementations:
> Chromium: W^X, pledge, unveil
chromium doesn't have W^X
On Sat, Jan 05, 2019 at 03:38:16PM +0200, Mihai Popescu wrote:
> Hello,
>
> I see there is some work in Chromium to implement secure browsing. I
> was using both Chromium and Firefox over the past years. If I got it
> right, here is a summary of implementations:
> Chromium: W^X, pledge, unveil
>
Hello,
I see there is some work in Chromium to implement secure browsing. I
was using both Chromium and Firefox over the past years. If I got it
right, here is a summary of implementations:
Chromium: W^X, pledge, unveil
Firefox: W^X
I don't want to start a brosers' war, but what is best to run
> On Thu, 24 Mar 2016, Kevin Chadwick wrote:
> > BTW, only allowing Javascript to come from the primary domain over SSL
> > would be a far saner idea, but lets see you get that past Google,
> > facebook and all the other tracking sites?
>
> It's possible with content
On Thu, 24 Mar 2016, Kevin Chadwick wrote:
> BTW, only allowing Javascript to come from the primary domain over SSL
> would be a far saner idea, but lets see you get that past Google,
> facebook and all the other tracking sites?
It's possible with content security
> Now, let's look at threats:
> 1. Man in the middle - it's fixed.
> 2. Phishing always requires the browser to load attacker's website, so it's
> permanently dead here.
> 3. Drive-by Download - dead(if applied strictly, unable to download the
> executable)
> 4. Clickjacking - dead(attacker's
> To secure browser which is very fragile, the approach of HTTPS Only 3.1 is
> exceptionally simple:
Please help make widespread browsers "Simple" firefox now takes > 200M
mem without any tabs open and chrome is > 70M to download.
Xombrero uses 30-45 M of mem
> 1. Only HTTPS URLs(no other
Hello all! http://seclists.org/fulldisclosure/2016/Mar/77 HTTPS Only 3.1
(Detailed Analysis, Browser Security, Open Source, Python)
From: David Leo
Date: Wed, 23 Mar 2016 01:58:43 -0700
On 03/01/2015 01:36 PM, Ted Unangst wrote:
Nevertheless, the policy is only advisory. Writeable executable memory is only
an mmap or mprotect away.
Thanks for your work. Is there a simple way to turn on enforcement W^X
on a system, to see what breaks?
On 2015-03-03, someone thisistheone8...@gmail.com wrote:
Wow, copying the .Xauthority to the separated user worked!
But I'm still thinking that the separated user can give out the command:
xinput test 6
and can see what anyone types in via X.
See xauth(1) about generating an untrusted auth
Hello,
If I:
pkg_add firefox-esr
then I cannot see any separated user for it:
grep -i firefox /etc/passwd
When will OpenBSD have a separated user for the webbrowser by default?
If someone gets in via the webbrowser... it will have the id_rsa, the
*.kdb, etc.
If it will not be default
Wow, copying the .Xauthority to the separated user worked!
But I'm still thinking that the separated user can give out the command:
xinput test 6
and can see what anyone types in via X.
On Tue, Mar 3, 2015 at 5:56 PM, Ryan Freeman r...@slipgate.org wrote:
On Tue, Mar 03, 2015 at 05:51:27PM
On Tue, Mar 03, 2015 at 05:51:27PM +0100, someone wrote:
Hello,
If I:
pkg_add firefox-esr
then I cannot see any separated user for it:
grep -i firefox /etc/passwd
When will OpenBSD have a separated user for the webbrowser by default?
I think Ted specifically stated that jailing
http://blogs.gnome.org/alexl/2015/02/17/first-fully-sandboxed-linux-desktop-app/
h, great, looks like X is not soo good regarding security.. maybe
Wayland..
On Tue, Mar 3, 2015 at 6:09 PM, someone thisistheone8...@gmail.com wrote:
Wow, copying the .Xauthority to the separated user worked!
On 03/01/2015 10:36 AM, Ted Unangst wrote:
A few words about a project I've started working on today with support from
the OpenBSD Foundation.
This is a good idea. I just threw some more coin in the donations bin.
At the risk of feature creep:
There was a thread on this list about browser
At the risk of feature creep:
There was a thread on this list about browser installation
such that it would, for each user be sandboxed in a clean room, denying any
scripts access to the users files. I don't know if this is at all
appropriate for
this project, and I just throw it out there
A few words about a project I've started working on today with support from
the OpenBSD Foundation.
As you may know, OpenBSD has a W^X (write xor execute) policy for memory.
This mitigates many forms of exploit, either by preventing the exploit from
overwriting the program's executable code or
On Sun, March 1, 2015 1:36 pm, Ted Unangst wrote:
I'd like to thank the OpenBSD Foundation for supporting this effort, and
the
many donors who have supported the Foundation. The Foundation wouldn't be
in a
position to support projects like this if it weren't for you.
My thanks, as well.
In message http://marc.info/?l=openbsd-miscm=141848398918562w=1,
Joel Rees wrote:
I've used sudo to make a poor-man's sandbox in the past,
like this:
http://reiisi.blogspot.jp/2011/08/simple-sandbox-for-firefox.html
Trying this on openbsd seems to work
[[...]]
It seems to run firefox
I don't know whether this is a good idea, a bad idea, or worth the
trouble, but I've used sudo to make a poor-man's sandbox in the past,
like this:
http://reiisi.blogspot.jp/2011/08/simple-sandbox-for-firefox.html
Trying this on openbsd seems to work:
---
# Added a
On Wed, Dec 14, 2005 at 10:48:28AM -0800, Bob Smith wrote:
Just a thought: sudo -u $some_restricted_user $your_preffered_browser ?
good that you brought this up; i been wondering about this too.
does it help? if so how come there isnt a default non-privileged user
created for, say,
vmware recently released a program which kind of
chroot jails the browser.
http://www.vmware.com/vmtn/vm/browserapp.html
im not a programmer myself, but i was wondering
if perhaps using a similar technique we could lock
down the browsers in openbsd?
seems to me that would increase security
On Wed, 14 Dec 2005 05:41:30 -0800, Bob Smith [EMAIL PROTECTED] wrote:
vmware recently released a program which kind of
chroot jails the browser.
http://www.vmware.com/vmtn/vm/browserapp.html
im not a programmer myself, but i was wondering
if perhaps using a similar technique we could lock
down
--On 14 December 2005 06:38 -0800, J.C. Roberts wrote:
Even VMware supports only one architecture for their player (x86-32)
They do actually support x86-64 on the player (I'm not sure if this
changed recently - 'player' is out of beta as of a day or two ago).
and only two possible host
--On 14 December 2005 05:41 -0800, Bob Smith wrote:
vmware recently released a program which kind of
chroot jails the browser.
Actually, they released a disk-image with an installation of Ubuntu
Linux including Firefox, that runs in their free-of-charge 'player' for
x86 Linux/Windows (basic
thanks for the explanation.
so it would be less work to try to chroot a browser then to make a
virtual machine? perhaps its even a better way of isolating?
i googled around a bit and found some threads about people trying to
chroot their browsers, but i couldnt find any successful story. is it
On Wed, Dec 14, 2005 at 05:41:30AM -0800, Bob Smith wrote:
vmware recently released a program which kind of
chroot jails the browser.
http://www.vmware.com/vmtn/vm/browserapp.html
im not a programmer myself, but i was wondering
if perhaps using a similar technique we could lock
down the
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
Bob Smith
Sent: Wednesday, December 14, 2005 11:37 AM
To: J. C. Roberts
Cc: misc@openbsd.org
Subject: Re: browser security
thanks for the explanation.
so it would be less work to try to chroot
On Wednesday 14 December 2005 17:37, Bob Smith wrote:
thanks for the explanation.
so it would be less work to try to chroot a browser then to make a
virtual machine? perhaps its even a better way of isolating?
i googled around a bit and found some threads about people trying to
chroot their
Just a thought: sudo -u $some_restricted_user $your_preffered_browser ?
good that you brought this up; i been wondering about this too.
does it help? if so how come there isnt a default non-privileged user
created for, say, firefox when the pkg is installed? like there is for
bitlbee
On Wed, 14 Dec 2005 08:37:16 -0800, Bob Smith [EMAIL PROTECTED] wrote:
thanks for the explanation.
so it would be less work to try to chroot a browser then to make a
virtual machine? perhaps its even a better way of isolating?
i googled around a bit and found some threads about people trying to
On 14/12/05, J.C. Roberts [EMAIL PROTECTED] wrote:
When you think about all the crap a graphical browser needs just to run
(fonts, mime types, library dependencies, plugins, cache, user
preferences, ...), it will probably be a major pain to chroot the beast
because you'll be duplicating tons
On Wed, 14 Dec 2005 19:32:18 +, Simon Morgan [EMAIL PROTECTED]
wrote:
On 14/12/05, J.C. Roberts [EMAIL PROTECTED] wrote:
When you think about all the crap a graphical browser needs just to run
(fonts, mime types, library dependencies, plugins, cache, user
preferences, ...), it will
On 14/12/05, J. C. Roberts [EMAIL PROTECTED] wrote:
On Wed, 14 Dec 2005 19:32:18 +, Simon Morgan [EMAIL PROTECTED]
wrote:
I've just had the most awesome idea: chroot the entire operating system!
It seems your mother never warned you that such levels of sarcasm
usually results in
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
Simon Morgan
Sent: Wednesday, December 14, 2005 2:32 PM
To: J.C. Roberts
Cc: misc@openbsd.org
Subject: Re: browser security
On 14/12/05, J.C. Roberts [EMAIL PROTECTED] wrote:
When you think about
On Wednesday 14 December 2005 19:48, Bob Smith wrote:
Just a thought: sudo -u $some_restricted_user $your_preffered_browser ?
good that you brought this up; i been wondering about this too.
does it help? if so how come there isnt a default non-privileged user
created for, say, firefox when
On Wed, 2005-12-14 at 21:58 +0100, viq wrote:
On Wednesday 14 December 2005 19:48, Bob Smith wrote:
Just a thought: sudo -u $some_restricted_user $your_preffered_browser ?
good that you brought this up; i been wondering about this too.
does it help? if so how come there isnt a default
Bob Smith wrote:
vmware recently released a program which kind of
chroot jails the browser.
http://www.vmware.com/vmtn/vm/browserapp.html
im not a programmer myself, but i was wondering
if perhaps using a similar technique we could lock
down the browsers in openbsd?
seems to me that
On Wed, Dec 14, 2005 at 11:50:53AM -0500, Will H. Backman wrote:
Anyone dare try making a systrace policy for firefox?
and where's difficulty in writting such policy? It's 20'' of work: use
``wizard'' or automatic policy generation, and then clean up the ruleset
looking through syscalls and
On 14/12/05, Fletch [EMAIL PROTECTED] wrote:
Isn't this a mute point. I mean, unless you are surfing the web as
root, any remote browser exploit would only effect the user and a logoff
and login again would sort out *most* problems associated with remote
exploits.
Once a remote attacker has
On Wednesday 14 December 2005 23:15, James Strandboge wrote:
systrace could provide an effective jail for firefox. 'man systrace'.
Yes, it was mentioned, and it sounds like a good idea.
While we're at systrace, I was wondering - could systrace reduce the risks
associated with running apache
On Wed, 2005-12-14 at 23:38 +0100, viq wrote:
On Wednesday 14 December 2005 23:15, James Strandboge wrote:
systrace could provide an effective jail for firefox. 'man systrace'.
Yes, it was mentioned, and it sounds like a good idea.
While we're at systrace, I was wondering - could
On Thu, 2005-12-15 at 03:02 +0100, Andreas Bartelt wrote:
Hi,
James Strandboge wrote:
...
While we're at systrace, I was wondering - could systrace reduce the risks
associated with running apache with PHP?
Default apache is already chrooted, so systracing it won't be as much of
a
Hi,
James Strandboge wrote:
On Thu, 2005-12-15 at 03:02 +0100, Andreas Bartelt wrote:
...
Apache forks children with reduced priviledges (user www) while, at the
same time, there's always an Apache process running as root. Therefore,
a useful systrace policy for Apache probably won't be easy
44 matches
Mail list logo