RE: Hardening browser
Haai, "Tomasz Rola" wrote:
> On Thu, Mar 05, 2020 at 12:25:56PM +0100, zeurk...@volny.cz wrote:
>>
>
> I use lynx a lot, very nice tool. It also helped me to restart my
> browsing of gopher sites. There was plenty of them 20+ years ago, now
> it is just a handful of servers. But still, better than nothing.

Me never quite was into Gopher, but me really should try and have a look
someday...

>> Occasionally, when really pressed, me runs 'tails', a specialized Lunix
>> distro, from a DVD on a spare craptop; at least that way, me can get rid
>> of the bloated, buggy shit by simply turning off the machine.
>
> I do not know tails, only read about it.
>
> Using separate computers for different roles might be a way of the
> future. A very convoluted way. But one cannot count too much on
> security offered by modern popular cpus and there is always a chance
> to be struck by something unexpected: I have just read that bmp file
> from game server might make buffer overflow on client side. So, one
> machine for gaming, one for reading, one for shopping and one for
> work. And one for listening to the music.

2003 came calling ;)

Seriously: what you fear has already come to pass, for many people, long
ago. It's even in the mainstream now: there, it's considered good practice
to design an "app" so that a luser can seamlessly use it across the
various "devices" in its possession. Or is me running behind and did that
idea die?

> I will never propose this kind of solution to normal people. :-)

Thankfully, we're not normal here =)

>> --
>> Friggin' Machines!
>
> Oh no, it is not the machines. It is their masters.

And their creators. The phrase is from an old Quake map that me's long
since forgotten the name of.

--zeurkous.

--
Friggin' Machines!
Re: Hardening browser
On Sat, Mar 07, 2020 at 11:55:59AM -0700, Luke A. Call wrote:
> On 03-07 19:19, whistlez...@riseup.net wrote:
[...]
> > As I know many sites without js don't work. Anyway I don't understand
> > how switching off js defends you from 0day browser bug.
> > Maybe you mean that because many 0day concern javascript ?
>
> Yes, as well as the general category of speculative execution CPU
> attacks, rowhammer-type attacks, evercookies that use javascript,
> and/or whatever else I don't know about that is enabled by javascript.
> It just seems to be required for many attacks that one reads about, over
> time, and given that trend, probably some future ones, all from
> downloading unknown code to run locally. For those fewer times when I do
> enable it, I'm glad for OBSD's various protections, to further lower
> risk.

I think switching js off is one (very important) thing. But, there is
more of it. Which is why I try to not load page-provided fonts and css at
all. In css (or in certain browser-specific variation), one can embed js
code, and same with svg file. I wonder if switching js off in browser
would then result in not executing embedded js as well?

Another fun read: Krebs describes how browser extension has been sold by
original author and then used by new owner to detect if user works on
Wordpress or Joomla. If so, the "Page Ruler" injected small js snippet
into edited webpage.

https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/

I guess extensions work even with js switched off...

Etc etc

--
Regards,
Tomasz Rola

--
** A C programmer asked whether computer had Buddha's nature.      **
** As the answer, master did "rm -rif" on the programmer's home    **
** directory. And then the C programmer became enlightened...      **
**                                                                 **
** Tomasz Rola          mailto:tomasz_r...@bigfoot.com             **
Re: Hardening browser
On Thu, Mar 05, 2020 at 12:25:56PM +0100, zeurk...@volny.cz wrote:
> Me's been following this discussion w/ some interest.
>
> Personally, me uses lynx(1) (w/o the ports patches, as they interfere w/
> text field editing among other things), in image_links mode w/ feh(1).
> Works like a charm :)

I use lynx a lot, very nice tool. It also helped me to restart my
browsing of gopher sites. There was plenty of them 20+ years ago, now
it is just a handful of servers. But still, better than nothing.

[...]

> Occasionally, when really pressed, me runs 'tails', a specialized Lunix
> distro, from a DVD on a spare craptop; at least that way, me can get rid
> of the bloated, buggy shit by simply turning off the machine.

I do not know tails, only read about it.

Using separate computers for different roles might be a way of the
future. A very convoluted way. But one cannot count too much on
security offered by modern popular cpus and there is always a chance
to be struck by something unexpected: I have just read that bmp file
from game server might make buffer overflow on client side. So, one
machine for gaming, one for reading, one for shopping and one for
work. And one for listening to the music.

I will never propose this kind of solution to normal people. :-)

[...]

> --zeurkous.
>
> --
> Friggin' Machines!

Oh no, it is not the machines. It is their masters.

--
Regards,
Tomasz Rola
Re: Hardening browser
On 03-07 19:19, whistlez...@riseup.net wrote:
> On Thu, Mar 05, 2020 at 07:32:36AM -0700, Luke A. Call wrote:
> > I just leave javascript off for usual browsing, with a tab sitting open
> > in chromium or iridium to turn it on for the occasional temporary need,
> > or added to the browser's exception list to allow permanently for
> > certain sites. This partly because it seems easy, and partly since I
> > probably won't know if a browser extension is sold to a malicious entity, or
> > otherwise compromised (so, seems a smaller attack surface, but still usually
> > convenient.)
> As I know many sites without js don't work. Anyway I don't understand
> how switching off js defends you from 0day browser bug.
> Maybe you mean that because many 0day concern javascript ?

Yes, as well as the general category of speculative execution CPU
attacks, rowhammer-type attacks, evercookies that use javascript,
and/or whatever else I don't know about that is enabled by javascript.
It just seems to be required for many attacks that one reads about, over
time, and given that trend, probably some future ones, all from
downloading unknown code to run locally. For those fewer times when I do
enable it, I'm glad for OBSD's various protections, to further lower
risk.

--
Luke Call
My thoughts: http://lukecall.net (updated 2020-02-18)
Re: Hardening browser
On Thu, Mar 05, 2020 at 07:32:36AM -0700, Luke A. Call wrote:
> On 03-05 04:18, Tomasz Rola wrote:
> > On Wed, Mar 04, 2020 at 02:06:40AM +0100, whistlez...@riseup.net wrote:
> > > Hi,
> > > in the following message:
> > > https://marc.info/?l=openbsd-misc&m=158110613210895&w=2
> > > Theo discourages using unveil instead of chroot.
> > > I asked if he suggests the same for the browser but he asked that chroot
> > > is only for *root*.
> > > Then what should I do to harden the most exposed piece of code that
> > > we use every day ?
> > > Now I'm using unveil+chrome...
> > > Thank you.
> > []
> > As of me, I use the trick with multiple users for different roles
> > (similar to other person who posted in this thread). I also employ
> > noscript in some of the roles.
>
> I just leave javascript off for usual browsing, with a tab sitting open
> in chromium or iridium to turn it on for the occasional temporary need,
> or added to the browser's exception list to allow permanently for
> certain sites. This partly because it seems easy, and partly since I
> probably won't know if a browser extension is sold to a malicious entity, or
> otherwise compromised (so, seems a smaller attack surface, but still usually
> convenient.)

As I know many sites without js don't work. Anyway I don't understand
how switching off js defends you from 0day browser bug.
Maybe you mean that because many 0day concern javascript ?
Re: Hardening browser
On Wed, Mar 04, 2020 at 03:28:35PM +, Kevin Chadwick wrote:
> On 2020-03-04 11:38, Ottavio Caruso wrote:
> > Probably not what you were looking for but, back in the days when I
> > was ultra paranoid about my web browsing, I used to use stripped down
> > live usb installations of Linux distros (DSL was one of them that I
> > remember). I ignore if OpenBSD comes with such a solution out the box,
> > but I'm sure it wouldn't be difficult to make your own read-only
> > install. Then, you could either reboot from it or run it through an
> > emulator.
>
> A live cd is read-only and is also something I did for a while in my teenage
> years. Knoppix, Insert were examples and STD was another aptly named one as it

a read only cd doesn't give you any defense against uefi rootkit

> However, considering OpenBSD replaces its whole base every upgrade with
> signed binaries, then you get all of that for free. You can even double check
> the bios with flashrom (less so on laptops), bootloader, signing keys,
> packages etc., if you want to.
>

if your kernel is infected with uefi rootkit most probably double checking
uefi or bios with flashrom is absolutely not useful.

> If this effort is really worth it, then it probably makes more sense than
> trusting someone else to package up a usb linux distro or CD.
>

the problem is not trusting people that make packages, the problem is the
sites you visit.
Re: Hardening browser
On Wed, Mar 04, 2020 at 11:38:40AM +, Ottavio Caruso wrote:
> On Wed, 4 Mar 2020 at 01:06, wrote:
> >
> > Hi,
> > in the following message:
> > https://marc.info/?l=openbsd-misc&m=158110613210895&w=2
> > Theo discourages using unveil instead of chroot.
> > I asked if he suggests the same for the browser but he asked that chroot
>
> Probably not what you were looking for but, back in the days when I
> was ultra paranoid about my web browsing, I used to use stripped down
> live usb installations of Linux distros (DSL was one of them that I
> remember). I ignore if OpenBSD comes with such a solution out the box,
> but I'm sure it wouldn't be difficult to make your own read-only
> install. Then, you could either reboot from it or run it through an
> emulator.
>

My opinion is that in the last 10 years the world of hacker groups has
deeply changed. Defacements or big worms that make big damage are not in
fashion anymore. Today the hacker groups just want to be as hidden as
they can. So today the biggest problems are the uefi/bios malware; using
a read only live cd or usb doesn't stop someone infecting your firmware.
And when you reboot your machine you are hacked. Maybe with a hypervisor
that can isolate processes and kernels the job is harder.

One of the biggest criticisms I make of openbsd is that everyone's
processes are visible to everyone. So if you use multiple accounts for
multiple applications you don't stop an infected process from seeing if
you run a browser, an irc session and maybe what network you are
connected to, if you opened a pdf, if you used vim for code and what code
and so on. And the last but first in importance: if you are sniffing your
traffic to search for a covert channel. If my browser is infected with
malware the first thing I do is try to sniff the traffic to detect
strange destinations, but if the infected process can see that I'm
running a sniffer all my investigations are absolutely useless.

If a very skilled hacker exploits your browser, takes root and infects
your uefi, you must trash your laptop. And that is if you discover it,
because if someone infects your uefi most probably you will never know it!
Re: Hardening browser
On 03-05 04:18, Tomasz Rola wrote:
> On Wed, Mar 04, 2020 at 02:06:40AM +0100, whistlez...@riseup.net wrote:
> > Hi,
> > in the following message:
> > https://marc.info/?l=openbsd-misc&m=158110613210895&w=2
> > Theo discourages using unveil instead of chroot.
> > I asked if he suggests the same for the browser but he asked that chroot
> > is only for *root*.
> > Then what should I do to harden the most exposed piece of code that
> > we use every day ?
> > Now I'm using unveil+chrome...
> > Thank you.
> []
> As of me, I use the trick with multiple users for different roles
> (similar to other person who posted in this thread). I also employ
> noscript in some of the roles.

I just leave javascript off for usual browsing, with a tab sitting open
in chromium or iridium to turn it on for the occasional temporary need,
or added to the browser's exception list to allow permanently for
certain sites. This partly because it seems easy, and partly since I
probably won't know if a browser extension is sold to a malicious entity, or
otherwise compromised (so, seems a smaller attack surface, but still usually
convenient.)

> Actually my browsing routine now employs more primitive browsers.

Yes, sometimes, if practical.

--
Luke Call
My thoughts: http://lukecall.net (updated 2020-02-18)
RE: Hardening browser
Me's been following this discussion w/ some interest.

Personally, me uses lynx(1) (w/o the ports patches, as they interfere w/
text field editing among other things), in image_links mode w/ feh(1).
Works like a charm :)

Me can only agree with the sentiment that if something does not work in a
normal (i.e. not overly bloated, and without ``backdoors'' like javashit)
browser, it's the fault of the webmaster, not us as readers.

Occasionally, when really pressed, me runs 'tails', a specialized Lunix
distro, from a DVD on a spare craptop; at least that way, me can get rid
of the bloated, buggy shit by simply turning off the machine.

Not that me's too impressed w/ 'tails': it does, but the maintainers
appear to have mostly a broad, and thus not very deep, grasp of security.
If me'd know of a similar, OpenBSD-based alternative, me'd of course use
it.

But, to me, anything is better than installing and maintaining a load of
overweight, clumsy, not-very-UNIXy packages *just* to do the occasional
javashit-bloated thing.

Just me half-stiver :)

--zeurkous.

--
Friggin' Machines!
Re: Hardening browser
On Thu, Mar 05, 2020 at 04:18:00AM +0100, Tomasz Rola wrote:
[...]
> As a side note, I sometimes get a bit obsessed upon seeing a program
> which "sits idle" but scratches my disk every n seconds (and/or loads
> my cpu with empty loops). A daemon can be hunted down and nailed. No
> big deal. But a browser, in its grandiose form (say, ff) cannot be
> nailed and used at the same time. I (partially) solved the problem by
> putting ~/.cache-mozilla and ~/.mozilla on the ram disk. Now scratch
> me if you can, browser. Actually, ~/.cache-mozilla and ~/.mozilla are

I meant, ~/.cache/mozilla is a dead symlink.

--
Regards,
Tomasz Rola
Re: Hardening browser
On Wed, Mar 04, 2020 at 02:06:40AM +0100, whistlez...@riseup.net wrote:
> Hi,
> in the following message:
> https://marc.info/?l=openbsd-misc&m=158110613210895&w=2
> Theo discourages using unveil instead of chroot.
> I asked if he suggests the same for the browser but he asked that chroot
> is only for *root*.
> Then what should I do to harden the most exposed piece of code that
> we use every day ?
> Now I'm using unveil+chrome...
> Thank you.

I seriously doubt the browser as it is today can be ever made secure -
in the form of ff or ch or ie, loading software, fonts, pictures from
around the world and executing it straight away. Because the whole idea
that page of text is a program is wrong and crime enabling. I guess
using unveil etc just keeps the rotten stink out of other parts of the
os. And html email is, to me at least, an apocalyptic disaster in the
making. So, on the grand plane of things, I suspect we are fucked (minus
some people who would try to avoid being so, but the big picture is not
going to change). Basically, I would describe the problem as "people
have allergy for plain text, so the careless mob will pull with
themselves the caring few straight to hell".

As of me, I use the trick with multiple users for different roles
(similar to other person who posted in this thread). I also employ
noscript in some of the roles. In every browser, I turn font loading
off, set the default fonts/sizes to something I can look at, and I set
the minimum font size to some visible limit (so I can easily see that
something is there). And black on white, if possible. There is already
enough pages displaying brown text on navy-blue background. I am not
sure if I do anything else with ff, security-wise. Sure my security
might be bypassed, but so far I think I did what I could (always happy
to learn, however, even if it makes me look like an idiot for a moment).

In old Opera, there was a way to customize what parts of css will be
executed. Alas, I will not use Opera anymore, because they went
multithreaded. With old one, a poorly written script would have kept
only one of my cores fully loaded. With multiple threads, I am on the
road to total madness, so no go. Otherwise, I consider this old Opera
(12.x) to be near ideal for me. However, this one, too, kept writing to
my disk, sometimes, see below.

In ff, I routinely turn css off when I think this would be a good thing
to improve "reading experience". But the results often disappoint. I
have to scroll down ten or twenty screens of bloody huge face and bird
icons, each the size of my 22'' monitor - can you imagine it? Then I
finally come to the tiny scrap of five lines of text, which I wanted to
read, which is the so called article. This paragraph is bigger.

Actually my browsing routine now employs more primitive browsers. I have
found out that many sites display sufficiently (or excellently, even) in
dillo - and guess what, no efing bird icons (because my version cannot
svg). Just text and those images which dillo knows how to display
(sometimes clicking on empty place of image loads it). In the case of
dillo, I have set up things to - kind of - emulate a text terminal with
it. So font is of monospace kind, bg is black and fg is some light,
non-aggressive green. The config files are a bit hodge-podge (with
leftovers of fierce experimenting), but show what I like to see. You
guessed it, no loading of css.

Speaking of terminals, of course they all use monospace fonts. I am not
sure if there is any security risk with varied-width fonts, but simple
should be more secure, right? And if a line always has eighty chars of
length...

When I come to something new to display, I often use lynx, elinks or
w3m, in no particular order, and as many users, too. About 70-90% of
cases one of the mentioned programs does the job. If the site cannot
perform, not my fault. Sometimes I open it in ff, or not. If the site
politely suggests I am wrongdoing them, because I do not display their
ads, well, not my fault, the retards had not sent me anything I could
display.

As a side note, I sometimes get a bit obsessed upon seeing a program
which "sits idle" but scratches my disk every n seconds (and/or loads my
cpu with empty loops). A daemon can be hunted down and nailed. No big
deal. But a browser, in its grandiose form (say, ff) cannot be nailed
and used at the same time. I (partially) solved the problem by putting
~/.cache-mozilla and ~/.mozilla on the ram disk. Now scratch me if you
can, browser. Actually, ~/.cache-mozilla and ~/.mozilla are symlinks,
when system is booted they are dead, but after I call a makeshift
script, the contents of dot_mozilla.tar and dot_cache_mozilla.tar are
being unpacked into proper locations on the ramdisk and the dead links
become live. Then the offender is started. Pros: now it only drives me
slightly mad few times a year. Cons: I have to manually correct tar
files and they are always the same, same session, same settings, same
everything a
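The ramdisk trick described in the message above, written out as an added example; this is not Tomasz Rola's own makeshift script, and it assumes a ramdisk already mounted by root at a placeholder path (on OpenBSD that would be mount_mfs, which is not done here), archives named dot_mozilla.tar and dot_cache_mozilla.tar as in the message, and that those archives carry a single top-level directory each (".mozilla" and "mozilla" respectively, an assumption). The point a practitioner wants from it is the refusal to overwrite a real on-disk profile: the link is only replaced when it is a symlink, dead or live, so a mistyped path cannot silently destroy a profile that was never moved to the ramdisk.

```shell
#!/bin/sh
# Added example, not the thread author's script. Restores browser profile
# directories from tar archives onto an already-mounted ramdisk and points
# the (dead after boot) home-directory symlinks at them.
# Assumed: $RAMDISK is mounted beforehand (e.g. mount_mfs on OpenBSD);
# the archive's top-level directory name is passed as TOPDIR.

set -eu

# restore_profile ARCHIVE RAMDISK_DIR LINK_PATH TOPDIR
#   Unpack ARCHIVE into RAMDISK_DIR, then make LINK_PATH a symlink to
#   RAMDISK_DIR/TOPDIR. Refuses to replace a real directory at LINK_PATH.
restore_profile() {
  archive=$1; ramdisk=$2; link=$3; topdir=$4

  [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 1; }
  [ -d "$ramdisk" ] || { echo "ramdisk not mounted: $ramdisk" >&2; return 1; }

  # -e follows symlinks, so a dead link is "absent" and a live link is
  # still a link; only a real directory (or file) trips this guard.
  if [ -e "$link" ] && [ ! -L "$link" ]; then
    echo "refusing to replace non-symlink: $link" >&2
    return 1
  fi

  # Archives were created relative to $HOME, so members are relative paths.
  tar -xf "$archive" -C "$ramdisk"
  [ -d "$ramdisk/$topdir" ] || { echo "archive lacks $topdir" >&2; return 1; }

  # Recreate the link; the ramdisk is empty after a reboot, so the link is
  # dead until this function runs again.
  mkdir -p "$(dirname "$link")"
  rm -f "$link"
  ln -s "$ramdisk/$topdir" "$link"
}

# link_is_live PATH: true only if PATH is a symlink whose target directory exists.
link_is_live() {
  [ -L "$1" ] && [ -d "$1" ]
}

# Typical use after boot, then start the browser (RAMDISK is a placeholder):
# RAMDISK=/ramdisk
# restore_profile "$HOME/dot_mozilla.tar"       "$RAMDISK" "$HOME/.mozilla"       .mozilla
# restore_profile "$HOME/dot_cache_mozilla.tar" "$RAMDISK" "$HOME/.cache/mozilla" mozilla
# link_is_live "$HOME/.mozilla" && firefox
```

Because the archives are unpacked fresh every time, whatever the browser wrote during the previous session is gone on reboot, which is exactly the "same session, same settings" trade-off the message describes.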
Re: Hardening browser
On 03-04 12:03, Luke A. Call wrote:
> Partly as a possible approach, and partly for feedback/suggestions on
> it:
[]
> multiple user logins and their corresponding X sessions running
> at the same time, among which I would switch with Ctrl-Alt-F* keys,
> hoping that if one account (where I did most of the general browsing,
> etc) was compromised, it would not compromise the other accounts, where
> I restricted the activities to more trusted binaries or sites. Then,
> text file sitting in /home where different accounts could read/write info.
>
> Now, on obsd, I do that sort of thing, but with ssh -X across users
> in a single X session and a bit of scripted xclip usage where I can,
> and a systemwide default of umask 0077, and limit my root access to
> run only from a console -- which you can consider.

(PS: In doing this multi-account stuff in a single X session, I am
careful not to put sensitive info on the clipboard, as then any other
account could read it. Same for anything typed while any app requiring
"ssh -Y..." is running.)
Re: Hardening browser
On 03-04 02:06, whistlez...@riseup.net wrote:
> in the following message:
> https://marc.info/?l=openbsd-misc&m=158110613210895&w=2
> Theo discourages using unveil instead of chroot.
> I asked if he suggests the same for the browser but he asked that chroot
> is only for *root*.
> Then what should I do to harden the most exposed piece of code that
> we use every day ?
> Now I'm using unveil+chrome...

Partly as a possible approach, and partly for feedback/suggestions on
it:

Back when I used Debian/Devuan Linux more, I isolated things with
multiple user logins and their corresponding X sessions running
at the same time, among which I would switch with Ctrl-Alt-F* keys,
hoping that if one account (where I did most of the general browsing,
etc) was compromised, it would not compromise the other accounts, where
I restricted the activities to more trusted binaries or sites. Then,
lacking copy/paste between them, I had a single "chmod a+rw ..."
text file sitting in /home where different accounts could read/write info.

Now, on obsd, I do that sort of thing, but with ssh -X across users
in a single X session and a bit of scripted xclip usage where I can,
and a systemwide default of umask 0077, and limit my root access to
run only from a console -- which you can consider.

But I've wondered, if obsd were suited to multiple concurrent X
sessions, whether that could be interesting as well to address this
common issue.

--
Luke Call
My thoughts: http://lukecall.net (updated 2020-02-18)
Re: Hardening browser
On 2020-03-04 11:38, Ottavio Caruso wrote:
> Probably not what you were looking for but, back in the days when I
> was ultra paranoid about my web browsing, I used to use stripped down
> live usb installations of Linux distros (DSL was one of them that I
> remember). I ignore if OpenBSD comes with such a solution out the box,
> but I'm sure it wouldn't be difficult to make your own read-only
> install. Then, you could either reboot from it or run it through an
> emulator.

A live cd is read-only and is also something I did for a while in my
teenage years. Knoppix, Insert were examples and STD was another aptly
named one as it contains outdated tools that really need to be up to
date, otherwise they can do more harm than good. Scarily it is still
downloadable and quite a dangerous but equally interesting learning
tool. Comes with mozilla firebird that starts super fast and uses twenty
something meg of ram, lol.

There was also a guide to build your own OpenBSD live cd with X/packages.

However, considering OpenBSD replaces its whole base every upgrade with
signed binaries, then you get all of that for free. You can even double
check the bios with flashrom (less so on laptops), bootloader, signing
keys, packages etc., if you want to.

If this effort is really worth it, then it probably makes more sense than
trusting someone else to package up a usb linux distro or CD.
Re: Hardening browser
On Wed, 4 Mar 2020 at 01:06, wrote:
>
> Hi,
> in the following message:
> https://marc.info/?l=openbsd-misc&m=158110613210895&w=2
> Theo discourages using unveil instead of chroot.
> I asked if he suggests the same for the browser but he asked that chroot
> is only for *root*.
> Then what should I do to harden the most exposed piece of code that
> we use every day ?
> Now I'm using unveil+chrome...
> Thank you.

Probably not what you were looking for but, back in the days when I
was ultra paranoid about my web browsing, I used to use stripped down
live usb installations of Linux distros (DSL was one of them that I
remember). I ignore if OpenBSD comes with such a solution out the box,
but I'm sure it wouldn't be difficult to make your own read-only
install. Then, you could either reboot from it or run it through an
emulator.

--
Ottavio Caruso
Re: Hardening browser
On 2020-03-04 01:06, whistlez...@riseup.net wrote:
> in the following message:
> https://marc.info/?l=openbsd-misc&m=158110613210895&w=2
> Theo discourages using unveil instead of chroot.
> I asked if he suggests the same for the browser but he asked that chroot
> is only for *root*.

I thought that he was quite clear in the context of a privilege
separated daemon in "discouraging" carte blanche replacement of all
chroot cases (chroot is simpler and has been found secure without issue
when done correctly on OpenBSD for a long time and so is being
conservative). He even replied to the browser question in your link!

If Theo has some concerns about complexity in unveil then I am sure he
would be worried sick if implementing the Linux equivalents.

> Then what should I do to harden the most exposed piece of code that
> we use every day ?
> Now I'm using unveil+chrome...

Javascript is probably your biggest threat and unveil will help but by
"STUPID CRAZY DESIGN!" it is permitted to do a great deal more than it
should be. Nothing can protect you very well from something designed
like that, except prudence! Chrome/Firefox are unveiled on OpenBSD, so
isolate your browsing (umatrix for javascript or separate hardware) or
only visit trusted sites if you must.

Html email is "arguably" more of a risk, as the html comes to you,
though javascript and even links are sometimes disabled, so perhaps it
isn't. Not sure if Thunderbird has the unveil support that Firefox has
recently had endowed upon it.
Hardening browser
Hi,
in the following message:
https://marc.info/?l=openbsd-misc&m=158110613210895&w=2
Theo discourages using unveil instead of chroot.
I asked if he suggests the same for the browser but he asked that chroot
is only for *root*.
Then what should I do to harden the most exposed piece of code that
we use every day ?
Now I'm using unveil+chrome...
Thank you.