Securing web browser

This isn't so much a question of installing/maintaining ports and packages as much as securing certain ports (web browsers specifically). Before anything is said, I'm aware there's no substitute for selective browsing and not clicking on everything you see. ( ;

I've read CERT's recommendation on how to secure a web browser, but I'm wondering what additional steps FreeBSD users are taking.

Assuming there WILL be hostile web code running on browsed pages, what are some good courses of action?

Running the web browser in a jail?
Perhaps certain browsers and plugins be run in lower privilege modes?


Thanks in advance to those who continually share their ideas and experience.
 
paean said:
Running the web browser in a jail?



It is highly non-trivial to jail a browser because it is such a complex application.

paean said:
Perhaps certain browsers and plugins be run in lower privilege modes?
Thanks in advance to those who continually share their ideas and experience.

Why would you run any plugins to begin with? Some of the measures I personally take are:

0. Running the browser in a special low-privileged account.
1. Using OpenDNS as my DNS server.
2. Using a very tight PF with very restrictive outbound policies. Usually people block inbound traffic but neglect filtering outbound traffic.
3. Using the proxy server Squid.
4. Using the ClamAV anti-virus to filter the content.
5. Using Privoxy to filter content.
6. Encrypting tmp (swap is encrypted by default on OpenBSD, which I use).
7. No Java.
8. No Flash (it is not even possible on OpenBSD).
9. No third-party cookies.
10. Clearing the cache when I close the browser.
11. Avoid JavaScript by all means.
12. Use the safest full-featured browser (Opera).
13. Do NOT visit forums. You are attracting attention.
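
An added example, not written by any poster in this thread: a pf.conf sketch of measures 0, 2 and 3 from the list above, with the common weak policy shown commented out beside a default-deny outbound one. The interface name `em0` and the proxy account name `squid` are assumptions; the resolver addresses are the OpenDNS public resolvers.

```conf
# /etc/pf.conf (constructed example, not from the thread)
# Assumptions: external interface em0; Squid runs as the account "squid";
# the browser runs under its own unprivileged account and is configured
# to use the local proxy on the loopback interface.

ext_if  = "em0"
opendns = "{ 208.67.222.222, 208.67.220.220 }"

# Loopback is not filtered, so the browser can still reach the local proxy.
set skip on lo0

# Weak policy, for contrast: inbound is blocked, but every local process
# (including a compromised browser) may connect to anything.
#   block in all
#   pass out all keep state

# Restrictive policy: default deny in both directions, and log what is dropped.
block log all

# DNS only to the chosen resolvers.
pass out on $ext_if proto { tcp, udp } from any to $opendns port 53 keep state

# Web traffic leaves only from sockets owned by the proxy account.
# The browser account matches no pass rule on $ext_if, so a direct
# connection from it falls through to "block log all".
pass out on $ext_if proto tcp from any to any port { 80, 443 } user squid keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `tcpdump -n -e -i pflog0` shows which outbound connections the default block is dropping.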
 
Oko said:
It is highly non-trivial to jail a browser because it is such a complex application.

So you consider it very important to put your browser in a jail? In the past I've run firefox and opera in disposable VMs and often wondered if jails would be a more efficient way of locking down potentially dangerous web code.


Oko said:
Why would you run any plugins to begin with? Some of the measures I personally take are:

0. Running the browser in a special low-privileged account.
1. Using OpenDNS as my DNS server.
2. Using a very tight PF with very restrictive outbound policies. Usually people block inbound traffic but neglect filtering outbound traffic.
3. Using the proxy server Squid.
4. Using the ClamAV anti-virus to filter the content.
5. Using Privoxy to filter content.
6. Encrypting tmp (swap is encrypted by default on OpenBSD, which I use).
7. No Java.
8. No Flash (it is not even possible on OpenBSD).
9. No third-party cookies.
10. Clearing the cache when I close the browser.
11. Avoid JavaScript by all means.
12. Use the safest full-featured browser (Opera).
13. Do NOT visit forums. You are attracting attention.

Great list. I've already been doing a few of your suggestions, although it may be too late for #13. ( ;

I'd like to know how you came to learn that opera is currently the safest browser. I use both opera, firefox and safari on a variety of machines but am not sure which security features offer realistic protection. Without knowing the most common web hacks, their severity and the likelihood that my most commonly visited websites serve such code then I have no assurance I'll not exchange web fluids with someone out there.

I suppose with my level of paranoia, I'm best off chatting in an openbsd irc channel.
 
Oko said:
...
12. Use the safest full featured browser (Opera).
...

Oko, are you running Opera on OpenBSD? Is this with Linux binary compatibility, FreeBSD compatibility or... wine? :) (Does wine even work on OpenBSD?)

cheers,
 
From what I read and what the sysadmin at my work told me about browsers, there are not many differences between Opera and Firefox.
And the Internet is the same as big cities vs villages: live in Paris or New York, or choose a small village and be safe.
 
kpedersen said:
Oko, are you running Opera on OpenBSD? Is this with Linux binary compatibility, FreeBSD compatibility or... wine? :) (Does wine even work on OpenBSD?)

cheers,

Linux binary, which is on life support. FreeBSD compatibility is practically non-existent. It is only with FreeBSD 5.xxx. Wine of course does NOT work on OpenBSD :) because it has bugs. As you know, OpenBSD is unforgiving ;)
 
lumiwa said:
From what I read and what the sysadmin at my work told me about browsers, there are not many differences between Opera and Firefox.

Your sysadmin doesn't know what he is talking about. Firefox and Opera are two completely different browsers. Although I could agree that running any full-featured browser is inviting trouble, we live in the real world. For me, running a browser is an acceptable risk. As you know, the heart of any browser is the layout (rendering) engine. There are several major layout engines.

Presto (Opera)
Gecko (Firefox)
KHTML (Konqueror)
Trident (Internet Explorer)
WebKit (Safari, Google Chrome, Midori, etc)

Presto and KHTML are widely considered the safest rendering engines. Currently the unsafest engine is WebKit, which is developed rapidly. WebKit is an open source project and it is BSD licensed.

There is little or no difference in terms of security between the Trident and Gecko engines. Firefox without add-ons is probably safer than Internet Explorer, if for no other reason than the fact that Internet Explorer includes by default a Java Virtual Machine made by Microsoft. It is a very bad one which has not been updated in many years. Sun took M$ to court because of that crap many years ago.

KHTML is not very actively developed, although it is an OK browser.

That leaves us with Presto. Hopefully in the distant future it might become an open source project, but for now, even as a proprietary thing, it is about as safe as it gets.
 
paean said:
So you consider it very important to put your browser in a jail? In the past I've run firefox and opera in disposable VMs and often wondered if jails would be a more efficient way of locking down potentially dangerous web code.

Sure. The problem is that in order to jail a browser you will have to put in the chroot everything that the browser uses. Are you going to jail the print spooling system, many X libraries, OpenSSL, and a gazillion other things that the browser uses? Sure you can. I know few people who do that, but it is just way too complicated even for a very competent system admin.
 
Oko said:
Your sysadmin doesn't know what he is talking about. Firefox and Opera are two completely different browsers. Although I could agree that running any full-featured browser is inviting trouble, we live in the real world. For me, running a browser is an acceptable risk. As you know, the heart of any browser is the layout (rendering) engine. There are several major layout engines.

My sysadmin has worked with UNIX systems for more than 20 years.
Thank you for the link http://secunia.com/advisories/38820
 
Oko said:
Sure. The problem is that in order to jail a browser you will have to put in the chroot everything that the browser uses. Are you going to jail the print spooling system, many X libraries, OpenSSL, and a gazillion other things that the browser uses? Sure you can. I know few people who do that, but it is just way too complicated even for a very competent system admin.

Ahh, gotcha. \ =

Oko said:

Very cool. Thanks.
 