Why don't browsers use sandbox on FreeBSD?

pkg info -D firefox

Code:
firefox-68.0.1:
Always:
======================================================================

Some features available on other platforms are not implemented:
...
- Process sandboxing (requires Capsicum backend)
...
 
pkg info -D firefox

Code:
firefox-68.0.1:
Always:
======================================================================

Some features available on other platforms are not implemented:
...
- Process sandboxing (requires Capsicum backend)
...

Thanks for showing this.

I mean, everyone suggested to run the browser in jail, but I think it's hard to understand configuring jails. And apparently the browser is doing the same thing by default on Linux.


 
I mean, everyone suggested to run the browser in jail,

What exactly are you afraid you're going to pick up? JavaScript trojan? My extensions cover all that. A jail is overkill IMO.

I still occasionally go to what used to be my favorite site online. Content was lost, the owner became more interested in click revenue and none too picky who he sold ad space to. In the past it was Google flagged as downloading malware and reported to have infected fellow forum members' Windows machines. I never saw the red Google page, script driven ads, their payload, worried about being infected or stopped going due to that.


I wasn't as lucky as Wozzeck.Live with my Win98 machine. My old chat m8t's used to be able to crash my browser at will. I'd log back into chat and they could tell me what AntiVirus software I was using and laugh about it. I'd unplug my modem and reformat. That had to change and did in my favor. It's why I'm here and where I am today. And why at times I may seem overzealous about Internet Security.

I owe them a great debt and often think fondly of them. They don't share the sentiment. As long as they don't bother me anyplace else I don't bother them in chat and that's worked fairly well for the past 20 years or so. I had to show up a couple years ago when they tested my patience. They knew who I was, what Jigoku meant and why I was there. Seeing me there was anything but funny to them, that's all it took. I left without another word and took Hell with me.
 
What exactly are you afraid you're going to pick up?

Let me restate the original question in a bit more relatable way. Suppose the aforementioned Capsicum backend for Firefox is finally implemented. Would you be comfortable with saying something like "Meh, FreeBSD doesn't need this. I feel safe enough as it is". Would you disable it?

JavaScript trojan?

FWIW, I also use NoScript. First, apparently WebExtensions are a bit flaky and (post-XUL) Firefox occasionally silently disables it until restart. Second, NoScript itself tends to allow small javascript snippets (such as inline onclick handlers in html), while reporting javascript being completely disabled.
 
As for what process sandbox is actually supposed to contain… Consider the newer web APIs such as WebGL or WebUSB (yep), or whatever. Each of these APIs requires a javascript binding to yet another C library, which means more potential VM escape exploit opportunities. Then there is Widevine and similar DRM technologies, available without source code. No sense in running that with full access to user files either.
 
Let me restate the original question in a bit more relatable way. Suppose the aforementioned Capsicum backend for Firefox is finally implemented. Would you be comfortable with saying something like "Meh, FreeBSD doesn't need this. I feel safe enough as it is". Would you disable it?

It's doubtful I would disable it but feel safe with my current config after I dig through about:config. As long as we don't adopt a GUI I'm good with about anything. NoScript claims to beat Spectre and Meltdown. I've never been afraid to go to any site no matter what it was hosting as far as being infected or compromised. I'm no stranger to Russian sites and have visited many. That's where the music never stops playing. I would made a day of it listening to Britney Spears fast as I could go.

I go to very few sites anymore, 3-4 regular sites and to check on mine unless I'm researching something, so the chances of me being exploited are less likely now than ever. I gave up word games, I dominate those forums as it is. I don't work on Demonica anymore or visit that community. She can take care of herself and they rarely post their bot transcript since seeing mine.

I haven't used a sandbox application since Windows XP or Vista. I looked to find the name and see that Windows10 has a sandbox feature. I never did feel safe using Win10Pro. Even after doing everything within my power to lock it down still felt like I was vulnerable to exploit the whole time I was online. I accidentally installed FreeBSD on that HDD but am happier with Win7 on the same laptop since the only thing I do on Windows is play Oblivion and it stays offline.



FWIW, I also use NoScript. First, apparently WebExtensions are a bit flaky and (post-XUL) Firefox occasionally silently disables it until restart. Second, NoScript itself tends to allow small javascript snippets (such as inline onclick handlers in html), while reporting javascript being completely disabled.

I've used Firefox since it came out and the selling point was quick loading. I hate FireFox Quantum Strangeness and what it's done to my extensions.

I'm sure it sends a list of which extensions you have installed back home. I found it before but too tired to look my rant up now. DownLoadThemAll! Mass Downloader was not something I would have chosen to advertise I had installed on my machine. Sounds like something a Pirate would use... ☠

I check NoScript at virtually every site I visit and have never seen it being disabled without my knowledge. Can you provide a link to show it allows small JS snippets?

It's the reason I was alerted to an IP belonging to my ISP wanting JS enabled when I visited some new sites. I made a pf rule to block incoming from that IP#. Later that night it alerted me that IP# was still showing up and I had to make a block outgoing rule to defeat it. Probably due to snooping the throttled 30GB download package I didn't agree to they signed me up for anyway.
 
I've never been afraid to go to any site no matter what it was hosting as far as being infected or compromised. I'm no stranger to Russian sites and have visited many.
Same here. I have always gone to any site my little heart desired. It is possible that I have some bad choice in my security related settings, but in any case I don't think that a malicious site would look like it was malicious if they were serious about compromising a slightly more advanced user than average.

As for the Russian thing, that's a bit of a joke nowadays. :) I agree that there are lots of Russian sites that are good and relevant to us in the West. But apart from that, I use dot ru domains specifically because of the cachet (and because they're cheap). http://slumlord.ru is mine, for example. That's hosted in USA, but I also host sites on a server in Moscow. I'm not even vaguely Russian otherwise. It's all in good fun, and just goes to show that the very popular term "Russian sites" does not actually have an internet related definition.
 
I wasn't as lucky as Wozzeck.Live with my Win98 machine. My old chat m8t's used to be able to crash my browser at will. I'd log back into chat and they could tell me what AntiVirus software I was using and laugh about it. I'd unplug my modem and reformat.
Ah, the golden age of script kiddies and their two favorite tools, Sub7 and Back Orifice, and the wonderfully secure Windows 98/SE/ME!!! The nineties were such a piece of s great decade!
 
I mean, everyone suggested to run the browser in jail, but I think it's hard to understand configuring jails.

I suppose because I use them daily, jails are pretty much there and set up. However I can see your point that they might be a bit of a faff to use *just* for a web browser.

I think if you just make a new user account specifically for web browsing, then use something like sudo to log in and run the web browser as that user, you will generally be pretty safe. With some scripting you can even reset the profile after each session.

That said... Jails are a great thing to learn if you have time ;)
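
A sketch of the dedicated-account approach suggested above, as an added example that is not part of the original post. The account name `webuser`, the template directory and the `--browse`/`--reset` switches are hypothetical, and it assumes `sudo`, `xhost` and `firefox` are installed and a sudoers rule lets you run commands as that account.

```sh
#!/bin/sh
# Added example. Assumed setup (all names hypothetical): an unprivileged account
# "webuser", a sudoers rule letting you run commands as it, and a pristine copy
# of its home directory (owned by webuser) kept in $TEMPLATE.
BROWSER_USER="${BROWSER_USER:-webuser}"
BROWSER_HOME="${BROWSER_HOME:-/home/${BROWSER_USER}}"
TEMPLATE="${TEMPLATE:-/home/${BROWSER_USER}.template}"

# Empty $1 and refill it from the template $2; refuse obviously dangerous targets.
reset_profile() {
    home=$1
    template=$2
    case "$home" in
        ""|/|/home|/root|[!/]*) echo "refusing to reset '$home'" >&2; return 1 ;;
    esac
    if [ -L "$home" ] || [ ! -d "$home" ]; then
        echo "'$home' is not a real directory" >&2; return 1
    fi
    if [ ! -d "$template" ]; then
        echo "no template at '$template'" >&2; return 1
    fi
    # Remove everything below the home (dotfiles included), keep the directory.
    find "$home" -mindepth 1 -delete || return 1
    cp -Rp "$template"/. "$home"/
}

# Run one browsing session as the dedicated user, then discard its state.
browse_session() {
    # Let only that local account talk to your X display.
    xhost "+si:localuser:$BROWSER_USER" >/dev/null
    sudo -u "$BROWSER_USER" -H firefox "$@"
    status=$?
    xhost "-si:localuser:$BROWSER_USER" >/dev/null
    # Reset as the browsing user so restored files keep its ownership.
    sudo -u "$BROWSER_USER" -H sh "$0" --reset
    return "$status"
}

case "${1:-}" in
    --browse) shift; browse_session "$@" ;;
    --reset)  reset_profile "$BROWSER_HOME" "$TEMPLATE" ;;
esac
```

A separate uid keeps a compromised browser away from your own files, but it still shares your X display and network, which is where a jail or a real process sandbox goes further.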
 
As for the Russian thing, that's a bit of a joke nowadays. :) I agree that there are lots of Russian sites that are good and relevant to us in the West.

These sites were in Cyrillic with maybe a little English interspersed. One was a Russian speaking only forum where kind people shared locally recorded Russian folk songs en masse. I don't read Cyrillic but know how a forum and websites work so can make my way around.


Ah, the golden age of script kiddies and their two favorite tools, Sub7 and Back Orifice, and the wonderfully secure Windows 98/SE/ME!!! The nineties were such a piece of s great decade!

I'll always think of Win98 as the Swiss Cheese of Operating Systems. I had run an AppleII but the only thing I knew how to do with my shiny new Gateway when I set it up was press the power button to turn it on. It was all new to me but taught me the importance of learning about Internet Security. I started looking at Linux Live CD's and eventually found a FreeBSD variant that got me to the desktop. I took it from there.

It's not 1337 h4x0r skills they phear, it's the havoc I can cause in a chatroom. I'd been there 4-5 days playing games before I got tired of it and made myself known.
 
I don't think shoot-the-messenger attitude will do us any good.
Can you explain what you mean by that? I don't use a sandbox for my browser so I'm not familiar with its use as a messenger, or what information I could glean from it that I might need.
 
Can you explain what you mean by that?

Even if you don't understand the importance of exploit mitigation, the Firefox port maintainer apparently thought it was important enough to mention it in the package notes. That alone should be enough of an argument against knee-jerk dismissals.
 
Trying to compensate the lack of security by plugins like NoScript, uMatrix or uBlock is not the thing I would do. It's like covering all window spaces with tape while all of them are open.


(Screenshot: Firefox for Windows)


AFAIK, the sandbox is not only for keeping browser exploits away from the computer, it does protect individual tabs from each other too. This is how it works on Windows. I don't know how UNIX is different, though.



FreeBSD got ASLR.., in 2019.
 
FreeBSD got ASLR.., in 2019.
Thank you for pointing to the long awaited ASLR.
https://wiki.freebsd.org/ASLR said:
Address Space Layout Randomization (ASLR)

Support for Address Space Layout Randomization was added in FreeBSD HEAD (13-CURRENT) in base r343964. It is disabled by default.

Architectures

ASLR is enabled on a per-ABI basis, and currently only allowed on FreeBSD native i386 and amd64 (including compat 32bit) ABIs. Support for additional architectures will be added after further testing.
Please be advised that 13-CURRENT is NOT YET a supported version.
If there is any doubt about this see https://www.freebsd.org/releases/
For announcements it is advisable to use the official ones.
 
Trying to compensate the lack of security by plugins like NoScript, uMatrix or uBlock is not the thing I would do. It's like covering all window spaces with tape while all of them are open.

Hey, NoScript is very handy for blocking popups, autoplaying videos, animated advertisements and all kinds of junk. I wouldn't describe the experience as inconvenient at all.

AFAIK, the sandbox is not only for keeping browser exploits away from the computer, it does protect individual tabs from each other too. This is how it works on Windows. I don't know how UNIX is different, though.

Tabs are protected from each other by browser security policy, which is enforced on javascript VM level. Process sandbox is an additional layer of isolation on top of that. Exploits are pretty much its only concern.
 
Hey, NoScript is very handy for blocking popups, autoplaying videos, animated advertisements and all kinds of junk. I wouldn't describe the experience as inconvenient at all.

Agreed, whilst it will not solve all security issues; it makes many sites actually bearable ;)

That said, I know nothing about the guys behind this plugin or uBlock Origin so I imagine there is scope for some info slurping through these two.
A brief look at it now suggests that uBlock is already getting a little seedy in terms of competing implementations trying to pretend to be the main one.
 
I hate FireFox Quantum Strangeness and what it's done to my extensions.

I'm sure it sends a list of which extensions you have installed back home.

I was right. www/firefox-esr now has personalized extension recommendations:

To better predict what extensions you may find interesting, Firefox uses the Telemetry-Aware Add-on Recommender (TAAR) system—a Mozilla service that recommends extensions by examining basic browser Telemetry. This means TAAR analyzes usage statistics from a large number of other Firefox users, looks at other extensions you may have installed, and considers general characteristics about your Firefox profile (like language preference). Based on this information, TAAR surfaces extension recommendations tailored just for you.

You can opt out but it's enabled by default.

I just finished updating it and it's already crashed once trying to post this.
 