Just general thoughts on Firejail, which I have been messing with to protect from potential malicious web sites while browsing with Firefox or Chrome or Chromium...
I'm wondering how totally safe I am using it. I use NoScript to block scripts but more and more that is impractical. Even big reputable web sites now have layers of stuff loading up on the browser, and if you don't allow it then you can't even read the news on the site. So, if I open permissions on the browser but have it all firejailed, does that mitigate for safety? Can I just turn off NoScript and let it all fly, knowing that when I close the browser down that anything on those scripts will disappear...gone?
In a similar line of thought, could I safely use firejailed Midori or Qupzilla browsers, which I read in this forum that Debian stated are not updated with security updates? Is this safe, with any bad stuff from malicious sites kept firejailed and then disappearing into oblivion when I close the browser?
Any thoughts on this...
Last edited by MsMattie (2016-08-05 23:57:49)
Linux in the backwoods of the Rocky Mountains...
If you are using firejail then the only advantages of using noscript are in respect of privacy, anonymity and preventing exploits such as clickjacking.
> could I safely use firejailed Midori or Qupzilla browsers

That is a fiendishly cunning plan, I like it.
However, the un-updated webkit packages would probably adversely affect usability and functionality as well as security.
@MsMattie: I don't think you need to run Chrome/Chromium under Firejail as both browsers automatically run under their own sandbox by design. I do run Qupzilla and Midori under Firejail. For newer versions of Qupzilla or Midori (under Debian Stable), check the respective sites and use the versions from there.
I wish there was a Linux app similar to Sandboxie for Windows. I absolutely love that app and run it on Windows 8.1 under a VM. It's fairly easy to use.
Last edited by KrunchTime (2016-08-09 07:30:45)
> For newer versions of Qupzilla or Midori (under Debian Stable), check the respective sites and use the versions from there.

That is not advised because the browsers would still make use of the Debian jessie webkit libraries which are unpatched.
For example, from the Midori site:
> Note that they do not include any dependencies, and may not be updated with the rest of your system by the package manager. Typically, Debian will require several dependencies to be updated past their universally available version, which can lead to severe complications.

http://midori-browser.org/download/debian/
They are significantly understating the b0rkage level there, IMO.
> I wish there was a Linux app similar to Sandboxie for Windows. I absolutely love that app and run it on Windows 8.1 under a VM. It's fairly easy to use.

Rather than running Windows in a VM, why not just run another instance of GNU/Linux in a secure KVM virtual machine?
If your processor supports KVM it offers near bare metal speeds in the virtualised system.
> @MsMattie: I don't think you need to run Chrome/Chromium under Firejail as both browsers automatically run under their own sandbox by design.

It's not just about security. One of the main reasons I have been firejailing any browser is privacy. As I understand the way it works, when I close down the firejailed browser, all cookies and traces of anything that was running or left behind are obliterated. I rather like that. And don't care for being logged, cataloged, categorized and tracked by doubleclick and all the many, many others. And not by Google, either. So, I tend towards Chromium and Firefox.
And only have Flash installed on Chrome for the few times when I am forced to use it to look at Flash content.
On another line of thought, if I have Chrome firejailed and blunder into a malicious web site and my Flash version is vulnerable, does a firejailed browser offer protection from that?
Last edited by MsMattie (2016-08-10 00:59:44)
@HoaS: I run Windows in a VM for particular apps for which I've not found viable alternatives for the Linux environment. I'm also running Windows in case I need to use Microsoft Office...if I can ever get a job.
@MsMattie: If privacy is your concern, you don't need a sandboxing application for that. You can use the privacy tab/browsing function in a number of browsers. You can use different size browser windows so that you can't be easily identified. There may be browser plugins that might help you to better retain your privacy, although I don't have any recommendations. You can also use a personal VPN service. There are free ones, but I don't know how good they are. And if you're doing something that you're really paranoid about being identified, then use the Tor Browser.
Sorry, I use firejail, but I can't really say how effective/useful it is at preventing malware from transferring to your system. Perhaps checking out the firejail site and a bit of Internet sleuthing might provide more info.
There's also a much newer libwebkitgtk 2.4.11 in jessie-backports, along with a current Midori 0.5.11, that fixes a lot of the holes. Qupzilla 2 now needs a newer Qt 5 than what Jessie has.
Last edited by stevep (2016-08-13 01:25:48)
> It's not just about security. One of the main reasons I have been firejailing any browser is privacy. As I understand the way it works, when I close down the firejailed browser, all cookies and traces of anything that was running or left behind are obliterated. I rather like that. And don't care for being logged, cataloged, categorized and tracked by doubleclick and all the many, many others. And not by Google, either. So, I tend towards Chromium and Firefox.

i think you are confusing things here.
cookies are saved by default in firefox or chrom/e/ium - i don't think firejailing it prevents that. but a firefox preferences setting does.
firejail does not prevent doubleclick or google* from tracking you, either, but an addon like requestpolicy does.
Last edited by ohnonot (2016-08-15 07:19:32)
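
Whether cookies outlive a sandboxed session, as discussed in the posts above, can be checked after the browser exits by reading the profile's cookie database. This is an added example, not code from any poster: the database is constructed inline with a reduced `moz_cookies` table, and `expiry` is assumed to be in seconds since the epoch.

```python
import sqlite3
import tempfile
from pathlib import Path

DAY = 86400

def build_sample_profile(db_path, now):
    """Create a constructed stand-in for a profile's cookies.sqlite."""
    db = sqlite3.connect(db_path)
    # Reduced version of the moz_cookies table: only the columns used below.
    db.execute("CREATE TABLE moz_cookies "
               "(host TEXT, name TEXT, value TEXT, expiry INTEGER)")
    db.executemany("INSERT INTO moz_cookies VALUES (?, ?, ?, ?)", [
        (".doubleclick.net", "IDE", "constructed", now + 390 * DAY),
        (".tracker.example", "uid", "constructed", now + 730 * DAY),
        (".news.example", "sid", "constructed", now + 3600),   # short-lived
        (".old.example", "stale", "constructed", now - DAY),   # already expired
    ])
    db.commit()
    db.close()

def surviving_cookies(db_path, now, min_days=1):
    """Return (host, name, days_left) for cookies valid at least min_days more."""
    # Read-only URI so the check cannot alter the profile it inspects.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    db = sqlite3.connect(uri, uri=True)
    try:
        rows = db.execute(
            "SELECT host, name, expiry FROM moz_cookies "
            "WHERE expiry > ? ORDER BY expiry DESC",
            (now + min_days * DAY,))
        return [(host, name, (expiry - now) // DAY) for host, name, expiry in rows]
    finally:
        db.close()

if __name__ == "__main__":
    now = 1470000000  # fixed constructed timestamp
    with tempfile.TemporaryDirectory() as tmp:
        path = str(Path(tmp) / "cookies.sqlite")
        build_sample_profile(path, now)
        for host, name, days in surviving_cookies(path, now):
            print(f"{host:20} {name:6} valid for {days} more days")
```

Pointed at a real profile after the browser has closed, any rows returned are cookies that will be sent again in the next session. Firejail's `--private` option runs the program with a temporary home directory that is discarded on exit, so in that mode no profile is left to inspect.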
I will give RequestPolicy add-on a try.
I've also been using Click&Clean add-on to clear out cookies when I close down the browser. I assume this stops tracking, at least stops tracking from browser session to browser session...
> I've also been using Click&Clean add-on to clear out cookies when I close down the browser.

With Firefox, I use Preferences → Privacy → Use custom settings for history → Keep [cookies] until I close Firefox
Works for me.
If you are concerned about anonymity then I recommend Tails but be aware that persistent use of Tor-ified connections may attract attention from counter-terrorist investigators who have much better things they could be doing with their time...
What KrunchTime said regarding Chromium. Sandboxing only keeps the application separate from the others in terms of rights in address space, and also places restrictions regarding use of the file system if correct. It doesn't really help with privacy in terms of browsing.
If you like that you may also want to try installing AppArmor from the repositories or use Qubes https://www.qubes-os.org/ https://distrowatch.com/table.php?distribution=qubes for anything internet related. Also just saw a new one called RancherOS that "runs the entire operating system as Docker containers" which sounds similar.
So now that you have addressed security I would, like other posters, recommend a few good plugins and a VPN for privacy. Plus emptying your cache, history, cookies etc. every time if not already surfing in Private/Incognito Mode (which I think by itself is not enough). Check for IP leakage in particular from Flash.
From ArchBang to SlackBang | Project SlackBang - updated as we go along. | LXDE/LXQT for Slackware
Say no to bugs. - It's not a bug, it's a worm.
Have a look at https://prism-break.org/en/categories/gnu-linux/ They list a very good selection of tools for privacy minded people.
Of course there's more to privacy than just the software. There is also how you use it. Otherwise known as OPSEC or Operational Security. How much trouble you go to depends on your needs.
Some general observations. Why not think in terms of compartmentalizing? News websites are some of the absolute worst for using multiple tracking methods. I use a non-logging VPN for all my news reading. It runs in a VM with a different browser profile than what I use for things like these forums. In fact my VM even reports a different screen size as well.
Then there is tor. One might use that for yet another type of activity. For example if you were a political activist you could use tor for all activities related to that. DuckDuckGo even has a search that works from a hidden .onion site.
The point is, if you use a few basic privacy enhancing plugins for your "normal" browser, and then a VPN for certain types of things, and tor for certain other things, you have split up your online activities into different categories that are not easily connected with each other identity wise.
Think about what works for you and use as much or as little of the above as you feel is worthwhile for you personally. Have a good look at some of the tools posted in the link I gave and see what fits.
Last edited by MAC the Bloody (2016-08-16 22:25:37)
“The university is well structured, well tooled, to turn out people with all the sharp edges worn off...." Mario Savio
"Protections for anonymous speech are vital to democratic discourse". Help enforce our right to free and anonymous speech by running a Tor relay.
^Good advice. I never went to these lengths but it's worth thinking about.