On 06/28/2013 07:02 AM, Werner Koch wrote:
On Fri, 28 Jun 2013 12:06, mjr@phonecoop.coop said:
I'd love it if we shared good practice and encouraged people to install things like noscript.net.
The problem with noscript is that you need to add temporary exceptions way too often. It is a good tool, nevertheless.
But better also run your browser under a different account and a second X server or with Xephyr. Copying and pasting lacks quite some comfort then but that is the price to be a little bit safer.
JavaScript is the future of the web, it makes no sense to fight it, it has already won, but it is not all for the worst.
Major browsers have good sandboxing technology and their security is improved every day.
However, should you not trust your browser and/or some website you want to visit, then you can run OS level sandboxing. I do it this way:
sandbox -i "$HOME/.mozilla/extensions" -i "$HOME/.mozilla/plugins" -i "$HOME/.mozilla/firefox/abcdefgh.sandbox" -i "$HOME/.mozilla/firefox/profiles.ini" -w 1024x900 -t sandbox_web_t -M -X /usr/bin/firefox -P sandbox "$@"
It requires at least a basic SELinux Policy installed and the sandbox program, but it is really neat in that it completely isolates the browser and creates a completely new environment for it to run. The template you start from is copied from the referenced template and superimposed via namespacing, and the binary itself is prevented access to anything in the user's home directory. This also means that any configuration change is lost on closing it, but that is intentional as it will erase any change an exploit may attempt to make as well.
Simo.