
Re: NoScript Sightings

Posted: Sun May 06, 2012 11:44 pm
by Tom T.
tlu wrote:While I understand that redundancy is a good thing there is also a drawback: The more addons you're using, the more unique is your browser (fingerprint).
Good point.
tlu wrote:One aspect not mentioned here are ETags. The only way to prevent them, AFAIK, is by disabling your disk cache: user_pref("browser.cache.disk.enable", false);

EDIT: As a compromise you could choose to delete the cache at shutdown since FF 11 (similar to session cookies).
Please see the cache settings recommended at this article from GHacks, kindly posted by Thrawn here.

I've always set to delete everything (cookies, cache, history, etc.) at shutdown, both in the browser and in Sandboxie.
tlu wrote:(I should add that I don't use silverlight nor java so I'm not sure about them.)
I don't use Silverlight. I use Java at one site only, a trusted HTTPS-secured site.

*Personal* Best Practice is always to close all browsers and start a new one before doing anything sensitive, like online banking, etc., then to close that browser and start a new one before resuming usual insecure browsing. Takes a few seconds extra for a large gain in security and privacy. IMHO. YMMV.

Re: Ads and Ad-blocking tools and policies

Posted: Mon May 07, 2012 1:16 am
by Thrawn
Tom T. wrote: *Personal* Best Practice is always to close all browsers and start a new one before doing anything sensitive, like online banking, etc., then to close that browser and start a new one before resuming usual insecure browsing. Takes a few seconds extra for a large gain in security and privacy. IMHO. YMMV.
Maybe you need Ubuntu, so that you can set up multiple accounts and run them simultaneously on different windowing sessions. That way you can run your banking and your web browsing in entirely separate and locked-down accounts, and switch between them with Ctrl+Alt+F-key.

You can try it out as a non-invasive dual-boot using Wubi, if you want. It installs and uninstalls like a regular Windows application, setting up an Ubuntu virtual disk inside a normal file on your Windows partition and hooking the bootloader.

Re: Ads and Ad-blocking tools and policies

Posted: Mon May 07, 2012 1:52 am
by Tom T.
Thrawn wrote:
Tom T. wrote: *Personal* Best Practice is always to close all browsers and start a new one before doing anything sensitive, like online banking, etc., then to close that browser and start a new one before resuming usual insecure browsing. Takes a few seconds extra for a large gain in security and privacy. IMHO. YMMV.
Maybe you need Ubuntu, so that you can set up multiple accounts and run them simultaneously on different windowing sessions. That way you can run your banking and your web browsing in entirely separate and locked-down accounts, and switch between them with Ctrl+Alt+F-key.

You can try it out as a non-invasive dual-boot using Wubi, if you want. It installs and uninstalls like a regular Windows application, setting up an Ubuntu virtual disk inside a normal file on your Windows partition and hooking the bootloader.
I could presumably do that by running a separate instance of Firefox, using a separate profile, and trusting that there will never be any leakage anywhere between them. Or perhaps use a portable and a native install at the same time, which is even more separated, as the portable's profile is inside its own folder on the flash drive (though still loaded into memory as needed, of course.) And paid versions of Sandboxie offer the ability to have more than one sandbox, presumably with each completely isolated from each other, as well as from the rest of the HD. But being the tinfoil-hat type, I prefer this (almost) certain method.

Interesting idea about the virtual Ubuntu (I'd need another Fx for *nix, right?), but seems like a lot of time and effort (plus being very protective of my bootloader), vs. a fresh browser -- which I do often anyway.

Also, then I'd have two OSs to keep patched and updated, right? :? Thanks for the brainstorming.

Re: Ads and Ad-blocking tools and policies

Posted: Mon May 07, 2012 8:46 am
by dhouwn
Tom T. wrote:Interesting idea about the virtual Ubuntu (I'd need another Fx for *nix, right?),
He talked about non-virtual Ubuntu, although virtual Ubuntu would be an option too (although I would recommend the latter only if you have a modern machine).
And yes you would need another Firefox installation but there should be ways to share the profile.

Re: Ads and Ad-blocking tools and policies

Posted: Mon May 07, 2012 4:27 pm
by tlu
Thrawn wrote: Maybe you need Ubuntu, so that you can set up multiple accounts and run them simultaneously on different windowing sessions. That way you can run your banking and your web browsing in entirely separate and locked-down accounts, and switch between them with Ctrl+Alt+F-key.
Ubuntu is always a good choice :D But creating separate accounts for online banking is overkill, IMHO, particularly if you're using Linux. Using an extra profile is definitely enough: Start Firefox with the parameter -p, create a new profile with Profile Manager, call it "banking" or whatever and create the following shortcut

firefox -P banking -no-remote

From now on you can easily start Firefox with your default profile and/or with your banking profile which is completely separate from your default one. It has its own bookmarks, its own add-ons, its own settings. That's more than enough. Just my 2 cents ;)
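
Going one step beyond the named profile described in this post, the sketch below (an added example, not code from any poster in this thread) starts a separate Firefox instance on a throwaway profile and deletes it on exit, so cache, cookies and ETags never outlive the session. It assumes Firefox's `-profile <path>` option; `BROWSER_BIN`, `write_prefs` and `run_ephemeral` are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the thread. BROWSER_BIN is a hypothetical override
# so the wrapper can be exercised with a stand-in for firefox.

# Drop a user.js into the new profile that disables the disk cache,
# using the preference quoted earlier in the thread.
write_prefs() {
    cat > "$1/user.js" <<'EOF'
user_pref("browser.cache.disk.enable", false);
EOF
}

# Create a private throwaway profile (mktemp -d makes it mode 0700), start a
# separate browser instance on it, and delete the profile (cookies, cache,
# history) when the browser exits.
run_ephemeral() {
    browser=${BROWSER_BIN:-firefox}
    profile=$(mktemp -d "${TMPDIR:-/tmp}/fx-banking.XXXXXX") || return 1
    write_prefs "$profile" || { rm -rf -- "$profile"; return 1; }
    # Clean up even if the wrapper is interrupted.
    trap 'rm -rf -- "$profile"; exit 130' INT TERM
    status=0
    "$browser" -profile "$profile" -no-remote "$@" || status=$?
    trap - INT TERM
    rm -rf -- "$profile"
    return "$status"
}

# Usage: run_ephemeral https://bank.example/
```

Bookmarks and add-on settings are lost with the profile, so anything that must persist still belongs in a named profile like the one above.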

Re: Ads and Ad-blocking tools and policies

Posted: Tue May 08, 2012 3:17 am
by Tom T.
dhouwn wrote:
Tom T. wrote:Interesting idea about the virtual Ubuntu (I'd need another Fx for *nix, right?),
He talked about non-virtual Ubuntu, although virtual Ubuntu would be an option too...
I was referring to:
Thrawn wrote:You can try it out as a non-invasive dual-boot using Wubi, if you want. It installs and uninstalls like a regular Windows application, setting up an Ubuntu virtual disk inside a normal file on your Windows partition and hooking the bootloader.
dhouwn wrote:And yes you would need another Firefox installation but there should be ways to share the profile.
I thought we were talking about using a different profile, to make sensitive activity safer ... ?


@ tlu: Yes, I've used the profile manager and am familiar with the procedure you described, although it was fine to post it for others following the thread who may not be aware of these procedures.

Big Picture was whether one could *avoid* the restart before and after banking, etc., where the restart is used to ensure a clean cache, cookies, ETags...

My existing profile is already well locked-down, so it wasn't a question of creating a banking-only profile -- I run in full Tinfoil-Hat Mode all the time. ;)
I think the issue on the table was the idea of running a separate instance and separate profile, with the question of how secure is the isolation between the two (including in memory). Any thoughts on that?

Re: Ads and Ad-blocking tools and policies

Posted: Tue May 08, 2012 4:42 am
by dhouwn
Yes it's a virtual disk, but it's not running on a virtualised machine, like it would in say VirtualBox.

Re: Ads and Ad-blocking tools and policies

Posted: Tue May 08, 2012 5:14 am
by Tom T.
dhouwn wrote:Yes it's a virtual disk, but it's not running on a virtualised machine, like it would in say VirtualBox.
So, then, it offers no additional protection, which a VM would?

I guess when Thrawn said:
That way you can run your banking and your web browsing in entirely separate and locked-down accounts, and switch between them with Ctrl+Alt+F-key.
he was implying that Ubuntu user accounts are far more isolated than Windows accounts. And that you can log on as two users (two accounts), each with an instance of Fx, but with strong separation? ... or just that you log on to one account, but the two instances of Firefox are more strongly isolated?

Re: Ads and Ad-blocking tools and policies

Posted: Wed May 09, 2012 2:23 am
by Thrawn
Tom T. wrote:
dhouwn wrote:Yes it's a virtual disk, but it's not running on a virtualised machine, like it would in say VirtualBox.
So, then, it offers no additional protection, which a VM would?
Well, it's a virtual disk, but I suspect that it has access to the full disk, so no. Virtual Linux environments are certainly an option if you want to go that way.
Tom T. wrote: I guess when Thrawn said:
That way you can run your banking and your web browsing in entirely separate and locked-down accounts, and switch between them with Ctrl+Alt+F-key.
he was implying that Ubuntu user accounts are far more isolated than Windows accounts. And that you can log on as two users (two accounts), each with an instance of Fx, but with strong separation? ... or just that you log on to one account, but the two instances of Firefox are more strongly isolated?
Indeed, you can strongly restrict what each account is allowed to do - eg no write permissions outside its home directory, no access to CD or USB drives, etc - and you can run multiple windowing sessions at once, each of which can have a different account logged in. You could, eg, never run a web browser under your own account, but have a separate locked down account for it, and just toggle to that windowing session when you want to browse.

Re: Ads and Ad-blocking tools and policies

Posted: Wed May 09, 2012 3:26 am
by Tom T.
Tom T. wrote: I guess when Thrawn said:
That way you can run your banking and your web browsing in entirely separate and locked-down accounts, and switch between them with Ctrl+Alt+F-key.
he was implying that Ubuntu user accounts are far more isolated than Windows accounts. And that you can log on as two users (two accounts), each with an instance of Fx, but with strong separation? ... or just that you log on to one account, but the two instances of Firefox are more strongly isolated?
Thrawn wrote:Indeed, you can strongly restrict what each account is allowed to do - eg no write permissions outside its home directory, no access to CD or USB drives, etc - and you can run multiple windowing sessions at once, each of which can have a different account logged in. You could, eg, never run a web browser under your own account, but have a separate locked down account for it, and just toggle to that windowing session when you want to browse.
Very nice. I wish Windows would do that, but don't hold your breath. ;)
no write permissions outside its home directory,
So, what happens in the banking browser is absolutely, totally inaccessible to the other browser running (simultaneously) for "normal" use, and vice versa -- under either scenario? Their memory areas are rigidly separated?

(I would still probably want some kind of sandbox to prevent all writes to the HD except for those expressly permitted, such as bookmarks, NS options, etc.)

Has this been thoroughly pen-tested by recognized experts (read, "hackers"), and have there been any flaws or known exploits in it over the years?

Don't go to a lot of trouble, but if there are a couple of reports by recognized sources, they would be interesting reading, thanks.

Re: Ads and Ad-blocking tools and policies

Posted: Wed May 09, 2012 3:40 am
by Thrawn
Tom T. wrote:
Thrawn wrote: no write permissions outside its home directory,
So, what happens in the banking browser is absolutely, totally inaccessible to the other browser running (simultaneously) for "normal" use, and vice versa -- under either scenario? Their memory areas are rigidly separated?

(I would still probably want some kind of sandbox to prevent all writes to the HD except for those expressly permitted, such as bookmarks, NS options, etc.)

Has this been thoroughly pen-tested by recognized experts (read, "hackers"), and have there been any flaws or known exploits in it over the years?

Don't go to a lot of trouble, but if there are a couple of reports by recognized sources, they would be interesting reading, thanks.
Well, that kind of isolation isn't a bolt-on feature with Linux, it's been part of the core design since day 1...it's always been a multiuser system. Not sure exactly how the memory isolation works (except that it has been around for decades, and it's open-source, so I'm sure it's hardened), but locking things down so accounts can't read each other's files is just a matter of file system permissions; you give read-write-execute permissions to the file/directory owner, and no permissions to anyone else (can be done recursively, so it's fast).

I'm sure there have been exploits before, but my guess is that they revolve around breaking into the superuser account, which bypasses file permissions. Happily, Linux also provides the sudo mechanism, which makes it practical to administer your system without needing to log in as the superuser in almost all cases. Use strong passwords, and you should be safe there.

If you're really keen, then Ubuntu comes with an AppArmor profile for Firefox, which you can enable (opt-in). AppArmor is a kernel module for specifying program permissions, and being in the kernel, it can restrict even the activities of the superuser. I haven't as yet delved into its language and tweaked it, though, just switched on the default protections.
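
The owner-only permission scheme described in this post can be checked and applied as follows. This is an added example, not code from any poster; the function names are hypothetical, and it also covers one case the post does not mention: files created after the lock-down take their mode from the umask.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print every file or directory under $1 that grants any permission bit to
# group or other. Symlinks are skipped: their own mode always reads as 777
# and is ignored when the link is followed.
audit_exposed() {
    find "$1" ! -type l \( \
        -perm -001 -o -perm -002 -o -perm -004 -o \
        -perm -010 -o -perm -020 -o -perm -040 \) -print
}

# Number of exposed entries, for use in scripts and checks.
count_exposed() {
    audit_exposed "$1" | wc -l | tr -d '[:space:]'
}

# Owner keeps whatever bits they had; group and other lose everything,
# recursively, as the post describes.
lock_down() {
    chmod -R go-rwx -- "$1"
}

# Run one command with a umask that keeps newly created files owner-only.
# Without this, files created after lock_down get the default (often 022)
# and show up in the audit again.
with_private_umask() {
    ( umask 077; "$@" )
}

# Usage:
#   audit_exposed "$HOME"      # review what others could read
#   lock_down "$HOME"          # then remove group/other access
```

A file with loose mode bits inside a 0700 directory is still unreachable by other accounts, so the audit is conservative: it reports mode bits, not effective access.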

Re: Ads and Ad-blocking tools and policies

Posted: Wed May 09, 2012 4:44 am
by Tom T.
I must confess to being a bit put off when a product's home page makes it hard to find the security updates. :?

I had to do a web search to find http://www.ubuntu.com/usn
and there were tons of vulns, about 140 in 2012 alone, some for servers, some for desktop, some specifically for Firefox.
You may find them interesting; I believe that some involved memory, including this snippet:
...discovered memory safety issues affecting Firefox.

Also, articles on how to harden the default install.

It's probably true, as claimed, that it's more secure than OOB Windows (What isn't? :mrgreen: ), and some of the advice was similar to Windows: Disable unneeded services, etc.

Bottom line: Sounds like it would mean having two OSs to keep patched and updated.
OR commit to *nix exclusively.

Both are fine choices for those with the time and motivation, but given this user's need to make a living in the Real World, desire to devote time here, and once in a while, have an actual life :o , I think I'll pass, in favor of restarting Firefox before and after banking, thanks.

The "OSS is inherently safer" argument sounds good in theory; reality varies per product. Theoretically, Firefox code is vetted by many eyes, but it still has critical vulns found after release. Windows is closed-source, but what I like about XP is that it's had eleven years of vetting, and probably by a much larger community of both white- and black-hats. (I don't like getting the first release of *anything*. ;) )

To reiterate, not knocking it at all; MS would do well to follow the ownership, privilege, and other policies of Ubuntu. Just not right for one user (who's spent a considerable amount of time locking down Win, and reducing attack surface). But others reading this thread may decide to give it a try.

Thanks again.