Security and Javascript

Fri Jun 28 13:20:07 UTC 2013

On 06/28/2013 07:02 AM, Werner Koch wrote:
> On Fri, 28 Jun 2013 12:06, mjr at phonecoop.coop said:
>
>> I'd love it if we shared good practice and encourage people to install
>> things like noscript.net.
>
> The problem with noscript is that you need to add temporary exceptions
> way to often.  It is a good tool, nevertheless.
>
> But better also run your browser under a different account and a second
> X server or with Xephyr.  Coping and pasting lacks quite some comfort
> then but that is the price to be a little bit safer.

Javascript is the future of the web, it makes no sense to fight it, it 
has already won, but it is not all for the worst.

Major browser have good sandboxing technology and their security is 
improved every day.

However should you not trust your browser and/or some website you want 
to visit, then you can run OS level sandoboxing. I do it this way:

sandbox -i $HOME/.mozilla/extensions -i $HOME/.mozilla/plugins -i 
$HOME/.mozilla/firefox/abcdefgh.sandbox -i 
$HOME/.mozilla/firefox/profiles.ini -w 1024x900 -t sandbox_web_t -M -X 
/usr/bin/firefox -P sandbox $*

It requires at least a basic SeLinux Policy installed and the sandbox 
program, but it is really neat in that it completely isolates the 
browser and crates a completely new environment for it to run.
The template you start from is copied from the referenced template and 
superimposed via name spaceing, and the binary itself is prevented 
access to anything in the user's home directory. This also means that 
any configuration change is lost on closing it, but that is intentional 
as it will erase any change an exploit may attempt to make as well.

Simo.

-- 
Simo Sorce - s at ssimo.org
No good deed goes unpunished - http://ssimo.org/blog