Re: Jailing Firefox
- From: Sidney Lambe <sidneylambe@xxxxxxxxxxxxxx>
- Date: 27 Jul 2009 01:51:55 +0200
Stefan Patric <not@xxxxxxxxxxxxxxx> wrote:
On Sun, 26 Jul 2009 03:01:18 +0200, Sidney Lambe wrote:
Stefan Patric <not@xxxxxxxxxxxxxxx> wrote:
On Sat, 25 Jul 2009 18:19:39 +0200, Sidney Lambe wrote:
Ever since I encountered a website that crashed my computer
with malicious javascripts I haven't trusted firefox (or any
browser like it) and only use it when absolutely necessary,
on sites that are trusted.
I was thinking that it might be a good idea to put firefox
in jail and run it from there.
1. Create a ramdisk
[snip]
That's a lot of work. Wouldn't it be easier just to
"turn-off" javascript and Java in Firefox?
There's more to it than that. Firefox is a big and complex
program I simply don't trust.
And it's buggy, too, but not as bad as it used to be. However,
it still crashes on a regular basis. But it's no better or
worse than any of the other graphical browsers out there.
Dillo is a LOT better.
So, I keep two or three others on my system just in case
Firefox has problems. And have a Windows in a VM for those
sites that won't even work unless you have Windows and Internet
Explorer.
<shudder>
I don't allow M$ software on my boxes. Or anywhere near them.
Of course, that means about 90% of the web sites out there
won't work properly.
Hardly. I rarely have trouble with websites using a simple
textmode browser with no javascript.
FWIW, a few years ago, I came across a commercial travel site
that, except for a few lines of HTML at the beginning of the
Home page, was all javascript based. 100% dynamically laid
out. If you had javascript turned off or your browser didn't
support it, all you got was a blank, white page even if you
used a text based browser.
I encounter those now and again. And move on. Some other site
will have the information I want.
A few weeks later, they had changed
the code so you could choose whether you wanted a standard
HTML or javascript site.
But I don't hang out on commercial sites as a rule.
Since a lot of my business is dealing with businesses, I'm on
commercial sites a lot. And then there's my banks, cell phone
company, even the public library, etc.
Doing business on-line is asking for trouble.
I don't do it.
I find stuff to buy on the Web but I don't buy it through
the web. I use the phone and snail mail.
My ISP gets a money order in the mail and if I have to
talk with them, which is hardly ever, I use the phone.
I don't use their website at all.
If I am away from home and need to check my mail, I
log into my box and do it from there.
The world-wide-interactive-boob-tube is not my thing.
I don't frequent those "socializing" sites either.
Or.... Just run a minimal install on a virtual machine--it's
isolated from the real system. So, even if it gets hacked,
there's no place for the hacker to go. Nothing he can really
damage. It's just bits and bytes in virtual space. Your ram
disk system isn't really isolated.
That's what Bit Twister is suggesting too. But I disagree with
you. My home spun version of VM is quite isolated. Chroot is
very effective at that.
A virtual machine is even more isolated, and for all intents
and purposes looks like a "real" machine to the outside world.
Your RAM system shows as a RAM system to the outside world,
doesn't it?
I don't think so.
And that makes it vulnerable.
That's why my webserver and ftpserver both use "chroot jails".
Most of the server admins I know are now running most
everything in VMs for security as well as cost effectiveness.
One of them told me that he'd never go back to the "old ways."
The VM is a good idea, though. I will study up on it.
But if it turns out to be a massive application that takes a
year of study to learn to use, I'll pass.
I'm using VirtualBox (http://www.virtualbox.com/). Very easy to
install and use. Good documentation and HOWTOs. It uses a GUI
interface, but can also be run from the commandline. I use it
mainly to test Linux distros, and run Windows when I need to.
You might also look at QEMU (http://www.qemu.com/). It's
commandline based and highly configurable. It was the first VM
I experimented with a few years ago. Be sure to run the QEMU
Accelerator (KQEMU) for greatly increased emulation speed. Apps
run about 97% native speed.
I suggest you look at QEMU first. You being a commandline guy
and all.
As far as learning and setting up: an hour or so of reading
with either is more than sufficient to get you up and running.
Very simple.
Stef
Thanks for the guidance. I'll make some notes and look into both
of those VM apps.
Sid