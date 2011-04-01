Hacker News
How to Run a More Secure Browser (dragonflybsd.org)
Aren't jails one of the things that BSD is known for? (Now that Docker is a thing.) And the primary goal of jails in the first place was security, so what does this offer over running your browser in a jail?

There are a ton of rebuttals I can imagine but I don't know nearly enough about any of the stuff involved here to determine whether any of them are true.

Firejail (https://firejail.wordpress.com/) seems a good first step before jumping through those hoops. (Though, to be fair to the post, you can't use firejail on a *BSD, since it needs seccomp-bpf and other Linux-specific things.)

Hmm... I don't think this is actually a secure approach, as by default X is not secure. Any client with access can do things like sniff and inject keystrokes (even forwarded over SSH, depending on the value of ForwardX11Trusted in ssh_config):

http://theinvisiblethings.blogspot.de/2011/04/linux-security...

I could be wrong. Apparently X11 has the SECURITY and XACE extensions which are theoretically capable of preventing this, but nobody uses them (except SSH, see above). It's possible that DragonFlyBSD has these integrated somehow and makes the directions secure, but I don't think so.

Even if these extensions are being used, I'm sure the attack surface of X11, its extensions and its drivers is large enough to make it trivial to breach, even compared to a modern browser like Chrome.
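
The `ForwardX11Trusted` setting raised in the thread is resolved per host, and the first value obtained wins, so a wide `Host *` default can silently apply to a host that only sets `ForwardX11 yes`. The following is an added example, not part of any comment above: it resolves both options for a host from ssh_config text. The function names and the sample config are constructed for illustration, and `Match` and `Include` directives are assumed absent.

```python
import fnmatch

# Upstream OpenSSH client defaults when unset; a packaged ssh_config may override them.
DEFAULTS = {"forwardx11": "no", "forwardx11trusted": "no"}

# Constructed sample config (hosts are made up for illustration).
SAMPLE = """\
Host build-* !build-public
    ForwardX11 yes
    ForwardX11Trusted no
Host db.example.com
    ForwardX11 yes
Host *
    ForwardX11Trusted=yes
"""

def host_matches(patterns, host):
    """Host line semantics: a negated match vetoes, else any positive match wins."""
    hit = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            hit = True
    return hit

def effective_x11(config_text, host):
    """Resolve both options for host; the first value obtained is the one used."""
    found, active = {}, True  # lines before the first Host apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            active = host_matches(args, host)
        elif key == "match":
            active = False  # assumption: Match blocks are not evaluated here
        elif active and args and key in DEFAULTS and key not in found:
            found[key] = args[0].lower()
    return {k: found.get(k, default) for k, default in DEFAULTS.items()}

def x11_exposure(config_text, host):
    """'off', 'untrusted' (SECURITY-restricted clients) or 'trusted' (full access)."""
    opts = effective_x11(config_text, host)
    if opts["forwardx11"] != "yes":
        return "off"
    return "trusted" if opts["forwardx11trusted"] == "yes" else "untrusted"
```

In the sample, `db.example.com` resolves to trusted forwarding only because of the later `Host *` block, which is the case a block-by-block read of the file misses.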

