Re: Open_Source



On Wed, Jun 03, 2009 at 08:49:50AM +0200, Wojciech Puchar wrote:

I mean things like sending private data to someone else, scanning for
other programs I have on disk, my address book, etc.

Given enough incentive, it unfortunately seems even open source
developers will resort to sneaky tactics:
http://arstechnica.com/open-source/news/2009/05/mozilla-ponders-policy-change-after-firefox-extension-battle.ars

but it's at least much more difficult. And - my other rule fits very well
here. Avoid OVERCOMPLEX programs.

Unfortunately there are no well-done WWW browsers for unix in the world.
links -g is an exception, but at the same time it's quite limited.
But it has the best fonts :)

You're right: browser code is overly complex, and a nightmare to audit
properly for security purposes.

That's why when working in a sensitive environment, I browse the web
primarily with elinks (with JavaScript disabled, of course), and
secondarily and only when absolutely necessary with the usual
firefox+noscript+abp... both browsers running in a virtual box (qemu,
virtualbox) dedicated to this purpose and this purpose only.

Of course, I'm taking more precautions, as running in a box may still
not be 100% secure, if someone creative enough found a way to break
out of the guest OS into the host OS; but everything else is just
irresponsible and way too risky, from a security point of view.

Surely, not everyone has the same security requirements, and YMMV. ;-)

-cpghost.

--
Cordula's Web. http://www.cordula.ws/
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
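The setup cpghost describes above (a browser confined to a virtual machine used for nothing else) can be scripted so that the VM is disposable as well as dedicated. The following POSIX shell launcher is an added example and is not code from the thread; it assumes a QEMU release with the `-nic` option (2.12 or later), a qcow2 guest image whose path and memory size are placeholders you set through the environment, and a guest that already has the browser installed. The `-snapshot` flag makes QEMU discard all disk writes when the VM exits, so whatever a compromised browser session drops inside the guest does not survive a restart (it does not, of course, help against a guest-to-host escape, which is the residual risk the message mentions).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): launch a dedicated,
# disposable browsing VM with QEMU. Disk writes are discarded on exit
# (-snapshot), so the guest image is never modified by a browsing session.
# Assumptions: the image path and memory size below are placeholders; the
# -nic syntax requires QEMU 2.12 or later; the image path must not
# contain spaces, because the command line is assembled as one string.

BROWSER_VM_IMAGE="${BROWSER_VM_IMAGE:-$HOME/vms/browse.qcow2}"   # placeholder path
BROWSER_VM_MEM="${BROWSER_VM_MEM:-1024}"                          # MiB of guest RAM

# Return 0 only if the guest image is an existing, readable regular file.
# Because of -snapshot the image is opened read-only, so a read-only
# permission mask on it is fine and even desirable.
check_image() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Assemble the QEMU command line and print it on stdout, so it can be
# inspected (or tested) without starting a VM.
#   $1 = path to the qcow2 image, $2 = memory in MiB
build_browser_vm_cmd() {
    printf '%s' "qemu-system-x86_64 -name browse-vm -m $2 -snapshot -drive file=$1,if=virtio,format=qcow2 -nic user,model=virtio-net-pci"
}

# Validate the image, then replace this shell with QEMU.
launch_browser_vm() {
    if ! check_image "$BROWSER_VM_IMAGE"; then
        echo "browse-vm: guest image not found or not readable: $BROWSER_VM_IMAGE" >&2
        return 1
    fi
    cmd=$(build_browser_vm_cmd "$BROWSER_VM_IMAGE" "$BROWSER_VM_MEM")
    eval "exec $cmd"
}

# Only launch when explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "launch" ]; then
    launch_browser_vm
fi
```

Run it as `sh browse-vm.sh launch` once `BROWSER_VM_IMAGE` points at a prepared guest image; any state you do want to keep across sessions (bookmarks, updates) has to be applied by booting the image once without `-snapshot`, deliberately, rather than leaking out of a browsing session.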
