this post was submitted on 25 Feb 2024
33 points (83.7% liked)

Linux

48375 readers
1483 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

cross-posted from: https://lemmy.ml/post/12400033 (Thank you https://lemmy.ml/u/Kory !)

I first used Linux about 5 years ago (Ubuntu). Since then, I have tried quite a few distros:

Kali Linux (Use as a secondary)

Linux Mint (Used for a while)

Arch Linux (Could not install)

Tails (Use this often)

Qubes OS (Tried it twice, not ready yet)

Fedora (Current main)

For me, it has been incredibly difficult to find a properly privacy oriented Linux distro that also has ease of use. I really enjoy the GNOME desktop environment, and I am most familiar with Debian. My issue with Fedora is the lack of proper sandboxing, and it seems as though Qubes is the only one that really takes care in sandboxing apps.

Apologies if this is the wrong community for this question, I would be happy to move this post somewhere else. I've been anonymously viewing this community after the Rexodus, but this is my first time actually creating a post. Thank you!

UPDATE:

Thank you all so much for your feedback! The top recommended distro by far was SecureBlue, an atomic distro, so I will be trying that one. If that doesn't work, I may try other atomic distros such as Fedora Atomic or Fedora Silverblue (I may have made an error in my understanding of those two, please correct my if I did!). EndeavourOS was also highly recommended, so if I'm not a fan of atomic distros I will be using that. To @[email protected], your suggestion for Linux Mint Debian Edition with GNOME sounds like a dream, so I may use it as a secondary for my laptop. Thank you all again for your help and support, and I hope this helps someone else too!

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 9 months ago* (last edited 9 months ago) (17 children)

Does Librewolf (RPM) work?

I only know that Chromium browsers use userns or setuid namespaces to isolate tabs. This is not allowed by the flatpak seccomp filter (applied for all apps) which is why bubblejail is a thing. But bubblejail is veeeeery alpha, portals, theming, running random binaries etc all broken or difficult.

Flatpak Chromium browsers use zypak instead, which will have a weaker seccomp filter than the tab sandbox in Chromium (because flatpak apps do more than browser tabs and there is only a single filter for them all).

No idea about firefox, they just support the flatpak without any mention if the sandboxing is better, worse, unaffected etc.

Librewolf builds firefox themselves, if they just add allow-replace-malloc or how its called in their mozconfig it works with hardened_malloc. And I think that is the easiest solution. If they dont add that it should probably not launch. Flatpak works for some reason, probably because somehow it doesnt use hardened_malloc.

  • different name
  • already privacy optimized (only problematic if you need a vanilla profile)

Tbh I want to compile firefox and the kernel with -O4 as I have a x86_64-v4 CPU. They will not do that as people run old hardware.

Thunderbird is the same, btw everything is built on the same codebase. My dream would be to build Firefox, Thunderbird and Torbrowser on COPR (or Github so the Fedora people dont kill me) with hardened configs.

I've also experienced some issues recently with boot times taking a lot more time than previously.

Longer than on vanilla fedora, or longer than before on secureblue? They distrust the hardware and generate random values as far as I understood, also use kernel lockdown mode. Those are important and increase boot times but not performance. Btw also if your CPU is affected by spectre/meltdown attacks it will automatically disable hyperthreading. Very cool karg that should totally be the default.

Yeah secureblue is nice and very needed. Wanted to do something similar (as did a lot of other people) and found qoijjjs awesome ground work. He invests hours in that project, look at the "secureblue Chromium vs Vanadium" table its crazy.

[–] Throwaway1234 1 points 9 months ago (16 children)

Does Librewolf (RPM) work?

Have not tested it. I rely on the flatpak.

I only know that Chromium browsers use userns or setuid namespaces to isolate tabs. This is not allowed by the flatpak seccomp filter (applied for all apps) which is why bubblejail is a thing. But bubblejail is veeeeery alpha, portals, theming, running random binaries etc all broken or difficult.

Isn't bubblejail mostly a frontend to bubblewrap? Therefore, is it perhaps possible that, if well-understood, reliance on bubblewrap instead should translate to a less buggy (but indeed harder) experience?

Flatpak Chromium browsers use zypak instead, which will have a weaker seccomp filter than the tab sandbox in Chromium (because flatpak apps do more than browser tabs and there is only a single filter for them all).

I've often heard that the flatpak Chromium browsers are (somehow) less secure, but never heard why that's the case. Thank you for offering a very concise explanation on the matter!

My dream would be to build Firefox, Thunderbird and Torbrowser on COPR (or Github so the Fedora people dont kill me) with hardened configs.

WOW, that would be awesome! You've already found yourself a 'client'/'customer' :P . And I'm sure that a lot of others would be interested as well.

Longer than on vanilla fedora, or longer than before on secureblue?

Yes. To be clear, it's both longer than on vanilla Fedora Atomic and also longer than before on secureblue.

as did a lot of other people

Reminds me of this project, I wanted to wait until it stabilized..., but it never got that far 😅. But I hope its maintainer will join team secureblue, if they haven't yet*.

He invests hours in that project, look at the “secureblue Chromium vs Vanadium” table its crazy.

For reference; WOW, we definitely can't deny their commitment. I feel indebted. Perhaps I should support them 😅. Do you happen to know if there are any other channels besides Github to support them (and the project)?

[–] [email protected] 2 points 9 months ago* (last edited 9 months ago) (15 children)

Bubblejail allows to create different seccomp filters per app. This means you can allow the browsers to create namespaces, which fixes that problem. There are tons of problems though.

Yup needed some time to understand that zypak thing too. I think it boils down to that issue, they will be okay but less secure than possible, so... why not use something else?

Yeah there are a ton of hardening arguments. Currently I cant build that damn stuff anymore because somehow I have missing build deps that I have installed and added to my path 100%.

In this repo I collect my mozconfig, and if everything goes well I will use github builder to make RPMs. That would be lit, because I would have all of them hardened, but for v3 and v4 optimized. Put in a directory, do some rpm repo magic and I have my own repo.

Feel free to help me figure that stuff out. Librewolf has a nice build pipeline, I created a PR to just support replacing the malloc, that would be the easiest and best solution.

Then fedora firefox and librewolf would allow that, only flathub firefox missing really. Replacing the malloc is a very unsupported case for flatpak though, as the apps should be OS-unspecific.

[–] Throwaway1234 1 points 9 months ago* (last edited 9 months ago) (1 children)

Librewolf has a nice build pipeline, I created a PR to just support replacing the malloc, that would be the easiest and best solution.

That's very neat! Hopefully it comes through!

Then fedora firefox and librewolf would allow that, only flathub firefox missing really. Replacing the malloc is a very unsupported case for flatpak though, as the apps should be OS-unspecific.

But even with the ability to replace malloc, isn't Firefox still vastly inferior compared to Chromium if security is desired? Or are they actually operating in close proximity of each other in terms of security features?

[–] [email protected] 2 points 9 months ago (2 children)

Arguable. Chromium is just horrible to use. No sync, that would require something NOT Brave or Vivaldi to step up. Floccus is overcomplicated, xbrowsersync unmaintained.

Firefox had core components rewritten in rust too.

[–] Throwaway1234 1 points 9 months ago (1 children)

Chromium is just horrible to use.

Hard agree, except for PWAs; those at least work on Chromium-based browsers.

But honestly, it's just very unfortunate that the closest we have to an ungoogled, secure, private and anonymous web browser is particularly platform-locked; I'm indeed referring to Vanadium.

On the desktop side of things, it's just a mess; at least in my opinion*. I guess our best bet would be like running Tor Browser or Mullvad Browser in a disposable qube on Qubes OS 🤣. Furthermore, it would have to be connected through their respective network of choice; be it Tor network (and/)or VPN. And, ideally, without additional configuration changes to blend in as much as possible. Which comes down to foregoing your favorite extensions and even not maximizing the app window.

*sigh*, such a drag...

[–] [email protected] 2 points 9 months ago (1 children)

I guess our best bet would be like running Tor Browser or Mullvad Browser

Those are just Firefox. Using some other routing doesnt improve security.

Vanadium might be degoogled and not send critical platform data, but it is not fingerprint resistant afaik.

On mobile, browsers cant really be that though. On Desktop there only is ungoogled Chromium which is a beginning. But especially secureblue doesnt use it for some reason.

[–] Throwaway1234 1 points 9 months ago (1 children)

Those are just Firefox. Using some other routing doesnt improve security.

Never said or implied they were. Security is achieved through

Tor Browser or Mullvad Browser in a disposable qube on Qubes OS

Tor and Mullvad are only for preferred for the sake of anonymity as every user runs the exact same config on the same type of network.

Vanadium might be degoogled and not send critical platform data, but it is not fingerprint resistant afaik.

Hmm, you might be right. TIL. Thank you! Somehow, I was having high expectations for it... *sigh*

On mobile, browsers cant really be that though.

Do you happen to know why that's the case?

On Desktop there only is ungoogled Chromium which is a beginning. But especially secureblue doesnt use it for some reason.

If I recall correctly, ungoogled-chromium has (at least in the past) been slacking on security. Don't know if that's still a thing though.

[–] [email protected] 2 points 9 months ago (1 children)

QubesOS is interesting, I think overcomplex but needed until better systems are in place. Bubblejail would be an alternative that runs on normal hardware.

I dont know how resistant Vanadium is, it for sure doesnt send critical data, but screen size, hardware specs etc cant be not send without having no GPU acceleration and a letterboxed screen.

mobile browsers have limited screens size and every SOC has a different GPU basically. So if you avoid hardware rendering, you would still need to pretend to be the smallest phone comparable, and pixel density etc. may still be different.

Ungoogled Chromium is a set of patches. These should totally be applied to Secureblue chromium, but currently it is saving effords by just using Fedora chromium and a few policies.

[–] Throwaway1234 1 points 8 months ago (1 children)

First of all, apologies for the late response. I had written a response, but something happened before I sent it and the cache of my phone wasn't able to recollect my writing. I got so discouraged by this that I didn't bother with it right away.

QubesOS is interesting, I think overcomplex but needed until better systems are in place.

Well said!

Bubblejail would be an alternative that runs on normal hardware.

I hope Bubblejail will indeed reach the level of sandboxing solutions we find on e.g. mobile devices. Though, a lot of work has to be put into portals (and others) before a feat as such is achieved.

I dont know how resistant Vanadium is, it for sure doesnt send critical data, but screen size, hardware specs etc cant be not send without having no GPU acceleration and a letterboxed screen.

Would you be so kind to elaborate upon the bolded part? I'm simply unaware of the link between GPU acceleration and protection against fingerprinting.

Furthermore, just to be clear. I would like to retract my earlier statements that I've made regarding Vanadium and that were negative in nature. While there's definitely truth in the fact that it does not provide fingerprinting protection (or spoofing) like what we find on Firefox (or Brave), but they have spoken out their ambitions and intentions to improve that. It's simply that they haven't put a lot of resources yet to the cause. And this is not for saving efforts or whatsoever, but rather because they intend to offer a more robust solution (eventually). We should also not disregard that, as is, GrapheneOS does offer some level of anonymity (in combination with best practices; i.e. VPN etc) merely by the virtue of only a select number of devices being supported by GrapheneOS and thus if two users are in relatively close proximity to one another and have their VPNs enabled and use the same device with GrapheneOS, then it might be hard for others to distinguish them from one another. Finally, at least regarding this topic, I don't see them implementing letterboxing as we find on Firefox (as screen sizes are small anyways and only select number of screen sizes exist anyways, because only few devices are supported). Thus, as screen dimensions are not obfuscated, there's less need to obfuscate the GPU in the first place.

mobile browsers have limited screens size and every SOC has a different GPU basically. So if you avoid hardware rendering, you would still need to pretend to be the smallest phone comparable, and pixel density etc. may still be different.

You may find some of my thoughts in the previous paragraph.

Ungoogled Chromium is a set of patches. These should totally be applied to Secureblue chromium, but currently it is saving effords by just using Fedora chromium and a few policies

Is it strictly beneficial for security? IIRC, privacy is (unfortunately) not regarded as a design goal for secureblue.

Btw, apologies if my sentences were more convoluted and confusing than they are otherwise. Thank you for your attention and consideration!

[–] [email protected] 2 points 8 months ago (1 children)

Yeah know that deleting post fun. Jerboah is very good at recovering them.

Bubblejail just got an update that should fix DNS on Fedora! Just has to arrive in Secureblue (rusty-snakes fedora-extras, qoijjjs fork, COPR)

If you use your GPU that model is fingerprintable through WebGL stuff. There is a firefox addon that spoofs random values though. Same for screen size.

Yes, secure projects are nice, if they do something then right.

Yes a Pixel is less trackable than some random phone. But still, trackable. Letterboxing and software rendering could be needed by people.

Secureblue does not implement privacy over security, but if patches make a browser stay just as securely I think that would be fine.

The thing is, for example we had some arguments about manifest v2 extensions (which can download stuff they then use, i.e. no control by Google and thus "less secure"). If Chromium does things like Connect to Google for security stuff like Safe Browsing, this will totally not be removed.

Also you can install any browser you like, just not Firefox (as that is override-removed). I have a PR open to make Librewolf work with hardened-malloc, hope they react soon...

Secureblue is not GrapheneOS too. It is just a (huge) compilation of patches and patched images. Basically every Desktop with Wayland support, currently 86 (!!!!) images.

Doing something like hardened degoogled Chromium with sync capabilities would happen outside of the project.

[–] Throwaway1234 1 points 8 months ago (1 children)

Yeah know that deleting post fun. Jerboah is very good at recovering them.

TIL about Jerboa. Thank you!

If you use your GPU that model is fingerprintable through WebGL stuff. There is a firefox addon that spoofs random values though. Same for screen size.

IIRC, so-called 'naive scripts' will indeed be spoofed. However, it has been shown at great length that JavaScript is not even required to to acquire screen size in the first place. Furthermore, methods that rely on badness enumeration are deemed inferior.

Secureblue does not implement privacy over security, but if patches make a browser stay just as securely I think that would be fine.

That would require someone to put effort into showing that ungoogled-chromium is at least as secure as Chromium. Is that even established in the first place?

The thing is, for example we had some arguments about manifest v2 extensions (which can download stuff they then use, i.e. no control by Google and thus “less secure”). If Chromium does things like Connect to Google for security stuff like Safe Browsing, this will totally not be removed.

Perhaps the desire to minimize attack surface is what's been decisive.

Secureblue is not GrapheneOS too. It is just a (huge) compilation of patches and patched images. Basically every Desktop with Wayland support, currently 86 (!!!) images.

Surely, it would take a lot more effort to get it to GrapheneOS levels. However, I don't find any fault with the desire to be inspired from GrapheneOS' methods and implementations.

[–] [email protected] 2 points 8 months ago (1 children)

Yeah for sure the not-badness-enumeration approach would be to not use the GPU and set a defined screen size and pixel density.

ungoogled chromium is likely less secure, no 1 is to have regular updates. With CI/CD those patches should be applied automatically. Would be a cool project but not for me, I prefer Firefox.

[–] Throwaway1234 1 points 8 months ago

Thanks for the conversation! 😊

Yeah for sure the not-badness-enumeration approach would be to not use the GPU and set a defined screen size and pixel density.

Hopefully one day.

ungoogled chromium is likely less secure, no 1 is to have regular updates.

Agreed.

With CI/CD those patches should be applied automatically. Would be a cool project but not for me, I prefer Firefox.

Hehe, fair.

[–] [email protected] 1 points 9 months ago (1 children)

@Pantherina @Throwaway1234
GrapheneOS authors stated that Firefox is less secure. The biggest issue is that Android is very reliant on WebView and so you inevitably have to increase your attack surface if you install a new browser.

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago)

We are talking about different platforms here.

Firefox on Android (fenix) has no process isolation at all. Same with all those tiny browsers that use the webview (every Browser with less than 50MB download size uses the webview, like Edge, DDG "privacy browser", the common FOSS browsers and likely more).

Currently for some reason 3rd party Browsers cant use the Chrome Trichrome library to use the full process isolation stuff, but need to ship it in their APK.

Then on Linux Firefox (gecko) has process isolation, which for some reason is supposed to be compatible with sandbox. I opened an issue about that, asking for an explanation as there is none afaik.

Only on Windows does Firefox have some form of advanced memory protection, which is unfortunate.


So on Android, full Chromium Browsers have sandboxing, fenix and webview wrappers (and every app) can only spawn a single process.

Also on Android there is a Webview based on Chromium, which most apps utilize, which can lead to the assumption (firefox on Android increases attack surface). Not though, that apps only connect to dedicated websites mostly. Also, this only makes a difference if hackers would target Firefox mobile, which has tiny marketshare.

Meanwhile it should be more likely they target Chromium on mobile, do not using Chromium could spare you of some attacks targeted at the most commonly used Browser on mobile.


Then to the usability issues

  • no containers i.e. different profiles for different logins needed
  • lack of many good addons
  • no UI customizability for users
  • worse stability than Firefox on Linux (may be due to Secureblue hardening)
  • no sync of passwords, bookmarks, session, etc.

And the privacy problems

  • getting hacked is very unlikely with both browsers, but Chromium sends data to Google ootb (dont know if Vanadium has this removed)
  • Chromium is less fingerprintable due to being the most common browser, but most active antifingerprint measurements are nonexistent, unlike on Firefox.
load more comments (13 replies)
load more comments (13 replies)
load more comments (13 replies)