Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
Debian 11 includes both chromium and chromium-sandbox.
It's my understanding that, while on the one hand, chromium-sandbox prevents some attacks, it also increases other risks by being setuid.
What's the net effect? Is there a consensus on this?
===
I also noticed, by running aa-status, that AppArmor is running, and it confines some apps, like evince and man, but it does nothing for firefox-esr and chromium. Isn't this odd, considering that browsers are probably the most dangerous things you run?
Chrome gets 200+ CVEs/year, and Firefox gets 100 CVEs/year (some say the latter number is only smaller because Firefox gets less attention).
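As an added example (this is not code from the thread, from Debian or from Chromium), here is a small POSIX shell script that answers the two questions above for a given host: which of Chromium's two Linux sandboxes it can use, and whether the browsers that are running carry an AppArmor label. It assumes Debian's helper path /usr/lib/chromium/chrome-sandbox and the Debian kernel's kernel.unprivileged_userns_clone sysctl; the process names chromium, firefox-esr and firefox are assumptions too.

```shell
#!/bin/sh
# Added example (not from the thread, Debian or Chromium): report which Chromium
# sandbox this host can offer and whether running browsers carry an AppArmor label.
# Assumptions:
#   - helper path /usr/lib/chromium/chrome-sandbox (Debian's chromium-sandbox package)
#   - sysctl kernel.unprivileged_userns_clone is the Debian kernel's switch for
#     unprivileged user namespaces; when the sysctl is absent we assume the
#     upstream default, which allows them.

# classify USERNS SETUID -> name of the sandbox chromium can use.
#   USERNS: 1 if unprivileged user namespaces are allowed, else 0
#   SETUID: 1 if a root-owned setuid chrome-sandbox helper exists, else 0
# The namespace sandbox is preferred because it needs no privileged binary;
# the setuid helper is the fallback; with neither, renderers run unsandboxed.
classify() {
    if [ "$1" = 1 ]; then
        echo namespace-sandbox
    elif [ "$2" = 1 ]; then
        echo setuid-sandbox
    else
        echo no-sandbox
    fi
}

# is_setuid_root MODE OWNER -> 0 if an ls -l mode string has the setuid bit in
# the owner execute slot ("-rwsr-xr-x") and OWNER is root; 1 otherwise.
is_setuid_root() {
    case "$1" in
        ???s*) [ "$2" = root ] ;;
        *) return 1 ;;
    esac
}

# host_userns -> 1 if unprivileged user namespaces are allowed on this host.
host_userns() {
    v=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null)
    [ -z "$v" ] && v=1   # assumption: sysctl missing => upstream default (allowed)
    echo "$v"
}

# host_setuid -> 1 if the assumed helper path is a root-owned setuid binary.
host_setuid() {
    helper=/usr/lib/chromium/chrome-sandbox
    set -- $(ls -ld "$helper" 2>/dev/null)   # $1 = mode, $3 = owner
    if [ -n "$1" ] && is_setuid_root "$1" "$3"; then echo 1; else echo 0; fi
}

# confinement PID -> the process's AppArmor label as the kernel reports it,
# e.g. "unconfined" or "/usr/bin/evince (enforce)"; "unavailable" if the
# kernel does not expose /proc/PID/attr/current.
confinement() {
    cat "/proc/$1/attr/current" 2>/dev/null || echo unavailable
}

report() {
    userns=$(host_userns)
    suid=$(host_setuid)
    echo "unprivileged user namespaces allowed: $userns"
    echo "root-owned setuid chrome-sandbox present: $suid"
    echo "sandbox chromium can use: $(classify "$userns" "$suid")"
    for name in chromium firefox-esr firefox; do
        for pid in $(pgrep -x "$name" 2>/dev/null); do
            echo "$name[$pid]: $(confinement "$pid")"
        done
    done
}

report
```

The practical point for the setuid question: when unprivileged user namespaces are allowed, Chromium uses the namespace sandbox and does not use the setuid helper, so chromium-sandbox then only adds an unused setuid-root binary to the host; it is only when user namespaces are disabled that the helper is the difference between a sandboxed and an unsandboxed renderer. The per-process label at the end shows directly what aa-status was telling you: a browser listed as "unconfined" has no AppArmor profile on top of whatever its own sandbox provides.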
Probably not.
If you MUST run something chromium based, go straight and simple if you can.
Beyond that it depends upon what you do with and in your browser, and what features are important to you.
chromium is technically superior from a security standpoint. But that's all about its design - not the number of CVEs.
Quote:
Originally Posted by max.b
Security researchers seem to very strongly favor [etc]
No. Wrong.
A self styled "security researcher" who authors some random blog and is anonymous (roughly translated - "college kid"). His main contributions on github are to his own website and some sparse contributions to a project called "whonix" (from his blog you'd imagine he was one of the key developers...). Check for yourself - yes always check your sources before reposting them.
He put up a typically sensationalist, skewed and narrow focused, not to mention ill-researched, article on OpenBSD - the usual attempted destruction, laden with rhetoric and security buzzwords.
His articles read like compilations of other material from other sources. Someone posted to openbsd-misc quoting that one and it, rather unsurprisingly, attracted little interest among software developers who actually understand security and actually write code.
We need to see Mr Anonymous' code contributions first... and of course his patches to address all of these issues he found in OpenBSD and other OS and web browsers - to date there haven't been any. The poster of the article on OpenBSD misc was a clear troll - he addressed mailing list users as "fans" from the off, then when failing to get a bite, resorted to a tangential attack regarding cryptography, before exposing himself completely, and going off on more tangents trolling about Linux and systemd, etc. He was the only individual who reposted that worthless article on OpenBSD's mailing list.
Mr Anonymous' biggest success has been in finding willing dupes to quote and repost his agenda driven FUD all over the web. How naive do you have to be, to have your opinions and personal choices continually swayed by random bloggers...?
So only the misinformed and obvious trolls are reposting links to this particular blogger's articles.
Quote:
chromium is technically superior from a security standpoint. But that's all about its design - not the number of CVEs.
That's precisely my point (and what the security researcher wrote). Read more carefully next time, would you?
Let me get this straight. This person writes a long post explaining in much technical detail how Firefox is inferior to Chrom(ium) from the security perspective. While you agree with the statement, and can't refute any of the statements, you claim (anonymously) that this person's writing is worthless because he's anonymous, and doesn't have enough contributions on github (under his account)? He also links 9 other security researchers writing on this topic, which you ignore.
If you are really paranoid use a VM, run whatever browser you want and browse whatever site you want and destroy the full VM when you are done. Or just open every page/site in another VM. That is definitely safer than a sandbox.
Anyway, security always depends on the user [and usage, configuration] and must not rely only on any tool (and default settings).
You're either trolling (badly) or you have reading comprehension problems, or both.
Read and digest what the "security researcher" wrote as many times as you like. Knock yourself out - if you want to get your information from random anonymous blogs, probably posted by college kids, then be my guest. Once again: That "blog" did not get a single response when posted by a troll on the OpenBSD mailing lists. Most could see it for what it was - click bait for the fickle and gullible. Ilja van Sprundel's actual research did, and resulted in patches and vulnerabilities being fixed.
I've seen and read enough of the sources, most being reddit, twitter (two corporate reps) and other trolls' blogs from between 2015 and 2017; the last "researcher" admits he doesn't know the difference between firefox and chromium from a security perspective. I don't care to read any more of it. Ironically, the most relevant citation about firefox and chromium is Theo de Raadt's posting from 2018 (ironically that's the lead developer of the OS he set out to defame and debase in another blog entry). The others are mostly one liners and all are about the "tor browser bundle" - the tor browser bundle is primarily about privacy, which is why it uses firefox and not a product from the biggest data mining and telemetry shop in the world... did you honestly read any of the sources?
I know which of the sources are legit and which are on the payroll of some interested party and which are just skewed opinion pieces from random individuals. I've also come across numerous other sites over the years (one of which is his main source for the OpenBSD posting) - they deploy weasel words, cherry picked "facts" and are completely worthless. They set out to reach a conclusion and then proceed to fill in the blanks around that, then throw a bone, as a footnote to give the illusion of fairness.
You have descended through a chain of attacking firefox in Debian, supposedly considering moving to chromium, then attacking Debian after you supposedly discovered that chromium is unmaintained and has all those CVEs listed against it. You've brought this incredible material into it in an attempt to bolster your case. The material would have some merit if your focus was on firefox insecurity and comparisons with chromium - that is not the case. Your intent has been to attack Linux and these threads of yours are just you laying the foundations for those attacks.
//edit:
Your original intent was to simply attack Debian and other Linux distributions, as you have been doing in your now numerous troll threads at this site:
In those two recent ones, you've now played your hand and it's up to others here to decide if they actually want to continue wasting their time making legitimate responses...