What's the best way to container multple web browsers for security?

jessepage1989 · February 3, 2018, 3:31pm

Running ubuntu 16.04 on my old latitude e6410. I’m looking to be more security conscious when it comes to online transactions and banking. Was looking for a method a little lighter than running multiple VMs. I have no idea what other methods there are now. I’ve heard of docker and flatpak and snap but I’m not sure exactly how they work or if they are a viable option for such compartmentalization. What are you suggestions? I would be looking at running 3 or 4 different isolated instances of firefox.

anon79053375 · February 3, 2018, 3:55pm

Ublock Origin, Ghostery, https, verify certificates.

Docker is far from security in most cases. Running nested VMs isn’t going to protect against a keylogger or someone breaching your bank’s database.

Maybe I don’t understand what you’re asking…

glang0 · February 3, 2018, 3:59pm

I recommend some unprivileged LXC containers. Because they provide better security and isolation over the basic UNIX chroot. You can also look into this, though I have never done it myself: http://blog.z3bra.org/2016/03/hand-crafted-containers.html#

Baz · February 3, 2018, 4:16pm

There’s firejail that has ootb profiles for firefox and chromium, it can even run the containerized programs isolated from the rest of your X environment by using Xephyr.
Iirc it doesn’t isolate multiple instances of the same program tho, for that there’s another easy solution, SELinux sandboxes, but for that you need SELinux and the appropriate software packages, which are available in CentOS, Redhat & Fedora.

anon37371794 · February 3, 2018, 6:15pm

IMO with a desktop PC the best way is to use a couple (or a number) of small SSDs with a Linux install on them, which you put in a hotswap bay so you can boot from them. That way you don’t have to worry about having a keylogger in your main OS.
That’s basically how I set mine up.

With a laptop … well … yours has a DVD tray so you can get a caddy in which you mount the SSDs.
It’d be a lot more work than a regular hotswap bay and it’ll be slower due to having to reboot instead of just firing up a VM, but it is doable.
The question is how much convenience you’re willing to give up for increased security.

nx2l · February 3, 2018, 6:35pm

qubesOS

alwaysFlOoReD · February 3, 2018, 8:24pm

Could you use an USB docking station for the SSD? Rather than removing the dvd drive.

pokgak · February 3, 2018, 9:11pm

There’s a workshop during the recent LinuxConf Au that talks about using LXC to contain apps on desktop.

cotton · February 4, 2018, 4:50pm

I think this OS may do exactly what I’m describing in the thread below. Have you use this OS?

Considering switching to rolling release disto

Okay okay okay. On lasting idea then I’ll stop bothering L1T with this. Let’s hypothetically say I run a headless proxmox box. It has a Winderz 7 install, a git server and a FreeBSD box. On the FreeBSD box install X, Gnome, and an RDP client. At this point I’ll have a physical Linux box, who cares the distro it’s a burner) and I can ssh into the FreeBSD box which is my baby. I would never save anything totnhe burner box. I’d wipe it and reinstall when it needed to be updated. My question is - from the burner box can I ssh into the FreeBSD box start X and GNOME and have a full desktop? I’d just admin the Winderz box off the BSD box assuming I can get an x session and GNOME interface via ssh from my burner box. Can you do that? Install X on a box and GNOME ssh into it and start a full GUI?

nx2l · February 4, 2018, 5:27pm

Proxmox or Qubes?

cotton · February 4, 2018, 5:30pm

Qubes

nx2l · February 4, 2018, 5:32pm

Used it briefly months ago… I been wanting to convert over to it… but I havent had the time to yet.

anon37371794 · February 4, 2018, 6:36pm

That could be possible as long as you’re using Linux (Windows has issues booting full installs from USB).

jessepage1989 · February 6, 2018, 11:31pm

That’s a good point. I have an esata port on the laptop I could just get a dock and some cheap old 64gb ssds