Off-Topic > Off-Topic - Tiny Tux's Corner
FIrefox is the most insecure browser?
JoXo009:
--- Quote from: bmarkus ---And the user itself is one of the most risky element in the system.
--- End quote ---
Yes and no.
Yes, in terms of 'safer-unsafer' it is the user. A user unaware of the 1,000 different security risks may be 99% unsafe wheras a skilled user may be 1% unsafe only.
But in terms of 'how to eleminate 99% of these 1,000 different risks alltogether' it's not the user, it's always the system. And succeeding in this category would create security for the unskilled user too.
So let's talk about this system security and about the main problem, insecurty coming through the web.
How about putting the web into a sandbox, just by using a virtual machine.
Deleting all network connections of the host machine - browsing etc only from within the virtual machine.
And using two virtual machines - one for crazy browsing, one strictly for banking only.
--- Quote from: jpeters ---For instance, ... entering of passwords via the keyboard.
--- End quote ---
I think, even a keylogger - working in the 'crazy browsing virtual machine - wouldn't be able to log keyboard input into the banking virtual machine.
As long as there is no bug chain (bug for highjacking the machine and bug for breaking out of the virtual machine) that seems technically safe.
Or do I oversee anything?
---------- edited
--- Quote from: tclfan ---... let us say fresh reboot TC, start browser and start online banking.
--- End quote ---
Think, you are right. Never mind which browser using, this seems technically safe too.
And TC is ideal for that purpose.
Either by usb or as a super small system working within a virtual machine.
tclfan:
JoXo009:
I think this is absolutely great idea. I have been using this for years, starting with VMware player and VMware provided original secure browser based on stripped Ubuntu, then creating a virtual machine xubuntu, zenwalk, etc...
Here I do not want to get into discussion which is better - VMware or VirtualBox. I am testing the VB 3.1 and I am not taking any position at this point...
I did not go as far as your idea of disabling internet connection on the host machine, though, but such idea is great if we can get away with it...
TC virtual machine should have additional value that pristine state can be automatically restored on each boot of Virtual Machine, so 'crazy' browsing would be harmful only for the current session...
On the keyloggers in VM, they would most likely not be able to reach to host keyboard or keybord in other VMs, just curious if any keylogger on the host is able to read keystrokes in VMs...
jpeters:
Example of a fradulent email, allegedly from the FDIC:
You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets. You need to visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage:
Visit FDIC website
Download and open your personal FDIC Insurance File to check your Deposit Insurance Coverage
JoXo009:
--- Quote from: jpeters ---Example of a fradulent email ... Download and open your personal ... File
--- End quote ---
Just a provacative question: Why not open it?
Naturally I wouldn't open that email - not because I fear a virus, but because I don't like to waste my time on such kind of mail. But that's another aspect.
We are talking about security and from the security point of view to my opinion it's absolutely contraproductive to seek for security on the level of human behaviour.
What's needed is a technical solution to open even fradulent email without risking the ballance of your bank account.
As explained by tclfan it's possible with a TC usb install - after plugging it off, anything is away.
And it's possible with the sandbox environment of a virtual machine - after restoring last snapshot anything is away.
It doesn't matter which browser you use, it doesn't matter if an email is faked, it doesn't matter if an infected web site has become a new drive-by attacker.
With the solutions described above you needn't to worry about, you are just safe for technical reasons.
Or did I overlook something?
jpeters:
--- Quote from: JoXo009 on December 12, 2009, 03:17:17 AM ---
We are talking about security and from the security point of view to my opinion it's absolutely contraproductive to seek for security on the level of human behaviour.
What's needed is a technical solution to open even fradulent email without risking the ballance of your bank account.
Or did I overlook something?
--- End quote ---
yes, phishing
Navigation
[0] Message Index
[#] Next page
[*] Previous page
Go to full version