Mastodawn

How do security-aware people feel about downloading and installing web browsers from "the Internet"? For example, for FreeBSD there is Pale Moon, but there is no port/package for it. On Linux, at least some distros don't have LibreWolf. So, you have to go and download these from their respective websites. (Well, on Linux I could maybe use DistroBox if I could find a LibreWolf package in another distro.)

I'm sure bad actors could manage to hide malicious code in packages that you get via your OS/distro repos as well, but it feels a little bit more secure when someone from the OS/distro has gone through the trouble of creating and releasing a package via their own package system.

Basically, how can I trust a tool I download from the Internet with quite sensitive data?

Am I just being naive? Should I *always* run all web browsers inside jails or use flatpaks etc so they can't access files in my $HOME dir etc?

#security #librewolf #palemoon

Show thread

Dendrobatus Azureus

@dbdemon

In short

Nothing from the internet should be trusted

From that perspective it would mean that you would have to write / program all code of everything that you need yourself, including the whole Operating System and all the kernel modules.

In reality that's not doable

You take the same amount of risks when you use a distribution. Provided that you download those sources from the websites from the coders themselves.

You're not being naive, you asking a valid question however it's a chicken egg conundrum

#InfoSec #payload #malicious #Source #programming #POSIX #BSD #Linux

Show thread

clever boi Jul 24

@dendrobatus_azureus @dbdemon Well said all around.

I think the answer to the original question is, yes, your browser should be jailed. Nothing should have access to HOME that doesn't explicitly need it.