Seeing how insecure web browsers are, what would be a good way to surf under Linux?
I have an account that I use only for GMail and my bank's website (the latter using a physical device answering a cryptographic challenge so nobody is abusing that [when wiring money to a new account number, the account number of the recipient itself is part of the cryptographic challenge, there's no MITM, no nothing that can work against that]).
Then I have an account only for browsing. The user owning this account on my machine has user ID 1007.
This user is not even allowed to connect to localhost. I don't want to know. All he can do is surf the web, using iptables like this:
iptables -I OUTPUT -m owner --uid-owner 1007 -j REJECT
iptables -I OUTPUT -m owner --uid-owner 1007 -p tcp --dport 80 -j ACCEPT
iptables -I OUTPUT -m owner --uid-owner 1007 -p tcp --dport 443 -j ACCEPT
iptables -I OUTPUT -m owner --uid-owner 1007 -p udp --dport 53 -j ACCEPT
Are there other simple things I could do to deal with the security hazard that these browsers are?
Things I could do about this user's home directory permissions? Disable his SSH? etc.
Basically I think I'd like to have an account that can "do nothing but run Firefox".
Or is there an easy, lightweight (lightweight as in "I don't necessarily want to virtualize a full OS just to run a browser") way to sandbox a browser?
In other words, I consider the "security" of all the browsers to be a bad joke and I regard running a browser basically the same as executing "omgWindozeServer2012Crack.exe" on my machine and I'd like any hint from people who are surfing in a "safer" way.
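To see what the four rules in the question permit once loaded, here is an added example (not part of the original post) that models them in Python. It assumes first-match evaluation and that `-I` without a rule number inserts at the top of the chain; the helper names and the sample packets are constructed for this illustration.

```python
import shlex

# The four commands from the post, in the order they are run.
COMMANDS = """\
iptables -I OUTPUT -m owner --uid-owner 1007 -j REJECT
iptables -I OUTPUT -m owner --uid-owner 1007 -p tcp --dport 80 -j ACCEPT
iptables -I OUTPUT -m owner --uid-owner 1007 -p tcp --dport 443 -j ACCEPT
iptables -I OUTPUT -m owner --uid-owner 1007 -p udp --dport 53 -j ACCEPT
"""

def parse(line):
    """Turn one iptables command into match fields plus a target."""
    tok = shlex.split(line)
    opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
    return {
        "uid": int(opt["--uid-owner"]),
        "proto": opt.get("-p"),  # None means any protocol
        "dport": int(opt["--dport"]) if "--dport" in opt else None,
        "target": opt["-j"],
    }

def build_chain(commands):
    """Each -I puts the new rule on top, so the last command is checked first."""
    chain = []
    for line in commands.strip().splitlines():
        chain.insert(0, parse(line))
    return chain

def verdict(chain, uid, proto, dport):
    """First matching rule decides; no match falls through to the chain policy."""
    for rule in chain:
        if (rule["uid"] == uid and rule["proto"] in (None, proto)
                and rule["dport"] in (None, dport)):
            return rule["target"]
    return "POLICY"

CHAIN = build_chain(COMMANDS)

if __name__ == "__main__":
    # Constructed sample packets: (uid, protocol, destination port, note)
    samples = [
        (1007, "tcp", 443, "HTTPS"),
        (1007, "tcp", 53, "DNS over TCP"),
        (1007, "tcp", 22, "SSH"),
        (1007, "tcp", 80, "port 80, any address"),
        (1000, "tcp", 22, "another user"),
    ]
    for uid, proto, dport, note in samples:
        print(f"{note:22} -> {verdict(CHAIN, uid, proto, dport)}")
```

The model has no address match because the rules have none, so the port 80 and 443 verdicts apply to 127.0.0.1 as well. `iptables` only filters IPv4, so the same rules are needed in `ip6tables` to cover IPv6.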
Wow, if you're that paranoid, here's something you might want to try.
Install PCLinuxOS 2007 onto a hard drive. Now update it, install your favorite programs, tune your personal settings, add your bookmarks, email accounts, software updates, and such.
When you get it to where you like it, then ( in PCLinuxOS ) do a remaster onto a CD or DVD ( sudo, remasterme ).
When finished, remove your remastered CD/DVD and shut your machine down.
You now have a live cd version of your operating system, WITH all of your personal settings and preferences.
For all subsequent boots and browsing sessions, you can now just pop your remastered CD/DVD into your machine, boot into the LiveCD ( or DVD ), and browse to your heart's content. You'll have your bookmarks, email account settings and all right there on the CD / DVD, which can't be overwritten. Viruses and trojans have not figured out how to write to a burn-once CD or DVD yet, so anything you get exposed to will not infect your system, as long as you do not mount any of your hard drives.
As you use your LiveCD/DVD, put any changes you want to keep ( emails you want to keep, new bookmarks, etc ) onto a flash drive.
Once a week, or once a month, update your LiveCD/DVD with the info you've been saving on the flash drive, and then remaster a new CD/DVD with your updates.
So now you have an operating system that works well, has all of your personal settings, bookmarks, emails and account settings, is portable ( you can most likely boot your LiveCD/DVD in most any other computer with a reboot ), can't be overwritten by malware since it's burned onto a CD/DVD, can be updated as often as you like, or not, and if you do update and remaster weekly, you now have weekly backups on the older remasters.
Just an option for you that should keep your browser and OS fairly safe.