How secure is Internet browsing in Bookwormpup?

[JusGellin]

I was wondering how safe is internet browsing since the browser is run as root. I see there is a firewall that is on. Is there anything else I need to do for this or be concerned about? I'm using Bookworm Pup64.
Thanks

[mikeslr]

OOTB, questionable.
And it doesn't matter whether you run as Root or Spot. A dedicated hacker targeting you can evade spot's folder restriction. The same applies to 'Major Distros' insistence that you run as 'User', and even if you employ a firejail. If you're really concerned, run web-browsers in a container --i.e. use EasyOS-- or a Chroot. But note the last paragraph regarding maximizing Pupmode 13's security potential.

If you're referring to Bookworm's firefox-esr there are several things you can do to enhance security and privacy. I recommend running any Puppy under Pupmode 13. See, https://www.forum.puppylinux.com/viewto ... 183#p97183. Under Pupmode 13 nothing is preserved unless you want it. Just shut-down without Saving. If you need to preserve something, do so after rebooting and before accessing the internet: download to a safe place, reboot, install.
firefox, both 'regular' and esr, offers many addons among them those it's evaluated and recommends. These are the ones I use:

Privacy & Security.png (142.35 KiB) Viewed 545 times

Most you just install. A couple have to be configured once. Clear Browsing Data and Clear Cache I add to the Toolbar and use frequently as I surf. Cache builds up in RAM, very quickly. Its not for your benefit: its so that web-sites don't have to download data again. By Clearing Browsing Data often the chance that all necessary components to assemble malware will be on you system at the same time is reduced.

As PupMode 13 has no effect on Portables run from Storage, the Addons --particularly Ublock Origin and Privacy Badger-- are particularly important.

Chromium and it 'clones' --including Google-Chrome-- offer similar addons, but called extensions.

Maximizing PupMode 13's Security Potential: Puppy's 'weak-link' is its SaveFile/Folder. It alone is write-able. OOTB Bookworm's firefox is contained in its adrv.sfs. This is a READ-ONLY file-system. However, changes to it will be written to your SaveFile/Folder. Before 'fleshing out' any Puppy except to establish any necessary wifi settings and desktop configurations, you can use the Save2SFS module of nicOS-Utility-Suite, https://www.forum.puppylinux.com/viewto ... 983#p12983 to (a) enhance firefox with addons, configure it and add your bookmarks and/or (b) include another web-browser of your choice --even portables at /opt; then run Save2SFS to modify the adrv.sfs.

When thereafter you boot 'pfix=ram' after boot-up ALL partitions are dismounted posing two hurdles to hackers and creators of malware: (a) having to mount partitions; then (b) having to modify READ-ONLY files. If Puppy is booted from a USB-Stick, you can unplug the Stick creating a hurdle that can't be overcome. Slightly less secure would be to mount a drive/partition other than that on which Puppy is located. From that partition you can load SFSes and LAUNCH portables; and onto that partition you can copy just the data you want to preserve.

[JusGellin]

Great! Thanks for all that good informaton. I'm fixing mine now.

[mikewalsh]

@JusGellin :-

As they come, OOTB, the Chrome, Brave and Ungoogled_Chromium 'portables' all run-as-spot, with their own self-contained, 'mini'-spot directories for the browser profile. The profile is written within the browser directory; any downloads, etc, are written to /home/spot (which is nowadays linked into /root/spot. /root/spot used to be its own directory, but Google themselves put paid to that some years ago; we had to modify Puppy to make it compliant with the operating method Google expected everyone to be using.....i.e., running as "just a user".)

Brave is not directly related to Chromium/Chrome, but it, too, seems to hate running as root.....thus, we took the decision to make it run as spot. Much simpler when you're not trying to fight the thing..!

The Iron-, SlimJet-, Opera- and MSEdge-portables all run as root, though I have added the ability to Iron and Slimjet for the user to decide whether they want to run as root OR as 'spot'.

(With the Chromium 'clones', if running as spot the internal sandboxing is all enabled. When running as root, it's disabled....)

Mike.

[JusGellin]

Thanks @mikewalsh
This will help to know when I try some of those other browsers.

[dancytron]

I've never done it because i don't care that much and just aren't doing anything that important, but I've always thought the most secure setup for chrome type browsers would be to put the portable app in an adrv or remastered into the main sfs in /opt and then delete the cache, remaster and put the chrome user settings in there too. Then remaster it every time you update chrome or make a serious change in your user settings.

Then run pupsave13 with everything in ram, don't mount anything and don't save.

[wizard]

Note that Chrome is now blocking the install of Ublock Origin. Think this also applies to AdBlock. Also means that the Chrome derivatives are blocked. See more details here: https://www.pcmag.com/news/rip-ublock-o ... extensions

You may be able to get around this by manually installing Ublock, haven't tried it yet.

In the meantime "Hello Firefox"

wizard

[williwaw]

but I've always thought the most secure setup for chrome type browsers would be to put the portable app in an adrv or remastered into the main sfs in /opt and then delete the cache, remaster and put the chrome user settings in there too. Then remaster it every time you update chrome or make a serious change in your user settings.

Then run pupsave13 with everything in ram, don't mount anything and don't save.

If I understand your thinking, you would put both the executable and the configs in .cache and .config into a readonly filetype?
Just curious if there has been a case reported where something malignent has corrupted the executable itself or whether the risk for infection lies entirely within the configs and cache?

[dancytron]

but I've always thought the most secure setup for chrome type browsers would be to put the portable app in an adrv or remastered into the main sfs in /opt and then delete the cache, remaster and put the chrome user settings in there too. Then remaster it every time you update chrome or make a serious change in your user settings.

Then run pupsave13 with everything in ram, don't mount anything and don't save.

If I understand your thinking, you would put both the executable and the configs in .cache and .config into a readonly filetype?
Just curious if there has been a case reported where something malignent has corrupted the executable itself or whether the risk for infection lies entirely within the configs and cache?

Just .config. Delete .cache before you remaster or run save2flash.

[williwaw]

In the meantime "Hello Firefox"

wizard

I have been blocking ads globally with dns configured on the router
https://www.opennic.org/ click "view all"
not all DNS servers block ads, but lately Iiberops has worked well

[mouldy]

My notion of probably the most absolutely secure way to surf, first make your own modified iso with stuff you need, ad blockers, etc. Then burn it to dvd and boot from that with no save file. Have at it hackers, cant modify a burned dvd that doesnt allow further additions. At best you might corrupt the dvd, but first would have to even figure out somebody is running from a live dvd. And guess even further get a dvdrom without writing capabilities to boot the dvd. Now try it, cant even corrupt the dvd. LOL At best you might crash somebody's system, but you arent going to modify it.

Honestly though if you arent stupid in use of internet, highly unlikely you will ever have security problems. Most problems are from users making stupid decisions. Not from lack of safety measures built into the system.

[wizard]

@mouldy

dvd that doesnt allow further additions

If you don't have an optical drive, a USB created in ISO-9660 format will do the same.

wizard

[JusGellin]

Thanks to everyone for all your ideas on this.
I really like knowing how others think about this and it is beneficial for any that look in too. There are things to think about and try or not.