I personally like flatpak and its build system. Flatpak applications are sandboxed by default and don't require root during any part of installation, reducing the risk of malicious/broken software damaging the host. They also are available for basically any base distro, meaning i can use the same apps if a ever distrohop and i can even just copy over the config folders as if nothing happened.
It's a panel of tests for browsers. It isn't the clearest what each mean (without doing a little research) and not all categories and subcategories have equal importance. I still like this website though just for the listed information.
It seems like an interesting setup. I don't really have too much to say other than nitpicks.
Why not use Mullvad browser for both scenarios. Mullvad with security level safest should block all JS. You could create a 2nd profile for safest only mode.
Using Linux .desktop launcher scripts, you could:
Create a .desktop launcher (in ~/.local/share/applications/) for each profile
Edit default desktop launcher to always prompt to choice profile on start (using the launch option -P)
Edit the default launcher to offer a menu option for each profile.
Related to your choice of host OS, I personally avoid Debian for desktop because it is slow to adapt (cus its Debian). I know it isnt directly applicable to situation since your main concern seems to be anti-fingerprinting, but a secure base is important. I'd like to know your reason for picking it. I don't dislike Debian and I still use it for different things (mostly VMs and some dev work).
I think it may also help some people to create simple decision flowcharts to help with acting consistent and avoid making simple mistakes with a complex threat model. Basically a scenario and the decision tree. Say for example someone is using QubesOS and needs to keep consistent what each qube is for and why.
Of course creating charts that show your strategy and make your decision predictable is itself just even more privileged information you now need to protect.
Also, any effective threat model also requires consistent reevaluation to assess the effectiveness of your methods and adjust with the evolution of threats.
It wont be a problem because from the Live USB you can mount the encrypted drive in the file explorer app (Dolphin on KDE) after supplying the encryption password.
If you are relying on community sandboxing profiles and not making your own, i can understand why Firejail is interesting as a choice because of its large community.
If you are making your own, consider checking out Bubblewrap (available on most Linux systems), Bubblejail), Crablock, and Sydbox, which all use unprivileged sandboxes.
It really isnt any defense. All a website can do is initiate a download, websites are sandboxed by default. You still have to run the executable, which doesnt really apply to Linux because the file will have no executable permission.
This made me immediately think of how old American homes in the back of the mirror cabinet of the bathroom just had a slot that fed into the space between the drywall so you could through your razerblades away. Good luck to the renovators in 50 years when they need to remove that drywall and pick up a thousand rusty butterfly-style razerblades. Can't throw those suckers in a plastic trashbag either cus it'll cut right through.
Understandable, thank you for your (and contributor's) work on this project. I am happy that i dont need to compile Fennec with hardening from source for each update.
My logic was that it is much more likely that someone will spoof there useragent already if they are on Linux. If threat actor is targeting not just Windows but also Linux, they probably would understand the very real likelyhood of platform spoofing.
To a slightly lesser extent, Id also suggest avoiding noscript for the same reason. uBlock Origin can do everything that NoScript can and NoScript contributes as a metric to create your overall fingerprint. If need strong protection against fingerprinting, use Mullvad or Tor Browser. Use Librewolf if you need to customize, or want to change the defaults.
That isnt a great defense against malware "imho". Security through assuming the threat actor is lazy is just not security. It doesnt take like any effort on their part to just use some off-the-shelf OS fingerprinting code. It isnt worth it either because it contributes to your overall fingerprint, since normal RFP users have a standardized useragent for Windows and Linux separately.
Secondly, do you block all JS? NoScript is not a silver bullet and doesnt stop fingerprinting, it is itself identified by the CreepJS test site. It may in this case reduce the chance of OS fingerprinting, but pure CSS methods exist as well.
Additionally, NoScript is laregly redundant with uBlock Origin since you can do everything that it offers, such as blocking 3rd party scripts/iframes/all, block fonts, block JS, and it is very granular.
It is trivial to identify OS platform because browser work differently on each platform. Wjat Librewolf does with useragent on Linux actually is makes users stand out more because it isn't what privacy.resistFingerprinting (RFP) reports on normally.
Hackers (like the comment scenario i was responding to) are substantially more likely to employ platform fingerprint than trust a fale useragent. And loads general websites employ fingerprinting, meaning deviation from default RFP behaviour makes you stand out (more than you already do by using RFP since it is a small pool already).
N.E.P.T.R @ Neptr @lemmy.blahaj.zone Posts 4Comments 242Joined 8 mo. ago
I personally like flatpak and its build system. Flatpak applications are sandboxed by default and don't require root during any part of installation, reducing the risk of malicious/broken software damaging the host. They also are available for basically any base distro, meaning i can use the same apps if a ever distrohop and i can even just copy over the config folders as if nothing happened.