I also experience with Secureblue, so here are my answers:
I used GNOME because it is the only DE that protects the screen copy API. I used GNOME extensions because native methods of customizing UI/UX are very limited.
I personally re-enabl Xwayland because many apps (eg Steam) still use/require XOrg.
Yes I recommend use and recommend Bubblejail as a simple way of sandboxing some apps. Not a "super tight" but much better than unsandboxed. FYI, AppImages don't work with Bubblejail, or Secureblue (cus they remove the unmaintained FUSE dependency).
Fingerprinting is a complex beast and nearly impossible protect against. RFP (created and upstreamed by Tor Browser) protects and normalizes most fingerprintable metrics (timezone, display viewport dimensions, user agent, audio devices, installed system languages/fonts, etc) to a stable value for each Firefox version. Canvas is the only metric which is randomized. The purpose of this is to create a shared stable browser fingerprint for all RFP users, creating a crowd for people to blend in with each other.
While RFP is strong, its anti-fingerprinting strategy was created for Tor Browser, which users are not supposed to customize. The same can not be expected of all other Firefox users, resulting in most users being much easier to distinguish from each other. RFP also can cause some site breakage and doesnt offer a granular way to toggle specific features per website (eg. Canvas protections breaks your webcam in conference calls).
There is no good solution. Best options are use Firefox (or a fork like Librewolf) for casual use, and Mullvad/Tor Browser for more critical situations. Always use uBlock Origin (except with Tor).
On the Chromium-side, Cromite and Brave randomize some fingerprintable metrics, but they aren't as exhaustive and aren't upstreamed to Chromium (for obvious reasons).
Online tests of uniqueness are skewed by the population who uses them, aka privacy-conscious aren't the typical user even if a dataset overrepresents.
My point was introducing Canvas noise isnt going to make you less fingerprintable, actually quite the opposite. Firefox's RFP is much better at normalizing fingerprintable metrics and is native. Canvas is one of many many other fingerprinting vectors.
If you go the route of trying to protect against fingerprinting through randomization, use the extension JShelter which seems to do much more noise than Canvas blocker does. I am still very skeptical of it (and other anti-fingerprinting extensions) because of how complex fingerprinting is.
Not an exhaustive solution which results in easier unique fingerprinting. Plus Firefox already randomizes Canvas noise with both FPP or RFP modes (FPP is default).
Only use it if you (can) read the the Flatpak manifest and make sure its safe. Clone the repo and build it yourself locally if you trust the code but want to recheck each update.
Docker guest still shares a kernel with host. Use a custom OCI runtimes like kata-containers (VM) or gVisor/sydbox-oci (unprivileged application kernel) to reduce the kernel attack surface and protect against privelege escalation.
Just because a system doesnt have a CVE doesn't make it secure. It needs proper exploit mitigations. Read why Linux isn't secure here.. The article is written by the lead developer of Whonix OS (Security hardened Debian with a focus on anonymity). If you had checked out any of the references from my previous comments you would have learned more about why I have this opinion.
Kali isn't any more secure than regular Debian, while also having a larger attack surface, and no kernel hardening, protecting of GUI, or application isolation. What makes it "secure"?
N.E.P.T.R @ Neptr @lemmy.blahaj.zone Posts 4Comments 242Joined 8 mo. ago
Nah I did too.