Icecat and ungoogled chromium in a container

Icecat and ungoogled chromium in a container

[Gottfried]

[-- Attachment #1.1.1: Type: text/plain, Size: 626 bytes --]

Hi

1.
would it be a significant improvement for security if I used
Icecat and ungoogled chromium always in a container?
(I am using Icecat with the Tor browser)
(Or at least ungoogled chromium).

2.
If I am using an external hard-disk with USB connected to my laptop
can somebody/or a programme when I am using icecat/ungoogled chromium or 
simply being connected to the Internet,
access my data on the external hard-disk, which I have connected to my 
laptop?

Would it be better to connect my external harddisk with my data
only if I am not connected to the router/Internet.

Kind regards

Gottfried


[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3191 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

Re: Icecat and ungoogled chromium in a container

[Dr. Arne Babenhauserheide]

[-- Attachment #1: Type: text/plain, Size: 671 bytes --]


Gottfried <gottfried@posteo.de> writes:
> would it be a significant improvement for security if I used
> Icecat and ungoogled chromium always in a container?
> (I am using Icecat with the Tor browser)

I’m not sure about security of a container there — it could help if
there’s an unpatched vulnerability in icecat, but not so much otherwise.

But what can already help a lot is having a separate profile. Here’s an
example script that creates a locked-down profile on the fly:

https://github.com/hyphanet/browser/blob/main/freenetbrowser.in#L177

Best wishes,
Arne
-- 
Unpolitisch sein
heißt politisch sein,
ohne es zu merken.
draketo.de

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 1125 bytes --]

Re: Icecat and ungoogled chromium in a container

[Gottfried]

[-- Attachment #1.1.1: Type: text/plain, Size: 890 bytes --]

Hi,

thank you.

I downloaded this file with wget.

But how can I now use it? What do I have to do?

Is it only for icecat? or can I use it also for chromium?

Kind regards

Gottfried


Am 01.03.23 um 18:04 schrieb Dr. Arne Babenhauserheide:
> 
> Gottfried <gottfried@posteo.de> writes:
>> would it be a significant improvement for security if I used
>> Icecat and ungoogled chromium always in a container?
>> (I am using Icecat with the Tor browser)
> 
> I’m not sure about security of a container there — it could help if
> there’s an unpatched vulnerability in icecat, but not so much otherwise.
> 
> But what can already help a lot is having a separate profile. Here’s an
> example script that creates a locked-down profile on the fly:
> 
> https://github.com/hyphanet/browser/blob/main/freenetbrowser.in#L177
> 
> Best wishes,
> Arne

-- 



[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3191 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

Re: Icecat and ungoogled chromium in a container

[Wojtek Kosior via]

[-- Attachment #1: Type: text/plain, Size: 5417 bytes --]

> Hi,
> 
> thank you.
> 
> I downloaded this file with wget.
> 
> But how can I now use it? What do I have to do?
> 
> Is it only for icecat? or can I use it also for chromium?
> 
> Kind regards
> 
> Gottfried

It seems the file Arne showed you is a shell script (well, bash
script). This script can be used to configure a Firefox-based browser
to access a peer-to-peer filesharing network called "Freenet".

I believe Arne didn't want you to run this script as-it-is (it's not
a Freenet-related thread, after all). He probably wanted you to take
inspiration from a part of it that creates and configures an actual
Firefox profile and starts the browser with it. Here's the relevant part

#+BEGIN_SRC shell-script
# if the profile does not exist yet, create it
if ! test -d ${PROFILE_DIR}; then
    mkdir -p ${PROFILE_DIR}
    # setup freenet as proxy and optimize settings
    cat > ${PROFILE_DIR}/prefs.js <<EOF
//Firefox Default Settings
//set proxy server settings
user_pref("network.proxy.http", "$IP");
user_pref("network.proxy.http_port", $PORT);
user_pref("network.proxy.ssl", "$IP");
user_pref("network.proxy.ssl_port", $PORT);
user_pref("network.proxy.gopher", "$IP");
user_pref("network.proxy.gopher_port", $PORT);
user_pref("network.proxy.ftp", "$IP");
user_pref("network.proxy.ftp_port", $PORT);
user_pref("network.proxy.socks", "$IP");
user_pref("network.proxy.socks_port", $PORT);
user_pref("network.proxy.no_proxies_on", "127.0.0.1:8080"); // allow FMS
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks_remote_dns", true);
// optimize settings for Freenet
user_pref("browser.urlbar.showSearchSuggestionsFirst", false);
user_pref("network.http.max-persistent-connections-per-proxy", 640);
user_pref("network.http.max-persistent-connections-per-server", 240);
user_pref("network.http.max-urgent-start-excessive-connections-per-host", 100);
user_pref("network.http.tcp_keepalive.long_lived_connections", false);
user_pref("network.http.tcp_keepalive.short_lived_connections", false);
user_pref("network.proxy.share_proxy_settings", true);
EOF
fi

BROWSER=$(command -v icecat || command -v waterfox || command -v firefox)

# actually start the browser
# if the first argument is zero, start the default page.
if test -z $@; then
    $BROWSER --profile ${PROFILE_DIR} --no-remote --new-instance http://freenet.local
elif test x"${1:0:4}" = x"USK@" || test x"${1:0:4}" = x"SSK@" || test x"${1:0:4}" = x"CHK@"; then
    $BROWSER --profile ${PROFILE_DIR} --no-remote --new-instance http://freenet.local/$1
else
    $BROWSER --profile ${PROFILE_DIR} --no-remote --new-instance $@
fi
#+END_SRC


In case you don't know: profiles are a feature that allows you to have
multiple browsing environments with just one browser. For example, if
multiple family members are using a single user account on a single
computer, you can have each of them use a separate browser profile.
This way each person can have a separate set of bookmarks, browser
extensions, remembered passwords, browsing history, etc. Independently
of other users.

Probably the more common way of utilizing browser profiles is for one
person to isolate different tasks for better security and privacy. For
example, I have one browser profile with some privacy-enhancing flags
turned off so that I can develop webgl animations in it. And separate
from that, I have another profile for normal browsing.

Although Chromium-based browsers also allow you to use profiles, this
script from Arne is Firefox-specific.

I hope I clarified things a bit :) In case you want to experiment with
profiles, you can navigate to about:profiles in your browser. Shell
scripts are not necessary unless you desire to automate something ;)

Wojtek

P.S. Arne, this looks pretty useful. Do you also happen to know ways to
install Firefox extensions and configure per-site cookie settings from
a script? I'd be very happy to have a way to do it without having to
run Selenium ;)

-- (sig_start)
website: https://koszko.org/koszko.html
PGP: https://koszko.org/key.gpg
fingerprint: E972 7060 E3C5 637C 8A4F  4B42 4BC5 221C 5A79 FD1A

♥ R29kIGlzIHRoZXJlIGFuZCBsb3ZlcyBtZQ== | ÷ c2luIHNlcGFyYXRlZCBtZSBmcm9tIEhpbQ==
✝ YnV0IEplc3VzIGRpZWQgdG8gc2F2ZSBtZQ== | ? U2hhbGwgSSBiZWNvbWUgSGlzIGZyaWVuZD8=
-- (sig_end)


On Thu,  2 Mar 2023 14:27:41 +0000
Gottfried <gottfried@posteo.de> wrote:

> Hi,
> 
> thank you.
> 
> I downloaded this file with wget.
> 
> But how can I now use it? What do I have to do?
> 
> Is it only for icecat? or can I use it also for chromium?
> 
> Kind regards
> 
> Gottfried
> 
> 
> Am 01.03.23 um 18:04 schrieb Dr. Arne Babenhauserheide:
> > 
> > Gottfried <gottfried@posteo.de> writes:  
> >> would it be a significant improvement for security if I used
> >> Icecat and ungoogled chromium always in a container?
> >> (I am using Icecat with the Tor browser)  
> > 
> > I’m not sure about security of a container there — it could help if
> > there’s an unpatched vulnerability in icecat, but not so much otherwise.
> > 
> > But what can already help a lot is having a separate profile. Here’s an
> > example script that creates a locked-down profile on the fly:
> > 
> > https://github.com/hyphanet/browser/blob/main/freenetbrowser.in#L177
> > 
> > Best wishes,
> > Arne  
> 



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: Icecat and ungoogled chromium in a container

[Dr. Arne Babenhauserheide]

[-- Attachment #1: Type: text/plain, Size: 1537 bytes --]


Wojtek Kosior <koszko@koszko.org> writes:
>>> https://github.com/hyphanet/browser/blob/main/freenetbrowser.in#L177

> It seems the file Arne showed you is a shell script (well, bash
> script). This script can be used to configure a Firefox-based browser
> to access a peer-to-peer filesharing network called "Freenet".

To be precise, it’s the automake source file for such a shell script,
but the essence is correct :-)
(especially since I actually don’t use the features automake provides)

> I believe Arne didn't want you to run this script as-it-is (it's not
> a Freenet-related thread, after all). He probably wanted you to take
> inspiration from a part of it that creates and configures an actual
> Firefox profile and starts the browser with it.

Yes, that’s what I meant.

> P.S. Arne, this looks pretty useful. Do you also happen to know ways to
> install Firefox extensions and configure per-site cookie settings from
> a script? I'd be very happy to have a way to do it without having to
> run Selenium ;)

I can’t tell you off-hand, but you can find most of such configuration
by starting with a specialized script like the configured one and then
only installing the extension and the settings you need. Many parts of
the configuration are in plain text. That’s how I found those settings
here :-)

Though not everything is as convenient as the parts I configure
automatically.

Best wishes,
Arne
-- 
Unpolitisch sein
heißt politisch sein,
ohne es zu merken.
draketo.de

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 1125 bytes --]

Re: Icecat and ungoogled chromium in a container

[Philip McGrath]

Hi,

On Wed, Mar 1, 2023, at 11:30 AM, Gottfried wrote:
> (I am using Icecat with the Tor browser)

I’m not sure I understand your configuration, and I rarely use Tor myself, but I wanted to make sure you’re aware that changing even innocuous-seeming settings can expose you to fingerprinting risks:

https://blog.torproject.org/browser-fingerprinting-introduction-and-challenges-ahead/

There’s an especially concise summary at
<https://support.torproject.org/tbb/tbb-14/>:

> If your copy of Tor Browser has a unique fingerprint, your browsing activities can be deanonymized and tracked even though you are using Tor Browser.
>
> Basically, each browser's settings and features create what is called a "browser fingerprint". Most browsers inadvertently create a unique fingerprint for each user which can be tracked across the internet. Tor Browser is specifically engineered to have a nearly identical (we're not perfect!) fingerprint across its users. This means each Tor Browser user looks like every other Tor Browser user, making it difficult to track any individual user.

-Philip