Date: Tue, 24 Oct 2023 18:56:27 +0200
From: Martin Hecht <martin.hecht@...s.de>
To: oss-security@...ts.openwall.com
Subject: Re: with firefox on X11, any page can pastejack you anytime

On 20/10/2023 17:21, Turistu wrote:
> On Fri, Oct 20, 2023 at 03:27:41PM +0200, Solar Designer wrote:
>>
>> Or isolate Firefox to its own X server (or at least a separate one from
>> where you run terminal emulators managing important stuff), like it
>> happens when you run it in its own VM (or perhaps many instances of it
>> in many VMs) on Qubes OS.  Indeed this also removes the convenience of
> 
> If you do that, notice that you will also have to run a window manager
> inside that separate X server, because firefox (which never implemented
> the X11 and icccm protocols correctly) needs a wm in order to function
> properly (more precisely a point-to-focus wm or one that simulates
> point-to-focus just to keep firefox and some other horrors like old atk
> java apps happy).

there was a recommendation to run firefox as a different user, e.g. 
firefox, some time ago:
https://seclists.org/fulldisclosure/2014/Jun/84

this firefox user doesn't have access to the primary and secondary 
selection buffer. Some details have changed, but basically I've been using 
this approach since then. It's a bit uncomfortable in daily use (like 
most security measures), because copy&paste out of firefox doesn't work 
anymore. But there is also this addon as a workaround, which lets me 
save text selected within firefox to a well-defined file, from where I 
can pick it up after careful inspection under my regular user:
https://addons.mozilla.org/en-US/firefox/addon/save-text-to-file/

But still, we are left with the problem that within firefox scripts can 
do all kinds of bad things. NoScript addon can help here to some extent:
https://addons.mozilla.org/en-US/firefox/addon/noscript/

But unfortunately more and more web pages refuse to display anything if 
no scripts are allowed at all by default, which forces me to either 
admit tons of javascript on those pages or just leave them without 
reading... Ok, using separate browser profiles for different kinds of 
web pages is another approach (separate profiles for online banking, 
admin guis, regular browsing, another one for pages you trust less...)

best regards, Martin
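
One way to do the "careful inspection" of the saved text file mentioned in the message above, before pasting its contents into a terminal. This is an added example, not part of Martin's message or the thread; the function names, the file path argument and the sample string are assumptions constructed for illustration.

```python
#!/usr/bin/env python3
"""Inspect text saved from the browser before pasting it into a terminal."""
import sys
import unicodedata

PASTE_END = "\x1b[201~"  # ends bracketed-paste mode early if embedded in the text
SAMPLE = "echo ok\x1b[201~\nid\u200b"  # constructed sample, not taken from the page


def inspect_text(text):
    """Return (line, column, description) findings; line 0 means whole text."""
    findings = []
    lines = text.split("\n")
    for line_no, line in enumerate(lines, 1):
        for col, ch in enumerate(line, 1):
            cat = unicodedata.category(ch)
            if ch != "\t" and cat == "Cc":
                # ESC, CR, backspace etc. can hide or rewrite what is displayed
                findings.append((line_no, col, f"control character U+{ord(ch):04X}"))
            elif cat == "Cf":
                # zero-width and bidi characters: text differs from what was seen
                name = unicodedata.name(ch, "unnamed")
                findings.append(
                    (line_no, col, f"invisible character U+{ord(ch):04X} {name}"))
    if PASTE_END in text:
        findings.append((0, 0, "bracketed-paste end sequence embedded"))
    if len(lines) > 1:
        # every newline acts as an Enter keypress when pasted into a shell
        findings.append((0, 0, f"{len(lines) - 1} newline(s): pasted lines would execute"))
    return findings


def main(path):
    # newline="" keeps CR bytes visible instead of translating them away
    with open(path, encoding="utf-8", errors="backslashreplace", newline="") as fh:
        text = fh.read()
    # repr() prints escapes literally so the terminal never interprets them
    for n, line in enumerate(text.split("\n"), 1):
        print(f"{n:4}: {line!r}")
    findings = inspect_text(text)
    for line_no, col, what in findings:
        where = f"line {line_no}, col {col}" if line_no else "whole file"
        print(f"WARNING ({where}): {what}")
    return 1 if findings else 0


if __name__ == "__main__" and len(sys.argv) == 2:
    sys.exit(main(sys.argv[1]))
```

Run it under the regular user with the saved file as its only argument; a non-zero exit status means the text contains something that would not have been visible in the browser.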

