How bad exactly is Debian stable security wise?

Is it ok to casually browse the web? Can I get hacked more easily while using Debian?

For frozen distributions such as Debian, package maintainers are expected to backport patches to fix vulnerabilities rather than bump the software to the “next version” released by the upstream developer. Some security fixes (particularly for less popular software) do not receive a CVE ID at all and therefore do not make it into the distribution with this patching model. As a result, minor security fixes are sometimes held back until the next major release.

5 Likes

Debian pushes important security updates regularly on Debian stable. My understanding is that the more niche a program is and/or the smaller the attack surface area, the less likely it will be patched in Debian.

If you are using Chromium or Firefox ESR from the Debian repo, these receive security patches regularly/automatically when you check for updated packages. Here is a list of security updates, with the most Chromium/Firefox ESR patches happening last week:

Alternatively, you can use Flatpak (or snap) to run the browser in a secure container.

2 Likes
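Added example, not taken from any post in this thread: a small POSIX shell helper that shows the check behind the post above, i.e. which pending upgrades actually come from the Debian security suite, whether the APT sources carry a `-security` suite at all, and whether the periodic unattended-upgrades run is switched on. The output formats it parses (`apt list --upgradable`, one-line and deb822 sources, `apt-config dump`) are assumed to be those of Debian 12; the functions read stdin or an argument so they can be exercised against constructed text, and `--live` runs the real commands.

```shell
#!/bin/sh
# Added example (not from the thread): see which pending upgrades come from the
# Debian security suite and whether sources / unattended-upgrades are set up to
# receive them. Functions read stdin or an argument so they can be checked against
# constructed text; the --live branch runs the real commands.
# Assumed formats are those of Debian 12 `apt list --upgradable`, sources.list or
# deb822 .sources files, and `apt-config dump`.

# Print "package version" for each upgradable entry whose suite ends in -security,
# e.g. "firefox-esr/bookworm-security 115.9.1esr-1~deb12u1 amd64 [upgradable from: ...]".
# The "Listing... Done" header line has no "/" and is ignored.
security_upgrades() {
    awk '$1 ~ "/[a-z]+-security$" { split($1, p, "/"); print p[1], $2 }'
}

# Does the APT source configuration carry a -security suite at all? Matches the
# one-line "deb ... bookworm-security main" form and the deb822 "Suites:" form,
# but not deb-src lines, which do not deliver binary updates.
has_security_suite() {
    grep -Eq '^(deb[[:space:]]|Suites:).*[a-z]+-security'
}

# Is the periodic unattended-upgrades run enabled? `apt-config dump` prints
# APT::Periodic::Unattended-Upgrade "1"; when /etc/apt/apt.conf.d/20auto-upgrades turns it on.
unattended_on() {
    case "$1" in
        *'APT::Periodic::Unattended-Upgrade "1"'*) echo yes ;;
        *) echo no ;;
    esac
}

if [ "${1:-}" = "--live" ]; then
    echo "## pending upgrades from the security suite"
    apt list --upgradable 2>/dev/null | security_upgrades
    if cat /etc/apt/sources.list /etc/apt/sources.list.d/* 2>/dev/null | has_security_suite; then
        echo "## security suite configured: yes"
    else
        echo "## security suite configured: no"
    fi
    echo "## unattended-upgrades periodic run: $(unattended_on "$(apt-config dump 2>/dev/null)")"
fi
```

Run it as `sh check-security-updates.sh --live` on a Debian stable machine. A machine that reports "security suite configured: no" will never show anything in the first section no matter how often `apt update` runs, which is the failure mode worth catching first.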

In my non-expert opinion, you can achieve adequate and above average security relative to most common threat models using a stable release like Debian Stable, Ubuntu LTS or RHEL, if your other habits and choices are reasonably prudent.

(I think this has become even more true in recent years with technologies like distrobox, flatpak, snap, and containers in general, which to some degree have decoupled application and OS updates)

I personally think that many people tend to get tunnel vision and/or exaggerate the practical impact of release cycle/cadence. I’m not saying it is a non-issue (and I personally prefer a faster update cadence), I just think that it’s not as black and white, and in the bigger picture, not one of the most impactful factors or decisions for most people’s threat models. I’ve used rolling releases, LTS releases, and everything in between; I do not personally feel meaningfully more or less secure on one or the other.

With that said, Debian stable would not be one of my personal top choices for a daily driver desktop distro. But that is a personal preference mostly unrelated to privacy & security.

7 Likes

If you have to use a Debian based distro, you may want to consider Kicksecure, depending on your threat model

If you have already installed Debian, you can even turn it into Kicksecure

Debian Stable is considered one of the most secure Linux distributions, precisely because they don’t update to the latest shiny version of anything unless it’s for security patches.

2 Likes

Keep in mind that Debian doesn’t offer out-of-the-box support for Secure Boot (unlike Fedora, openSUSE, Ubuntu):

“While Debian does support Secure Boot, you’ll have to enroll your own MOK certificate and sign the kernel yourself. That also means you cannot install Debian without first disabling Secure Boot.”

→ Comparison of Linux Distributions

1 Like

This can’t be true. I installed Debian 12 stable with Secure Boot enabled. After installation I checked, and Secure Boot was enabled and active for my installation.

2 Likes

Yes, I can confirm that Debian has Secure Boot, no special action needed.

1 Like

Sorry, my source (see above) may be outdated…

How did you do this, please ?

Generally you check this in the BIOS if it’s enabled. For my part, I am on a Surface, so if Secure Boot is disabled I get a big red warning on boot.

It is technically less secure, but with good opsec and basic security measures, I would say you’re very safe, definitely more so than the average Windows user.

For all desktop Linux installations, I recommend installing AppArmor, using rootfs encryption, using sudo and locking root, getting software from trusted sources (developers, Debian repos, verified Flatpaks), and using a browser with a content blocker like Firefox and uBlock Origin.

A lot of Debian stable packages get security backports so I wouldn’t worry. I would more so think about whether stable is really what you want for your use case or if you would prefer testing. Either way, Debian stable is definitely fine to use, and it only isn’t recommended by Privacy Guides because it doesn’t represent the “ideal”.

2 Likes

For me, just having Secure Boot enabled and installing Debian functions perfectly fine.

I never thought Debian could even be compared to Windows in terms of security.

Is it really possible for a Debian install to be less secure than Windows 10/11?

This has been discussed quite a few times already by the community, but I would summarize the answer like this: By default, Linux is less secure than Windows and MacOS but is more private.

  • Generally speaking, Linux has limited to no sandboxing functionality out of the box.
  • Lack of verified boot (separate from Secure Boot), which is somewhat mitigated by HEADS firmware from a Qubes OS-certified OEM like NovaCustom.
  • It is written in a memory-unsafe language which makes it vulnerable to security flaws
  • Now combine all that with the fact Debian tends to freeze its packages (huge oversimplification as stated earlier in this discussion)

If your threat model involves targeted attacks, you could follow the ultra paranoid route of having a hardened MacOS daily driver and a secondary laptop for Qubes OS/Tails.

Despite what I just said, if you’re trying to improve your privacy, a basic Debian installation works just fine as it doesn’t include the telemetry found in Windows and MacOS. You won’t suffer from using it on a daily basis.

4 Likes

I’m sort of curious what the real-world implications of those Mac and Windows telemetries are?

I’m aware that Linux is less secure, but if I don’t download anything like files and attachments, then I guess the security problem is mitigated?

I don’t think this is different than Windows or MacOS?

1 Like

Debian has many insecurities out of the box, just to name a few: unrestricted access to su, IPv6 leakage of MAC address, and a firewall that accepts all incoming/outgoing traffic. Substantial hardening is needed to make Debian anywhere near secure. Debian has a security manual that explains many hardening measures.

People with experience can speak to it better, but although avoiding risky files/attachments is the most prevalent risk factor for the average user, there is still a lot of security risk that could additionally be manually mitigated for popular distros.

My understanding is that by default, any traditionally installed app has access to $HOME and can view any docs/apps/configs that have general read access. That means that theoretically a Linux app can find your browser and scan your history to see what sites you’ve visited.

A distribution’s official repository is kind of like a gated community that aims to stop bad guests before they enter. This makes things more secure, however bad guests might still find a way in occasionally. Alternatively, someone who has lived in the community forever might have been vouched for at the gate, but people inside suddenly realize that there are big issues that need to be addressed (CVEs). Once we accept that the people working the gate aren’t perfect and the people already in the community aren’t perfect, we can see how short-sighted it is to leave our doors unlocked so anyone can walk in (not sandboxing your apps) or have a bathroom post-it note of the safe’s code (saving passwords unencrypted). In security, the concept is called defense-in-depth.

In addition to having a person manning the gate, you would still take proactive steps to decrease highly likely attacks (or less likely attacks that would be very harmful). My understanding is that the highest risk app on most computers is the browser and so it should be installed via flatpak/snap (or, if you install it from an official repo, use it in combination w/ bubblewrap/firejail to cordon it off).

Other ways to improve your security if the first line of defense fails include keeping current with security updates, becoming better versed in using pre-packaged containerized software from flatpak/snaps/docker, building your own containers for apps via bubblewrap/firejail/systemd-nspawn/etc and restricting program capabilities via SELinux/apparmor.

The downside is that outside of security updates, every other security solution creates friction for the user, and will lead to much much more debugging than if you didn’t use them. That is why they are largely disabled across popular distros but also why popular distros are not as secure as they could/should be.

4 Likes
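Added example, not written by any participant in this thread: a POSIX shell audit that checks the points raised in the two hardening lists above (AppArmor, encrypted root, locked root account, unrestricted `su`, a firewall that accepts everything, IPv6 addresses that embed the MAC) plus the "how do you check Secure Boot" question from earlier in the thread. Each check is a function over the text it would normally read from a command or file, so the logic can be exercised against constructed input; `--live` runs it against the real machine and needs root, because `passwd -S` and `nft list ruleset` do. The output formats assumed (`mokutil --sb-state`, `passwd -S`, `lsblk -rno TYPE`, `nft list ruleset`, `sysctl`) are those of Debian 12.

```shell
#!/bin/sh
# Added example (not from the thread): audit the hardening points discussed above.
# Every check is a function over the text it would read from the system, so it can
# be exercised with constructed input; --live feeds it real command output (run as root).
# Assumed output formats are those of Debian 12 (mokutil, passwd, lsblk, nft, sysctl).

# Secure Boot state: `mokutil --sb-state` prints "SecureBoot enabled" or "SecureBoot disabled".
secure_boot_on() {
    case "$1" in *"SecureBoot enabled"*) echo yes ;; *) echo no ;; esac
}

# AppArmor LSM active: /sys/module/apparmor/parameters/enabled reads "Y".
apparmor_on() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "Y" ] && echo yes || echo no
}

# Root account locked: the second field of `passwd -S root` is L (locked),
# P (usable password) or NP (no password). Both "!" and "*" hashes show as L.
root_locked() {
    set -- $1
    [ "${2:-}" = "L" ] && echo yes || echo no
}

# A LUKS mapping exists: `lsblk -rno TYPE` lists a "crypt" device. Caveat: this does
# not prove that / itself sits on it; compare `findmnt -no SOURCE /` with the mapping.
luks_present() {
    printf '%s\n' "$1" | grep -qx crypt && echo yes || echo no
}

# su limited to the root/wheel group: the pam_wheel line in /etc/pam.d/su, which
# Debian ships commented out, is active.
su_restricted() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' \
        && echo yes || echo no
}

# Firewall default-deny: the nftables input chain carries "policy drop". An empty
# ruleset (Debian's default, which accepts everything) reports no.
fw_default_drop() {
    printf '%s\n' "$1" | awk '/hook input/ && /policy drop/ { found = 1 } END { print (found ? "yes" : "no") }'
}

# IPv6 privacy extensions: use_tempaddr = 2 prefers RFC 4941 temporary addresses.
# The stable address still embeds the MAC (EUI-64) unless addr_gen_mode is changed
# or NetworkManager's stable-privacy mode is in use, so this is only half the fix.
ipv6_tempaddr() {
    case "$1" in *"= 2"*) echo yes ;; *) echo no ;; esac
}

report() { printf '%-14s %s\n' "$1" "$2"; }

audit_live() {
    report "secure boot"   "$(secure_boot_on "$(mokutil --sb-state 2>/dev/null)")"
    report "apparmor"      "$(apparmor_on "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)")"
    report "root locked"   "$(root_locked "$(passwd -S root 2>/dev/null)")"
    report "luks volume"   "$(luks_present "$(lsblk -rno TYPE 2>/dev/null)")"
    report "su pam_wheel"  "$(su_restricted "$(cat /etc/pam.d/su 2>/dev/null)")"
    report "input drop"    "$(fw_default_drop "$(nft list ruleset 2>/dev/null)")"
    report "ipv6 tempaddr" "$(ipv6_tempaddr "$(sysctl net.ipv6.conf.all.use_tempaddr 2>/dev/null)")"
}

if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Run as `sudo sh debian-audit.sh --live`. A fresh Debian 12 desktop install typically reports yes for Secure Boot and AppArmor, yes for the locked root account only if you left the root password empty during installation, and no for `su pam_wheel`, `input drop` and `ipv6 tempaddr`, which is exactly the gap the post above describes; the fixes are uncommenting the pam_wheel line in `/etc/pam.d/su`, loading an nftables ruleset whose input chain ends in `policy drop`, and setting `net.ipv6.conf.all.use_tempaddr = 2` (and `default.use_tempaddr`) in a sysctl.d file.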

I never said that is different. At least MacOS and Windows have implemented some form of sandboxing by default.

Besides invasive targeted advertising methods utilized in the industry, a lot of concerns around telemetry revolve around trust. Do you trust the telemetry data collected by Windows 11 to not be used against you in the future?