I gave an example of what could be considered PII in scope of secureblue’s project (Trivalent as their browser).
Is this a real example or an imaginary one? If it’s real, open a bug report with evidence. If it’s imaginary, say so
will reduce the chances of specially crafted attack that targets a specific visitor on some website.
Your assumption is in thinking that hardening makes this easier. It’s the opposite. Users are already trivially fingerprinted, and hardening measures make entire categories of vulnerability go away. So it makes an attacker’s life harder.
tracking
This is another nebulous term that would need more definition
spoof that you have such hardening enabled
None of this seems security related so I’m not terribly keen on continuing further.
Sorry for causing drama)
I use firefox for vpn extension to separate profiles on the trusted websites that I rarely visit. I use chromium based browsers for most of the time.
While I strongly recommend simply downloading your provider’s wireguard configs and importing them into GNOME (or your DE of choice), you can also layer the mullvad vpn rpm by adding their repo if you want. This unfortunately requires ujust toggle-unconfined-domain-userns-creation since mullvad vpn’s desktop app is an electron app You also need to enable the mullvad systemd service. This is standard stuff for mullvad, not specific to secureblue, aside from the userns toggle. I don’t use their app but there are folks who do use it on secureblue who can advise on discord if you run into issues.
You can be security hardened while still thwarting naive fingerprinters; if a script is naive, you don’t need a crowd. Most people should only be concerned about naive fingerprinters.
If your threat model involves advanced scripts, that requires Tor Browser, as stated previously
Giving SecureBlue an honest go. I realize its counter to SecureBlue’s goal, but I do want to run PG’s recommended browser of FireFox + Arkenfox, and ideally also Mullvad Browser.
I’ve definitely been having issues, as expected:
ujust with-standard-malloc flatpak run org.mozilla.firefox
[2] Sandbox: CanCreateUserNamespace() clone() failure: EPERM
ExceptionHandler::GenerateDump attempting to generate:/home/glanham/.mozilla/firefox/nq7rpoxn.default-release/minidumps/5d91430f-39d3-adea-b231-be7c7e521f6b.dmp
ExceptionHandler::GenerateDump cloned child 52
ExceptionHandler::SendContinueSignalToChild sent continue signal to child
ExceptionHandler::WaitForContinueSignal waiting for continue signal...
ExceptionHandler::GenerateDump minidump generation failed
Can’t quite ascertain what security measures I’d need to disable in order to run FireFox (and by extension Mullvad Browser if I could).
Unsure if this has been discussed on the Discord, but I’m attempting to not join.
Also having issues running toolbox as well with Podman. Ideally I won’t install docker, but the issue seems strange as well. Unsure if this is a bug or is intended.
[foobar@fedora ~]$ toolbox
Error: failed to get the Podman version
[foobar@fedora ~]$ podman --version
podman version 5.5.2
If you’ve already enabled container domain user namespaces per the FAQ, then this could be a toolbox upstream issue. Does distrobox work? ujust distrobox-assemble
I meant to say its expected for me to run into an issue and get stuck due to being extremely new to atomic distros + hardened distributions this solved my problem - and thanks for your very quick reply!
Given the great discoverability of ujust, which I’ve been quite happy with, what if there was a ujust toggle-flatpak-hardened-malloc which simply sets/unsets the env variable for the specified flatpaks? Then if you attempt to run ujust with-standard-malloc and see flatpak run as the first two commands, the tool could echo you probably wanted to toggle flatpaks, run 'ujust toggle-flatpak-hardened-malloc instead?' [Y/n] (WARNING: this will disable/enable malloc until you run the command again). This also solves the problem if I accidentally deleted every flatpak’s env variable for hardened malloc and forgot the path to the hardened malloc library.
The other feedback I have is as a layman user, I don’t really know how to toubleshoot a failing application that well. I only knew to disable the malloc for FireFox as it was previously posted here. i.e., I installed the Bitwarden app and definitely going through a trial error process. Having a common troubleshooting steps for Flatpaks might be nice (try disabling hardened malloc, then try disabling X, then Y, then Z).
This worked, thank you!
I searched toolbox in the FAQ and it came up empty, so I just sort of scratched my head. I also searched for the specific error I encountered, specifically the Podman version not found, and got nothing.
I’m quite new to atomic distros, and didn’t realize there was a dichotomy between distrobox and toolbox. Even as an application developer my eyes begin to glaze over as I get in the weeds of this one day I’ll hope to contribute. Maybe if you like the idea of the suggested CLI tool I could push a PR somewhere to help out?
All that said, appreciate the replies. I’m now posting this from FireFox, and have Mullvad Browser up and running for when I need it going to start testing in the development environment for some other FOSS projects I’m working with.
which simply sets/unsets the env variable for the specified flatpaks? Then if you attempt to run ujust with-standard-malloc and see flatpak run as the first two commands, the tool could echo you probably wanted to toggle flatpaks, run 'ujust toggle-flatpak-hardened-malloc instead?' [Y/n]
This is an interesting idea. I’m not entirely opposed, but we really want to push people in the direction of learning to use Flatseal (or the flatpak permissions KCM on Kinoite). Clicking permissions toggles, including for hardened_malloc, is significantly easier for new users and is something users should be familiar with in general (like with on Android). Adding a ujust for this would be both redundant and a less newbie-friendly way to do the same thing.
I searched toolbox in the FAQ and it came up empty, so I just sort of scratched my head. I also searched for the specific error I encountered, specifically the Podman version not found, and got nothing.
Toolbox is just a different frontend for essentially the same thing. We already point users to distrobox here: FAQ | secureblue
I’m now posting this from FireFox, and have Mullvad Browser up and running for when I need it
Makes sense. I suppose the quicker feedback loop for this could be with-standard-malloc say you are trying to run flatpak on with-standard-malloc, which you should use Flatseal to configure this, continue anyway? [y/N]. Its like inlining the FAQ in the tool for other people that did not rtfm lol.
Apologies, I meant the flatpak Bitwarden desktop application, not the extension.
A nit, but its not pointing users from toolbox => distrobox, and assumes a-priori knowledge of the two utilities. I was coming from a working set of knowledge here. I’d recommend adding even a simple blurb saying “we recommend distrobox over toolbox because of XYZ”.
Makes sense. I suppose the quicker feedback loop for this could be with-standard-malloc say you are trying to run flatpak on with-standard-malloc, which you should use Flatseal to configure this, continue anyway? [y/N]. Its like inlining the FAQ in the tool for other people that did not rtfm lol.
I’m not opposed
Apologies, I meant the flatpak Bitwarden desktop application, not the extension.
If I recall, I think it requires X11, so you’ll need Xwayland.
A nit, but its not pointing users from toolbox => distrobox, and assumes a-priori knowledge of the two utilities. I was coming from a working set of knowledge here. I’d recommend adding even a simple blurb saying “we recommend distrobox over toolbox because of XYZ”.
Ah, I see
image
Out of curiosity, what do you need FF/Mullvad for? i.e. are there gaps in Trivalent that are in scope that we should be filling?
This is me going in blind a bit, but at PG it’s recommended to use Mullvad Browser for resisting fingerprinting. I don’t have knowledge if Trivalent meets this use case, and would be happy to switch if so. For me, I’m opting for Privacy over Security for this specific use case. Browsers are the largest attack vector, so it’s sad that Firefox can’t support hardened malloc.
For regular FireFox, I’m just sitting on a dying hill being too stubborn to give up the fight for the last major non chromium browser. Arkenfox applies more sane secure defaults. But yeah, it’s dying.
Short answer: no. Trivalent is great and I will use it in specific scenarios.
resisting fingerprinting. I don’t have knowledge if Trivalent meets this use case, and would be happy to switch if so.
No, to my knowledge the only way to accomplish this is to use Tor Browser. Outside of that it’s largely theater.
Browsers are the largest attack vector, so it’s sad that Firefox can’t support hardened malloc.
Trivalent/chromium-based browsers don’t use it either. The sad part isn’t that Firefox doesn’t support hardened_malloc. The sad part is just how far behind Firefox is on security features like site isolation and internal sandboxing. If anything over the past several years, Chromium continues to pull significantly further ahead in this regard.
Arkenfox applies more sane secure defaults.
Arkenfox is more akin to a fresh paint job for your aging car. It might look and feel better, but you can’t configure your way out of the issues Firefox has. It requires the development of major security features that Chromium already has and is building on. If your car needs an engine rebuild, no amount of paint and reupholstering can help.
This may be a diverging discussion point, but would value your opinions on the matter. Mullvad Browser is a fork of Tor Browser, just without the tor, iirc. I don’t have sufficient knowledge to evaluate them further, and would defer to staff to justify their recommendation over say Trivalent.
just differences in perspective
You also need to enable the mullvad systemd service. This is standard stuff for mullvad, not specific to secureblue, aside from the userns toggle. I don’t use their app but there are folks who do use it on secureblue who can advise on discord if you run into issues.
one day I’ll hope to contribute. Maybe if you like the idea of the suggested CLI tool I could push a PR somewhere to help out?
going to start testing in the development environment for some other FOSS projects I’m working with.
