Is secureblue really more secure if browsers have to be installed in flatpaks?

Hi all,

I’ve been trying out secureblue on a second laptop but run into some major issues.

  1. firefox based browsers don’t work with hardened malloc

  2. I can’t seem to install either librewolf or mullvad on an atomic distro anyway.

This means that AFAIK I can’t install mullvad browser at all and I would need to install librewolf/tor as flatpaks and then disable hardened malloc for those flatpaks.

As I understand it flatpaks reduce security for browsers (as opposed to increasing it for most apps) as the flatpak sandboxing interferes with the browser sandboxing stopping it from working.

While most of the security tweaks to secureblue look great, if it decreases security on such a vital app as a browser does it really work out more secure?

Thanks

ujust with-standard-malloc firefox

run0 dnf config-manager addrepo --from-repofile=https://repository.mullvad.net/rpm/stable/mullvad.repo

rpm-ostree install mullvad-browser

ujust set-unconfined-userns on // https://secureblue.dev/faq#unconfined-userns

ujust with-standard-malloc mullvad-browser

It’s also worth mentioning that Trivalent (Secureblue’s default browser) is worth a try if you are going to use or need a chromium based browser.

Particularly Trivalent has better SELinux confinement than most (if not all) other desktop Linux browsers.

I tried your mulvad browser install process and got “Packages not found mullvad-browser” I got the same issue when I treid to install librewolf using a similar process.

Do you have the .repo files in /etc/yum.repos.d/?

/etc/yum.repos.d/mullvad.repo

/etc/yum.repos.d/librewolf.repo

Edit:

If you are a Mullvad VPN user, you could also try ujust install-vpn and select mullvad, which installs Mullvad VPN and enables the repo allowing you to also install mullvad-browser.

mullvad.repo is present (for some reason there is also a mullvad.repo.1 but librewolf.repo is not

It may but it will also have a very unique fingerprint and lacks both an in-built add blocker and manifest V2 support so I’d rather use something else.

I also tried installing brave browser on the host system. That worked but when I attempted to run it, it didn’t launch. I tried using the with-standard-malloc command you recommended but I first got a “permission denied (13)” error and then when I tried running the command with run0 a “fatal allocated error: invalid uninitialized allocatator usage” error

@any1 : You might want to add a step to enable user namespaces for unconfined_t. FAQ | secureblue

See above.

FYI as an update I worked out how to install librewolf and mullvad (I’d missed some documentation) but you have to turn off hardened malloc to do it and apparently firefox’s sandboxing is significantly worse than chromiums.

I tried brave as well but there too you have to turn off hardened malloc to make it work. Which is a shame as it reduces secuirty on the thing which arguably needs it most (the browser).

Trivalent is impressive from a security standpoint, however, as it doesn’t have manifest V3 it doesn’t have a great ad blocker and it’s also got a unique fingerprint so it’s not great from a privacy standpoint.

Why not appimage?

As for the ad blocker, why not just add “uBlock” from the extension store? (note: I use Trivalent)

Ad blockers basically rely on blocking a tonne of domains, manifest V3 severely limits the number of domains that can be blocked, so while ublock is still good the manifest V3 version is much worse than the manifest V2 version as it can’t block nearly so many ads/trackers.

Firefox blockers don’t have this issue and because brave’s ad blocker is built in it doesn’t have it either.

Newer AppImages, which use the type2-runtime, do not rely on fuse2 anymore

however, as it doesn’t have manifest V3 it doesn’t have a great ad blocker

I personally feel not difference between uBO and uBOL. What it disabled is MV2 btw.

it’s also got a unique fingerprint so it’s not great from a privacy standpoint.

Every browser has a unique fingerprint. Only Safari has reasonable strategy. Selecting a Browser - Chromium Hardening Guide

I tried Brave and Firefox built-in anti-fingerprint, they can’t even beat fingerprint.com

I’m questioning this source at least on Mullvad browser, they seem a little too happy to clown on it.

Mullvad is Tor browser without Tor, it has literally no advantages and only regresses on Tor’s base anti-fingerprinting model.

One advantage is that you’re using VPN IPs instead of Tor exits which will have better IP reputation.

It adds uBlock Origin, which can cause nearly infinite variation in users by filter versions and custom filters, and fingerprinting system uptimes based on that.

Tor is going to add uBlock Origin, so it must be an acceptable compromise…

A big part of Tor’s resistance to fingerprinting is the Tor network, Mullvad substitutes this by using their own VPN service, but not all users have that so the benefit is significantly weaker.

Mullvad browser substitutes some anonymity with some convenience because more sites will accept you on VPN IPs than Tor IPs.

It also isn’t randomized where you connect, so it is still feasible to track you through Mullvad IPs.

Actually there’s a feature that randomizes your server.

Fundamentally this is a downstream of a downstream, that being Tor and Firefox, so updates will be twice as delayed. It is roughly in the same ballpark as Librewolf, in that it actually has very little to offer beyond convenience of setup.

There was a comment in a thread that explained the downstreamness, but I can’t find it. This may be true, but the browser’s goal is more anonymity on the web.

MB and TB get pretty much released in tandem

Most browsers try to defeat fingerprinting by making all users look the same, brave’s approach is a little different they randomise a bunch of stuff. So each user actually has a unique fingerprint fingerprint but that changes from session to session and is as divorced from anything about them as brave is able to reasonably make it Fingerprint randomization | Brave

Because most fingerprint checkers check for the “make everyone look the same” approach brave gets flagged as having a unique fingerprint, which is true, but (unintentionally) misrepresents brave’s fingerprinting protection. The eff’s tool does account for randomisation and brave is rated well on that https://coveryourtracks.eff.org/

The developers of secureblue are focused on security not privacy and don’t seem to care that much about privacy (for gods sakes they recommend chrome) or open source. TBH the more I read the more confused I am by their attitude, because if you want a secure system but don’t care about open source or privacy then why not use a mac? Though I’m still happy the project exists as it helps improve linux security and hopefully the security improvements they’ve made can make their way into more linux distros.

Secureblue is for people who want to use Linux as a first priority and want it to be secure as a second priority.