A Week Browsing Virtually

On a recent episode of Security Now (520) Steve Gibson placed forward the idea of using a virtual machine to browse the web securely with minimal worry. This is not new to me — I’ve actually done it for compatibility reasons with Virtual PC and Windows 2000 back when some websites did required specific browsers to function, namely IE and Windows. What’s novel, for me, is to browse on a VM for the sake of privacy and security.

And why not? With the browser and it’s internet-enabled supports (Java, flash, Acrobat) as major targets ripe for exploitation it makes sense. Tools such as Adblock, HTTPS Everywhere, NoScript, and Sandboxie, while useful, are not enough. And with virtual machine technology quite mature and available — again, why not?

For the last week I have actually switched doing my browsing through a virtual machine.


My virtual machine of choice for this project was VirtualBox, but Parallels or one of VMWare‘s many VMs will work too.

I got a copy of the Net Installer of Debian and installed a minimal set of packages (just SSL and System Utilities) along with sudo. Since I wanted to have the Guest Additions installed, I went ahead and got the build-essentials, module-assistant, appropriate Linux-headers, and dkms installed as well. The GA seems like an odd thing to install, but it allows several niceties, namely Seamless Mode which allows your programs’ window to run on along with your system’s windows.

When it comes time to install Firefox, you’ll need wget. To get the i686, US English, version 40.0.2, from the terminal:

wget https://download-installer.cnd.mozilla.net/pub/firefox/releases/40.0.2/linux-i686/en-US/firefox-40.0.2.tar.bz2
tar xjf firefox-40.0.2.tar.bz2
sudo mv firefox /usr/local

Also, don’t forget to enable Tracking Protection!

To get Chrome, again from the terminal:

wget https://dl.google.com/linux/direct/google-chrome-stable_current_i386.deb
sudo dpkg -i google-chrome-stable_current_i386.deb

If that fails:

sudo apt-get -f install

to install the missing dependencies, and try again.

Actually Using The Dang Thing

To me it was a very straight-forward transition once Debian and the browsers were up and running with my favorite extensions and settings. I made a snapshot of the system as soon as I reached a ‘stable’ point to where I can jump back once I finish my session: it’s a permanent private mode, Yay! I use Firefox Sync to keep my bookmarks between sessions and devices in order as well as Chrome’s sync features. Outside of that it was mostly unremarkable; everything worked as expected, even my work’s site.

There are a few caveats for those who decide to try it:

You’ll need to be a bit more aware of operating system and browser updates and install these, and the snapshots, accordingly. Firefox is fine—it will tell you when they’re available—but Chrome won’t!
In my experience, there can be a somewhat noticeable slowdown under games or flash-heavy sites, but since I’m not a gamer it doesn’t concern me much.


Will I keep using it? I see no reason not to, but it’s definitive not for everyone. Most people would not go through this kind of trouble. Even whole-system solutions don’t seem to make an impact on the consumer. But I think it’s definitively worth it for the sake of privacy and security.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s