On a recent episode of Security Now (520) Steve Gibson placed forward the idea of using a virtual machine to browse the web securely with minimal worry. This is not new to me — I’ve actually done it for compatibility reasons with Virtual PC and Windows 2000 back when some websites did required specific browsers to function, namely IE and Windows. What’s novel, for me, is to browse on a VM for the sake of privacy and security.
And why not? With the browser and it’s internet-enabled supports (Java, flash, Acrobat) as major targets ripe for exploitation it makes sense. Tools such as Adblock, HTTPS Everywhere, NoScript, and Sandboxie, while useful, are not enough. And with virtual machine technology quite mature and available — again, why not?
For the last week I have actually switched doing my browsing through a virtual machine.
I got a copy of the Net Installer of Debian and installed a minimal set of packages (just SSL and System Utilities) along with sudo. Since I wanted to have the Guest Additions installed, I went ahead and got the build-essentials, module-assistant, appropriate Linux-headers, and dkms installed as well. The GA seems like an odd thing to install, but it allows several niceties, namely Seamless Mode which allows your programs’ window to run on along with your system’s windows.
When it comes time to install Firefox, you’ll need
wget. To get the i686, US English, version 40.0.2, from the terminal:
tar xjf firefox-40.0.2.tar.bz2
sudo mv firefox /usr/local
Also, don’t forget to enable Tracking Protection!
To get Chrome, again from the terminal:
sudo dpkg -i google-chrome-stable_current_i386.deb
If that fails:
sudo apt-get -f install
to install the missing dependencies, and try again.
Actually Using The Dang Thing
To me it was a very straight-forward transition once Debian and the browsers were up and running with my favorite extensions and settings. I made a snapshot of the system as soon as I reached a ‘stable’ point to where I can jump back once I finish my session: it’s a permanent private mode, Yay! I use Firefox Sync to keep my bookmarks between sessions and devices in order as well as Chrome’s sync features. Outside of that it was mostly unremarkable; everything worked as expected, even my work’s site.
There are a few caveats for those who decide to try it:
- You’ll need to be a bit more aware of operating system and browser updates and install these, and the snapshots, accordingly. Firefox is fine—it will tell you when they’re available—but Chrome won’t!
- In my experience, there can be a somewhat noticeable slowdown under games or flash-heavy sites, but since I’m not a gamer it doesn’t concern me much.
Will I keep using it? I see no reason not to, but it’s definitive not for everyone. Most people would not go through this kind of trouble. Even whole-system solutions don’t seem to make an impact on the consumer. But I think it’s definitively worth it for the sake of privacy and security.