Vulnerability free web browser

28 respostas [Última entrada]
Henry Jensen
Desconectado
Joined: 04/09/2011

Hello,

from time to time I check out Trisquel. I noticed that Trisquel is
still lagging behind when it comes to security fixes.

Current abrowser is at version 21.0, available in the repo since 09 Jun
2013 (according to changelog) The upstream browser (Firefox) was
released at May 14.

Current upstream browser is version 22.0, available since Jun 25. 25
days ago. This version is available in the upstream distro (Ubuntu)
since Jun 27, two days after upstream relase.

It isn't available in Trisquel yet.

This means, that Trisquel abrowser users are surfing the web with
following "critical" vulnerabilities (which are described as
"Vulnerability can be used to run attacker code and install software,
requiring no user interaction beyond normal browsing.")

CVE-2013-1682, CVE-2013-1684, CVE-2013-1685, CVE-2013-1686,
CVE-2013-1687, CVE-2013-1690

See http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE-Number] for
detailed description.

Additionally there are the following "High" vulnerabilities (which are
described as "Vulnerability can be used to interact gather sensitive
data from other sites the user is visiting or inject data or code into
those sites, requiring no more than normal browsing actions.")

CVE-2013-1688, CVE-2013-1692, CVE-2013-1693, CVE-2013-1694,
CVE-2013-1697, CVE-2013-1700

From my point of view it is as dangerous to users to use software
with known vulnerabilies (aka security holes) as it is to use
proprietary software. With both you may be not in control of your
computer anymore.

I don't know how hard it is to apply patches to the Ubuntu firefox
packages to free it and transform it to abrowser. But it is hard to
imagine that it takes more than three weeks.

Perhaps Trisquel maintainers should talk to the Parabola GNU/Linux
people, they maintain a free version of Debian's Iceweasel named
iceweasel-libre. Current version 22.0 was available in the repo three
days after Firefox 22.0 was released. Maybe iceweasel-libre can be
rebuild and packaged for Trisquel.

Don't get me wrong, I think Trisquel maintainers are doing great work
to offer a completely free distro. But from my point of view as a
security-aware user, the situation is simply not acceptable, and it is
highly dangerous for users who are not following security announcements
and mailing lists.

Because of this I can't recommend Trisquel in good faith yet, because
this issue is a real show stopper.

So, please, do something about it. Security maintenance should be a top
priority for every serious software distribution.

Regards,

H.

ssdclickofdeath
Desconectado
Joined: 05/18/2013

What does "ESR" mean in the Firefox and Thunderbird releases?

GNUser
Desconectado
Joined: 07/17/2013

I might be wrong but I think it's Extended Support Release. ESR are the releases that Tor Project uses for their browser, so I would assume it has some security advantage.

mYself
Desconectado
Joined: 01/18/2012

For Firefox, read here and here. For Thunderbird, here and here.

GNUser
Desconectado
Joined: 07/17/2013

Hello.
I agree with you that security should be a top priority. And I believe Trisquel already has a good security measure: only free software =)
However, I agree with you that SOME minor things could be improved. One other would be to have ufw installed by default. NOw, I have read some people explaining that Trisquel is secure enough without the firewall, and that having it installed would cause confusion to some people, misleading them to think that Trisquel is not secure without a firewall. I disagree, ufw is a damn small piece of software that can be used by power users only if they see fit. I for example, due to some concerns over my ISP, like to have all ports closed. It's legitimate and I don't really feel confortable installing it when I install Trisquel fresh. I don't think it's a need for everyone, and therefore understand Trisque team for not having it, but for me personally.... It would be helpful =/

Still, as far as the browser is concerned, you can actually make it a little bit more secure by installing some addons like noscritp, adblock, disconnect... Unninstal Gnash... There are still things to be improved, but at least I believe we can be a little bit secure that way =)

As I have no input in the development of Trisquel I can't say anything for sure, but maybe with the "LTS releases only, focus on security updates" policy, maybe the Abrowser will get more attention soon =)

ssdclickofdeath
Desconectado
Joined: 05/18/2013

Instead of removing Gnash, you could use the free Flashblock addon, where you have to allow the Flash to run.

GNUser
Desconectado
Joined: 07/17/2013

I know you can use that. However, since you still have the plugin installed, I am not sure if you won't get flash super cookies anyway, even blocking flash from playing.
And really, my intention was to try and use Abrowser only with HTML5, no plugin intervention. So far, I was pretty happy with the results.

Henry Jensen
Desconectado
Joined: 04/09/2011

Hi.

On Sun, 21 Jul 2013 00:31:58 +0200 (CEST)
name at domain wrote:

> I agree with you that security should be a top priority. And I believe
> Trisquel already has a good security measure: only free software =)
> However, I agree with you that SOME minor things could be improved.

So what you are saying is: this car is safe to use, because it has
airbags. The fact that the brakes aren't functional is a minor issue. ;)

> One other would be to have ufw installed by default.

ufw is a comletely different issue. It is security related as well,
however it works at network level while the issue I am talking about is
security at application level.

GNUser
Desconectado
Joined: 07/17/2013

No I am saying the opposite exactly. "This car is secure because it has brakes, every car has those, now we can make it more secure adding airbags."
I consider that security is a matter that affects all layers of computer. I would be using a computer if Free BIOS if I could right now, for example. "Free software only" is a good start (good brakes) but is not enough. More needs to be done.

UFW should be installed by default too....

lembas
Desconectado
Joined: 05/13/2010

I think it's very important to have all patches applied. But since the details for at least the first CVE are not available, it's hard to evaluate it.

However, looking at this changelog [1] for 22, I see nothing too interesting there, so perhaps the problems aren't relevant to Ubuntu and so to Trisquel.

[1] http://changelogs.ubuntu.com/changelogs/pool/main/f/firefox/firefox_22.0+build2-0ubuntu0.12.04.2/changelog

Henry Jensen
Desconectado
Joined: 04/09/2011

On Sun, 21 Jul 2013 01:13:42 +0200 (CEST)
name at domain wrote:

> I think it's very important to have all patches applied. But since the
> details for at least the first CVE are not available, it's hard to evaluate
> it.

The details are also available at
http://www.mozilla.org/security/announce/

All security advisories from MFSA 2013-49 to MFSA 2013-62 do apply to
current Abrowser.

> However, looking at this changelog [1] for 22, I see nothing too interesting
> there, so perhaps the problems aren't relevant to Ubuntu and so to Trisquel.
>
> [1]
> http://changelogs.ubuntu.com/changelogs/pool/main/f/firefox/firefox_22.0+build2-0ubuntu0.12.04.2/changelog

Unfortunately the Ubuntu changelog doesn't mention security issues
particularly. The last time a CVE was mentioned in the Ubuntu changelog
was for Firefox 2.0 in the year 2006. So don't rely on Ubuntu
changelogs when it comes to security.

Debian changelogs usually are more reliable. Have a look at

http://ftp-master.metadata.debian.org/changelogs//main/i/iceweasel/iceweasel_22.0-1_changelog

lembas
Desconectado
Joined: 05/13/2010

>All security advisories from MFSA 2013-49 to MFSA 2013-62 do apply to current Abrowser.
How can you be sure? Firefox is for Windoze, OSX and GNU/Linux.

mfsa2013-62 explicitly reads windoze only. Access is denied to the details of the bugs.

Henry Jensen
Desconectado
Joined: 04/09/2011

On Sun, 21 Jul 2013 16:34:32 +0200 (CEST)
name at domain wrote:

> mfsa2013-62 explicitly reads windoze only. Access is denied to the details of
> the bugs.

Thanks for the hint. However, if someone would grab the source of
current Abrowser and build it for a free NT kernel compatible system,
e. g. ReactOS, the build would be affected.

oysterboy

I am a member!

I am a translator!

Desconectado
Joined: 02/01/2011

I agree that browsing with those known vulnerabilities is a very unfortunate situation. What I'd like to understand is what the security model of Trisquel is. Is this situation specific to the abrowser package? Could we be missing other security patches in other packages? Now that Trisquel 6 is out and work on the next version will only start next year, what's holding back the delivery of those fixes?

ssdclickofdeath
Desconectado
Joined: 05/18/2013

Is ReactOS fully free?

onpon4
Desconectado
Joined: 05/30/2012

I think it is, but note that:

1. ReactOS is in an early alpha stage, barely usable. It's not recommended for actual use.

2. Most Windows binaries you'll find are compiled with MSVC, which is proprietary, so there is a potential for malicious code to be introduced that way. To get around this risk, you would need to compile everything yourself with a free compiler.

3. Windows is not particularly well-designed. :) No package manager, in particular.

lembas
Desconectado
Joined: 05/13/2010

It might be free but its purpose is to run proprietary drivers and applications.

andrew
Desconectado
Joined: 04/19/2012

On 22/07/13 08:53, ssdclickofdeath wrote:
> Is ReactOS fully free?

Unfortunately not. From their website:
http://www.reactos.org/intellectual-property-guideline

> B. ReactOS License Binary Linking Exception
>
> The GNU GPL generally prohibits the combining of non-free software
> with GPL-licensed software such as ReactOS. That (or any other such
> policy) notwithstanding, the ReactOS Project's official position with
> respect to runtime linking of non-free modules is as follows: ReactOS
> may be used and distributed with non-free software such as commercial
> device drivers and commercial applications. This exception does not
> alter any other responsibilities of the licensee under the GPL. This
> exception is in recognition that the majority of the Windows
> ecosystem is composed of closed source applications and drivers.
> While the project encourages open source as a matter of principle,
> the project does not intend to enforce philosophical beliefs on
> developers interested in using ReactOS as a replacement platform for
> Windows. The project also recognizes that attempting to force such a
> belief is infeasible in an ecosystem where there is a significant
> body of software already written and distributed as closed source.

Andrew.

ssdclickofdeath
Desconectado
Joined: 05/18/2013

As far as I can tell, that doesn't say it contains nonfree software.

Drewski
Desconectado
Joined: 07/18/2013

It seems like installing Iceweasel-libre until Abrowser is patched is a good course of action at the moment.

However, when you try to execute/run any non-Abrowser version of firefox something automatically forces Abrowser to run instead of what you chose. Why is this?

GNUser
Desconectado
Joined: 07/17/2013

HUm, not sure what happens with you, but when I try to use Tor Broswer (firefox) it does so without any problems.

ssdclickofdeath
Desconectado
Joined: 05/18/2013

To Drewski:
Did you quit Abrowser beforehand?

Dave_Hunt

I am a member!

Desconectado
Joined: 09/19/2011

I'm able to run non-abrowser firefoxes in this Trisquel 6. You can
manually choose your non-abrowser from the menus, type its name in the
'run' box, or set your default browser to that other, instead of abrowser.

On 07/21/2013 07:03 PM, name at domain wrote:
> However, when you try to execute/run any non-Abrowser version of firefox
> something automatically forces Abrowser to run instead of what you
> chose. Why is this?

Drewski
Desconectado
Joined: 07/18/2013

It seems to be working now. Icecat for instance opens normally now. Not sure what was causing the issue before. Abrowser being opened/closed beforehand also doesn't seem to affect it at all.

Icecat and Iceweasal-libre seem very similar to me. Not sure what the main differences are. My guess would be that Icecat has a bigger developer/contributer base, but i'm not positive.

Mzee
Desconectado
Joined: 07/10/2013

I agree with the OP that the current situation is very unfortunate. Is there any page where I can get .deb files of the current versionb of iceweasal-libre? Wouldn't it be a great idea just to include this package in the repository if it's already available?

@Drewski: I found this site concerning the differences between iceweasel-libre and Icecat:
https://parabolagnulinux.org/news/iceweasel-libre/

Henry Jensen
Desconectado
Joined: 04/09/2011

Hello,

On Mon, 22 Jul 2013 11:08:50 +0200 (CEST)
name at domain wrote:

> I agree with the OP that the current situation is very unfortunate. Is there
> any page where I can get .deb files of the current versionb of
> iceweasal-libre? Wouldn't it be a great idea just to include this package in
> the repository if it's already available?
>
> @Drewski: I found this site concerning the differences between
> iceweasel-libre and Icecat:
> https://parabolagnulinux.org/news/iceweasel-libre/

As far as I know there is no deb package for iceweasel-libre. However,
it shouldn't be hard to build a deb package, since the upstream source
package is already made for Debian.

1. Get Debian source package from
http://mozilla.debian.net/pool/iceweasel-release/i/iceweasel/
(*.orig.tar.gz, *.debian.tar.gz and *.dsc files)

2. Get the libre patch from Parabola https://parabolagnulinux.org/ (don't
know the exact location of the sources and their patches)

3. Apply patch to Debian source package and possibly make modifications
to files under the debian/ subdirectory YMMV

4. Build package with dpkg-buildpackage

oysterboy

I am a member!

I am a translator!

Desconectado
Joined: 02/01/2011

GNU IceCat (not available in Trisquel repositories but in a PPA) is also lagging behind: the current packaged version is 17.0.1 whereas Firefox ESR is 17.0.7. I suspect the small maintenance teams (Trisquel, IceCat) have difficulties following Firefox's rapid release cycle. After all, an LTS release should be stable and receive only critical bug fixes and security fixes. How Firefox fits into that model with its monthly version bundling new functionalies, bug fixes, and security fixes, is unclear to me.

WootMoon
Desconectado
Joined: 03/06/2013

Does anyone have any direct contact with quidam, to ask him for official clarification? There is, obviously, a reason for the lack of upates lately, and the community can deal with that, but lack of communication about difficulties can hurt the project on the long run...

andrew
Desconectado
Joined: 04/19/2012

On 29/07/13 07:59, atilio.baroni wrote:
> Does anyone have any direct contact with quidam, to ask him for
> official clarification?

He is sometimes contactable by IRC, with some persistence. :-)

Andrew.