Firefox and Ubuntu are #1 for Identity Protection
The latest release of Ubuntu has a terrific new feature: advanced security for browsing with Firefox. This feature is not enabled by default and requires running a single line in a console to activate. The Karmic Koala release hints at this capability in the release notes:
A new profile is provided for Firefox as well, though it is disabled by default. Users can enable AppArmor sandboxing of their browser by running:
$ sudo aa-enforce /etc/apparmor.d/usr.bin.firefox-3.5
This is pretty amazing, as the only other reasonable solution for browser protection is the recommendation of Brian Krebs to rely on booting up with a Live CD. Useful, but not practical. In a work environment, I need to use my browser continuously, and having to juggle with a Live CD is not a practice which is going to be widely adopted. On the other hand, by relying on Ubuntu's AppArmor profile for Firefox, I achieve an extraordinarily high level of Identity Protection with barely an inconvenience.
Why isn't this feature turned on by default? The Ubuntu Security Team wiki on Firefox explains that users "must opt-in to using the profile and therefore should know that AppArmor confinement could cause Firefox to behave unexpectedly." Unexpectedly? That's not a term which bolsters my confidence for adding the profile. I asked Canonical's Security Engineer for Ubuntu, Jamie Strandboge, if he would describe the benefit of enabling the AppArmor profile for Firefox:
The basic idea is that Firefox is a complex application. It (like all browsers due to the complexity) has had a lot of security vulnerabilities. AppArmor confines an application to being able to perform only a known and well-defined set of actions. Because of Firefox's complexity, the profile is disabled by default, to not interrupt the user's experience. If the profile can provide the necessary protection as well as a good user experience, then it may be enabled in a future release of Ubuntu.
I absolutely recommend using AppArmor in a corporate environment, which is one reason why we ship it. It is well tested in Ubuntu, and does work with extensions and plugins shipped in Ubuntu. The best thing to do is try it out and report any bugs.
Jamie hasn't found any broken Firefox applications, and when I read through the bug reports, it seemed that any problems with a secured Firefox were related to user configurations, and not to AppArmor's Firefox implementation. I think the enhanced security of Firefox on Ubuntu is one more reason that Ubuntu provides a solid corporate desktop environment.
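To confirm that the aa-enforce command from the release notes took effect, the following script reads the kernel's list of loaded profiles and the AppArmor label of each running Firefox process. It is an added example, not part of the original post or of Ubuntu's tooling; the function names and the sample profile listing are constructed for illustration, and profile names on a real system may differ.

```shell
#!/bin/sh
# Added example: after `aa-enforce`, confirm the Firefox profile is loaded in
# enforce mode and that running Firefox processes are confined by it.

# The kernel lists loaded profiles here, one "name (mode)" per line.
PROFILES_FILE=/sys/kernel/security/apparmor/profiles

# profile_modes PATTERN: read "name (mode)" lines on stdin and print
# "mode name" for each profile whose line contains PATTERN.
profile_modes() {
    awk -v pat="$1" '
        index($0, pat) && match($0, / \([a-z]+\)$/) {
            print substr($0, RSTART + 2, RLENGTH - 3), substr($0, 1, RSTART - 1)
        }'
}

# label_state LABEL: classify the contents of /proc/PID/attr/current.
label_state() {
    case "$1" in
        unconfined)      echo unconfined ;;
        *" (enforce)")   echo enforced ;;
        *" (complain)")  echo complain ;;
        *)               echo unknown ;;
    esac
}

# sample_profiles: constructed listing for offline use; real names may differ.
sample_profiles() {
    cat <<'EOF'
/usr/sbin/cupsd (enforce)
/usr/lib/firefox-3.5.*/firefox (enforce)
/usr/sbin/tcpdump (complain)
EOF
}

# check_live: report on this machine (reading the list normally needs root).
check_live() {
    profile_modes firefox < "$PROFILES_FILE" || true
    for pid in $(pgrep firefox 2>/dev/null); do
        label=$(cat "/proc/$pid/attr/current" 2>/dev/null) || continue
        # A process started before aa-enforce stays "unconfined" until restarted.
        echo "pid $pid: $(label_state "$label")"
    done
    return 0
}

if [ -r "$PROFILES_FILE" ]; then check_live; else sample_profiles | profile_modes firefox; fi
```

A Firefox process reported as unconfined after the profile shows enforce mode was started before the profile was loaded; restart the browser so the profile attaches at launch.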
Technorati Tags: Ubuntu, Firefox, AppArmor, Jamie Strandboge



Comments
Posted by 30 inch shower stall At 09:42:24 PM On 10/07/2011 | - Website - |
Posted by Nakeva At 01:00:19 PM On 11/10/2009 | - Website - |
Try this URL for a workaround for Notes 8.5.1 on Karmic:
{ Link }
Posted by Mike Brown At 07:26:36 AM On 11/10/2009 | - Website - |
Posted by Ralf M Petter At 01:10:12 AM On 11/10/2009 | - Website - |
Posted by Chris Whisonant At 11:24:53 PM On 11/09/2009 | - Website - |