Gentoo Archives: gentoo-user

From: Rich Freeman <rich0@g.o>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Re: What Firefox (what browser) for Online-Banking?
Date: Sat, 07 Jan 2017 22:26:12
Message-Id: CAGfcS_nf4V6VqsGaBjZR5cuixtrHoS_a49eAsVLTy=6K9Shacg@mail.gmail.com
In Reply to: Re: [gentoo-user] Re: What Firefox (what browser) for Online-Banking? by wabe
On Sat, Jan 7, 2017 at 5:13 PM, wabe <wabenbau@×××××.com> wrote:
> Ian Zimmerman <itz@×××××××.net> wrote:
>
>> On 2017-01-07 17:36, wabe wrote:
>>
>> > I think a dedicated (virtual) machine for online banking is
>> > much more important than the use of a specific browser.
>>
>> This sounds like a very good idea, but are there unintended
>> consequences? For example, where do you keep the password?
>
> In my little red analog notebook. :-)
> If someone steals it, it is useless without my banking card that
> I always carry with me when I leave the house. Without this
> card the thief cannot create TANs (I'm using a TAN generator
> that only works with my card).
>

If you actually do use a dedicated machine I'd probably encrypt the
whole thing, using many rounds (which makes cracking the password
prohibitive, LUKS probably does that by default).

Then you could actually use whatever browser you want inside (even
IE), and just have the password managed any way you want inside as
long as it is strong (browser PW manager, lastpass, whatever). Since
you ONLY visit the bank website using the VM then the only way for
somebody to get at your vault would be to hack the bank website, and
if they're going to do that you're hosed no matter what. A dedicated
machine would be safer since you're less vulnerable to attacks on the
host (which they could use to keyboard sniff your VM password, or your
bank password if you key that in manually).

This is why I commented that if you're really concerned with security
a VM or dedicated host around the browser used to only access the bank
website is probably going to provide a lot more security than trying
to pick the "right" multi-site browser. By having a dedicated VM and
browser for one site you're immune to cross-site attacks, sandbox
vulnerabilities, etc. With a VM you have the VM's ability to sandbox,
but that is the main purpose of a VM, and with a dedicated host then
you're down to remote exploits of the host itself, which need not run
any listening ports and it could be behind a firewall.

If you're going to install a special browser only for banking you're
probably better off going the VM route (or more, possibly run from its
own UID). It seems equivalent in terms of hassle but it is probably
much more secure.

--
Rich
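
Added example (not part of the message above, and not cryptsetup's own code): on a LUKS1 volume the "many rounds" are PBKDF2 iteration counts, and `cryptsetup luksDump` reports one per key slot, so the check below parses a dump and lists enabled slots under a threshold. The dump text is constructed, and the function names and the 100000 threshold are assumptions for illustration.

```python
import re

# Constructed sample of `cryptsetup luksDump` output for a LUKS1 header
# (values are made up; salts, digests and offsets omitted).
SAMPLE_DUMP = """\
LUKS header information for /dev/sdX2

Version:        1
Cipher name:    aes
Hash spec:      sha256
MK iterations:  101250

Key Slot 0: ENABLED
    Iterations:             1620250
    AF stripes:             4000
Key Slot 1: ENABLED
    Iterations:             1000
    AF stripes:             4000
Key Slot 2: DISABLED
"""

SLOT_RE = re.compile(r"^Key Slot (\d+): (ENABLED|DISABLED)\s*$")
ITER_RE = re.compile(r"^\s+Iterations:\s+(\d+)\s*$")


def slot_iterations(dump_text):
    """Return {slot_number: PBKDF2 iteration count} for enabled key slots."""
    slots, current = {}, None
    for line in dump_text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            # Only enabled slots hold a passphrase-derived key.
            current = int(m.group(1)) if m.group(2) == "ENABLED" else None
            continue
        m = ITER_RE.match(line)
        if m and current is not None:
            slots[current] = int(m.group(1))
    return slots


def weak_slots(dump_text, min_iterations):
    """List enabled slots whose iteration count is below min_iterations."""
    return sorted(s for s, n in slot_iterations(dump_text).items()
                  if n < min_iterations)


if __name__ == "__main__":
    # 100000 is an illustrative threshold, not a cryptsetup default.
    print(slot_iterations(SAMPLE_DUMP), weak_slots(SAMPLE_DUMP, 100_000))
```

Any enabled slot can unlock the volume, so a slot with a low count is the one to re-create with a stronger setting.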