Desktop OS with persistence protection for private browsing - No TOR

User2288

Please forgive the long post. Was unavoidable.

Like all of you I'm looking for a solution to internet browsing on the desktop that is private and secure. Doing it all on the phone just doesn't fly.

I've concluded instead of trying to do all my computing on the same machine, its more practical to have a separate OS or older machine dedicated for the "privacy browsing" need situation. That way I can still use my windows machines for their use cases; and have a "trustable" platform ready for use for the privacy/security requiring uses.

You might say "Stop there!" ... "Tails / Qubes. Done."

Well, I need an "everyday browsing use" solution. That means no TOR.

All the ready-made solutions already out there (Tails, Whonix, KickSecure) either totally rely on TOR without an ability to turn it off (or beyond my technical knowhow), or in the case of Qubes, the hardware requirements often can't be met.

I have done a decent amount of searching and found some solutions that might work, but I need some more information and clarity on these options. I'm wondering if you guys can help.

Again I'm not looking for a desktop OS to do everything. I need it to only do ONE thing, but do it right. That is:

Private browsing that is usable, in a trustable environment, On the Desktop (laptop).

By Private Browsing: I mean proper fingerprinting and IP protection (the two pillars of web tracking).
By Trustable Environment: I mean the OS is private, it has reasonable Live security, and protects against persistent attacks (reboot = clean state).
By Usable: I mean that its compatible with all websites, is not blocked by sites, and is not slow. Can be used for youtube and other HD video streaming (including fullscreen with hardware decoding), general site hopping / research, shopping/banking, and other online "logged-in" web use cases.

I'm particularly chasing after Immutability / persistence-protection because desktop OSes are not well secure and linux particularly so, and the best solution I see to mitigating that is a non-persistent / semi-persistent OS.

Requirments:

Can trust OS to be private (keyboard, network stack, clipboard, etc.)
Reasonably secure against live attacks
Protected from persistent attacks
Must be able to use own VPN
Must be able to use Brave
Browser be able to play streaming HD video without stutter/hiccup.
no forced TOR
Run on older laptop with 8GB RAM. _Unupgradable

Bonus: _Not _Required

Usability of virtual memory if possible
Run from USB if possible _{[ need it for one particular machine ]}

Notes:

Brave: because its compatible with websites, it's privacy is good, and has best available security. TOR Browser/Mullvad are not compatible with all websites even in lowest security level modes. Also since my end solution is likely linux, the combination of linux security and firefox security leaves my confidence a bit shaky.
No TOR network: because many websites just refuse TOR, its slow, and doesn't work for streaming video.
Physical security and forensics is not a concern. I simply want protection from remote attacks (internet/browser/network vector attacks) and to know that a new start everyday can be trusted to be free from persistent malware.

Options:

Standard linux install (Fedora):
Protection against live attacks ... meh/maybe.
Persistence ...Fail.

Windows:
"Can trust OS to be private (keyboard, network stack, clipboard, etc.)"
Fail on entry.

Tails:
A TOR free version with VPN would have been exactly what I needed. Sadly with TOR, its a no go.

Tablet with GOS:
Android is no desktop OS.
A tablet is no laptop.
I have 5 old laptops. I need to use what I have. (same as most others).

Good Options:

LiveCD OS (Fedora)

Well, this totally eliminates the persistence issue, but problem is live security. Every time I boot I have to do a lot of system updates to ensure the live system isn't full of security holes. I could avoid this and just run the outdated ISO image "AS IS" until next OS Image comes out in 6 months, but I wonder if this increases the "live attack" risk too much.

Would you say it does?

And after the updates then I still need to install brave, install vpn, install config file for vpn, and configure brave. How much ram would be left for browsing at this point? There probably isn't any virtual memory available either. Downloading all of this every day, even once a day is probably too much and not realistic. Not a good solution. Perhaps if I could find a scripted way to automate this to be done from local files that I can update once a week then it might work. If I could also download the updates once a week as local files and do all the updates and installs locally using a script this could work. But the RAM issue still remains.

So for this case, I want to ask those with linux knowledge:

Is there a way to use a LiveOS ISO and use a simple 1-click prewritten script to update the running system with local update files and software install files?
Is there a way to assign virtual memory on a local disk to the LiveOS?

If I could address the above two problems I think this LiveOS solution would be usable, because it becomes like Tails, but without TOR and of course without the extra security hardening of Tails, but something has to give. I can't build my own Tails right now, or ever.

Qubes OS

Qubes meets almost all the above criteria and exceeds with bonuses. Although it only runs on CPUs with VT technology. So not compatible with my i3 machines.

But, a major concern:

Because its a VM (baremetal "like", but still), am I able to run HD streaming video smoothly and fullscreen?
Given that the machine has low RAM (8GB), running Qubes and browsers as VMs exacerbates the RAM issue even more. This would be fine for me if the system can use virtual memory to cirumvent the issue. But does it? does Qubes use virtual memory to help itself? I couldn't find documentation on this.
Does Qubes support screen rotation? I also would like to run this setup on a 2in1 laptop that turns vertical. In LiveCD & normal Installs rotation works. Would it in Qubes?

Immutable Fedora

This option sounds very interesting and it would be great if it would work but my linux knowledge is very basic and atomic linux, even lower.

Immutable fedora still has the same Kernel and other security vulnerabilities as all linux as far as I know. So this would be similar to running a "Regular Linux Install" scenario, except that I'm hoping this one would offer persistent malware protection.

The benefits of this system is that it solves the RAM problem as well as the CPU virtualization problem because its running directly on machine and utilizes virtual memory. Also there is a hardened version of it called SecureBlue which enhances security some more.

However there is a number of issues I need to get clarity on. Particularly around security and persistent attacks.

As you know SilverBlue uses OSTree and not DNF and all changes are applied to the booting image, not the running OS. However, from my reading, OSTree is not password protected and commands don't seem to be protected with any security safeguards (as far as amateur me can see) to prevent a malware that has managed to enter the system from running commands silently and adding packages to the Image using OSTree commands. Am I mistaken here or am I onto something?
Would there be any warning to the user that the Image has been updated/modified without user intention?
I've read that the /etc, /home, and /var folders are writable in Immutable Fedora. I have no understanding of the contents of these folders except that /home is probably my personal files. Question is, can a malware cause itself to become persistent by writing things to these folders?
In other words what I'm trying to ask is, is SilverBlue actually SECURE against persistent malware? or am I in an equal boat to the non-immutable version of linux?

Now I must also mention (for other readers) that as of this writing, based on my recent research into Fedora SilverBlue/Kinoite, installing Brave on Immutable Fedora is a bit of trouble. Installing it into the image has some complications, and installing using flatpacks also destroys brave's process isolation. Likewise installing VPN software into the image is mandatory as they can't run as flatpacks and at the very same time a lot of VPNs have compatibility issues being installed into the image, and just don't work. The workaround seems to be using the OpenVPN application installed into the image and just updating the personal VPN config files.

It would be wonderful if Immutable Fedora could offer the persistent attack protection I'm looking for because it is probably the most workable and compatible solution for average machines and average users.

P.S. All 3 of the above systems can run from USB.

I Dream...

Oh how I dream, that this write up would amount to something,

Thanks in advance.

TheGodfather

User2288

Why not go the simple route?
Run a browser (Brave is a good option, Mullvad if you need better fingerprinting mitigations, but less security) in a lightweight ephemeral VM on a lightweight host OS and route the VM through a trusted VPN. As long as you need the device only for browsing, this should be sufficient and 8GB RAM enough. If you trust the browser's sandbox to protect you, you can even avoid the VM.

User2288 In other words what I'm trying to ask is, is SilverBlue actually SECURE against persistent malware?

User2288 or am I in an equal boat to the non-immutable version of linux?

Yes

GrapheneOS

User2288 Booting a live install without persistent state itself doesn't provide any protection against persistent compromise on a computer without verified boot for firmware, etc. that's able to chain to the OS. These so called "immutable" operating systems you're referring to don't have any form of protection against persistent compromise either. They have tons of fully trusted persistent state and lack proper real secure/verified boot both for the OS and the rest of the computer underneath the OS. Protecting against persistent compromise is also hardly at the top of the list with what's missing with those operating systems.

[deleted]

Take a look at Masq Browser. It is in beta with a nice roadmap ahead.
https://www.masqbrowser.com/

User2288

TheGodfather No

Can you elaborate more why that is? I wanna understand.

TheGodfather Why not go the simple route?

The light VM you speak of i don't know how to setup and make secure. Could you tell me more specifically about it so I can look into it? Ty.

TheGodfather

User2288 Can you elaborate more why that is? I wanna understand.

No cryptographic verification of the whole bootchain including the OS from an immutable root of trust. Plenty of room for modification and persistence.

User2288 The light VM you speak of i don't know how to setup and make secure. Could you tell me more specifically about it so I can look into it? Ty.

Install a lightweight distro of your choice and browser into the VM, make basic security and privacy adjustments inside the VM. Create a snapshot. Browse the web. Revert to snapshot afterwards. Don't forget to update the VM regularly and create a new snapshot afterwards.

Tryptamine

Brave sucks. It is full of garbage that bloats it and IMO makes for an inferior browser to Firefox Nightly.

Firefox Nightly (it has more complete Network Isolation and other privacy/security features compared to stable, regular Firefox). With No script, Skipredirect, and UBlock Origin. No other extensions as they are fingerprintable. Then, preferably with the below file in your own /etc/hosts (or wherever in Windows\System32\ the hosts file is located):

https://divested.dev/hosts/

Only use UBlock with Adguard URL Tracking Protection and the Actually Legitimate URL Shortener Tool added under Custom. Other adblocking subscriptions are fingerprintable. If you cannot use the hosts file (I see no reason you can't though) then sure, use all the adblocking subscriptions.

Then, use the Arkenfox user.js script. Don't deviate from defaults, unless you want to enable First Party Isolation and know how to manage it. If you do use FPI, set network.cookie.cookiebehaviour (in the script, user-overrides.js) to 1 (block all third party) or 3 (block from unvisited). Add site exemptions as needed, but he warned, site exemptions disable all isolation features for those sites!

Enable Fission too. In the user-overrides.js, or about:config set to "true":

fission.autostart
gfx.webrender.all

Enable all optional, currently commented out lines in your user-overrides.js file as well, that apply to you, and make sense to do so! Always use a trustworthy (third party audits) VPN with kill switch. Block JavaScript globally with NoScript, is even UBlock if you choose. I find NoScript more user friendly. Make surd in NoScript's settings you disable frames loading in the default configuration!

There, that's what I do. You should also set up a DNSCrypt service, or at minimum set up a private, DNS-over-HTTPS in Firefox, under Max Protection. You can use Quad9 by setting it to:

https://dns.quad9.net/dns-query

Oh yeah, make sure you have a firewall configured to block all incoming too. On Linux it should be (for Ubuntu and Debian at least):

sudo apt install ufw gufw

Or rpm install ufw gufw #I think...

Then through gufw configure block all incoming!

One more thing, the Firefox above I use is a Snap, with it's own Apparmor strict isolation!

For OS, use Fedora Silverblue, I bet they have something like verified boot to deal with the malware at boot issue, plus, you would actually need malware to be present and activated at boot time, not in the userspace where most malware first runs for this to be an issue.

TheGodfather

Tryptamine Brave sucks.

Brave is the only other recommended browser of GrapheneOS. It provides better security than Firefox-based browsers and has a nice privacy feature set

Tryptamine

You mention fingerprinting, yet you use such an uncommon setup that you are likely unique.

Tryptamine For OS, use Fedora Silverblue, I bet they have something like verified boot to deal with the malware at boot issue, plus, you would actually need malware to be present and activated at boot time, not in the userspace where most malware first runs for this to be an issue.

Neither has it verified boot (no Linux desktop distro has), nor does malware need to be outside of user space for persistence.

Tryptamine

TheGodfather Ubuntu 23.10, installed as an all snap install with TPM backed full disk encryption does have verified and measured boot, for one example.

My browsing setup, Firefox Nightly does make me more unique, regular Firefox is better from a fingerprinting perspective, I run both with the same security setup. The lack of adblocking subscriptions in UBlock make you less unique as you have only two, and neither are the common ones monitored for. Having the standard UBlock subscriptions makes you more unique!

I also state, no other extensions, Noscript, UBlock, and Skip Redirect. More extensions make you more vulnerable. I will trade privacy for better security however, so Skip Redirect stays, and I modify my user-overrides.js with that in mind. On top of basic Firefox. The Arkenfox user.js is only a way of editing about:config and setting your settings up in one shot! It takes fingerprinting seriously into account with what it changes and enables/disables. Makes you much less fingerprintable. Also we are talking desktop here, the GrapheneOS recommendations against Firefox and for only Chromium browsers do not apply!

User2288

TheGodfather

TheGodfather No cryptographic verification of the whole bootchain including the OS from an immutable root of trust. Plenty of room for modification and persistence.

Yes but no desktop os has cryptographic integrity check or image verification. That's not a requirement.

Are you saying a malware running in memory could bypass the internal update mechanism of immutable fedora and intelligently modify the OS image that is on another hidden partition without going through the input/output write process of the running OS? (In other words, undetectable by running OS and user)

Isn't the whole point of immutable OS that a malware (or other apps) can not write to the OS image other than running OStree commands?

TheGodfather Install a lightweight distro of your choice and browser into the VM, make basic security and privacy adjustments inside the VM. Create a snapshot. Browse the web. Revert to snapshot afterwards. Don't forget to update the VM regularly and create a new snapshot afterwards.

In this implementation its not the guest OS i have any worries or questions about, its the HOST OS that is in question. What kind of a host OS would I have to run to again be sure its protected from persistent malware?

See the problem of VM solutions is that they never address the security issue of the host OS, which is where the real problem lies. Only VM solution I know of that addresses this is Qubes. Even whonix doesnt address the host OS problem (as far as I know).

Not to mention that normal VM also splits RAM and CPU in half, which is a no go. So what kind of a Virtualization software and host OS would I have to run that would fit the bill?

TheGodfather

Tryptamine Ubuntu 23.10, installed as an all snap install with TPM backed full disk encryption does have verified and measured boot, for one example.

It does not have verified boot. Daniel Micay made it pretty clear in a long discussion in the Matrix off-topic room that it's not possible on desktop Linux on X86 in its current state.

Tryptamine Also we are talking desktop here, the GrapheneOS recommendations against Firefox and for only Chromium browsers do not apply!

Daniel and other devs have criticized FF's security on Linux a lot.

Tryptamine

Your understanding of fingerprinting seems to be flawed. Individualizing a browser as much as you do is terrible for fingerprinting and a fundamentally flawed approach.

User2288

Thanks for your comments.

This thread and my intention is to focus on the OS choice however. Browser choice is not the issue. I will be using all those browsers at the same time.

I'm looking for an alternative to Tails without the TOR.

Tryptamine

User2288 just install the wireguard packages and use Proton VPN. They have a great help article for it, it will take less than 2 minutes to copy paste the commands from the article when you boot up. Do it over Tor, then use the VPN and disconnect Tor.

User2288

Tryptamine
you mean while using tails?

I've never used tails but I've heard that if you turn TOR off all network access gets blocked. Would you please link the article that you are talking about?

If i could install my own VPN and brave on top of tails and bypass TOR such that the internet speed would be normal I'd be very happy with that solution. But i don't think its possible.

TheGodfather

User2288 Isn't the whole point of immutable OS that a malware (or other apps) can not write to the OS image other than running OStree commands?

It is not fully immutable and some important parts are mutable. It's not significantly more resistant against malware persistence. This is contrary to modern OSes like Android and iOS which actually enforce immutability within a strong security model and verification.

TheGodfather

User2288 In this implementation its not the guest OS i have any worries or questions about, its the HOST OS that is in question.

As I read your original post, I got the impression that your main use case is browsing the web and the concern is security against malicious websites. This setup protects your host OS against it. What else do you need protection from?

GrapheneOS

What you're requesting is not available.