Page 1 of 3 123 LastLast
Results 1 to 10 of 26

Thread: What am I missing concerning Chromium and potential cross site scripting?

  1. #1
    Join Date
    Jan 2018
    Beans
    102

    What am I missing concerning Chromium and potential cross site scripting?

    Hi everybody. Full disclosure, I'm currently on Debian. One reason is my one remaining concern about Ubuntu and security. (I've generally resolved my other concerns.)

    I'm kind of looking for opinions, educated evaluations, and experiences rather than hard answers (which are also welcome of course). I just think that this topic is more suited for the chat subforum rather than support as I think that the hard answer is just that medium cve's just take some time to fix.

    Now generally I use Firefox to access my bank but sometimes the login doesn't work so I have to use Chromium. Just through observation it seems that it sometimes takes more than a week to update the stable channel. One time it took three weeks.

    Generally most cves for Chromium seem to be medium cve's (just by informal observation checking the Ubuntu CVE Tracker). I get that no one is in a hurry to fix medium cve's. And not just Ubuntu but through Googling it seems that medium cve's are fixed in time measured in months so I get that.

    In the Ubuntu CVE Priorities they say that cross site scripting is a medium cve. My understanding of cross site scripting is that someone could steal information entered on a form on a web page. So what I'm concerned about is that since seemingly Chromium is sometimes updated in a week to three weeks that someone could steal my banking credentials through cross site scripting.

    Am I right in this assessment? What am I missing? For example, perhaps Ubuntu is carefully watching the cve's and only delaying updates when it is safe.

    I get that I could just use the candidate channel but I would prefer not to if I can help it.
    Last edited by donald187; October 28th, 2023 at 01:21 AM. Reason: Changed title to be more representative.

  2. #2
    Join Date
    Jan 2018
    Beans
    102

    Re: What am I missing concerning Chromium and potential cross site scripting?

    I suppose I'm trying to be too granular for the scope of this forum. Probably it's generally covered in the following quote by Alex Murray.

    Vulnerabilities which affect the largest number of Ubuntu installations and which present the largest risk (by say being remotely exploitable without any user input, etc.) are prioritised critical or high. Those which affect only a small number of users and might require user-input or might only cause smaller effects such as a denial-of-service may be prioritised as medium, low or negligible. This prioritisation is done on a case-by-case basis for each vulnerability,....

    https://ubuntu.com/blog/securing-ope...prioritisation
    Last edited by donald187; January 9th, 2024 at 04:57 PM.

  3. #3
    Join Date
    Jan 2018
    Beans
    102

    Re: What am I missing concerning Chromium and potential cross site scripting?

    Still, even though cross site scripting may be a "smaller effect" from a technical standpoint if someone gets your banking information that's real world serious.
    Last edited by donald187; November 1st, 2023 at 05:51 PM.

  4. #4
    Join Date
    Jan 2018
    Beans
    102

    Re: What am I missing concerning Chromium and potential cross site scripting?

    Oh well, I don't really distrust Canonical. I was just enjoying figuring these things out. But I guess this is beyond my abilities. I'm sure Canonical is taking care of me.

    But then again, what do I know?
    Last edited by donald187; December 30th, 2023 at 09:58 PM.

  5. #5
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,263
    Distro
    Ubuntu

    Re: What am I missing concerning Chromium and potential cross site scripting?

    I use Chrome, which is updated rapidly. You have to install it from the official website (instructions), and the installation adds the official PPA.
    Always make regular backups of your data (and test them).
    Visit Full Circle Magazine for beginners and seasoned Linux enthusiasts.

  6. #6
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: What am I missing concerning Chromium and potential cross site scripting?

    I'd never use Chrome. Why would providing a huge advertising company, known for stealing information without clearly asking or compensating each person for this breach be ok? I'm at a lose to put it any clearer.

    Chromium is almost as bad. There are so many tendrils from that marketing company inside Chromium and when they switched to snap-only distribution, they lost me. Snaps broke my ability to control security of browsers, so any browser software that is snap packaged, I stopped using. Basically, Canonical forced me to change to a non-snap desktop so I could have control AND better security.

    Browsers are constantly getting security wrong. Constantly. Don't trust any browser to be bug free. None of them are and when it comes to privacy, google has a poor record of protecting us.

    I use different browsers for different purposes almost always running inside a firejail container. Sometimes that is using a container that prevents touching any local storage, like I do with banking logins. Sometimes I allow read-write access to a few directories - usually /tmp/ from the browser.

    I seldom worry about cross-site scripting, as I block all 3rd party cookies and use "private" mode from firejail for any locations that I suspect are doing things I wouldn't like. Additionally, I only access financial institutions using a separate VM with firejail around a browser that isn't allow to save anything. Where I live, personal banking accounts have limited liability coverage and business banking accounts have zero liability coverage. This means I need to be careful accessing any bank accounts, since that could lead to having all data/funds stolen by nefarious people on the other side of the world. I used to be a CFO for a small company. To make payroll, we'd have $100K/month in our checking account. Imagine if that was stolen and the lives it would impact? No way will I risk a failure by using the same browser environment that I use for any other purpose for access to payroll checks. No way! It is too important.

    Similarly, I'd never use Chrome. Too risky.

  7. #7
    Join Date
    Jan 2018
    Beans
    102

    Re: What am I missing concerning Chromium and potential cross site scripting?

    Quote Originally Posted by Paddy Landau View Post
    I use Chrome, which is updated rapidly. You have to install it from the official website (instructions), and the installation adds the official PPA.
    I had forgotten about Chrome. That would certainly solve the problem of sometimes slow updates. I've become somewhat of a purist on Linux trying to stick with only the distribution. But a respected Debian forum member once said that Chrome would not cause instability so from that perspective it should be ok. I'll consider it. Thanks!

  8. #8
    Join Date
    Jan 2018
    Beans
    102

    Re: What am I missing concerning Chromium and potential cross site scripting?

    Quote Originally Posted by TheFu View Post
    I'd never use Chrome. Why would providing a huge advertising company, known for stealing information without clearly asking or compensating each person for this breach be ok? I'm at a lose to put it any clearer.

    Chromium is almost as bad. There are so many tendrils from that marketing company inside Chromium and when they switched to snap-only distribution, they lost me. Snaps broke my ability to control security of browsers, so any browser software that is snap packaged, I stopped using. Basically, Canonical forced me to change to a non-snap desktop so I could have control AND better security.

    Browsers are constantly getting security wrong. Constantly. Don't trust any browser to be bug free. None of them are and when it comes to privacy, google has a poor record of protecting us.

    I use different browsers for different purposes almost always running inside a firejail container. Sometimes that is using a container that prevents touching any local storage, like I do with banking logins. Sometimes I allow read-write access to a few directories - usually /tmp/ from the browser.

    I seldom worry about cross-site scripting, as I block all 3rd party cookies and use "private" mode from firejail for any locations that I suspect are doing things I wouldn't like. Additionally, I only access financial institutions using a separate VM with firejail around a browser that isn't allow to save anything. Where I live, personal banking accounts have limited liability coverage and business banking accounts have zero liability coverage. This means I need to be careful accessing any bank accounts, since that could lead to having all data/funds stolen by nefarious people on the other side of the world. I used to be a CFO for a small company. To make payroll, we'd have $100K/month in our checking account. Imagine if that was stolen and the lives it would impact? No way will I risk a failure by using the same browser environment that I use for any other purpose for access to payroll checks. No way! It is too important.

    Similarly, I'd never use Chrome. Too risky.
    So to recap, browsers are insecure, Google steals information, and use Firejail. To be honest I'm not too worried about Google. And snaps have a built in sandbox. I haven't been ambitious enough to use the Firefox PPA (so that I could use Firejail). As I mentioned in the previous post I've become a bit of a purist wanting to use just the distribution. But there's no rhyme or reason about it. Something to think about. Thanks!

  9. #9
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,263
    Distro
    Ubuntu

    Re: What am I missing concerning Chromium and potential cross site scripting?

    Quote Originally Posted by TheFu View Post
    I'd never use Chrome. Why would providing a huge advertising company, known for stealing information without clearly asking or compensating each person for this breach be ok?
    Gosh, @TheFu, that seems like quite a rant against Google, ha ha!

    Google and I have a deal. Google provides a great deal of free services to me and the charities that I support (free of charge), and in return Google advertises to me based on my preferences. I don't think that that's a bad deal. I don't believe that it steals my information; everything is clear, unless you fail to read the T&C or the news.
    Quote Originally Posted by TheFu View Post
    Snaps broke my ability to control security of browsers…
    This is the single thing where snap fails badly: It doesn't allow you tailor the sandbox. That's why I can't use snap Gedit, because it restricts access to a very select few folders. For example, I can't use it to edit, say, /etc/fstab, or even files in my own ~/bin. Flatpak is better in that regard.
    Always make regular backups of your data (and test them).
    Visit Full Circle Magazine for beginners and seasoned Linux enthusiasts.

  10. #10
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: What am I missing concerning Chromium and potential cross site scripting?

    Google has been caught lying far too many times for it to be accidental. It all started when they removed the "Don't be evil" moto. Seems their moto is now, "see what we can get away doing".

    Just yesterday, https://apnews.com/article/google-in...46ab84191f7a9d
    Google settles $5 billion privacy lawsuit over tracking people using ‘incognito mode’
    The class-action lawsuit filed in 2020 said Google misled users into believing that it wouldn’t track their internet activities while using incognito mode.
    Is that a company that should be trusted?

    I want nothing from Google, but there's no way I can opt out of their tracking without providing them even more information. That's wrong. People who wish to be tracked should have to opt-in.

Page 1 of 3 123 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •