Chrome sandboxed

Discussion in 'sandboxing & virtualization' started by Overkill, Jun 25, 2015.

  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I am a geek. Love to learn. Love computers. Used to love pc security (ok, I still do deep down). It's been, maybe 4 or 5 years now without any 3rd party apps other than SBIE and chrome (and MBAM is installed, but never run it). My security was based solely on OS mechanisms. I run as admin on win7 (and xp before that), all the time. A couple years ago I stopped using any security. No SRP, no UAC, no ACLs, absolutely naked except for chrome and my pfsense router and only used SBIE if I was going somewhere I thought was "nefarious". (and I should note, I only do banking etc on a dedicated machine)

    My world did not end. My pc did not die. I know what to look for, and monitor it all the time. For me, it's more about what I know and what I do (or don't do) that makes the difference. I've proved that to myself. And while I don't need anyone's approval, and I know with certainty that it can be done, I am never going to convince others to do it, nor should I. That would be pointless unless they had my experience and did things in the same way.

    I can certainly appreciate others' opinions and input. I love that in fact. But, and really, I mean, BUT, there is no definitive right or wrong, best or worse form of "computer security", because it will never truly be secure. We all hedge our bets as it were, based on what we are comfortable with, based on what we think we know, and often times based on what has a user interface that we can understand.

    If your security setup works, great. If not, thankfully there are threads similar to this one that can give you some ideas. But this thread seems to be more like an argument than a discussion.

    Funny thing is, it's not a topic one can ever win in an argument.
     
  2. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    686
    Location:
    Canada
    Totally agree. If you want to run Chrome sandboxed then do it. If you want to run it without then by all means do it. That way, we will all be happy for ever more. Peace over and out. :thumb: As I said pages ago we all seem to agree to disagree.
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,969
    Location:
    Nicaragua
    Not everybody uses Sandboxie the same way but this is how I handle files in general. When I download something and recover it out of the browser sandbox, I don't stop running that file sandboxed just because it has been recovered. I keep running that file sandboxed until the day it gets deleted. That's how I use Sandboxie. It's really simple and it works. All done automatically with very little thinking required. If a file is going to run in my computer, that file is going to run sandboxed. The only time that I run something out of a sandbox is when I install something. And I never do. My computers are pretty much static. Nothing changes.

    Bo
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Hopefully that's finally over, so can someone else with technical expertise please comment on this?
     
  5. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,969
    Location:
    Nicaragua
    I never assume anything about any file that gets written in my computers. I found the simple and efficient way of handling files is to run all files and programs that run in my computers untrusted under Sandboxie, all the time. Works really nice. I don't even have to think about it. I click on a PDF file, it runs sandboxed. I click on a DOC document, it runs sandboxed, etc.

    Bo
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,324
    Location:
    Slovenia
    That's a good approach. Never trust anything... If I don't trust anything I similarly run it inside VM.
     
  7. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,969
    Location:
    Nicaragua
    Sandboxie motto is "Trust no program", that means something to me, I believe running all or most programs and files in the computer under Sandboxie is what Tzuk had in mind when he created the motto. :)

    Bo
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,924
    Location:
    Mexico
    Yep, I believe motto should be now: "Trust no program or file".
     
  9. Reverse here zero third party, just Windows internals (GPO+UAC+SRP+ACL+WFW) and Chrome (sandbox using windows internals) :D
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,095
    Location:
    The Netherlands
    I'm not sure what you mean with this, this whole forum is mostly made up of different points of view and opinions. About AppContainer, it's meant to keep Metro Apps running sandboxed, it's not really geared to other "normal" apps, only IE is making use of it at the moment.

    I also think it's spiraling out of control. But the main question was, does it make sense to run SBIE on top of Chrome? I already gave numerous reasons why it does. And I also explained why "added attack surface" is hardly relevant at the moment.
     
  11. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,794
    Wrong. It's an IL on its own. It's compulsory for Metro apps but desktop apps can utilize it too.

    2 sides to the story. There are others who already gave reasons why it does not make sense to run SBIE on top & why the attack surface is relevant.
     
  12. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,794
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,095
    Location:
    The Netherlands
    I never said that it wasn't, I just said that it was mainly invented to sandbox Metro Apps.

    Yes exactly, and people should decide for themselves which of those arguments makes more sense. There is no reason to get emotional about this.
     
  14. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,794
    Nope it wasn't. It was invented for any app developer who cares to utilize it. It's just that Metro Apps are made compulsory to do so.

    1. Once again, you are diverting the thread and making it personal.

    If anyone is emotional, it's the Sandboxie fanboys over here including 1 in particular who claims about "brainstorming" but insists on proving himself right despite countless times others (& me) having said that it's a matter of trade-off & people seeing risks differently.

    How about you look back through a few pages behind and see whose words really smell of personal attacks...not just at me but also at HM, GJ and the likes. No wonder they bailed out. I wanted to bail out myself but thought "hey, here's a chance at posting 1 more time just to get the facts right" but hey, nope somebody has to make it personal once again...

    If I am emotional, it is because I am annoyed by the fact any reasoning made so far cannot go through the minds of people who tightly cling onto beliefs. How does anyone expect a fruitful discussion when 1 party keeps dismissing any facts made as "hypothesis", "it's just theory" or simply "most people don't care"? Seriously?
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,095
    Location:
    The Netherlands
    Do you have any more info about this, sounds interesting. And why didn't Chrome make use of it? And what about other apps, will we see this more in the future?

    This is exactly what I mean, you're getting emotional again. Just look at the length and the "tone" of your post, who are you kidding? I already explained that none of these posts were meant as personal attacks.

    And I never said I was right or wrong, I just gave several reasons why I believe that this "added attack surface" talk hardly makes any sense, I'm sure you don't want me to repeat it all again. Besides, seems like you completely missed the point of those posts. It looks like you're the one who can't deal with the fact that there are 2 sides of the story. But I might be wrong.
     
  16. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,794

    https://www.chromium.org/developers/design-documents/sandbox

    As for other apps, ISVs are usually slow to adopt changes like these. Just take a look at how long it takes for developers to adopt things like DEP and ASLR. Changing to a sandbox model would require some rewriting of their programs so I'm not expecting much change there. If anything, Microsoft is pushing for Universal Apps...because it's easier to start anew.

    Can we have a normal discussion without making this about me or you? Anyone can read through both of our posts & decide who is missing the point.
     
    Last edited: Jul 28, 2015
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,095
    Location:
    The Netherlands
    That's what I said a few posts back. I do wonder why M$ decided to implement AppContainer in Windows 8. I still have a feeling it might be because of the Metro environment.

    EDIT: I found this, for the ones who are interested:

    http://recxltd.blogspot.nl/2012/03/windows-8-app-container-security-notes.html
     
  18. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I'm a firm believer in "less is more" but at the same time I understand that there is not a single program to rule them all. If I had my way, there would be a super app that combined all my security products but I'm not holding my breath there. So rather than settle for 'bits and pieces' of security, I've come up with a group of programs that help protect me on many fronts. Every program added is a potential path for a targeted attack (larger surface area) but I've yet to encounter any such attacks or read about any such exploits for my products. Could it happen? Sure! It's a worthy argument, it's just not one I feel is worth opening many other (actually) targeted paths for or settling for subpar protection.

    I don't use chrome myself, but if I did, it'd be inside sandboxie like all my other internet facing apps.
     
  19. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    This is a bit fun to me as a read. Linux fanboys who don't have Sandboxie and then us windows users. It is a never ending thing and I so much hate hackers. They want access to what is most popular, sigh.
     
  20. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,794
    What is funnier is seeing the "windows vs linux" card being played here. The discussion on Chrome & Linux was a side-topic on how sandboxing works.
    Btw, it's such a disappointment to see the use of the word "hackers" in such a context because it disgraces the white-hat community.
     
  21. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    Nothing funny in here. We are able to see that mask as your avatar. White hat mentions are not ok coming from you!
     
  22. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,051
    Interesting discussion.
    FWIW I believe anyone new to chrome browser in particular reading this will be under the impression that chrome without sandboxie is somehow weak protection. :(
     
  23. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I had to run Chrome in Windows 8 compatibility mode for the context menu to appear. It didn't seem to work, so I checked HKEY_CURRENT_USER\Software\Google\Chrome\Metro

    Turns out it is on, but I can't seem to see any difference except that History and recent tabs are combined.

    *Never mind, it was a Chrome update that changed the menus. I still don't seem to have Metro Mode. More: http://www.tenforums.com/browsers-e...-not-launch-when-windows-8-mode-selected.html

    *Aha!: https://code.google.com/p/chromium/issues/detail?id=470227
     
    Last edited: Jul 29, 2015
  24. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,324
    Location:
    Slovenia
    Yes, sadly someone not familiar with browser or computer security could get this impression when reading this thread...
     
    Last edited: Jul 29, 2015
  25. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,342
    Location:
    USA
    :thumb:
     