Any thoughts on inclusion of Iridium By Default

Hello!

Wondering If anyone else have gave Iridium browser a shot.

Its a FOSS that is privacy oriented, based on chromium engine which has been completly stripped down of all the google telemetry and tracking elements. Additionally it has made a lot of changes by default that an average-joe might miss out that can improve his browsing experience along with privacy.

Its highly deployable. Available for almost any popular desktop OS like Deb [or deb based OS], MacOS, Windows, Suse, Fedora, RHEL/CentOS…you get the point.

Its Source Code

Since Parrot have included “Privacy Suite” as a selling point on download/documentation page, I reckon giving users flexibility of choice to choose between firefox or Iridium [i.e chromium based] browser by default on installing OS would be awesome. Especially for users switching from Windows.

One can argue that : how is it different from chromium which is available from apt repo, and the answer to that is,

Iridium has following things Up from chromium by default -

Security improvements:

  1. Increase RSA keysize to 2048 bits for self-signed certificates (used by WebRTC)
    Generate a new WebRTC identity for each connection instead of reusing identities for 30 days
  2. Generate a new ECDHE keypair for each WebRTC connection instead of reusing them for multiple connections
  3. Disable using system-provided plugins (i.e. Java, Flash, etc.)

Privacy enhancements:

  1. Disable “Use a web service to help resolve navigation errors”
  2. Disable autocomplete through prediction service when typing in Omnibox
  3. Always send “Do-Not-Track” header
  4. Network/DNS prediction is disabled by default
  5. Block third-party cookies by default
  6. Link auditing (<a ping="link here">) is disabled by default
  7. Fetch plugins list from iridiumbrowser.de where it will be updated regularly
  8. Site data (cookies, local storage, etc.) is only kept until exit, by default
  9. Passwords are not stored by default
  10. Input form autofill is disabled by default
  11. For IPv6 probes, use a DNS root server instead of Google
  12. The default search provider is Qwant
  13. Load “about:blank” on new tabs instead of the currently set search engine and/or promotions.
  14. Don’t report Safe Browsing overrides.
  15. Don’t use autofill download service.
  16. Disable cookies for safebrowsing background requests.
  17. Disable the battery status API.

Disabled features:

  1. Disable background mode
  2. Disable EV certificates, so they are shown just like “normal” certificates
  3. Disable Google cloud printing
  4. Disable Google hot word detection
  5. Disable Google experiments status check
  6. Disable Google translation service
  7. Disable Google promotion fetching
  8. Disable Google Cloud Messaging (GCM) status check
  9. Disable Google Now
  10. Disable automatic update check
  11. Disable profile-import on first run

Networking changes

  1. Network/DNS prediction is disabled by default
  2. Link auditing (<a ping="LINK here">) is disabled by default

Other changes

  1. Add DuckDuckGo search provider
  2. Add Qwant search provider
  3. Add certificate pinning for iridiumbrowser.de
  4. Let user confirm downloading translation dictionaries from Google
  5. Always prompt for download directory
  6. Don’t ask to send settings to Google by default on profile reset
  7. Don’t warn about missing API keys (services are not used anyway)
  8. Iridium will show a warning bar when running possibly unwanted requests (trk prefix)
  9. Show all extensions (including internals) in chrome://extensions.

For installing it on debian,

wget -qO - https://downloads.iridiumbrowser.de/ubuntu/iridium-release-sign-01.pub|sudo apt-key add -
cat <<EOF | sudo tee /etc/apt/sources.list.d/iridium-browser.list
deb [arch=amd64] https://downloads.iridiumbrowser.de/deb/ stable main
#deb-src https://downloads.iridiumbrowser.de/deb/ stable main
EOF
sudo apt-get update
sudo apt-get install iridium-browser

I’ve been using it for a while now, works flawless [initially had to make few changes in firejail profile but other than that, no issues]. The repo regularly pushes for security patches and upgrades just like chrome.

Maybe @palinuro & other devs can have a look at it and share their thoughts.

Cheers! :blush:

1 Like

I have not tried iridium, it may well be very good. But…

I don’t think parrot needs more than one browser, to have two is just extra bloat. At which point you would have to choose between iridium, firefox or whatever else.

I think the general consensus would be that Firefox with a few plugins, and a custom configuration, would be “more secure” than iridium. If only because firefox is tried and tested.

1 Like

I get it. Adding more than one browser [by default] would seem like adding bloat. But my point ov view was… more flexibility.

If user wants to use Firefox, Great. If they want a browser based on chromium engine, They get to choose between Opera, Chromium, Iridium & few more.

And if having it installed by default seems like a bad idea, how about adding it to the parrot repository. The devs there update their stuff every month, keeping up with patches, and are very responsive. Its a FOSS, community helps keep the software alive when more people get exposure to it and realize its worth. Maybe you should give it a shot too :smiley:

Another good arsenal in Parrot Repository. :blush:

1 Like

Looks like you’ve done you’re homework.

I tried iridium browser when it first came out and wasn’t impressed. I think I’ll give it another try.

I’ve been using Yandex browser for a while and have mostly been happy with it. Has anyone else tried it?

2 Likes

:stuck_out_tongue:

I personally, prefer opensource software because I can see what goes behind the curtains. Yandex may provide a good browser, but I like to stay a mile away from it for its privacy, telemetry and data collection policies

Sounds like a plan :blush:

I’d like to add something if I may?

It sure seems like ALL the browsers out there FLOSS or no are designed to make it easy to track and surveill you. Frankly, I don’t trust any of them. I’ve tinkered with about:config and gotten some success; but, there has to be one out there that the serious players use. Any ideas?

Hello @valerie :slight_smile:

I’m not sure how to exactly respond to your statement, if I’m understanding you correct, The most Privacy & Secure Environment I have got out from a browser is from Firefox with a lot of tweaks. By A lot, I mean changing at least 25-30 default values of strings & booleans, adding some, Along with sandbox, of-course.

At that point, I’m assured some website may break, others may not work at all, while preserving my privacy & security.

You see, privacy and security are two concepts that, in my personal experience, have no quantitative stable equilibrium with usability.

If you tune up system privacy, you may loose security. (For instance, Using everything opensource where I can view to code to determine what actually goes behind the scene, avoiding practices like using a good Antimalware for the sake of system & to preserve user’s privacy), you are at the risk of compromising your system by a 0day or any sort of unplanned mistake that you are not aware of.

If you tune up system security, loss of privacy maybe at risk. (AKA lets say you install a good thirdparty firewall & antimalware, most antimalware sends your files to their cloud (file hash/signature or the file itself along with your system ID & a WHOLE lot of more identifiable information) if you enable advance threat defense, chances are, your system will stay secure with minimal efforts, (at the loss of privacy)

Now If you tweak your system for better usability, perfect privacy & security is something that is difficult to achieve at a satisfactory level, especially for an average joe

One can argue that setting up restricted environment like running files and browsers in sandbox, running Live systems (On RAM or on flashdrives), setting up a mere-usable system with tons of Ip-table rules for firewall is good enough to preserve privacy as well as security. At a point, yes. But I have tried it, most of the times, I do not achieve the paranoid environment I want, if I do, I end up breaking some workings of the system, or the system as a whole :stuck_out_tongue:

This is just my opinion from my experience, everyone is free to debate and counter-argue about it

I hope that (kinda) answered your question!

Cheers :blush:

2 Likes

Im game I will give it a shot.

CB
Cursed with a curse, blessed with a blessing.
Nothing ventured nothing gained.

I’m not a dev like you appear to be; but I have tooled around under the hood quite a bit over a number of years, and I’m inclined to agree with you. My banking and financial sites seem to break when I have my system so dialed-in that I pass all the “panopticlick” tests, including fingerprinting. No offense intended; but I don’t like to use the word paranoid, our BFF “The Beast” really is that vicious and both discriminate and indiscriminate and just plain rotten to the core. I can’t tell you how many times I’ve been hacked. Most of the time it appears to be “clipboard” attacks, as my “recent-files” are exported. I’d like to find a way to lock this down, maybe by connecting my mobile phone to a separate “hardware” router and disabling my recent-file list, and just disconnecting from the Internet when working with images and documents. Any suggestions appreciated. Something called “OpenBSD” doesn’t seem to be getting hacked. All I know is that they turn off hyperthreading. It’s normally used for servers, and doesn’t have wide adoption, so for-now it’s probably not considered a worthwhile target. I’m currently on Borneo and I was sent “FinSpy” by my mobile provider “MY MAXIS.” I had to do a “factory” reset to clear this. I’ve since destroyed the chip. I’m in a [Commonwealth of Nations] country, so I’m not entirely surprised. Any suggestions for defeating FinSpy greatly appreciated.

BTW, I’ve found something called “Astra linux.” This is used by Russians and may be worth having a look at https://astralinux.ru/en/ . I tried getting the Special-Purpose OS and contacted their sales department. Their response was send me a PO on “State-Letterhead.” I wonder if someone on your leadership team could get a copy of this? Just sayin’.

Which ports should I lock down? FinSpy uses 8889 and 8999 also:

FinSpy

Twenty five countries are using the FinSpy surveillance software package (also called FinFisher) to spy on their own citizens:

The list of countries with servers running FinSpy is now Australia, Bahrain, Bangladesh, Britain, Brunei, Canada, the Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, the United Arab Emirates, the United States and Vietnam.

From Schnier on Security.

Cheers

I see :slight_smile:

I’m not a fully fledged developer either. I’m still a student. Learning new things day after day. I saw your entire response. Despite being in the parrotsec team, I’d be honest to help you when I say this, Parrot by default isn’t designed to be the best “secure OS” concept in mind. Don’t get me wrong here. Parrot is secure, but giving users the ‘most secure’ environment available out in the market wasn’t the priority. Same goes with Kali & other pentesting distros. Of course, one can modify the system accordingly to their convenience to harden the system, but that users needs to be confident and aware of what changes they are making and how its impacts the system. Parrot is definitely secure than Kali, as Kali logs in user as superuser by default, not to mention parrot sandboxes most of the vulnerable activities of users that may lead to system being compromise.

I, again this is my personal opinion, thoroughly believe that the majority part of the integrity of the system depends on the end-user. If you give an extremely restricted and hardened to a user with a brickhead, chances are none of the security measurements will be sufficient enough form getting the system compromised. On the same hand if you give an environment that has decent equilibrium between security and usability to a user who knows what he/she is doing (aka aware of how to get around file system, how not to mess up, how can he/she possibly get compromised); targeting that user would be more difficult even for a good pentester.

That is not true, at all. OpenBSD is just another linux distro. HardenedBSD is a tough (and better competitor) if security is kept in mind. And if security is the primary concern of the end-user, try giving QubesOS a shot (It would definitely be more heavy on your system resource than parrot though lol)

Welp, It would be a long briefing on how not to mess up, but my these tiny tips apply for both mobile and desktop environment :

  1. Do not download files you don’t need or files you are not aware of. And obviously, Don’t click on links here and there. As cliche as it sounds, trust me, Most users get compromised by their silly stupidity and we don’t even need a top secret CIA-Mi6 developed 0Day to get around the target. Its these tiny things that users should keep in mind. Do not user add-ons/plugins you don’t require. At most you should have ublockOrigin (essential & recommended) blocks nonsensical advertiseents. No. No pretty lady in your area is looking for you. That too good to be true deal on versace handbag is probably too good to be true…you get the point. HTTPS everywhere (with Encrypt All Sites Eligible set to ENABLED/ON, a MUST have) so that you block absolutely every unencrypted request. Privacy badger is a good shoutout as well.

  2. ABSOLUTELY Delete softwares that you don’t require or user no more. On mobile, disable services that you do not require if you cannot uninstall them. I don’t remember when is the last time I used “google play games” or “google play books” or “live wallpapers” and many more on my android, simply disable them if you cannot uninstall them. This minimizes the possibility of system compromise by 0Day. Supply only sufficient permissions to apps. Facebook does not need to know who is in your contact list or what your current location is or whats in your sms inbox. Do you really require to share your day to day life with companies like Snapchat and Instagram and Tiktok? You really need gmail and outlook for email? Is your necessity worth the data you 'willingly" share with them? Dont use them, delete the accounts. Stay away from data hungry companies. Turn off services like WIFI and Bluetooth when not required. Have a look at THIS too if you are looking to quit using products form data hungry companies.

  3. Use TOTP instead of SMS-based authentication. Not even Trump or CEO of Twitter himself can defend themselves from SMS/SIM hijacking based authentication bypass attacks. Use Password manager like Lastpass or better yet, KeePass and secure it with a nice long password. Store all your passwords there. Use absolutely random passwords for random sites. Ideal password are between 22 digit [for services like spotify or VPN accounts and rest basic services] to 31 digit [for accounts that is involved with your personal data and financial transactions in anyway, for instance, Paypal, amazon shopping, ebay, Emails, Social media] cryptographically random passwords that has symbols, numbers, case sensitive and does not include anyword available in the dictionary. Make sure to keep 4-5 backups of the KeePass KDBX database file in different places though [1 copy in CD, 1 copy in flashdrive, maybe 1 in separate folder on the same device] and try not to lose it. Try to shift to Cryptocurrency and avoid stone age plastic money [Credit cars, Debit cards] which is terribly vulnerable but no one hooks an eye on it because it gets the job done easily. Change passwords every 3 months. Companies out of europe wont even let you know that they’ve had a breach and your credentials have been compromised. Juggling random passwords every three months on all your services is just as important as creating a strong password.

  4. Absolutely avoid using fancy IoTs. I mean, do you really need amazon, its partners, feds, advertising entities to know that you want to make a rainbow lobster sushi tonight and you are searching for a good recipe? Do you really want to share what songs you listen to over and over again? A Chinese light bulb that connects to internet and activates when you say a particular word. Really? you are willing to trust that?

  5. Last but not the least, Restrict down your local network itself. Keep an eye on your local wireless network and make sure you now who is connected. And first of all, get rid of proprietary firmware. This is a must. Companies like Dlink (which btw is getting thousands of lawsuits now for not pushing security updates and providing cheap routers and modems that are vulnerable to almost all internet malicious attacks), TP-Link, Tenda, Linksys, some models of netgear often fail to push security update to their firmware, I mean, you shouldn’t really expect any sort of update from routers that cost 40 bucks. Switch to DDWRt Or Tomato Or OpenWRT. (P.S Search about what you are doing, If you end up bricking your router, Don’t come catching me :stuck_out_tongue: ) These are opensource firmwares that have wayyy better usability, security and the fact that you can actually view the source code is a free black Friday deal. Change your default router gateway IP, username & password. Learn IPtables especially with ddwrt, Because you can create a really secure and restricted environment with it. @dmknght is working on a cool firewall thingy, should be great to see that come fully fledged soon.

These 5 Things isn’t everything you can do to be on safer side. But I reckon it should be sufficient enough to keep you and me, aka an average-Joe users on safer side :blush:

This has probably gone wayy out of topic on the parrot community, Probably will be scolded by upper devs for continuing this off topic, shouldn’t even have had responded with such long Point to point response but when you said I can’t tell you how many times I’ve been hacked. I couldn’t resist but to try to help you. I really hope this helps you out in a somewhat manner and benefits you in someway ahead in future @valerie :smile:

3 Likes