Idea #11106: Implement a Secure Internet Mode.

Written by Auzy the 14 Jul 08 at 02:37. Category: Security.
Related to: Nothing/Others. Status: New

Description

I'd like to see a means added of enabling a secure mode for my own user (or system-wide for some options).

EXAMPLES OF TRIGGERABLE OPTIONS:
- Require SSL HTTP connections
- Require Encrypted Voip connections
- Require all communications use encryption
- Only allow execution of Signed Binaries.
- Disable External Web Browser Plugins (Flash and Java).
- Block all wireless connections
- Ability to see all established connections in the window.
- Disable all hooks in Xorg that could allow key monitoring, screen viewing/snapshotting, or mouse tracking.

BENEFITS:
- Users have a better guarantee that their traffic isn't being read
- Users can verify that the binaries they have downloaded belong to their source.
- Paranoid users will love linux.
- Helps reduce the chances that a keylogger/remote desktop viewer can be used to watch you type in your bank details.

Whilst it may not prevent very elaborate forms of Man-in-the-middle attacks, I would love to have a way to help lock down my connections whilst performing banking for instance. Its all good setting up file system policies and such, but if you cant guarantee that an attacker cant slip malicious code into a file you are downloading, whats the point?

Tags: (none)

Attachments

No attachments.

Duplicates

[Report a duplicate and merge its votes to this idea]

Comments

Auzy wrote on the 14 Jul 08 at 02:39

Ideas this works well with:
Digitally Signed Binaries
Security and stability centre.

Eldmannen wrote on the 14 Jul 08 at 03:11

I find this to be an interesting idea.

It surely would be nice to have a "highly-secure account" from which you could do online banking. Especially if the computer is shared with many family members.

gmatht wrote on the 14 Jul 08 at 11:56

"Require SSL HTTP connections" In other words, be unable to access any http only sites, including e.g. brainstorm? I don't get it.

Arnaudus wrote on the 14 Jul 08 at 12:11

It's probably an interesting idea, but as such, I doubt it should be reasonable to implement it. Some of the features you describe are firewall or basic TCP/IP functions, while others (such as the Flash/Java thing) are clearly client-related. It's very complicated to implement if you consider all combinations of clients, desktop environments and kernel options possible.

Auzy wrote on the 14 Jul 08 at 12:20

Many sites have a SSL encrypted entry page, but after you authenticate, they change back to a normal HTTP connection, which makes it mostly useless, because the data you are viewing may have been intercepted and changed.

The idea is basically to provide a more secure internet environment, at the cost of restricting the internet only to secure protocols and website.

Granted most users would not enable many of these options for default, however, what we should be aiming for in the future is, to be able to enable all of these options, and not be inconvenienced at all. If any banking sites fail to be accessed with HTTPS only, then they are configured wrong, and should be sent bug reports. At the moment, we have no mechanism to help guarantee users security when connecting to websites.

Auzy wrote on the 14 Jul 08 at 13:41

Actually, another way of putting it, would be:

If you were doing online banking, wouldn't you like to have a way of guaranteeing that the data you are receiving, is the banks, and that its secure?

HTTPS can barely be called secure when everyone has permitted their browsers to allow it to redirect back onto an insecure connection anyway. Without this, you really have no guarantees that HTTPS is secure at all (all your data besides the login could still be read or modified inflight).

Eldmannen wrote on the 14 Jul 08 at 16:58

Also, not only useful for online banking.
Also if you want to upload some material to Wikileaks.
* http://www.wikileaks.org/

notyetroot wrote on the 10 Aug 08 at 19:53

This would be great for the government. Paranoiabuntu! +1

Post your comment