So, I’m currently on Kubuntu and I’m not really a fan. I want to take the opportunity to switch to a better distro. Ideally I’d use secureblue but I’m hoping for advice on how practical it is as a daily driver from the people who’ve used it.
My priorities are:
- Using Linux.
- Using Firefox.
- Security, within reason.
- Using software which treats security with the importance it warrants (If desktop Linux should improve in one area in 2026, it’s security).
My options are:
- Fedora Kinoite
- Fedora KDE with some hardening
- Secureblue
My needs are:
- Browsers: Firefox, Mullvad Browser, a Blink-based browser (backup).
- Extensions: Ublock Origin (Lite or otherwise), Noscript, Proton Pass
- Apps: Freetube, Anki, Discord, Threema, Libreoffice, Mullvad VPN, Kwrite, Kolourpaint
- Sound: Bluetooth headphones, Sound, Printing (Optional)
I’ve stopped using themes, partly because of the security issues and partly because I just don’t really like them anymore. I’ve replaced them with the Plastic window decorations that come default on Kubuntu and a custom colour scheme.
On Firefox:
- I need Firefox because it allows me to create duplicate bookmarks with ease. I manage a lot of things via bookmarks and sometimes they overlap.
- Secureblue has been incompatible with Firefox in the past, but IIRC Firefox recently added support for hardened_malloc. I can’t find where I read this though.
- In terms of the security issues with Firefox, I’ve installed Noscript to prevent untrusted sites from running javascript (especially Wasm). I can swap to a blink-based browser where it requires trusting too many sites.
- Proton Pass … I don’t log directly into it on my computer (only on GrapheneOS) and I don’t have my 2FA keys stored on it. I need it for a Passkey because neither Linux nor GrapheneOS support them natively and my government services’ 2FA codes requires it’s own app which requires the Play Integrity API (bloody Australia). My government services are a very high value target (because Australia).
- I wonder if I really need hardened_malloc in the first place, since with the state of Linux security I’m not sure there’s a reason someone would use a memory vulnerability unless I’m being targeted personally (and nobody’s gonna do that for me).
Security goals:
- I want to make sure the software I install to not have access to anything it doesn’t need to.
- I want to make sure that any website I visit won’t be able to access my file system.
- I want to make sure that my browser extensions won’t be able to access my file system.
- I want to use a distro that’s somewhat resilient against supply chain attacks.
- Proximity to upstream for timely security patches.
I’m not sure I’m qualified to answer, you seem to know your security needs but i’ll ask anyway: what are you securing against and why? You listed your security goals, but not exactly why you need them and what you are defending against. Fair enough, but without knowing more details, I’d suggest looking at QubesOS, which specifically isolates apps into different virtual machines. You could also go with security-by-minimality, and roll your own environment with Arch or Alpine (even Gentoo if you really wanna go down the rabbit hole)
That’s a new one.
I’m after security against malware and websites to prevent my email or government services from being accessed maliciously, but I want to do so without over-relying on the obscurity of Linux and Firefox.
In other words, I want to do my due diligence on security.
Malware in the traditional sense, as in a malicious program that sneaks its way onto your machine and runs a dangerous payload, is far far more common on Linux machines with open ports acting as servers on the internet. And even then, I’d wager that’s less than 1% of the malware out there that specifically targets Windows simply due to market share. With that in mind, plain old Fedora will do just fine, especially if you leave SELinux enabled; many tutorials have you disable it if it interferes with apps/services you want to run, but they’re simply being lazy, working around SELinux can be obscure at times, but it’s still worth doing, and keeping it running rather than disabling it.
Malicious webpages and phishing attempts are more likely to cause you trouble on Linux, and the OS can only do so much to protect you there. Securing against those is more about vigilance and wisdom, which it sounds like you’ve got covered honestly!
In terms of phishing I am very prepared. In terms of malicious webpages not really. Noscript probably helps but I click on basically any link with no regard for safety, and if it doesn’t work I normally give it any javascript permissions it asks for (except wasm, unrestricted css, LAN, and other). Plus there’s the added risk of browser extension supply chain attacks that I’ve been getting increasingly paranoid about.
I think you’re right about software. If I use SELinux, and especially if I use a hardened profile on it, then I should be reasonably secure. If I uninstall sudo and switch to run0 (which I prefer using anyway) then malware probably wouldn’t be able to do much of anything if it escapes the sandbox. I’ve heard everywhere that Fedora and OpenSUSE are relatively good on security so I have every reason to trust your assessment.
Sudo and run0 are both problematic. Sudo is a setuid binary, which is problematic, but run0 is not much better. It works by making calls to systemd/polkit/dbus, services that constantly run as root, and they themselves expose a massive attack surface. Many privilege escalation CVE’s similar to sudo have been released that exploit that attack surface.
When it comes to actually being secure, systemd somewhat screws you over, due to having a massive attack surface, a way to run things as root, and the interesting decision to have polkit parse and run javascript in order to handle authorization logic (parsing is a nightmare to do securely).
The other thing, is that the browser sandbox is much, much stronger than the separation of privileges between users in Linux. Browser sandbox escapes (because they work the same on windows or Linux) are worth immense amounts of cash, and are the kinds of exploits that are used in targeted manners against people who have information on their computer worth that much. If you don’t have information worth millions of dollars on your computer, you shouldn’t worry about browser sandbox escape exploits.
The reality is that any attacker who is willing and able to pierce through a browser sandbox, will probably also have a Linux privilege escalation vulnerability on hand. In my opinion, trying to add more layers to security is pointless unless you are adding stronger layers. If your attacker has a stronger “spear”, it doesn’t matter how many weak “shields” you try to put in front to stop it.
If the million dollar industry of browser escapes is in your threat model, I recommend checking out the way that Openbsd’s sandboxing interacts with chromium. Or check out google’s gvisor sandbox and see if you can run a browser in there.
The idea of disabling sudo was that malware would try to use sudo and fail (plus Secureblue’s endorsement). But now that I think about it malware probably wouldn’t keylog my password and use systemd anyway, but instead use something less tedious and less distro-dependent like a privilege escalation attack. I’m wondering though, are you saying that you think run0 is more vulnerable, or that it shares a massive attack surface with sudo?
I guess the value of browser escape vulnerabilities explains why I’ve never gotten any malware despite my risky web browsing. Though browser extensions still pose a risk and being a Firefox users I suspect that such value is low enough to use for run-of-the-mill malware (though probably just for Windows). I’ve heard a fair few times about thumbnailer attacks, but no real detail from KDE about what if any mitigations they have in place.
These also are valuable. Less valuable than browser escapes IMO though.
A keylogger is more likely, and it’s just as possible with sudo as it is with run0. They would replace sudo, run0, doas, etc with a fake command (since that only require access to the user), that either keylogs, or inserts a backdoor while it does the other sudo things.
Please ignore the entire cybersecurity hype news cycle about images being used to spread malware. They often like to intentionally muddy the waters, and not clearly explain the difference between a malformed file being used as a vulnerability to exploit a code execution exploit, and an image file being used as a container for a payload (steganography). The former is a big deal, the latter is a non issue because the image is not the issue, whatever means the malware actually used to get onto the systems is.
Here’s a recent example of me calling this BS out. The clickbait title implies that users got pwned by viewing a malicious image, when in actually it was a malicious extension that did the bad things.
Unless you are using windows media player, the microsoft office suite, or adobe acrobat, code execution from loading a media file is a really big deal and fixed extremely quickly. Just stay updated to dodge these kind of issues.
As for zero days, unknown and unpatched vulnerabilities, again, that’s a different threat model because those exploits cost money to execute. Using an existing known (but fixed in updated versions of apps) is free.
I’ve heard of thumbnails being used to deliver malware. Specifically the idea that “thumbnailers” are javascript code included in the file that will run in order to generate a thumbnail and they have the potential to deliver malware. After an arduous search I found this article https://thehackernews.com/2017/07/linux-gnome-vulnerability.html suggesting a vulnerability in the thumbnail generator for windows executables on GNOME allowed it to be used to deliver malware because the file name contained code that was executed by the thumbnailer. I’m still entirely unclear about what a thumbnailer even is (whether it’s local or remote code) or what my original source was. For now I’ll just turn off thumbnails for all but images and hope that counts as adequate security.
You’ve heard of critical vulnerabilities in media processing applications that mean that thumbnails can theoretically be used to be spread malware. That is not the same as “this issue was being actively exploited in the wild and used to spread malware before it was found and patched”.
These vulnerabilities, (again, cost money), and are fixed rapidly when found. Yes, disabling thumbnails is more secure. But I am of the belief that average users should not worry about any form of costly zero day in their threat model, because they don’t have sensitive information on their computers that makes them a target.