[PLUG] Firefox safe mode...

Daniel Herrington herda05 at gmail.com
Mon Oct 26 01:08:20 UTC 2009


I don't know if it's possible, but it sounds like you want FF to operate 
offline, i.e., not go out to the network. One of your initial queries was 
regarding restricting FF to local to the computer. When I run my laptop 
without any network, I can still access the VMware management console 
even though FF is in offline mode. It sounds like that would be another 
solution.

I don't know how you'd limit users to FF in offline mode though, as 
it's a check box under the File menu. You may face the same challenges 
with that as with safe mode.

Dan H.

Michael Robinson wrote:
> On Sun, 2009-10-25 at 16:42 -0700, Scott Garman wrote:
>   
>> Michael Robinson wrote:
>>     
>>> I want safe mode to be closed to the average person.  If one must enter
>>> a password to get into safe mode, that will work.  Changing the source
>>> code of firefox is an extreme option that will make it harder to upgrade
>>> when new releases come out.  Is there any standard way to protect
>>> against safe mode abuse?  Procon Latte is a popular plugin I suspect,
>>> but what's the point of it if anyone behind it can pop into safe mode
>>> and remove it?  I am surprised that the author of Procon Latte hasn't
>>> addressed the safe mode abuse issue.  Ideally, the developers who are
>>> going to release the next version of firefox should address the safe
>>> mode abuse issue.
>>>       
>> Safe mode exists for a good reason - to prevent Firefox from becoming 
>> totally borked by third-party extension code. So while in your 
>> particular situation it poses a security risk, I guarantee if it were 
>> disabled by default, a far greater percentage of the user base would be 
>> inconvenienced. It's a trade-off.
>>
>> Procon Latte is likely a good solution for users who do not have the 
>> technical know-how or motivation to try running Firefox in safe mode. 
>> Content filters are best deployed at the network level, e.g. as a 
>> firewall service. Otherwise you're constantly playing a cat and mouse 
>> game with other applications the user could install or run to circumvent 
>> the content filtering - including by using things such as bootable CDs 
>> or USB drives.
>>
>> Scott
>>     
>
> I get the cat and mouse game problem.  Thing is, what filter is there
> that I can implement without a proxy at the network level?  Some sites
> don't work through a proxy.  It would be nice if my direct access option
> could catch attempts to search for "adult" material et cetera and do
> something about it.  To be a direct access option means no proxy though.
> I suppose I need to use iptables somehow to reroute packets to a server
> side filter program and then inject as appropriate as if nothing had
> happened.  I want something transparent.  An option is to simply go and
> get the PICS ratings for whatever web site one is trying to reach and
> flash a warning if appropriate, but how do I do that transparently and
> still provide direct access?
>
> As far as safe mode being an authenticated mode of firefox, I think
> that is way too liberal.  I don't suppose in Linux though that one
> can restrict what programs can be run.  To do so one would need an
> administrator program that registers all the acceptable programs
> with perhaps a daemon in the background that gets queried every
> time there is a request to execute a program.

-- 
Daniel B. Herrington
Director of Field Services
Robert Mark Technologies
dherrington at robertmarktechnologies.com
o: 651-769-2574
m: 503-358-8575


