What could make Fedora a real privacy OS?

All these discussions about Fedora collecting data …

In my eyes no Linux distro is really dangerous for your privacy (lol, apart from Ubuntu or Android), but its role is to protect you from the outside.

But really, leaving all that anonymized telemetry aside, what would make Fedora a better privacy OS? I think it would be:

  • randomized MAC address with GUI on/off
  • firejail for all RPM apps like Firefox
  • a tor proxy like on Tails available as an RPM
  • a hardened Firefox user.js by default, as well as search engines and links

What would you add?

Do not link to Internet

Or using an outgoing firewall to control all outgoing data transmission.

3 Likes

Don't use browsers and Electron-based software

This is only necessary on Windows. I used OpenSnitch for a while and there are literally nearly no connections I don't want.

Use Flatpak apps for that purpose and just block their internet. Outgoing firewalls slow down app opening immensely, so they don't work.

Firejail, on the other hand, should be implemented; when I try to isolate Firefox, Kate or anything else, it doesn't work. It would be useful for some programs though: Firefox, maybe some apps that run faster as system apps, Nextcloud, virt-manager and so on.

Agree on Electron. Sadly there is no Signal web app, Element Web has less support, there is no local YouTube feed alternative, and Firefox doesn't support them either… So yeah, Electron it is for quite a while.

I have the feeling some comments here don't go in a constructive direction. Not using anything may be the best solution, but no.

That depends on whether you drop the packages or reject them with an ICMP message. The former results in the application program waiting for a response that never comes.

1 Like

What about enabling IPv6 Privacy by default? This seems extremely important.

nmcli connection modify eth0 ipv6.ip6-privacy 2

This has to be done with every device, I think.

2 Likes
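Added example, not part of any post in this thread: one way to apply the `ipv6.ip6-privacy 2` setting from the command above to every wired and Wi-Fi profile instead of a single `eth0`. The function name `plan_ip6_privacy`, the `--plan`/`--apply` switches, the restriction to Ethernet and Wi-Fi profile types, and the sample UUIDs are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: build one "nmcli connection modify" command per profile.

# Constructed sample of `nmcli -t -f UUID,TYPE connection show` output.
SAMPLE='11111111-aaaa-4bbb-8ccc-000000000001:802-3-ethernet
11111111-aaaa-4bbb-8ccc-000000000002:802-11-wireless
11111111-aaaa-4bbb-8ccc-000000000003:loopback
11111111-aaaa-4bbb-8ccc-000000000004:wireguard'

# Reads "UUID:TYPE" lines on stdin, prints the commands to run on stdout.
plan_ip6_privacy() (
    while IFS=: read -r uuid type; do
        # Assumption: only wired and Wi-Fi profiles are changed here.
        case "$type" in
            802-3-ethernet|802-11-wireless) ;;
            *) continue ;;
        esac
        # The plan may be piped into sh, so refuse anything not UUID-shaped.
        case "$uuid" in
            *[!0-9a-fA-F-]*) continue ;;
        esac
        [ "${#uuid}" -eq 36 ] || continue
        printf 'nmcli connection modify uuid %s ipv6.ip6-privacy 2\n' "$uuid"
    done
)

case "${1:-}" in
    --plan)  nmcli -t -f UUID,TYPE connection show | plan_ip6_privacy ;;
    --apply) nmcli -t -f UUID,TYPE connection show | plan_ip6_privacy | sh -x ;;
    *)       printf '%s\n' "$SAMPLE" | plan_ip6_privacy ;;  # offline demo
esac
```

Run it with `--plan` to review the commands before using `--apply`; a modified profile picks up the new value the next time the connection is activated.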

I created picosnitch (copr) to check for any connections I don’t want, and since it is not a firewall (only monitors), it does not slow down apps. I also use Flatpak or firejail for blocking.

2 Likes

How do you use firejail? For me even Firefox doesn't work, so I use the Flatpak.

I just use firejail --net=none or unshare -r -n to run programs I don’t want connecting to the internet.

I never run my browser with Firejail or Flatpak since it already has better sandboxing built in. I know Chrome’s sandbox was disabled for it to work with Flatpak (this makes it less secure), so the same might apply to Firefox and could be related to why it doesn’t work with Firejail.

Thanks. No, obviously I am running the Fedora Firefox RPM using firejail, and that didn't work for me. Would be great to have a workaround for the lacking features of the Flatpak. The sandboxing sounds interesting and concerning. I wonder how the browsers handle that, because the app itself has access over the system, just components of it don’t.

I would also imagine better hardware key support for LUKS unlock (configurable in the installers) would be very necessary. Swapped in Windows 11 a moment ago (had no internet lol) but apart from that it's crazy how many security features they seem to have integrated, especially TPM and hardware key.

Also there is this panic-trigger USB port that locks the PC or shuts it down when unplugged. Having this for some environments might be useful. It's just a special USB stick and a udev rule, nothing too crazy.