On 6/6/20 12:13 AM, Linux-Fan wrote:
> Peter Ehlert writes:
>
>> Family is using Zoom, International.
>> They will use Zoom, and I need to participate.
>>
>> I use Debian Mate Stable, and Firefox ESR
>>
>> I am concerned about security, duh!
>> Looking for ideas.
>>
>> my current thoughts, in order of preference:
>>
>> 1. Use a separate Debian alongside my daily driver, and use Only for the Zoom
>> meetings
>>
>> 2. Sandbox? (but how can I do that?)
>>
>> 3. Use a different browser
>
> [...]
>
> Hello,
>
> best practice is certainly using different software (Big Blue Button has been
> mentioned, Jitsi works OK for small groups, say ~10 persons, too), but there are
> cases where I am not asked to decide the software. At least, Zoom works on Linux
> whereas e.g. Skype for Business doesn't despite claiming to have a „Web App“?
>
> I am also using Zoom (not by preference, see above) and thought about ways to
> isolate it for which I basically came up with a similar list to yours. Here is
> what I did so far:
>
> * Zoom inside a VM works well here. I use Virt-Manager + KVM and
>   audio works flawlessly without the need for much additional configuration.
>   I only added this line to .config/pulse/daemon.conf:
>
>       flat-volumes = no
>
>   This makes sure that opening the VM does not reset volume back to 100%
>   which is dangerously loud on my sound card, see
>   <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674936> :)
>
> * As a fallback solution, I setup a sandbox for chromium using firejail
>   (package firejail) with a custom profile (attached for those interested).
>
>   If you do not like the VM approach, you might consider a sandbox around
>   the zoom client. Of course, it is possible to use the sandbox inside the
>   VM, too. I doubt the added security of combining VM+sandbox is worth the
>   added complexity, though.
>
> Using an entirely different system is certainly an option security-wise (if
> network isolation is considered properly), but might have some additional
> practical limitations.
>
> HTH
> Linux-Fan

Thanks for sharing the firejail profile; however, doesn't it work in the browser? It is really hidden, but if you decline the software installation 2 times in Chrome, you get a link to join Zoom via the browser. That's what I had to use a couple of times. The best practice is to avoid installing the Zoom Debian package at all. Btw, BBB is also far away from a secure platform imho.