Is Browser-in-the-box legit and how come so few users?

That’s all I have to ask, which is in the title question. The details are that it’s a browser isolated from the main operating system you use, which is set into a hardened Debian 6 with randomized root password. Sounds too secure and good to be true, but how secure is it? Doesn’t seem to access anything suspicious.

Seems to be legit. But I never heard about it until now. Why few users? Maybe just like me. Never heard about such a product.

370 MB download? What? LOL! No thanks. I can’t tell you how secure it is as I never used it. I can’t take their word for it.

All I found on it is this: Free 'Browser in a Box' Runs Firefox 4 with Ultra Security | PCWorld


“I downloaded this last Friday and intended to install it this morning. Unfortunately, the installation instructions are in German. So, unless you or someone you know speaks that language, you’re pretty much out of luck.”

Ha ha ha LOL! ;D

I can PM you the English version if you want.

Alternatively, use a translator to guide you.

I give it a try. Yes do that, thanks.

I gave you a PM.

Ok, how was your test with it?

Is waiting on confirmation

I do think Browser-in-the-box or BITBox (this one right? Cybersecurity: Digitization & IT Security | Rohde & Schwarz) is legitimate. I’ve used it before and not really practical since it essentially just loads a browser inside a vm. A full vm is more functional than this. It’s not bad, but it isn’t that good either.

Right, I didn’t answer the question:

It’s secure if we’re talking about malware.

  1. Debian 6 alone should tell you that Windows-targeting malware won’t run in here.
  2. Randomized root password should be secure enough. Longer is better as usual, though no indication of length here. But this is not Windows and no one else would be caring about that password so length should not pose a concern. Basically, if you don’t know the root password, you can’t launch anything infectious (which requires root privileges) or modify anything critical for that matter.
  3. Since downloads are made to the shared folder, inside a vm, nothing will be automatically launched.
  4. Most malware that can detect VMs and sandboxes require one of two conditions: (1) that the VM is a Windows or (2) if it’s Linux, it is preconfigured (and I stress the word) to bypass sudo.

It’s as secure as it can get.

You have Kiosk in CIS v6.

A bit off-topic, don’t you think? :wink:

Not really. Promoting Comodo on Comodo forum? Never.

Although what you are suggesting is a fully virtualised environment based on an OS etc… I offered Kiosk as an alternative…

We all got that Melih. And it’s a good idea. I better use kiosk rather than browser-in-the-box.

I offered no such alternative. I merely explained the…theoretical…rationale behind Bitbox which the OP made clear in his post (shall I quote?):

I read no such request for alternatives and I made none.

If I may make a suggestion to people who would reply in the future, why not compare Bitbox to security implementations instead so we can gauge the security it promises vis-a-vis current implementations? Contrasting it to other products not only allows us to see if it is secure or not, but also determine the necessity of such a software and at the same time, recommend (albeit indirectly) a software without going off-topic.

May I make an example?

Let’s compare Bitbox to SRWare Iron for example.

Virtualization-wise (by which I mean how it approaches vulnerabilities by separating browser from OS), Bitbox certainly comes stronger. However, the resources it consumes may be a good factor to consider when using this browser. When one argues that present hardware specs should manage the resources needed, one’s forgetting that a system’s performance does not solely rely on hardware, but also on software which may be more substantial considering that the variety of which comes with substantial requirements.

Taking into consideration as well the context by which Bitbox was most possibly thought up, the audience it targets I mean, it’s probably directed to the more knowledgeable community by which it makes sense and somewhat safe to assume that the person who chooses to use Bitbox has taken necessary precautions prior to its installation.

If this should be the case, then SRWare Iron would suffice considering that the necessary precautions that may serve as an alternative to achieve the same level of security Bitbox promises require less resources than Bitbox itself. A custom build for example would be sandboxing Iron, using a VPN, forcing downloads through a manager into a write-only folder (not allowing execution of any program within the folder; achievable through NTFS permissions), a key scrambler and an automated scanner should achieve just as much security as Bitbox and proves more functional and beneficial than Bitbox.

However, Bitbox may have an advantage by using the browser inside a virtualized environment which ensures that no malicious program is monitoring your activities. And in which case, Bitbox proves superior to the above alternative.

Bitbox is secure though the resources needed (which also is a consideration in security and stability) is a compromise when using the browser. There are implementations that exist currently with less resource demands than Bitbox over which Bitbox security may be judged as unnecessary. It does however, ensure to a much higher degree that no program is running to spy on you except perhaps the websites you visit and thus conclude that Bitbox is indeed secure.
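
Added example, not part of any post in this thread: one way to set up the "no execution within the folder" download directory that the post above says is achievable through NTFS permissions, using `icacls` from PowerShell, with a check that the restriction actually holds. The folder path `C:\QuarantineDownloads` and the probe file name are assumptions.

```powershell
# Added example (not from the thread). $Downloads is a hypothetical path.
$Downloads = 'C:\QuarantineDownloads'
New-Item -ItemType Directory -Path $Downloads -Force | Out-Null

# Deny "execute file" to Everyone (well-known SID S-1-1-0, avoids localized names).
# (OI) = inherit to files, (IO) = inherit-only, so the ACE lands on files in the
# folder but not on the folder itself, where X would mean "traverse".
icacls $Downloads /deny '*S-1-1-0:(OI)(IO)(X)' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Verify: copy a harmless system binary in; the new file inherits the deny ACE.
$probe = Join-Path $Downloads 'probe.exe'
Copy-Item "$env:SystemRoot\System32\whoami.exe" $probe -Force

$blocked = $false
try {
    & $probe | Out-Null
} catch {
    $blocked = $true   # process creation refused: "Access is denied"
}

Remove-Item $probe -Force
if ($blocked) { 'OK: files in the folder cannot be executed' }
else { Write-Warning 'Probe ran: the deny ACE is not effective' }

# Show the resulting ACL for review.
icacls $Downloads
```

The deny ACE stops native binaries from being started out of the folder; a script that an interpreter merely reads is not covered by it. The file owner or an administrator can still change the ACL, so the folder is only as strong as the account the browser and download manager run under.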

How would CIS with default deny fit in this scenario of blocking a malicious program monitoring? You seemed to have left that out of the suggested scenarios.

I was debating with myself whether or not to send this as PM rather than to post it here. It made more sense to post it here to explain to everyone else who would be reading this thread why I wrote what I wrote and prevent any more misunderstanding seeing that it’s still a possibility.

I took it into consideration though as you might have noticed, I made no attempt to name any other security product, choosing to generalize rather than to be particular because:

  1. What I was aiming for was to build on Bitbox’s prime disadvantage that is memory consumption. To which I opted for something more stable in memory (NTFS permissions) rather than relying on a security suite that consumes memory indefinitely.

  2. Many architectures have come to adapt the default-deny albeit in various different ways that to be particular with CIS would seem to be propaganda on my behalf (of course, this is a personal issue and preference for me; nothing political as disliking the company; I do the same in my studies).

  3. I have not used CIS for a good period of time that I no longer fully understand its mechanisms, and consequently, making me incapable of making an accurate assessment. I rule myself as an unreliable source in this context and therefore made no such attempt.

  4. I simply had wanted to make an example to illustrate my point seeing how vague I was with words. I chose to write only about a single possible alternative and nothing more.

  5. I have not used Windows for a year now, except maybe to run a few tests or identify dependencies for compatibility issues, and the configuration I gave was the last that stuck in my head at the time of writing. I felt that it was the best that I could do.

Now to answer your question: How would CIS with default deny fit in this scenario of blocking a malicious program monitoring?

That depends really. It seems from what I’ve read so far across the Internet that there are still programs that are able to bypass CIS (though I’ve not seen proof of it, it still makes more sense to take it as a testimony rather than sheer arrogant claims. We are after all discussing about security. We mustn’t be too complacent unless there is solid proof that claims otherwise. Or if we were to take it as a dead body, show me the head and I’ll believe that it’s dead. The claim can be proof of its existence. But there is none that disproves its non-existence, and since there was no sample given, it’s the same as a witness having witnessed a crime but only seeing the back of the suspect) despite default-deny.

In this case, if we were to pit it against Bitbox, although it would not prevent it from being launched, it does prevent it from auto-launching (because it was essentially downloaded in a different environment, preventing it from being run through the browser) which gives the user an edge (same rationale as autorun). Putting it into context, the malware is as good as found once it’s been scanned and tested (as in my case, I have ThreatExpert analyze the file first) and will be unable to do damage. But in CIS alone, if for example a malware got through (for argument’s sake, humor me), then the malware can autolaunch itself.