How To Run Your Web Browser In A Secure Sandbox

by Sunny Hoi

Practicality of Firejail

The default configurations of modern Linux distributions such as Ubuntu and Linux Mint are already eminently secure. Nevertheless, making a habit of running your web browser inside a virtual sandbox increases security drastically and is in the best interest of the skeptical individual, because web browsers like Firefox and their plugins are the most attacked software today.

By utilizing Firejail’s application-level virtualization, we can attain the protection we deserve in the age of surveillance and uncertainty. This is achieved by wholly segregating your web browser from your personal folder, so that the browser cannot cause mischief there. When you sandbox your web browser, you not only make it difficult for malware to touch and alter your personal files, you also create an extra layer of protection that isolates the browser from the attacks common today. To illustrate the danger: in August of 2015, security researcher Cody Crews reported to Mozilla that a vulnerability in Firefox’s PDF Viewer was being exploited by a malicious advertisement on a Russian news site. The payload searched for sensitive files on the local filesystem and uploaded them to the attacker’s server. Firejail was able to prevent the potential catastrophe because its default configuration blocked access to .ssh, .filezilla, and .gnupg in every directory located in /home. With more advanced Firejail sandbox configurations, everything else was blocked as well, without any conflict.

Hence, your operating system is significantly protected against intruders and malware breaking into your personal folder. Keep in mind that some exceptions exist, such as the Downloads folder and the web browser’s configuration. The folders and files belonging to the system remain accessible, but crucially only as read-only.

My question for you is: Why wouldn’t you want to use Firejail? After all, Firejail uses only slightly more resources, and the extra protective layer it offers is effective and not difficult to take advantage of. The benefits clearly outweigh the costs. The sole disadvantage of segregation is that printing web pages may fail, since your web browser is separated from your personal folder, and that you can only attach files to an e-mail message if those files are in your Downloads folder. This is easily resolved by launching the web browser the way you normally do, without Firejail, whenever the sandbox interferes with what you need to do.


Installing Firejail on your Linux system is simple.

  1. Launch a terminal window.
  2. Type in the following: sudo apt-get install firejail
  3. Press Enter and when requested, type in your password. Press Enter again.

Sandboxing Firefox

You can now run Firefox from a sandbox after successfully installing Firejail.

  1. Launch a terminal window.
  2. Type in the following: firejail firefox
  3. Press Enter.

That is all. For the majority of users, the default settings of Firejail will suffice since it already increases your security considerably. Also, the default settings are ideal for entertainment or casual browsing.

Keep in mind that you will have to type in this command every time you would like to launch Firefox in a sandbox. It is possible to create a desktop launcher that automates this process, so that Firefox is launched in a sandbox with a click of a button.

Depending on your Linux distro, you can typically right-click the Firefox icon to edit its launcher. The command should be changed to: firejail firefox %U

To check whether Firefox is running in a sandbox, open a terminal and type in the following command: firejail --tree

Sandboxing Chrome and Chromium

Chrome and Chromium have enhanced protection that Firefox lacks. These two browsers use a “protected mode” to run browser processes with as few user permissions as possible. If a malicious actor discovered a zero-day browser vulnerability and exploited it, they would also need another vulnerability to get around that sandbox before gaining access to the Linux system. Nonetheless, it is still an excellent idea to use Firejail for these browsers.

After you have installed Firejail, you can sandbox Chrome if you prefer it over Firefox.

  1. Launch a terminal window.
  2. Type in the following: firejail google-chrome-stable
  3. Press Enter.

NOTE: If you are using Chromium, you would replace “google-chrome-stable” with “chromium-browser”.

If you would like to modify the desktop launcher to make sandboxing Chrome or Chromium more convenient, the command would be: firejail google-chrome-stable %U

Or if you are using Chromium, the command would instead be: firejail chromium-browser %U
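
The launcher change described above for Firefox and for Chrome/Chromium can be scripted. The following is an added example, not part of the original article: it writes a copy of a launcher in which every Exec= command goes through firejail. The function names and the sample launcher are constructed for illustration, and the paths in the last comment are the usual freedesktop locations, assumed rather than taken from the article.

```sh
#!/bin/sh
# Added example (not from the article): route a browser launcher through firejail.

# make_sample_launcher FILE: write a constructed launcher to FILE (sample data).
make_sample_launcher() {
    cat > "$1" <<'EOF'
[Desktop Entry]
Name=Firefox Web Browser
Exec=firefox %u
Type=Application
Actions=new-private-window;

[Desktop Action new-private-window]
Name=Open a New Private Window
Exec=firefox -private-window
EOF
}

# sandbox_launcher SRC DEST: copy SRC to DEST with "firejail " prefixed to every
# Exec= command. Lines that already start with firejail are left alone, so
# running it twice does not produce "firejail firejail ...".
sandbox_launcher() {
    src=$1
    dest=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$(dirname "$dest")" || return 1
    sed -E '/^Exec=firejail( |$)/! s/^Exec=/Exec=firejail /' "$src" > "$dest.tmp" &&
        mv "$dest.tmp" "$dest"
}

# count_unsandboxed FILE: print how many Exec= lines bypass firejail.
# A launcher's extra actions (e.g. "new private window") have their own Exec=
# line, so editing only the first one leaves an unsandboxed way to start.
count_unsandboxed() {
    awk '/^Exec=/ && !/^Exec=firejail / { n++ } END { print n + 0 }' "$1"
}

# Demo on the constructed sample, inside a temporary directory.
demo=$(mktemp -d)
make_sample_launcher "$demo/firefox.desktop"
sandbox_launcher "$demo/firefox.desktop" "$demo/out/firefox.desktop"
grep '^Exec=' "$demo/out/firefox.desktop"
echo "unsandboxed Exec lines: $(count_unsandboxed "$demo/out/firefox.desktop")"
rm -rf "$demo"

# Typical real use (assumed standard paths; the per-user copy takes precedence):
#   sandbox_launcher /usr/share/applications/firefox.desktop \
#       "$HOME/.local/share/applications/firefox.desktop"
```

Running count_unsandboxed on the resulting launcher after a browser package update is a quick way to confirm the per-user copy still starts everything through firejail.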

High security sandboxed browser

If you are doing online banking or accessing any highly sensitive information, this is the setup you should use instead of the default one. We should be suspicious of the addons and plugins we install, since we have little means of verifying whether they are malicious. Therefore, we shouldn’t trust them when our private information may be in jeopardy. The --private option is important since it starts the browser with a factory default configuration and an empty home directory.

We need to keep in mind that current routers in homes are extremely insecure and vulnerable. A malicious actor may tamper with DNS and redirect the traffic to a bogus bank website. Hence, use the --dns option to set a DNS configuration for your sandboxed web browser: firejail --private --dns= --dns= firefox -no-remote

Those two DNS servers listed above are owned by Google. The National Security Agency (NSA) has access to the logs. This will assist you in case a malicious actor decides to try something. Nonetheless, do not use these DNS servers for anything other than banking. The command above uses -no-remote so that the sandboxed browser is not confused with a browser that is already running for our entertainment needs. Therefore, if you already have Firefox launched and running, it is best to use the -no-remote option. If you choose not to, you will merely get a new tab or a new window connected to the Firefox that is already running. The command to type into the terminal would be: firejail firefox -no-remote
