[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Zoom- best practice?

Peter Ehlert writes:

Family is using Zoom, International.
They will use Zoom, and I need to participate.

I use Debian Mate Stable, and Firefox ESR

I am concerned about security, duh!
Looking for ideas.

my current thoughts, in order of preference:

1. Use a separate Debian alongside my daily driver, and use Only for the Zoom meetings

2. Sandbox? (but how can I do that?)

3. Use a different browser



best practice is certainly using different software (Big Blue Button has been mentioned, Jitsi works OK for small groups, say ~10 persons, too), but there are cases where I am not asked to decide the software. At least, Zoom works on Linux whereas e.g. Skype for Business doesn't despite claiming to have a „Web App“?

I am also using Zoom (not by preference, see above) and thought about ways to isolate it for which I basically came up with a similar list to yours. Here is what I did so far:

* Zoom inside a VM works well here. I use Virt-Manager + KVM and
  audio works flawlessly without the need for much additional configuration.
  I only added this line to .config/pulse/daemon.conf:

	flat-volumes = no

  This makes sure that opening the VM does not reset volume back to 100%
  which is dangerously loud on my sound card, see
  <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674936> :)

* As a fallback solution, I setup a sandbox for chromium using firejail
  (package firejail) with a custom profile (attached for those interested).

  If you do not like the VM approach, you might consider a sandbox around
  the zoom client. Of course, it is possible to use the sandbox inside the
  VM, too. I doubt the added security of combining VM+sandbox is worth the
  added complexity, though.

Using an entirely different system is certainly an option security-wise (if network isolation is considered properly), but might have some additional practical limitations.

include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/whitelist-var-common.inc

blacklist /var/log
blacklist /var/www
blacklist /boot
blacklist /root
blacklist /opt
blacklist /srv
blacklist /media

# problems with multiple browser sessions

#caps.keep sys_chroot,sys_admin
noexec /tmp

shell none

#caps.drop all

Attachment: pgpmOoLW7Wjem.pgp
Description: PGP signature

Reply to: