Re: Zoom- best practice?
On 6/6/20 12:13 AM, Linux-Fan wrote:
> Peter Ehlert writes:
>> Family is using Zoom, International.
>> They will use Zoom, and I need to participate.
>> I use Debian Mate Stable, and Firefox ESR
>> I am concerned about security, duh!
>> Looking for ideas.
>> my current thoughts, in order of preference:
>> 1. Use a separate Debian alongside my daily driver, and use Only for the Zoom
>> 2. Sandbox? (but how can I do that?)
>> 3. Use a different browser
> Best practice is certainly using different software (Big Blue Button has been
> mentioned, Jitsi works OK for small groups, say ~10 persons, too), but there are
> cases where I am not asked to decide the software. At least, Zoom works on Linux
> whereas e.g. Skype for Business doesn't despite claiming to have a "Web App"?
> I am also using Zoom (not by preference, see above) and thought about ways to
> isolate it for which I basically came up with a similar list to yours. Here is
> what I did so far:
> * Zoom inside a VM works well here. I use Virt-Manager + KVM and
>   audio works flawlessly without the need for much additional configuration.
>   I only added this line to .config/pulse/daemon.conf:
>       flat-volumes = no
>   This makes sure that opening the VM does not reset volume back to 100%
>   which is dangerously loud on my sound card, see
>   <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674936> :)
> * As a fallback solution, I set up a sandbox for chromium using firejail
>   (package firejail) with a custom profile (attached for those interested).
> If you do not like the VM approach, you might consider a sandbox around
> the zoom client. Of course, it is possible to use the sandbox inside the
> VM, too. I doubt the added security of combining VM+sandbox is worth the
> added complexity, though.
> Using an entirely different system is certainly an option security-wise (if
> network isolation is considered properly), but might have some additional
> practical limitations.
Thanks for sharing the firejail profile; however, doesn't it work in the browser?
It is really hidden, though, but if you decline the software installation 2 times
in Chrome, you get a link to join Zoom via the browser. That's what I had to use a
couple of times.
The best practice is to avoid installing the Zoom Debian package at all. Btw, BBB is
also far away from a secure platform, imho.