Based on the given links and comments I could not decide on a clear course of action. If only we'd have continuous builds of Chromium in the Ozone-Wayland implementation. Buying a Chromebook may not be the worst idea after all. At least this sounds promising:

https://youtu.be/4PflCyiULO4?t=2h31m32s
https://docs.google.com/document/d/1WPdUbaJ6_UVxsJ6hLnDpGR-eMvS6j-0tF_TZ62DMtT0/edit?usp=sharing

Or maybe I'll decide on a read-only filesystem, which is inconvenient and unsuitable for me and my two simple little laptops running 'n rolling Arch.

Maarten Baert wrote (in 2014):
> As long as Wayland isn't used together with some
> form of sandboxing, holes in the underlying system
> won't protect you from keyloggers.

As an amateur, it is hard for me to identify likely attack vectors. I would like to see a package with a ran{somware,domness} detection daemon in the official repos, and learn more about machine learning security models.

Have there been cases of X client mimicry or clickjacking? I'm sure a compositor doesn't care about that. I'm particularly cautious about GUI clicking... I often look at the source of a web page, or use a browser extension that allows me to automatically scrape the target url, as opposed to clicking, which could trigger anything beyond control. So I'm not sure about the idea presented here:

http://mupuf.org/blog/2014/03/18/managing-auth-ui-in-linux/

Steve D. Lazaro wrote:
> It’s important to separate authentication from
> authorisation so that spoofing does not compromise
> valuable tokens. (...) An authorisation token is
> typically a one-time use object generated by
> a trusted authority (the compositor) and used by
> the system controlling access to privileged
> interfaces (the WSM). Such tokens can be
> distributed by having the user interact with an
> authorisation UI controlled by the compositor.

I've written down a silly idea (off topic) in a gist: "Can password typing in the browser be made less obvious for a keylogger?"

https://gist.github.com/sharethewisdom/062da46347c93f778e0fae8d30e87090

I've been unsharing and chrooting for a while. I think I'll symlink most of my configs to a read only folder, owned by a 'myname.conf' user, and I'll try and read more about SELinux, MACs etc.

cheers,
Bart