4

I administer a number of linux servers (hosted on EC2 and linode) which provide VPN termination for thirty-odd users. I'm considering ditching my Macbook running OSX / Ubuntu in favour of setting up a server on one of the public clouds and using an iPad to access my 'computer in the cloud'. These are my assumptions :

  • A web browser + flash is probably the most risky piece of software you can run if you are concerned with security, especially on general purpose Operating Systems. Using an iPad will provide me with a reasonable level of utility while limiting the risk of exploits delivered throught the browser / flash / java. All access to my servers will use One-Time-Passwords (Google Authenticator) on a separate device (an iPhone minus iCloud or anything else that could connect the two devices).
  • a hardened linux OS instance without any GUI / browser / flash using a non-privileged user account and only sshd listening + default deny iptables (inbound and outbound) could mostly limit the potential attack surface to the big four (cloud provider / kernel / ssh / iptables). I will probably also use an encrypted home directory using LUKS or truecrypt.

Is my thinking OK?

Wr

wolfyrabbit
  • 51
  • 4
  • The easy solution to this problem is just don't visit websites on the terminal computer. You also can just not install Java and Flash on the computer also. – Ramhound Nov 13 '12 at 17:06

1 Answers1

4

Your thinking is a bit weird. When browsing the Web, however you put it, a Web browser is necessarily involved, and there is little reason to believe that the browser in the iPad would be more secure than the browser in any operating system. There are even reasons to state that it would be less secure, because on the iPad you are constrained in your choices: you must use the iPad browser, and security updates are those from Apple, whether you like it or not. You can get exactly the same level of security from your Macbook by simply running a stock MacOS X with Safari, and installing updates when Apple says so (with the automatic "software update" system). Personally I find some Linux distributions more proactive in their update mechanisms, so I tend to give a bit more trust in the security of that OS.

As for Flash and Java, well, you always have the option of not installing them. On the iPad, you do not have the option of installing either; but on any other system you can just skip them. Of course, no Flash means no Flash.

A hardened Linux server is, yes, hardened. The important thing to make a system secure is not that it is minimal but that it is maintained.

Thomas Pornin
  • 326,555
  • 60
  • 792
  • 962
  • Thanks for your answer. A few reponses - I'm pretty sure you can get Chrome and Opera for iOS. Also I'm basing my assertion that Browsing is more secure on iOS due to the sandboxing of applications, therefore if Safari was compromized then it would have to compromise the entire OS to break out of the sandbox to access data stored by other apps? Also ios exploits are top of the list in terms of price [forbes] (http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/) – wolfyrabbit Nov 10 '12 at 13:29