It is funny that you say this because virtualized solutions are widely recognized as more secure isolation than chroot. On most operating systems chroot ships with known jailbreaking vulnerabilities. I hope you don't scare people away from using security-enhancing solutions into using less secure solutions simply by quoting the opinion of one expert who just happens to be rabidly against almost any form of security that doesn't come from having absolutely perfect code. The fact that you suggest using chroot over using a paravirtualized system seems suspicious to me because it is widely thought that chroot is flawed and paravirtualized solutions offer stronger protection. Also I am not certain if you can use chroot by itself to isolate Firefox from your external IP address, but I know you can use paravirtualization and full hardware virtualization to accomplish this goal. OpenBSD has a more secure version of chroot than most operating systems, but it is even recognized that the OpenBSD version of chroot has inherent issues which are not present if you use paravirtualization or full hardware virtualization. I will wait for a detailed technical reply from Theo regarding the inherent security risks of using full hardware virtualization before I come to my final conclusion on the matter, but even if he talks poorly about paravirtualization (which avoids many of the issues he mentions when he talks specifically about the full hardware virtualization solution VirtualBox, in the quotes you misconstrue as discussing virtualization-based isolation in general) I will still be using it because I know it is a technique suggested by a number of very skilled security researchers, with Theo being (potentially) opposed to it but also not being the final authority regarding computer security.
For example, Qubes gains much of its security by automatically putting every launched application in an isolated virtualized environment, and FreeBSD ships with jails, which also allow you to isolate applications with a layer of virtualization. Also OpenSolaris has built-in support for virtualization for security, OpenSolaris Zones. Qubes, jails and zones use virtualization that doesn't virtualize all of the hardware. Also Inferno uses virtual machines, although I am not sure which type; I don't know much about Inferno. Again, I need to hear specific security risks from Theo before I come to my final conclusion on using full hardware virtualization, but right now I am leaning against it and towards using paravirtualization / OS virtualization solutions simply from what I have heard (from Theo, from other hackers who suggest not using VirtualBox or VMware due to code complexity and incorrectness of the hypervisor) and from what I have seen (Qubes, OpenSolaris and FreeBSD use non-full-hardware-virtualization-based isolation, although I am not sure if this is for security or for the other benefits it brings). I am still not convinced that it is actually a security risk to use full hardware virtualization systems, and I doubt I will ever be convinced against using virtualization-based isolation at all. Tor knows your real IP address, so if they pwn Tor they have located you. If they can pwn Firefox they can configure it to go around Tor or use other techniques to determine your IP address, unless you take active measures against this happening. I don't think chrooting Firefox, by itself, can be used to prevent this. Explain in technical detail how to isolate an attacker who pwns Firefox from being able to determine your external IP address by using vnconfig/chroot, because I currently don't know how to do this. I will look over your solution and have some friends look it over as well. I am not saying it won't work, I'm just not sure how to do it, or if it will work.
I do know you can run Tor on a dedicated machine and Firefox on another machine with only an internal IP address though, and I think this should be able to give isolation as well. Yes, chroot on most OSes is easy to break out of, but OpenBSD has a more secure version. However, most security people I talk with suggest using virtualization techniques for isolation over chroot because of how historically insecure chroot is. This indicates to me that you don't know what you are talking about, because it isn't Tor that you should be isolating so much as it is your network-facing applications. If Tor itself is pwnt you are fucked no matter how many layers of isolation you are using. I can agree with this to an extent; I use the command line for most things now. I only use the command line for servers. X is insecure, but there are various isolation tricks you can use. Qubes offers X isolation. You can also get your own X isolation by using virtualization. BTW, OpenBSD with X Windows is just as insecure as any other OS: if a single application is pwnt the attacker can EOP to root because there is NO GUI ISOLATION WITH X WINDOWS. The attacker can spy on ALL of your keystrokes and steal your password when you su to root in a windowed terminal. This can be fixed by using virtualization. I wonder if Theo is aware of this. This is cherry picking. There are numerous security experts who are strong advocates of using virtual machines for isolation. I am not certain if they would advocate the use of full hardware virtualization though (I will ask, and I also eagerly await some technical details from Theo explaining how full hardware virtualization is not only completely worthless but also horribly insecure), but I know the FreeBSD devs and the Qubes devs and the OpenSolaris devs and the seL4 devs are advocates of using virtualization for isolation. So are many other security experts.
You have a biased opinion on virtualization-based isolation if you are basing your opinion only on what the OpenBSD devs say. They are very against virtualization and imo seem to be against security via isolation in general, instead hoping that you use *only* code that has been audited by them for the past decade, because *only they* know how to write anything that isn't totally insecure shit. First of all, things are not as cut and dried as you make them seem. There are numerous people who are widely recognized as security experts who advocate the use of virtualization-based isolation. I may have fucked up by advocating for full hardware virtualization over / in addition to other sorts though; I need to do a little more research on this before I come to my final conclusion. Anyway, the three primary 'philosophies' of computer security are correctness, isolation and randomization. OpenBSD devs are religiously committed to security via correctness (although they do have very sophisticated randomization systems, and have had them before pretty much anyone else, and they do have two tools for isolation, but none of them use virtual machines or MACs). Others prefer security via isolation, knowing that only formally verified software is perfectly correct, that very very very little software has been formally verified, and that randomization can't protect from everything. It is a lie to say that any developer will immediately tell you Theo is right about this; many will immediately tell you that he is wrong, actually. Most of the people who are big on security via isolation will tell you that he is wrong.
Ask the Qubes devs or the FreeBSD devs or the OpenSolaris devs or the seL4 devs. I will concede that using full hardware virtualization MAY not be the best solution; it may be better to use other sorts of virtualization which will avoid all of the potential (although unsubstantiated and unexplained in technical detail) problems that you/Theo have brought up (well, IOMMU is also needed to fix some of them). I need to do more research before I conclusively say that full hardware virtualization should be abandoned in favor of using other sorts exclusively. I personally am not convinced that you know what you are talking about and are not cleverly cherry picking opinions of certain people (none of which have yet said anything about anything other than full hardware virtualization, and I am not even sure I agree with his opinion on this yet; I need to hear technical details and I need to talk with other security professionals, including people who are fans of security via isolation) in an attempt to scare people away from more secure solutions. For one, I don't think anyone other than maybe the OpenBSD devs would suggest using chroot for isolation over using jails, for example. I will concede that you / Theo may be correct about the risks of full hardware virtualization though; I just need more time to research the matter. I also already know that the potential risks will not apply nearly as much, if at all, to other virtualized isolation solutions as they will to full hardware virtualization solutions. Also I have heard from one hacker who I respect that breaking out of full hardware virtualization is actually more difficult than breaking out of other types of virtualization... I will ask him for his opinion on this issue as well.
Essentially I need to do more research on this before I can make a more educated and conclusive reply to Theo's comments on full hardware virtualization, but in short I am not sold on what he says, and even if he turns out to be correct, what he is talking about will apply much more strongly to full hardware virtualization than to other sorts. edit: fixed technical error in what I wrote calling some systems that are not paravirtualization paravirtualization. Again, I am not an expert on virtualization and wish I had a few days' worth of free time to read up on it in depth before I made a reply to this thread.
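The two-machine setup the post mentions (Tor on a dedicated gateway, the browser on a second machine that only has an internal address) is what actually takes the browser's real IP out of reach, and the part that enforces it is the gateway's packet filter. The OpenBSD pf ruleset below is an added example, not something from the post or from the Tor project; it assumes em0 is the gateway's external interface, em1 faces the workstation network 10.0.0.0/24, tor runs as user _tor, and torrc sets SocksPort, TransPort and DNSPort on 10.0.0.1 at 9050, 9040 and 5353 respectively (all of these are placeholders).

```conf
# pf.conf on the dedicated Tor gateway (added example; interface names,
# addresses and ports are assumptions, see the lead-in).
ext_if = "em0"
int_if = "em1"
ws_net = "10.0.0.0/24"
gw_int = "10.0.0.1"

set skip on lo
set block-policy drop

# Default deny in both directions. Every allow below is explicit, so a
# compromised browser on the workstation has nothing to fall back to.
block all

# Applications that speak SOCKS (a correctly configured Firefox) talk to
# tor directly on the SOCKS port. Listed first so the rdr rules below do
# not rewrite it.
pass in quick on $int_if inet proto tcp from $ws_net to $gw_int port 9050

# Everything else the workstation sends is forced into tor: DNS lookups go
# to DNSPort, any other TCP connection to TransPort. A browser that has
# been reconfigured to "go around" the proxy still ends up inside Tor.
pass in quick on $int_if inet proto udp from $ws_net to any port 53 \
    rdr-to $gw_int port 5353
pass in quick on $int_if inet proto tcp from $ws_net to any \
    rdr-to $gw_int port 9040

# Only the tor daemon itself may originate traffic on the external
# interface; nothing is ever forwarded from em1 to em0 unproxied.
pass out quick on $ext_if inet proto tcp user _tor
```

To check the rule set is doing what it claims, run `tcpdump -ni em0` on the gateway while using the workstation: every outbound packet should be sourced by the gateway's own address towards Tor relays, and nothing sourced from 10.0.0.0/24 should appear.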