debiantu wrote: I'm ok with using Firefox ESR and older software - so with that... what else can I do for a secure desktop experience?
Older well tried and tested stable software is fine IME. Does all I want, well.
I've just been trying out Debian 9 (Stretch) installed the way I like ... where I can boot read only (frugally) or as full read/write (which I only do to apply updates). Pristine factory fresh (exact same (updated) image booted each and every time). Unknowingly catch a virus and after a reboot it's gone. Cross between Puppy Linux and Debian.
The way I set that up is to create a single HDD primary partition and format that ext3, giving it a partition label of 'persistence' and install grub4dos to that. I then grab a copy of the 'unofficial' LiveCD (I prefer LXDE for the desktop) and extract that CD's /live and /boot folders to that partition. I then extract all of the /live/filesystem.squashfs to the / folder and recreate an empty filesystem.squashfs in /live. Add a persistence.conf file to the root folder that contains / union ... and with the appropriate menu.lst entries and a few other tweaks such as setting up grub in the /boot folder you can boot either frugally or have the grub4dos menu.lst chain to the Debian standard menu.lst.
Similar to as though booting a LiveCD that's stored on HDD, but with persistence set up so changes can (with the appropriate script) be made persistent and where the same partition is used as being the boot partition, the LiveCD partition and the save partition (and where the entire operating system is in that save partition - such that it can also be booted as though a full install). I don't bother with swap; however, when I do do something heavy such as video editing, I create and activate a swap file also within that partition during that session.
I ran that LXDE Jessie through updating to Stretch and with a few other tweaks (setting it up to use aufs instead of overlay for instance as my current script to flush changes during a frugally booted session to disk is based on aufs) - and it's running great. I've been a convert to running Debian frugally (read only Puppy style) since Windows XP withdrew support and love it. Boot, play around, mess things up and a reboot has you back to clean again. But easy enough to update (boot as though full install, apply updates, reboot back to frugal again). As a desktop choice that's great IMO.
Very secure. For instance prior to doing online banking I just reboot to the factory-fresh image before going to the bank's web site (nowhere else before or after) and then reboot again.
The only downside is that when you mostly boot frugally (read-only) you have to store documents/diary etc. outside of that i.e. on another partition/disk so that changes are preserved across reboots. And import/export Firefox bookmarks if you regularly change those (I tend to just lock in my most common bookmarks into the 'factory fresh' version and store others in a document file).
Provided you only stick to the Debian repositories and update regularly (stay with the current stable i.e. security patches etc) ... that's incredibly stable and combined with Puppy style frugal running ... incredibly safe (best of both worlds).
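
A sanity check for the partition layout described in the post above, as an added example that is not part of the original post or the poster's own script. The function name `check_frugal_layout`, the mount point argument, and the use of /etc and /usr as markers for the extracted OS tree are assumptions.

```shell
# Added example: check a mounted 'persistence' partition against the layout
# the post describes, before rebooting into it.
# Usage: check_frugal_layout /mnt/persistence   (mount point is an assumption)
# Returns the number of missing pieces (0 = layout looks complete).
check_frugal_layout() {
    root=${1%/}
    problems=0
    note() { echo "MISSING: $1" >&2; problems=$((problems + 1)); }

    # LiveCD folders copied onto the partition
    [ -d "$root/live" ] || note "live/ folder"
    [ -d "$root/boot" ] || note "boot/ folder"

    # The post recreates filesystem.squashfs as an empty image after
    # extracting its contents to the partition root
    [ -f "$root/live/filesystem.squashfs" ] || note "live/filesystem.squashfs"

    # Extracted OS tree at the partition root
    # (assumption: /etc and /usr are used here as markers for it)
    for d in etc usr; do
        [ -d "$root/$d" ] || note "extracted $d/ at partition root"
    done

    # persistence.conf in the root folder must contain a '/ union' entry;
    # an entry for some other directory (e.g. '/home union') does not count
    if [ -f "$root/persistence.conf" ]; then
        grep -Eq '^[[:space:]]*/[[:space:]]+union[[:space:]]*$' \
            "$root/persistence.conf" || note "'/ union' line in persistence.conf"
    else
        note "persistence.conf"
    fi

    return "$problems"
}
```
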