Using Chromium's feature to get Noscript like functionality

Well, as some members have pointed out, they are playing with different Chrome profiles (e.g. M00NBL00D). So here are some tips for Privacy and Security (yo

Lately I have helped someone to secure his PC (adding a decent Router a NAS for data backup and Keriver-1-click image restore). They had some PUP installed and the PC was brought to a crawl with all the install/de-install PUP's. The lady of the house is a friend of my wife. So I had installed this 'hardware' and their old programs again without seeing the man of the house. You all know my opinion on using FireFox on Vista or Windows7 (on XP I have no problem with FF). So I had replaced FireFox (and Noscript stuff) with Chromium with different profiles (for HIM and for HER). After installing this, we were asked for a drink. The man of the house told me with a big grin he had improved security on their Win7 setup by installing FireFox with NoScript

So I asked, really?, could you show me how? He proudly went to their study room to show me. Only reason for installing FF with Noscript, Panic and Better Privacy was his surfing habits. I opened the firewall log and told him I had beter options for browsing these sites.

Default
Using the default profile (for HER), add it to your taskbar (properties "[YOUR LOCATION]\chrome.exe" --profile-directory="Default" /prefetch:1)

Added LastPass for storing passwords, added bookmarks menu for quick access to bookmarks, added new tab behaviour for redirecting to homepage in stead of newtab, set www.google.nl for home page.

Advanced settings Other
- Deselect all settings of "Paswords and Forms "
- Deselect "Offer to translate pages ......"
- Select "Check for server certificate revocation"

Advanced settings Privacy
- Allow local data to be stored for current session only
- Block third party-cookies and site data
- Clear cookies and other site and data-plug-in when I close my browser

Advanced settings Privacy - button Manage Exceptions
Add "HTTP://*' Allow, change afterwards in "Block"
[This practically disables tracking cookies, allow on per site basis if nessecary, added plug-in Search Engine Security as only extension]
Add "HTTPS://* 'Allow, Change afterwards in "Session only"
[You need to allow https cookies for internet banking etc, with this manual exceptions cookie acceptance is more granular]
See pic below


Stealth Mode as a replacement for NoScript / ScriptNo
Create a new short cut, with properties [YOUR LOCATION]\chrome.exe" --profile-directory="Stealth" /prefetch:1). Start Chrome using this shortcut.
Create a new user. Click on new user, choose Edit, change name into "Stealth" and choose an icon, save it. You can delete other users (keep the default "First User") Add a shortcut to start menu (you can give it another icon, e,g, the one found in the profile directory Stealth). Properties of the shortcut are:
"[YOUR LOCATION]\chrome.exe" --profile-directory="Stealth" --incognito


Added Startpage search engine and set Startpage (allowing XXX content) as his home page (https://startpage.com). At settings make the correct choices, choose generate URL and copy this URL to your homepage.

Advanced settings Other
- Deselect all settings of "Paswords and Forms "
- Deselect "Offer to translate pages ......"
- Select "Check for server certificate revocation"

Advanced settings Privacy
- Block sites for setting any data
- Block third party-cookies and site data
- Clear cookies and other site and data-plug-in when I close my browser

Advanced settings Privacy - button Manage Exceptions
Add "HTTP://*' Allow, change afterwards in "Block"
Add "HTTPS://* 'Allow, change afterwards in "Session Only"
Add "FILE:///* 'change to Block"

Advanced settings Privacy - JavaScript
Choose "Do Not Allow Sites to run Javascript"

The good thing about incognito is that you can choose to allways allow a site to run javascript. After restarting Chromium incognito again, these "allways allow" values are thrown away with other data.

Advanced settings Privacy - Plugins
Choose "Click to Play"
The good thing is that all the flash advertisements won't run.

Note before flash movies will play, you often have to allow javascript for a site first (signs appear in Chrome window, see picture bottem), then click on the flash movie you want to see. The incognito mode won't save these setings so these allow allways settings won't last/survive restart of Chromium

Add Norton (choose A) DNS and Default Chrome Phising and Malware protection and your are fine, you can check Chrome's effectiveness at Malware Domain List and Norton's at Malc0de database.

Regards Kees

 

Now for those less afraid of security breaches, but more concerned for privacy issues, there is another option (my current setup, credits to M00NBl00D though). Title is not correct, this setup is a replacement for track me not and flash block extensions (specially flash ads). With the two profiles I can easily switch between Privacy mode (incognito) and normal browsing. Write protect user profile would have also stopped the latest Pawn2Own chrome breach As said this double user profile usage (and write protecting one of them) was an idea of M00NBL00D.

1. Normal browser user profile
- allows Session only cookies for http
- allows All cookies for https

2. Privacy browser user profile
- an exact copy of my normal browser profile, only changed Google for StartPage as home page and search engine
- set plug-ins on click to play (less flash ads)
- ONLY I HAVE TAKEN AWAY "CREATE FILE/WRITE DATA" RIGHT FROM USER (ACL restriction), this way it does not write cookies etc, works as incognito mode on steroids. Because Chrome works with incognito mode, Chrome does not crash. See pic, Right click folder with user profile (Privacy in my case), choose tab security, choose advanced, choose EDIT of username, add a deny Create Files / Write Data (close by choosing Apply, OK, OK)

 

Regarding JavaScript, and this also applies to security and not just privacy, you can restrict JavaScript to specific top level domains, such as nl. For instance, considering you're from the Netherlands, you could allow to [*.]nl and [.*]com. Sure, there's still an open window for exploits requiring Javascript coming from those top level domains, but by allowing only those you're also decreasing exploits that require JavaScript by a lot, considering you're blocking all others.

So, for those users who simply do not want to be bothered with having to allow JavaScript in a per-site basis, you can enable it only for specific top level domains. Not the perfect solution, but it sure will help quite a bit. It sure is better than having it globally enabled for all top level domains.

-edit-

The approach for Javascript will also work for cookies, plugins, etc., of course.

 

Smart.

 

@Moonblood

Had not thought of the top level domain rules.

Also using ACL to protect your profile (your trick) works really well. I have two profiles, one for normal browsing and one for tricky browsing, with the tricky browsing profile being read only. Surprisingly (problably due to Chrome's inprivate mode) a forced inprivate with ACL does not seem to crash the browser, it works without a glimps running in 'hardened pseudo incognito mode', thanks for the tips

 

I set Javascript and Plugins to this list:


It obviously allows for a ton but that's fine by me as I have a ton of other stuff implemented. If I'm redirected or a website is hacked and there's a .cn or .nl domain or whatever I should be ok.

 

This is what i've been doing for ever now! It works so well (even better than NoScript). I use this along side apparmor and seccomp.

 

Interesting. I didn't know Chrome could handle blocking by tld like that. Makes me rethink my script blocking methods. I think combining custom javascript rules with a script blocking extension would be the most thorough. ScriptNo is the only current NoScript-like Chrome extension available in the web store. It blocks by referencing hosts files and does a few other neat but gimmicky things like referrers and ua string spoofs. Among those hosts files, there's about 130,000 .com domains that are blocked.

I'll try a js policy similar to yours Hungry Man, but I'll keep ScriptNo going too. I wonder how much overlap there is between those hosts files and Adblock Plus/Fanboy/Easylist/Adversity.

 

AdblockPlus is not meant to used like host files are, but a good percentage of ad servers (as most of those host domains in ScriptNo likely are...blocking malware hosting in that manner is useless) will overlap between the two methods. Honestly white-listing certain domains (.com, .net, .gov, etc) is a much easier and quite thorough approach, along with a few lists in AdBlock/AdBlock+. Anything else and you start risking performance issues.

 

I couldn't edit this post, so I'm quoting myself.

I mentioned this would also work for cookies, and it does; but, unfortunately, if we block all cookies, third-party cookies included, and then allow cookies for specific TLDs, then Chromium/Chrome won't respect the Block third-party cookies and site data option, which means that all third-party cookies ending in the specified TLD will be allowed. I thought it would respect this option, but it apparently doesn't.

 

In Chromium or Firefox? If with Firefox, which extension do you use? After a long time, I'm trying Firefox again, but unfortunately there's no built-in mechanism to handle JavaScript, etc., like Chromium has.

 

Yes, there is.

EDIT: BTW, if it's correct what I wrote here Chrome is not yet the proper browser for me.

 

Thanks! I'll give it a look.

I'll have to check that out.
But, do you mean that, and let's imagine I visit -https://www.pcworld.com, and I enable JavaScript for it. PCWorld website containts third-party content. Are you saying that if I visit one of those third-party domains, then JavaScript will be automatically enabled for those as well?

-edit-

I think I understand what you mean. You're saying that not only will scripts from within the same domain be called, but also third-party scripts. I get that now. Yes, I agree that it would be great to only allow those from *.pcworld.com (in my example), but not from *.otherdomain.com. As it is now, if we enable for *.pcworld.com, then we're globally allowing JavaScript for any script in the source code, regardless of where it comes from. Hopefully they can change that. I wonder if anyone has ever complained about it. I never really gave it much thought. lol

 

By the way, sometime ago I did find an extension named Cross-Domain Request Filter in Chrome Web Store. Unfortunately, it doesn't block those requests automatically. You need to do it manually, so it's kind of useless at the moment. Great news is that, it actually works as it says - it does block communications, after you block them.

-https://chrome.google.com/webstore/detail/ggdfifojddnlfciogdedpldahnbnjmhd/details

This extension has potention, so I hope the author decides to work on it.

 

Yes, that's what I mean. And I find that unacceptable. It means, e.g., that you also automatically allow any trackers once you allow JS for a specific domain. So you have to rely on your adblocker/hosts file to block them. Again, that's definitely not the degree of control I expect from my browser.

ScriptNo handles that differently but it's unreliable (as mentioned in my post). And, of course, Noscript handles it the way it should be. So the situation might change once Noscript will be available for Chrome.

 

I agree; but, unfortunately it's not specific to Chromium. It happens with all of them.

Sadly, it seems that the Chromium's extension developers forgot to improve theirs. Who knows if NoScript will change that... Time will tell, for sure.

 

@ tlu and others

I found an extension that works similar to Request Policy. -https://chrome.google.com/webstore/detail/lfopjlendebbnfddpgpoaahmpbgmffii

KISS Privacy. Based on my quick test, it does prevent connections from happening. The UI is not that pretty, though.

So, I wonder when Cross-Domain Request Filter will also block third-party connections from happening, in the first place. This extension is better looking.

 

Agreed I had tried that extension before and wasn't overwhelmed. One irritating problem is that it subsumes subdomains under domains. Consequently, you have to allow any request from one subdomain to another. That's not configurable, AFAIR. Nerve-racking

EDIT: Sorry, it IS configurable!

 

Damn! I was about to reply, when I saw the edit. Yes, it is configurable, and I have it blocking within the same domain, because I visit some blogs that load bars from the service they use. I dislike them. Other than that, pretty cool.

So, I suppose that with this extension Chrome is one step closer from being more regularly used by you? On the other hand, I like the direction Firefox is taking (Nightly builds)... I just wish it could have some built-in functionality, as Chromium has. It does have extensions, so... not a big deal.

 

@TLU, M00NBl00D

Thanks for the chrome extension tip KISS. I have set the cross domain filter on clear for NO matching filters (in stead of default pass) in Advanced Options, works really well.

 

You're welcome. I also have it configured like that. I'm trying a different approach, though. I'm going to create a list of all web sites I regularly visit, and the connections they need to properly work, and then will make use of the command line switch --host-rules to make a more strict profile. At the moment, it isn't as strict as it could be. I'll still be using KISS Privacy, but by doing what I'll do, I'll be preventing any connection to malicious websites. Except hacked websites...

I think I've found an extension that could do what KISS Privacy does, but I don't recall where I saved the information about it; will have to find it, so I know which extension it is, and how it fairs. I found it outside of Chrome Web Store.

 

Maybe referer control? https://chrome.google.com/webstore/detail/hnkcfpcejkafcihlgbojoidoihckciin

 

No, that one only controls referrers. I found it, though. -https://github.com/unindented/whitelist-chrome

It's not like KISS Privacy, but it should help achieve the same I did using --host-rules switch, though.

I also found another one at Chrome Web Store. -https://chrome.google.com/webstore/detail/ekdgbodaoampohmhmecigaomnjppbplb

I haven't tried any of them yet.

 

So, I used --host-rules to allow access only to websites I want; everything else is blocked. Sadly, it's ineffective for ftp://.

I'm wondering if there's a way to control ftp access in Chromium, without a firewall.

-edit-

I don't know how I forgot about it, but it should be possible with Policy Lists. Specically with both -http://www.chromium.org/administrators/policy-list-3#URLBlacklist and -http://www.chromium.org/administrators/policy-list-3#URLWhitelist.

With URLBlacklist, we can have 1 entry blocking all, and with URLWhitelist have the entries we want to allow. I suppose one shouldn't overload the Registry, though. lol But, it should filter FTP as well, according to this: -http://dev.chromium.org/administrators/url-blacklist-filter-format

 

Chrome doesn't remove session cookies when using referer control or https everywhere.