Wilders Security Forums  

  #1  
Old August 15th, 2012, 02:48 PM
Gnikf Gnikf is offline
Infrequent Poster
 
Join Date: Aug 2012
Posts: 40
Default Chrome - security/privacy extension

Since there is a thread about Firefox, let's see what analogs we've got for Chrome.

I would start with
Use HTTPS - even if right now it works just for Facebook and Twitter out of the box
  #2  
Old August 15th, 2012, 04:35 PM
Pinga Pinga is offline
Frequent Poster
 
Join Date: Aug 2006
Location: Europe
Posts: 941
Default Re: Chrome - security/privacy extension

I thought you'd never ask!

http://www.wilderssecurity.com/showthread.php?t=263095
__________________
The really important kind of freedom involves attention, and awareness, and discipline, and effort, and being able truly to care about other people and to sacrifice for them, over and over, in myriad petty little unsexy ways, every day.
- David Foster Wallace
  #3  
Old August 15th, 2012, 05:26 PM
Ring0 Ring0 is offline
Regular Poster
 
Join Date: Aug 2010
Posts: 66
Default Re: Chrome - security/privacy extension

HSTS is HTTPS Strict Transport Security: a way for sites to elect to always use HTTPS.

Typing chrome://net-internals/ into your address bar, and then include HSTS menu item.

Add domain (example.com) paypal.com, google.com, ......

To delete: Delete domain (example.com) paypal.com, google.com,......
__________________
We secure the world ;-)
  #4  
Old August 15th, 2012, 05:39 PM
Kees1958 Kees1958 is offline
Massive Poster
 
Join Date: Jul 2006
Posts: 5,857
Default Re: Chrome - security/privacy extension

Quote:
Originally Posted by Ring0
HSTS is HTTPS Strict Transport Security: a way for sites to elect to always use HTTPS.

Typing chrome://net-internals/ into your address bar, and then include HSTS menu item.

Add domain (example.com) paypal.com, google.com, ......

To delete: Delete domain (example.com) paypal.com, google.com,......

Simply brilliant find, thx to one who searches
  #5  
Old August 15th, 2012, 07:11 PM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,550
Default Re: Chrome - security/privacy extension

Quote:
Originally Posted by Ring0
HSTS is HTTPS Strict Transport Security: a way for sites to elect to always use HTTPS.

Typing chrome://net-internals/ into your address bar, and then include HSTS menu item.

Add domain (example.com) paypal.com, google.com, ......

To delete: Delete domain (example.com) paypal.com, google.com,......

That built-in function isn't that useful. First, for security reasons, whatever you add to it will only be valid for as long as the session lasts. Second, if you add a *.domain to it, then it will force every sub-domain. Many domains' sub-domains do not have a working HTTPS version, hence it will result in an error.

We're better off with something like HTTPS Everywhere/similar.
  #6  
Old August 16th, 2012, 05:06 AM
Gnikf Gnikf is offline
Infrequent Poster
 
Join Date: Aug 2012
Posts: 40
Default Re: Chrome - security/privacy extension

Quote:
Originally Posted by Pinga


This thread seems to be for all kinds of plug-ins and is from 2010.
Let's focus on security/privacy ones here.
  #7  
Old August 16th, 2012, 10:08 AM
Ring0 Ring0 is offline
Regular Poster
 
Join Date: Aug 2010
Posts: 66
Default Re: Chrome - security/privacy extension

Quote:
First, for security reasons, whatever you add to it will only be valid for as long as the session lasts.

I'm sorry, I thought you knew, you can make your *.json file, or download this and add your *.domain manually.
http://code.ohloh.net/file?fid=CL0Ms...rowser=Default

Quote:
Second, if you add a *.domain to it, then it will force every sub-domain. Many domains' sub-domains do not have a working HTTPS version, hence it will result in an error.

No, if Include subdomains: not checked = include_subdomains:false
__________________
We secure the world ;-)
  #8  
Old August 16th, 2012, 11:19 AM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,550
Default Re: Chrome - security/privacy extension

Quote:
Originally Posted by Ring0
I'm sorry, I thought you knew, you can make your *.json file, or download this and add your *.domain manually.
http://code.ohloh.net/file?fid=CL0Ms...rowser=Default


Yeah, I think I came across an example like that before. But, I believe the security principle behind it is the same. There's a good reason why HSTS doesn't keep entries beyond Chrome's session. I've read a thread over on Chromium's own forum some time ago; will have to see if I can find it again.

I don't think having a JSON file would change that security risk?


Quote:
No, if Include subdomains: not checked = include_subdomains:false

You're right, but if we do check the Include subdomains: option, then it will force all subdomains to default to HTTPS, and many websites' subdomains do not have an HTTPS version, and the user will have to manually remove each entry that may be necessary.

To have all this trouble, I'd rather - and I do - use HTTPS Everywhere, and add any additional rules to the settings file, by creating regexes.

Another good extension, for those not wanting to edit HTTPS Everywhere rules settings file, is Redirector.
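
Added example, not part of any poster's message and not Chrome's own code: a small model of the HSTS host-matching rule argued over in posts #5 to #8, showing that a parent entry only forces subdomains to HTTPS when include_subdomains is true. The hashed key layout, the "mode" field and the sample entries are assumptions made for illustration; the matching follows RFC 6797 rather than any particular Chrome version.

```python
import base64
import hashlib


def dns_form(host):
    """Lower-cased, length-prefixed DNS label encoding of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_for(host):
    # Assumed key scheme: base64(SHA-256(DNS-form hostname)), so the stored
    # file does not list domain names in readable form.
    return base64.b64encode(hashlib.sha256(dns_form(host)).digest()).decode()


def build_store(entries):
    """entries: iterable of (domain, include_subdomains) pairs."""
    return {key_for(domain): {"mode": "strict", "include_subdomains": sub}
            for domain, sub in entries}


def forces_https(store, host):
    """True if host is upgraded: exact entry, or a parent with include_subdomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = store.get(key_for(".".join(labels[i:])))
        if entry is None:
            continue
        # i == 0 is the host itself; any i > 0 is a parent domain, which
        # only applies when its include_subdomains flag is set.
        if i == 0 or entry["include_subdomains"]:
            return True
    return False


# Constructed sample: one entry with the box unchecked, one with it checked.
STORE = build_store([("paypal.com", False), ("example.com", True)])

if __name__ == "__main__":
    for h in ("paypal.com", "www.paypal.com", "example.com",
              "static.example.com", "example.org"):
        print(f"{h:22} forced to HTTPS: {forces_https(STORE, h)}")
```
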
  #9  
Old August 19th, 2012, 12:59 AM
ComputerSaysNo ComputerSaysNo is offline
Very Frequent Poster
 
Join Date: Aug 2012
Posts: 1,086
Default Re: Chrome - security/privacy extension

HTTPS Everywhere (still in alpha stage)
ScriptNo
Adblock Plus + Adblock Element Hider
Ghostery
Do not Track Plus
User Agent Changer (About 10 different ones available if you search)
VirusTotal uploader
Dr Web Link Checker
AVG Link Checker
  #10  
Old August 19th, 2012, 12:38 PM
Ring0 Ring0 is offline
Regular Poster
 
Join Date: Aug 2010
Posts: 66
Default Re: Chrome - security/privacy extension

Quote:
Originally Posted by m00nbl00d
Another good extension ......

Configuring hsts data, I find this way sexier.

When using private browsing mode, hsts won't record any new hsts data.
When you choose "Clear browsing data" and "Empty the cache" is checked, hsts data will be erased (TransportSecurity-file) from your profile.

To prevent this, find > profile > "TransportSecurity" file and set attributes: read only, after you have imported all desired *.domain.
__________________
We secure the world ;-)
 

All times are GMT -4. The time now is 01:47 AM.

