Cracking Open Chrome

Such is the blessing and the curse of extensions. I was under the impression that Chrome extensions were much less powerful than say, Firefox. I know what they mean though, every extension you install within Chrome warns you that they can access your data.

 

This should be interesting. Chrome OS is *nix-based.

 

It'll get a lot of attention due to it being the "untouchable" Chrome, but otherwise, the possible dangers of extensions has been known for some time. It's said these attacks can't be blocked, but, since they used cross-scripting, what about keeping javascript off? Or do Chrome extensions require it?

 

Yes, they do.

 

After I wrote that is when I decided to research it myself, lol. Thanks for confirming. It makes me curious though how Notscript ever worked then, but the more important question is, in a way, doesn't that pretty much put a dent in Chrome's status as "most secure browser"? Certainly this attack is much different than your trojans, bots and other nasties, but it's an attack nonetheless and one that seems unavoidable. From the limited information in the article, it may turn into one heck of a problem. Kind of like a social attack without the need for user stupidity or malicious processes. One thing that could help is if Google ran a quality check on submitted extensions like Mozilla does.

 

That's why I'm wary of extensions in general but there are some that are a must.

 

One, we should use as few add-ons/extensions/plug-ins/scripts/whatever (before someone jumps in with some broader term) as possible.

Two, Google's Web Store, there are extensions made by Google which we can hope are safer.

Three, as far as Mozilla's tests, I don't know how rigorous they are.

Edit: and there's this about Android:
Android browser vulnerable to "Cross Application Scripting"
-http://www.h-online.com/security/news/item/Android-browser-vulnerable-to-Cross-Application-Scripting-1317645.html-

 

What would you consider a "must"? It seems like even the web store ones are vulnerable to this, though obviously we (hopefully) wouldn't need to worry about intentional malicious extensions. As far as Mozilla, I'm pretty sure that after they revamped their addon section, they became more involved with checking them out (I think, gonna have to look that back up too as it's been a while now.).

 

It would be nice to have a topic dedicated to must-have add-ons/extensions/plug-ins/whatever along with cogent reasons for inclusion. In other words the justification shouldn't be, "It's cool".

 

My question precisely!
I am resisting the temptation to load up on extensions.
I'm only running these four.
What do you guys think about these?

 

The mods may want such a topic to be continued here: https://www.wilderssecurity.com/showthread.php?t=263095, I don't know.

 

If Adblock and Ghostery weren't among the ones crippled by the API limitation, I'd consider them among the essential. But, seeing as how plenty of trackers slip right by Ghostery and AdBlock lets a lot through too (or if it does block it once, 9 times out of ten the ad will load on a refresh of the page or upon next visit), I'm not sure I can call them useable, let alone essential. I'd either use a HOST file or, if so inclined, maybe AdMuncher for use with Chrome. I've never used the Bitdefender Quickscan, but Click and Clean might prove useful, at least for me seeing as how that annoying issue of Chrome refusing to delete data is still around in v13 Stable.

 

BitDefender ... can't you have it as a standalone rather than tied in with Chrome?

CnC: I think it's not essential if you browse in Sandboxie.

Ghostery ... I rely on the vastness of the Internet and my own insignificance as sufficient protection. Seriously, I don't bother.

AdBlock Plus ... that's a tough one and the closest to being indispensable if you don't want to use something like Privoxy.

Edit: oops ... realized you use AdBlock and not AdBlock Plus. I'd use the latter, if at all.

 

I wonder how Peerblocker would serve as an ad blocker? I never gave it much thought or paid attention, considering it was used for downloading mostly.

 

We got separate topics for Chrome, Firefox, and Opera stuff. I prefer lumping rather than splitting (... retired lazy taxonomist).

 

I know of folks who just love it. But isn't it a sort of hostfile thingie?

 

Pretty much, though the lists are updated far more frequently than most alternate hostfile lists are. I just wasn't sure if it would block ads from showing, or would just prevent them from tracking. Sounds like I need to test again, hehe.

 

It blocks IP addresses. So if a page points to an ad that has an IP address corresponding to one on the Peerblock list, you shouldn't see the ad. That's my understanding.

Anyway, I don't like lists prepared by someone else. I make up mine as I go along. I feel that's more relevant and if something breaks I don't have to go anywhere for help.

 

I'd agree that making up your own has a great benefit. No valid sites being blocked, a lot of issues go away. But, it can be hard to know exactly what to block (as far as ad servers and whatnot, how do you know where the ad is being served from?).

 

BitDefender Quickscan and Ghostery have now been uninstalled.

BitDefender, I learned the other day, is listed as enabled under plugins (as a component of Click&Clean, I believe). I then opted to install the BitDefender extension in order to be able to use it as a 2nd 3rd opinion scanner.
Realizing that I don't need a 3rd opinion, I adiosed it.

Excellent point. Now gone.

Using a combination of largely adserver host files, I was going that route for a few days when I opted for AdBlock. AdBlock seems like so much less hassle. But I'll look into AdMuncher, or AdBlockPlus.

Thank you both for your input!

 

No problem, Page. Just remember AdBlockPlus has the same limitation on Chrome, meaning not everything will be blocked, and sometimes it'll be blocked one session,a nd come through the next.

 

Well, until the mods decide what to do...

Here's my list but it's for Firefox v7 on Linux (!), not Chrome ... that's why I was hoping for just the single topic so my post wouldn't be OT.

Console² 0.8 >>> allows me to "select all" which is not available in the default error console. Helps me troubleshoot SimpleBlock
DOM Inspector 2.0.10 >>> helps get id's for "chrome" or content elements for use with Stylish.
DownThemAll! 2.0.7 >>> use it to download youtube videos
Inspect Context 1.00 >>> opens DOM Inspector to where I want it
SimpleBlock 0.0.7 >>> content blocker without a decent GUI, just a text file to be edited. Allows regex. I feel it will be less demanding on resources than AdBlock Plus. No way to prove that until processes can be monitored separately, I think. To my mind, it's very like the blocker in SRWare Iron.
Stylish 1.2 >>> for styling the "chrome" and web-pages. Changes reflect instantly unlike changes made to userChrome.css or userContent.css. It's preview feature also catches poor "grammar".
Test Pilot 1.1.3 >>> Comes with the Fox. I set it to auto. Doesn't bother me.
Ubuntu Firefox Modifications 0.9.1 >>> Disabled until I find out what this does. Anyone?

 

I'm having excellent results with AdBlock.
I mean way more than I had hoped for.
And the ability to custom block an ad on a page is ideal.
I'm using it because I read that it had less drag on system than Plus.
For now, I think I'm pretty streamlined with just two extensions.
Would you guys agree?

 

I'd say if you're running good and are having great results, I'd keep everything as is, Page