Firefox with NoScript vs. Chrome?

Yeah, scriptno seems pretty good. And Adblockplus works perfectly fine if you're using the experimental builds.

 

If you use ScriptNo you should use the experimental builds, which use the WebRequestAPI

http://code.google.com/p/scriptno/downloads/list

 

Chrome with ScriptNo probably wins. Not that it matters with Sandboxie. Thanks for sharing that extension though.

 

They can both use Sandboxie though. And Sandboxie is not a catch-all one hit wonder with no vulnerabilities and a perfect record.

Using ScriptNo now. Pretty cool.

 

Apparently all of these are blocked. Does NoScript have this?

 

Closest I've ever seen, especially after restrictions. I'll bet it's stronger than Chrome's.

 

I forgot all about ScriptNo. It looks good.

EDIT: I gave it a bit of a trial in Iron. I couldn't seem to make it block scripts. Technically it shouldn't let me write this. Tried it on Chrome portable. I think I 'broke' it when I moved its position on the GUI. Nice try ScriptNo ... but no cigar.

 

You need to enable Experimental Extension API in aobut:flags.

 

OK, I'll have a look at that, thanks.

EDIT: It still doesn't work for me. It's a shame as it looks like it has great potential.

 

No real way to test that. Especially since they attempt to do different things.

EDIT: I had a longer post but I don't actually think I need to start a sandboxie v chrome thing.

 

I'm trying out ScriptNo. Did a basic test; went to YouTube. It was on default block and the movie didn't load. I approved the site, refreshed and it started up. Tried that with some scripts on a few other sites, and it looks like it worked. I'm going to try this out for a while. NoScript functionality was the main reason I kept going back to Firefox.

 

It's not as straight forward as noscript. There's "allow" but also "trust" and I'm not sure I know the different lol I just use "allow" because "trust" seems to be a lot more... trusting.

 

Does NoScript have this function?

I can't tell if it's working. I tried a two from malwaredomainlist and it didnt work.

 

I think Trust is site-wide while Allow is just this page. I don't know, I end up checking both honestly.

I don't think NoScript blocks based on host files.

 

Can you explain why?
Thanks.
Hugger

 

It needs the new rights in order to function properly under Chrome (which gave limited power to extensions).

 

I am hoping that Sanboxie is more than sufficient for replacing any of the NoScript type of addons because that is what I have done.

 

That's what I've done as well.

 

J_L, that's not quite right.

There are no new rights given. The WebRequestAPI is still in development.

 

It's much of a muchness really. I don't think it matters so much which browser is 'better' or 'safer' - someone securing their system should recognise the holes, and plug them themselves. Neither browser will fully protect someone from themselves, but both try.

I'd started out thinking Chrome, but I've realised Firefox with NoScript is actually stronger overall for a competent user when you take into account extensions and clickjacking. The average user is probably safer with Chrome though.

When it comes to Phishing protection, both compare URLs entered to phishing databases. I've seen various comparisons between phishing databases, and it really depends on the day as some reviewers have pointed out.

Chrome handles out-of-date plugins better than Firefox, as it will automatically disable an out-of-date plugin when a website calls for it to be used. Firefox will check for out-of-date plugins and alert the user, but it doesn't prevent their use. Occasionally Mozilla will act to disable vulnerable plugins (and extensions) at times, but this is a reactive approach. Third party plugins are the most commonly exploited components of browsers.

Firefox has a much safer approach to Extensions, as Mozilla checks all the extensions they host for security issues, which is something Google neglects to do. Some commentators expect this will be a big issue in time to come.

When it comes to exploit protection for drive-bys, both are roughly equal - but NoScript depends on the competence of the user. Edit: I may have been too hasty in making the following statement: "Chrome doesn't allow exploits to affect the system even when an insecure plugin is present and explicitly allowed by the user to run." NoScript when configured properly should prevent the exploit script from running in the first place. If not, then Firefox has little in place to stop the exploit working other than the 'malware page' warning. With software fully up-to-date, one is much less likely to be exploited either way.

NoScript gives Firefox ClickJacking detection, which AFAIK Chrome lacks.

Trojan downloads are much of a muchness. Both parse the links with their databases, and will have the antivirus scan the download. Not an issue for any competent user.

As Browserscope shows, there's many other security aspects. Usually Chrome is ahead in overall security features mentioned on browserscope. What this means in the real world is anyone's guess.

Chrome's strongest feature is the sandboxing, as well as the default deny for out-of-date plugins. Firefox is far safer with extensions, and as stated NoScript when used correctly should block any exploit kits or malvertising, as well as expose clickjacking.

 

Great summary RJK3!

You stated that "Chrome doesn't allow exploits to affect the system even when an insecure plugin is present and explicitly allowed by the user to run." Is this accurate in the case of Java though?

 

Thanks MrBrian

I couldn't successfully exploit Chrome with an out-of-data Java plugin when I tried versus a Blackhole Exploit Kit, while I could with Opera, Firefox, and IE9 using the same version of Java. Also the various exploit kit statistics (Phoenix, Blackhole) suggest that Chrome has been uniquely unaffected by exploit kits, so my personal testing was just validation rather than conclusive in itself.

Maybe there's a way to exploit Java in Chrome that the exploit kits I've seen don't use?

 

See https://www.wilderssecurity.com/showpost.php?p=1831563&postcount=43. For Chrome vs. exploit kit stats please see hxxp://2.bp.blogspot.com/_Mcy4oUq8gAQ/TIfUBOy84oI/AAAAAAAAAYM/O89CS9O359I/s1600/advance-stat.png.

I don't know of any theoretical reason why Java in Chrome couldn't be exploited (after the user has given permission for Java to run).

 

Besides exploits, there are also other reasons why it's desirable to not have potentially malicious scripts run.

 

In terms of security, now that Chrome has NoScript I can't really see any possible way in which Firefox can be considered more secure.

Me either.

I think this only applies to when Java is denied permission. While the exploit may still attempt to run in other browsers Chrome will stop it dead once you deny permission.

On second thought Firefox's extensions are potentially more secure because of the vetting process.