Google Chrome extensions

Discussion in 'other software & services' started by Saraceno, Jan 17, 2010.

  1. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,440
    Location:
    Slovakia
    It works. Thank you.
     
  2. tlu

    tlu Guest

    I've been using it for a couple of months without any problems. A scientific paper that explains how it works and compares CsFire with other approaches like RequestPolicy is definitely worth reading.

    EDIT: Its home page provides more information.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Thanks for sharing it!

    This extension was (still is) in my todo list. :D There are just way too many great extensions/userscripts to be tested! It just never ends... :argh: :D
     
  4. Efectiveness
    @TLU - I noticed that in the remote policies a payment service of Ogone is mentioned (which is also active in the Netherlands)

    Any GET request
    from https://secure.ogone.com
    to any site
    will be ACCEPTED

    This is quite a disappointment that this unsecure GET has to be allowed in the first place, so best practices still apply:

    I am back to safe HEX practices. It is a real disappointment that plug-ins like NoScript and CSFire increase security of secure POST messages when at the same time a stupid payment service requires those plug-ins to lower its defense by enabling unsecure GET messages to enable a payment transaction ( :thumbd: Ogone :thumbd: )
     
    Last edited by a moderator: Jun 16, 2013
  5. tlu

    tlu Guest

    Yes, I noticed that.

    Well, I'm not familiar with Ogone. But if using Ogone doesn't work without such an exception, I'm afraid that "safe HEX practices" won't help if someone depends on their service. ;) In any case, I don't think that this is a point against CsFire.
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    So is Csfire extension worth using? How about just banking with no other tabs open and using the OWASP recommendations?

    I'm using Chrome with policy enforcement found here and only ABP extension.
     
  7. tlu

    tlu Guest

    According to the paper I mentioned it makes sense. You might also try out Site Isolation by using the command-line flag

    --enable-strict-site-isolation

    I've been using this flag for a couple of days (only) and haven't run into problems so far.

    The second flag mentioned on that site seems to be more problematic and I haven't tried it yet.
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Okay thanks tlu!
     
  9. The thumbs down are on Ogone, not on CsFire. Thx IE10 offers more options to close leaks in the browser, Trusteer Rapport also does a decent job, but CSfire has way less impact on browser and also works on Chromium (Trusteer not).

    Running Chromium with --no-referrers --enable-strict-site-isolation command switches (thanks Thomas)
     
    Last edited by a moderator: Jun 19, 2013
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The following extension has been mentioned before (in one or other thread in the past), but it has never been mentioned in this Google Chrome extensions thread, so I thought of remembering about it, especially if newcomers are checking this thread for extensions to look for.

    It's KB SSL Enforcer, and it's similar to HTTPS Everywhere, but this one will automatically detect if the website you're visiting supports HTTPS and will automatically redirect you to it. It's a nice companion to HTTPS Everywhere, because this way, those wanting, can then create rules for HTTPS Everywhere (manually, of course).

    You can find the extension at Chrome Web Store.

    There's one other extension, SKN SSL Enforcer, which allows to create rules from within its options, but unfortunately it won't let us import HTTPS Everywhere rules, judging by the looks of it.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I've been using both Abine Donottrackme and Nimi Web Cleanser. The latter blocks ads and trackers using heuristics (regular expression patterns); it requires a bit of work (due to possible false positives), but together with Abine's extension uses less RAM than ABP alone. Considering that I don't have much RAM. :argh:

    I'm also looking into Userscripts that block ads/trackers and see if I find one that adds something to them, without much overlap, for those situations where I need to allow something in Nimi Web Cleanser (due to false positives, you may end up allowing more than it should; it's a downside).
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I gave CsFire a try, and at first (before installing it) I thought it was a bit like RequestPolicy, which we have to create rules to allow connections to third-party sites, but it seems that we need to create rules to either allow/block (also remote rules).

    I wonder if any of you have created local rules based on RequestPolicy ones? :D (I think this might be a good idea to restart using Firefox + RequestPolicy.)
     
  13. The suggested policy rules are only provided to make easy exception rules locally. When everything works well, you do not need to add rules. When you encounter a problem, have a look at the rules CSfire suggests. Just look for the website you were on and the website you were supposed to be linked to. Add the suggested rule to your local policy, that is it.

    1. NO, created one for a lousy payment service using unsafe GET (Ogone), because I disabled the remote policies. Thomas has used it for months, maybe he can give more insights.
    2. Using Firefox again! Are you feeling well, do I need to call a doctor for you and ask your ISP to disconnect you from the internet?
     
    Last edited by a moderator: Jun 17, 2013
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    :p No. I was actually thinking of using Firefox + RequestPolicy only to make CsFire rules creation an easier process. :D It was just a thought. An alternative would be KISS Privacy (Chrome's extension, which is similar to RequestPolicy in concept). ;)

    -edit-

    I've been playing with CsFire a bit more... yes, bit by bit :D ... and, unfortunately there doesn't seem to be a way to create a local rule that actually blocks connections to third-parties like RequestPolicy/KISS Privacy do... Bummer.
     
    Last edited: Jun 17, 2013
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm not sure if this is happening because there may be some incompatibility issues with Chromium builds (at least the recent ones), but I've been trying KB SSL Enforcer together with HTTPS Everywhere, because the former automatically detects if a website supports HTTPS and redirects to it, which would be an easier way to then know which ones I'd have to add to HTTPS Everywhere. Unfortunately, this mixture was rendering HTTPS Everywhere useless, because it was preventing it from redirecting domains to HTTPS.

    Could anyone give it a test, and confirm whether or not it also affects Google Chrome? :)
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    This is a NoScript blacklist of URLs provided a while back by tlu which I've entered into the "Block JavaScript on these sites" Chrome policy setting. I'm not sure how much this helps, as the list is just a little over 100 entries, but I guess it helps some.

    The registry location is at: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\JavaScriptBlockedForUrls

    The blacklist of URLs supplements the whitelist of...

    [*.]com, [*.]ca, [*.]net, [*.]edu etc...
     

    Attached Files:
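
An added example, not part of the post above and not wat0114's own script: one way to load a URL blacklist into the registry key named in that post and read it back. The function names are hypothetical and the three patterns are constructed placeholders for the real list; it relies on Chrome list policies being stored as string values named "1", "2", "3", and so on.

```powershell
# Added example. Run from an elevated PowerShell session (writes under HKLM).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome\JavaScriptBlockedForUrls'

# Constructed sample patterns; replace with the real blacklist entries.
$Patterns = @(
    '[*.]ads.example',
    '[*.]tracker.example',
    'https://widgets.example'
)

function Set-ChromeUrlListPolicy {        # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $KeyPath,
        [Parameter(Mandatory)] [string[]] $UrlPatterns
    )
    # Trim, drop blanks and duplicates so the numbering stays dense.
    $clean = $UrlPatterns | ForEach-Object { $_.Trim() } |
             Where-Object { $_ } | Select-Object -Unique

    # Recreate the key so numbered values from an older, longer list do not linger.
    if (Test-Path $KeyPath) { Remove-Item -Path $KeyPath -Recurse -Force }
    New-Item -Path $KeyPath -Force | Out-Null

    # One REG_SZ value per pattern, named "1", "2", "3", ...
    $i = 1
    foreach ($p in $clean) {
        New-ItemProperty -Path $KeyPath -Name "$i" -Value $p -PropertyType String | Out-Null
        $i++
    }
}

function Get-ChromeUrlListPolicy {        # hypothetical helper name
    param([Parameter(Mandatory)] [string] $KeyPath)
    if (-not (Test-Path $KeyPath)) { return @() }
    $key = Get-Item -Path $KeyPath
    # Sort numerically so "10" is listed after "9".
    $key.GetValueNames() | Sort-Object { [int]$_ } | ForEach-Object {
        [pscustomobject]@{ Index = [int]$_; Pattern = $key.GetValue($_) }
    }
}

Set-ChromeUrlListPolicy -KeyPath $PolicyKey -UrlPatterns $Patterns
Get-ChromeUrlListPolicy -KeyPath $PolicyKey | Format-Table -AutoSize
```

After a browser restart, chrome://policy should list JavaScriptBlockedForUrls with the same entries, which confirms the browser actually picked them up.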

  17. Many extensions:

    Adblock
    Adblock Pro
    Adblock Plus
    Simple Adblock

    What is your preference and why?
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Adblock Plus, just because it seems to be the most popular in this forum :)
     
  19. tlu

    tlu Guest

    It's correct that CsFire doesn't block connections to third-party sites. Rather,
    We all know that RequestPolicy and KISS Privacy break many sites unless you add innumerable allow rules. CsFire, on the other hand, is considerably less problematic and still provides protection against CSRF attacks without the need to add that many rules.

    You have to decide if that's good enough for you. For me it is, since Easylist + EasyPrivacy and my hosts file block adservers/trackers anyhow. RP or KISS would be overkill, IMHO, and not worth the trouble.
     
  20. tlu

    tlu Guest

    It's Adblock. Simply because AdblockPlus still lacks some features of the Firefox version, particularly the list of blockable items (which I need quite often in order to finetune the rules for a site). Adblock offers that and uses the same well-known filter lists.

    I haven't tried Adblock Pro and Simple Adblock, though.
     
  21. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    trying Disconnect atm.

    seems like a good addon, it's open source and it's faster in use than Ghostery. :thumb:

    it's donation-ware.
    it's free to use but there is a donation page on their website.
    i'll try it for a few days.
    if i like it i'll throw them a few dollars.
     
  22. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    The original. Based on AdThwart.
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I did find KISS Privacy more problematic, but most likely due to coding issues. RequestPolicy was friendlier IMO. I don't use Firefox anymore, though.

    I just wouldn't mind having CsFire also blocking access to third-party connections, as an optional setting (disabled by default). For two reasons, one being that KISS Privacy was kind of buggy when I last tried it - I didn't try newest version - and I simply like the fact that CsFire mimics Chromium's native look, which is always a plus to me. :)
     
  24. Morro

    Morro Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    355
    Location:
    Netherlands
    Not necessarily the correct thread for it, but since i see people talking about CsFire. This is the thread i made a short while ago on the site MalwareTips.

    http://malwaretips.com/Thread-CsFire-for-Google-Chrome

    As you can see it was mentioned that Firefox users also had some problems with CsFire. But no one was able to mention if it was possible to use CsFire and Lastpass together in Google Chrome without getting the problem i mention in that thread? Is anyone here aware of a way to make those two play nice together in Google Chrome?
     
  25. tlu

    tlu Guest

    Since I do NOT want to be automatically logged into Lastpass whenever I start Chrome, this is not a problem for me. I suggest that you contact the developer Philippe De Ryck - he's very helpful.
     