How are YOU hardening Chrome?

Discussion in 'other software & services' started by CrusherW9, Dec 25, 2013.

Thread Status:
Not open for further replies.
  1. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    244
    Location:
    United States
    I couldn't find much info about this command-line switch (--cipher-suite-blacklist). Any links to some general information on what it does?
     
  2. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    httpXXXX://wiki.archlinux.org/index.php/Chromium_Tips_and_Tweaks

    "Disable insecure RC4 cipher"

    httpXXXX://en.wikipedia.org/wiki/RC4
     
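The switch asked about above takes a comma-separated list of TLS cipher suite IDs in 0xXXXX hex. As an added example (not code from the thread, the Arch wiki, or the Chromium project), the script below builds the switch for the RC4 and NULL-cipher suites that older Chrome builds still offered and then audits an existing shortcut command line to report which of those suites it leaves enabled. The suite IDs are taken from the IANA TLS Cipher Suite registry and should be treated as an assumption to re-check for your own build.

```python
"""Build and audit Chromium's --cipher-suite-blacklist switch.

Added example, not from the thread or the Chromium project. The switch takes
a comma-separated list of TLS cipher suite IDs written as 0xXXXX hex; the IDs
below are the IANA numbers for the RC4 suites (and the two NULL-cipher suites)
that older Chrome builds still offered. Treat the exact set as an assumption
to be checked against the IANA TLS Cipher Suite registry for your build."""
import re
import shlex

SWITCH = "--cipher-suite-blacklist"

# IANA cipher suite ID -> name (assumed values, see module docstring)
INSECURE_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}

_ID_RE = re.compile(r"^0x[0-9a-fA-F]{4}$")


def build_blacklist_flag(suite_ids):
    """Render a sorted, de-duplicated switch such as
    --cipher-suite-blacklist=0x0004,0x0005,..."""
    ids = sorted(set(suite_ids))
    return SWITCH + "=" + ",".join(f"0x{i:04x}" for i in ids)


def blacklisted_ids(cmdline):
    """Parse a launcher/shortcut command line and return the set of suite IDs
    it blacklists. Accepts both '--switch=a,b' and '--switch a,b' forms;
    entries that are not 0xXXXX hex are ignored, which is also how a typo
    silently weakens the setting."""
    args = shlex.split(cmdline)
    ids = set()
    for n, arg in enumerate(args):
        if arg.startswith(SWITCH + "="):
            value = arg[len(SWITCH) + 1:]
        elif arg == SWITCH and n + 1 < len(args):
            value = args[n + 1]
        else:
            continue
        for item in value.split(","):
            item = item.strip()
            if _ID_RE.match(item):
                ids.add(int(item, 16))
    return ids


def missing_insecure_suites(cmdline):
    """Names of INSECURE_SUITES that the command line does NOT blacklist."""
    present = blacklisted_ids(cmdline)
    return sorted(name for i, name in INSECURE_SUITES.items() if i not in present)


if __name__ == "__main__":
    flag = build_blacklist_flag(INSECURE_SUITES)
    print("recommended switch:", flag)
    # Constructed shortcut command line that only covers the two RSA/RC4 suites.
    partial = "chromium --incognito --cipher-suite-blacklist=0x0004,0x0005"
    print("still allowed:", missing_insecure_suites(partial))
```

Running it prints the full switch and, for the constructed partial shortcut, the four suites it still leaves negotiable; pointing `missing_insecure_suites` at your real shortcut's command line is the quick check that the setting actually covers the ECDHE RC4 suites, which are the ones most often forgotten.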
  3. tlu

    tlu Guest

  4. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    244
    Location:
    United States
    Awesome, thank you for the links guys.
     
  5. CrusherW9

    CrusherW9 Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    517
    Location:
    United States
    I just thought I'd say that after messing with HTTP Switchboard some more, I'm digging it :D
     
  6. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    Added HTTP Switchboard, Netcraft, and CsFire extensions. Plus the usual privacy tweaks.
     
  7. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    yeah, it's bloody righteous I say! :thumb:

    anyone that has played a bit with NoScript should feel right at home.

    the dev says he does it just for fun but I'll pay him a case of good beer anytime. :)
     
  8. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    +1, Westvleteren worthy.
    Reg. Chrome, just some user-settings changed and HTTPSB. The latter makes Chrome a FF(+Noscript) alternative.
     
  9. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    244
    Location:
    United States
    Doesn't Chrome have cross-domain protection built in? When I go to the CsFire site and click on the test link a little shield pops up indicating "this page includes unauthenticated script sources". Plus with HTTP Switchboard disabling javascript by default, wouldn't that be just another layer of protection from cross domains? I could be wrong, so I'd like to read a little more about this situation.

    I remember seeing that you can disable this with --disable-web-security, but I don't myself. Are there any other sites to try and test cross-domain protection by chance?
     
  10. tlu

    tlu Guest

    I guess that javascript is used on the CsFire test page in order to demonstrate what's happening. But generally CSRF attacks don't require javascript (at least from my understanding) although they can be part of an XSS attack.

     
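The point made in the post above, that a CSRF request needs no JavaScript because the browser attaches the victim's cookies to any form submission aimed at the site, is shown below from the server's side. This is an added example, not code from the thread, from CsFire or from Chrome: the site origin, session store, cookie and token values are all constructed, and `csrf_check` is a generic origin-plus-synchronizer-token check rather than any particular framework's implementation.

```python
"""Why CSRF needs no JavaScript, and a server-side check for it.

Added example, not from the thread or from CsFire. A cross-site request
forgery only needs the browser to submit a request to the target site while
carrying the victim's cookies; a plain HTML form on another page does that on
its own. The site origin, session ids, cookie and token values below are
constructed for illustration."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"  # assumed origin of the protected site
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Server-side session store (constructed): session id -> record.
SESSIONS = {"sess-123": {"user": "alice", "csrf_token": "tok-constructed-9f1c"}}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def issue_csrf_token(session_id):
    """Mint a fresh synchronizer token for a session. The site embeds it in
    its own forms; another origin cannot read it, so it cannot echo it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token


def authenticated_user(req):
    """What a handler that trusts the cookie alone sees."""
    sess = SESSIONS.get(req.cookies.get("session"))
    return sess["user"] if sess else None


def request_origin(req):
    """Origin header if present, else the origin part of Referer, else None."""
    if "Origin" in req.headers:
        return req.headers["Origin"]
    ref = req.headers.get("Referer")
    if ref:
        u = urlsplit(ref)
        return f"{u.scheme}://{u.netloc}"
    return None


def csrf_check(req):
    """Return (ok, reason) for a state-changing request: it must come from
    our own origin and carry the token bound to its session. A request with
    neither Origin nor Referer is rejected rather than assumed same-site."""
    if req.method in SAFE_METHODS:
        return True, "safe method"
    origin = request_origin(req)
    if origin != SITE_ORIGIN:
        return False, f"cross-site origin {origin!r}"
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return False, "no session"
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf_token"]):
        return False, "token mismatch"
    return True, "ok"


# Alice submits the bank's own transfer form: same origin, token present.
LEGIT_REQUEST = Request(
    "POST", "/transfer", {"Origin": SITE_ORIGIN},
    {"to": "bob", "amount": "10", "csrf_token": "tok-constructed-9f1c"},
    {"session": "sess-123"},
)

# Alice's browser submits a plain HTML form (method="post", action pointing
# at /transfer) found on another site. No script ran; the browser still
# attached her session cookie, so cookie-only authentication accepts it.
FORGED_REQUEST = Request(
    "POST", "/transfer",
    {"Origin": "https://attacker.example",
     "Referer": "https://attacker.example/page.html"},
    {"to": "mallory", "amount": "1000"},
    {"session": "sess-123"},
)

if __name__ == "__main__":
    for name, req in (("legit", LEGIT_REQUEST), ("forged", FORGED_REQUEST)):
        print(name, "| cookie says user:", authenticated_user(req),
              "| csrf_check:", csrf_check(req))
```

The forged request passes `authenticated_user` exactly as the legitimate one does, which is the whole problem: nothing about the cookie tells the server who built the form. Blocking script on third-party sites, as HTTP Switchboard does, does not change that; what stops it is the server refusing requests whose origin is not its own or whose token does not match the session.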
  11. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    I have added a few tracking/ad agencies myself when I encountered them on sites I visited. Perhaps you may review this and add to your local list if you deem it's serving ads or tracking...

     
    Last edited: Jan 2, 2014
  12. Dave0291

    Dave0291 Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    553
    Location:
    U.S
    Harsha, a lot of entries will be based on user opinion. Some may or may not consider one or more to be annoying or malicious, and some entries will need to be based on usage. For instance, Disqus is not a tracker or an ad company. They are a commenting system provider, much like LiveFyre. Unless you just want to block comments from showing up on most major websites, this one is harmless. Brightcove is one of those iffy instances. They deal a lot with media, like embedded video. Almost every time I have run across them at a website, it was a video in relation to an article and not an ad. That however doesn't mean it will always be that way.

    I'd like Gorhill to focus on real threats as much as possible, and not go the way of ABP where users get whatever they want added. That ends up turning into the massive, conflict-ridden and slowdown causing mess that ABP lists have become.
     
  13. gorhill

    gorhill Guest

    Thanks for clarifying for me, this is pretty much my mindset when it comes to deciding what is eligible for the blacklist.

    My rule is that it needs to be obvious that the purpose of a hostname is to track or serve ads, and in the blacklist file I have a rule of needing a quote or reference from whoever is behind the hostname as an explanation of why something made it to the list.

    For tracker and ads, we don't even want to d/l images from the hostname so hence the blacklist. Obviously `disqus.com` has no place there. I didn't look at others, but I usually assume good faith, so in doubt I don't put on a blacklist. In case that wasn't clear, I meant to readers of the forum to send me something so that I will investigate whether I choose to put it on the list or not using the criteria above.

    Actually, I need to revise that: if someone thinks something has to be put on the list, explain why, and using a quote from the owner of the hostname will be required for most cases. Essentially, make a convincing case. This way more thought is going to be put into these suggestions as to why something should be blacklisted. And that will save me work (although I will double-check.)

    Btw, re. ADP, I didn't look closely, but from what I can see ADP works with some kind of complicated rule syntax, which implies a lot of processing and/or memory needed to evaluate, hence the CPU and memory use of ADP.

    For HTTPSB I plan on keeping it simple; even as of now I have had to turn down feature requests to turn it into an ADP or something else that can't even be described because of features which do not fit naturally in the current UI or even purpose.

    Ultimately this GPL project can be forked, so anyone can turn it into whatever they wish, but for the original one I intend to keep it focused and continue to perfect it according to its well defined purpose.

    At this point I consider it almost (just a few little things missing re. privacy) feature complete and most of the work until v1.0 will be to fix bugs/issues/performance/polish.
     
  14. gorhill

    gorhill Guest

    Thanks for the suggestions. If you look at the project's blacklist file, almost every entry is documented using a quote taken from the owner of the hostname, so that would be great if you could provide me with the same kind of evidence for why a hostname is put on the blacklist.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Have you thought further about attempting to deal with XSS and CSRF vulnerabilities, as NoScript does?
     
  16. tlu

    tlu Guest

    The question is if Chrome's built-in XSS Auditor is inferior to NoScript's XSS filter. I guess that's difficult to answer - even for Raymond. ;)
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    My thoughts pretty much exactly as yours on these two sites.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah, the approach seems to be the same - check content to requests. I don't know what differences there are. The differences might be out of scope, like DOM based XSS.
     
  19. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    Thanks Dave0291 and gorhill for your inputs.

    I will revise my suggestions and update them accordingly and add the reason why it needs to be blacklisted if applicable. That is the reason I asked gorhill to review them in the first place.

    I am not sure why brightcove was in my list. I thought I removed it later once I blacklisted it.
     
  20. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
  21. tlu

    tlu Guest

    Quote:

    (... or more precisely: Firefox's upcoming filter)

    Above remarks don't really say anything about the efficacy/reliability of those approaches (except the IE filter).
     
  22. Dave0291

    Dave0291 Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    553
    Location:
    U.S
    You want to name me a large company that doesn't disclose "non-personal" information? I'm not trying to pick at you, but people have to realize that the days of not sharing any user data with third parties are over. None of your links are new or shocking, Disqus has screwed up like every other company out there. I'm much more concerned about companies that share everything about their users and, when questioned, flip users the middle finger...like Facebook, Google, AdSonar and too many others. Compared to them, Disqus is indeed rather harmless. This would be one of those times where, like Brightcove, user opinion matters and will vary.

    Again, not picking on you or saying you are necessarily "wrong". But commenting is a huge part of our web now and social, and there are bigger, more insidious fish to fry.
     
  23. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    I never had any issues with slowing down with the massive list of ABP+ in Firefox or Chrome (of course it is not as massive as Firefox's). And its job is perfectly done, at least in Firefox, to me.

    I don't bother if it is taking a few extra CPU cycles or memory, as it is not slowing the browsing or system.

    And coming to the lists, I wish to block all the 3rd party ad content. That even helps if some ads are compromised. It gets stopped at the roots.
     
  24. Dave0291

    Dave0291 Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    553
    Location:
    U.S
    The lists are a mess if you take some time out of the day and look through them if you're bored enough. As I said previously, the list managers have taken to adding anything and everything. There is a ton of entries in the more popular lists that are basically "one offs", meaning encountered by few users and on very specific websites. Taking more memory and CPU usage is the last thing users of Firefox need, but that is an entirely separate topic. As far as I am aware, ABP is a better ad hider than a blocker. So it may or may not help much with truly malicious ad servers.
     
  25. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    I agree with you, the number of lists in ABP+ (Firefox) is massive. But not sure if it's causing any increase in CPU usage or memory. Personally, I believe it is neither (at least, to me with my configuration!). It's lowering both CPU usage and memory. Because the time taken to render and display the blocked objects will be saved and negated if any additional processing is involved in finding out which objects are to be blocked.

    I just did a quick fun test to measure the memory of the tomshardware site (+ about:memory page) in Firefox in various configurations..And you may find the result quite interesting...

    note: time to render the tomshardware site without NoScript and ABP+ is quite high and noticeable to the naked eye.

    here you go my friend.. :)

    Can you explain what you mean by better hider than a blocker. As far as I know, the hidden objects are not loaded to the client browser at all. Meaning the requests (GET) from the browser are blocked and would never reach the host server.
     
    Last edited: Jan 2, 2014