How are YOU hardening Chrome?

From Noscript.net link;

From an old blog on XSS Auditor (vs Noscript anti-XSS) link;

And from a 2013 Chromium bug report link;

 

Harsha, according to an older thread here:https://www.wilderssecurity.com/showthread.php?t=341838, those Chrome limitations are now gone. I was wrong and apologize.

 

Why don't you use Chromium instead of Chrome? It offers far better privacy settings than Google Chromium. Harden Chromium instead of Chrome.

 

You are welcome! No need to apologize at all.
I wish ABP in chrome would get "add block filter" options similar to firefox one.
This will help to create more granular rules when needed.

Thanks, Harsha

 

In my opinion, not really. RLZ is missing yes. But it comes into play when getting Chrome through other means such as bundles, not through the official source. All other privacy issues, such as recording search terms or sending back data, is going to happen whether you use Chromium or Chrome. All it takes is using Google services period. What you are missing with Chromium is automatic updating, Flash being quite well secured and automatically updated, PDF reading built in, which is one less program to secure on your system, and a few other things.

Chrome really isn't any less private than other browsers. If you use Google at all, they are getting the data.

 

Chromium still has more potential though, because the source code is there for you to modify. Being lazy and unqualified, I just use Chrome.

 

Yep, you've summed it up nicely This is what it boils down to, as well as other sites that do the same thing as Google.

 

We have more than enough Chromium/Chrome forks out there, almost all of them touting "privacy" and generally not worth a darn. So I don't consider it that much of a benefit. I don't want to veer too much out of the current topic, I just prefer the real deal and its incredible security, privacy issues notwithstanding.

 

for the cipher suite did you just plug in the command line from the chromium tips page or did you head to https://cc.dcsec.uni-hannover.de and use that as well.

 

I do nothing to hard any browser I use, and more than likely never will. I don't feel the need to.

 

When you have PRO version you can download Chrome ADM template and apply NSA advises http://www.nsa.gov/ia/_files/app/Deploying_and_Securing_Google_Chrome_in_a_Windows_Enterprise.pdf

I use IE11 for HTTPS (both EMET and WFW protected, with own privacy policy and Boerenkoolmetworst cipher improvement), so I do not need the HTTPS improvements, only want to prevent 'something' making changes to my Chromium and lock privacy settings. I just prefer Chromium over Chrome for privacy/tracking reasons.

 

Tweaks you can apply to Chromium/Chrome using internal mechanism (I run chromium with --no-referrers and --incognito switch and Adguard extension which also allows to write your own blocking rules . I am using startpage most of the time, but google NL often shows more (better) results, so I added some Google cookie and data blocking rules (anti-tracking blocklist of AdGuard takes care of the rest).

Options used are wildcard, HTTP, HTTPS and FILE (=data)

 

I also included the ciphers using MD5 as suggested in the first link and confirmed with site you mentioned. So far, I haven't run into any problems with the https sites I'm using.

 

Collin Jackson is also one of the authors (one of them is Adam Barth who is a security engineer with Google) who wrote a document about XSS filters in general and the XSS Auditor in particular.

 

Gotcha. I'll give it a test and see how things work. thanks for the info

 

@tlu,

did you add any more to the following of blacklisted cipher suites?

Code:

--cipher-suite-blacklist=0x0001,0x0002,0x0004,0x0005,0x0017,0x0018,0xc002,0xc007,0xc00c,0xc011,0xc016,0xff80,0xff81,0xff82,0xff83

I ask because you were in discussion regarding RC4 cipher suite. Thanks!

 

On a website like Facebook it can't modify the request to remove the ad AFAIK, since the requests are bundled. Same with GMail. So instead all it can really do is manipulate the page to remove the ad. In most cases it should be able to simply break the request for ads.

 

No, those are the ones I'm using. As already mentioned, I haven't had any problems with the sites (banks, Amazon, whatever ...) I'm accessing.

 

Very good, thanks