Security: Firefox vs Chrome

I think any (objective) FF user would concede that Chrome is more secure out of the box. Heck, so is IE these days. And the Chrome sandbox vs. FF + Sandboxie, advantage, once again, Chrome.

But when you get to FF+Sandboxie+NoScript, the scales begin to tip a bit in FF's favor. And when you add other addons into the equation, I'd say even tip in it's favor.

Now you can call it cheap that it needs "help" via addons to make it catch up, but I don't see how that makes it any less effective.

Also, I can't utilize Chrome's sandbox here on XP, so for XP users, FF+Sandboxie+NS is the clear winner. But if/when I move on to 7, it'll be hard to resist using Chrome. Because I'm such a fan of integrated security, and playing with restrictions/privileges. A frickin geek, admittedly.

 

If Chrome could ever get NoScript quality functionality for itself, there would be no debate at all.

And from what I hear in here ScriptNo has been pretty much abandoned? That sucks.

 

For several weeks I've struggled with the decision as to which one offers the best overall security:

Firefox with NS plug-in + AdBlock+

or...

Chrome + AdBlock (not Adblock+ because it is beta for Chrome)

In the end I've decided to go with Chrome + AdBlock because:

although it's indisputable nothing beats NS plugin for controlling scripting, the sandboxed renderer processes of Chrome in its default state is clearly superior over Firefox in its default state, and this should not be underestimated in importance - Chrome Browser at base default with no add-on or 3rd party help is superior to Firefox at base default. Hungry Man has explained this earlier in this thread re the sandboxed renderers of Chrome.

What it all comes down to is I feel more comfortable using the most secure browser in its default state, with less reliance on add-ons or 3rd party help (eg: Sandboxie) than one that's less secure at default and requires add-ons or 3rd party help to secure it.

Of course, the "coup de grâce" would be Chrome coming up with a script control extension equivalent to NoScript

 

Adblock Plus has been in beta for years but it is still better and more recommended then Adblock. Adblock Plus is 100% free where as Adblock asks for a donation.

 

There are other ways to mitigate things like XSS. Chrome isn't a slouch there - content security policy is a great way to prevent all types of exploit. The Chrome site isolation also contributes to this.

 

Fine choice.
Been using AdBlock for as long as I have been using Chrome.
It does a great job and I was happy to send a few dollars to the developer.

 

Under Advanced Settings I enable: "Do not allow any site to run javascript" then I allow [*.]com, [*.]ca ...etc. I think it was you and maybe m00nbl00d who had recommended this approach some time ago.

Thanks! I've been happy with it.

 

I think it was... *cough*... (https://www.wilderssecurity.com/showpost.php?p=2063562&postcount=3). Just pointing the thread, so that users unware of it take a look at it, because user Kees1958 also mentioned a few tips there.

-edit-

By the way, you may want to take a look at KISS Privacy (Chrome Web Store). It's similar to RequestPolicy.

 

m00n is the one who originally mentioned it as far as I know. Haven't seen a reference to it elsewhere.

There's a new RequestPolicy API that's symmetric so that should yield interesting results for NoScrilt-like extensions. I know Georgio has stated he's working on it but there are still limitations that won't be going away.

Like I said, things like site isolation and content security policy are still going a long way to prevent XSS. I personally prefer things like CSP as they're more inline with what I consider strong security.

 

Absolutely, Kees 1958 mentioned several tips there in the thread he started. Yet, you were the one who *cough*... mentioned the tip to restrict top level domains in javascript. My memory served me not too badly in this case, even without conducting a search before posting, only that I got yours and HM's names reversed.

 

Absolutely. And I'm hoping that by the time I make the jump to Win7 this will be a reality. It will make my choice quite simple.

 

great thread folks.

we had the same discussions here months ago in another thread and the consensus was pretty much the same.

but i settled on the FF with NoScript.
NS for me is not only an effective security device but it cuts down on the bandwidth sucking scripts that load on some page.

some websites have so much javascripts and whatnots running that they sometimes freeze the whole computer until all the crap has loaded.
i've verified this on different browsers and machines, as did some other members here at Wilders in a previous thread.
my guess is the CPU is 'red lining'.

i really wish there was something as good as NS for Chrome.

 

Would you be kind enough to list and explain those tweaks and add-ons so that I can make my FF stronger.

 

I've made so many over time I can't keep them all straight, but many of them are in this post here. We were discussing how to tweak FF to make it like the TOR browser bundle version:

https://www.wilderssecurity.com/showthread.php?t=309748

As for addons:

NoScript
Adblock Plus (Subs: EasyList, EasyPrivacy, Malware Domains)
CS Lite Mod
HTTPS-Everywhere
RequestPolicy
WOT
Download Statusbar*

* = Check out my post in the "other AV" forum titled "VT Hash Check - autoscan" for how to make great use of that Download Statusbar addon.

Make sure to give VT Hash Check start/run & internet access in your Sandboxie restrictions for your Firefox box.

There... that outta harden you up pretty good.

 

@luciddream
Thx a lot.