µMatrix - the HTTP Switchboard successor

I think comment #8 nailed it. The nonsense from the Chromium people trying to rationalize this is beyond ridiculous. If a user installs an extension manually, it is not force-installed, and surely the browser can remember this one important bit of information as part of the extension profile. I don't see any other reason than just to force everything through the Chrome store, and that annoys me.

Edit: By the way, I don't think Opera has that kind of annoying bubble (not sure though). Maybe worth trying?

 

The assumption is that the attacker has local execution, in which case they could modify that profile to say "it is not force installed" - so that does not work.

 

Yeah, it occurred to me afterward. Is the problem of extensions installing themselves on Windows without a user intervention that serious? (I wouldn't know I'm using Linux). And if so, how does it happen? Command-line switches?

 

I'd say Google is trying too hard to make the browser more secure than the OS, so that newbies won't mistakenly believe that Chrome is vulnerable. Market share expansion.

 

On Windows, some of these malicious extensions get bundled with 3rd party software installers (sometimes you can opt-out, but more often than not they install silently), and they're on the rise (I'm pretty sure CNET Download has some of these in their installers if you're brave enough to try)... If you provide administrator privileges during the install, the installer can then forceinstall any extension via Group Policy by changing the registry.

And yeah they can be a pain, effectively hijacking your browser.

I know how very annoying for developers Google's new policy can be, I have to click on the warning every time I launch Chrome... But I still think on the long term it's a good decision for the majority of users.

BTW you can create a private collection of extensions on Google Store, I still prefer keeping everything local but it can be a good solution for some users : https://support.google.com/chrome/a/answer/2649489?hl=en

 

Yeah, as mentioned above, it happens a lot with software bundles. Less 'malware' - more 'PUP'. I don't know if they use command lind switches, but there's naturally nothing at all stopping them while the switch exists.

Personally, I think it's futile for them to attempt to deal with this type of attack - much better suited for MS. But that's their prerogative, and it is certainly a real thread.

 

Does anyone know where the installation/update instructions, using Developer mode, are for uMatrix? I know i saw them a few days ago but have totally forgotten where they are and unable to find them now

 

It's the same steps as with uBlock: https://github.com/gorhill/uBlock/tree/master/dist#install

 

How close is this to beta or full release now

 

Ahh...that's it, thanks Raymond!

 

About doc stuff, I'll take this example:
https://github.com/gorhill/uMatrix/releases
If I want to download xxx-x-alpha.xx.zip, there's a request for amazonaws.com. I'd think this file would be listed in a column "doc", but instead µMatrix creates a Matrix for amazonaws.com. Have you planned to change something or you advise to use filter "* * doc allow" ?

 

I have Switchboard disable on 2 of my computers & I'm using uMatrix. How does it update to the latest version. I installed it early this morning when the latest version was Alpha 17 & it's now up to 19. Does it update like all other extensions by clicking on Update Extensions now? According to the uMatrix settings about i'm using 0.8.0.0

Thanks.

 

Hello gugarci,

Until µMatrix is released to the Chrome store, you will need to update manually. See gorhill's post # 58 above for more information. He includes a link that will give you instructions on updating.
HTH...

 

I don't plan to change anything. The `doc` type is whitelisted internally in global scope (just like image and css), so there should be no problem downloading, unless the hostname is blacklisted. In such case, whitelisting the hostname in the associated scope will fix the downloading.

Since there is always just one root `doc` per page, it's pointless to have a column for this.

Not sure what can be done about the tab id no longer matching the URL in the address bar when downloading through a click. I didn't realize this was happening, and I checked and same was happening with HTTPSB. For now I think I rather let this quirk be rather than trying to fix this before release. Eventually I will look if anything can be done.

 

Sometimes, hijacked pages try to make your browser auto download files, and I though it was possible to have several "doc" type (maybe I did not understand the "doc" attribute, I though it was for downloadable content) in the same page.

But indeed, a column with "doc" makes no sense in general, since it would appear only when you click on a link.

PS: I even block css and images from third-party in my filterset (* * * block + * 1st-party * allow)

 

Thanks for the reply puff. I'll have to keep playing it with the directions in the link. First time I did it I lost all my settings, 2nd time I had 2 versions of uMatrix. I'm sure I'm doing something wrong updating to the latest beta.

 

Bottom line is that an extension keeps its identity (settings etc.) if it is the same absolute path. If the new absolute path is different than the old absolute path, it will be seen as a new extension, and thus settings will be the factory ones.

To avoid any confusion, you may want to unzipped to a temporary location, then copy the content of unzipped folder into the folder currently used as the extension.

 

Thanks. I'll try that next time.
Like I said I'm sure it was user error on my part.

 

I debated with myself blocking all css/images except for the source hostname, but it just breaks too many sites and so isn't convenient enough for me. Basically I use the Block-All/narrowly Allow-all (only CSS/Images allowed) and I'm fine with that.

But is there any security risk that you know of which would warrant blocking CSS/Images ? I don't care that much about privacy, but more about browser hijacking, drive-by downloads, etc...

 

There is an option to export and import your rule set so just export them, delete the existing uMatrix, install the new one and then import your rule set. I lost my rules also then I saw that so the next time I update it (if its not yet in the chrome store) that's my plan.

 

µMatrix release candidate available. Congratulations, Raymond!

From a technical perspective, this version is definitely mature enough and ready for the webstore, IMHO. However, for users not familiar with HTTPSB the missing/too technical documentation will probably make it rather hard to make use of all the great features of µMatrix. Perhaps some (slightly overhauled) parts from the HTTPSB wiki (e.g. the must-read section, the matrix toolbar and scopes chapter) can be used in the µMatrix wiki.

 

@oneeyed25: In term of security, I don't think there's something wrong allowing css+images. In term of privacy, since you download something, you let a trace on the server, but not a problem if you don't care about security (but if you saw the number of 1x1 images to trace you, you would be surprised).
The problem is sometimes, when you allow images and css, you think you did not break the site, but yet, you did not allow scripts, and you lose sites functions too. When you block everything, it appears clearly.

But I'm aware it breaks several sites, but it also allows me to see some sites are too dependent from other sites (hotlink is bad for history).

 

@tlu and @Pilou42

Well there is scriptblocker based on HTTP Switchboard. Easy no hassle solution for the time being: disable 3rd party cookies in your browser, 3rd party img(pixel tags)/iframes in ublock and 3rd party scripts in scriptblocker. No hassle setup. I was hoping Raymond would add a block script/allow same domain like functionality as scriptblocker in UBlock.

 

Huh?

 

Script Blocker is not based on HTTP Switchboard, the author just give credit to the technique used in HTTPSB on how to reliably block scripts.

µBlock is able to block script and frames on a 1st-/3rd-party basis. Anything more than this is µMatrix, which now comes with a 1st-party row to create special rules to be used for whatever net requests is 1st-party to a web page -- without having to deal with specific host/domain names. I would say this one item is one of the biggest improvements (right behind full-layering of scopes) in µMatrix relative to HTTPSB.