Whitelist for Chrome does not work as expected

Hello all,

Am trying to visit only the following websites with Google Chrome:

hotmail.com
yahoomail.com
gmail.com
facebook.com

So am using "Whitelist For Chrome" plugin. However its not working properly.
In the whitelist I put login.live.com. But when I visit hotmail.com, I get the following page.

Please help

 

Judging by the looks of it, it's working as it should.
You're allowing the following domains:

hotmail.com
yahoomail.com
gmail.com
facebook.com

According to the screenshot, the domain being blocked is secure.shared.live.com. So, it makes sense it's blocked. You'll have to allow access to all domains Hotmail needs access to.

Anyway, I wouldn't use an extension in a browser profile meant for sensitive tasks. I'd rather use the command line switch --host-rules. You can achieve the same, and more.

 

I was able to solve the prob by adding the following(Please check the pic) Although the following approach creates a problem
with facebook apps...

Can you please elaborate on that?? Google did not help.

 

While I'm not a facebook user my self, I believe that facebook services have other domains beside *.facebook.*. Check the source code of the Facebook page. To do it, type view-source:https://www.facebook.com or while in Facebook, right-click an empty spot of the page and click View source. You should be able to see whatever domain names it uses.

Sorry, I forgot to mention you could search the forum for my nickname and host-rules. You'd get a few example on how to achieve that goal.

But, I'll give a quick example with Wilderssecurity forum.

"C:\Program Files\Google Chrome\chrome.exe" --host-rules="MAP * 127.0.0.1, EXCLUDE www.wilderssecurity.com","MAP www. wilderssecurity.com 66.227.46.190:443" (the domain is together, but I had to separate it, otherwise it would transform it in an URL)

In the above example, I am mapping everything to localhost (127.0.0.1), which will make the connections fail, with an exception for www. wilderssecurity.com. To make it stricter, I've also mapped www. wilderssecurity.com to its IP address and remote port 443 (which is for https).

This profile can only connect to WSF, respective IP address and port 443. No other kind of connection is allowed.

If WSF had any other sub-domains, then I could either add an additional rule or write *.wilderssecurity.com instead. Rules are separated by commas, as you can see the example I gave for WSF.

One thing you must never forget, is that, there's a pretty good chance that whatever service you'll access has more than one domain/sub-domains.

Another thing to consider, is that, when using --host-rules, www. wilderssecurity.com will not match wilderssecurity.com, and vice-verse.

Either method you use, you'll have to find out which domains you'll have to whitelist.

 

Sorry but where do you write that??

 

It seems that I always forget to mention something...

You can use two methods to do it. Change your Google Chrome shortcut or create a batch file. Depending on how long the --host-rules command will be, you'll be better off by writing a batch file. I'll examplify with WSF.

Code:

@echo off
cd "%PROGRAMFILES%\Chrome\"
start chrome.exe --host-rules="MAP * 127.0.0.1, EXCLUDE www.wilderssecurity.com","MAP www.wilderssecurity.com 66.227.46.190:443"

Then, we'd save it as something like ChromeWSF.bat

You may then modify you Chrome shortcut to open the batch file, instead of the standard chrome.exe location.

####

Unfortunately, I've discovered that the command --host-rules does not prevent access to FTP sites; it seems to only work with HTTP/HTTPS.

So, if you have a regular Google Chrome installation, and if you use only one Google Chrome profile in your user account, you may want to use Google Chrome Policy Templates, instead.

There are two policies that would allow you to block all connections, and then whitelist what you want.

URLBlacklist and URLWhitelist:

-http://www.chromium.org/administrators/policy-list-3#URLBlacklist
-http://www.chromium.org/administrators/policy-list-3#URLWhitelist

For example, this would blacklist everything:

Software\Policies\Google\Chrome\URLBlacklist\1 = "*"

and, this one would whitelist what you want to allow:

Software\Policies\Google\Chrome\URLWhitelist\1 = "https://www.wilderssecurity.com"

You can find more info about other policies: -http://www.chromium.org/administrators/policy-list-3

Download the templates: -http://www.chromium.org/administrators/policy-templates

Using the templates: -http://www.chromium.org/administrators/windows-quick-start

More documentation: -http://www.chromium.org/administrators

#####

Anyway, I'd use this method if I wanted to block FTP/other schemes as well. Otherwise, the command --host-rules is more than enough.

I hope I didn't make things more confusing.

 

Just curious to know why would you prefer to use this method compared to a plugin like "Whitelist For Chrome"?? Is it because plugins are targeted by malware ??

 

There are two main reasons. One, there are two native ways of doing what you want already, either with --host-rules or policy templates; the second reason is that, when using an extension, we always risk a new browser upgrade to make the extension no longer work, and we'll have to wait the developer to fix it, or someone else to come up with a new and better extension that works.

There's also one third reason, actually. We need to trust the extension - that it won't break both our privacy and security.

I'd understand using an extension, if there was no native way of doing it. But, if there is, and if both those ways work, why not using them instead? That's how I think.

Chromium doesn't have a native way of blocking ads and tracking, so I use an extension for that. I wouldn't use one, if it had a native feature, though.

Hope this clarifies why I "dislike" extensions.

That said, I don't mean that you/someone else shouldn't be using this or that extension for this or that purpose. I just thought of providing two natives ways to achieve the same goal.

 

Thanks for the replies m00nbl00d. Very comprehensive indeed

I fully agree with you. If the same features and functions are available natively why use an extension?? I always prefer security with minimum bloatware

Because of the issue of accessing ftp sites even after applying host rules, I've opted for Google Chrome policy templates as you've suggested. Its quite a hard work!! For eg. just to whitelist gmail I gotta add the following:

accounts.google.com
mail.google.com
google.co.in
ssl.gstatic.com
google.com

Do you think I should whitelist the full url including https because https is secure??

Things like *.google.* or *.google.com are not working. Any idea why??

Also I know that this is just a one time effort because there aren't MANY sites that we generally login to.
Although am just concerned about facebook(Actually am doing all this on my friends system) because there are
soo many apps and games on fb that am worried it might just break it.

 

I'm actually wondering if URLBlacklist and URLWhitelist policies would work together with --host-rules. Will have to test someday.

No pain, no gain. Right?

I'd restrict connections to https as much as possible. I think there's a moment in Gmail's login/signout process where an http connection happens, though. You'll have to try it out; it's the only way to know for sure.

If you look at this page http://www.chromium.org/administrators/policy-list-3#URLWhitelist you'll see there's an example that just has a decimal dot instead of an asterisk: Software\Policies\Google\Chrome\URLWhitelist\5 = ".exact.hostname.com"

So, I imagine you have to whitelist like .wilderssecurity.com and not *.wilderssecurity.com.

 

There shouldn't be. It's supposed to be HSTS with SPDY.

 

But there was. I no longer have a Gmail account, but I remember I had to allow an http connection. I believe the http connection is for the country specific Google TLD, and I believe it's during the signout process.

Anyway, maybe they changed the behavior.

 

Yes you are right there is a split second moment where an http connection happens. No wonder I added google.co.in in post no.10

I like the fact that you respect others likes/preferences. Thats the reason I am being frank about my displeasure to not use
only this particular native method and opt for the addon 'Whitelist for Chrome' instead.

That unfortunately doesn't seem to work. Anyways after much thought and trial/error I've decided to go with "Whitelist for Chrome" because besides being too much of a hassle to whitelist each url, I was just wondering what effect it might have on something like a payment gateway once the user makes a payment. For eg. A user clicks on "checkout" or "pay" button and because of whitelist the page would not load. Then I would whitelist that page and refresh it. Wouldn't the payment be made twice??!! Just wondering...

Also which other option would you recommend to configure from security point of view from that chrome security template which you had
suggested??


-----------------------------------------------------------

So considering that am using "Whitelist for Chrome", if I get any link
to a random malicious url in my yahoomail or facebook and if I click on it, it would be blocked by default. Of course I wouldn't know if that link is malware ridden so I would copy paste it into Firefox and since FF will be sandboxed and loaded with NoScript, BetterPrivacy, Adblock Plus I need not worry about XSS, CSRF and ClickJacking is that correct ?? Firefox is for general browsing.

Also I would want to know which is your preferred privacy/security chrome addon ??

 

I suppose something like that would happen. But, wouldn't it also happen with Whitelist for Chrome, or other method? The safer bet would be to know before hand the domains that need to be whitelisted for those services, before accessing them.

 

Sadly, --host-rules will come to a point of saturation. I didn't investigate further, but either it has a limit set for the amout of blocks you can specify, or I've reached Windows own limit for the ammount of characters a line can have.

Either way, I'm thinking the best approach would probably a combination of Group Policies, --host-rules and an extension... One needs to design well how things would work out, though.

 

And what is the procedure for that?? Suppose I visit a website like www.flipkart.com how can I come to know which specific urls to whitelist
in advance so that I dont face a situation like this:

 

I didn't visit the website (It would require me to whitelist the domain and then my batch file, which I use to run Chromium.), but, most of the times it should be enough to check the website source code (Right-click a website spot and View page source).

Otherwise, if there are service you prefer to play safe, in case all the domain names aren't the source code of the main page (it may happen), I'd just e-mail the support team and ask them to provide all the domains involved in the login process, so that you can whitelist them. Just tell them you'd like to create a more secure browser profile, and for that you'd like to know all the domains involved in the process.

 

I think I'll visit the shopping or any sort of websites that requires my credit card info from firefox instead of chrome. In case of firefox what I'll do is before visiting such sites I'll close my sandboxed firefox and re-open it to do any such transactions. But yes remembering this procedure in future would be a challenge. Am conscious right now but what about future when am visiting 10 different sites and I quickly need to visit a CC info entering site as well?? Whitelisting in advance the possible shopping sites or any other CC info entering sites and any of their third party domains would be an ENORMOUS task. Also I dont visit such sites that often.

No wonder I use the blacklist addon in firefox so that, by mistake like in the above scenario, I dont visit the whitelisted sites in Chrome, in Firefox. But I really wish the addon 'Whitelist for chrome' has some sort of password protection for its list like the addon 'Blocksite' has for firefox...

 

Question

When a user visits a site not in the whitelist he gets the following
message in the browser due to the extension "Whitelist for chrome".
Is there any way to get the functionality to open the blocked site
in firefox directly instead of copying the link address and pasting it in
firefox, when the user right clicks on it? something like
"Open in Firefox" ?