Firefox extensions for security & privacy

Discussion in 'other software & services' started by bellgamin, Apr 30, 2019.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Yes I've used it years ago, but quickly realized that it was not necessary and more or less just an annoyance. At least for me :)
     
  2. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    Though this applies for users that don't visit different sites. And limit themselves to their favorite sites.
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    No, it doesn't. Let me give you a couple of examples. Lets say I am here at Wilders, and in one of your posts, you post a link and I click it, when I land in the webpage, if all I want out of that webpage is read and I am able to read without allowing anything, I don't allow nothing. Why should I create rules or white list domains when its not required for getting the content you want? You don't do it, and the vast majority of webpages you land at random are like that and can be treated like that.

    Another example. If you land in a webpage at random, lets says your link is an article that has pictures and you like to see the pictures, then you allow the pictures. You don't have to fiddle with NoScript settings to create rules or white list this type of sites for getting the pictures to be displayed. It wouldn't make sense to do that. What you do is allow scripts to run temporarily in this type of sites. Most of the time, it takes one click and you are done.

    I can understand some people not liking NoScript, but in my personal opinion, users who claim they used NoScript and call it annoying, or say that it breaks the internet, the bulk of this group of users are users who didn't learn enough about NoScript and didn't became an advanced user. Anyone who understand that NoScript is supposed to block, by default, everything that runs, would not say NoScript breaks the internet, when blocking all content is what NoScript s supposed to do. So, saying I don't like how NoScript works and functions, I think that's OK and fine, but saying that it breaks the internet, that's wrong. NoScript is doing what is supposed to do, you as a user, should understand what you are getting when you install NoScript and go from there.

    Face it, NoScript is not for everyone but is an easy program to use once you learn how to use it properly, everything has a nice flow about it once you become an advanced user, to feel this way, you have to advance. You have to move on. Some people after using NoScript for 5 years, are still using it as when they first started using it. That shouldn't be. Using NoScript that way can be annoying. So, if you become an advanced user, you ll like NoScript, if you don't become advanced, you are better off using programs with filters and let other people decide what to block or allow instead of you. :)

    Bo
     
  4. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    @bo elam
    I know how NoScript works. I used it in the past when I used to use Firefox.

    > click it, when I land in the webpage, if all I want out of that webpage is read and I am able to read without allowing anything

    Depends if the site doesn't require scripts to be read properly.

    > I can understand some people not liking NoScript

    Yeah, not everyone likes the whole script blocking thing. Some people can get overwhelmed. Personally, I don't dislike NoScript. I just find that other add-ons can do its job even better.


    My point is that the more sites a user visits the more likelyhood he/she will encounter a site that requires a new script to be enable. And while, yeah, you can do so temporarily you still need to allow it.
     
    Last edited: Jul 8, 2019
  5. Marwood

    Marwood Registered Member

    Joined:
    Aug 11, 2019
    Posts:
    20
    Location:
    UK
    One of the things I have on all of my browsers is uBlock Origin. Recently I've been reading about is AdNauseam. You can get it easily on Firefox and Opera although I think there was some trouble with it a while ago as far as Chrome is concerned, but is it safe to use? This is their site:
    https://adnauseam.io/
    I saw this by them on the GitHub site:
    Install AdNauseam on Chrome Without Google's Permission
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Only now came upon this thread :rolleyes::isay: ...
    How so, hadn't noticed ... Is this still the case?
    @Krusty I see ClearURLs gets :thumb:, does it completely replace all the functionality of the other three?
    Also missed those, thanks for the recommendations - trying now.
     
    Last edited: Oct 5, 2019
  7. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    Ah, I meant HTTPS Everywhere, not Privacy Badger. This seems to be fixed now, however.
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Paul, they all do pretty much the same job but ClearURLs is constantly being updated.

    Edit:
    https://addons.mozilla.org/en-US/firefox/addon/clearurls/
     
    Last edited: Oct 5, 2019
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    I'm using uBlockO in Medium mode for my main content blocker, and then NoScript with Restrictions disabled. This should still keep XSS protection, HTTPS enforcement and clickjacking protection enabled? This is all I want NoScript for.
     
  10. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    :thumb: Thanks Krusty, made the change(s) yesterday!
    I used to do this too, then read somewhere (that at least some of) these protections were superfluous (on my setup at least, also with uBO, medium mode).

    But would have to find the source again, to confirm the details ... can someone else shed some light? @summerheat perhaps?

    In the meantime, have re-enabled that. :D
     
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Well, there was an interesting lengthy discussion about this question on ghacks-user.js in which @gorhill participated as well.

    The conclusion seems to be: If using uBO in Medium Mode (or better yet in Hard Mode) there is hardly any door open for XSS. This also applies to clickjacking. There might be some edge cases left, and so you might use Noscript in the way @wat0114 does in order to cover them. It certainly doesn't hurt but chances are that that additional protection will very rarely come into effect if at all.

    EDIT: And to mimic ABE you can add these ruies in uBO and/or these ones in uM.
     
    Last edited: Oct 6, 2019
  14. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    Ah, I missed what the topic was when I responded :/
     
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Thank you @paulderdash and @summerheat for your responses. I'll just keep it for the time being, since it's so far had no perceptible performance impact on my browsing.

    Sorry summerheat, where are these rules for uBO in that thread?
     
    Last edited: Oct 6, 2019
  16. 142395

    142395 Guest

    @wat0114 If you don't noop your important domains gloablly, you're protected from most of XSS. If not, the door is open. So if you use e.g. Gmail, don't globally allow google.com, account.google.com, email.google.com, etc. Complete protection requires hard mode + blocking these domain as 1st-party and nooping only when you actually use it, but it's questionable if worth doing. Note if you separate your browser profile (using another browser or Fx's tab sandbox are other options) when you login or buy sth, you're practically 100% safe - what attacker can do now is at most some silly mischief. If Maone haven't changed NS' XSS auditor (except for dropping support for Chromium), don't expect too much - it does nothing when the attack is in POST request. XSS auditor in general is a best-effort, incomplete solution from the beginning (there have been numerous bypasses) and even worse, XSS auditor itself has created a number of vuln - ironically this itself could be used to make some new XSS attacks. So don't blame Google for removing XSS auditor.

    Note that rules mimic only default rule of ABE which blocked DNS binding & only a specific case of CSRF, while hard mode practically blocks all CSRF. Medium mode still blocks most of CSRF & all CJ (as long as you don't allow important domains globally).

    BTW, the rules in the link are wrong (confirmed on uBO). Here correct ones which you need to copy & paste to My Filter:
    Code:
    ||127.0.0.$important,third-party
    ||[::1]$important,third-party
    ||10.$important,third-party
    ||192.168.$important,third-party
    Add
    Code:
    ||172.$important,third-party
    ONLY IF you use these IP range (this may cause FPs).

    [EDIT] Add
    Code:
    * localhost * block
    to My Rules too.
     
    Last edited by a moderator: Oct 8, 2019
  17. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Ah, interesting. I hadn't read that before.

    Thanks! I had forgotten that I had written about them before.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Thanks Yuki, I'll apply these rules, and probably remove NS as well.
     
  19. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Yuki, I don't know where from you got the idea that NoScript does nothing against POST request, but its wrong. You shouldn't reinvent NoScript, it might confuse someone into believing something thats not so about NoScript. According to NoScript, I quote:

    "Turn cross-site POST requests into data-less GET requests - the request is sent but no malicious data is uploaded."

    The link where I got the quote from.

    https://noscript.net/features#xss
    Again, so people reading this thread dont get confuse. That above, applies to Chromes XSS auditor, not NoScript. The way you wrote what I am quoting, someone might think you are talking about NoScript and Chromes protection. But no, its only about Chromes.

    I know sometimes the anti XSS protection in NoScript generates false positives, but never ever anywhere I read anything about bypasses bypassing NoScripts anti XSS protection.

    Bo
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Well @bo elam you give me a compelling reason to definitely keep it :)

    Besides, as I mentioned earlier, it's not causing any kind perceptible issues whatsoever. I appreciate all the feedback from everyone.
     
  21. 142395

    142395 Guest

    bo, please see I conditioned my statement under "If Maone hasn't changed". But sure, I shouldn't have spoken solely on my memory but should have searched and confirmed how it now works.

    So now I've confirmed, NS has patched more than 20 XSS auditor bypasses (and as many FPs) - see changelog, a researchers' blog explains some of them and praised Maone's quick response. Moreover, in v10.2.2rc3 "Ask confirmation for cross-site POST requests which could not be scanned" option was added, so now you're protected from these POST requests as long as the option is turned on and you don't allow the request. But note before the change bypassing the auditor for POST was trivial. Maone himself wrote in the changelog:
    (emphasis mine).
    [EDIT] What if you didn't allow script on the site? Ofc you're safe, but it's likely you were safe even w/out XSS auditor.

    Chrome XSS auditor also had patched as many bypasses, and while there was slight differences in implementation btwn those two, they have one in common: these patches are incomplete and bypass is still possible. XSS is website's vuln and can not fully be patched from browser side by design. I was not talking Chrome XSS auditor, as I said, I was talking XSS auditor generally, or suppose all auditors combined together. I know for most ppl XSS and auditor are hard to understand, and wanna emphasize these tools, including uBO/uMatrix, can't replace correct knowledge/learning effort & safe browsing practice. TBH the probability you get a victim of XSS may not be very high, however, if one thinks he is safe because his browser or NS has XSS auditor, that's definitely wrong - they're best-effort mechanism aimed at hopefully catching some elementary XSS, but have never meant cure - it's as if one thinks he is safe from phishing as he uses Phishtank list. Problems auditors make such as cross-site info leaks can't be fully patched too, tho ofc they're not as serious as XSS. Importantly, if you block script on your important sites by NS and only temporary allow it when you use, you're safe from XSS & CSRF. This is what I'd been doing when I was using NS. Whatever tool you use, you can block these attacks if used properly. You're not safe if used improperly, as I noted about uBO for example.
     
    Last edited by a moderator: Oct 8, 2019
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Ha thanks @summerheat for unearthing that lengthy discussion - I knew I could rely on you! :D ... and all others in subsequently, in this thread.

    I have to confess it is over my head. :geek::confused:

    I have now left NS with restrictions disabled to cover this on this test machine, but I think it's too much of an 'edge case' for me to generally use NS in this way, or try to replicate it in uBO / uM on my 'production' laptop. I prefer to keep things as simple as possible there (just uBO in medium mode, no uM). :shifty::isay:
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    In reading about it, it seems as though NoScript will protect against all known reflective XSS, DOM-based XSS and most persistent XSS threats. That's good enough for me even if not ideal :thumb: Obviously there is some dependence on web developers to sanitize their servers against the threats, but the protection available in NS looks to be decent, and if UBO can supplement it, then that's good too.

    EDIT:

    I've posted this link somewhere before. It explains different XSS threats really well...

    https://excess-xss.com/
     
  24. 142395

    142395 Guest

    @bo elam @wat0114 and all others who're willing to know.
    I've read several papers & tech articles about NS XSS Filter, and found I need to correct my statement above - sincere apology for everyone who read that.

    Conclusion: indeed, NS Filter is more powerful than Chrome's. But with its own cost - more FPs.

    What u need to do: If you get a warning, DO NOT IGNORE! You can't judge FP until you inspect the request & destination page, and being a popular site does not guarantee a malicious code can't be embedded in it. Once you got a habit of arbitrary judge, XSS Filter gives no protection - this is what ppl tend to disregard on HIPS, FW, etc.. Instead, report that to NS. I heard their response is quick, and as NS mostly relies on such user reports to correct FPs, it will help other NS users - not to mention if that was not FP.

    Details: The biggest diff btwn NS & Chrome's was the former doesn't compare request & response. This means NS blocks anything suspicious regardless whether it can be abused or not. The upside is it won't cause cross-site info leak. The downside is it will cause many more FPs (another diff w/ Chrome's makes it worse, FP by NS can be more serious, sometimes break the page). But w/ this "I don't care FPs" approach and the fact security researchers continuously reporting bypasses, I believe Maone's saying it blocks all known reflective XSS is true. The aforementioned blog was written in 2012, but he has kept reporting bypasses until today (BTW he is the man who won the highest $ in Brave bug bounty) and several other researchers too. What NS regard as suspicious must be defined in its regexp blacklist, and as a result of many reporting it has become quite complex - this may be a reason someone may feel slowdown FWIW. Remember NS XSS Filter is still not a complete protection. It's limited against stored & DOM-based XSS, and bypasses still being found suggest there are other ones waiting for finding. Also it's theoretically possible one of whitelisted sites get compromised and start real XSS. So my advice above still holds - use diff profile/browser before doing sth sensitive and you're practically 100% safe, no bypass, no CSRF which XSS filter can't protect. There are other tools to do that, one is Firefox tab sandbox (@summerheat is an expert for it) and another is Sandboxie (@bo elam ). Oh, I was about to forget to mention, there is another good news for NS user. Its XSS Filter may catch some HTML injection too. HTML injection is a superset of XSS.

    Special thx to @bo elam . If you didn't give me a caution, I was spreading false info. After all, you're right!
     
    Last edited by a moderator: Oct 8, 2019
  25. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Even though I am always using Sandboxie, I dont ignore the xss warnings from NoScript. Whenever I get one, I close the warning and don't allow the page to load. I believe is likely that about half of the warnings are FP, but regardless, I never click allow when I get a warning. With NoScript, getting xss warnings is rare. You can go months without getting one. But this past week, I got two, while visiting websites that are decent and I visit regularly. So, you never know when or where you are gonna get one.

    One good thing about NoScript is that, we are protected against xss attacks even when scripts are allowed to run (white listed or temporarily allowed). I think that's nice.

    I am going to tell a little story, I know I wrote about it here at Wilder's before. There is a website from Colombia that I used to visit regularly, about 10 years ago, the website came under xss attacks. This attacks lasted for about 2 weeks. The site has many links, you clicked here and there, and many of the links you clicked, generated a xss warning. I didn't allow any. I guess this attacks lasted for 2 weeks because the owners of the website don't have the resources to pay for regular inspections of the code in their website. So, the website remained infected for a while. I didn't get infected, I had NoScript and SBIE, but I am sure other users of the website got infected. At the time, I was still using AV, it didn't warn me or detect anything.

    Bo
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.