Boost Chrome browser security with these five add-ons

Discussion in 'other software & services' started by lotuseclat79, Mar 21, 2014.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  2. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    810
    Lastpass no. Just because. But also because they are based right next to the NSA, CIA, and others. Not comforting, as they are 'neighborhood boys' to the other boys. Comfort level = Zero. NOT saying this happens, but false flag breaches actually do happen, and honeypot products are a reality. Besides;
    http://news.cnet.com/8301-1009_3-20060464-83.html

    HTTPS Everywhere -agreed.

    Everything else? All of them replaced by a single, faster, more secure application called "Adguard". Which integrates multiple databases, WOT, Malware Filtration into one package at the port level. (Port 80, 443).
     
  3. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I don't see the point of ABP and Disconnect at the same time. Easylist tracking subscription should cover it.
     
  4. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
    #2&3 can be replaced with the better HTTP Switchboard.
    Lastpass to me is fine. At least, it is more secure to use Lastpass for creating and using secure passwords rather than using nothing and maybe just remembering a unique password "password" for all logins.. :D
     
  5. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    810
    Actually the best password system is to develop your own easy to understand methodology.

    For example ,,,,,,,,,Wilder$,,,,,,,, is far more secure than iKA8ZJnm. Due to the fact you have length on your side, any brute force still has to run through the gamut, and it's easy as hell to remember. So develop a system like this, and you don't even need to use a password manager. Have a set of variations, such as replacing ,,,, with $$$$, or cycling through your old pet names with symbols where relevant.

    $$$$$$$$D0G$$$$$$$
    ,,,,,,,,,,,,,Trix1e,,,,,,,,

    You get the idea. I used to worry about passwords, and encrypt them, and go to extremes. Now I use common sense systems that are very long, and easy to remember. If you want to get even more secure, develop your own pseudo language. For example if you use a pet name, pet names always get commas. If you use names of streets, those always get dollar signs. Remembering that is just as easy, and you mix things up even more - while having no written/digital record of any of it, recovery is easy because it's a matter of knowing which name you used, then the symbol is linked to that category of name.

    1) YOU control your method.
    2) YOU control your passwords. (not lastpass, or the cloud)
    3) You don't need a recovery method, it's in your brain, and without a recovery method you cannot be MTM recovered or PWR intercepted.
    4) Legally, with no written record, there can be made a claim you 'forgot' your encryption password, should you be compelled to remember it. <grin>

    But that's my opinion.
     
    Last edited: Mar 21, 2014
  6. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
    Well, not really. 1st password is 45 bits, 2nd is 58 bits, then should be more secure.
    I still believe any password manager is better than no password manager at all. Then we can discuss if we can trust a cloud password mgr like Lastpass. I do (with security set-up at best, TFA, long random master password 145bits, alerts for any change, etc.).
    But it's my opinion. :)
     
  7. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    810
    For example;

    ,,,,,,,,W1lder$,,,,,,,,

    It would take a desktop PC about 30 octillion years to crack your password

    vs

    HFMt64Xz

    It would take a desktop PC about 15 hours to crack your password

    So let's take a 20 character password;

    foHyByHgSKVOzsv9UsS6

    Impossible to remember. Requiring password manager (accentuating risks). But it would take a desktop PC about 5 quintillion years to crack your password

    ,,,,,$mithJ@mes,,,,,

    Easy to remember but; It would take a desktop PC about 3 sextillion years to crack your password
     
    Last edited: Mar 21, 2014
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Being worried that a company is stationed in MD makes little sense to me. If you want to get work in computer security you're basically going to be in one of three places in the US, and the number one place is MD. (For CS it's NY, MD, LA - for security you tack on Colorado to that, potentially).

    LastPass has an option to use servers in Europe as well.

    Let's say your password is:
    ,,,,,$mithJ@mes,,,,,

    Is that easy to remember? What if I have 50 websites I log into (I easily do) - will I remember 50 different passwords like the above?

    If they're all following a single algorithm and *one of them* leaks, an attacker can attempt to decipher that algorithm. Haveibeenpwned.com shows how many millions of leaks there are.

    LastPass guarantees you a random password for every site you visit. That's pretty big. It's not so much about a password's keyspace as it is about it being unique from all other passwords.
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    But an attacker needn't resort to bruteforcing. The last two passwords have a definite pattern, and attackers can (and do) take advantage of patterns.
     
  10. DoctorPC

    DoctorPC Banned

    Joined:
    Jan 9, 2014
    Posts:
    810
    Haystacking.

    https://www.grc.com/haystack.htm
     
    Last edited by a moderator: Mar 22, 2014
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    If you use some kind of algorithm to create unique passwords for each login, your passwords are not safe. If one password gets compromised, all others can be guessed, because the attacker will probably guess the algorithm. It's like a domino effect... Entropy and length of password don't matter as brute forcing won't be necessary.

    hqsec
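
Added example, not part of any post in this thread: a Python sketch of the two ways of counting discussed above, the length-based brute-force search space versus the space left once the padding scheme is known. The padding model (one repeated punctuation symbol per side, up to `max_pad` characters) and all function names are assumptions made for this illustration; the sample passwords are the ones quoted in the posts.

```python
import math
import string

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def brute_force_bits(pw):
    """log2 of the exhaustive search space: the alphabet is the union of
    the character classes present, raised to the password length."""
    if not pw:
        return 0.0
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in pw))
    if alphabet == 0:
        raise ValueError("printable ASCII passwords only")
    return len(pw) * math.log2(alphabet)

def split_padding(pw):
    """Split into (left_pad, core, right_pad); a pad is a run of one
    repeated punctuation symbol at either end."""
    def run_length(s):
        n = 0
        while n < len(s) and s[0] in string.punctuation and s[n] == s[0]:
            n += 1
        return n
    left = run_length(pw)
    right = run_length(pw[left:][::-1])
    return pw[:left], pw[left:len(pw) - right], pw[len(pw) - right:]

def pattern_bits(pw, max_pad=16):
    """Search space once the padding scheme is known (assumed model):
    each side is empty or one of 32 symbols repeated 1..max_pad times,
    and the core is still credited with its full brute-force space."""
    left, core, right = split_padding(pw)
    if not (left or right):
        return brute_force_bits(pw)
    per_side = len(string.punctuation) * max_pad + 1
    return min(brute_force_bits(pw),
               2 * math.log2(per_side) + brute_force_bits(core))

if __name__ == "__main__":
    # Passwords quoted in the thread
    for pw in ("HFMt64Xz", "foHyByHgSKVOzsv9UsS6",
               ",,,,,$mithJ@mes,,,,,", "$$$$$$$$D0G$$$$$$$"):
        print(f"{pw:22} brute={brute_force_bits(pw):6.1f} bits  "
              f"scheme-known={pattern_bits(pw):6.1f} bits")
```

Under this model the padding on both sides contributes about 18 bits in total regardless of its length, and the figure drops further if the core is a name or dictionary word rather than random characters.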
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Chrome or any other browser is secure even without any of these add-ons.
     
  13. gorhill

    gorhill Guest

    In my tests, ABP with Fanboy Ultimate outperforms Disconnect, and Ghostery performs slightly better than ABP. There are other philosophical considerations (open source, GPL, etc.), but strictly measuring blocking power, Disconnect doesn't perform too well so far compared to other blockers.
     
  14. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    No aigle, Chrome is not very secure by itself. It needs script blockers like gorhill's HTTP Switchboard. At the moment it is my main security in Chrome, though I have others in general for my internet activities.
     
  15. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    With Chrome I'd be much less worried about JavaScript than third-party plugins, which run with far fewer restrictions than the individual tabs.

    But still, HTTP SB is definitely one of the best extensions available for Chrome.
     
    Last edited: Mar 22, 2014
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,226
    Notscript would be my only choice if any, vis-a-vis security.
    Mrk
     
  17. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,441
    Location:
    Slovakia
    Lastpass is a better choice than storing passwords in the browser, but it has been hacked at least 3 times, so it is better to use an offline password manager like KeePass.
     
  18. tlu

    tlu Guest

    Notscripts is no longer developed nor available in the Chrome Web Store. You should switch to ScriptSafe which seems to be partially based on Notscripts. However, HTTP Switchboard is considerably superior.
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Can you document that LastPass has been hacked three times and what exactly it means? I heard some time ago that there was a breach, but that no user data was lost/compromised. The product was hardened further afterward as well.
     
  21. tlu

    tlu Guest

    3 times o_O Do you have any evidence for that claim?

    To my knowledge, there was one hacking attempt in 2011 where it was not clear if any data was stolen. (And your data - if affected - was not at risk if you had a good master password.) As a consequence Lastpass has implemented several security improvements.
     
  22. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Considering you need a whitelist for specific URLs to prevent website breakage, it's extremely difficult to measure "blocking power". What you think is an advantage in one addon might actually be a disadvantage (it breaks something) and has been whitelisted in EasyList.

    It's extremely unlikely anything has "better blocking power" than EasyList, excluding the few rare situations where something new hasn't been added to the list yet.
     
  23. tlu

    tlu Guest

    Easylist + EasyPrivacy are definitely excellent. But when it comes to 3rd party requests, HTTPSB with out-of-the-box settings blocks significantly more by definition. However, the Adblock filter lists are very good supplements for cases like

    http://graphics8.nytimes.com/ads/marketing/mm09/verticalst/verticals_tech.gif

    This is something HTTPSB cannot block unless you blacklist graphics8.nytimes.com completely in the matrix.
     
  24. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    You missed my point or ignored it. This statement doesn't mean it's better, nor is it necessarily a good thing.

    I could make a list that blocks half the internet and claim it has better "blocking power" than anything else. The issue would be that half the internet is broken.

    Whitelists are a requirement and prevent any statistical measure of "blocking power" being accurate unless you want to spend hours analysing every single blocked entry. You would probably also end up referencing the EasyList whitelist anyway to do such a test.

    At the end of the day EasyList has been worked on for years and is constantly updated. Think twice before you decide that some new addon is somehow better than all those years of work just because it's blocking more.
     
    Last edited: Mar 22, 2014
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    HTTPSB's methodology of modifying Content Security Policy is pretty powerful, though. I would consider it more reliable than the other methods I've seen used for content removal on websites.

    From a technical standpoint I find Gorhill's extension pretty solid, though I have not looked at EasyList code.
     