Chrome - security/privacy extension

Discussion in 'privacy technology' started by Gnikf, Aug 15, 2012.

Thread Status:
Not open for further replies.
  1. Gnikf

    Gnikf Registered Member

    Joined:
    Aug 15, 2012
    Posts:
    40
    Since there is a thread about Firefox, let's see what analogs we've got for Chrome.

    I would start with
    Use HTTPs - even if right now it works just for Facebook and Twitter out of the box
     
  2. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
  3. Ring0

    Ring0 Registered Member

    Joined:
    Aug 9, 2010
    Posts:
    66
    HSTS is HTTPS Strict Transport Security: a way for sites to elect to always use HTTPS.

    Type chrome://net-internals/ into your address bar, and then select the HSTS menu item.

    Add domain (example.com) paypal.com, google.com, ......

    To delete: Delete domain (example.com) paypal.com, google.com,......
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Simply brilliant find, thx to one who searches :thumb:
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That built-in function isn't that useful. First, for security reasons whatever you add to it will only be valid for as long as the session lasts. Second, if you add a *.domain to it, then it will force every sub-domain. Many domains' sub-domains do not have a working HTTPS version, hence it will result in an error.

    We're better off with something like HTTPS Everywhere/similar.
     
  6. Gnikf

    Gnikf Registered Member

    Joined:
    Aug 15, 2012
    Posts:
    40
  7. Ring0

    Ring0 Registered Member

    Joined:
    Aug 9, 2010
    Posts:
    66
    I'm sorry, I thought you knew. You can make your *.json file, or download this and add your *.domain manually.
    http://code.ohloh.net/file?fid=CL0MsPYvGEaWT8eXN5-zAEVg2Z0&cid=0W4KUpSYxGo&s=&browser=Default

    No, if Include subdomains: is not checked = include_subdomains:false
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yeah, I think I came across an example like that before. But, I believe the security principle behind it is the same. There's a good reason why HSTS doesn't keep entries beyond Chrome's session. I read a thread over at Chromium's own forum some time ago; will have to see if I can find it again.

    I don't think having a JSON file would change that security risk?


    You're right, but if we do check the Include subdomains: option, then it will force all subdomains to default to HTTPS, and many websites' subdomains do not have an HTTPS version, and the user will have to manually remove each entry that may be necessary.

    To have all this trouble, I'd rather - and I do - use HTTPS Everywhere, and add any additional rules to the settings file, by creating regexes.

    Another good extension, for those not wanting to edit HTTPS Everywhere rules settings file, is Redirector.
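
The includeSubDomains behaviour discussed in this thread, as an added example that is not part of any post: a sketch of how an HSTS store decides whether a host is forced to HTTPS, following RFC 6797. The function and class names and the example.com / example.org hosts are constructed for illustration; this is not Chrome's own code or its TransportSecurity file format.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return (max_age, include_sub) or None."""
    max_age, include_sub, seen = None, False, set()
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return None  # RFC 6797: a directive may appear only once
        seen.add(name)
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not (arg.isascii() and arg.isdigit()):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    def __init__(self):
        self.entries = {}  # host -> (expiry_time, include_subdomains)

    def note(self, host, header_value, now):
        """Record a header received over HTTPS from `host`; `now` is in seconds."""
        parsed = parse_hsts(header_value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower().rstrip(".")
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 removes the entry
        else:
            self.entries[host] = (now + max_age, include_sub)

    def must_upgrade(self, host, now):
        """True if `host` matches an entry exactly, or a parent with includeSubDomains."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

# Constructed sample: one host opts in with includeSubDomains, one without.
store = HstsStore()
store.note("example.com", "max-age=31536000; includeSubDomains", now=0)
store.note("example.org", "max-age=31536000", now=0)
```

With this sample, `store.must_upgrade("legacy.example.com", now=10)` is true only because the parent entry carries includeSubDomains, which is the case where a subdomain without a working HTTPS version ends in an error.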
     
  9. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,413
    HTTPS Everywhere (still in alpha stage)
    ScriptNo
    Adblock Plus + Adblock Element Hider
    Ghostery
    Do Not Track Plus
    User Agent Changer (About 10 different ones available if you search)
    VirusTotal uploader
    Dr Web Link Checker
    AVG Link Checker
     
  10. Ring0

    Ring0 Registered Member

    Joined:
    Aug 9, 2010
    Posts:
    66
    Configuring HSTS data, I find this way sexier. :cool:

    When using private browsing mode, HSTS won't record any new HSTS data.
    When you choose "Clear browsing data" and "Empty the cache" is checked, HSTS data will be erased (TransportSecurity-file) from your profile.

    To prevent this, find > profile > "TransportSecurity" file and set attributes: read only, after you have imported all desired *.domain.
     