Cracking Open Chrome

Discussion in 'other security issues & news' started by ronjor, Aug 3, 2011.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    http://www.technologyreview.com/computing/38227/
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Such is the blessing and the curse of extensions. I was under the impression that Chrome extensions were much less powerful than say, Firefox. I know what they mean though, every extension you install within Chrome warns you that they can access your data.
     
  3. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    It'll get a lot of attention due to it being the "untouchable" Chrome, but otherwise, the possible dangers of extensions have been known for some time. It's said these attacks can't be blocked, but, since they used cross-scripting, what about keeping JavaScript off? Or do Chrome extensions require it?
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, they do.
     
  6. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    After I wrote that is when I decided to research it myself, lol. Thanks for confirming. It makes me curious though how Notscript ever worked then, but the more important question is, in a way, doesn't that pretty much put a dent in Chrome's status as "most secure browser"? Certainly this attack is much different than your trojans, bots and other nasties, but it's an attack nonetheless and one that seems unavoidable. From the limited information in the article, it may turn into one heck of a problem. Kind of like a social attack without the need for user stupidity or malicious processes. One thing that could help is if Google ran a quality check on submitted extensions like Mozilla does.
     
  7. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    That's why I'm wary of extensions in general but there are some that are a must.
     
  8. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    One, we should use as few add-ons/extensions/plug-ins/scripts/whatever (before someone jumps in with some broader term) as possible.

    Two, in Google's Web Store, there are extensions made by Google which we can hope are safer.

    Three, as far as Mozilla's tests, I don't know how rigorous they are.

    Edit: and there's this about Android:
    Android browser vulnerable to "Cross Application Scripting"
    http://www.h-online.com/security/news/item/Android-browser-vulnerable-to-Cross-Application-Scripting-1317645.html
     
  9. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    What would you consider a "must"? It seems like even the web store ones are vulnerable to this, though obviously we (hopefully) wouldn't need to worry about intentional malicious extensions. As far as Mozilla, I'm pretty sure that after they revamped their addon section, they became more involved with checking them out (I think, gonna have to look that back up too as it's been a while now).
     
  10. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    It would be nice to have a topic dedicated to must-have add-ons/extensions/plug-ins/whatever along with cogent reasons for inclusion. In other words the justification shouldn't be, "It's cool".
     
  11. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    My question precisely!
    I am resisting the temptation to load up on extensions.
    I'm only running these four.
    What do you guys think about these?
    Chrome extensions.jpg
     
  12. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    The mods may want such a topic to be continued here: https://www.wilderssecurity.com/showthread.php?t=263095, I don't know.
     
  13. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543

    If Adblock and Ghostery weren't among the ones crippled by the API limitation, I'd consider them among the essential. But, seeing as how plenty of trackers slip right by Ghostery and AdBlock lets a lot through too (or if it does block it once, 9 times out of ten the ad will load on a refresh of the page or upon next visit), I'm not sure I can call them useable, let alone essential. I'd either use a HOST file or, if so inclined, maybe AdMuncher for use with Chrome. I've never used the Bitdefender Quickscan, but Click and Clean might prove useful, at least for me seeing as how that annoying issue of Chrome refusing to delete data is still around in v13 Stable.
     
  14. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    BitDefender ... can't you have it as a standalone rather than tied in with Chrome?

    CnC: I think it's not essential if you browse in Sandboxie.

    Ghostery ... I rely on the vastness of the Internet and my own insignificance as sufficient protection. Seriously, I don't bother.

    AdBlock Plus ... that's a tough one and the closest to being indispensable if you don't want to use something like Privoxy.

    Edit: oops ... realized you use AdBlock and not AdBlock Plus. I'd use the latter, if at all.
     
  15. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I wonder how Peerblocker would serve as an ad blocker? I never gave it much thought or paid attention, considering it was used for downloading mostly.
     
  16. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    We got separate topics for Chrome, Firefox, and Opera stuff. I prefer lumping rather than splitting (... retired lazy taxonomist).
     
  17. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    I know of folks who just love it. But isn't it a sort of hostfile thingie?
     
  18. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Pretty much, though the lists are updated far more frequently than most alternate hostfile lists are. I just wasn't sure if it would block ads from showing, or would just prevent them from tracking. Sounds like I need to test again, hehe.
     
  19. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    It blocks IP addresses. So if a page points to an ad that has an IP address corresponding to one on the Peerblock list, you shouldn't see the ad. That's my understanding.

    Anyway, I don't like lists prepared by someone else. I make up mine as I go along. I feel that's more relevant and if something breaks I don't have to go anywhere for help.
     
  20. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I'd agree that making up your own has a great benefit. No valid sites being blocked, a lot of issues go away. But, it can be hard to know exactly what to block (as far as ad servers and whatnot, how do you know where the ad is being served from?).
     
  21. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    BitDefender Quickscan and Ghostery have now been uninstalled.

    BitDefender, I learned the other day, is listed as enabled under plugins (as a component of Click&Clean, I believe). I then opted to install the BitDefender extension in order to be able to use it as a 2nd 3rd opinion scanner.
    Realizing that I don't need a 3rd opinion, I adiosed it.
    Excellent point. Now gone.

    Using a combination of largely adserver host files, I was going that route for a few days when I opted for AdBlock. AdBlock seems like so much less hassle. But I'll look into AdMuncher, or AdBlockPlus.

    Thank you both for your input! :)
     
  22. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    No problem, Page. Just remember AdBlockPlus has the same limitation on Chrome, meaning not everything will be blocked, and sometimes it'll be blocked one session, and come through the next.
     
  23. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Well, until the mods decide what to do...

    Here's my list but it's for Firefox v7 on Linux (!), not Chrome ... that's why I was hoping for just the single topic so my post wouldn't be OT.

    Console² 0.8 >>> allows me to "select all" which is not available in the default error console. Helps me troubleshoot SimpleBlock
    DOM Inspector 2.0.10 >>> helps get id's for "chrome" or content elements for use with Stylish.
    DownThemAll! 2.0.7 >>> use it to download youtube videos
    Inspect Context 1.00 >>> opens DOM Inspector to where I want it
    SimpleBlock 0.0.7 >>> content blocker without a decent GUI, just a text file to be edited. Allows regex. I feel it will be less demanding on resources than AdBlock Plus. No way to prove that until processes can be monitored separately, I think. To my mind, it's very like the blocker in SRWare Iron.
    Stylish 1.2 >>> for styling the "chrome" and web-pages. Changes reflect instantly unlike changes made to userChrome.css or userContent.css. Its preview feature also catches poor "grammar".
    Test Pilot 1.1.3 >>> Comes with the Fox. I set it to auto. Doesn't bother me.
    Ubuntu Firefox Modifications 0.9.1 >>> Disabled until I find out what this does. Anyone?
     
  24. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    I'm having excellent results with AdBlock.
    I mean way more than I had hoped for.
    And the ability to custom block an ad on a page is ideal.
    I'm using it because I read that it had less drag on system than Plus.
    For now, I think I'm pretty streamlined with just two extensions.
    Would you guys agree?
     
  25. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I'd say if you're running good and are having great results, I'd keep everything as is, Page :)
     