Firefox with NoScript vs. Chrome?

Discussion in 'other security issues & news' started by Fox Mulder, Oct 15, 2011.

Thread Status:
Not open for further replies.
  1. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    203
    Hi everyone. I'm currently having an ongoing debate about whether Firefox with NoScript (and Adblock) is as secure as Google Chrome. Does anyone have any thoughts on that?
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    No, Firefox with NoScript is not as strong as Google Chrome, which can also adblock.

    Why?

    1) Tab separation and sandboxing. Firefox doesn't have this, which means that if one tab is malicious it can access other tabs.

    2) Protected mode. Firefox doesn't have this. Chrome does, which means that in the event of a break in the sandbox it will be contained to a low integrity area.

    3) Socially engineered malware. Chrome blocks ~15% and Firefox blocks ~7%.

    4) Plugins. Chrome automatically sandboxes Flash and keeps it up to date. Flash is a very common attack vector so this is a huge boost for Chrome.
     
  3. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Though I'm not a big cheerleader for NoScript, one could say that since many attacks are carried out via scripting, the extension does provide a decent barrier to these attacks. Not to mention the huge speed boost from not loading all those nonsense 3rd party scripts that bog down websites these days. I personally don't feel the social engineering factor should be used in this argument, as 15% is still extremely poor.

    That being said, protected mode and sandboxing are what put Chrome on top, hands down.
     
  4. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    203
    Looks like I'm losing this one so far. (My bet was that Firefox + NoScript/Adblock was essentially as secure as Chrome.) Does Chrome have any extension that replicates NoScript and Adblock functionality?

    Also, NoScript blocks Flash unless scripts are approved on that site, so I'm less worried about that as an attack vector.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    15% is poor. But it's still higher than 7%. They're also working on heuristics for phishing pages and I believe that's still in 15/beta.

    I think the big thing for Chrome is the sandboxing of the tabs, renderer, and Flash.
     
  6. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    Which one is the most vulnerable to a clickjacker?
     
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I gotta go with Chrome on this one... if NoScript is installed in Firefox. Neither browser, I don't believe, is well defended against clickjacking.
     
  8. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Indeed 15% is higher, but remove the word "social" and just say it blocks 15% malware, and watch the reaction you get out of users and experts. Chrome would be verbally trashed.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Neither. Clickjacking uses HTML, which NoScript naturally doesn't block.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    But saying it blocks 15% malware would be incorrect. I can say it blocks 15% donuts too, and I'd be outright upset about it. The 15% only applies to socially engineered malware, or at least that's what they were looking for in the study.
     
  11. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    "ClearClick" would like to have a word with you. Check NoScript's features :)
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
  13. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    :) My point was that comparing 7% and 15% wasn't even worth trying. They're both pitifully inexcusable percentages.
     
  14. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I suppose. 15% is still more than 1 in 10. It's not great but it's something.

    But I can see how they're both easily dismissible.
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Firefox can manually be configured as low integrity though.

    Some security aspects are covered at http://www.browserscope.org/?category=security&. Another comparison is available at http://www.yourbrowsermatters.org/.
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Firefox can only be configured manually for low integrity if you set multiple other folders (non-Firefox folders) to low integrity. This is not a good idea. Principally the idea behind integrity is some form of write-protection; if everything is run at Low IL you remove that protection.

    I wouldn't go by yourbrowsermatters.com

    1) It's a Microsoft site
    2) It doesn't test your browser, it uses known profiles for known browsers.
     
  18. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    That sounds about right. I don't think there is a good extension for Chrome that can prevent clickjacking either.
     
  19. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    Mr Maone may disagree on this one.
     
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The set of registry and file system locations that can be written to with low integrity Firefox is much smaller than the set of registry and file system locations that can be written to with a standard Firefox installation.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yes, NoScript does have clickjacking protection. Apparently so do all major browsers by default.

    @MrBrian, yep. But it's not native to Firefox and you still have to set some folders to Low Integrity.
     
  22. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    Are you sure about this?
     
  23. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    AFAIK, for IE8's clickjacking protection feature, website devs have to change/add some code to their webpages. All of them, worldwide.
    That's IMO hardly a concept that can be compared with the specific NoScript functionality.
    The same with Chrome, they also use an approach which relies on cooperation with website builders everywhere.

    From the Google Browser Security Handbook:
    'So far, the only freely available product that offers a reasonable degree of protection against the possibility is NoScript (with the recently introduced ClearClick extension). To a much lesser extent, an opt-in defense is available in Microsoft Internet Explorer 8, Safari 4, and Chrome 2, through a X-Frame-Options header (reference), enabling pages to refuse being rendered in any frames at all (DENY), or in non-same-origin ones only (SAMEORIGIN).' link
    I can't find any addendum on this text, saying things have changed since, reg. Chrome.
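
The opt-in X-Frame-Options behaviour quoted in the post above, as an added example that is not part of the original thread and not any browser's code: a simplified model of the DENY / SAMEORIGIN decision, run over constructed responses to show which pages remain frameable because the site never sent the header. The hostnames, function names and the rule that an unrecognised value gives no protection are assumptions of this sketch, and only the immediate parent's origin is compared.

```javascript
// Simplified model of the X-Frame-Options semantics quoted above.
// Constructed example; all URLs and helper names are hypothetical.

// Look up a header case-insensitively in a plain object of response headers.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// Decide whether the response for `framedUrl` may be rendered in a frame
// whose parent document is `parentUrl`.
function frameDecision(parentUrl, framedUrl, headers) {
  const xfo = getHeader(headers, "X-Frame-Options");
  if (xfo === null) {
    return { render: true, reason: "no header: site has not opted in" };
  }
  const value = xfo.toUpperCase();
  if (value === "DENY") {
    return { render: false, reason: "DENY: refused in any frame" };
  }
  if (value === "SAMEORIGIN") {
    const same = new URL(parentUrl).origin === new URL(framedUrl).origin;
    return same
      ? { render: true, reason: "SAMEORIGIN: parent has the same origin" }
      : { render: false, reason: "SAMEORIGIN: parent is a different origin" };
  }
  // Assumption of this model: an unrecognised value protects nothing.
  return { render: true, reason: "unrecognised value: no protection" };
}

// Audit helper: which responses could a page on another origin still frame?
function frameableCrossOrigin(responses, foreignParent) {
  return responses
    .filter((r) => frameDecision(foreignParent, r.url, r.headers).render)
    .map((r) => r.url);
}

// Constructed sample responses (not captured from real sites).
const SAMPLE_RESPONSES = [
  { url: "https://bank.example/login", headers: { "X-Frame-Options": "DENY" } },
  { url: "https://shop.example/cart", headers: { "x-frame-options": "sameorigin" } },
  { url: "https://blog.example/post", headers: {} },
];

console.log(frameableCrossOrigin(SAMPLE_RESPONSES, "https://other.example/page"));
```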
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Good to know.
     
  25. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    527
    Location:
    USA
