Firefox with NoScript vs. Chrome?

Discussion in 'other security issues & news' started by Fox Mulder, Oct 15, 2011.

Thread Status:
Not open for further replies.
  1. tlu

    tlu Guest

    Indeed. That's my major point of critique (I've mentioned that in several threads here). Chrome security is very good overall. So much the worse is the lack of a review process for all these extensions around. I mean, what's the use of talking about all these great security features of Chrome if I can't be sure that an app is reading my passwords? And don't tell me that an extension can be considered safe just because thousands of users installed it. It can't - as probably none of these users will notice such a security/privacy breach until it's too late.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined: May 11, 2011
    Posts: 9,146
    This isn't really the issue. If an application can read your passwords you WILL be notified on installation.

    The issue is that if I have a LEGITIMATE application that can read my passwords Google does nothing to ensure that this legit application was coded securely. Simple techniques can be used to hijack that extension and then use it for malicious purposes.
     
  3. tlu

    tlu Guest

    Perhaps, but I'm sure that still most users would install it. Besides, it's not only passwords. Example: The Cooliris site says:

    What does that exactly mean? And what are they doing with that data?

    I think I haven't seen a single extension that doesn't qualify at least for a "Low Alert".

    Yes, that's another critical aspect.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined: May 11, 2011
    Posts: 9,146
    There are lots of extensions that require very few rights. Usually just access to a single site.

    The real issue is that they aren't coded securely. Google should implement a simple heuristics check for this.
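
Added example, not part of the thread and not code from any poster: the install-time warning and the "access to a single site" case discussed above both come down to the host match patterns an extension's manifest.json declares. The two manifests are constructed samples, and `auditManifest`, `classify` and the scope labels are names chosen for this sketch.

```javascript
// Classify how much of the web a Chrome extension manifest asks to touch.
// Only web schemes (http, https, *) are considered in this sketch.

const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Match pattern shape: <scheme>://<host>/<path>
const MATCH_PATTERN = /^(\*|https?):\/\/([^/]*)\/.*$/;

// Collect host patterns from every place a manifest can declare them.
function hostPatterns(manifest) {
  const declared = [
    ...(manifest.permissions || []),      // manifest v2 mixes API names and hosts
    ...(manifest.host_permissions || []), // manifest v3 keeps hosts separate
  ].filter((p) => p === "<all_urls>" || MATCH_PATTERN.test(p));
  const injected = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  return [...new Set([...declared, ...injected])];
}

function classify(pattern) {
  if (ALL_SITES.has(pattern)) return "all-sites";
  const m = MATCH_PATTERN.exec(pattern);
  if (!m) return "invalid";
  const host = m[2];
  if (host === "*") return "all-sites";
  if (host.startsWith("*.")) return "domain-and-subdomains";
  return "single-host";
}

// Report every host pattern and the broadest scope found.
function auditManifest(manifest) {
  const order = ["none", "single-host", "domain-and-subdomains", "all-sites"];
  const hosts = hostPatterns(manifest).map((p) => ({ pattern: p, scope: classify(p) }));
  const broadest = hosts.reduce(
    (acc, h) => (order.indexOf(h.scope) > order.indexOf(acc) ? h.scope : acc), "none");
  return { name: manifest.name, broadest, hosts };
}

// Constructed sample manifests (not real extensions).
const singleSite = { name: "sample-single-site",
  permissions: ["tabs", "https://mail.example.com/*"] };
const everywhere = { name: "sample-all-sites", permissions: ["cookies"],
  content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["inject.js"] }] };

for (const m of [singleSite, everywhere]) {
  const r = auditManifest(m);
  console.log(`${r.name}: ${r.broadest}`, r.hosts.map((h) => h.pattern));
}
```

A content script that matches every site can read what is typed into any page it is injected into, even when the `permissions` array itself looks short, so the audit has to cover `content_scripts` as well.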
     
  5. ShirleyUGeste

    ShirleyUGeste Registered Member

    Joined: Nov 20, 2011
    Posts: 4
    There was a post at the NoScript forum about NoScript on Chrome and NoScript vs. ScriptNo.

    forums.informaction.com/viewtopic.php?p=32746#p32746

    I don't know whether this forum lets new users like me post links to other sites, so I took off the prefix. Quick click-link, if allowed:

    http://forums.informaction.com/viewtopic.php?p=32746#p32746
     
  6. moontan

    moontan Registered Member

    Joined: Sep 11, 2010
    Posts: 3,931
    Location: Québec
    using something like No Script is not only unsafe, it is also 'un-fun' as well.
    it's unsafe because it relies way too much on user input.
    it's like a HIPS; all it takes is to click "Allow" once by mistake when you shouldn't and there you go: you've just been pwned.

    and No Script is 'un-fun' because it 'breaks' the internet.
    too many websites need javascript just to function normally.
     
    Last edited: Nov 20, 2011
  7. Baserk

    Baserk Registered Member

    Joined: Apr 14, 2008
    Posts: 1,321
    Location: AmstelodamUM
    Using Noscript can hardly be described as unsafe.
    Even when you choose 'allow scripting globally', which is not recommended by the dev but which will stop the need for user input, you still have protection against:
    XSS protection, Clickjacking protection, CSRF protection and the Ability to force HTTPS on sites.
    So, even with Noscript on 'fun'/partially disabled, it offers unique security features.
     
  8. moontan

    moontan Registered Member

    Joined: Sep 11, 2010
    Posts: 3,931
    Location: Québec
    sounds good.
    i don't like popups. as you can probably tell. ;)
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined: May 11, 2011
    Posts: 9,146
    As said there are definitely some benefits to NoScript that are there whether you allow a site or not - and those are important.

    But the majority of its protections rely on user input and that's not too strong.

    As for forcing HTTPS we'll have that very soon. WebRequest API solves that.

    I doubt Chrome will give an API allowing for XSS protection for a while - but XSS protection is built in by default.
     
  10. Baserk

    Baserk Registered Member

    Joined: Apr 14, 2008
    Posts: 1,321
    Location: AmstelodamUM
    As you wrote in the Informaction Noscript thread link; 'As for XSS protection I've seen Chrome's own filter bypassed but it's there.'
    Then to what extent is Chrome's filter useful compared to Noscript's implementation?

    (OT; interesting Informaction thread btw)
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined: May 11, 2011
    Posts: 9,146
    That's hard to say without understanding NoScript's implementation. I believe they both work against reflective XSS.

    I also believe that bypassing Chrome isn't super easy as you need some amount of control over the webpage to begin with - I'm not sure. It seems that the attacker needs to have two or more XSS vulns.

    http://code.google.com/p/chromium/issues/detail?id=96616

    I'd say Chrome's is definitely useful. I don't know about NoScript's but I assume they both work on the same principles.
     