How are YOU hardening Chrome?

Discussion in 'other software & services' started by CrusherW9, Dec 25, 2013.

Thread Status:
Not open for further replies.
  1. CrusherW9

    CrusherW9 Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    517
    Location:
    United States
    Hmmm. I was expecting there to be some other little tweaks I hadn't heard of. I did try out HTTPSwitchboard after reading through this thread. I didn't like it but I'm going to give it another go. I'm questioning whether I even want that inconvenience.
    After switching from Firefox with Sandboxie and No Script, that's exactly how I feel.
     
  2. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Chrome does not need much hardening as it has a very good sandbox.

    I use HTTP Switchboard to control javascripts.

    I also go in the Settings and do the usual adjustments just to tighten things up a little.
     
  3. gorhill

    gorhill Guest

    I quite like to hear criticism of the extension. This helps me assess what I need to work on. I think currently the area that needs the most improvement is the doc: No wall of text, instead, lots of pics, animated GIFs, to provide quick answers for most common "how do I...?"
     
  4. guest

    guest Guest

    How about video tutorials if possible? :)
     
  5. CrusherW9

    CrusherW9 Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    517
    Location:
    United States
    A better help manual would be nice! One of the features I like about No-Script is the ability to shift click an entry and be brought to a variety of rating sites for that domain. It makes things faster. So far my experience has been VERY minimal with HTTP Switchboard but in that time, I couldn't get sites to work correctly unless I whitelist everything, which defeats the purpose of the extension.
     
  6. Dave0291

    Dave0291 Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    553
    Location:
    U.S
    The problem with that NoScript functionality is that the most reliable source of information is HPHosts and I can never get the place to give me information anymore. I'm almost ready to say that source is dead/dying. The rest, like WOT, are borderline useless. Great idea, but if Gorhill implements it, I hope better sources are found. As far as figuring out which scripts to allow and which not, just with NoScript it will take time and many experiences. I think I nearly have a large majority of 3rd party advertising firms figured out and can easily avoid them. On occasion though I do indeed come across something new or a tracker/ad server that must be allowed, as frustrating as that is.
     
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    VirusTotal can scan URLs, Vtchromizer makes that easy. So can URLVoid with a bookmarklet or search plugin. I don't see how that NoScript feature is special or necessary.
     
  8. gorhill

    gorhill Guest

    Well HTTPSB is like an improved NoScript, so if you could make a site work with NoScript, certainly you can do it with HTTPSB, the difference being the matrix and graylisting/precedence concepts.

    I myself usually stick to whitelist whole domains or subdomains (having frames and cookies blacklisted), I rarely go more granular, unless I really want the minimal set of permanent rules for a site I visit all the time.

    But then, even whitelisting all (clicking on the top-left cell?) you still benefit from all the preset blacklists which disable thousands of hostnames with malware/tracker/ads/nuisance/etc.

    I have been working on doc, but it's coming along slowly: https://github.com/gorhill/httpswitchboard/wiki
     
    Last edited by a moderator: Dec 30, 2013
  9. gorhill

    gorhill Guest

    If you can send your findings to me, I have created a list local to HTTPSB for those third-parties I stumbled upon which were not taken care of by other lists: https://github.com/gorhill/httpswitchboard/blob/master/assets/httpsb-blacklist.txt
     
  10. CrusherW9

    CrusherW9 Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    517
    Location:
    United States
    I'm talking about the helper scripts and such. Like on Facebook, you need some of the AkamaiHD and fbcdn stuff in order to use the site.
     
  11. gorhill

    gorhill Guest

    I made a recipe for Facebook, you may want to import it in the Rule manager:

    https://github.com/gorhill/httpswitchboard/wiki/Recipes-(web-site-scoped)#facebook :

    https%3A%2F%2Fwww.facebook.com%0A%09whit
    elist%0A%09%09*%20akamaihd.net%0A%09%09*
    %20facebook.com%0A%09%09*%20fbcdn.net%0A
    %09%09*%20fbstatic-a.akamaihd.net%0A%09%
    09image%20*%0A%09blacklist%0A%09%09objec
    t%20*%0A%09%09sub_frame%20*%0A%09%09*%20
    *%0A*%0A%09blacklist%0A%09%09*%20faceboo
    k.com%0A%09%09*%20facebook.net%0A%09%09*
    %20fbcdn.net%0A

    I don't have a facebook account, so I don't know if there is more stuff to whitelist once logged in, if anybody has a better recipe for Facebook I will update the wiki.
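
    The recipe above decoded into readable rules, as an added example that is not part of gorhill's post or the extension's own code. The indentation layout and the "type hostname" rule order are inferred from the decoded text, and `parseRecipe` and `anyHostWhitelist` are hypothetical helper names.

```javascript
// Added example: decode and summarise an HTTP Switchboard recipe before importing it.
// RECIPE is the Facebook recipe exactly as posted above (wrapped at 40 characters).
const RECIPE = [
  'https%3A%2F%2Fwww.facebook.com%0A%09whit',
  'elist%0A%09%09*%20akamaihd.net%0A%09%09*',
  '%20facebook.com%0A%09%09*%20fbcdn.net%0A',
  '%09%09*%20fbstatic-a.akamaihd.net%0A%09%',
  '09image%20*%0A%09blacklist%0A%09%09objec',
  't%20*%0A%09%09sub_frame%20*%0A%09%09*%20',
  '*%0A*%0A%09blacklist%0A%09%09*%20faceboo',
  'k.com%0A%09%09*%20facebook.net%0A%09%09*',
  '%20fbcdn.net%0A',
].join('');

// Layout inferred from the decoded text (an assumption, not the project's spec):
//   no tab   -> scope (a site URL, or "*" for the global scope)
//   one tab  -> list name ("whitelist" / "blacklist")
//   two tabs -> rule, written as "<request type> <hostname>"
function parseRecipe(encoded) {
  // Strip the line wrapping first; real spaces are encoded as %20.
  const text = decodeURIComponent(encoded.replace(/\s+/g, ''));
  const scopes = {};
  let scope = null, list = null;
  for (const line of text.split('\n')) {
    if (line.trim() === '') continue;
    const depth = line.match(/^\t*/)[0].length;
    const body = line.trim();
    if (depth === 0) { scope = scopes[body] = {}; list = null; }
    else if (depth === 1 && scope) { list = scope[body] = []; }
    else if (depth === 2 && list) {
      const [type, hostname] = body.split(' ');
      list.push({ type, hostname });
    } else throw new Error('unexpected line in recipe: ' + JSON.stringify(line));
  }
  return scopes;
}

// Review aid: whitelist rules that are not tied to a specific hostname.
function anyHostWhitelist(scopes) {
  const hits = [];
  for (const [scope, lists] of Object.entries(scopes))
    for (const r of lists.whitelist || [])
      if (r.hostname === '*') hits.push(`${scope}: ${r.type} ${r.hostname}`);
  return hits;
}

const recipe = parseRecipe(RECIPE);
console.log(JSON.stringify(recipe, null, 2));
console.log('any-host whitelist rules:', anyHostWhitelist(recipe));
```

    Run it with Node.js; the same two functions work on any other recipe pasted in place of `RECIPE`.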
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    How do I export rules for a specific site? I have a Facebook ruleset that blocks the images for ads, but allows everything else to work (and nothing more).

    I'd be willing to share quite a number of rules.

    Having an "Export Ruleset" button right on each "per domain" section of the rule manager would make that way easier.
     
  13. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    You should be able to select the encoded text in the rule manager page and store it somewhere. And I am interested to see your site specific rules :)

    Credits to gorhill, at last I am now using Chrome instead of Firefox with its ABP+ and noscript :)

    But, I am still using ABP in Chrome to collapse the blocked objects.
     


  14. gorhill

    gorhill Guest

    I also have this item on my todo list: to be able to snapshot whatever state the matrix is in into a recipe, so the user would not have to go to the Rule manager. I figure this will make it easier for users to help each other if it becomes this easy to create a recipe.
     
  15. tlu

    tlu Guest

    I'm starting Chrome with the following command line switches:

    Code:
    --cipher-suite-blacklist=0x0001,0x0002,0x0004,0x0005,0x0017,0x0018,0xc002,0xc007,0xc00c,0xc011,0xc016,0xff80,0xff81,0xff82,0xff83 --host-rules="MAP *.google-analytics.com 0.0.0.0","MAP *.googleadservices.com 0.0.0.0","MAP *.doubleclick.net 0.0.0.0","MAP *.googletagservices.com 0.0.0.0" --enable-strict-site-isolation --site-per-process
    References:
    http://superuser.com/questions/616996/what-is-the-correct-cipher-name-for-rc4-in-chrome and https://code.google.com/p/chromium/codesearch#chromium/usr/include/nss/sslproto.h
    http://www.chromium.org/developers/design-documents/site-isolation
     
    Last edited by a moderator: Dec 30, 2013
  16. Dave0291

    Dave0291 Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    553
    Location:
    U.S
    I would be happy to if I come across them again or see something else not covered. You have a lot covered that I personally don't recall seeing in my internet travels.
     
  17. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I can see the convenience if you regularly manage scripts, but copy+paste is good enough for me.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Excellent, thank you.

    Facebook:
    That works for me. No ads.

    GMail:

     
    Last edited: Dec 30, 2013
  19. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    I run mine on Linux.
     
  20. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    244
    Location:
    United States
    Hungry Man: I implemented that rule for facebook and gmail, but still had ads on the side; they were without their pictures, but the ads themselves were still present. Just wanted to give a heads up in case I missed something or if something else needs to be blacklisted.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Unfortunately the request for the ads is within the request for other aspects of the webpage, or some such thing like that. Removing the text is not possible without something like adblock, only the images.

    Sorry, I was unclear. I meant that I had blocked the ads to the extent possible with HTTPSB.
     
  22. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
  23. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    This works good in Facebook too:
    Disable the new Profiles and Pages layout ("Timeline") and return to the Classic 2011 Profiles. (NOTE: this is NOT a user-agent switcher!)
    Disable the new 2013 Home Layout ("Less Clutter") and return to the Classic Layout.
    Disable the Chat Sidebar and return to the Old Normal Chat.
    Use Friend Lists in Chat to limit your availability and group your Chat contacts.
    http://www.socialreviver.net/
     
  24. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    244
    Location:
    United States
    I see, well text won't bother me, but just wanted to give you a heads up just in case. Either way I liked the overall global rule set you have come up with, similar to what I had whitelisted for both gmail and FB. Great job. I think with some of the valuable advice here at Wilders, this extension and perhaps any other gorhill comes up with will be very smart and powerful tools for not only security nerds like us, but with a little trial and error, common browsing as well.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    In the other thread you can see my full ruleset, I also globally blacklist 'frame' and 'other'.

    It's a great tool. I'm curious to see where it goes.
     