Is Firefox still the safest web browser?

Discussion in 'other software & services' started by strongsword, Oct 19, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Like I said, don't think I'm saying not to use extensions. I just would prefer to have the security built in rather than used via extensions. Layers are important.

    It's not really "eggs in a basket" - I'm not saying not to use them at all, I'm just saying that they should really be true to the word "Extension" they shouldn't be handling every security measure, they should just be bringing some more to it.

    Possibly. But ABP works just as well on Chrome - we know that because it's the same dev on both projects and he's said it.

    And NS does have more functionality but I don't see it as much of a danger. It's not like a hacker can use code to break into my computer via chrome or Flash anyways.

    What ScriptNo can do is stop javascript from loading right when the request is made (just like NoScript) and while that won't protect against ClickJacking that's more protection than I'd ever think Chrome needs.
     
  2. Daveski17

    Daveski17 Registered Member

    So, what's actually your point then?

    Which is what extensions do on all the browsers I can think of anyway.

    LOL! Maybe in a parallel universe or the Twilight Zone!

    Oh OK. As long as he's said it & 'we' know that, it must be right then. :rolleyes:

    When you say 'he' is that Mr Sorensen, Mr McDonald or Mr Palant? ROTFLMAO! :D

    OK. Remember NS prevents drive-bys & clickjackers as well, has anti-XSS protection & an Application Boundaries Enforcer (whatever that is).

    You can keep flogging this ScriptNo dead horse as much as you like. It is a poor clone of NS & is more like a dead donkey if we are going to continue with deceased equine analogies LOL. It is poor even by Chrome extension standards. If Chrome doesn't really need it aren't you contradicting yourself & what you are saying by running it in the first place?
     
  3. Hungry Man

    Hungry Man Registered Member

    That a vanilla chrome is obviously more secure than a vanilla Firefox. That even with multiple extensions Chrome is arguably more secure.

    My point is that NoScript has to add security because Firefox doesn't have it to begin with whereas Chrome extensions can work with what's there and you don't have to rely.

    You can say "layers" all you like but the fact is that with Chrome the layer is the browser and with Firefox the layer is the extension. The lower the layer is the more secure it usually is.

    So when the NoScript dev says something his word is gold but when the ABP dev says something it's a farce?

    All of the previous "known issues" in ABP were solved with the WebRequest API. That's from the dev.

    You can check the ABP forums for yourself.

    Find me a drive-by exploit for Chrome... ever.

    What does clickjacking do except lead you to an exploit page?

    Chrome has anti-XSS protection built in.

    ABE looks like some kind of restrictions on web apps.

    As I said right in that quote, NoScript protects against more. But in terms of blocking specific javascript/elements on a page they both do it the same or to the same effect - they block the request as it is made.

    What is this based on? Your knowledge of Javascript? Have you looked at the source code? Do you understand the APIs?

    My Javascript is rusty as hell and my looking at it would mean nothing especially since I'm unfamiliar with Chrome's APIs. That's why I'm going by what the developers are saying.

    I'm defending ScriptNo for two reasons:
    1) You have no reason to believe it's nearly as inferior as you keep insisting it is.

    2) While I personally believe it offers virtually no added protection some others might not agree.

    EDIT: And I don't run it. I ran it for a bit to make sure it didn't kill the browser before showing others.
     
  4. Hungry Man

    Hungry Man Registered Member

    Granted in terms of Chrome being a lower layer than the extension it's really a layer within the application layer and not a big deal.

    EDIT: Although really a lot of Chrome's security is kernel-level (sandbox, ASLR, etc) whereas extensions are Application level.

    All Firefox can really do is add on multiple extensions just to get close to Chrome's security.

    There are no situations where an exploit through the browser will infect a default vanilla Chrome user.

    There are absolutely situations where an exploit through the browser will infect a Firefox user.

    Throw in Flash and you've got even more infections with Firefox.

    Throw in NoScript and you've got a much harder time but if a site is infected and on your whitelist you can, in many situations, be infected.
     
    Last edited: Oct 26, 2011
  5. guest

    guest Guest

    When was the last 0-day that automatically infected people running updated Flash/browsers?

    I answer: Pre-XPSP2 days. LOL
     
    Last edited by a moderator: Oct 26, 2011
  6. Daveski17

    Daveski17 Registered Member

    I wouldn't doubt Chrome is more secure out of the box, I just doubt that there is much difference between the two with appropriate extensions.

    So what? Once you reach the desired level of security, what's the difference?

    So? I can make Firefox more or less as secure as Chrome by adding just two extensions: ABP & NoScript. In all honesty, you only really need NoScript.

    I don't know that much about farces or even comedies of errors, but the deus ex machina so to speak, is that, for me anyway, ABP has always worked far better in Firefox & SeaMonkey than it ever has in Iron or Chrome.

    Maybe, but it fails to block ads sometimes on Chrome that it does for Firefox. Not only that, it is far more sophisticated as an extension on Firefox.

    What people claim, & what actually happens in reality can be different things. Ask David Icke.

    This is a redundant argument, it doesn't mean it can 'never' happen.

    I dunno, but I feel safer knowing I can avoid it.

    NoScript has far more capabilities than that though, let alone it does it properly. The plain fact of the matter is that Chrome extensions are generally inferior to Fx ones.

    I don't even know how my toaster works.


    You forgot the fanboy third reason. ;)

    I don't blame you not running it. It's still about as useful as a deceased equine quadruped.
     
  7. moontan

    moontan Registered Member

    for me Chrome is perfect.

    i don't run extensions and i'm mostly allergic to computer security 'solutions'.

    for people like me who like a minimalist setup, there's only 2 choices: IE or Chrome.

    different strokes for different folks and all that.
     
  8. Daveski17

    Daveski17 Registered Member

    Nothing's perfect. ;)

    I like my extensions (& customisations), they make life easier.

    There's a lot to be said for minimalism. My interpretation of it though is to just run a decent light AV & all other security is browser-side.

    Definitely.
     
  9. Hungry Man

    Hungry Man Registered Member

    It's absolutely more secure out of the box, no question there really.

    I don't think there is much difference but there's certainly some.

    I guess it depends on the desired level and there's some risk assessment.

    And as I said there are still times where you can be exploited with NoScript. There aren't with Chrome barring some unprecedented 0-day.

    The developer, the guy who creates the extension for both disagrees with you.

    This isn't based on anything. Sophisticated? Again, is this based on your knowledge of javascript and the Chrome API? Because the developer disagrees.

    Users are confirming. It's all open source. You think they're all lying? Why is Maone a trusted source but not the ABP guy?

    The idea that they're generally gimped is something I just don't believe. Most extensions don't need additional APIs. All of the ones I've ported from Firefox work just as well.

    As I said in what you quoted, yes, it does more than just block elements/tags/javascript. But those are the big things that NoScript does. Yes, it's not as full-featured. I've already said that Chrome doesn't have to rely on NoScript-like extensions anyways but I'm just trying to explain that you have some strange bias where you think all Chrome extensions are inherently broken when they really aren't.

    Not really a question. It leads you to an exploit page. An exploit page that you don't have to worry about with Chrome.

    Magic.

    I'm hardly a ScriptNo fanboy.

    So you use NoScript purely because of clickjacking protection? You don't actually believe that blocking specific javascript/page elements does anything?



    Like I said in this quote:
    There are no circumstances where your Chrome browser will be the attack vector for an exploit. There are circumstances where NoScript + Firefox will be an attack vector.

    You can't actually believe this. Articles get posted all of the time with new Flash exploits - less so for browser certainly but the fact that they're not being exploited often absolutely does not mean that the browser is somehow more secure.

    There are 0day flash exploits in the wild all of the time. A simple Google search will tell you that. Exploits are closed in Firefox all of the time. They're closed in Chrome too - the difference being that in Chrome they don't actually matter because of the sandbox.
     
  10. guest

    guest Guest

    Tell me the name/address of one (only one!) malware/site that automatically* infected** people browsing with everything updated (including browser/Flash) in the last 6 years.

    *by automatically I mean "without any questions/only by visiting a compromised page"
    **by infected I mean "compromised the system"
     
  11. Daveski17

    Daveski17 Registered Member

    Which makes them about even with extensions.

    Maybe. But it would be minimal enough not to excessively worry about. That's what AVs were invented for.

    I don't care. ABP is more sophisticated for/& works better on Firefox & SeaMonkey in my experience. I'm not making this up.

    So you are telling me that ABP for Firefox is exactly the same for Chrome with the same UI & everything? I think not.

    Do you ever read what I actually write & not what you think I've written?

    I never actually said that did I? I believe I stated that most of Chrome's extensions are inchoate & less developed compared to Mozilla's. The ones I use on Chrome work relatively well, but their equivalents on Firefox are usually far superior.

    No, you're a Chrome fanboy apparently in denial. I think it may become terminal. ;)

    Remind me exactly where I stated this? I'd genuinely like to see where I said that this is the sole reason I actually run NS on Firefox & SeaMonkey (& at one time on K-Meleon).

    Are these circumstances at about the same odds as me winning the lottery? I think I can live with that. Personally I'd rather have NS block malware before it gets through than relying on any kind of tab sandboxing. Most malware, in my opinion, that gets into your system does it surreptitiously & is just not detected by AVs or anti-malware filters merely because its signature isn't recognised. I think prevention is better than a cure in this respect.
     
  12. Hungry Man

    Hungry Man Registered Member

    @PeterPAn:
    http://www.kahusecurity.com/2011/flash-0day-found-in-drive-by/

    First google search for "Flash 0day exploit." This was used in drive bys and in the wild. It was a 0day and a fully updated Flash could be exploited.

    These things happen a lot with plugins, they can happen with browser too but don't as often.

    It's a drive-by installation - textbook.

    Maybe, definitely debatable.

    We're not talking about AV's here. I believe you can have a secure system even with Firefox. This is about the browsers.

    The changes are very recent and only in the experimental versions.

    It's obviously different code for one and the other though I'm sure quite a lot of it is the same. In terms of capabilities they are absolutely the same. That's not me telling you that, that's the developer. There are outstanding issues all of which can be fixed and none of those issues affect it blocking the ads.

    Gonna need examples.

    I have about 6 extensions installed and they all work perfectly compared to their Firefox counterparts. That's me saying that after years of using Firefox and hating Chrome for lacking extensions.

    Believe what you like. I know myself pretty well and I know that I'd drop Chrome just like I dropped Firefox. People used to call me a Firefox fanboy too. I don't mind it lol I know what I'm like and I know how I come off.

    The defining difference between ScriptNo and NoScript is that NoScript provides protection for clickjacking and the XSS auditor and the restrictions. You say that ScriptNo is useless so I assume you must be using NoScript for those three things.

    I agree - prevention is always better. That's what a sandbox does. It prevents the malware from reaching your system.

    A situation in which your page is whitelisted and compromised is a situation in which NoScript won't help you. If the page is compromised with XSS NoScript might protect you. If the page loads up an iFrame to another domain, NoScript might protect you. If the exploit is hosted right on the site, NoScript won't do a hell of a lot and neither will Firefox.

    But that's just the issue with Whitelisting.

    You can just never whitelist sites or only whitelist absolutely when you need to and that'll help but the point is that there are ways around it.

    Those circumstances may be rare but I'd say they're a lot less rare than a 0day targeting Chrome.
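
The whitelisting cases in the post above (content hosted on the trusted site itself versus a frame pointing at another domain), as an added example that is not part of the original thread and is not NoScript's or ScriptNo's code. It is a simplified model that decides each request only from the origin serving it; the XSS filter case is not modelled, and all origins and URLs are constructed.

```javascript
// Simplified model of an origin allowlist for active content. Constructed for
// illustration; not NoScript's or ScriptNo's actual code or policy engine.

// Origins the user has chosen to trust (constructed sample value).
const ALLOWLIST = new Set(["https://news.example"]);

// Request types this model treats as active content.
const ACTIVE_TYPES = new Set(["script", "object", "sub_frame"]);

// Decide one request purely from the origin that serves it.
function decide(request, allowlist = ALLOWLIST) {
  if (!ACTIVE_TYPES.has(request.type)) {
    return { allowed: true, reason: "passive content" };
  }
  let origin;
  try {
    origin = new URL(request.url).origin;
  } catch (err) {
    // Fail closed when the URL cannot be parsed.
    return { allowed: false, reason: "unparseable URL" };
  }
  if (allowlist.has(origin)) {
    return { allowed: true, reason: "allowlisted origin " + origin };
  }
  return { allowed: false, reason: "origin not allowlisted: " + origin };
}

// Active content that still runs under the allowlist: the exposure the user
// accepted by trusting the site, and the list to review if that site is compromised.
function residualExposure(requests, allowlist = ALLOWLIST) {
  return requests
    .filter((r) => ACTIVE_TYPES.has(r.type) && decide(r, allowlist).allowed)
    .map((r) => r.url);
}

// Constructed requests made by a page on the allowlisted site news.example.
const SAMPLE_REQUESTS = [
  { type: "script", url: "https://news.example/js/site.js" },
  { type: "sub_frame", url: "https://widgets.example/frame.html" },
  { type: "object", url: "https://news.example/media/player.swf" },
  { type: "image", url: "https://tracker.example/pixel.gif" },
  { type: "script", url: "not a url" },
];

for (const r of SAMPLE_REQUESTS) {
  const d = decide(r);
  console.log((d.allowed ? "ALLOW " : "BLOCK ") + r.type + " " + r.url + " (" + d.reason + ")");
}
console.log("Still running from trusted origin:", residualExposure(SAMPLE_REQUESTS));
```

The cross-domain frame is blocked, while the plugin object served from the allowlisted origin loads, because the decision depends only on where the content is hosted.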
     
  13. guest

    guest Guest

  14. Hungry Man

    Hungry Man Registered Member

    LOL @ a single exploit that's never existed in the wild after 3 years of having literally no exploits.

    People pointing to the Vupen exploit makes me smile every time.

    If you think I'm saying that Chrome has 0 exploits, you're mistaken. I'm saying that you'll never run into a Chrome exploit but you can easily run into a Flash exploit, the chances of it being on a whitelisted site depend on the user. The fact is that it's more likely to run into one of those than it is to run into the non-existent Chrome exploits (in the wild.)
     
  15. guest

    guest Guest

    That " never existed in the wild " sentence isn't possible to prove.

    Plus, crackers may just not be targeting chrome now, because it's still only the third most used browser.
     
  16. Hungry Man

    Hungry Man Registered Member

    Um, of course it's possible to prove. The vulnerability was never disclosed and has never been seen. You can bet ~ Snipped as per TOS ~ if it had been seen it would have made news.

    It's old as hell too (5-6 months?), Flash has gone through at least one full version change with hundreds of security updates. Chrome's gone through 5 revision changes (I believe) with hundreds of security updates.

    The exploit was never disclosed. Vupen hasn't said whether it's still around or not.
     
    Last edited by a moderator: Oct 27, 2011
  17. guest

    guest Guest

    Did anybody search for it in 100% of the internet? ;)

    This is almost like the "God exists, God doesn't exist" discussion and will lead us to nowhere.

    Plus I can make impossible to prove claims too: crackers may just not be targeting chrome now, because it's still only the third most used browser.
     
    Last edited by a moderator: Oct 27, 2011
  18. Hungry Man

    Hungry Man Registered Member

    lol... ok... the exploit that only a white-hat security firm knows the details of that's never been disclosed and is over 6 months old might somehow exist somewhere out on the internet and might somehow still work on programs that have had radical changes.


    As for Chrome being targeted, what about Flash? I'd say almost everyone has Flash installed. I'd bet everyone in this topic does. Chrome protects you against one of the most exploited programs and Firefox does not.

    Chrome and Firefox have virtually the same market share at this point anyways lol it's not about obscurity.

    Plenty of people have their eyes on Chrome security.
     
  19. Hungry Man

    Hungry Man Registered Member

    I mean, just ask yourself, what is more likely?

    1) Running into the single Chrome exploit that's never been seen in the wild that no one knows the details of and that may have been unknowingly patched months ago?

    or

    2) Any of your whitelisted pages get hacked and use a Flash exploit.

    We've seen 0day flash exploits in the wild before. The only thing that has to happen is a user going to a trusted website.

    Are either super likely? Eh, not especially. But I'd call 1 virtually impossible and 2 fairly improbable.

    EDIT: And wasn't my name blue yesterday? >_>
     
  20. dw426

    dw426 Registered Member

    The Vupen issue is not something I'd be concerned over, and I'm one that doesn't believe the Chrome hype..though I do believe if you stick a bare Firefox and a bare Chrome on the same system, Chrome will come out ahead for day to day security. If you stick with Firefox, add ABP and Noscript and actually pay attention to what scripts you allow, you'll be alright, in my opinion.
     
  21. Hungry Man

    Hungry Man Registered Member

    I agree dw. Users can do alright with NoScript though it does certainly rely a bit on the user, which is something that I think really negates most security but that's such a separate discussion I wouldn't bother.

    I think that all you can really do with Firefox is add extensions and hope to get to where Chrome is. There's no saying "Firefox is more secure than Chrome" it's really only ever been "just as secure."

    Whereas a simple vanilla Firefox is nowhere near Vanilla Chrome a fully decked out Firefox with extensions and a bit of common sense is actually about as good.

    I still think that you're more likely to run into an infected whitelisted page than you are to run into a Chrome exploit. But neither are super likely and the biggest threat for either of the fully configured browsers would be user error (something NoScript is prone to) and tricking the user into downloading a file (Chrome's detection rate is 2x+ Firefox's.)

    =p
     
  22. dw426

    dw426 Registered Member

    The trick download is where other precautions come into place though. I'm sure as hell not going to rely on Chrome, Firefox, or even the "godly" Smartscreen to tell me if a file is bad. NoScript's disadvantage is playing the shell game with scripts. But, after you've used it a while, you start seeing the same 3rd party ones over and over again, and begin understanding what might be needed and what is just junk.

    Chrome, Firefox, no matter really. If you're relying on your browser to keep you from harm, you're already doing it wrong.
     
  23. Hungry Man

    Hungry Man Registered Member

    I absolutely agree that relying on their blacklists/heuristics is a poor defense. But it's still there. Not great, a mere 8% different (again, more than double) and I wouldn't bet on it every time but it's there.

    I think the big issue with NoScript is that it's user-configured security and once a site is whitelisted the defenses kick down a bit. I wouldn't use it with Chrome - I don't believe I'll ever run into a Chrome exploit in the near future and I don't believe NoScript provides valid protection against socially engineered malware.

    Still, I think that while we should never rely on a single layer of security we should always look to see how we can strengthen that layer.
     
  24. guest

    guest Guest

    The potential theoretical risks don't pay the performance costs of having more and more layers here.

    I only run layers the OS I'm in offers natively. Some of them are even disabled, lol. But I guarantee the attack surface is much smaller. And I have common sense.

    My portable Firefox is pretty hardened, though.
     
  25. Hungry Man

    Hungry Man Registered Member

    And, really, NoScript isn't an "extra" or "added" layer of security. It's the only layer of security. Firefox doesn't provide a hell of a lot in terms of securing the browser - just patching mostly.

    With Chrome you can add on superfluous things like ScriptNo (even if it isn't quite up to par, though certainly not as horrible as some might think) and Adblock and if those somehow fail you've still got your strongest layer there.
     