Discussion in 'sandboxing & virtualization' started by HempOil, Dec 15, 2017.
So does Firefox. I'm not sure what you're trying to suggest
I used Chrome for two weeks but without NoScript I don't feel safe. I switched back to Firefox 57 Quantum + NoScript 10.
There is uMatrix for both browsers.
I know that Firefox isn't sandboxed to the degree Chrome is. Chrome is designed from the ground up to be sandboxed. Firefox isn't. I mean Firefox has sandbox, but it is a weak sandbox.
That's no longer true. This was true for the "old" Firefox - but Electrolysis laid the ground for sandboxing in the past years, and they are basically using the Chrome model.
Did you really compare in detail the ruleset used in the Linux version of Firefox with the one used in Chrome? Unless you did, your claim is, at least, questionable. Besides, I'm sandboxing both Firefox and Chrome with Firejail anyhow which improves security in both cases considerably. This has been discussed in this thread at large.
Firefox doesn't spawn one process for each tab. According to the settings it can be set to the maximum of 7 which leads to much less used RAM (in comparison with Chrome and if a lot of tabs are opened)
The default sandbox level ("security.sandbox.content.level") seems to be "3". I'm sure the default was lower (lower = less restrictive) in previous versions But ok, the higher the better
Firefox - sandbox level 3:
Firefox - sandbox level 4 (maximum level):
Soon Google will block third-party module injections (with some exceptions) into the chrome.exe process, which will harden it more.
Google Chrome Plans To Block AV Module Process Injection
Edit: small correction and addition
But also lossens the sandbox isolation.
Linux kernel has features such as RAM deduplication (Kernel same-page merging) and other that can decrease RAM used by Chrome.
Yes, in the settings menu. But in about:config you can set dom.ipc.processCount as high as you want. I've set it to 16 as I never have more tabs open.
Hm, I wonder how useful that is if I block all 3rd-party scripts in uMatrix anyhow.
>> Soon Google will block third-party injections
this will mean dll injections (eg antiexploit and similar)
I mean dll/module injections into chrome.exe, edited post:
NoScript is a lot more than script blocking. Read Giorgios post #6.
Yes. However, i am interested if offers any benefit to uBO, if one configures it to block (Inline Script block + Medium Blocking mode), and selectively enable them.
As far as i know, in my past experience
ABE - Can be configured in uBO/uMatrix. See this post.
XSS - This is an interesting aspect. How, i am not sure if uBO/uMartix are susceptible, with above configuration. The only way, it is exploitable i believe, is if one allows target scripts/frames to be allowed..
CSRF - No Idea. Any insight is appreciated. I will read about it.
Any insights on real world scenario or any test site, that demonstrates, if uBO/uMatrix users susceptible, i am interested to know..
Hi Harsha, in your quote from Wikipedia, you left this out, written inmediatedly below what you quoted:
"The NoScript extension for Firefox mitigates CSRF threats by distinguishing trusted from untrusted sites, and removing authentication & payloads from POST requests sent by untrusted sites to trusted ones. The Application Boundary Enforcer module in NoScript also blocks requests sent from internet pages to local sites (e.g. localhost), preventing CSRF attacks on local services (such as uTorrent) or routers."
By the way, FWIW, in the 9 years using NoScript, in my personal case, none of NoScript security features has interfered with normal operations on any site that is of any importance to me. So, that part that you blacked in your quote, perhaps applies to UBO but it doesn't to NoScript.
Let me add something else, Harsha. Please read very carefully every word written by Giorgio in this sentence taken from the link I posted earlier: "The main (most visible, but not the only) features of NoScript, beside script blocking, which are not present in any other security product are:".
See where he says, "The main (most visible, but not the only) features of NoScript...", I seen the list of security features that NoScript enforces silently in the background. Its huge.
Ok, Thanks. However, i have covered that potential loop hole in my reply already. However, please do note that ABE can be configured in uBO. So, i am not worried on that point. Only area, where i am interested (not worried though), is what if scripts/frames are whitelisted. I wanted any real-word examples.
Yes, with UBO, you would have to configure it once. And there is nothing after that.Also, as i take back-up. When switching the browser or re-install your existing browser, is no-hassle.
I used to be NoScript & ABP user, before uBO. And to my usage, i used to get many XSS popups, if i remember correctly.
That's what i am puzzled, and was reason i wrote my post above. Any real world scenarios, which it would have prevented, even after uBO with Medium blocking (+inline script) mode..
With that said, i will install Noscript 10, with Global Allow all for a month, and will see if it peeps on anything.. (Update: Have enabled Noscript, with global Allow all, let's see how it goes).
I see - thanks! Isn't that comparable with what Mozilla explains here?
Okay, we can probably discuss till eternity about browser security. In any case Firefox - after its overhaul - uses basically the same security architecture as Chrome. Yes, there are subtle differences as you showed in your post above. And there is, e.g., Site Isolation as a new feature in Chrome.
On the other hand, many critical parts in the new Firefox have been written in the Rust language with the result that whole classes of coding errors resulting in vulnerabilities (like the infamous buffer overflows) should no longer be possible in those parts of the code. This is an advantage which is not really "visible" at a glance but makes the browser inherently safer.
How to weight all those aspects? It's difficult. In the end I would say that for users with an adblocker and/or a script blocker it doesn't make a big difference security-wise if Chrome or the new Firefox is used.
However, one big advantage of Firefox is still its many options which improve your privacy particularly via the options introduced from the Tor Uplift Project like First-Party Isolation and fingerprinting protection. Add Containers and all those many options available, e.g., in the gHacks user.js. Most of them are not available in Chrome - and never will as Google is not interested in them at all, of course.
I guess you installed NoScript for the Antii XSS filter. In my personal case use, I never gotten many warnings. With version 10, other than a well known and reported false positive with google search in earlier version 10, I only gotten one warning, very likely a good detection as the site I was visiting should be considered dangerous. I treat all sites with same respect and avoid prequalifying sites but by any criteria, it was a nasty site. So, very likely I was protected by the filter that time.
Yes Bo, but there is no NoScript extension for Chrome.
My post was in reply to @netbook0tr about not having NoScript in Chrome.
For what it's worth. ScriptSafe does a whole lot more than blocks scripts too.
Not really comparable but the motivation of Mozilla/Chrome is similar (they want less crashes, less stability problems and no degradation of browser builtin security features)
Mozilla doesn't want specific third-party applications (AV browser plugins, niche software, ...) to interact with webpages through the Accessibility Service because it might lead to degraded security or even crashes. Mozilla recommends to disable the third-party application but isn't blocking them.
Google also wants to achieve less crashes and less stability problems, and it is doing it by preventing third-party applications (AV software, ...) from injecting its dll into chrome.exe
Hi Krusty, right, there is no NoScript for Chrome. He sounded to me like he wants to use NoScript not just any other similar extension. I can understand that.
By the way, this are some of the things NoScript does in the background to protect users. I dont know if any has been ported yet in NoScript 10 or what will be ported if any. Most likely if any get ported will be when Firefox 58 comes out and after.
tie to prove these overwhelming******
if NS were that good why did uB and uM had such earth falling success in the past? and why took it authors so much time to re-create?
noscript for chrome need some excellent merchandising to make users change.
Cool, didn't know about that, sounds good. But overall, I think it's safe to say that Chrome's sandbox is currently more advanced than the ones from Edge and Firefox, which makes it harder to exploit. But like I said, you pay a hefty price for it when it comes to resource usage and features, not worth it for me. Especially since I have never been hacked via Firefox, ad-blockers + third party security tools will do the job.
Yes, very good decision by the Mozilla development team. There has to be a balance between security and usability.
Depends on how you browse, I normally make a selection of articles that I want to read, and this may result up to 30 to 50 tabs. Chrome and Vivaldi would drain all of my RAM, and I'm not willing to buy more RAM just for a freaking browser.
Same here my goodness who would have 50 tabs open I don't have any problems slowdowns with chrome.
Actually, I think it's a bit overkill. I don't believe you need to sandbox every browser tab, I wonder what resource usage is like if you use micro-virtualization. Probably ridiculous high, and I think you can achieve the same amount of security with tools like Invincea/Sandboxie. Only for the truly paranoid ones Bromium is the best choice.
Yes, they are but optionally.
Separate names with a comma.