µMatrix - the HTTP Switchboard successor

Discussion in 'other software & services' started by tlu, Oct 25, 2014.

  1. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    864
    Location:
    Canada
    I think comment #8 nailed it. The nonsense from the Chromium people trying to rationalize this is beyond ridiculous. If a user installs an extension manually, it is not force-installed, and surely the browser can remember this one important bit of information as part of the extension profile. I don't see any other reason than just to force everything through the Chrome store, and that annoys me.

    Edit: By the way, I don't think Opera has that kind of annoying bubble (not sure though). Maybe worth trying?
     
    Last edited: Oct 30, 2014
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    The assumption is that the attacker has local execution, in which case they could modify that profile to say "it is not force installed" - so that does not work.
     
  3. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    864
    Location:
    Canada
    Yeah, it occurred to me afterward. Is the problem of extensions installing themselves on Windows without a user intervention that serious? (I wouldn't know I'm using Linux). And if so, how does it happen? Command-line switches?
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I'd say Google is trying too hard to make the browser more secure than the OS, so that newbies won't mistakenly believe that Chrome is vulnerable. Market share expansion.
     
  5. oneeyed25

    oneeyed25 Registered Member

    Joined:
    Nov 26, 2013
    Posts:
    21
    On Windows, some of these malicious extensions get bundled with 3rd party software installers (sometimes you can opt-out, but more often than not they install silently), and they're on the rise (I'm pretty sure CNET Download has some of these in their installers if you're brave enough to try)... If you provide administrator privileges during the install, the installer can then forceinstall any extension via Group Policy by changing the registry.

    And yeah they can be a pain, effectively hijacking your browser.

    I know how very annoying for developers Google's new policy can be, I have to click on the warning every time I launch Chrome... But I still think on the long term it's a good decision for the majority of users.

    BTW you can create a private collection of extensions on Google Store, I still prefer keeping everything local but it can be a good solution for some users : https://support.google.com/chrome/a/answer/2649489?hl=en
     
    Last edited: Oct 31, 2014
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yeah, as mentioned above, it happens a lot with software bundles. Less 'malware' - more 'PUP'. I don't know if they use command lind switches, but there's naturally nothing at all stopping them while the switch exists.

    Personally, I think it's futile for them to attempt to deal with this type of attack - much better suited for MS. But that's their prerogative, and it is certainly a real thread.
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,282
    Location:
    Canada
    Does anyone know where the installation/update instructions, using Developer mode, are for uMatrix? I know i saw them a few days ago but have totally forgotten where they are and unable to find them now :confused:
     
  8. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    864
    Location:
    Canada
    It's the same steps as with uBlock: https://github.com/gorhill/uBlock/tree/master/dist#install
     
  9. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    682
    Location:
    Wembley, London
    How close is this to beta or full release now :)
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,282
    Location:
    Canada
  11. Pilou42

    Pilou42 Registered Member

    Joined:
    Oct 4, 2014
    Posts:
    66
    About doc stuff, I'll take this example:
    https://github.com/gorhill/uMatrix/releases
    If I want to download xxx-x-alpha.xx.zip, there's a request for amazonaws.com. I'd think this file would be listed in a column "doc", but instead µMatrix creates a Matrix for amazonaws.com. Have you planned to change something or you advise to use filter "* * doc allow" ?
     
  12. gugarci

    gugarci Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    288
    Location:
    Jersey
    I have Switchboard disable on 2 of my computers & I'm using uMatrix. How does it update to the latest version. I installed it early this morning when the latest version was Alpha 17 & it's now up to 19. Does it update like all other extensions by clicking on Update Extensions now? According to the uMatrix settings about i'm using 0.8.0.0

    Thanks.
     
  13. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,587
    Location:
    North Carolina, USA
    Hello gugarci,

    Until µMatrix is released to the Chrome store, you will need to update manually. See gorhill's post # 58 above for more information. He includes a link that will give you instructions on updating.
    HTH...
     
  14. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    864
    Location:
    Canada
    I don't plan to change anything. The `doc` type is whitelisted internally in global scope (just like image and css), so there should be no problem downloading, unless the hostname is blacklisted. In such case, whitelisting the hostname in the associated scope will fix the downloading.

    Since there is always just one root `doc` per page, it's pointless to have a column for this.

    Not sure what can be done about the tab id no longer matching the URL in the address bar when downloading through a click. I didn't realize this was happening, and I checked and same was happening with HTTPSB. For now I think I rather let this quirk be rather than trying to fix this before release. Eventually I will look if anything can be done.
     
  15. Pilou42

    Pilou42 Registered Member

    Joined:
    Oct 4, 2014
    Posts:
    66
    Sometimes, hijacked pages try to make your browser auto download files, and I though it was possible to have several "doc" type (maybe I did not understand the "doc" attribute, I though it was for downloadable content) in the same page.

    But indeed, a column with "doc" makes no sense in general, since it would appear only when you click on a link.

    PS: I even block css and images from third-party in my filterset (* * * block + * 1st-party * allow)
     
  16. gugarci

    gugarci Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    288
    Location:
    Jersey
    Thanks for the reply puff. I'll have to keep playing it with the directions in the link. First time I did it I lost all my settings, 2nd time I had 2 versions of uMatrix. I'm sure I'm doing something wrong updating to the latest beta.
     
  17. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    864
    Location:
    Canada
    Bottom line is that an extension keeps its identity (settings etc.) if it is the same absolute path. If the new absolute path is different than the old absolute path, it will be seen as a new extension, and thus settings will be the factory ones.

    To avoid any confusion, you may want to unzipped to a temporary location, then copy the content of unzipped folder into the folder currently used as the extension.
     
  18. gugarci

    gugarci Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    288
    Location:
    Jersey
    Thanks. I'll try that next time.
    Like I said I'm sure it was user error on my part.
     
  19. oneeyed25

    oneeyed25 Registered Member

    Joined:
    Nov 26, 2013
    Posts:
    21
    I debated with myself blocking all css/images except for the source hostname, but it just breaks too many sites and so isn't convenient enough for me. Basically I use the Block-All/narrowly Allow-all (only CSS/Images allowed) and I'm fine with that.

    But is there any security risk that you know of which would warrant blocking CSS/Images ? I don't care that much about privacy, but more about browser hijacking, drive-by downloads, etc...
     
  20. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    There is an option to export and import your rule set so just export them, delete the existing uMatrix, install the new one and then import your rule set. I lost my rules also then I saw that so the next time I update it (if its not yet in the chrome store) that's my plan.
     
  21. tlu

    tlu Guest

    µMatrix release candidate available. Congratulations, Raymond!

    From a technical perspective, this version is definitely mature enough and ready for the webstore, IMHO. However, for users not familiar with HTTPSB the missing/too technical documentation will probably make it rather hard to make use of all the great features of µMatrix. Perhaps some (slightly overhauled) parts from the HTTPSB wiki (e.g. the must-read section, the matrix toolbar and scopes chapter) can be used in the µMatrix wiki.
     
  22. Pilou42

    Pilou42 Registered Member

    Joined:
    Oct 4, 2014
    Posts:
    66
    @oneeyed25: In term of security, I don't think there's something wrong allowing css+images. In term of privacy, since you download something, you let a trace on the server, but not a problem if you don't care about security (but if you saw the number of 1x1 images to trace you, you would be surprised).
    The problem is sometimes, when you allow images and css, you think you did not break the site, but yet, you did not allow scripts, and you lose sites functions too. When you block everything, it appears clearly.

    But I'm aware it breaks several sites, but it also allows me to see some sites are too dependent from other sites (hotlink is bad for history).
     
  23. @tlu and @Pilou42

    Well there is scriptblocker based on HTTP Switchboard. Easy no hassle solution for the time being: disable 3rd party cookies in your browser, 3rd party img(pixel tags)/iframes in ublock and 3rd party scripts in scriptblocker. No hassle setup. I was hoping Raymond would add a block script/allow same domain like functionality as scriptblocker in UBlock.
     
  24. luxi

    luxi Registered Member

    Joined:
    Aug 31, 2013
    Posts:
    74
    Huh?
     
  25. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    864
    Location:
    Canada
    Script Blocker is not based on HTTP Switchboard, the author just give credit to the technique used in HTTPSB on how to reliably block scripts.

    µBlock is able to block script and frames on a 1st-/3rd-party basis. Anything more than this is µMatrix, which now comes with a 1st-party row to create special rules to be used for whatever net requests is 1st-party to a web page -- without having to deal with specific host/domain names. I would say this one item is one of the biggest improvements (right behind full-layering of scopes) in µMatrix relative to HTTPSB.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.