Whitelist for Chrome does not work as expected

Discussion in 'other software & services' started by exus69, Jul 10, 2012.

Thread Status:
Not open for further replies.
  1. exus69 (Registered Member; joined Mar 15, 2009; posts: 160)

    Hello all,

    Am trying to visit only the following websites with Google Chrome:

    hotmail.com
    yahoomail.com
    gmail.com
    facebook.com

    So am using "Whitelist For Chrome" plugin. However, it's not working properly.
    In the whitelist I put login.live.com. But when I visit hotmail.com, I get the following page.

    Please help
     

  2. m00nbl00d (Registered Member; joined Jan 4, 2009; posts: 6,623)

    Judging by the looks of it, it's working as it should.
    You're allowing the following domains:

    hotmail.com
    yahoomail.com
    gmail.com
    facebook.com

    According to the screenshot, the domain being blocked is secure.shared.live.com. So, it makes sense it's blocked. You'll have to allow access to all domains Hotmail needs access to.

    Anyway, I wouldn't use an extension in a browser profile meant for sensitive tasks. I'd rather use the command line switch --host-rules. You can achieve the same, and more.
     
  3. exus69 (Registered Member; joined Mar 15, 2009; posts: 160)

    I was able to solve the prob by adding the following (please check the pic). Although the following approach creates a problem with facebook apps...

    Can you please elaborate on that?? Google did not help.
     

    Last edited: Jul 11, 2012
  4. m00nbl00d (Registered Member; joined Jan 4, 2009; posts: 6,623)

    While I'm not a facebook user myself, I believe that facebook services have other domains besides *.facebook.*. Check the source code of the Facebook page. To do it, type view-source:https://www.facebook.com or while in Facebook, right-click an empty spot of the page and click View source. You should be able to see whatever domain names it uses.

    Sorry, I forgot to mention you could search the forum for my nickname and host-rules. You'd get a few examples on how to achieve that goal.

    But, I'll give a quick example with Wilderssecurity forum.

    "C:\Program Files\Google Chrome\chrome.exe" --host-rules="MAP * 127.0.0.1, EXCLUDE www.wilderssecurity.com","MAP www. wilderssecurity.com 66.227.46.190:443" (the domain is together, but I had to separate it, otherwise it would transform it in an URL)

    In the above example, I am mapping everything to localhost (127.0.0.1), which will make the connections fail, with an exception for www. wilderssecurity.com. To make it stricter, I've also mapped www. wilderssecurity.com to its IP address and remote port 443 (which is for https).

    This profile can only connect to WSF, respective IP address and port 443. No other kind of connection is allowed.

    If WSF had any other sub-domains, then I could either add an additional rule or write *.wilderssecurity.com instead. Rules are separated by commas, as you can see in the example I gave for WSF.

    One thing you must never forget, is that, there's a pretty good chance that whatever service you'll access has more than one domain/sub-domains.

    Another thing to consider, is that, when using --host-rules, www. wilderssecurity.com will not match wilderssecurity.com, and vice versa.

    Either method you use, you'll have to find out which domains you'll have to whitelist.
     
  5. exus69 (Registered Member; joined Mar 15, 2009; posts: 160)

    Sorry but where do you write that??
     
  6. m00nbl00d (Registered Member; joined Jan 4, 2009; posts: 6,623)

    :argh: It seems that I always forget to mention something... :D

    You can use two methods to do it. Change your Google Chrome shortcut or create a batch file. Depending on how long the --host-rules command will be, you'll be better off by writing a batch file. I'll exemplify with WSF.

    Code:
    @echo off
    rem Switch to the Chrome folder (/d also changes drive if needed)
    cd /d "%PROGRAMFILES%\Chrome\"
    rem Map every host to localhost, except the one allowed site
    start chrome.exe --host-rules="MAP * 127.0.0.1, EXCLUDE www.wilderssecurity.com","MAP www.wilderssecurity.com 66.227.46.190:443"

    Then, we'd save it as something like ChromeWSF.bat

    You may then modify your Chrome shortcut to open the batch file, instead of the standard chrome.exe location.

    ####

    Unfortunately, I've discovered that the command --host-rules does not prevent access to FTP sites; it seems to only work with HTTP/HTTPS.

    So, if you have a regular Google Chrome installation, and if you use only one Google Chrome profile in your user account, you may want to use Google Chrome Policy Templates, instead.

    There are two policies that would allow you to block all connections, and then whitelist what you want.

    URLBlacklist and URLWhitelist:

    -http://www.chromium.org/administrators/policy-list-3#URLBlacklist
    -http://www.chromium.org/administrators/policy-list-3#URLWhitelist

    For example, this would blacklist everything:

    Software\Policies\Google\Chrome\URLBlacklist\1 = "*"

    and, this one would whitelist what you want to allow:

    Software\Policies\Google\Chrome\URLWhitelist\1 = "https://www.wilderssecurity.com"

    You can find more info about other policies: -http://www.chromium.org/administrators/policy-list-3

    Download the templates: -http://www.chromium.org/administrators/policy-templates

    Using the templates: -http://www.chromium.org/administrators/windows-quick-start

    More documentation: -http://www.chromium.org/administrators

    #####

    Anyway, I'd use this method if I wanted to block FTP/other schemes as well. Otherwise, the command --host-rules is more than enough.

    I hope I didn't make things more confusing. :)
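
Added example (not part of any post in this thread, and not code from Chrome or the extension): a Python script for the workflow described in posts 4 and 6, which collects the hostnames referenced in a page's source and turns them into a --host-rules value and into URLBlacklist/URLWhitelist policy values. The sample markup and the example.test hostnames are constructed, and the function names are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page source (not any real site's markup).
SAMPLE_HTML = """
<link rel="stylesheet" href="https://static.example-cdn.test/site.css">
<script src="//login.example.test/auth.js"></script>
<img src="/local/logo.png">
<form action="https://secure.example.test/session" method="post"></form>
<a href="mailto:help@example.test">Mail us</a>
"""

URL_ATTRS = {"src", "href", "action"}  # attributes that carry a URL


class HostCollector(HTMLParser):
    """Collect the hostnames a page's markup refers to."""

    def __init__(self, page_host):
        super().__init__()
        self.hosts = {page_host.lower()}  # the page's own host is always needed

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                host = urlsplit(value).hostname  # None for relative and mailto: URLs
                if host:
                    self.hosts.add(host.lower())


def hosts_in_source(html, page_host):
    collector = HostCollector(page_host)
    collector.feed(html)
    return sorted(collector.hosts)


def build_host_rules(hosts):
    """Value for --host-rules: send everything to localhost except `hosts`."""
    return ", ".join(["MAP * 127.0.0.1"] + [f"EXCLUDE {h}" for h in hosts])


def build_policy_values(hosts):
    """(key path, value) pairs in the form the thread quotes for the policies."""
    base = r"Software\Policies\Google\Chrome"
    pairs = [(rf"{base}\URLBlacklist\1", "*")]
    pairs += [(rf"{base}\URLWhitelist\{i}", f"https://{h}")
              for i, h in enumerate(hosts, start=1)]
    return pairs
```

Hosts that scripts contact only at run time do not appear in static page source, so the resulting list is a starting point to test against the real login flow.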
     
  7. exus69 (Registered Member; joined Mar 15, 2009; posts: 160)

    Just curious to know why would you prefer to use this method compared to a plugin like "Whitelist For Chrome"?? Is it because plugins are targeted by malware??
     
  8. m00nbl00d (Registered Member; joined Jan 4, 2009; posts: 6,623)

    There are two main reasons. One, there are two native ways of doing what you want already, either with --host-rules or policy templates; the second reason is that, when using an extension, we always risk a new browser upgrade to make the extension no longer work, and we'll have to wait for the developer to fix it, or someone else to come up with a new and better extension that works.

    There's also one third reason, actually. We need to trust the extension - that it won't break both our privacy and security.

    I'd understand using an extension, if there was no native way of doing it. But, if there is, and if both those ways work, why not use them instead? That's how I think. :)

    Chromium doesn't have a native way of blocking ads and tracking, so I use an extension for that. I wouldn't use one, if it had a native feature, though.

    Hope this clarifies why I "dislike" extensions.

    That said, I don't mean that you/someone else shouldn't be using this or that extension for this or that purpose. I just thought of providing two native ways to achieve the same goal.
     
  9. exus69 (Registered Member; joined Mar 15, 2009; posts: 160)

    Thanks for the replies m00nbl00d. Very comprehensive indeed :)

    I fully agree with you. If the same features and functions are available natively why use an extension?? I always prefer security with minimum bloatware :)

    Because of the issue of accessing ftp sites even after applying host rules, I've opted for Google Chrome policy templates as you've suggested. It's quite hard work!! For eg. just to whitelist gmail I gotta add the following:

    accounts.google.com
    mail.google.com
    google.co.in
    ssl.gstatic.com
    google.com

    Do you think I should whitelist the full url including https because https is secure??

    Things like *.google.* or *.google.com are not working. Any idea why??

    Also I know that this is just a one time effort because there aren't MANY sites that we generally login to. Although am just concerned about facebook (actually am doing all this on my friend's system) because there are so many apps and games on fb that am worried it might just break it.
     
    Last edited: Jul 14, 2012
  10. m00nbl00d (Registered Member; joined Jan 4, 2009; posts: 6,623)

    I'm actually wondering if URLBlacklist and URLWhitelist policies would work together with --host-rules. Will have to test someday. :D

    No pain, no gain. Right? :D

    I'd restrict connections to https as much as possible. I think there's a moment in Gmail's login/signout process where an http connection happens, though. You'll have to try it out; it's the only way to know for sure.

    If you look at this page http://www.chromium.org/administrators/policy-list-3#URLWhitelist you'll see there's an example that just has a decimal dot instead of an asterisk: Software\Policies\Google\Chrome\URLWhitelist\5 = ".exact.hostname.com"

    So, I imagine you have to whitelist like .wilderssecurity.com and not *.wilderssecurity.com.
     
  11. Hungry Man (Registered Member; joined May 11, 2011; posts: 9,148)

    There shouldn't be. It's supposed to be HSTS with SPDY.
     
  12. m00nbl00d (Registered Member; joined Jan 4, 2009; posts: 6,623)

    But there was. I no longer have a Gmail account, but I remember I had to allow an http connection. I believe the http connection is for the country specific Google TLD, and I believe it's during the signout process.

    Anyway, maybe they changed the behavior.
     
  13. exus69 (Registered Member; joined Mar 15, 2009; posts: 160)

    Yes you are right there is a split second moment where an http connection happens. No wonder I added google.co.in in post no.10 :)

    I like the fact that you respect others' likes/preferences. That's the reason I am being frank about my displeasure to not use only this particular native method and opt for the addon 'Whitelist for Chrome' instead.


    That unfortunately doesn't seem to work. Anyways after much thought and trial/error I've decided to go with "Whitelist for Chrome" because besides being too much of a hassle to whitelist each url, I was just wondering what effect it might have on something like a payment gateway once the user makes a payment. For eg. A user clicks on "checkout" or "pay" button and because of whitelist the page would not load. Then I would whitelist that page and refresh it. Wouldn't the payment be made twice??!! Just wondering...

    Also which other option would you recommend to configure from security point of view from that chrome security template which you had suggested??


    -----------------------------------------------------------

    So considering that am using "Whitelist for Chrome", if I get any link to a random malicious url in my yahoomail or facebook and if I click on it, it would be blocked by default. Of course I wouldn't know if that link is malware ridden so I would copy paste it into Firefox and since FF will be sandboxed and loaded with NoScript, BetterPrivacy, Adblock Plus I need not worry about XSS, CSRF and ClickJacking, is that correct?? Firefox is for general browsing.

    Also I would want to know which is your preferred privacy/security chrome addon??
     
    Last edited: Jul 17, 2012
  14. m00nbl00d (Registered Member; joined Jan 4, 2009; posts: 6,623)

    I suppose something like that would happen. But, wouldn't it also happen with Whitelist for Chrome, or other method? The safer bet would be to know beforehand the domains that need to be whitelisted for those services, before accessing them.
     
  15. m00nbl00d (Registered Member; joined Jan 4, 2009; posts: 6,623)

    Sadly, --host-rules will come to a point of saturation. I didn't investigate further, but either it has a limit set for the amount of blocks you can specify, or I've reached Windows' own limit for the amount of characters a line can have.

    Either way, I'm thinking the best approach would probably be a combination of Group Policies, --host-rules and an extension... One needs to design well how things would work out, though. :D
     
  16. exus69 (Registered Member; joined Mar 15, 2009; posts: 160)

    And what is the procedure for that?? Suppose I visit a website like www.flipkart.com how can I come to know which specific urls to whitelist in advance so that I don't face a situation like this:

     
  17. m00nbl00d (Registered Member; joined Jan 4, 2009; posts: 6,623)

    I didn't visit the website (It would require me to whitelist the domain and then my batch file, which I use to run Chromium.), but, most of the time it should be enough to check the website source code (Right-click a website spot and View page source).

    Otherwise, if there are services you prefer to play safe with, in case all the domain names aren't in the source code of the main page (it may happen), I'd just e-mail the support team and ask them to provide all the domains involved in the login process, so that you can whitelist them. Just tell them you'd like to create a more secure browser profile, and for that you'd like to know all the domains involved in the process.
     
  18. exus69 (Registered Member; joined Mar 15, 2009; posts: 160)

    I think I'll visit the shopping or any sort of websites that requires my credit card info from firefox instead of chrome. In case of firefox what I'll do is before visiting such sites I'll close my sandboxed firefox and re-open it to do any such transactions. But yes remembering this procedure in future would be a challenge. Am conscious right now but what about future when am visiting 10 different sites and I quickly need to visit a CC info entering site as well?? Whitelisting in advance the possible shopping sites or any other CC info entering sites and any of their third party domains would be an ENORMOUS task. Also I don't visit such sites that often.

    No wonder I use the blacklist addon in firefox so that, by mistake like in the above scenario, I don't visit the whitelisted sites in Chrome, in Firefox. But I really wish the addon 'Whitelist for chrome' has some sort of password protection for its list like the addon 'Blocksite' has for firefox...
     
    Last edited: Nov 20, 2012
  19. exus69 (Registered Member; joined Mar 15, 2009; posts: 160)

    Question

    When a user visits a site not in the whitelist he gets the following message in the browser due to the extension "Whitelist for chrome". Is there any way to get the functionality to open the blocked site in firefox directly instead of copying the link address and pasting it in firefox, when the user right clicks on it? something like "Open in Firefox" ?
     
