InformAction Forums

[Vux]

http://lifehacker.com/5483611/chrome-beta-update-adds-automatic-translation-content-controls

As for cookies, images, JavaScript, plug-ins, and pop-ups, you can now set Chrome up in each case to always block them, always allow them, or accept them only from sites you add to a list. For hardcore fans of NoScript, FlashBlock, and other such web streamlining tools, that's a pretty nice addition.

[Vux]

[Giorgio Maone]

It's a first step, but quite different yet.
If you enable JavaScript on a certain site, you're automatically enabling all the 3rd party scripts loaded by pages on that site, even though you didn't whitelist them.
Furthermore, you have not even an easy way to see them.
This is a great weakness if you want to use this feature for security/privacy purposes, because if a site in your whitelist gets compromised with an iframe or script injection, or it includes tracking scripts, you've got no defense.

[Fionavar]

FYI: I have had to disable this option as it totally messes up Extensions. There seems to be no way to make sure Extension operate correctly when Java Security is initiated in the current approach.

[Vux]

http://lifehacker.com/5177709/chrome-th ... wn-contest

Wow at Chrome being the only unhacked browser. Amazing.

I wonder what's more secure: Firefox with NoScript or Chrome with its superior sandboxing and security features?

If FF + NoScript, just how much more vulnerable is Chrome? I love Chrome but not sure if I feel secure enough with just using Chrome's blanket Allow All or Disallow All javascript blocking.

[Giorgio Maone]

I wonder what's more secure: Firefox with NoScript or Chrome with its superior sandboxing and security features?

Chrome as no "superior" security features over Firefox+NoScript, sandboxing aside (Firefox will get some in 3.7, probably).
To say it all, NoScript as many more security features than Chrome (e.g. ClearClick or ABE), and the Google crew had even to disable their "XSS Auditor" filter (which already was quite easy to bypass) because of serious performance problems, so serious XSS protection is again a bullet point for NoScript (IE8's competition on that side is a gun aimed at your feet )

Most important, sandboxing is definitely overrated (yes, SandboxIE, I'm looking at you).
In this Web 2.0+ age, the ability to touch your hard disk and other system resources (which is what sandboxes try to impair) is not very important anymore: your in-browser password store and the services you access online (e.g. credit card transactions) are the most valuable targets, and an attacker can "own" them even without the need of a browser exploit (a web application vulnerability is enough). Of course, a browser vulnerability is a bonus, but manipulating to the browser process is more than enough, and no sandboxing can help you with that.

Notice that I've been talking about this stuff already more than two years ago

[Vux]

Well, my point is that if you go to a malicious website, is Chome with JavaScript disabled just as safe as going to a malicious website with NoScript and everything disabled?

[Giorgio Maone]

Well, my point is that if you go to a malicious website, is Chome with JavaScript disabled just as safe as going to a malicious website with NoScript and everything disabled?

Nope, Chrome is much less safe because it lacks defenses against several kind of non-Javascript attacks, including plugin-based ones, XSS, CSRF and Clickjacking.

[Fionavar]

Hi Giorgio,

I am just wondering if there have been any developments that you are involved in or know of that continues to improve security for Chrome?

[GµårÐïåñ]

What chrome is offering is nothing more than an all or nothing band-aid. It is no different than what is built-in for Firefox by default. If anything, they should be ashamed that it took them this long to provide it. It gives no granular control over individual sites, partial sites, or as Giorgio stated the myriad of other benefits that NoScript provides. At least with Fx there is a REAL API to provide someone like Giorgio the ability to provide that granular control over more aspects of security than saying "let's block everything or nothing", even if it can be done on a per site basis. To top it off, they are taking it out of the hands of the people and trying to do it themselves, which has many other implications that no one ever considers. The question people should be asking is why doesn't google provide the API for developers to use instead of locking it in the code without any way to actually use it in any meaningful way?

[Davezilla]

FYI: I have had to disable this option as it totally messes up Extensions. There seems to be no way to make sure Extension operate correctly when Java Security is initiated in the current approach.

Hello Fionaavr,

If you don't mind me asking, which extensions did it affect?

[Fionavar]

Hi Davezilla,

It was Forecastfox Weather - it seems no longer to be an issue with 6.XX. I still am not using Chrome as the default browser owing the to the other (i.e. ABE) ongoing security deficiencies, fwiiw.

[Davezilla]

Hi Davezilla,

It was Forecastfox Weather - it seems no longer to be an issue with 6.XX. I still am not using Chrome as the default browser owing the to the other (i.e. ABE) ongoing security deficiencies, fwiiw.

OK thanks for the reply.

[Vux]

Google Chrome Now Has Resource-Blocking Adblock
http://apple.slashdot.org/story/10/07/2 ... ng-Adblock

"It seems to have slipped under the radar, but Google Chrome now has resource-blocking abilities, and may have had the ability for some time. Using the 'beforeload' event on the document, an extension can now intercept resources from loading. Adblock for Chrome has already added it, and I expect the other 'ad-blocking' extensions have as well. Before you start praising Google, however, it's the WebKit team that deserves your credit; one Chromium developer responded to praise by stating '... thank Apple — they added it to WebKit, we just inherited it.' Firefox vs. Chrome just got a bit more exciting."

Does this finally make Chrome as safe as using NoScript?

[GµårÐïåñ]

Not by a long shot. That false sense of security is what will destroy many and if they fall for it, they have no one to blame but themselves.