Hungry Man wrote:Google as a company makes (literally) 99% of their revenue from ads alone. And yet the WebRequest API allows for ads to not only be blocked but for the ad-requests to be blocked entirely.
Furthermore, all Google ads are "by-click" and not "by-view" so even the old method of adblocking, which has been on Chrome for about 2 years now, is killing profits just as effectively as one that stop tracking/ ads simply from being viewed. It is a matter of clicks and not downloads.
So why would Google allow for this? I wouldn't really try to guess. It could simply be "If we can't beat them join them" issue
Interesting info, thanks. I suspect that they realize that if there were no ad-blocking capability at all, most users would choose another browser.
They still get a good deal of marketable user data from Google searches, and my tinfoil-hat side tends to, uh, "doubt" their statements that the browser doesn't send some marketable data to Google about their users. I can't prove that, partly because I've never used Chrome, and partly because I don't care to go to the trouble of setting up Wireshark or vetting their code. [[ I found evidence of it later in this post.]] But when Chrome first was announced, the gut instinct was, "Who in the world would use a browser *made by an advertising company*?" -- especially since Google now owns Doubleclick, one of the most
notorious privacy-violators.
or, as I suspect, it's actually a movement to have the "annoying" ads blocked - Google recently began patenting differences between what "good" and "bad" ads are
Huh?
"patenting differences between ads?" I hereby claim a patent on my tech support methods and writing style. Anyone who uses them has to pay me royalties.
and the rumor is that Chrome will outright block "bad" ads by default leaving not much to the competition.
Ahhh, the light dawns --- all non-Google ads will be blocked, and Google ads will not. Oh, for the early days, when their motto was, "It is possible to make money without doing evil."
I think it's also important to note that in 2008 we saw adblockers on ~3% of Firefox browsers. In the grand scheme of things that isn't a hell of a lot. Maybe it's doubled in the last 3 years and even still.... not a ton of people.
I don't have an adblocker on my Fx 3.6.24, and hardly ever see ads.
For one thing, the days when ads were just text and still images are pretty much gone. Most are served by scripting, often with Flash videos. NoScript takes care of both. I also use a HOSTS file service that blocks any *attempts* to connect with 16,000+ sites. (If I type www dot doubleclick.net, I get a "can't connect" error message.)
For another, any ads based on still images are easily blocked by adding the source to Firefox Tools > Options > Content > Load images automatically > Exceptions.
So I'm in your 97% without an ad blocker. Maybe it's because Firefox + NoScript doesn't *need* one?
Tom T. wrote:Whereas Giorgio Maone has 20 years, not months, in developing, and freely gives his real name, e-mail address, company address and telephone number. You would trust an anonymous person to take complete control of your browser? What is he so afraid of?
Hungry Man wrote:There is no obfuscated Javascript in the extension - we both know how simple it is to unpack and view them.
Who said anything about obfuscated Javascript? I'm talking about obfuscated developer.
I merely visited the ScriptNo web site, looked at some of the FAQ, etc., and found that one about his anonymity.
It's not just a matter of spyware or malware -- definitely *not* making such accusations. I'm talking about being willing to stake your name and reputation on your product. Too buggy, or even worse, doesn't do its job -- user gets pwned -- no
accountability. Start somewhere else under another pseudonym, and make another product.
As said, this type of program, whether NoScript or ScripNo, has complete control of your browser. You want me to trust you, but you don't want me to know who you are, where you are, or even what you look like? Whom do I sue?
Giorgio has a complete bio and profile at
his own home page. Check it out. And compare its level of detail to the "mystery man" behind ScriptNo.
I myself am a student and I plan on writing a program. I have definitely wondered how public I'd be willing to go about the project.
I've had this same discussion with another student. He wanted to host his product at PortableApps.com, but Webmaster John T. Haller quite properly told him that if he wanted credit, he'd have to give his real name. Else, he could be listed as a contributor under his screen name, with a known, non-anonymous developer being in charge and getting prime credit.
Every add-on I have that has anything to do with security or privacy has the developer's real name (hopefully verified by Mozilla) attached to it.
"A 'NoScript-like' extension"... Really? Aside from the name rip-off, does it have NoScript's level of:
XSS protection?
Clickjacking protecton?
CSRF protection and WAN-LAN boundary protection?
Ability to force HTTPS security on sites that should have it (your bank), but may carelessly send insecure cookies?
Hungry Man wrote:Nope. I don't think it claims to - the main feature would certainly be the whitelisting of page elements by page and/or domain.
Well, as long as it doesn't claim to ... That will be comforting to the user who is pwned by an XSS, Clickjack, or CSRF attack, or has his bank login cookie stolen, or finds that his router has had its settings changed without him knowing it, including creating future remote access to the router's admin page without the user knowing. Whereupon, your .. well, just start thinking of all the evil a bad guy could do once he has complete control of your router.
But at least the poor user can say, "Well, he didn't claim that it would protect against it."
Or maybe not. Calling it a "NoScript-like extension", when it isn't even close to NoScript's capabilities -- it's "a whitelist-based script-blocker", and that's a better description. And the name is so close that we actually had a private discussion of whether Giorgio Maone could sue for trademark infringement, not that he would. But the name clearly tries to associate itself with NoScript, as does much of the promo material. Which could lead users into thinking that the two are roughly equivalent. Not even close.
Incidentally. to the extent that there may be an element of sarcasm in the language here, I'm sorry, but the above paragraph sums up what is actually irritating, if not irresponsible, about ScriptNo and its proponents. Which undoubtedly shows a bit in the style here.
As for XSS protection I've seen Chrome's own filter bypassed but it's there.
So what good is it?
Side note: It takes a hacker to stop a hacker. Giorgio Maone and his good friend,
Sirdarckcat, tied for first place in a
contest to write the smallest possible, fully self-replicating worm, in 161
bytes. So by one criterion, Giorgio is among the world's best hackers, and thank goodness he's on our side.
And his friend Sirdarckcat often tries to poke holes in NoScript, and if he can, he of course notifies Giorgio privately, and an update is issued.
Writing sw is one thing. Writing security sw is another. Writing sw to breach security is entirely different, and knowing how to do it gives one a huge leg up in knowing how to protect against it. In fact, many "new" web threats have been found to be *already defeated* by NoScript's existing protections.
How much hacking, white- or black-hat, has Mr. ScriptNo done?
Hungry Man wrote:As for HTTPS I can assume it'll be coming fairly soon as the WebRequest API continues development,
NoScript users have had it for more than three years now. NoScript is very often on the leading edge of security innovation. If you want to use the ones playing "catch-up", who never quite catch up, and hope that this issue doesn't affect you before the "assumed" improvement...
it does solve the issues (you block and redirect sites rather than reloading with the https as the extensions currently do.)
Not sure what you mean there. My bank is already secure. If they carelessly send me an insecure cookie, which could be accessed via some other technique, does your product force the cookies to be HTTPS only?
Tom T. wrote:Plus many other protections, like "Forbid WebGL", a technology that has already been exploited), and more to come, in a product that is constantly evolving and improving, thanks in part to suggestions from users through this forum, which ATM has more than 20,000 registered members + guest posting allowed, and almost 30,000 posts on almost 5,000 topics. And which was once a part of Mozilla support, but when the user base and the feature list demanded more than *ONE* thread at Mozilla, Mr. Maone chose to host this forum on his own servers, *at his own expense*.
Hungry Man wrote:WebGL is one of the most interesting exploitable techs to come out in a while - it's been of great interest to me.
WebGL does need JS to run, of course, so ScriptNo protects just fine with that (though it could block canvas specifically.)
With NoScript, you can allow a site's scripting while prohibiting WebGL. And since many sites break without scripting, using ScriptNo's "protection" (blocking JS), may break the site.
And, of course, Chrome has an about:flags to disable WebGL globally.
Didn't know that, thanks. But how conspicuous is it? I'm assuming about:flags is similar to
about:config in Firefox? NoScript has a simple checkbox in the GUI so that novices who hesitate to tread past Firefox's warnings of dire consequences from mis-configuring
about:config don't have to go there.
Hungry Man wrote:Can you link to WebGL being exploited? I don't think that's the case. Maybe a Proof of Concept... if even.
A Google search for "WebGL+exploit" gave about 1,200,000 results. No, I'm not going to go through them and give you a link
, so pick your own favorite(s).
Tom T. wrote:it still slipped up in letting your post go unanswered for so long, but genuine bugs, user support, and enhancements get first priority -- I'm sure you understand.
Hungry Man wrote:Absolutely - as I said I don't mind waiting for a proper discussion. I'm just happy that you put so much work into the response - I hate waiting only to get a "no, topic closed" =p
Thank you. The topic deserved a very thorough reply, as does your response. So it needed some time that was not required for helping users with issues in the immediate moment.
Still, if you should ever post again, and you don't get at a reply within a week or so, *definitely* within two weeks, please feel free to give it a bump and ask for a response. Especially if it falls off of the home page for that forum -- "out of sight, out of mind". Nothing wrong with bumping it back up and asking if anyone's looking at the issue. (I'll PM you a short note later about this.)
Tom T. wrote:I could be mistaken, but I don't see Google letting NS rob them of the revenue from their Chrome users, nor do I see their "NoScript-like" add-on ever coming close to this one. But please browse the NoScript "Features" Page and the NoScript FAQ, and decide for yourself.
Hungry Man wrote:Like I said, it's already been happening. Not only can we see Google already allowing for an API that blocks ads properly, we can see in the past how this has already done enough to hit revenue, and in the future we can see how this can be turned to their advantage.
Thanks for the info on ads, and as you said, it may be merely an attempt to monopolize. Sort of MS-like behavior.
Also keep in mind that chromium is open source. There's definitely community devs.
But not one who's created something with all of NoScript's capabilities. The thing is, as you said, Google asked Giorgio to port NoScript to Chrome, but
refused to supply a *sufficient* API. I think you'll like that article,
and the links in it to POCs defeating Chrome's "protections". For readers here who aren't going to go to that *December 2009* article, here's the gist without the links:
Giorgio Maone wrote:On April the 1st (!) 2009 I had a phone call with Mickey Kim of Google. The Chromium development team was starting to design a browser extension API, and they wanted to know what kind of hooks were needed for FlashGot and NoScript to be ported on Chrome. I gave them detailed answers with references to related Mozilla technologies, and they promised to keep me updated with progresses.
Eight months later, Chrome extensions are here but NoScript is not among them yet, and people are asking why. The reason is very simple: Chrome is still lacking the required infrastructure for selective script disablement and object blocking.
Maybe Google plans to implement the missing stuff later, maybe they’re still trying to figure out whether it can be done without enabling effective ad blocking, but in the meanwhile the pale AdBlock and FlashBlock imitations which have been hacked together by overwhelming popular demand, are forced to use a very fragile CSS-based hiding approach, ridiculously easy to circumvent.
Just install the most popular FlashBlock clone for Chrome and visit this page I put together in 3 minutes to see what I mean…
Update
Sam Hasler came to the rescue:
The top rated FlashBlock clone for Chrome does block your example page.
Of course, it took another 3 minutes to fix “the top rated” as well
***********************
Tom T. wrote:Regarding browser sandboxing, it might be nice for Firefox and SeaMonkey to implement this. But IMHO, letting the browser sandbox itself is like trying to lift yourself up by your bootstraps. If the browser is compromised, how can it protect its own sandbox? Much better is to let your sandboxing solution run on your operating system, *independently of the browser*. Then, if the browser is compromised, the malware cannot escape through to the hard drive. After all, much of MS' security issues with IE were based on, or worsened by, the fact that IE *is an integral part of the Windows OS*.
Hungry Man wrote:A fair point but I'd say you misunderstand the sandboxing mechanism. Chrome does not handle the sandbox to most extents - it is based on the Windows integrity system and then only hardened from within. That's the basis of it.
Isn't "Windows Integrity System" an oxymoron?
... You're right, that's much better. As said, I've never looked into Chrome; never been interested. Thanks for clarifying.
(individual tab separation as opposed to file access restrictions for every process/ broker.)
I do like the ability to sandbox individual tabs. Perhaps Mozilla will implement it.
However, with NoScript's strong XSS and CSRF protections, the necessity for sandboxing individual tabs is probably much less. Still, IMHO it's Best Practice *never* to have any other browsers or tabs open when doing sensitive stuff like online banking, no matter what browser or what protections. ("Defense in Depth".)
Tom T. wrote:Nope. Let the sandboxer run on the OS, and then let the browser run in the *independent* sandbox thus created. (I have been satisfied with Sandboxie, but that's just personal experience and opinion only, not an endorsement. But it meets the above criterion of being outside the browser instead of inside it.)
Hungry Man wrote:I had a conversation with Tzuk recently actually but I won't go into that. I will say that no third party security software will be able to compete with what's built into the kernel (in terms of security.)
Look up how many times the Windows kernel has been patched over the past two years, across all versions. Tzuk has to install a kernel-level driver, but if it succeeds in rendering the kernel (and everything else) read-only to the (sandboxed) browser, then kernel flaws won't be exploited by the browser.
I haven't followed Sandboxie vulns; I know there might have been a few, but not so many that the product isn't still going strong years later. Again, not an endorsement (My lawyer makes me say that. USA is famous for too many lawyers and too many frivolous lawsuits, and justifiably so.
), but it's never failed me. And in doing support here, sometimes the user says, "SiteX works with NS disabled, but not with it enabled." I may have to disable NS temporarily in the course of diagnosis, and some of these sites are, well, ... ones I wouldn't visit on my own.
So i have to trust Sandboxie and the other defense-in-depth methods. (On that note, I'm certainly not advocating that NoScript is the *only* security you need, *of course".)
Tom T. wrote:As for the topic there, "Safest browser?" Firefox and SeaMonkey, in their default states, ... wouldn't know. Always using NoScript. Fx and SM + NoScript (properly configured): I defy anyone to show another readily-available, mass-market browser suitable for both home and enterprise use that is equally protected from such a wide range of Web exploits, *and whose developer responds so rapidly to emergent threats*.
Hungry Man wrote:This will possibly sound like I'm knocking NoScript but I would not call it enterprise-ready. I can only imagine the nightmare of deploying it at an enterprise level "Why won't my site work? How do I do this?"
"My" site? Anyone at work who is visiting non-work-related sites is stealing from their employer (who is paying for their time, equipment, and bandwidth). Of course it happens all the time, but if you're using your work time to shop at eBay or whatever, no sympathy here if the site doesn't work right. More in a minute on that.
Hungry Man wrote:And of course a fair portion of NoScripts protection is down the drain as soon as the user whitelists the site - not by any means all of it, of course, but a fair bit.
It's a poor sysadmin who gives his users admin privilege on their workstations. Lock the
prefs.js file file, or for that matter, the entire profile. And most large corporations filter sites anyway, or should. My own $40 home router will let me block anything - Yahoo, eBay, Google-whatever, Amazon, etc.
Hungry Man wrote:As for being equally protected from exploits? I dare you to find a single Chrome exploit that breaks out of the wild - Vupen managed to... apparently, but it was never released and I sincerely doubt it still works.
http://en.wikipedia.org/wiki/Google_Chr ... rabilities
On January 12, 2011 versions of Chrome prior to version 8.0.552.237 were identified by US-CERT as "contain[ing] multiple memory corruption vulnerabilities...By convincing a user to view a specially crafted HTML document, PDF file, or video file, an attacker can cause the application to crash or possibly execute arbitrary code." The vulnerability was subsequently patched and a new stable version was released to the public with Chrome's auto-update mechanism.[91]
Although it was quite encouraging to read:
No security vulnerabilities in Chrome have been successfully exploited in three years of Pwn2Own.[92]
They do indeed seem to be very prompt in fixing flaws. At the time
this was posted, neither Chrome nor Firefox 3.6 and 8.0 had any known, unpatched vulns, whereas IE 6, 7, 8, and 9 come off much worse.
It was amusing to read that one critical flaw in Chrome was reported by a Mozilla person, to collect the $1,000 reward, rather than maliciously releasing it into the wild to embarrass the competition. Nice ethics there. (and greed lol).
The other factor is visibility. Mac users were always smug about "better security", because why would you spend time targeting something with 5% market share vs. 90+%? When Vista flopped, and the famous "Mac vs. Vista" commercials provided increased market share to Mac, they discovered that they were not in any way immune to security flaws -- as experts in the field had long said.
Chrome has been out for only three years, and according to various sources, didn't reach double-digit percent market share until a little over a year ago, at which time Firefox had triple the market share of Chrome; more if one adds in SeaMonkey and other Gecko-based browsers. Attacks on Chrome may grow if its market share continues to grow.
And someone made a
very perceptive observation: that Firefox and SeaMonkey market share may be undercouted by the number of NoScript users, because NS blocks the very stat-counters from which some browser-usage stats are drawn.
Hungry Man wrote:In the end NoScript + Firefox and Chrome (vanilla) are both very strong. Both are weak to social engineering (I believe Chrome has an 18% block rate and Firefox a 13%?) and that's not much to brag about for either party.
It's a very old truism in ITsec that the weakest part of computer security is between the eyes and the keyboard.
Can't protect people from their own carelessness or stupidity.
Hungry Man wrote:I was really just curious how many issues with NoScript for Chrome could be solved with the latest experimental extensions APIs (most notably WebRequest.)
I *think* this is an all-or-nothing for NoScript. The API either supports all of NS, or it doesn't. Bad enough that Giorgio would have to do all of the (unpaid) work to port NS to Chrome, but to create a separate, weaker fork of NS to suit whatever the present *experimental* (meaning, re-write the NS code when the next experimental version, or the final release version, appears) API?
As to whether or not I consider Firefox as secure as Chrome it's a matter of my own basic principles - I will almost always find that the software that utilizes OS-based security is the most secure.
If only it weren't true that all presently-available OSs, open-source or proprietary, are inherently and irreparably insecure... Search
Bruce Schneier's blog, especially for terms like "high-assurance", "EAL-7", or just posts by "NickP", who specializes in doing exactly that (ultra-high-security hw and sw) for high-level customers.
We have to do the best we can with what we have. IMHO only, that's MZ + NS (+
RequestPolicy +
RefControl). Chrome appears to be doing well in practice (not exploited in the wild), but the with the
info leaked back
to its master, and the
attempt to monopolize searches and ads:
In April 2011, Google was criticized for not signing onto the Do Not Track feature for Chrome that is being incorporated in most other modern web browsers, including Firefox, Internet Explorer, Safari, and Opera. Critics pointed out that a new patent Google was granted in April 2011, for greatly enhanced user tracking though web advertising, will provide much more detailed information on user behavior and that do not track will hurt Google's ability to exploit this. Software reviewer Kurt Bakke of Conceivably Tech wrote, "Google said that it intends charge advertisers based on click-through rates, certain user activities and a pay-for-performance model. The entire patent seems to fit Google's recent claims that Chrome is critical for Google to maintain search dominance through its Chrome web browser and Chrome OS and was described as a tool to lock users to Google's search engine and – ultimately – its advertising services. So, how likely is it that Google will follow the do-not-track trend? Not very likely." Mozilla developer Asa Dotzler noted, "It seems pretty obvious to me that the Chrome team is bowing to pressure from Google's advertising business and that's a real shame. I had hoped they'd demonstrate a bit more independence than that.
... it seems to me that I'd fear my browser maker more than I'd fear any remote evildoer. I have tools to deal with the latter, but I'm kind of helpless if the browser-maker itself is the enemy. (OSS? Who has time to vet every line of code in every release?)
Interesting discussion.
Cheers!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24