Thomas’s posterous

Sometimes I Rant Too Long for Twitter. Then it Goes Here.

Chrome has Extensions, But They're Useless for Security

I really like Chrome as a browser. It's efficient, fast, and a powerhouse of future web technologies. On the Mac, it's a little bit faster than Firefox. On every platform, it just takes up less screen real estate than the competition.

But the reason I keep launching Firefox every day is the simple fact that Chrome doesn't have the same extension support as Firefox. There are a few addons that I simply require for my daily life, and I've posted a few of them before. The most important of which is NoScript.

I'm a security-conscious guy. And I'm not going to stop being a security-conscious guy when it comes to web browsers. Extensions like NoScript and Flashblock, among others, let me shrink my attack surface as much as I possibly can, and allow me to choose who I trust to push risky web components onto my delicate, precious computer. Chrome, in its current state, does not have the infrastructure to support these advanced plugins, however.

An October blog post from Hackademix, the blog from the guy behind NoScript, explains. Extensions like NoScript have to hook deep into the bowels of the browser in order to prevent the loading or execution of things like JavaScript or Flash. Chrome does not have those hooks available, which means that it loads everything, every time. Yes, there's a Flashblock for Chrome. But the extension loads the Flash and then hides it, which means it offers no protection from Flash-based vulnerabilities. The Adblockers for Chrome don't speed up your browsing, either, as they load ads but then go about hiding them.

The post above has a demo that circumvents the Flashblock extension as a demonstration, to prove his point. He also speculates that Google may have crippled Chrome extensions by design, in order to avoid effective ad blocking. Obviously, the popularity of ad blocking technology for Firefox probably causes anxiety for an advertising-based company, such as Google. I guess we'll see; I can't think of any other reason to keep these limits in place.

Filed under  //   Chrome   Firefox   Google   Security  

Quick Tech Note - Managing Privacy in Firefox

Firefox 3.6 Release Candidate 1 (www.mozilla.com/en-US/firefox/all-beta.html) came out recently, after which I decided to poke through my extensions and plugins and trim the fat. I usually use a Release Candidate as a good excuse to do this, and to research other plugins that may have cropped up since I last went looking. 3.6 RC1, by the way, is fantastic and you should go ahead and install it if you're on a Mac.

There are three Firefox Extensions that give me a reason to stay with Firefox over Chrome. One of them is called CookieSafe and while it's not the most user-friendly little guy, I think it's important. Cookies are pieces of information that web sites you visit can store in your browser to identify you. This is how, for example, Amazon keeps you logged in even though you close your browser and re-open it. And I like Amazon.com having that kind of power, but do I want any of the other random sites I visit to be able to do the same? Not usually. CS makes it easy to Allow or Deny particular sites' cookies. I set it to Globally block everything, and then enable sites that I want to be able to keep up with me.

The second is a neat little guy called NoScript. The idea is the same as CookieSafe above, but for JavaScript. JavaScript is what makes the web work these days, but it's a fundamentally scary thing. If you leave it universally on, any site you visit basically hands your browser tiny programs for it to execute. Almost all security vulnerabilities that crop up in browsers these days and compromise machines utilize JavaScript in one way or another. NoScript allows you to say "Sure, let Amazon.com run JavaScript but don't load the JavaScript from that ad agency." Again as above, I block all and then allow the ones I trust.

The third is called Flashblock, and it is the most user-friendly of the three. Instead of automatically loading and playing Flash (such as those giant moving ads or embedded videos), Flashblock lets you selectively load Flash objects. So if you go to a website that uses egregious Flash ads and has an embedded video, neither will load. But you can click on the Flashblock symbol where the video is located, and it'll play for you. This also makes pages load a lot faster, sometimes.

And now I have another to add, discovered yesterday.

It's called Better Privacy, and I got really excited seeing it. One of the problems with all the methods above, and with browsers in general, is that they don't deal with so-called "Flash Cookies." Flash cookies are the same as cookies mentioned above, but specific to Flash (which powers sites such as YouTube, and just about every current video player) and are NOT cleared when you clear out your cookies through the browser setting. They are, technically, not a part of the browser. Because Flash is a plugin, they exist within the plugin and are generally not talked about. The problem with these Flash Cookies is that ad agencies and web sites use them to track you. These companies realized that people have started clearing cookies and using things like CookieSafe, so they are using this workaround to track people who specifically don't want to be tracked. And just about every ad agency and web video service (cough, YouTube, cough) does this.
Better Privacy, though, clears them for you. No web site uses these things for legitimate reasons, such as keeping your shopping cart current. The only reason to use these things is to track you without your consent. Load up Better Privacy and you will be dismayed to discover how many sites are doing this, and not talking about it. These suckers even bypass the "Private Browsing" options for Firefox and Chrome. So, I set BP to clear the things out every time I close my browser.
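
To see what "not a part of the browser" means on disk, here is an added example (not from the original post, and not Better Privacy's code) that lists Flash cookie (`.sol`) files by the site that set them and clears everything outside an allow list. The storage paths, the directory layout and the function names `find_lsos`, `clear_lsos` and `build_sample` are assumptions of this sketch; the domains in the sample tree are made up.

```python
from collections import defaultdict
from pathlib import Path

# Commonly documented Flash Player storage roots (assumption: not given in the post).
DEFAULT_ROOTS = [
    Path.home() / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
    Path.home() / ".macromedia/Flash_Player/#SharedObjects",  # Linux
]

def find_lsos(root):
    """Return {domain: [paths]} for every .sol file under one #SharedObjects root.

    Assumed layout: <root>/<random profile dir>/<domain>/.../<name>.sol
    """
    by_domain = defaultdict(list)
    root = Path(root)
    if root.is_dir():
        for sol in sorted(root.rglob("*.sol")):
            parts = sol.relative_to(root).parts
            if len(parts) >= 3:  # profile dir, domain, file name
                by_domain[parts[1]].append(sol)
    return dict(by_domain)

def clear_lsos(root, keep=()):
    """Delete .sol files for every domain not in `keep`; return how many were removed."""
    removed = 0
    for domain, files in find_lsos(root).items():
        if domain not in keep:
            for path in files:
                path.unlink()
                removed += 1
    return removed

def build_sample(root):
    """Create a constructed LSO tree (made-up domains) for a dry run."""
    for rel in ("AB12CD34/video.example/player/settings.sol",
                "AB12CD34/ads.example/track.sol",
                "AB12CD34/ads.example/sub/id.sol"):
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\x00\xbf constructed placeholder")

if __name__ == "__main__":
    # Read-only report against the real profile; nothing is deleted here.
    for root in DEFAULT_ROOTS:
        for domain, files in sorted(find_lsos(root).items()):
            print(f"{domain}: {len(files)} Flash cookie file(s)")
```

Run as a script it only reports; call `clear_lsos` on a root with a `keep` set to actually delete.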

I also discovered TACO, which is a simple-but-brilliant idea. Cookies can be used by ad agencies to track and spy on you, but many ad agencies allow you to specifically opt out of their networks. These links are hard to find and a pain to manage... unless you have TACO! TACO makes sure that these cookies are set for you at all times, just as an extra little bit of protection.

Filed under  //   Firefox   Firefox Extensions   Privacy   Tech Note   Tip