Thomas’s posterous

Sometimes I Rant Too Long for Twitter. Then it Goes Here.

Chrome has Extensions, But They're Useless for Security

I really like Chrome as a browser. It's efficient, fast, and a powerhouse of future web technologies. On the Mac, it's a little bit faster than Firefox. On every platform, it just takes up less screen real estate than the competition.

But the reason I keep launching Firefox every day is the simple fact that Chrome doesn't have the same extension support as Firefox. There are a few addons that I simply require for my daily life, and I've posted a few of them before. The most important of these is NoScript.

I'm a security conscious guy. And I'm not going to stop being a security conscious guy when it comes to web browsers. Extensions like NoScript and Flashblock, among others, let me shrink my attack surface as much as I possibly can, and allow me to choose who I trust to push risky web components onto my delicate, precious computer. Chrome, in its current state, does not have the infrastructure to support these advanced plugins, however.

An October blog post from Hackademix, the blog from the guy behind NoScript, explains. Extensions like NoScript have to hook deep into the bowels of the browser in order to prevent the loading or execution of things like JavaScript or Flash. Chrome does not have those hooks available, which means that it loads everything, every time. Yes, there's a Flashblock for Chrome. But the extension loads the Flash and then hides it, which means it offers no protection from Flash-based vulnerabilities. The Adblockers for Chrome don't speed up your browsing, either, as they load ads but then go about hiding them.

The post above includes a demo that circumvents the Flashblock extension, to prove his point. He also speculates that Google may have crippled Chrome extensions by design, in order to avoid effective ad blocking. Obviously, the popularity of ad blocking technology for Firefox probably causes anxiety for an advertising based company, such as Google. I guess we'll see; I can't think of any other reason to keep these limits in place.

Filed under: Chrome, Firefox, Google, Security

Lock Down IE on Windows, Even If You Don't Use It.

Listening to Security Now today, Steve Gibson makes an important point about Internet Explorer on Windows. Whether or not you're using it, it's still there. And if you're forced to use Outlook at work as I am, IE vulnerabilities can still bite you.

What Steve suggests is locking down IE so that it is useful only as a Windows Update tool, which is important in Windows XP. If you're a Windows 7 or Vista user, you can skip the second half of this trick. Everyone should be following the first part, though.

Open up Internet Options and adjust the slider to "High" for "Internet" and "Local Intranet." This will disable JavaScript and practically every other browser option for any non-trusted website that you, or IE, visit. While you're there, make sure that "Trusted Sites" and "Restricted Sites" have their default settings.

Once that's done, select "Trusted Sites" and then click the "Sites" button. To make Windows Update work on Windows XP, you'll need to add the following to the list:

  • *.microsoft.com
  • *.windowsupdate.com

If you have any sites that specifically require IE to function, you'll also want to add those sites to the zone. For my own sanity I had to disable the "Require https:" option for some of the sites for which my workplace requires IE.

Now, when other applications like Outlook access the IE components to render content, that content should be rendered under the "High" security settings that we set earlier, and things like Flash, JavaScript and ActiveX shouldn't be issues. This doesn't mean IE becomes invulnerable, but it's a simple trick to reduce your risk surface, so there's no reason not to do it.
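If you want to check a machine for this setting, or push it out to more than one, the same slider and Trusted Sites list live in the registry. The script below is an added example (not from the post or from Security Now) that audits the zone levels and, with -Apply, makes the changes described above. It assumes the zone ids 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites, that CurrentLevel 0x12000 is the "High" slider position, that zone Flags bit 0x4 is "Require https:", and that IE keeps the per-level action values under TemplatePolicies.

```powershell
# Added example, not the original post's code. Audit the IE zone settings the post
# describes and, with -Apply, set Internet and Local Intranet to "High" and trust the
# Windows Update hosts. Assumptions: zone ids 1..4 as listed below, CurrentLevel
# 0x12000 = "High", zone Flags bit 0x4 = "Require https:", and the High template
# living under TemplatePolicies (the values IE writes when the slider moves).
param([switch]$Apply)
$InetKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Zones   = "HKCU:\$InetKey\Zones"
$Domains = "HKCU:\$InetKey\ZoneMap\Domains"
$TplHigh = "HKLM:\$InetKey\TemplatePolicies\High"
$Levels  = @{ 0x10000='Low'; 0x10500='Medium-Low'; 0x11000='Medium'; 0x11500='Medium-High'; 0x12000='High' }
$Names   = @{ 1='Local Intranet'; 2='Trusted Sites'; 3='Internet'; 4='Restricted Sites' }

function Get-IEZoneLevel([int]$Zone) {
    $cur = (Get-ItemProperty -Path "$Zones\$Zone" -Name CurrentLevel).CurrentLevel
    if ($Levels.ContainsKey($cur)) { $Levels[$cur] } else { 'Custom (0x{0:X})' -f $cur }
}

function Set-IEZoneHigh([int]$Zone) {
    # Moving the slider rewrites every per-action DWORD (e.g. 1400 = active scripting),
    # not just CurrentLevel, so copy the whole High template into the zone.
    $tpl = Get-ItemProperty -Path $TplHigh
    foreach ($p in $tpl.PSObject.Properties) {
        if ($p.Value -is [int] -and $p.Name -ne 'Flags') {
            Set-ItemProperty -Path "$Zones\$Zone" -Name $p.Name -Value $p.Value -Type DWord
        }
    }
}

function Add-IETrustedWildcard([string]$Domain, [switch]$HttpsOnly) {
    # "*.example.com" in the Trusted Sites dialog is stored as key Domains\example.com
    # with a DWORD named "*" (any scheme) or "https" (when "Require https:" is on), value 2.
    $key = Join-Path $Domains $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $(if ($HttpsOnly) { 'https' } else { '*' }) -Value 2 -Type DWord
}

# Audit first: level of each zone, plus whether Trusted Sites still insists on https.
foreach ($z in 1..4) { '{0,-16} {1}' -f $Names[$z], (Get-IEZoneLevel $z) }
$flags = (Get-ItemProperty -Path "$Zones\2" -Name Flags).Flags
'Trusted Sites requires https: {0}' -f [bool]($flags -band 0x4)

if ($Apply) {
    Set-IEZoneHigh 3   # Internet
    Set-IEZoneHigh 1   # Local Intranet
    Add-IETrustedWildcard 'microsoft.com'
    Add-IETrustedWildcard 'windowsupdate.com'
}
```

Run it once without -Apply to see what a machine currently has; if Internet Options later shows the zone as "Custom", the template copy did not match the IE version and the slider should be set by hand.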

Filed under: Internet Explorer, Security, Security Now, Tech Note