A Geek With Guns

Chronicling the depravities of the State.

Firefox For The Truly Paranoid


A while back I mentioned that I dropped Google Chrome and returned to Firefox. My reasoning revolved around features unavailable in Chrome which were available in Firefox through extensions. Well, the two features I wanted most have since been added in a build of Chrome: the ability to block all scripting except for pages I white list, and better cookie management. Yes, I’m still on Firefox. Why? Because Chrome’s script blocking and cookie management features are severely lacking in my opinion.

In Chrome’s advanced settings you can choose to block all scripting and cookies from sites not on your white list. This is exactly what I want, as scripting is the de facto method of exploiting a computer these days and cookies are tools for spying on the sites you visit. The problem is Chrome’s interface for its script blocking sucks. If a site has scripts that are being blocked an icon appears in the address bar. If you click on this icon you have two options: keep blocking scripts or white list the site. NoScript on Firefox gives a third option I’m very fond of: temporarily allow scripting. I only white list sites I trust and visit frequently. But oftentimes I find myself visiting websites that require scripting in order to glean information from them. In this case I temporarily allow scripting, get the information I need, and know that scripting will be disabled automatically for that site when I close my browser. It’s a great feature.

Likewise NoScript blocks more than scripting. It also notifies you of things like attempted cross-site scripting attacks, forces cookies from a secure site to be sent via HTTPS, and blocks all plugin components like Flash movies until I give my express go-ahead. But Firefox has some other features available via plugins that I can’t replace in Chrome because, frankly, Chrome’s extension support sucks. In Chrome an extension can’t block items from being downloaded when you view a page. For instance, if you install Adblock in Chrome the advertisements from any website you visit will always be downloaded, but Adblock will simply hide them through the use of CSS. Firefox, on the other hand, gives extension developers granular control. For instance, if I set NoScript to block scripting on www.example.com no JavaScript files will be downloaded when I navigate to www.example.com. Likewise Flash advertisements will not be downloaded unless I enable scripting and click on the individual Flash item.

Overall Chrome is more secure than Firefox’s default installation. In Chrome everything runs in a sandbox, which means in order to exploit the browser you must exploit both its rendering engine (WebKit) and its sandbox. Using the right extensions in Firefox I can ensure no potentially malicious scripts are even downloaded to begin with. An ounce of prevention is worth a pound of cure. Ensuring malicious code is never downloaded in the first place is a better security option than downloading the code and depending on the sandbox to prevent anything bad from happening. Ideally having both abilities is the best option, which Chrome allows for JavaScript, but again it doesn’t check for other potentially malicious content like NoScript does.

So yes, Firefox is a much slower browser that is heavy on resources. But the power extension developers have in Firefox means you can make the browser extremely secure, whereas in Chrome you can’t enhance its security outside of the methods Google allows. Due to this I’m still on Firefox and will be for the foreseeable future. Since I’m here I thought I’d let everybody know what security related extensions I’m using.

NoScript: I love this extension. I will go so far as to say this extension is the primary reason I’m still using Firefox. It blocks all scripting on all websites unless you add the site to your white list. You can add a site to your white list either permanently or only temporarily if it’s a site you don’t plan on visiting again. It complicates web browsing and therefore isn’t for everybody (or even most people, I’d venture to say). As a side benefit, most of those annoying flashing advertisements get blocked when using NoScript. This extension is constantly being updated with new security related features.

CookieSafe: CookieSafe is a plugin that lets you manage website cookies. There are three options available for each web site. The first, and default, setting is to block cookies altogether. The second option is to temporarily allow cookies (they will be wiped out upon closing your browser) and the third option is to add the website to your white list, which will allow cookies for that domain. The plugin only allows cookies from specific domains, meaning you don’t have to worry about third party cookies getting onto your system (although this feature is available on most major browsers, the implementations generally suck).

Certificate Patrol: I’ve mentioned a research paper I read recently that talks about SSL security and its ability to be exploited by governments. Although there is no surefire way to detect and prevent this kind of exploit, you can strongly mitigate it. Certificate Patrol is an extension that displays all major certificate information for a secure web page the first time you visit it or when the certificate changes. So when you visit www.example.com (we’ll assume it’s a secure site) the certificate information will be promptly displayed by Certificate Patrol the first time you navigate your way there. If the certificate has changed when you visit the site again, the new certificate information will be displayed, including what has changed. One way to catch a suspicious certificate is to look at the issuer. For instance, Internet Explorer trusts the root certificate for the Hong Kong Post Office. If you visit www.example.com and Certificate Patrol notifies you that the certificate has changed and the new one is provided by a different root authority, you know something could be up. If the site’s certificate was previously provided by VeriSign and the new one is provided by the Hong Kong Post Office, you know something is probably fishy. This could point to the fact that the site is not actually www.example.com but a site made by the Chinese government in order to capture information about dissidents who visit www.example.com (obviously some DNS spoofing would be required to redirect visitors to their site as well).
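The first-seen / changed / issuer-swapped logic Certificate Patrol performs, written out as an added Python example (not the extension's code). It summarizes the dict shape returned by Python's `ssl.SSLSocket.getpeercert()` plus the DER bytes from `getpeercert(binary_form=True)`; the certificates in `demo()` are constructed stand-ins, not real certificates, so the whole thing runs offline.

```python
import hashlib

def rdn_to_str(rdns):
    # getpeercert() encodes a name as a tuple of RDNs, each a tuple of (key, value) pairs
    return ", ".join(f"{k}={v}" for rdn in rdns for k, v in rdn)

def summarize(peercert, der_bytes):
    """Reduce a getpeercert() dict plus the certificate's DER bytes to the
    fields a Certificate-Patrol-style watcher keeps and compares."""
    return {
        "subject": rdn_to_str(peercert["subject"]),
        "issuer": rdn_to_str(peercert["issuer"]),
        "serial": peercert["serialNumber"],
        "not_after": peercert["notAfter"],
        "sha256": hashlib.sha256(der_bytes).hexdigest(),
    }

def check(store, host, summary):
    """First visit: record and report 'first_seen'. Same fingerprint: 'unchanged'.
    Otherwise: 'changed' plus a diff of {field: (old, new)}, and update the store."""
    old = store.get(host)
    if old is None:
        store[host] = summary
        return "first_seen", {}
    if old["sha256"] == summary["sha256"]:
        return "unchanged", {}
    diff = {k: (old[k], summary[k]) for k in summary if old[k] != summary[k]}
    store[host] = summary
    return "changed", diff

def fake_cert(cn, issuer_org, serial, not_after):
    # Constructed getpeercert()-shaped record, not a real certificate.
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("organizationName", issuer_org),),),
            "serialNumber": serial, "notAfter": not_after}

def demo():
    """Four visits to one host: first sight, repeat, routine renewal, issuer swap.
    Returns (status, issuer_changed) per visit; a new issuer is the post's red flag."""
    host, store, results = "www.example.com", {}, []
    visits = [
        (fake_cert(host, "Example CA A", "01", "Jan  1 00:00:00 2011 GMT"), b"der-1"),
        (fake_cert(host, "Example CA A", "01", "Jan  1 00:00:00 2011 GMT"), b"der-1"),
        (fake_cert(host, "Example CA A", "02", "Jan  1 00:00:00 2012 GMT"), b"der-2"),
        (fake_cert(host, "Example CA B", "03", "Jan  1 00:00:00 2012 GMT"), b"der-3"),
    ]
    for cert, der in visits:
        status, diff = check(store, host, summarize(cert, der))
        results.append((status, "issuer" in diff))
    return results
```

A renewal from the same CA shows up as "changed" with only serial, expiry and fingerprint differing; the fourth visit is the case the post describes, where the issuer itself moves.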

Those three extensions help mitigate many common web based attacks. This post is not to say none of this can be done in Chrome, though. For instance, you can manually check for certificate changes in Chrome, but you will have to do it every time you visit a site to see whether the certificate changed or not. Certificate Patrol simply automates that task. Likewise you can block cookies and scripting in Chrome, but the interface to do either is more cumbersome than using CookieSafe and NoScript.

Personally I value security over performance and that is why I’m still sticking with Firefox.

Written by Christopher Burg

April 21st, 2010 at 11:33 am