A while back I mentioned that I dropped Google Chrome and returned to Firefox. My reasoning revolved around features unavailable in Chrome which was available in Firefox through extensions. Well the two features I wanted most have been added in a previous build of Chrome: the ability to block all scripting except for pages I white list, and better cookie management. Yes I’m still on Firefox. Why? Because Chrome’s script blocking and cookie management features are severally lacking in my opinion.
In Chrome’s advanced settings you can chose to block all scripting and cookies from sites not on your white list. This is exactly what I want as scripting is the defacto method of exploiting a computer these days and cookies are tools for spying on sites you visit. The problem is Chrome’s interface for it’s script blocking sucks. If a site has scripts that are being blocked an icon appears in the address bar. If you click on this icon you have two options: keep blocking scripts or white list the sight. NoScript on Firefox gives a third option I’m very fond of, temporarily allow scripting. I only white list sites I trust and visit frequently. But oftentimes I find myself visiting websites that require scripting to be enabled in order to gleam information from. In this case I temporarily allow scripting, get the information I need, and know that scripting will be disabled automatically for that site when I close my browser. It’s a great feature.
So yes Firefox is a much slower browser that is a big on resources. But the power extension developers have in Firefox means you can make the browser extremely secure whereas in Chrome you can’t enhance its security outside of methods Google allows. Due to this I’m still on Firefox and will be for the foreseeable future. Since I’m here I thought I’d let everybody know what security related extensions I’m using.
NoScript: I love this extensions. I will go so far as to say this extension is the primary reason I’m still using Firefox. What it does is blocks all scripting on all websites unless you add said site to your white list. You can add a site to your white list either permanently or only temporarily if it’s a site you don’t plan on visiting again. It complicates web browsing and therefore isn’t for everybody (or even most people I’d venture to say). As a benefit most of those annoying flashing advertisements get blocked when using NoScript. This extension is constantly being updated with new security related features.
CookieSafe: Cookie safe is a plugin that allows you to managed website cookies. There are three options available for each web site. The first, and default settings, is to block cookies all together. The second option is to temporarily allow cookies (they will be wiped out upon closing your browser) and the third option is to add the website to your white list which will allow cookies for that domain. The plugin only allows cookies from specific domains meaning you don’t have to worry about third party cookies getting onto your system (although this feature is available on most major browsers the implementations generally suck).
Certificate Patrol: I’ve mentioned a research paper I’ve read recently that talks about SSL security and it’s ability to be exploited by governments. Although there is no sure fire way to detect and prevent this kind of exploit you can strongly mitigate it. Certificate Patrol is an extension that displays all major certificate information for a secure web page the first time you visit it or when the certificate changes. So when you visit www.example.com the certificate information (we’ll assume it’s a secure site) will be promptly displayed by Certificate Patrol the first time you navigate your way there. If the certificate changes when you visit the site again the new certificate information will be displayed including what has changed. One mechanism to catching a certificate is looking at the issuer. For instance Internet Explorer trusts the root certificate for the Hong Kong Post Office. If you visit www.example.com and Certificate Patrol notifies you that the certificate has changed and the new one is provided by a different root authority you know something could be up. If the site’s certificate was previously provided by VeriSign and the new one is provided by the Hong Kong Post Office you know something is probably fishy. This could point to the fact the sight is not actually www.example.com but a site made by the Chinese government in order to capture information about dissidence who visit www.example.com (obviously some DNS spoofing would be required to redirect visitors to their site as well).
Those three extensions help mitigate many common web based attacks. This post is not to say none of this can be done in Chrome though. For instance you can manually check for certificate changes in Chrome but you will have to do it every time you visit a site to see if the certificate changed or not. Certificate Patrol simply automates that task. Likewise you can block cookies and scripting in Chrome but the interface to do either is more cumbersome than using CoockieSafe and NoScript.
Personally I value security over performance and that is why I’m still sticking with Firefox.