Comments on: 8 Firefox extensions towards safer browsing

By: SB

SB — Tue, 20 May 2008 11:58:08 +0000

It looks like Firefox are actually looking at providing better protection against XSS & CSRF: http://www.theregister.co.uk/2008/05/20/new_firefox_security_protections/

Heres hoping IE does the same!

By: dre

dre — Tue, 13 May 2008 19:26:47 +0000

FireKeeper has been around for awhile but doesn’t seem to be going in any direction. NoScript is where it’s at…

By: xavim

xavim — Tue, 13 May 2008 15:01:20 +0000

There’s an extension that works like an IDS but it’s still an alpha: FireKeeper

http://firekeeper.mozdev.org/

Not sure about protecting CSRF…

By: SB

SB — Fri, 04 Apr 2008 08:37:29 +0000

Been thinking about this a bit more.
I _think_ such a feature would provide some protection against ‘remote’ CSRF attacks, but not against CSRF attacks that were made using a link posted to the same site being attacked (eg in user generated content). I guess most banks wont allow user generated content in their sites for this reason.
However that still leaves many sites vulnerable that a user might want to protect.
The extension could allow a user to specify a subset of a site to protect (my.bank.com/onlinebanking) but that requires the user to delve into the site structure, and the protection breaks if the site structure changes.
A better solution might be if sites could actually specify in (for example) the HTML header the URLs that they think should be allowed to link to a specific page.
That could be abused to try to stop deep linking, but if browsers just warned about a potential issue then it would be in the users control. Of course that would require all of the major browser support such a feature, so that isnt going to happen!

By: Marcin

Marcin — Thu, 03 Apr 2008 19:12:46 +0000

@SB, you’re right about LocalRodeo not protecting against CSRF hotlinking. I’m not sure if RequestRodeo implements this functionality — I will get back to you on that this weekend. If it doesn’t, it sounds like a great feature request!

By: SB

SB — Thu, 03 Apr 2008 12:55:07 +0000

None of these add-ons will protect againt a CSRF attack that simply uses an image src URL.
Would a way to protect against such attacks be an add-on that would block any attempts to access URLs from any remote site for a set of sites that the user specifies?
I could then specify that my browser wouldnt follow any links to my.bank.com - which wouldnt impact me as I could either type in its URL or use a bookmark.

By: click73

click73 — Wed, 26 Mar 2008 15:05:06 +0000

@Pete

People who use AdBlock to block all adverts aren’t a bad thing. They raise your click/view ratio on the ads that do get seen and save bandwidth.

By: dre

dre — Wed, 26 Mar 2008 12:19:23 +0000

@ Pete:

You’ll be interested to know, that of the above Firefox add-ons, Adblock Plus is the only one that I don’t use. However, I do use the full CookieSafe version and not the Lite version, as mentioned earlier.

In Internet Explorer, I often use McAfee SiteAdvisor and the Netcraft Toolbar plugins. I wish that Safari had similar protections.

By: Marcin

Marcin — Wed, 26 Mar 2008 11:28:24 +0000

@Pete: Sure, you can argue that, but the same can be done using TiVo for television. I’d rather err on the side of caution and just block ads. I never clicked on ads anyways, so whatever you’re trying to say about people being selfish for using adblock, save it for someone who cares.

By: Pete White

Pete White — Wed, 26 Mar 2008 10:54:03 +0000

The link between blocking ads and security is lame. Most of the internet is supported by adverts, some selfish individuals use Adblock because they don’t like the ads but to say its to help security is just bad information.

The McAfee site advisor plugin is a good one which integrates into your search results telling you which ones are safe.