Comments on: 8 Firefox extensions towards safer browsing

By: Marcin

Marcin — Thu, 01 Apr 2010 15:34:41 +0000

@geoff Whatever, this post is old.

By: geoff

geoff — Thu, 01 Apr 2010 14:56:03 +0000

How can this list not include WOT?

That app alone is the single most safest web browser possible.

By: Pete

Pete — Wed, 03 Dec 2008 14:00:06 +0000

Nice lineup here. I’ve been using noscript, and had heard of a few of these, but there are a bunch that I didn’t know. Nice share. tnx!

By: SB

SB — Tue, 20 May 2008 11:58:08 +0000

It looks like Firefox are actually looking at providing better protection against XSS & CSRF: http://www.theregister.co.uk/2008/05/20/new_firefox_security_protections/

Heres hoping IE does the same!

By: dre

dre — Tue, 13 May 2008 19:26:47 +0000

FireKeeper has been around for awhile but doesn’t seem to be going in any direction. NoScript is where it’s at…

By: xavim

xavim — Tue, 13 May 2008 15:01:20 +0000

There’s an extension that works like an IDS but it’s still an alpha: FireKeeper

http://firekeeper.mozdev.org/

Not sure about protecting CSRF…

By: SB

SB — Fri, 04 Apr 2008 08:37:29 +0000

Been thinking about this a bit more.
I _think_ such a feature would provide some protection against ‘remote’ CSRF attacks, but not against CSRF attacks that were made using a link posted to the same site being attacked (eg in user generated content). I guess most banks wont allow user generated content in their sites for this reason.
However that still leaves many sites vulnerable that a user might want to protect.
The extension could allow a user to specify a subset of a site to protect (my.bank.com/onlinebanking) but that requires the user to delve into the site structure, and the protection breaks if the site structure changes.
A better solution might be if sites could actually specify in (for example) the HTML header the URLs that they think should be allowed to link to a specific page.
That could be abused to try to stop deep linking, but if browsers just warned about a potential issue then it would be in the users control. Of course that would require all of the major browser support such a feature, so that isnt going to happen!

By: Marcin

Marcin — Thu, 03 Apr 2008 19:12:46 +0000

@SB, you’re right about LocalRodeo not protecting against CSRF hotlinking. I’m not sure if RequestRodeo implements this functionality — I will get back to you on that this weekend. If it doesn’t, it sounds like a great feature request!

By: SB

SB — Thu, 03 Apr 2008 12:55:07 +0000

None of these add-ons will protect againt a CSRF attack that simply uses an image src URL.
Would a way to protect against such attacks be an add-on that would block any attempts to access URLs from any remote site for a set of sites that the user specifies?
I could then specify that my browser wouldnt follow any links to my.bank.com – which wouldnt impact me as I could either type in its URL or use a bookmark.

By: click73

click73 — Wed, 26 Mar 2008 15:05:06 +0000

@Pete

People who use AdBlock to block all adverts aren’t a bad thing. They raise your click/view ratio on the ads that do get seen and save bandwidth.