Comments on: Unusual List

By: RNiK

RNiK — Thu, 15 May 2008 11:00:59 +0000

Good suggestions Giorgio, I will put them in my next extension review article (sorry, only italian version).

By: fotoflo

fotoflo — Mon, 12 May 2008 02:12:57 +0000

Both of you neglected to mentioned MailCloak or any other web mail encryption tool…

By: arimfe

arimfe — Mon, 05 May 2008 19:28:46 +0000

Marcin, apropos Refcontrol it’s a fun little extension with the potential to piss off a lot of webmasters with hotlinking ;)
But its gem isn’t its disabling capability of httpreferer, it’s the capability to forge a fake referer. By default it fakes the root of the info gathering site. But you can set it to fake any referer you want, and for any specific site you want.
It’s always better to deceive them instead of directly denying the info. I set my global values to 3rd party Forge, because it’s rather harmless if the 1st party site knows I came from one of its own other pages.

By: Marcin

Marcin — Thu, 01 May 2008 21:50:50 +0000

True, you got me there. They do include 3 extensions I haven’t mentioned (passhasher? Now I’m curious as to how they’re hashing passwords..)

As far as trusted sites getting compromised, what I meant was if the the JS source, such as (cnn.com/script.js) was compromised then you got a problem. But yeah, that’s the imprecision in that. I should probably update the article since it gets HUGE traffic from StumbleUpon.

By: Giorgio

Giorgio — Thu, 01 May 2008 19:42:02 +0000

Marcin:
I wouldn’t say a ripoff: there’s also WOT instead of RefControl, and both the style and the targeted audience are quite different than yours, which is more technical.
That said, your article is very good, even if the part about NoScript contains a little imprecision. You wrote:

If a site you “trust” is compromised (e.g. cnn.com), any code on that site is run.

This warning on whitelists applies verbatim to Opera’s Site Preferences, for instance.
NoScript users, though, are in a far better position, because trusted sites can run code entirely embedded in their pages or downloaded directly from internal hosts (e.g. ).
In most cases, like in the recent mass web site attack, the compromised “trusted” site loads malicious scripts from external servers using IFRAME or SCRIPT tags (the infamous ): those domains are very unlikely to be “trusted” and whitelisted, and therefore are still blocked by NoScript.

By: Marcin

Marcin — Thu, 01 May 2008 18:15:12 +0000

Alright. WTF. This article is a ripoff of what I did last August! Only now I would skip CS Lite and FoxyProxy and go with CookieSafe (full version) and SwitchProxy Tool. Not cool…

http://www.tssci-security.com/archives/2007/08/15/8-firefox-extensions-towards-safer-browsing/