Comments on: Browser Plugins, Add-Ons and Security Advisers

By: All protection you need for your Internet Security | Today News, Technology, Wordpres

Thu, 04 Jun 2009 09:01:47 +0000

[…] this free, open source add-on allows JavaScript, Java and Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online […]

By: kimm

kimm — Thu, 28 May 2009 07:13:23 +0000

That honor actually goes to Opera, which had tabbed browsing even before Firefox did. Some say that Opera invented tabbed browsing - http://wiwapia.com/en/browsing

By: All protection you need for your Internet Security | FileNetwork Blog

All protection you need for your Internet Security | FileNetwork Blog — Sat, 14 Mar 2009 11:24:48 +0000

[…] mozilla-based browsers: this free, open source add-on allows JavaScript, Java and Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank), and provides the […]

By: Giorgio

Giorgio — Fri, 27 Feb 2009 18:21:44 +0000

@taverngeek:
you always need to start with the main site (the one in the location bar, also shown in bold by NoScript menu).
For other sites you should use a bit of common sense (e.g. starting with those which resemble the main one, like cnn.com/cnn.net).
However an “About these sites…” menu item is planned, opening a page with information about every site listed.

By: taverngeek

taverngeek — Fri, 27 Feb 2009 17:26:42 +0000

Can NoScript show what site it is blocking when it blocks javascript or so on? I hate having to randomly give permissions to site in hopes that’ll be the one that lets me execute a javascript submit button or so on.

By: Johannes la Poutre

Johannes la Poutre — Fri, 13 Feb 2009 12:05:14 +0000

Regarding secure updates of Firefox Add-ons: there is even a third option without using SSL.
You sign the extension’s install.rdf and, for every update, the corresponding update manifest, witch a signed checksum of the new installer package (.xpi).

This is well documented [1] and there is a XULRunner based tool available, McCoy [2], which takes care of all of the signing actions.

I chose this approach for the Twones Firefox Add-on, which is currently in private beta and only distributed from our own website at www.twones.com.

The bottom line is: if you trusted the extension when you installed it first, you also trust future updates which are signed with the same key.

So this enables secure auto-update over plain http!

1. https://developer.mozilla.org/en/Extension_Versioning%2c_Update_and_Compatibility#Securing_Updates
2. https://developer.mozilla.org/en/McCoy

By: Tom T.

Tom T. — Thu, 12 Feb 2009 08:20:21 +0000

@ pwnedwatchingfartporn says:
"Bottom line is that enabling a script remains a crapshoot, even on fully patched systems. How annoying that after all these years, I still canât watch online videos, etc, without placing my system at risk."

May I recommend Sandboxie? 3w dot sandboxie dot com. It’s free, but it’s nagware, and the nag screens keep getting worse with each update. If you get v3.02 or earlier, it’s just a single mouse click to go away. Although the name was (cleverly) derived from "Sandbox IE", you can also sandbox Fx or any other app, including, say, Apple Quick Time. So you can watch your movies inside the SB browser, or d/l them to the desktop inside SB, without worrying that anything in there can affect your machine. SB makes a virtual clone of the particular app (i. e., IE, or Fx) and necessary Reg hive, and renders the rest of your hard drive read-only to the sandboxed process. When done, empty the sandbox, and viruses, germs, STDs, etc. are flushed down the drain. Your hard drive remains virginal. And of course, you can still use NS inside SB for further protection (like wearing two condoms).

I have no personal connection with Sanboxie or its developer, but I recommend it whenever I can, just as I have no personal connections to Giorgio, but recommend NS whenever I can.

Watch whatever you like without placing your system at risk. Cheers!

By: Giorgio

Giorgio — Mon, 09 Feb 2009 21:50:36 +0000

@Dan:
last time I’ve been involved in a discussion about binary components (AMO 2.0 times, long ago), there was an orientation to mandate source code inclusion in the XPI for those add-ons containing them, FWIW (of course, nobody can grant the binary is actually related to the source). FlashGot’s XPI does include C++ sources, for instance. Has this policy been abandoned, after all?

By: Vadusik

Vadusik — Mon, 09 Feb 2009 21:44:12 +0000

FlashGet 3 …

By: Security Grills | Homelybedside

Security Grills | Homelybedside — Mon, 09 Feb 2009 20:12:58 +0000

[…] …Business Web Directory Blog » Blog Archive Charbroil Grills …Related Blogs on Securityhackademix.net » Browser Plugins, Add-Ons and Security AdvisersZabthink taining for SOA security » Computer internet security0Related Blogs on Security GrillsReal […]