As I can easily tell by looking at flashgot.net and noscript.net Apache logs, every day the blogosphere gets flooded by copycat articles about "Top 5 Firefox Extensions" or "Best 10 Add-ons".
Yesterday, though, I was pleased by a slightly different variation: Keeping Safe on the Web: 8 Firefox Addons for Privacy and Security.

  • Once in a while, this is not just a rehash of an AMO category, like recommended or popular.
  • Its item count is a power of 2, rather than banally a divisor or a multiple of 10 ;)
  • It features two often neglected extensions by Stanford University, Safe History and Safe Cache, which can effectively mitigate some interesting attacks on our privacy. Any web page can quite easily discover whether we've visited certain sites, either by exploiting the visual feedback the browser gives for links in our navigation history or by measuring the performance differences caused by our cache. Most people don't know or don't care, but such a vulnerability may be critical if you're under an oppressive regime or you're an interesting blackmail target. Even if these two extensions impose some usability and performance burden (SafeHistory, for instance, scans all the links of a page to "artificially" color them as visited only if they've been previously followed from the same site, and this can cause noticeable unresponsiveness on pages with many links), they're the best defense we've got -- other than clearing both cache and history every time we navigate to a new site -- until these bugs (affecting all the major browsers) are fixed.
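
To make the SafeHistory policy concrete, here is an added JavaScript model (not the extension's own code) of its same-site rule: every visit is remembered together with the site the click came from, and a page's link is reported as visited only if that page's own site previously led there. It assumes that a "site" is simply the URL hostname, and the sniffer.example / bank.example scenario is constructed.

```javascript
// Added example, not SafeHistory's own code: a model of its same-site visited-link rule.
// Each visit remembers the site the click came from; a link counts as "visited" only when
// the current page's site previously led to that URL. Assumption: site = URL hostname.

const siteOf = (url) => new URL(url).hostname.toLowerCase();
const normalize = (url) => url.split("#")[0]; // fragments don't identify a distinct resource

// visits: originating site -> Set of URLs followed from it
function recordVisit(visits, fromUrl, targetUrl) {
  const site = siteOf(fromUrl);
  if (!visits.has(site)) visits.set(site, new Set());
  visits.get(site).add(normalize(targetUrl));
}

// Plain browser behaviour: visited anywhere, ever. This is what a sniffing page can read.
function visitedAnywhere(visits, targetUrl) {
  const key = normalize(targetUrl);
  for (const urls of visits.values()) if (urls.has(key)) return true;
  return false;
}

// Same-site rule: visited only if this page's own site previously led there.
function visitedFrom(visits, pageUrl, targetUrl) {
  const urls = visits.get(siteOf(pageUrl));
  return urls !== undefined && urls.has(normalize(targetUrl));
}

// For every link on a page, compare what global :visited styling would reveal with what
// the same-site rule reveals. Scanning every link is the cost the post mentions.
function classifyLinks(visits, pageUrl, hrefs) {
  return hrefs.map((href) => ({
    href,
    globalVisited: visitedAnywhere(visits, href),
    safeVisited: visitedFrom(visits, pageUrl, href),
  }));
}

// Constructed scenario: the user logged in at bank.example; later a page on
// sniffer.example lists that login URL to learn whether the user is a customer.
function demo() {
  const visits = new Map();
  recordVisit(visits, "https://bank.example/", "https://bank.example/login");
  recordVisit(visits, "https://sniffer.example/", "https://sniffer.example/about");
  return classifyLinks(visits, "https://sniffer.example/", [
    "https://bank.example/login#top",
    "https://sniffer.example/about",
    "https://other.example/",
  ]);
}
```

With the global rule the first link leaks the bank visit; with the same-site rule it does not, while sniffer.example's own internal link is still styled normally.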

Thanks to Dave Drager for the useful reminder.

6 Responses to “Unusual List”

  1. #1 Marcin says:

    Alright. WTF. This article is a ripoff of what I did last August! Only now I would skip CS Lite and FoxyProxy and go with CookieSafe (full version) and SwitchProxy Tool. Not cool...

    http://www.tssci-security.com/archives/2007/08/15/8-firefox-extensions-towards-safer-browsing/

  2. #2 Giorgio says:

    Marcin:
    I wouldn't say a ripoff: there's also WOT instead of RefControl, and both the style and the targeted audience are quite different from yours, which is more technical.
    That said, your article is very good, even if the part about NoScript contains a little imprecision. You wrote:

    If a site you “trust” is compromised (e.g. cnn.com), any code on that site is run.

    This warning on whitelists applies verbatim to Opera's Site Preferences, for instance.
    NoScript users, though, are in a far better position, because trusted sites can run code entirely embedded in their pages or downloaded directly from internal hosts (e.g. <script src="http://cnn.com/script.js"></script>).
    In most cases, like in the recent mass web site attack, the compromised "trusted" site loads malicious scripts from external servers using IFRAME or SCRIPT tags (the infamous <script src=http://www.nihaorr1.com/1.js></script>): those domains are very unlikely to be "trusted" and whitelisted, and therefore are still blocked by NoScript.

  3. #3 Marcin says:

    True, you got me there. They do include 3 extensions I haven't mentioned (passhasher? Now I'm curious as to how they're hashing passwords..)

    As far as trusted sites getting compromised, what I meant was if the JS source, such as (cnn.com/script.js) was compromised then you got a problem. But yeah, that's the imprecision in that. I should probably update the article since it gets HUGE traffic from StumbleUpon.

  4. #4 arimfe says:

    Marcin, apropos RefControl it's a fun little extension with the potential to piss off a lot of webmasters with hotlinking ;)
    But its gem isn't its disabling capability of the HTTP referer, it's the capability to forge a fake referer. By default it fakes the root of the info gathering site. But you can set it to fake any referer you want, and for any specific site you want.
    It's always better to deceive them instead of directly denying the info. I set my global values to 3rd party Forge, because it's rather harmless if the 1st party site knows I came from one of its own other pages.

  5. #5 fotoflo says:

    Both of you neglected to mention MailCloak or any other web mail encryption tool...

  6. #6 RNiK says:

    Good suggestions Giorgio, I will put them in my next extension review article (sorry, only Italian version).
