Linked by Thom Holwerda on Thu 23rd Sep 2010 21:36 UTC, submitted by google_ninja
Internet & Networking Now this is a subject sure to cause some discussion among all of you. LifeHacker's Adam Pash is arguing that Chrome has overtaken Firefox as the browser of choice for what he calls 'power users'; polls among LifeHacker's readership indeed seem to confirm just that. He also gives a number of reasons as to why this is the case.
Thread beginning with comment 442593
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[6]: I need NoScript
by wirespot on Fri 24th Sep 2010 21:09 UTC in reply to "RE[5]: I need NoScript"
wirespot
Member since:
2006-06-21

I just find it baffling.


That's probably because you are clueless.

You are mixing vulnerabilities up. Exploits that target rendering (images, CSS, HTML) and plugins, are used to get out of the browser space and provide remote access to your system. JavaScript vulnerabilities do not provide access to your system but instead to websites that you visit, under your credentials.

Both are equally serious, just the data being exposed is different.

Then there's also the concern with people who don't want to break in anywhere, they just want to spy on you. JavaScript can be used for that too. Remember the "everlasting cookie" article a few days ago? And here's another example:
http://www.mikeonads.com/2008/07/13/using-your-browser-url-history-...

NoScript and cookie whitelist extensions (CookieSafe or Cookie Monster) are extremely useful for protecting your privacy and preventing creative malicious uses of JavaScript. This is stuff that's actively exploited on a wide scale and works no matter what OS the browser runs on, unlike the other type of exploits.

I use such Firefox extensions (and builtin about:config settings) to create a super-hardened browser that I use exclusively when visiting my banking site, sensitive accounts or whenever I have to enter my credit card data. You cannot do that with Chrome (not to mention Google themselves spying on you with it).

Such privacy concerns strike you as paranoid? Suit yourself, it's your choice.

Edited 2010-09-24 21:27 UTC

Reply Parent Score: 3

RE[7]: I need NoScript
by google_ninja on Fri 24th Sep 2010 21:18 in reply to "RE[6]: I need NoScript"
google_ninja Member since:
2006-02-05

you are talking about CSRF and XSS. Any site that gets you with XSS you are probably going to whitelist anyways (like google or facebook), and if you are blocking authentication cookies already, CSRF completely goes away.

As for tracking cookies, unless you release your ip every time you visit a site, who cares if they cookie you? It is not like cookies magically break privacy, all that data is available server side. The only difference is they are able to tell that you are the same person if your ip changes, that is it.

You are right that javascript is a part of CSRF and XSS attacks, but not checking "keep me signed in" on sites you actually care about completely eliminates CSRF, and like I said before, if it is a good site to do an XSS attack on, it is probably a site you have whitelisted anyways.

Extensions like what you are talking about basically play on the fears of people who know just enough to realize the implecations, but not enough to fully understand the concerns.

Reply Parent Score: 2

RE[8]: I need NoScript
by wirespot on Sat 25th Sep 2010 16:57 in reply to "RE[7]: I need NoScript"
wirespot Member since:
2006-06-21

CRSF has nothing to do with JavaScript or cookies. It's about website actions that do not check that you have actually requested that action. Example: a link that deletes something. Someone can feed you that link under false pretexts (look at this cute puppy image!).

CSRF protection is 99% the responsability of the website. There are ways to do that but, once again, nothing to do with JS or cookies (POST instead of GET, intermediate confirmation page, secret tokens in the link etc.)

Now, about XSS. I have only about 50 sites in my NoScript whitelist. I've assembled them over many years and they are not some of the most obvious (ie. Google is not on it). See, the idea is to whitelist sites that actually genuinely need JS all the time to work, and those sites are extremely few. Second, often XSS code comes from third-party sites, not from the one you're on, so whitelisting that site is not a problem.

Granted, an XSS vulnerability can still exist on a site I whitelist. But the overall risk is a lot lower, precisely because I use NoScript.

Reply Parent Score: 2