| View previous topic :: View next topic |
| Author |
Message |
crouse
Site Admin
Joined: 17 Apr 2024
Posts: 11833
Location: Iowa
|
|
| Back to top |
|
lynch
Moderator
Joined: 15 Nov 2024
Posts: 2659
Location: The Diamond State
|
|
| Back to top |
|
crouse
Site Admin
Joined: 17 Apr 2024
Posts: 11833
Location: Iowa
|
|
| Back to top |
|
crouse
Site Admin
Joined: 17 Apr 2024
Posts: 11833
Location: Iowa
|
 Posted: Sat Mar 18, 2024 10:13 pm Post subject: |
 |
|
Useful Firefox Security Extensions
http://www.cerias.purdue.edu/weblogs/coj/secure-it-practices/post-22/
| Quote: |
Mozilla’s Firefox browser claims to provide a safer browsing experience out of the box, but some of the best security features of Firefox are only available as extensions. Here’s a roundup of some of the more useful ones I’ve found.
* Add n’ Edit Cookies
This might be more of a web developer tool, but being able to view in detail the cookies that various sites set on your visits can be an eye-opening experience. This extension not only shows you all the details, but lets you modify them too. You’ll be surprised at how many web apps do foolish things like saving your password in the cookie.
* Dr. Web Anti-Virus Link Checker
This is an interesting idea — scanning files for viruses before you download them. Basically, this extension adds an option to the link context menu that allows you to pass the link to the Dr. Web AV service. I haven’t rigorously tested this or anything, but it’s an interesting concept that could be part of an effective multilayer personal security model.
* FormFox
This extension doesn’t do a whole lot, but what it does is important — showing a tooltip when you roll over a form submission button of the form action URL. Extending this further to visually differentiate submission buttons that submit to SSL URLs would be really nice (as suggested by Chris Shiflett).
* FlashBlock
Flash hasn’t been quite as popular an attack vector as Javascript, but it still potentially could be a threat, and it’s often an annoyance. This extension disables all embedded Flash elements by default (score one for securing things by default), allowing you to click to activate a particular one if you like. It lacks the flexibility I’d like (things like whitelists would be very handy), and doesn’t give you much (any?) info about the Flash element before you run it, but it’s still a handy tool.
* LiveHTTPHeaders & Header Monitor
LiveHTTPHeaders is an incredibly useful too for web developers, displaying all of the header traffic between the client and server. Header Monitor is basically an add-on for LiveHTTPHeaders that displays a chosen header in Firefox’s status bar. They’re not really specifically security tools, but they do offer a lot of info on what’s really going on when you’re browsing, and an educated user is a safer user.
* JavaScript Option
This restores some of the granularity Firefox users used to have over what Javascript can and cannot do. I’d like to see this idea taken farther (see below), but it’s handy regardless.
* NoScript
This extension is pretty smooth. Of all the addons for Firefox covered here, this is the one to get. NoScript is a powerful javascript execution whitelisting tool, allowing full user control over what domains allow scripts to run. Notifications of blocked execution and the allowed domain interface are nearly identical to the built-in Firefox popup blocker, so users should find it comfortable to work with. NoScript can also block Flash, Java, and “other plugins;” forbid bookmarklets; block or allow the “ping” attribute of the tag; and attempt to rewrite links that execute javascript to go to their intended donation without triggering the script code.
The one thing I’d really like to see from this extension would be more ganularity over what the Javascript engine can access. Now it’s only “on” or “off,” but being able to disable things like cookie access would eliminate a lot of potential security issues while still letting JS power rich web app interfaces. Also read Pascal Meunier’s take on NoScript.
* QuickJava
Places handy little buttons in the status bar that let you quickly enable or disable Java or Javascript support. Note that this will not work with the latest stable Firefox (1.5.0.1). Hopefully a new version will be available soon.
* ShowIP
This is another tool that isn’t aimed at security per se, but offers a lot of useful information. ShowIP drops the IP address of the current site in your status bar. Clicking on it brings up a menu of lookup options for the IP, like whois and DNS info. You can add additional web lookups if you like, as well as passing the IP to a local program. Handy stuff.
* SpoofStick
The idea with this extension is to make it easier to catch spoofing attempts by displaying a very large, brightly colored “You’re on ” in the toolbar. For folks who know what they’re doing this isn’t wildly useful, but it could be just the ticket for less savvy users. It requires a bit too much setup for them, though, and in the end I think this is something the browser itself should be handling.
* Tamper Data
Much like LiveHTTPHeaders, Tamper Data is a very useful extension for web devs that lets the user view HTTP headers and POST data passed between the client and server. In addition, Tamper Data makes it easy for the user to alter the data being sent to the server, which is enormously useful for doing security testing against web apps. I also like how the data is presented in TD a bit better than LiveHTTPHeaders: it’s easier to see at a glance all of the traffic and get an overall feel of what’s going on, but you can still drill down and get as much detail as you like.
|
_________________
Veronica - Arch Linux 64-bit -- Kernel 2.6.33.4-1
Archie/Jughead - Arch Linux 32-bit -- Kernel 2.6.33.4-1
Betty/Reggie - Arch Linux (VBox) 32-bit -- Kernel 2.6.33.4-1
BumbleBee - OpenSolaris-SunOS 5.11
|
|
| Back to top |
|
gerrynjr
Member
Joined: 13 Oct 2024
Posts: 291
|
|
| Back to top |
|
coastie
Moderator Bot
Joined: 24 Apr 2024
Posts: 3064
Location: The Fox Den in the Big Easy
|
| Posted: Sun Mar 19, 2024 12:20 am Post subject: |
|
|
| nice list crouse
_________________
Ubuntu on the thinkpad
Easy Peasy on the EEEPC
Desktop is down.
|
|
| Back to top |
|
JP
Linux Guru
Joined: 07 Jul 2024
Posts: 6670
Location: Central Montana
|
| Posted: Sun Mar 19, 2024 5:04 am Post subject: |
|
|
| Thanks crouse, bookmarked!!
_________________
Dell Box - Arch Linux
Dell Lappy - DreamLinux 3.5 - Default OS
Mepis 8.0 - Backup
|
|
| Back to top |
|
Germ
Keeper of the BIG STICK
Joined: 30 Apr 2024
Posts: 12452
Location: Planet Earth
|
| Posted: Sun Mar 19, 2024 2:17 pm Post subject: |
|
|
| yea, I've been using it with Mozilla for a while.
_________________
Laptop: Mandriva 2024 PowerPack - 2.6.33.5-0.2mnb
Desktop: Mandriva 2024 Free - kernel 2.6.33.2-1mib
|
|
| Back to top |
|
mmmna
. . . .
Joined: 21 Apr 2024
Posts: 7224
|
| Posted: Mon May 18, 2024 6:30 pm Post subject: Get in there! User Agent Switcher tricks. |
|
|
I've really liked User Agent Switcher, but wondered if there was more I could do with it.
Yesterday, I learned that I could set User Agent Switcher to impersonate a Googlebot, if I wanted to.
Addictive Tips offered a clear 'how to' on that subject as they described how to view a site that requires registration.
In essence, they say create a Googlebot because those bots are allowed access without registering.
In Firefox, go to Tools -> User Agent Switcher -> Options -> Options.
Select User Agent from the left sidebar and click Add.
description: crawl-66-249-66-1.googlebot.com
user agent: Googlebot/2.1 (+http://www.googlebot.com/bot.html)
app name: blank
app version: blank
platform: blank
vendor: blank
vendor sub: blank
click ok.
Select GoogleBot as your User Agent and visit the site.
Then I got to wondering if the "Addictive Tips" information might fail at some point, since they gave a specific name to the bot and word could get out to disable specific bots; I decided to search for 'Googlebots'.
I selected AltaVista as a search engine (because I suspected Google might suppress information about their 'team'), I searched for Googlebot and I got an eye full.
http://www.smart-it-consulting.com/internet/google/googlebot-spoofer/index.htm says this:
| Code: | This tool spoofs the HTTP_USER_AGENT imitating these search engine crawlers:
Crawler User Agent
====== =========
Alexa-1 ia_archiver
Alexa-2 ia_archiver-web.archive.org
AskJeeves-Teoma Mozilla/2.0 (compatible; Ask Jeeves/Teoma; +http://sp.ask.com/docs/about/tech_crawling.html)
Googlebot-2.1 Googlebot/2.1 (+http://www.google.com/bot.html)
Googlebot-Mozilla-2.1 Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Google-AdSense-2.1 Mediapartners-Google/2.1
MSN-1.0 msnbot/1.0 (+http://search.msn.com/msnbot.htm)
Yahoo-Slurp Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
ZyBorg-1.0 Mozilla/4.0 compatible ZyBorg/1.0 (wn-14.zyborg@looksmart.net; http://www.WISEnutbot.com) |
Creating a user agent with each pair in the list should let you into areas where only bots are allowed. That could make for interesting discussions, and could help explain how to troubleshoot search engine ranking.
|
|
| Back to top |
|
Germ
Keeper of the BIG STICK
Joined: 30 Apr 2024
Posts: 12452
Location: Planet Earth
|
| Posted: Mon May 18, 2024 6:57 pm Post subject: |
|
|
| Nice find.
_________________
Laptop: Mandriva 2024 PowerPack - 2.6.33.5-0.2mnb
Desktop: Mandriva 2024 Free - kernel 2.6.33.2-1mib
|
|
| Back to top |
|
JP
Linux Guru
Joined: 07 Jul 2024
Posts: 6670
Location: Central Montana
|
| Posted: Mon May 18, 2024 8:28 pm Post subject: |
|
|
| I've got user/agent switcher now and use it every so often, I also downloaded ghost (it puts up a little notice icon on the right-hand side that tells me who is watching me when I change pages) and Download Helper and noscript ...... I like Download Helper, but I'd just as soon get rid of noscript .... it stopped me from viewing, every place I went, even shut down my access to some websites when I was Googling for things .... I've disabled it and now everything works fine.
_________________
Dell Box - Arch Linux
Dell Lappy - DreamLinux 3.5 - Default OS
Mepis 8.0 - Backup
|
|
| Back to top |
|
mmmna
. . . .
Joined: 21 Apr 2024
Posts: 7224
|
| Posted: Tue May 19, 2024 3:35 am Post subject: |
|
|
noscript was too heavy handed for me, too. It lasted 3 websites for me. Goes to show how much some sites rely on script.
Ghost... hmm. Gotta research that one.
|
|
| Back to top |
|
Wide
Member
Joined: 08 Dec 2024
Posts: 252
Location: Signal Hill, California
|
| Posted: Sun May 24, 2024 5:19 am Post subject: |
|
|
Love it
'Thanks
_________________
Ubuntu, Debian, CentOS
|
|
| Back to top |
|
|
