Insights For Success

Strategy, Innovation, Leadership and Security

Chromium

Chrome extensions for the security conscious

General | Edward Kiledjian

Extensions are interesting little technical widgets. Most people assume they are simply tools, but some see them as art. I can learn a lot about a computer user from the browser extensions they have installed and use. As a security professional, I have a handful of security-oriented extensions (in addition to the ones that make the web more usable or that save me money).

I regularly receive requests from readers to list my extensions and, to be honest, they often change. I remove extensions I don't use, deactivate extensions I sometimes use and add new ones that I learn about. So, right now, here are the extensions I think you will find the most useful. They are Google Chrome extensions, but they work in any Chromium browser (like MS Edge).

BuiltWith Technology Profiler

It shows the tech stack a website is built on.

Chaff

Generates random web browsing traffic to obfuscate your actual browsing behaviour and avoid profiling through third-party observation. Think of this as data poisoning for the companies that track you.

ClearURLs

This extension will automatically remove tracking elements from URLs to help protect your privacy when browsing the Internet.
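What ClearURLs does, as an added example in Python rather than the extension's own code: strip known tracking parameters from a URL while keeping the parameters a page actually needs. The parameter names are a small constructed rule set (ClearURLs ships a much larger, per-site list).

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed rule set (assumption, not ClearURLs' list): exact parameter
# names plus prefixes that only ever carry campaign or click tracking.
TRACKING_PARAMS = {"fbclid", "gclid", "dclid", "msclkid", "mc_eid", "igshid", "yclid"}
TRACKING_PREFIXES = ("utm_",)


def is_tracking_param(name):
    """Case-insensitive match against the exact names and the prefixes above."""
    lowered = name.lower()
    return lowered in TRACKING_PARAMS or lowered.startswith(TRACKING_PREFIXES)


def clean_url(url):
    """Return url without tracking parameters.

    Non-tracking parameters keep their order and blank values, the fragment is
    preserved, and a query that becomes empty drops its '?' entirely.
    """
    parts = urlsplit(url)
    kept = [(key, value) for key, value in parse_qsl(parts.query, keep_blank_values=True)
            if not is_tracking_param(key)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))
```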

Click&Clean

A tool that lets you clean up browser tracking data.

Disconnect

Lets you block invisible web trackers.

Distill

A tool that allows you to monitor a webpage and alert you when it changes.

DuckDuckGo Privacy Essentials

This is a Swiss Army knife of internet privacy. Here are the features this extension offers:

  • Escape Advertising Tracker Networks — Our Privacy Protection will block all the hidden third-party trackers we can find, exposing the major advertising networks tracking you over time, so that you can track who's trying to track you.

  • Increase Encryption Protection — We force sites to use an encrypted connection where available, protecting your data from prying eyes, like Internet Service Providers.

  • Search Privately — You share your most personal information with your search engine, like your financial, medical, and political questions. What you search for is your own business, which is why DuckDuckGo search doesn't track you. Ever.

  • Decode Privacy Policies — We’ve partnered with Terms of Service Didn't Read to include their scores and labels of website terms of service and privacy policies, where available.

DuckDuckGo has said “DuckDuckGo has announced that its Chrome browser extension has been updated to block Google's new tracking technology.” You can test whether your browser currently supports FLoC using the EFF's Am I FLoCed website.

EFF Chrome extensions

  • HTTPS Everywhere: switches you to a secure HTTPS connection when available.

  • Privacy Badger: automatically learns to block invisible trackers.

Robots Exclusion Checker

Robots Exclusion Checker is designed to visually indicate whether any robots exclusions are preventing your page from being crawled or indexed by search engines. But a security person could then take those robots files, manually check those pages and find out why the organization doesn't want them indexed. Sometimes the exclusion is because they don't want Google indexing active pages; other times it's because those pages contain information the organization doesn't want outsiders to easily find (pricing, org info, etc.).

Social Disconnect Plus

Social Disconnect Plus is a browser extension that removes all sorts of Social Media content on webpages (i.e. the Facebook like button and other widgets).

uBlock Origin

uBlock Origin is the best ad blocker available, but it does so much more. It is a powerful HTML firewall that protects you from several web attacks.

UA Spoofer for Chrome

With this extension, you can quickly and easily switch between user-agent strings. Also, you can set up specific URLs that you want to spoof every time.

Wayback Machine

Easily determine if the Internet Archive has previous versions of the webpage you are on.

The start of the end for Symantec cert trust on Google's Chrome

General | Edward Kiledjian

A little history

In early 2017, a security researcher (Andrew Ayer from SSLMate) discovered that three certificate authorities (Symantec Trust Network, GeoTrust Inc., and Thawte Inc.), owned by Symantec, had improperly issued 108 TLS certificates. It is important to understand that these improperly issued certificates would allow a threat actor to spoof or impersonate a website that was using HTTPS.

9 of these certificates were issued without the knowledge of the domain owners. 99 were issued without proper validation of domain ownership.

This improper issuance of certificates directly contravenes the strict (prescriptive) guidelines of the CA/Browser Forum and raised the ire of internet giants like Google, Mozilla, and Microsoft.

These guidelines and controls underpin the entire trust model of the encrypted internet.

There is no way to verify whether these certificates were ever used in the wild, but we also cannot verify that they were not.

You can see the list of certificates here.

Chrome to distrust Symantec TLS Certs

https://bugs.chromium.org/p/chromium/issues/detail?id=796230

Soon after this second incident was made public, the developers of the Chromium project announced their intention to distrust all Symantec-issued TLS certificates. Since Chromium powers Google Chrome, the most popular browser in the world, this amounted to a punishment for Symantec's mismanagement. Thus began the two-year roadmap to achieve this goal.

You can read the blog article on the Google Security blog entitled "Chrome’s Plan to Distrust Symantec Certificates".

The process is broken down into 3 distinct phases:

  1. Certificates issued after December 1, 2017, from Symantec's legacy infrastructure will not be trusted
  2. Certificates issued before June 1, 2016, from Symantec's legacy infrastructure will not be trusted
  3. All certificates issued from Symantec's legacy infrastructure will not be trusted.

The first phase is rolling out with Chrome beta version 66 on March 15, 2018. Domain admins still using Symantec certs issued before June 1, 2016, are encouraged to replace them ASAP.

The full roadmap will come to fruition with Google Chrome beta 70 (due October 16, 2018).

In an October 2017 Symantec security blog entry, we learned that DigiCert will take over certificate issuance and updates as of December 1, 2017.
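The three-phase roadmap above, applied to certificate metadata in the dict shape that `ssl.SSLSocket.getpeercert()` returns, as an added example for auditing your own endpoints (not code from the post or from Google). Matching on the issuer names the post lists is my simplification, and the phase-to-Chrome-version mapping is my reading of the post.

```python
"""Added example, not from the original post: apply the three-phase Symantec
distrust roadmap described above to certificate metadata in the dict shape that
ssl.SSLSocket.getpeercert() returns, so you can audit your own endpoints."""
import ssl

# Organisations the post names as Symantec's legacy CAs. Matching on issuer O/OU
# names is a simplification (Chrome keyed the distrust on specific root certs),
# so treat a hit as "go and check", not as proof.
LEGACY_ISSUER_NAMES = ("symantec", "geotrust", "thawte")

# Dates and Chrome versions quoted in the post. The phase-to-version mapping is
# my reading of it: rule 1 applies to every version, rule 2 from 66, rule 3 from 70.
LEGACY_ISSUANCE_END = ssl.cert_time_to_seconds("Dec 01 00:00:00 2017 GMT")
PHASE2_CUTOFF = ssl.cert_time_to_seconds("Jun 01 00:00:00 2016 GMT")
PHASE2_CHROME = 66  # Chrome 66 beta, March 15, 2018
PHASE3_CHROME = 70  # Chrome 70 beta, October 16, 2018

def issued_by_legacy_symantec(cert):
    """True when the issuer's O or OU names one of the legacy Symantec CAs."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr in ("organizationName", "organizationalUnitName") and any(
                    name in value.lower() for name in LEGACY_ISSUER_NAMES):
                return True
    return False

def chrome_trust_verdict(cert, chrome_major):
    """Return (trusted, reason) for a getpeercert()-style dict in a Chrome major version."""
    if not issued_by_legacy_symantec(cert):
        return True, "not issued from Symantec's legacy infrastructure"
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    if not_before >= LEGACY_ISSUANCE_END:
        return False, "phase 1: issued on or after December 1, 2017"
    if chrome_major >= PHASE3_CHROME:
        return False, "phase 3: all legacy Symantec certificates distrusted"
    if chrome_major >= PHASE2_CHROME and not_before < PHASE2_CUTOFF:
        return False, "phase 2: issued before June 1, 2016"
    return True, "still trusted, but replace before Chrome %d" % PHASE3_CHROME

# Constructed sample records in getpeercert() shape (not real certificates).
LEGACY_2015 = {"issuer": ((("countryName", "US"),),
                          (("organizationName", "Symantec Corporation"),),
                          (("organizationalUnitName", "Symantec Trust Network"),)),
               "notBefore": "Mar 10 00:00:00 2015 GMT"}
LEGACY_2017 = {"issuer": ((("organizationName", "GeoTrust Inc."),),),
               "notBefore": "Feb 20 00:00:00 2017 GMT"}
NEW_INFRA_2018 = {"issuer": ((("organizationName", "DigiCert Inc"),),),
                  "notBefore": "Jan 15 00:00:00 2018 GMT"}
```

To check a live endpoint, pass the dict returned by `getpeercert()` on a socket wrapped with `ssl.create_default_context()` instead of the constructed samples.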

Chromium browser can clean-up after malware infections

InfoSec | Edward Kiledjian

Even the most careful internet user may find himself/herself on a questionable site that loads the browser with all kinds of "wonderful gifts" like toolbars, new search engines, extensions and the like. Normally, recovering from something like this is painful and time consuming.

A crafty and detail-oriented individual, Francois Beaufort, discovered a new feature in Chromium called reset profile, which resets everything back to factory defaults:

  • homepage
  • search engine
  • cookies
  • and disables the extensions

Why is this interesting? Because cool new features often work their way from Chromium back to Google's official Chrome browser. One more tool to make the internet a safer place.

You can read Francois' Google+ post here. And if you're not on Google+, what are you waiting for?