Category Archives: Browsers

Chrome’s Plug-Ins and What They Actually Do

Chrome doesn’t rely much on plug-ins, but when you load up Chrome for the first time, it’s already packed with five of them. How-To Geek explains what the heck they actually do.

If you’ve ever popped over to your chrome://plugins page, you’ve probably seen some weird names like ‘Widevine Content Decryption Module’ and wondered what exactly they do (and if you can disable them). So, here are the five plug-ins packed into Chrome and what they do:

  1. Widevine Content Decryption Module: This allows Chrome to play DRM-protected HTML5 video and audio, like you’d find on Netflix.
  2. Native Client: This allows developers to run C or C++ code on a website. For the most part, this is really only used for some of the more complicated apps and games in the Chrome Web Store.
  3. Adobe Flash: This is Adobe Flash, but tweaked a bit for Google Chrome.
  4. Chrome Remote Desktop Viewer: This is the Chrome Remote Desktop app needed to access your computer remotely. The plug-in doesn’t do anything unless you activate it.
  5. Chrome PDF Viewer: This one’s pretty self-explanatory: it’s the plug-in that lets you read PDF files.

That’s it. You can always disable any of these, but you’ll lose functionality as expected. As always, if you see anything weird on your plug-ins page, be sure to research it a little more to make sure it’s nothing that could cause problems.

Browser security

You need a browser that will not leak information over the internet and not leave traces on your machine.

Secondary Storage

On secondary storage, where the browser is installed and run from:

  1. The browser should be run from read-only media. Configure your browser to only read and never write. Remount your file system in read-only mode to ensure nothing can be written, then run the browser.
  2. Failing that, the browser should be run from a volatile RAM disk. Buy 1 or 2 GB of RAM. Set up a segment of main memory as a file system, as if it were secondary storage. Load the image of the browser into RAM and run it.
  3. Failing the first two possibilities, the browser should be run from an encrypted device with a random one-time key. The key needs to be generated from environmental noise and must never be revealed to you. The key should be stored in volatile primary storage and be unrecoverable after killing the power. Map the storage device as a loop device with on-the-fly encryption using the randomized key. Format the loop device with a file system, copy the files of the browser over, and run. Optionally, shred the device afterward if you don’t want any adversary to brute-force your storage device 50 years later.
  4. Not recommended, but the browser may be run from a file-level encrypted directory with a random one-time key. As above, the key should be generated from environmental noise and you should not know it. The problem with a file-level encrypted directory is that as the ciphered data grows and shrinks within the file system, it is spread all over the disk, mixed in with your unencrypted data. It can’t be shredded easily to protect you from a future supercomputer brute-forcing your data.
  • Don’t use full disk encryption without a one-time key. Your passphrase may actually have less entropy than you think. Your adversary may even use rubber-hose cryptanalysis to get your passphrase.
  • Don’t use NTFS file-level encryption. Your passphrase is stored on your disk protected by an extremely weak hash. Ophcrack can reveal your passphrase in under an hour.
  • Don’t just shred your browser. If your browser once wrote sensitive information to an unencrypted storage device, shred the entire device.

Primary Storage

On primary storage, where the browser runs:

  • Don’t leave your machine for at least 10 minutes after you power it down. RAM takes time to lose its contents.
  • Don’t leave your machine without first powering it down. Simply pouring the liquid from any compressed gas duster onto the RAM will lower its temperature enough to preserve its contents; then anyone can just yank the RAM out of your machine and dump everything stored in it, including all your keys and passwords for all the websites (e.g. PayPal) you visited.
  • Don’t hibernate your machine. It writes RAM onto the hard disk. Shred your hibernation partition if you have previously hibernated your machine. (Your PayPal password could already be written to the disk.)

Browser Settings

Here’s one method:

Running in:

  • Get Firefox Portable. It’s available for a variety of OS’s and works well.
  • Go through the preferences and disable anything that logs or leaks information. This includes, but is not limited to:
    • In “Content,” disable java. Disable javascript if you don’t have NoScript.
    • In “Privacy,” remember nothing. Remember no history. Always clear everything before closing. You may want to disable cookies, but this is not essential if they are not written to disk and cleared on every browser shutdown.
    • In “Security,” warn before installing addons. Remove all exceptions. Remember no passwords.
    • In “Advanced” – Network, set the cache size to 0.
    • In “Advanced” – Update, disable auto updating/checking for updates.
  • Install the Torbutton extension – the one that overhauls browser security, not just change proxy settings. The latest version at this time is 1.4.6
  • OPTIONAL – Install the firefox extension NoScript, allows fine-grade control of javascript, fix javascript links with js disabled, etc. Remove stuff in default whitelist. (I think this is unnecessary and may conflict with Torbutton – Moar)
    • Enable every check mark.
    • Make sure no cookies are written to disk.
    • Clear cookies on any browser shutdown.
    • Clear cookies on Tor toggle (“”).
    • Whenever there’s an option to choose between Tor and non-Tor, choose Tor.
    • Block tor disk cache, but you’ll want to allow memory cache to prevent redownloading of images.
    • Make sure the proxy settings point to privoxy.
    • Disable hotkey/quick toggle if you use the browser for just tor.
  • Set network.http.sendRefererHeader to 0 in about:config. Also set false for network.http.sendSecureXSiteReferrer.
  • In the proxy settings make sure the proxy exceptions list is empty. It can be used as a way for sites to access localhost.
  • One annoying thing about Firefox is the way it handles external applications. You want to disable them all because sites may call telnet for example, which can leak your IP address among other things. Look in about:config for network.protocol-handler.external. You’ll want to set the default and all the subsettings to false. Then look for network.protocol-handler.warn-external. You want to set the default and all the subsettings to true. Is there an extension that does this? (Torbutton!)
  • Popups are another annoyance, in “Content” tell it to block pop-up windows with no exceptions.
  • Recently someone has found that Firefox checks for extensions without the user’s consent; a temporary solution is to set extensions.blocklist.enabled to false.
  • There are probably other information leaks that could come about if you accidentally click a button, one person has recommended to search through about:config for URLs and blank them out. The types of links I’ve seen are http, https, and rdp. Don’t remove anything with chrome:// or resource:// though. (Some of these are used to phone home when you open the addons window [discussion on onionforum].)
  • Make sure the plugin directory is empty. Do this again every time you update Flash or Shockwave.
  • Set the home page to about:blank

It is a good idea to have a separate Tor browser to make things easier to manage. This becomes so much simpler when you have separate portable browsers each with their own specific purpose – non portable browsers tend to stick data in god knows where while portable ones keep it all in their folder. You should also make sure you use something equivalent to Firefox’s “Clear Private Data” feature and make sure evidence doesn’t pile up – encrypt what you plan to keep, shred anything you don’t. Take measures to prevent your computer from being remotely compromised; heck, encrypt your entire OS if you can, and don’t talk about Tor club. 😛

Because of the huge amount of lag associated with Tor, pipelining, i.e. sending http requests in batches, makes a lot of sense. Go to about:config and make the following changes:

  • network.http.keep-alive.timeout:600
  • network.http.max-persistent-connections-per-proxy:16
  • network.http.pipelining:true
  • network.http.pipelining.maxrequests:8
  • network.http.proxy.keep-alive:true
  • network.http.proxy.pipelining:true

You should also disable prefetching. This is when the browser tries to predict what the user will click next. It is a waste of Tor bandwidth, and should be disabled by setting:

  • network.prefetch-next:false

There is a test for browser information leaks on TorCheck. Note that it does not test for Flash, go to a non-javascript flash site like MeatSpin and if it loads it means (naturally) flash isn’t blocked. Another good test is Last Measure – If it does anything besides show a background image you have work to do (it starts downloading a file but this is harmless – browsers load images all the time for example).

Geolocation

Firefox 3.5 and above uses nearby WLAN signals and Google to determine your latitude and longitude for websites. To disable this feature set geo.enabled to false in about:config.

If you ever need geolocation enabled you can spoof it with the following method:

  1. Create a text file somewhere on your computer with the following text: {"location":{"latitude":0.000000,"longitude":0.000000, "accuracy":20.0}}
  2. Change latitude, longitude, and accuracy (in meters) to whatever you need to use
  3. Open about:config and find the option geo.wifi.uri
  4. Replace the URL (by default https://www.google.com/loc/json) with the path to the text file created in step 1 above
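
The leak-related about:config values given under Browser Settings and Geolocation above can be checked against a profile's prefs.js or user.js file. The following is an added example, not part of the original page: the function names and the sample profile are constructed for illustration, and it assumes the standard `user_pref("name", value);` line format.

```python
import re

# Expected values: the leak-related about:config settings listed on this page.
EXPECTED = {
    "network.http.sendRefererHeader": 0,
    "network.http.sendSecureXSiteReferrer": False,
    "network.prefetch-next": False,
    "extensions.blocklist.enabled": False,
    "geo.enabled": False,
}
# Any pref whose name starts with one of these prefixes must hold this value.
PREFIX_EXPECTED = {"network.protocol-handler.external": False,
                   "network.protocol-handler.warn-external": True}
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Parse user_pref("name", value); lines into {name: bool | int | str}."""
    prefs = {}
    for m in filter(None, map(PREF_RE.match, text.splitlines())):
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(prefs):
    """Return sorted (pref, problem) findings; flags http, https, rdp URLs."""
    found = []
    for name, want in EXPECTED.items():
        if name not in prefs:
            found.append((name, "not set"))
        elif type(prefs[name]) is not type(want) or prefs[name] != want:
            found.append((name, f"is {prefs[name]!r}, want {want!r}"))
    for name, value in prefs.items():
        for prefix, want in PREFIX_EXPECTED.items():
            if name.startswith(prefix) and value is not want:
                found.append((name, f"is {value!r}, want {want!r}"))
        if isinstance(value, str) and re.match(r"(?i)(https?|rdp):", value):
            found.append((name, "holds a remote URL"))
    return sorted(found)

# Constructed sample profile, not taken from a real machine.
SAMPLE = """user_pref("network.http.sendRefererHeader", 2);
user_pref("geo.enabled", false);
user_pref("network.protocol-handler.external.telnet", true);
user_pref("geo.wifi.uri", "https://www.google.com/loc/json");"""
```

Calling `audit(parse_prefs(SAMPLE))` returns one finding per missing, wrong or URL-bearing preference; an empty list means the profile matches the settings above.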

Browser Security Tests

Also look at Securing Tor to make sure Tor is self-contained and properly configured.

If you’re running Windows, check out Securing Windows as this information will go hand in hand with this page.

 

The Secret Powers of Chrome’s Address Bar

 

Chrome’s address bar doesn’t do much at a glance. Type in a URL and you’re taken to a web site. But it can do a lot more if you know how to use it.

You can actually do a ton with it though, so let’s dig into some of the better tricks.

Perform Quick Unit Conversion and Math

Don’t feel like opening up a calculator just to do some basic math? Just type in the equation and Chrome’s omnibox gives you the answer, no need to press Enter. You can do the same with basic unit conversion, including temperatures. All you need to do is add an equals sign after a query. So, type in something like 50 c = f for temperatures, or 50 feet = inches.

Turn A Browser Window Into a Notepad

This trick works in pretty much any modern browser, but it’s still worth noting here. If you want to get a blank notepad to type in a quick note, just type this into the address bar (or add a bookmark):

data:text/html, <html contenteditable>

You’ll get a blank page where you can type in text easily.

Search for Keywords with Drag and Drop

If you’re not a fan of cutting and pasting or you hate right-clicking anything, you can search for a word by just highlighting it and dragging it to the address bar.

Search Specific Sites

Google veterans are pretty familiar with the old “site:” search operator, but you can also easily get that from the address bar by simply typing in a web site address then tapping the Tab button.

Search Gmail or Google Drive

Jumping over to a specific web app like Gmail or Google Drive to search for something takes a bunch of clicks. It’s a lot easier to just search those services from the address bar. To do so, you’ll need to do a little bit of set up.

  1. Right-click the address bar and select “Edit Search Engines”
  2. Add a new search engine called Google Drive
  3. Make the keyword something you’ll remember, like “Gdrive”
  4. Enter this in for the URL: http://drive.google.com/?hl=en&tab=bo#search/%s You can do the same for Gmail, just make the URL https://mail.google.com/mail/ca/u/0/#apps/%s

When you want to search your Google Drive or Gmail accounts, just type in gmail.com or docs.google.com and tap the Tab key to initiate your search.

Open a Link at a Specific Tab Spot

If you’re obsessive about where a tab is located, you can grab any URL from the address bar or a link, then drag and drop it to a specific location in your Tabs.

Use Your Address Bar as a Basic File Explorer

While there isn’t exactly a great reason why you’d want to use Chrome as a file browser, you can. Type in C:/ on Windows or file://localhost on a Mac and Linux to load up the file browser. You can also drag any file to the address bar to open it in Chrome.

Open a New Email Window

Want to quickly send out an email but don’t want to deal with actually looking at your email? Type mailto: into your address bar and it’ll open up a new compose window in whatever your default email client is.

Look at all the Security Information for a Site
