Top Six Google Chrome Extensions for a Much Secure Browsing Experience

At first, I thought he forgot a word there, but after looking at his suggestions, I’m more inclined to believe that he couldn’t decide between “Much the same Secure Browsing” or “Much false sense that you are Secure Browsing”

Here’s his suggestions for protecting yourself from the villains that reside on the web:

1) Web of Trust: Because anonymous people telling you whether the site you are visiting is safe or not can not be manipulated by malicious entities.
2) McAfee Site Advisor: Favorite quote FTFA – “…you can definitely rely on ratings by McAfee for the most part.”
3) KB SSL Enforcer: Because such an incredible amount of data theft goes on due to unencrypted web page viewing.
4) Flash Block: So few attacks are based on flash apps, that you would call this more of an adblock than a security measure.
5) Last Pass: Finally something we need for these browsers that don’t store passwords.  Wait…. what?
6) View Thru: Discover where shortened URL’s really direct you.  We’ve seen malicious files on the most trusted of sites and servers, so seeing the URL doesn’t help as much as you think it would.

I’m not giving the author a hard time about his choices.  Instead, I’m pointing out the fact that there are so few decent security addons for Chrome that he had to choose these.  Let me explain with a single picture:

This picture gives you a pretty good idea of the most dangerous aspect of browsing the web.  Visiting techdrivein.com results in 14 different domains trying to execute javascript on my computer. That’s the thing about javascript.  It’s payload can be delivered from any domain, not just the one you’re visiting.  The most popular methods of malicious infection on the web utilizes javascript to accomplish it’s task, whatever it may be.  Asking nameless people(or McAfee, of all companies) if they trust a website, blocking a flash app and browsing a site via a non-signed SSL connection is going to do you absolutely no good if the site is indeed reputable, but has had it’s code hijacked with a malicious script via either XSS, Iframe, or other method.

I tried using Chrome a little while ago, but due to it’s lack of ad and javascript blocking addons, I wasn’t willing to make the transition.  The very simple fact of the matter is that aside from user ignorance and stupidity, javascript is the single most dangerous aspect of browsing websites.

If you’re concerned enough about security to use any of the addons above, you shouldn’t be using Chrome.

I just wanted to have a good laugh.

Nah, I’m just kidding.  It’s just a bunch of blow-hard asshats that have found yet another scenario that will never actually happen to hear themselves talk.

The Register(UK based) wasted one more page on it than I will, allowing these devil’s advocate dipshits a platform to play what-if. I’ll give you the straight-up scoop, condensing the notice to a minimum length, while retaining the implications:

If Google wanted, they could use the javascript embedded for Analytics to do bad things on your site.

Left unsaid, but equally important are these notices:

1) If your webhost wanted, they could do bad things on your site.
2) If your ISP wanted, they could do bad things on your site.
3) If an employee with access wanted, they could do bad things on your site.
4) If someone is looking over your shoulder when you access a restricted portion of your site, they will be able to do bad things on your site.
5) If someone finds your password cheat-sheet, they will be able to do bad things on your site.

I could keep going, but no matter how hard I tried, I couldn’t come up with any more asinine possibilities than our quoted security experts have come up with.

It’s true.  If Google wanted to alter their code to introduce a malicious payload on a site using their analytics system, they could.  They could also hire ninjas to enter the NOC and steal your physical server.  They could also beat you up for your lunch money.

Dinis Cruz states “If I wanted a backdoor into the website, this would be one of the best ways to do it. It would allow somebody who knew about this to drop a payload in a way that almost wouldn’t be detected.“

For those that missed it, Dinis is proposing that the easiest way to compromise a site is to get a job at Google cleaning cubicles, work your way up to a position in which you have unmitigated control over the production code that Google uses and then alter it to access a restricted area on a site via a vulnerability you introduced.

An added bonus to this method is that you get to ride the Segways on the Google campus and have a certified organic vegan salad for free.