back |

How to make your browser more secure?

The modern web and most bigger websites and services make extensive use of JavaScript. While this is fine and js makes the web experience more interactive, having JS enabled by default should be one of your biggest security concerns. The scripting language opens the doors for malicious actors. Modern browsers have several mitigation tactics to reduce the risk but they are far from being perfect. The best option would be to turn off JS completely. Unfortunately many websites break when you turn off JS in the browser settings. There are extensions that let you decide on a per domain basis whether or not JavaScript should be executed. This way you can browse the web relatively safe. But this can be a pain in the ass when websites rely on scripts that are loaded from lots of different domains. A lot of the bigger websites and even smaller ones make use of these scripts which act as frameworks and such.

I personally do not enjoy browsing the web this way. It feels very complicated at times when you are visiting lots of new websites each day. However, when you stick to the same pages and revisit them daily while only visiting a handful of new sites a week, configuring these browser plug-ins could enable you to browse the web much safer.

If we take reddit as an example, your browser tries to load scripts from these domains:

reddit.com
redditstatic.com
redditspace.com
redd.it
google.com

So google is able to see which subreddits you visit and which posts you are reading. Google is as well able to see that you are writing a reply IMHO (I'm not 100% sure on that). When comparing time stamps, they may be able to identify what your reddit account name is. When signing up for reddit, you as well have to allow scripts from google.com and gstatic.com to be executed (Reddit uses Google ReCaptcha to fight bot registrations). So google should be aware which reddit account is tied to you. To browse reddit and enjoy the addictive endless scroll (doomscrolling), you would have to allow these domains: reddit.com, redditstatic.com. This way you could browse reddit kind of well. To have video playback and all reddit features available, you would also need to allow redditspace.com and redd.it. It is safe to block google.com when using reddit.

Domain Whitelisting isn't the holy grail

While people with a focus on computer security and privacy could profit from the whitelisting domains, this still can be problematic in terms of security. For example, if we take neocities into account: When adding neocities.org to your safelist, all scripts implemented on websites that make use of a neocities subdomain will be allowed to be executed. It doesn't matter if you browse the website example.neocities.org or userXYZ.neocities.org. All scripts those webmasters host on their neocities space are allowed to be executed on a browser level.

NoScript by default lets you whitelist the main domain with ease (click on the noscript logo and then add neocities.org as trusted or temporarily trusted), however, if you only want scripts from example.neocities.org whitelisted, you have to go to to your browser settings / extensions / noscript / preferences / where you could enter a subdomain to the whitelist as well without allowing all scripts from all .neocities.org websites in general.

However, as soon as you want to edit your own neocities website by using the neocities editor, you will have to whitelist neocities.org or otherwise their web editor won't work. You would have to temporarily whitelist the neocities domain and afterwards delete it (or make use of temporary setting) to stay safe.

Interesting Add-ons

JShelter (https://jshelter.org) is an interesting project. One of the minds behind Jsshelter is Giorgio Maone, who is responsible for the widely trusted NoScript Extension.

Main Contributors of JSshelter

Libor Polčák is the lead maintainer and fully committed to the idea of implementing a web extension that works as a firewall for JavaScript APIs.
Giorgio Maone is working on cross-browser support, improvements on code injection and the compatibility between the global JS environment, Workers, and iframes.
Zbyněk Červinka developed a proof-of-concept version of the extension.
Martin Timko developed the first public versions up to 0.2.1 and ported JShelter to Chrome and Opera.
Martin Bednář developed test suites.
Pavel Pohner developed the Network Boundary Scanner.
Pater Horňák ported functionality from Chrome Zero.
Matúš Švancár ported Farbling anti-fingerprinting measures from the Brave browser.
Marek Saloň created Fingerprint Detector and improved the detector.
Radek Hranický created sensor API wrappers.
Martin Zmitko improved performance of the extension.

Noscript Run in Sandbox Run in Virtual Machine Run in a Sandbox inside a Virtual Machine - Well :-D

Can you make Google Chrome able to run Manifest V2 extensions

Did google just blatantly lie when they made this statement: "With Chrome 138 all users on all channels of Chrome have now Manifest V2 extensions disabled. Users can no longer turn them back on." Well it seems like some users of google products are more intelligent than Google thinks. You can allow V2 Extensions on Chrome 138, 139 and even Version No. 140. How long this workaround will last? We will see. I wouldn't consider using Chrome myself at all but some clever minds seem to have found a way to make Chrome Web Manifest V2 compatible again even with newer Versions. So here are two guides that shows you how you can still force Google Chrome or other Chromium based browsers to allow V2 Extensions:
https://midbai.com/en/post/chrome-139-later-enable-manifest-v2/
https://github.com/uBlockOrigin/uBlock-issues/discussions/3690

uBlockOrigin compared to uBlockLite

There is filter size limit.
Cant update filter list without updating extension in the store.
Some type of filters wont work at all.
uBO has tons more functionality that is not covered by filters and directly prohibited by V3.

back |