SN 848: XSinator

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

Regarding the cross-site vulnerabilities, the true is this keep happening over and over again. But I think it’s best not to think which browser is better, rather it’s better to think about using multiple browsers because as far as we know, there is no cross-browsers bug that’s in use. And to any type of leverage cross-browsers attack, bad people have to first break the sandbox models that all the major browsers use and break out of the browser process into another browser process and technically the moment the attack can break out of the browser process, it already have the user level privilege and that’s almost game-over anyway.

Personally, I’m using both FireFox and Chrome, both with two different extensions. I’m using Chrome w/ uBlock Origin in the Incognito mode all the time for general browsing. uBlock Origin is relatively painless to use and offer decent protection, along w/ Incognito that I don’t need to keep track of thing. Everytime I close the browser, all the history get clean up automatically and that does work pretty well as normal random browsing does not need to leave anything behind. FireFox on the other hand, I have uMatrix installed, it’s much more painful to use as normal browser extension. So I only use FireFox for things that are much more important like email & banking. Along w/ uMatrix which I can dial the detail down to which each of those site barely working, which offer a strong protection again most of the cross-site attack. When both browsers are being use this way, I have no need to worry about any random site I came across using Incognito Chrome w/ uBlock will do any cross-site attack anything important. The fact that both FireFox and Chrome are not just two different browsers but they are using two different browser engine make it even more complicated if they need to read each other data.

The example of XS attack on google I think it’s point on, and that’s the reason I implement this two browsers prong the first time I heard about XS attack. In fact you can say Google making it’s worse by putting all it’s egg in one basket when it’s already way too big even as a subsidiary of Alphabet. And I mean Google specifically and not Alphabet. One easy example is gmail, gmail while itself can be consider relatively good email provider (if you don’t care much about how Googlle have access to your email) with extremely efficient spam filter and if you are a gmail user, then you know your email address is at gmail-dot-com and not google-dot-com but you cannot have webmail access via gmail-dot-com but rather only from google-dot-com. WHY? This in fact increase the attack surface to your sensitive email on the web, even if you can add extension to your browser like uMatrix, it will be extremely difficult to separate a bank wanting to offer maps to the nearest ATM location integrated into the same bank website vs a bank that make a sneaky inquiry to your recent search result or your sensitive documents in the Google drive or gmail.

Just a thought.