Sunshine-boy

Level 27
Verified
Hello,
I was searching for A free web isolation product till I found this extension:
Nohack by Apozy
What is Nohack:
Its A simple, lightweight and unobtrusive way to make all websites safer. Apozy sandboxes malicious sites to stop phishing attacks, ransomware, and data leaks. Apozy does not interrupt your browsing habits while protecting you.

There are some other products like:
Web Isolation | Symantec
or
Browser Isolation | Ericom Shield for Secure Browsing
 

Attachments

Sunshine-boy

Level 27
Verified
Good question but idk the answer.This extension lock down your browser.
it also has an informative log:
Code:
NEVER-USED-SITE
Wanted: SITE-USED-BEFORE
Site does not appear in browser history

checkVISUAL-ID-IS-UNIQUE
Wanted: VISUAL-ID-IS-UNIQUE
Site has unique visual elements

closeCSP-NOT-IMPLEMENTED
Wanted: CSP-IMPLEMENTED-WITH-NO-UNSAFE
Content Security Policy (CSP) header not implemented

closeCOOKIES-WITHOUT-SECURE-FLAG
Wanted: COOKIES-SECURE-WITH-HTTPONLY-SESSIONS
Cookies set without using the Secure flag or set over http

checkCROSS-ORIGIN-RESOURCE-SHARING-NOT-IMPLEMENTED
Wanted: CROSS-ORIGIN-RESOURCE-SHARING-NOT-IMPLEMENTED
Content is not visible via cross-origin resource sharing (CORS) files or headers

checkEASY-TO-SEARCH-DOMAIN
Wanted: EASY-TO-SEARCH-DOMAIN
Domain is easy to find in search engine results

checkHPKP-NOT-IMPLEMENTED-NO-HTTPS
Wanted: HPKP-NOT-IMPLEMENTED
HTTP Public Key Pinning (HPKP) header can't be implemented without https

closeREDIRECTION-MISSING
Wanted: REDIRECTION-TO-HTTPS
Does not redirect to an https site

checkREFERRER-POLICY-NOT-IMPLEMENTED
Wanted: REFERRER-POLICY-PRIVATE
Referrer-Policy header not implemented

checkIS-TRUSTED-BY-PEOPLE
Wanted: IS-TRUSTED-BY-PEOPLE
Most people say this site is credible

closeHSTS-NOT-IMPLEMENTED-NO-HTTPS
Wanted: HSTS-IMPLEMENTED-MAX-AGE-AT-LEAST-SIX-MONTHS
HTTP Strict Transport Security (HSTS) header cannot be set for sites not available over https

closeSRI-NOT-IMPLEMENTED-AND-EXTERNAL-SCRIPTS-NOT-LOADED-SECURELY
Wanted: SRI-IMPLEMENTED-AND-EXTERNAL-SCRIPTS-LOADED-SECURELY
Subresource Integrity (SRI) is not implemented, and external scripts are loaded over http

closeX-CONTENT-TYPE-OPTIONS-NOT-IMPLEMENTED
Wanted: X-CONTENT-TYPE-OPTIONS-NOSNIFF
X-Content-Type-Options header not implemented

closeX-FRAME-OPTIONS-NOT-IMPLEMENTED
Wanted: X-FRAME-OPTIONS-SAMEORIGIN-OR-DENY
X-Frame-Options (XFO) header not implemented

closeX-XSS-PROTECTION-NOT-IMPLEMENTED
Wanted: X-XSS-PROTECTION-1-MODE-BLOCK
X-XSS-Protection header not implemented
 

HarborFront

Level 48
Verified
Content Creator
Interesting... but would it still beneficial to have as FF is already using a sandbox, what would be the difference inprotection?! Currently have FF sandbox in SBIE(RAMDisk).
According to its site

....NoHack relies on technology that is already built into the major browsers (Chrome, Firefox, Safari, and IE Edge) to deliver a sandboxed, safe environment
I guess there's no new tech here

:)
 

Prorootect

Level 53
Verified
To give my browsers to an application that takes the entire browser under its wings, I must have total confidence in that application.

So let's see...

First question: why the Chrome Web Store comments are mostly dated between Feb 7, 2017 and Feb 18, 2017, then another from Mar 21, 2017 - all 18 comments, then nothing afterward (all positive of course...)?

If I search on Chrome Web Store for nohack or nohack by apozy - have this response: "Your filtered search for "nohack by apozy" did not match any items."
Sure, it's only found by google or another search engine, landing on Chrome store....

Link on Google: Pentester Academy TV : blog.pentesteracademy.com about apozy.com - redirect to [Apozy | Phishing and malware prevention on Pentester Academy TV] : Apozy | Phishing and malware prevention on Pentester Academy TV What is glyph.medium.com 3rd party request?..

...so many links on the search engine from apozy dev (Apozy CEO and Co-Founder, Rick Deacon), but very fev from independent sources...life is difficult...

Link on Hacker News:
"Hey all,
I’m Rick, the founder of Apozy. We’re a YC-backed company in the current batch and we've created a browser extension that stops people from getting hacked by things like phishing and malware. We're excited to get your feedback, hear your ideas, and answer questions!
I’ve been a hacker and penetration tester for 10 years. I started out by poking around people’s computers in 7th grade, then moved to poking SQL databases behind forms around high school. I eventually wrote a talk about session hijacking on MySpace in 2007 and was absolutely beyond horrified to stand in front of a bunch of people and pretend I know WTF I’m doing.
Soon after I was hacking Fortune 500 companies at a few consulting firms and decided that phishing was a way bigger problem..." - by rickdeaconx on Mar 6, 2017 you see, 2017.
- read the comments too...here: Launch HN: Apozy (YC W17) – Use browsing habits to stop phishing and spot breaches | Hacker News

Norton Safe Web report (Today, April 6, 2018!) for apozy.com says:
UNTESTED Summary: This site has not been tested yet. Here: Report for apozy.com | Norton Safe Web
Trend Micro says this same..."Untested".
Quttera scan result: Clean: FREE Online Website Malware Scanner | Website Security Monitoring & Malware Removal | Quttera

So I don't have the confidence for now, but this could change after some time...

For now I don't have the time ....see you later, sorry
 
Last edited:

Prorootect

Level 53
Verified
On the screenshot from the first post by Sunshine-boy, I see that to notch "Enable active protection" which sandboxes your browser, you should have an account first?.. It's "For authenticated users only"...

- so I'm not interested in this.

Firefox corresponding add-on is called "Apozy Trusted Browsing", and we read: "Apozy sandboxes malicious sites to stop phishing attacks, ransomware and data leaks. It's learns from your browsing habits to stop complex & undiscovered attacks. It's free, open source and privacy friendly."
"28 Users",1 review only:

"Corrupted
Rated 1 out of 5
by Mr bang-bang Ibn Tor, 9 months ago"

I've already many trusted add-ons, so no, thanks.
 
Last edited:

simmerskool

Level 7
Verified
Malware Tester
On the screenshot from the first post by Sunshine-boy, I see that to notch "Enable active protection" which sandboxes your browser, you should have an account first?.. It's "For authenticated users only"...

- so I'm not interested in this.

Firefox corresponding add-on is called "Apozy Trusted Browsing", and we read: "Apozy sandboxes malicious sites to stop phishing attacks, ransomware and data leaks. It's learns from your browsing habits to stop complex & undiscovered attacks. It's free, open source and privacy friendly."
"28 Users",1 review only:

"Corrupted
Rated 1 out of 5
by Mr bang-bang Ibn Tor, 9 months ago"

I've already many trusted add-ons, so no, thanks.
I was wondering about the same things, but did install it for 1-day. Most of its info was not really helpful, it found at least 1 issue with EVERY website I visited, including MT, and reading your similar concerns prompted me to uninstall it.
 

Prorootect

Level 53
Verified
I was wondering about the same things, but did install it for 1-day. Most of its info was not really helpful, it found at least 1 issue with EVERY website I visited, including MT, and reading your similar concerns prompted me to uninstall it.
- haha, surely this is cause famous googletagmanager.com everywhere - blocked everywhere here, e.g. in 3PRB, uMatrix 1.0.0 nice version in Firefox, Script Blocker for Chrome, Domain Whitelist ...
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
It is based on uMatrix (and HTTP Switchboard). It reads what security policies a websites has implemented (I assume based on HTTP Content Security Policy information). When they are not according to advised (ideal) standards the site is contained (or sandboxed) using uMatrix engine.

It uses uMatrix to block downloads and filling in forms, etc according to their own infomation based on your browsing history. I always run Chromium incognito, so it has no history.

1523251914730.png

1523252668528.png
 
Last edited:

Windows_Security

Level 23
Verified
Trusted
Content Creator
Played with it and added uMatrix's third party protection rules, to make it truly a sandbox, steps:
1. Click on options icon (wheel)
2. Select Website Permissions tab
3. Click Editbutton
4. Copy lines below
4. Click save button
6. Click commit buttons

_______________rules to copy

matrix-off: * true
* * * block
* * css allow
* * image allow
* 1st-party * allow

_________________
Disable matrix (ergo the protection) by default
Block everything (* * * block)
Allow css (content style sheets)
Allow image
Allow first party (so effectively all third party except css and image is blocked)
_________________
Usage: enable on risky sites to have 3rd-party (scripts, frames, httprequests) PLUS forms input and download protection.

I use it with Adguard in Chromium browser always running incognito (using Bruce's Blank tab to have blank screen and Material Incognito Light Them to hide - I find - horrible incognito theme and popup)
 
Last edited:

Prorootect

Level 53
Verified
Thanks Windows_Security -
- your posts above gave me the confidence to download... so I downloaded this "Apozy Trusted Browsing" add-on into my Firefox ESR...it's free, no account demand,OK.

Options button lead to Settings page which has "Enable site privacy grades" and "Enable community protection" only to notch by me... doesn't have "Enable active protection" position en Firefox...

I have implemented your additional rules to copy from your previous post...
First, in this version 1.0.16 (which weighs 1.9 MB...) - the RISKS and LOG in icon's pop-up are not scrollable (bug?), then not usable beyond first visible positions... the first 3 positions of Risks are described, but this does not increase my security...

It doesn't know many websites, so it doesn't react on these web sites (and, on the icon, I see that three points, instead of degree of privacy risk from A to F, F is the worst mark for privacy, it seems to me).

Example of website I found with privacy risk of F: The Ultimate Online Privacy Guide - BestVPN.com - 4 Risks, site privacy is 10%, it says.
Our MT - it does't know...but NOW yes, it has "A" for Malwaretips, 'site privacy is 90%' - and then?...
theepochtimes.com it has NOW the C... so this Apozy has some AI, it learn.

A toy that brings me nothing of what I have as add-ons, it seems to me.
It works with signatures (and some rules, dont these by @Windows_Security), much better is 3PRB add-on (for me:))
On Firefox.
 
Last edited:

Windows_Security

Level 23
Verified
Trusted
Content Creator
Yep, the icon colours depending on the risks found. Green means OK, blue is okay with a few remarks, yellow is suspicious and red means that the website could be easily hacked.

So the extension does valuate the risk of that website being hacked. It would be better when it would block apply protections auutomatically, for example
green = disable protection
blue = block downloads
yellow = block downloads and input
red = block third-party stuff, downloads and input

Most of the bad stuff happens when people are redirected from a legitimate website they are visiting to a malware website. People blocking third-party stuff block the most common risks (but third-party blocks do not protect you against first party scripts on phishing websites).
 
Last edited:

Prorootect

Level 53
Verified
Yep, the icon colours depending on the risks found. Green means OK, blue is okay with a few remarks, yellow is suspicious and red means that the website could be easily hacked.

So the extension does valuate the risk of that website being hacked. It would be better when it would block apply protections auutomatically, for example
green = disable protection
blue = block downloads
yellow = block downloads and input
red = block third-party stuff, downloads and input

Most of the bad stuff happens when people are redirected from a legitimate website they are visiting to a malware website. People blocking third-party stuff block the most common risks (but third-party blocks do not protect you against first party scripts on phishing websites).
"Most of the bad stuff happens when people are redirected from a legitimate website they are visiting to a malware website."

- sure, that's why I use indispensable "Redirect Control" addf-on on Firefox and FF forks.
Redirect Control – Add-ons for Firefox
Each one conscious of danger of malicious redirects has to use this add-on.

- So the Nohack by Apozy does valuate the risk of websites - nothing more, sadly...
---> and this is not useful to me.
 
Last edited:

Prorootect

Level 53
Verified

Windows_Security wrote:
"People blocking third-party stuff block the most common risks (but third-party blocks do not protect you against first party scripts on phishing websites)."

Sure, that's why I like so much my:
"Whitelist JavaScript" so "Whitelist or Blacklist JavaScript" add-on by veto: veto64/whitelist_javascript_webextension - extremely simple to use, just click one button – and boom ... Whitelist or Blacklist JavaScript – Add-ons for Firefox

...or
"ScriptFilter" by Baptiste Thémine : Baptistou/ScriptFilter -
Browser support : Firefox 52+, Firefox Android 57+, Chrome 42+, Opera 33+.

So these two block, protect you against first party scripts on all websites...
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
Nohack was based on uMatrix, they now switched to uBlock, see pic (I thought it was a nice idea so I am following this extension/saas)

1525173811416.png


Pitty it is impossible to play with options (to guess how it works)
 
Last edited: