Advice Request What Browser Extensions are you using in 2020?

Status
Not open for further replies.

Arequire

Suggested reading for anyone debating whether to use HTTPS Everywhere or not:
 

Lenny_Fox

I read the article and can someone explain how a redirect on the same server from HTTP to HTTPS gives hackers plenty of time to do their evil?

HTTPS Everywhere is as useful as anti conception for a 60 year old woman.

As with pregnant 60 year olds, it does happen from time to time. But the chance of you winning the lottery IS WAY HIGHER THAN making a 60 year old pregnant again.

In short: HTTPS EVERYWHERE? Nah not for me, but feel free to check your chances with the next 60 year old you encounter.
 

Arequire

can someone explain how a redirect on the same server from HTTP to HTTPS gives hackers plenty of time to do their evil?
  1. Does an MITM on the HTTP connection
  2. Replaces all the HTTPS links with HTTP ones but remembers the links which were changed
  3. Communicates with the victim client on an HTTP connection for any secure link
  4. Communicates with the legitimate server over HTTPS for the same secure link
  5. Communication is transparently proxied between the victim client and the legitimate server
  6. Images such as the favicon are replaced by images of the familiar "secure lock" icon, to build trust
  7. As the MITM is taking place, all passwords, credentials etc. are stolen without the client knowing
Not sure if this is the explanation you wanted or not. I believe this would require the attacker to compromise your machine/router or the server you connect to.
I don't know how prevalent this attack is or the percentage of servers vulnerable to it nowadays, but back in 2016 only 5% of HTTPS servers implemented HSTS. With that said, 5% still means tens to hundreds of thousands of websites have implemented it.
 

Handsome Recluse

I read the article and can someone explain how a redirect on the same server from HTTP to HTTPS gives hackers plenty of time to do their evil?

HTTPS Everywhere is as useful as anti conception for a 60 year old woman.

As with pregnant 60 year olds, it does happen from time to time. But the chance of you winning the lottery IS WAY HIGHER THAN making a 60 year old pregnant again.

In short: HTTPS EVERYWHERE? Nah not for me, but feel free to check your chances with the next 60 year old you encounter.
Tor Browser uses it, which has some high-risk people as users. It must be useful.
 

Lenny_Fox

@Arequire

The first step is the 60 year old successful inception. Considering it is a redirect on the same server (from HTTP to HTTPS)

intrusion without explanation said:
1. Does an MITM on the HTTP connection



@Handsome Recluse

Every additional security helps. But when the magic "Does an MITM on the HTTP connection" is that easy, HSTS still keeps that window open, see explanation (link). The only difference is that the browser remembers it for the time (max-age) set in the header, which closes down the window of opportunity from each time the address is typed in the address bar to once.

To be honest a MITB (man in the browser) attack would be easier, just develop an extension and update it to go bad. People love to stack extensions to protect themselves against all sorts of unlikely events (like playing soccer in knight's armor)

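The HSTS behaviour discussed in the posts above (the browser remembering the policy for max-age, and the plaintext first request that remains), as an added example that is not part of the thread: a simplified Python model of a browser's HSTS store following RFC 6797. The function and class names and the host `bank.example` are made up for illustration, and browser preload lists are not modelled.

```python
from urllib.parse import urlsplit

def parse_hsts(header):
    """Parse a Strict-Transport-Security value -> (max_age, include_subdomains) or None."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        # Directive names are case-insensitive; lower-casing the digits is harmless.
        name, _, value = (s.strip() for s in part.lower().partition("="))
        if name == "max-age":
            value = value.strip('"')             # the value may be a quoted string
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsCache:
    """Hypothetical, simplified model of a browser's HSTS store (no preload list)."""
    def __init__(self):
        self._hosts = {}                         # host -> (expiry, include_subdomains)
    def note_response(self, url, header, now):
        """Store the policy only if the response came over HTTPS; True if it was used."""
        parts, policy = urlsplit(url), parse_hsts(header)
        if parts.scheme != "https" or policy is None:
            return False                         # a header seen over plain HTTP is ignored
        max_age, include_sub = policy
        if max_age == 0:
            self._hosts.pop(parts.hostname, None)    # max-age=0 deletes the policy
        else:
            self._hosts[parts.hostname] = (now + max_age, include_sub)
        return True
    def first_request_url(self, typed, now):
        """URL that goes on the wire when the user types an address without a scheme."""
        labels = urlsplit("//" + typed).hostname.split(".")
        for i in range(len(labels)):             # exact host first, then parent domains
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return "https://" + typed        # upgraded before anything is sent
        return "http://" + typed                 # plaintext first hop: the remaining window

def timeline():
    """Constructed scenario for the made-up host bank.example (times in seconds)."""
    c = HstsCache()
    first = c.first_request_url("bank.example", 0)               # first ever visit
    c.note_response("http://bank.example/", "max-age=3600", 0)   # ignored: not HTTPS
    c.note_response("https://bank.example/", "max-age=3600; includeSubDomains", 2)
    return [first, c.first_request_url("bank.example", 10),
            c.first_request_url("login.bank.example/x", 10),
            c.first_request_url("bank.example", 3602)]           # policy has expired
```

`timeline()` shows the plaintext request on the first visit and again once max-age has run out, which is why sites set a long max-age.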

Handsome Recluse

Emsisoft - I don't care about cookies - No, thanks - IMHO the less extensions the better, or you are heading to overkill as you can with AV program of sorts.
Much less and much less intrusively than a local program however.

Don't call it soccer 😖 It's football ⚽
It's putball.
People love to stack extensions to protect themselves against all sorts of unlikely events (like playing soccer in knight's armor)
The stores would quickly remove that though and they'd have to regain followers.
 

ForgottenSeer 85179

Suggested reading for anyone debating whether to use HTTPS Everywhere or not:
HTTPS Everywhere is from EFF. Of course they make it better than it is nowadays.

Tor Browser uses it, which has some high-risk people as users. It must be useful.
Tor Browser doesn't even use, and never had, an adblocker. Also they can't protect you against fingerprinting.

You can read about that in edge and AdGuard thread ;) can't post it here from mobile

What about blocking port 80? The firewall will block all HTTP connections of the browser. If the browser supports using port 443 (HTTPS protocol), I think it will be blocked without any problems while access to HTTPS is still provided. What do you think?
Should work, but I guess it can make some trouble.
You then can't easily make exceptions at browser level for sites which still don't use HTTPS.
 

DDE_Server

You can read about that in edge and AdGuard thread ;) can't post it here from mobile
Should work, but I guess it can make some trouble.
You then can't easily make exceptions at browser level for sites which still don't use HTTPS.
If you do not want to use HTTP, then why do you want to make exceptions?

Also, I see in AdGuard desktop there is an option for HTTPS filtering but not HTTP; maybe I will search again for that.
Or do you mean using AdGuard DNS? That is another method.
I trust HTTPS for encrypted connection filtering, but maybe add some exclusions.
 

SeriousHoax

I see in AdGuard desktop there is an option for HTTPS filtering but not HTTP
This means AdGuard will MITM the encrypted HTTPS connection between the server and your browser. It needs to do this for it to block ads properly. Some AVs like Kaspersky, ESET and Bitdefender do this too by default to scan webpages.
HTTP is not encrypted, so it doesn't require such a method.
 

Cortex

I have few extensions but I do use AdGuard for desk with additions & anti-tracking on IVPN which gives somewhat unknown anti-tracking I must say, contacting support wasn't very helpful regarding what is & isn't tracked, (support should be in secret service) though it does block Spotify & upsets Office 365 (good) :):) Having no need for MS Office moved again to Softmaker so what O&O blocks is now irrelevant.
 