Browser extensions Security

Here is why AV’s and Browser addons won’t make you more secure

Martin wrote an article about the latest ScriptSafe update, and while reading the comments I almost spilled my coffee all over my keyboard because I was shaking with a laughing fit.

AV is dead
… farewell …. sucker!

I will quote some comments without naming anyone.

XP with trick POSREADY2009

Firefox ESR – Noscript + U.B.O. + Canvas Defender + No Resource URI Leak

I have ABP + Element Hiding Helper, Canvas Blocker, Decentraleyes, No Resource URI Leak, Self-Destructing Cookies, Privacy Badger, I Don’t Care About Cookies, No Coin (anti-coin miner) and Smart Referer plus most of the “about:config” privacy-related recommendations Martin recommended.

For Firefox: Canvas Defender + Cookie AutoDelete + Decentraleyes + Don’t touch my tabs (rel=noopener) + eCleaner (Forget Button) + Google search link fix + Neat URL + Privacy Badger + Referer Control + Smart HTTPS + uBlock Origin + about:config changes.

Guys, I have to laugh. We had exactly the same story with antivirus programs, and now you are going to make exactly the same mistake with addons/extensions and so-called security programs yet again? Ohhh, it hurts – really!

Here are the logical problems with all of such concepts

  • This only protects your browser. What if you use Spotify, Steam, mp3tag, IDM… which connect to the internet to fetch data?
  • How do you prevent attacks from inside your PC?! A NAT usually blocks ports by default, but allowed programs might already have been infected by a drive-by infection.
  • Does this help when you need to log in or set cookies to write comments, e.g. on ghacks? No, because it won’t protect your IP. In this case only a proxy/VPN would obfuscate your real IP, and even then it’s difficult because platforms like Netflix block VPNs.
  • There are several fake addons/extensions, especially in the official Firefox and Chrome stores. Your PC won’t come with Chrome/Firefox and the addons pre-installed. Of course you can keep copies on a USB stick (just in case), but does that help when Windows might call home during the installation?
  • Attackers aren’t stupid. It’s the same as the anti-virus history: they simply test their programs against VirusTotal or against the mentioned extensions to work around the detection. In hacker terms: making the programs FUD (fully undetectable) or stealth.
  • Newer attacks like browser crypto-mining weren’t detected by all of these extensions (by default). Only advanced users are able to detect such threats, or you block all third-party domains. However, this is not a solution for everyone because it might break the pages you visit daily.
  • Running an unsupported OS like XP is in general a bad idea, even if you only work offline. Why? Simple: it doesn’t have as many protection mechanisms as newer OSes to avoid drive-by infection. It takes only seconds for a BadUSB to destroy your PC.
  • Threats like IME can’t be disabled easily with any addon/extension. A good NAT is enough to avoid ‘spying’.
  • Even ‘evil’ hackers are busted by simple mistakes. You think running Tor + TailsOS is enough? You’re sooo, sooo wrong!
  • There is no guide which tells you ‘how to be secure’ on the internet. There are some PoCs, but they won’t tell you the entire story. Using VeraCrypt doesn’t prevent anyone from stealing your data while you’re surfing on the mounted partition.

There are a lot more arguments, but I think you get the point. I’m not saying it’s a bad idea to use extensions at all, but you might want to consider hardware-based solutions which protect you from making some mistakes, like using a Pi-hole, a VPN which you can connect directly to your router, or buying a router with an integrated NAT or a regular expression filter function. Changing the DNS might also help.
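To make the difference between browser-only and network-level filtering concrete, here is an added example (not code from this post or from Pi-hole): a small sinkhole-style decision function with exact and regular-expression rules, run over a constructed resolver log. All domains, IPs and process labels are made-up assumptions.

```python
import re
from collections import Counter

# Constructed blocklist in the two forms a DNS sinkhole typically supports:
# exact names and regular expressions. Every domain here is a placeholder.
EXACT_BLOCK = {"tracker.ads.example", "telemetry.vendor.example"}
REGEX_BLOCK = [re.compile(p) for p in (
    r"(^|\.)coin-?miner\d*\.example$",  # mining hosts and numbered mirrors
    r"^ad[sx]?\d*\.",                   # ad., ads2., adx1. style prefixes
)]

# Constructed resolver log: "<client-ip> <process label> <queried name>".
# The process label is for the reader; a real resolver only sees IP + name.
QUERY_LOG = """\
192.168.1.10 firefox news.site.example
192.168.1.10 firefox tracker.ads.example
192.168.1.10 firefox pool.coinminer7.example
192.168.1.10 spotify ads2.audio.example
192.168.1.11 steam cdn.games.example
192.168.1.11 steam telemetry.vendor.example
192.168.1.12 smart-tv ADX1.tv.example.
"""

def normalize(name):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.strip().rstrip(".").lower()

def decide(name):
    """Return ("block", matching rule) or ("allow", None) for one query."""
    name = normalize(name)
    if name in EXACT_BLOCK:
        return "block", "exact"
    for rx in REGEX_BLOCK:
        if rx.search(name):
            return "block", rx.pattern
    return "allow", None

def summarize(log):
    """Apply decide() to every log line; count blocked queries per process."""
    blocked, decisions = Counter(), []
    for line in log.splitlines():
        _ip, proc, qname = line.split()
        verdict, _rule = decide(qname)
        decisions.append((proc, normalize(qname), verdict))
        if verdict == "block":
            blocked[proc] += 1
    return decisions, blocked

if __name__ == "__main__":
    for proc, qname, verdict in summarize(QUERY_LOG)[0]:
        print(f"{verdict:5} {proc:9} {qname}")
```

The same rules apply to the music client, the game launcher and the TV, none of which can load a browser extension. The filter only sees queries that are actually sent to it, so a program that ships its own encrypted DNS resolver never shows up in this log.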

Since this topic is huge, I am considering writing a more detailed guide about it next year.

What is your setup right now? Let me know, I’m curious.

2 replies on “Here is why AV’s and Browser addons won’t make you more secure”

Yo yo yo my homie chef koch. Good articles so far.

“Here are the logical problems with all of such concepts…”

So should we throw the towel? Should we accept WE LOST?
