Hi Confused Computer User,
Well, I'll tell you about them. NoScript, as you may have understood from my postings, is the main script-blocker on demand inside the Firefox or Flock browser, and it does so much more:
http://forum.avast.com/index.php?topic=43432.msg363431;topicseen#msg363431 for a quick and dirty on that one.
Then I have Perspectives. The extension provides two primary benefits:
1. If you connect to a website with an untrusted (e.g., self-signed) certificate, Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
2. It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.
Then your question on the CSP, that stands for Content Security Policy:
The last 3 years have seen a dramatic increase in both awareness and exploitation of Web Application Vulnerabilities. 2008 has seen dozens of high-profile attacks against websites using Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) for the purposes of information stealing, website defacement, malware planting, etc.
It seems that while many sites are aware of these threats, and have programs in place to find and remediate the vulnerabilities, the sheer size and complexity of the websites make complete remediation of the security holes implausible. Browser vendors can do more to protect users from client-side attacks involving websites that are vulnerable to the classes of attacks mentioned above. This document proposes a mechanism that enables websites to define Content Security Policy which browsers can choose to enforce, restricting the capabilities of web content that make these attacks possible.
One might ask "if the vulnerable websites are aware of their shortcomings in Application Security, why won't they address the root cause and fix their vulnerabilities?" It is true that the ideal solution is to develop web applications free from any exploitable vulnerabilities. Real world security, however, is usually provided in layers and Content Security Policy intends to be only one layer. Even the hypothetical vulnerability-free website can benefit from Content Security Policy. Though the site may be free of vulnerabilities today, a new vulnerability may be introduced tomorrow which could remain fully mitigated by Content Security Policy until it is detected and fixed properly.
So it would help if as many users and webmasters as possible install CSP and support this initiative. This thread was started by me on the MozillaZine forums (polonus aka luntrus):
http://forums.mozillazine.org/viewtopic.php?f=48&t=1073125
ABP = easy, it is short for Adware Blocker Plus. Next to main ABP I run the following complementary add-ons: ABP Filter Uploader, ABP Watcher, ABP Element Hiding Helper, and to remove annoying content temporarily or forever and a day I have an extension by the name of YARIP:
http://forums.mozillazine.org/viewtopic.php?f=48&t=1073125
I have had this one for ages now, together with the very essential RequestPolicy, where I can include and exclude requests for domains and subdomains. I would not like to lose this one either, because it is complementary to NoScript against redirects to where malware may reside. Hope this satisfied your curiosity for a bit; you are welcome with your questions. Together with Firekeeper, with some interesting rules lists (based on Snort), this completes the in-browser line of defense of
polonus