Posted on January 8, 2009, 7:24 pm, by justin, under RequestPolicy.
I’ve spent the last few days adding support for more browsers to RequestPolicy. As of RequestPolicy 0.4.3, the following are now supported:
- Firefox 3+
- SeaMonkey 2.0 (tested on 2.0a2)
- Flock 2.0
- Fennec 1.0 (tested on 1.0a2)
- Songbird 1.0
Fennec took a bit of fiddling because it’s not well documented yet. However, the code is available and that helped. Here are some screenshots of the fruits of my Fennec labor. A quick look shows that RequestPolicy is the 12th extension to add support for Fennec (RequestPolicy is the most popular experimental one).
I had never actually gotten around to trying Flock before, and that was interesting. I definitely see its value to a large number of social network-using and mucho media-viewing users.
Posted on December 30, 2008, 8:45 pm, by justin, under RequestPolicy.
The Firefox extension I’ve been working on the past few months is now ready for general usage.
As I describe it on the requestpolicy.com website:
RequestPolicy is a Firefox extension that improves the privacy and security of your browsing by giving you control over when cross-site requests are allowed by webpages you visit.
The lack of user control over cross-site requests is a fundamental area that has been overlooked in browser security. We have great extensions like NoScript to give us control over the execution of scripts and objects in our browser, but cross site requests are still a major privacy and security problem that has been neglected. RequestPolicy provides a strong and secure default policy (blocking cross-site requests) and lets you whitelist cross-site requests as needed. As with extensions such as NoScript, within a week of using the extension, you won’t need to do much whitelisting.
The current version is 0.3.4. You can download it from requestpolicy.com or you can get it from the Mozilla addons site (addons.mozilla.org, a.k.a. AMO).
One of the more common but still widely forgotten security issues I see is that of forgetting to validate SSL certificates. I’m not talking about accepting certificate mismatches while browsing a mailing list archive. I’m talking about developers programming https communication.
What all developers need to keep in mind are two things:
1) SSL does very little good unless you are talking to who you think you are talking to.
2) The communication library you are using may not be validating SSL certificates.
Regarding #1: Why does SSL do little good without certificate validation? It’s because having an encrypted conversation with a man-in-the-middle is not the idea. In that case, all you’re protecting against is someone snooping on the wire between you and the attacker you are having the SSL conversation with. In the day of BGP attacks and DNS cache poisoning, which I’m lumping together in the “MITM” category for these purposes, the MITM isn’t necessarily only a powerful entity like a government. These aren’t just theoretical risks.
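Point #2 is easy to check from code. The example below is added here and is not from the original post: it uses only Python's standard `ssl` module to show the weak client configuration (encryption on, identity checking off) next to the correct one, a small audit function that tells you whether a given context will actually validate the peer, and a connect helper that refuses unverified peers. The function names and the `cafile` argument are this example's own choices; the hostname in the usage section is a placeholder.

```python
"""Audit whether a TLS client context really validates the server's certificate.

Added example (not the post's code). Standard library only; the hostname
and CA bundle path are placeholders you would replace in practice.
"""
import socket
import ssl
from typing import Optional


def weak_context() -> ssl.SSLContext:
    """The shape of the mistake: the handshake is encrypted, but the peer's
    identity is never checked, so any server (including a man-in-the-middle
    presenting its own certificate) completes the handshake successfully."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate, or none at all
    return ctx


def strict_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """A context that requires a chain to a trusted CA and a hostname match.

    create_default_context() enables CERT_REQUIRED and check_hostname and, when
    cafile is None, loads the platform's trust store."""
    return ssl.create_default_context(cafile=cafile)


def harden_context(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Turn a non-validating context into a validating one in place."""
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def validates_peer(ctx: ssl.SSLContext) -> bool:
    """True only if BOTH conditions hold: the chain is verified against trusted
    CAs and the certificate's name is compared to the host we asked for.
    Either one alone still leaves a MITM window."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def connect_verified(host: str, port: int = 443,
                     cafile: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Open a TLS connection that refuses unverified peers and report who
    answered. A validation failure surfaces as ssl.SSLCertVerificationError
    rather than a silently 'encrypted' session with the wrong party."""
    ctx = strict_context(cafile)
    assert validates_peer(ctx)  # fail loudly if someone weakens this later
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "subject": cert.get("subject"),
                "issuer": cert.get("issuer"),
                "not_after": cert.get("notAfter"),
            }


if __name__ == "__main__":
    print("weak context validates peer:  ", validates_peer(weak_context()))
    print("strict context validates peer:", validates_peer(strict_context()))
    print("hardened weak context:        ", validates_peer(harden_context(weak_context())))
    # Placeholder host; requires network access, so it is not run by default.
    # try:
    #     print(connect_verified("example.invalid"))
    # except ssl.SSLCertVerificationError as exc:
    #     print("certificate validation failed:", exc)
```

When reviewing a codebase, grep for `CERT_NONE`, `check_hostname = False`, `verify=False` and their equivalents in whatever HTTP library is in use, and run something like `validates_peer` on the context the library actually hands to the socket; a library that defaults to `CERT_NONE` gives you exactly the encrypted conversation with the wrong party that the post describes.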
Posted on March 11, 2006, 11:23 pm, by justin, under HOWTOs.
This howto will show you how to set up an SSL certificate on a Plesk server so that it will be used when people connect through secure POP, SMTP and IMAP.