Kitz Forum

Computer Software => Security => Topic started by: AArdvark on August 29, 2015, 02:50:08 AM

Title: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: AArdvark on August 29, 2015, 02:50:08 AM
 --Chrome Will Block Flash Advertisements
(August 28, 2015)
As of September 1, 2015, Google's Chrome browser will freeze
"non-essential" Flash advertisements by default. The ads will play only
if users click on the "Run This Plugin" button that will appear with the
ad. "Essential" Flash content, including embedded video players, will
be permitted to run automatically.
http://www.theregister.co.uk/2015/08/28/google_says_flash_ads_out_september/
[Editor's Note (Pescatore): Adobe had a decade to try to make Flash
secure, didn't. In any event, hard to think of any animated
advertisement I would miss if it went away.
(Murray): Opt-in is the right default.  That said, our tolerance for
Flash is a measure of our tolerance for risk.  By that measure we are
not very serious.  Flash is "historically broken," not getting better,
a weak point in the browser, the desktop, ubiquitous, persistent, and
ultimately a risk to the infrastructure.]
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: Weaver on August 29, 2015, 02:53:58 AM
One nice thing about using an iOS device then, Flash can go and get stuffed.
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: AArdvark on August 29, 2015, 02:56:38 AM
The stupid thing is it is very easy to block Flash so you can choose when to run it.
This works in Firefox & Chrome.

People just do not configure their browsers correctly.

:)
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: Weaver on August 29, 2015, 03:05:34 AM
I wonder how to selectively block it in IE. IE is exceptionally configurable and of course can be administered by group policy, which can lock down settings. That's one reason why I have mandated the use of IE only, and other browsers are restricted to very savvy users or have to live in VMs.
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: AArdvark on August 29, 2015, 03:30:24 AM
@Weaver

How would you want the Flash add-on to run?

Do you have specific websites that you want to allow?
Do you have a defined rule you want to follow?

Just trying to understand what you want as there is some configurability available in IE but not as easily set up as Firefox & Chrome.

Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: Weaver on August 29, 2015, 05:16:21 AM
It's too long since I used IE or Windows, but control over Flash would have to be per-zone, using the IE security zones model, I think. It's the only place where URL-specific conditions can be set, afaik.

Nowadays, I would probably just remove Flash altogether, and maybe put it inside a VM instead, if someone absolutely has to have it.
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: AArdvark on August 29, 2015, 05:30:15 AM
@Weaver

You can specify in the ActiveX add-on itself the URLs that are allowed to run Flash. See below:

Defaults to * for all websites but can be changed. (Delete the * and it equals no website can run Flash.)

(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi1072.photobucket.com%2Falbums%2Fw364%2FGrapheneMan%2Fie-flash_zpsdbjd13bs.png&hash=583b8e160aa5383313d6f240a780043e7507559e)
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: Weaver on August 29, 2015, 11:34:56 AM
@Aardvark  - thank you so much for that. I'm not the only sysadmin that will find that tip useful. It's a long time, too long, since I looked at this.
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: Chrysalis on August 29, 2015, 11:58:54 PM
> I wonder how to selectively block it in IE. IE is exceptionally configurable and of course can be administered by group policy, which can lock down settings. That's one reason why I have mandated the use of IE only, and other browsers are restricted to very savvy users or have to live in VMs.

You don't even need to do that.

Go to the add-ons configuration in IE, double-click Flash and you will see a default whitelist of *, remove it.  That's it.  --edit-- AArdvark I see posted a pic of how to do it --

Now it will be blocked by default and you will get a prompt to whitelist on a site if you want to when viewing a site.

The things I use that still use Flash are:

1 - TBB speedtest.
2 - Twitch
3 - speedtest.net
4 - nbc sports
5 - bbc news
6 - random sites that seem to have Flash embedded in their code, as I occasionally get asked if I want to allow Flash code to run, even on non-multimedia sites. (Note I never allow it on these sites and they don't break.)

Apparently on phones etc. the BBC uses HTML5 though, so it seems they are too lazy to update their desktop content. TBB has an HTML5 tester but it isn't rolled out to members; mrsaffron seems very slow at code changes.
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: AArdvark on August 30, 2015, 12:02:21 AM
@Chrysalis

Is that a temporary whitelist just for that session?

Don't use IE at all, just know enough to use it if I must. :)
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: Chrysalis on August 30, 2015, 12:04:24 AM
No, it gets listed in that box you did a picture of, so it is saved between sessions.

Sadly if you want to remove an entry you can only do so by wiping the entire whitelist, although it may be possible to remove just one entry in the registry.
Also I recommend doing the same for Java and Silverlight if they are installed.

By the way, I configure my IE so it runs like ScriptSafe on Chrome, or NoScript on Firefox.

1 - Change the default zone to match restricted zone settings.  Or at least block JavaScript and web fonts.
2 - Change the trusted zone to the normal default internet zone settings.

Now by default JavaScript is blocked when browsing; sites like Google can be added to the trusted zone.

One way of doing an easy temporary allow in IE is to keep the ActiveX Filtering option enabled by default (it will block Flash etc.), then on the occasions you want it, untick it.
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: AArdvark on August 30, 2015, 12:13:33 AM
> No, it gets listed in that box you did a picture of, so it is saved between sessions.
>
> Sadly if you want to remove an entry you can only do so by wiping the entire whitelist, although it may be possible to remove just one entry in the registry.
> Also I recommend doing the same for Java and Silverlight if they are installed.

Still justifies my Firefox preference then  :D
Dumb to not allow a list to be edited after you allow it to be added to  ???
Try not to use Java & Silverlight and lock them down rather than give them any extra permissions, if I need to use them.
I live with a few extra prompts/pop-up questions but it ensures that when I browse I know what is/is not being loaded.  :D :D
Firefox + Adblock Plus + NoScript at a minimum is my preference. (I know Firefox can be memory hungry but that is acceptable to me. I have lots of memory)
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: burakkucat on August 30, 2015, 12:43:22 AM
> Firefox + Adblock Plus + NoScript at a minimum is my preference.

Firefox + Adblock Plus + Flashblock + Ghostery is my recipe.  :)
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: Weaver on August 30, 2015, 12:49:00 AM
I remain an informed and very experienced IE fan, having looked at every other web browser under the sun. I do like Opera though, but IE's security (split privilege and security zones) and configurability wins out over everything else. I couldn't let my users use something that can't be completely locked down and made tamperproof. I always run the 64-bit version of IE, which is not the default in Win7/Vista, as it's even more secure because malware would need to be 64 bit and I'm not sure that miscreants can be bothered to write x64 code although maybe someone could enlighten me on this?

I also use SRP and group policy heavily, and no users including me ever run as admins.

It's no good scorning me or trolling me because I thought about this for 20 years. :-)  :P
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: loonylion on August 30, 2015, 12:50:19 AM
I'm now almost at 2 years with neither flash nor java installed, it hasn't been a major inconvenience.
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: AArdvark on August 30, 2015, 12:55:13 AM
> > Firefox + Adblock Plus + NoScript at a minimum is my preference.
>
> Firefox + Adblock Plus + Flashblock + Ghostery is my recipe.  :)
:D
I did say at a minimum, I actually run much more incl Ghostery.
That is why I like Firefox, all the useful addons.
I know lots of them are awful toys/tat but there are quite a few essentials that are well written and work ! (Essentials to me, at least)
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: Weaver on August 30, 2015, 01:11:31 AM
The Firefox add-ons are great especially for a web designer, very seductive. Firefox is just too slow and too insecure for me personally and I couldn't let my users use it as it is again too insecure (still no split-privilege, low integrity whatever it's called) and is non-configurable by group policy as far as I'm aware, unless you perhaps could do some group policy extension hackery.

Apologies if this view is very out of date, which is highly likely, Firefox may very well have improved since I last looked at it.
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: AArdvark on August 30, 2015, 01:33:46 AM
 ;D
Your wish is my command !
I have not used this but it can be tried out in a test environment.

Cannot comment on the 'insecure' view, it works for me if you install the right add-ons for additional security.
Much more configurable than IE.
I will let the 'Chrome acolytes' argue the point in relation to Chrome itself. :D ;)

http://mozillagpo.sourceforge.net/
https://addons.mozilla.org/En-us/firefox/addon/gpo-support-for-firefox-and-th/?src=search
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: Weaver on August 30, 2015, 01:52:33 AM
@loonylion - good for you. I removed Java many, many years ago. I'm removing Flash now.  ;D
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: Weaver on August 30, 2015, 01:56:56 AM
Actually, since I have always used 64-bit IE, and there used to be no 64-bit Flash (don't know if there is now), I have been doing without Flash anyway for a long time.  On my own personal machine I could have my cake and eat it by installing 32-bit Flash in 32-bit IE and switching between the two IE browsers, x64 or x86, to have Flash or no Flash.
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: Chrysalis on August 30, 2015, 12:46:51 PM
The issue with Firefox is it doesn't drop its user privileges or sandbox itself like IE and Chrome, so it's more vulnerable than you may think.

Still, using NoScript and other add-ons on it does secure it quite a bit, as long as you are not blindly whitelisting everything.

Also Flashblock is pointless now as Firefox has click-to-play, plus NoScript has the same functionality as Flashblock.  Also I would suggest uBlock Origin instead of Adblock Plus/Ghostery: much faster, much better memory efficiency and more powerful with its advanced mode.

Sadly, as Weaver said, Firefox is slow. I sort of was used to it before using Chrome, but whenever I load a page via Firefox now it feels turtle pace compared to Chrome.
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: Weaver on August 30, 2015, 02:12:42 PM
From what little I have read about it, the innards of Firefox are quite a mass of spaghetti with lots of cruft, and I think it's rather dragging down the developers so they're not making progress as fast as they would like. It may be that backwards compatibility is holding them back as well; seeing as they have so many add-ons, maybe there are design decisions there that they would regret.

Given that they are eight years behind now (!) on the issue of low privilege there must be something that they are struggling with. Forgive my ignorance, but is there even a Windows x64 version yet?
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: AArdvark on August 30, 2015, 03:22:06 PM
Latest attempt to control 'bad' add-ons is they are all going to be signed.

I think the last I heard Mozilla said 'No 64 bit version' ....... End of Statement.

There is Waterfox ('Non Mozilla' 64-bit browser based on Mozilla's Firefox.) https://www.waterfoxproject.org/#about
Never used but I am sure someone mentioned it recently in a post somewhere.
Title: Re: Chrome will block Flash Adverts from 1st Sept (From SANS)
Post by: Chrysalis on August 31, 2015, 01:22:38 AM
Weaver, I am pretty sure you are right. The problem they have is I bet if they started afresh with clean code people would leave en masse; the thing that keeps people loyal to Firefox is probably a combination of the existing add-ons and the configurability.

AArdvark, they backed down on 64-bit. They finally admitted they have to make it for Windows, but it's not a priority, just nightly builds; it will probably take them 2-3 years I expect.  Instead of waiting for things like E10 and 64-bit I started using Chrome, not regretting it for the most part.

Also when I started using 64-bit Cyberfox all the crashes stopped, so I was hitting 32-bit ceilings in terms of resource usage.

My view is if they don't have the resources to maintain 32 and 64-bit for Windows they should abandon 32-bit and consider it obsolete.

http://www.howtogeek.com/165264/heres-why-firefox-is-still-years-behind-google-chrome/