Easiest, one-click way to remove vulnerable SSL3 support from Firefox, while still allowing Mozilla to automatically enforce even safer defaults in future updates:
Painful, yes, but it should take care of this kind of attacks, as long as you can trust HTTPS (e.g. with Convergence).
Furthermore, NoScript 188.8.131.52rc2 introduce an experimental "Allow HTTPS scripts globally on HTTPS documents" mode (in Advanced>HTTPS>Permissions) if you value convenience over finer grained security.
Are there still security issues with having JS enabled?
Fresh from the summary of the upcoming BlackHat talk by Jeremiah Grossman, A Million Browser Botnet:
There is ZERO chance I'm going to use a browser which doesn't allow me to default JS to being disabled. NoScript is also FAR advanced beyond other similar tools, so it would REALLY SUCK to have to use Chromium's lame equivalent, but I will if it is the only choice. At least in other respects Chromium is pretty good.
In what ways is NoScript more advanced than ScriptSafe?
Besides some "minor" features first introduced by NoScript, which advanced the state of the art of browser security (such as the most effective in-browser XSS filter, the ClearClick anti-Clickjacking technology and the Application Boundaries Enforcer module), NoScript holds a modest advantage over all its Chrome-based "clones": basic script blocking which actually works
The patch is not exactly a one-liner, because the implemented behavior is not as straight-forward as just "block 3rd party cookies".
It's "block cross-site cookies from origins which I've not visited yet as a 1st party websites and have already 1st party cookies from".
This means, for instance, that Facebook, Google and Twitter gets likely a free-pass to track almost anybody.
And that once you (accidentally or not) click any ad box, you give a free-pass to its advertising agency too.
Link to Original Source
I doubt they measure number of pages when measuring market share here.
Wrong, that's exactly what they do: Why do you base your stats on page views rather than unique visitors?
And yes, they're aware of the prerendering Chrome stats inflation problem, even though they believe it doesn't significantly skew their stats, for some reason they're unable to explain themselves (sounds like "faith" or "we're too lazy to adjust our data even though we could").
- He will find all your installed extensions among the ones he's looking for, because every Chrome extension have a manifest.json file. This means that he just needs to crawl https://chrome.google.com/webstore/category/extensions for GUIDs of all the installable extensions, and he can detect your full extensions list.
- There's no such a generic detection method for Firefox extensions. You can detect some (e.g. adblockers) by testing for their specific behavior and effects on web pages (e.g. how some DOM elements have been removed/hidden/inserted), but you can't develop a catch-all detection script, because Firefox extensions are generally undetectable.