
Security quotes of the week

Posted Apr 8, 2013 10:35 UTC (Mon) by Duncan (guest, #6647)
In reply to: Security quotes of the week by apoelstra
Parent article: Security quotes of the week

I've been using RequestPolicy for some time now (FWIW in stricter policy-per-host mode, not the default policy-per-second-level-domain mode).

It DOES take a few days/weeks of active hassle to get it set up nicely on one's usual sites, permitting the domains needed for (actually needed) scripting and CSS and for images and similar content, without permitting the all too normal tracking (including off-site ads, also google analytics, the ONE tracker site LWN seems to (ab)use), but once one's normally visited sites are set up, maintenance load goes down DRAMATICALLY. There's still the one-time sites to set up, but at least here, I don't really have as many of them as I might have thought. And when I do follow a link to such a site, I make sure I only allow temporary permissions so it doesn't clutter my permanent list too badly.

Of course I use noscript as well, which means for scripts I often have to permit them in two different spots, noscript and requestpolicy, but again, once it's set up for one's usual sites it's not too much of a hassle.

The one feature I SORELY miss in requestpolicy that's in noscript is the "untrusted" list that's automatically blocked and thus doesn't show up in the primary blocked list at all, but rather in the "untrusted" submenu. Were that feature available, it'd cut down the clutter of "never trust" sites showing up in the candidate allow list dramatically, thus making it much easier to find and allow the site's CDMs only, without having to go through the whole list of googleanalytics/facebooktracker/twittertracker/etc that I *NEVER* allow, eliminating the "needle in a haystack" effect the requestpolicy list sometimes gives one the feeling of now. That'd be the single best usability enhancement I could think of.

But that said, as to requestpolicy effectiveness, put it this way: With requestpolicy in place I tried but eventually uninstalled collusion, because it was simply a boring rehash of all the (one, two, very occasionally a single handful of) sites I'd previously specifically allowed a particular site to connect to. And even then, in many cases collusion only showed a connection once I deliberately followed a link. Basically, I tried to get collusion to give me the nice diagram of connections displayed in the documentation, and it simply wouldn't, because requestpolicy was simply blocking too much of the tracking web collusion might have otherwise constructed, so there simply wasn't anything interesting to show. I was actually a bit disappointed in collusion, but OTOH, it definitely boosted my faith in requestpolicy. =:^)

