uazo / cromite

Cromite, a Bromite fork with ad blocking and privacy enhancements; take back your browser!
https://www.cromite.org/
GNU General Public License v3.0

The need to enable secure dns to block dangerous sites especially that google safe browsing is disabled #732

Closed feraritn closed 8 months ago

feraritn commented 8 months ago

Preliminary checklist

Is your feature request related to privacy?

Yes

Is there a patch available for this feature somewhere?

Yes: choose a security-focused DNS provider like dns0, or add an option to enable the "SafeBrowsingProtectionLevel" policy.

Describe the solution you would like

Hello, I see that Google Safe Browsing is disabled. We hope there will be an optional setting where the user can activate Google Safe Browsing, which protects users from suspicious phishing, malware, scam and virus sites...

I have read this issue with your explanations about Chrome policy with interest...

I went to chrome://policy/ and found the policy "SafeBrowsingEnabled", and I tried to disable it to enable Google Safe Browsing, but I found that "This policy is deprecated in Google Chrome 83, please use SafeBrowsingProtectionLevel instead."

https://chromeenterprise.google/policies/?policy=SafeBrowsingEnabled

We hope the "SafeBrowsingProtectionLevel" policy will be added to Cromite, thank you :)

If this is not possible, I think it is a good idea for Cromite Browser to enable by default one of these famous ultra-secure DNS providers to protect its users; many users are not computer experts and do not know how to activate and change to an ultra-secure DNS over HTTPS.

After much research, here are some good DNS servers which seem compatible with the philosophy and aspirations of Cromite Web Browser, because this DNS blocks Google domains while at the same time also blocking malware and virus sites...

https://decloudus.com/index.html https://avoidthehack.com/best-dns-privacy#decloudus

"Echo" provides advanced blocking of ads, trackers and malware; "Alpha" has a focus on deGoogling where, in addition to blocking ads, trackers, and known malicious domains, it aims to block Google-related domains as well; "Zulu" is a more tame version of "Alpha" where only some Google domains are blocked.

Quad9 DNS seems to be the DNS with the fewest false positives; CIRA DNS seems to be stricter and more responsive, and seems to block more sites than Quad9:

https://www.andryou.com/2020/06/04/comparing-malware-blocking-dns-resolvers-real-world/

dns0 seems to be the most secure DNS in the world and it is my personal choice of DNS, so much so that I have disabled my antivirus...

https://www.dns0.eu/fr/zero
https://www.dns0.eu/fr
https://quad9.net/service/service-addresses-and-features
https://cleanbrowsing.org/filters/
https://www.cira.ca/en/canadian-shield/configure/summary-cira-canadian-shield-dns-resolver-addresses
https://www.cira.ca/fr/bouclier-canadien-de-cira/configure/
https://decloudus.com/

https://dnswarden.com/
https://github.com/dnswarden/dnswarden.github.io
https://blitz-setup.ahadns.com/
https://rethinkdns.com/configure
https://servers.opennicproject.org/
https://servers.opennic.org/
https://blahdns.com/
https://controld.com/free-dns
https://mullvad.net/en/help/dns-over-https-and-dns-over-tls
https://nextdns.io/fr

Describe alternatives you have considered

Enable by default dns0

https://www.dns0.eu/fr/zero

Off topic, clarification: I have several old Google accounts, which is what motivated me a little to repost my issues, but this is the last time I do it, and perhaps Mr Uazo should himself open issues with the title of the issue to remember it, because I don't really know if GitHub will delete my issues tomorrow...

Apparently, if I make another issue with the same new account, GitHub will block me; I received a message from GitHub telling me it cannot determine my geographical position (probably because I changed a lot of flags and command-line options in my web browser), which may explain why GitHub is blocking me...

opzch commented 8 months ago

Hello, I see that Google Safe Browsing is disabled. We hope there will be an optional setting where the user can activate Google Safe Browsing, which protects users from suspicious phishing, malware, scam and virus sites...

If you need this kind of filtering, why not just install an app or extension with these capabilities yourself? GSB blocking quality has dropped significantly over the past few years, so additional alternatives are never enough.

If this is not possible, I think it is a good idea for Cromite Browser to enable by default one of these famous ultra-secure DNS providers to protect its users,

A better idea is to set it for the entire system, not just one browser.

many users are not computer experts and do not know how to activate and change to an ultra-secure DNS over HTTPS,

Mobile: Settings -> Privacy and security -> Use secure DNS
Desktop: Settings -> Privacy and security -> Security -> Use secure DNS

Or enable built-in DNS client. https://chromeenterprise.google/policies/?policy=BuiltInDnsClientEnabled https://chromeenterprise.google/policies/?policy=DnsOverHttpsTemplates

Perhaps some of the endpoints could be added to this list: [image]
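As an added example (not code from the Cromite project or from anyone in this thread), the two policies opzch links, plus `DnsOverHttpsMode`, can be applied on Windows from an elevated PowerShell session, which is the route for users who should not have to find the secure DNS page themselves. It assumes the policy key `HKLM:\SOFTWARE\Policies\Chromium` is the one Cromite honours (confirm in chrome://policy after applying); the resolver URL is a placeholder to be replaced with the chosen resolver's real DoH template, not a recommendation of any provider.

```powershell
# Added example, not Cromite's own code. Applies, verifies and removes the
# Chromium DNS-over-HTTPS policies via the registry.
# ASSUMPTIONS: the policy key path is the plain-Chromium one; the resolver
# template is a placeholder.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Chromium'                   # assumed path
$ResolverUrl = 'https://resolver.example.invalid/dns-query{?dns}'   # placeholder template

function Set-SecureDnsPolicy {
    param(
        [string]$Key = $PolicyKey,
        [string]$Template = $ResolverUrl
    )
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # 'secure' forbids fallback to the OS resolver. 'automatic' is the weak
    # setting: it silently falls back to plaintext DNS when the DoH server fails.
    Set-ItemProperty -Path $Key -Name 'DnsOverHttpsMode'        -Value 'secure'  -Type String
    Set-ItemProperty -Path $Key -Name 'DnsOverHttpsTemplates'   -Value $Template -Type String
    Set-ItemProperty -Path $Key -Name 'BuiltInDnsClientEnabled' -Value 1         -Type DWord
}

function Test-SecureDnsPolicy {
    param([string]$Key = $PolicyKey)
    if (-not (Test-Path $Key)) { return $false }
    $p = Get-ItemProperty -Path $Key
    # A template must be an https:// URI; mode 'secure' with an empty or
    # malformed template leaves the browser with no working resolver at all.
    return ($p.DnsOverHttpsMode -eq 'secure') -and
           ([string]$p.DnsOverHttpsTemplates -match '^https://')
}

function Remove-SecureDnsPolicy {
    param([string]$Key = $PolicyKey)
    foreach ($name in 'DnsOverHttpsMode', 'DnsOverHttpsTemplates', 'BuiltInDnsClientEnabled') {
        Remove-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue
    }
}

# Run as Administrator:
# Set-SecureDnsPolicy
# Test-SecureDnsPolicy    # True once both values are in place
```

The check function is the part worth keeping: a deployment that sets `automatic` instead of `secure` still shows "Use secure DNS" as on in the UI but will quietly downgrade to the ISP resolver whenever the DoH endpoint is unreachable, so verify the mode, not just the presence of a template.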

feraritn commented 8 months ago

I have enough knowledge, and I even have hundreds of tools and DNS providers that allow me to manipulate DNS; I speak for beginners or non-experts. I would like to recommend Cromite to my friends and to my Twitter followers... I can't see myself telling them to go to the DNS section of the browser and enter the values for dns0, CIRA DNS or Quad9 DNS... they will be scared and tell me it's complicated, and I fear that they will visit malware sites if they do not activate a good DNS which protects them; tests have shown Google DNS and Cloudflare DNS do not block dangerous scam and virus sites... And given what is happening in Palestine, with horrible crimes against children and women, try to erase the flag in your photo; it's a question of having a minimum of decency and dignity.

uazo commented 8 months ago

Enable by default dns0

Sorry, I do not agree with adding more configurations in the browser, simply because I do not have the time to make the necessary evaluations of services

add option to enable "SafeBrowsingProtectionLevel" policy

I don't agree with that either. One of Cromite's goals is not to tie itself to any external service. And then there is the firewall patch that would not allow the use of that service. If there were other services similar to Google's Safe Browsing and if we could create a double proxy, we could add the custom option (as in DNS), but as far as I know, there are none.

feraritn commented 8 months ago

We understand :) 💯 Thank you Mr @uazo for these important explanations :)

I even think deactivating Safe Browsing will improve battery life, and I think dns0 is sufficient to protect us. dns0 was founded by the founder of the famous "NextDNS", who is also a technical manager at Netflix, and dns0 is apparently financed by the European Commission to offer Europe a sovereign European DNS which respects privacy, so that Europe "frees itself" from the domination of American Big Tech companies and avoids surveillance by the NSA and FBI...

My suggestion was just to make the awesome Cromite browser even more popular... we hope the DNS of the users' ISP will block the malware...

Maybe people who have a Google account should enable this option in their Google account; maybe it will enable Safe Browsing even if Safe Browsing is disabled in the browser:

https://myaccount.google.com/account-enhanced-safe-browsing?hl=en

And when I recommend Cromite, I will ask my family, friends and Twitter followers to activate a secure DNS provider like CIRA, Quad9 or dns0... in order to increase their security level...

I spoke months ago to the developer of AdGuard DNS about integrating Google Safe Browsing into AdGuard DNS; the developer liked the idea and told me that he would investigate the API... so maybe AdGuard DNS can replace an ad blocker and protect users from crypto-mining malware and viruses... especially since AdGuard DNS does not practice aggressive blocking and avoids false positives...

@opzch Anyway, thank you for your illustrated explanations despite our differences of political opinion; the universal values of peace should bring people together around this ideal, whatever our nationality and ideology.

uazo commented 8 months ago

is apparently financed by the European Commission to offer Europe a sovereign European DNS which respects privacy, so that Europe "frees itself"

But I don't think so; where did you read that? If so I'd be in the queue for EU funding, but I've never heard of it.

feraritn commented 8 months ago

A few weeks ago, I was hesitating over which secure DNS to choose between CIRA, Quad9, CleanBrowsing... then it seems to me that I read press articles about dns0 being financed by funds from the European Union... I will try to find them...

In any case, what is certain: @rs, the founder of "dns0", is the same founder as the famous "NextDNS", and he is the director of engineering at Netflix and founder of Dailymotion; dns0 is a non-profit association, so it does not sell our data, and dns0 is recommended by the trusted site european-alternatives.eu:

https://european-alternatives.eu/product/dns0-eu

feraritn commented 8 months ago

Mr @uazo: I have other questions, please. You said: "and then there is the firewall patch that would not allow the use of that service." So is there a firewall in Cromite which prevents the use of Google Safe Browsing even if we activate this option in our Google account?

https://myaccount.google.com/account-enhanced-safe-browsing?hl=en

I consulted the documentation and it says:

"Windows Cromite-specific features enable Network Service Sandbox by default"

and

"Enable network process sandbox in Windows
I don't include any setup because I don't like the experience of not knowing what they do, so you must manually run this command on first installation:

cd
icacls . /grant "*S-1-15-2-2:(OI)(CI)(RX)""

So, are the firewall and the network process sandbox activated by default in Cromite, or do we have to activate them manually by modifying flags or adding command lines, please?

uazo commented 8 months ago

so is there a firewall in Cromite which prevents the use of Google Safe Browsing even if we activate this option in our Google account?

Yes, that is so. Only certain browser calls to the network are allowed.

are the firewall and network process sandbox activated by default in Cromite

They are different things and, before you say it, yes, I am flawed in my documentation :( The network process sandbox is active by default but requires user intervention.

It is a desktop-only feature; unfortunately the Android project was cancelled.

(ME) Is it possible to know the reasons for the cancellation of this interesting project?

Hi! After some experimenting we determined the process overhead for an out of process network service was too much for Android, and there are other higher priority projects that the team is focusing on.

from https://bugs.chromium.org/p/chromium/issues/detail?id=1262395#c17

feraritn commented 8 months ago

Oh, very interesting information, thank you @uazo :) 💯

Oops, excuse me, it seems I was wrong and dns0 is not funded by the European Commission, but despite that, I objectively think dns0, made by co-founder Mr @rs, is the best DNS in the world and the most secure DNS in the world:

"Access to a private DNS server is usually free, and dns0.eu is no exception. So, how are investments financed? When questioned on this point, Romain Cointepas assures that dns0.eu is developed on NextDNS funds, the software part of which is widely used. In addition, the initiative seems to appeal to some Internet players, who are making equipment available — it will also be possible to support the project with donations."

https://www.lesnumeriques.com/appli-logiciel/dns0-eu-promet-de-surfer-sur-internet-plus-sereinement-n206479.html

feraritn commented 8 months ago

Mr @uazo, there is indeed a sovereign and censorship-free European DNS financed by the European Union, which officially encourages the use of this sovereign DNS to protect European institutions, businesses and citizens from cyberattacks:

DNS4EU https://www.joindns4.eu/

But this DNS project is not finished, and I think dns0 is the best because it uses AI and has amazing new exclusive features: "Meet ZERO, enhanced security for highly sensitive environments. Dramatically increase the detection rate of malicious domains, especially in the early stages of their activity, by combining human-confirmed threat intelligence with advanced heuristics that automatically identify high-risk patterns."

feraritn commented 8 months ago

Mr @uazo, even if I try to avoid complicated things, I tried to be courageous: since I use a secure DNS provider and I like to strengthen security even more, I finally decided to activate the network process sandbox. But before that I decided to check whether the Network Service is sandboxed in the Edge and Chrome browsers, and what was my surprise when I saw in:

chrome://sandbox
edge://sandbox

Network Services | Not Sandboxed !!

So is the network process sandbox still experimental, because it is not activated in the Chrome and Edge browsers?

And if we still want to activate the network sandbox, please, do we open cmd.exe as administrator and then enter these values?

cd <C:\cromite\chrome.exe>
icacls . /grant "*S-1-15-2-2:(OI)(CI)(RX)"

And if we uninstall Cromite, how do we delete these values, please, or will these values be automatically deleted if we uninstall Cromite?

cd <C:\cromite\chrome.exe>
icacls . /grant "*S-1-15-2-2:(OI)(CI)(RX)"

feraritn commented 8 months ago

Excuse me again Mr @uazo, I am reading the documentation of the network sandbox; it says:

"Cookies and some other data will move location. Due to the added security of the new sandbox, the files that are needed when accessing the network (e.g. Cookies) have been isolated into their own secured folder. While they were previously stored in the root of the profile, they are now stored in a folder called Network along with other network data. Software should not be directly accessing these files, but if you know of any third party software that relies on this location that is running in your environment then.... Enabling the sandbox for the first time will move these files, and they will remain in this location even if the sandbox is later disabled - they are just accessed fine by the Network Service regardless of the sandbox status from that new location."

So if I use the downloader yt-dlp GUI with the preset "--cookies-from-browser", with network sandboxing enabled, can we no longer import cookies from the browser into yt-dlp? Or can we no longer use this downloader extension that may export cookies from the browser to yt-dlp?

https://github.com/54ac/stream-detector

uazo commented 8 months ago

So is the network process sandbox still experimental, because it is not activated in the Chrome and Edge browsers?

Experimental for them, stable for us, if by experimental you mean non-active.

how do we delete these values, please, or will these values be automatically deleted if we uninstall Cromite

They are permissions on the folder; just delete the folder. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls

can we no longer import cookies from the browser into yt-dlp? Or can we no longer use this downloader extension that may export cookies from the browser to yt-dlp?

I don't know.
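The permission the Cromite documentation grants with `icacls . /grant "*S-1-15-2-2:(OI)(CI)(RX)"`, and the uninstall question above, as an added PowerShell example that is not the project's own code: it checks whether the install folder already carries that access control entry, applies the same grant with the path spelled out instead of a `cd` first, and shows the explicit `icacls /remove:g` for the case where the folder is kept (deleting the folder, as uazo says, takes the ACL with it). `S-1-15-2-2` is the well-known SID ALL RESTRICTED APPLICATION PACKAGES, the group that less-privileged AppContainer processes belong to; `C:\cromite` is a placeholder for wherever chrome.exe was unpacked.

```powershell
# Added example, not from the Cromite project. Manage the folder ACE that the
# Windows network-service sandbox needs in order to read the browser's files.
# ASSUMPTION: $InstallDir is a placeholder; point it at the real install folder.
$InstallDir = 'C:\cromite'   # placeholder
$SandboxSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-15-2-2')

function Test-SandboxAce {
    param([string]$Path = $InstallDir)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for rules keyed by SID so the check does not depend on a localised group name.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -ne $SandboxSid.Value) { continue }
        if ($r.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        # (OI)(CI) in icacls terms: the ACE inherits to files and subfolders.
        $oi = $r.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ObjectInherit)
        $ci = $r.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
        # (RX): ReadAndExecute, which is a composite flag, so HasFlag checks every bit.
        $rx = $r.FileSystemRights.HasFlag([System.Security.AccessControl.FileSystemRights]::ReadAndExecute)
        if ($oi -and $ci -and $rx) { return $true }
    }
    return $false
}

function Grant-SandboxAce {
    param([string]$Path = $InstallDir)
    if (Test-SandboxAce -Path $Path) { return }   # idempotent: nothing to do
    # Same grant as the documentation, with the folder given explicitly.
    & icacls.exe $Path /grant "*S-1-15-2-2:(OI)(CI)(RX)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

function Revoke-SandboxAce {
    param([string]$Path = $InstallDir)
    # Only relevant if the folder stays behind; removing the folder removes its ACL.
    & icacls.exe $Path /remove:g "*S-1-15-2-2" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

# Run from an elevated prompt:
# Grant-SandboxAce
# Test-SandboxAce     # True once the ACE is present
```

Granting read and execute only, inherited down the tree, is the least the sandboxed network process needs; the check deliberately rejects an entry that lacks either inheritance flag, because a non-inherited grant on the top folder alone would not cover the files the service actually opens.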

feraritn commented 8 months ago

Awesome, thank you so much !

feraritn commented 7 months ago

Hello @uazo, I discovered this extension that uses a list of hostnames which can improve security by blocking suspicious sites... in addition, it allows working around the problem of migrating from Manifest V2 to Manifest V3, which will affect the effectiveness of ad blockers; perhaps even Cromite could consider integrating this extension instead of Adblock Plus if Adblock Plus adopts Manifest V3...

https://add0n.com/adhost.html

https://github.com/ray-lothian/adhost-adblocker/

"An open-source DNS-based ad-blocker that operates based on host filtering to block ads, malware and phishing hostnames.

The "adHost" extension uses hostname matching to block ads on all web pages except those that are whitelisted. In this method, a predefined list of hostnames for known advertisers or analytics providers is blocked. Since text matching is all that is done to block or allow a hostname, this method is faster and causes less memory bloat compared to the RegExp method that add-ons like uBlock, Adblock, or Adblock Plus use. You can use the options page to whitelist a domain (no resource is blocked in tabs with this hostname) or add more hostnames to the blacklist."