Re: Risks associated with using flash | Is there an alternative ?
Here's what I do:
1. I use FF as my full-fledged browser, but only sparingly. When I do use it, it is fully hardened with Adblock Plus, a Cookie Manager, WOT, Better Privacy, and most importantly, NoScript. This last, stops all scripting dead in its tracks. Everything is defaulted to "deny". I only whitelist sites that I absolutely have to, like my banking sites. If anything else is permitted, it is one-time and temporary (see below). NoScript has the added advantage of prohibiting cross-site scripting and a few other tricks that scumbags use to crack browsers.
2. The majority of my browsing is conducted through Links2 in graphics mode. This is a hyper-light, primitive browser that is actually incapable of accepting/storing cookies or running any script including flash. Obviously, it can't show many sites in their full obese pigged-out glory, but I don't care, as I am after the content and not the eye/ear-candy.
3. For sites that simply will not load without flash, I make a decision: if I must access the site, then I fire up FF, temporarily permit it in NoScript and let it drop back to "deny" when I'm finished. In 95% of the cases, I decide that such a site is not important enough to risk permitting scripting to run and I take the attitude that if the designer cannot engage my interest without forcing his scripts down my throat, he doesn't deserve my viewership/patronage. Stated so baldly, it sounds rather arrogant I'm afraid, but I'm not trying to be arrogant; just safe.
I'm convinced that my browser will not be compromised so long as I adhere to these stringent rules.
They aren't for everyone, and even my wife won't put up with this level of paranoia. Her browser is structured far less stringently than mine, but I am convinced that hers is also far more vulnerable. And, to be honest, her surfing habits make me cringe anyway, so I'm not sure browser hardening would do much. In the end, by far the biggest risk factor is the user, and all of these tools are worthless if such users are intent on behaving like fools.
You have to make your own decision on the basis of your risk tolerance, your perception of how bad things are out there and how hungry you are for eye/ear-candy.
I failed to mention that I have an apparmor profile defined for FF and I actually turn it on (it comes off by default). Mine is not the canned profile, but a custom profile that I've trained. Unfortunately, this is a complicated process and far beyond the scope of this thread, but it is a critical component to contain any breakout which my prior steps may have failed to safeguard.
I take further steps too, but we risk getting lost in a general security discussion when what you want is a quick and simple set of suggestions to cover off the biggest holes in flash.
Last edited by DuckHook; December 24th, 2013 at 08:47 AM.
Reason: Additional info
Newb: How far must I jump to clear the ledge halfway down?
Guru: It's bad to jump off cliffs. Let's look at better options.
Newb: Stop harping about "best practices" and just tell me.