

Panic Mode: Privacy Extension for Google Chrome - passfree
https://chrome.google.com/webstore/detail/panic-mode/lamdafciglhnjofdfejeepoemldmblkb

======
znowi
Actually, there's an EFF sponsored tool for that (written in collaboration
with the Tor project) for both Chrome and Firefox:

[https://www.eff.org/https-everywhere](https://www.eff.org/https-everywhere)

~~~
passfree
The only difference is that https-everywhere is trying to play nice and works
only on some web sites that have been tested with the extension. It doesn't
work "everywhere". Panic Mode, on the other hand, forces the user over SSL
regardless of whether the other end supports or doesn't support SSL. This means
that Panic Mode won't work for general browsing because you will quickly realise
that most web sites do not support SSL or use self-signed certificates, etc.

However, my personal opinion is that sometimes it is better for things to be
broken than to be sorry. If a web site breaks while Panic Mode is on and you
care about your privacy, either something fishy is going on or the site is
simply not good for this.

Panic Mode is more like a poor man's VPN tunnel. Https-everywhere is good but
can be fooled in some situations to leak sensitive information.

------
bifrost
Uh, SSL doesn't guarantee privacy, it just guarantees transport privacy
(usually). If the data is stored insecurely, you still are easily vulnerable.
If you're using a trojaned SSL system (PRC, corporate, etc) this doesn't make
you safer at all.

~~~
passfree
You are right. Yet, it is better than nothing.

~~~
annnnd
Actually, no - it is far worse than nothing. It makes you feel secure while
you are not.

I don't understand this line of reasoning - why would HTTPS be the cure for
the privacy problem? So you can post sensitive data through HTTPS to Gmail and
it will be "private"?

~~~
passfree
It is not a cure. I doubt that there is a single technology that can be called
a cure. It is a solution.

~~~
annnnd
My point was that it is neither a cure nor a solution. It does of course help
when combined with other means, but this plugin obviously can't supply those.

------
kryten
The irony is that the product it's being plugged into is being issued by one
of the companies at the middle of the PRISM thing and between the source code
and the binary generation there is an unknown number of things that happen
(please no-one spew the crap about Chrome being Chromium - it's not).

Secondarily, the root CAs are an easy target for the NSA, so
MITM/re-transmission time.

And after all, those pesky terrorists are probably using pre-shared OTPs and
any transport resulting in a completely secure channel anyway...

It's all ridiculous.

------
buster
So it breaks pages on purpose without fallback? Have fun using this. I can
recommend [https://chrome.google.com/webstore/detail/kb-ssl-enforcer/fl...](https://chrome.google.com/webstore/detail/kb-ssl-enforcer/flcpelgcagfhfoegekianiofphddckof)

It lets you surf over SSL but has a black and a whitelist.

~~~
passfree
Not great for general browsing indeed. However, it is indispensable for things
that matter like banking, etc. I personally feel safer in some situations when
I know that every single packet is forced over SSL and there is not even a
single request that goes out over plain-text HTTP.

~~~
buster
Yes sure, that's why I recommended the other extension (which I am using).
Because there are still a lot of sites out there that break or don't work over
SSL at all.

~~~
passfree
The problem with this approach is that due to the way cookies work you can
still leak stuff like session identifiers if you forget to enlist certain
subdomains and you are browsing other unprotected sites. The privacy in this
case is as good as the weakest link.

I have multiple profiles under Google Chrome. One of them is for sensitive
stuff where Panic Mode is installed and enabled always. I use it only for
things that matter and it is not annoying me.

Here is an example: [http://blog.websecurify.com/2013/03/how-to-improve-your-brow...](http://blog.websecurify.com/2013/03/how-to-improve-your-browser-security-with-panicmode.html)
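
The cookie leak described in the comment above, as an added example that is not part of the thread or of either extension's code. It models a list-based enforcer and a force-everything policy in simplified form; the cookie names, hosts and policy objects are constructed for illustration.

```javascript
// Constructed sample jar; names and hosts are illustrative. Path matching is
// omitted (every cookie is assumed to have Path=/).
const jar = [
  { name: "SID",   domain: "bank.example",     hostOnly: false, secure: false },
  { name: "AUTH",  domain: "bank.example",     hostOnly: false, secure: true  },
  { name: "PREFS", domain: "www.bank.example", hostOnly: true,  secure: false },
];

// Two hypothetical enforcement policies: a host list, or every request.
const listPolicy = { mode: "list", hosts: ["www.bank.example", "login.bank.example"] };
const allPolicy  = { mode: "all" };

// RFC 6265 domain matching: host-only cookies need an exact host match,
// domain cookies also match any subdomain.
function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// Scheme the request actually leaves the browser with under a policy.
function effectiveScheme(url, policy) {
  const u = new URL(url);
  if (u.protocol !== "http:") return u.protocol;
  const upgrade = policy.mode === "all" || policy.hosts.includes(u.hostname);
  return upgrade ? "https:" : "http:";
}

// Names of cookies that would be attached to a plain-HTTP request.
function cleartextCookies(url, cookies, policy) {
  if (effectiveScheme(url, policy) !== "http:") return [];
  const host = new URL(url).hostname;
  return cookies.filter(c => !c.secure && domainMatches(host, c)).map(c => c.name);
}

// A request to a subdomain that was never added to the list.
const unlisted = "http://static.bank.example/logo.png";
console.log(cleartextCookies(unlisted, jar, listPolicy)); // SID goes out in cleartext
console.log(cleartextCookies(unlisted, jar, allPolicy));  // nothing leaves over HTTP
console.log(cleartextCookies("http://www.bank.example/", jar, listPolicy)); // upgraded
```

Only the domain-scoped cookie without the `Secure` attribute is exposed; setting `Secure` on the server side closes the gap regardless of which extension is in use.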

------
ankitoberoi
Not very useful. Only secures your data when it's transferring over the
network. Most of the websites I use and have my private data on are already
forced https.

The problem of your Service Provider giving private data access to the
government still remains.

------
noerps
"Once Panic Mode is on all requests issued by your browser will be forced over
SSL" have an E for Effort Google Chrome.

------
drivebyacct2
As long as they can subpoena the endpoint, it's mitigated.

If they can compromise/coerce/control a root CA, then everything is largely
moot.

~~~
mtgx
Is it that hard for them to control the root CA? How can we verify that?
Someone should probably look into it.

