Miscellaneous ABE comments

Bug reports and enhancement requests
Nan M
Ambassador
Posts: 102
Joined: Thu Mar 19, 2009 12:44 pm

Miscellaneous ABE comments

Post by Nan M »

If this isn't the general ABE development thread, please move my post.

I'm assuming that the rule

Code:

    Site LOCAL
    Accept from LOCAL
    Deny

is what I've been anticipating - a stopper against somebody (not on the LAN, of course!) guessing the router password?

The roadmap to including web developers in NS is very much as I'd hoped to see, with the application of all the more technical details of Giorgio's work being pushed towards those with both the expertise and the trustworthiness to run them.
It will be wonderful to be able to subscribe to a trusted webmaster's rules - or maybe to some trusted power user's set.

I've sent my bank's webmaster the ABE links and I hope they are smart enough to see the value in attracting customers who have really tried to think about security, as opposed to those who install antivirus tools and cross their fingers.

And the weird hangs are definitely not around any more using 1.9.3.8, either in the Ubuntu system or this one.
Note that Tools|Add-ons is still reporting 1.9.3.7, while NS|Options has it right.

Edit: Clarify the question.
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Miscellaneous ABE comments

Post by Alan Baxter »

Nan M wrote: If this isn't the general ABE development thread, please move my post.
Your wish is my command.
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Miscellaneous ABE comments

Post by therube »

ABE + CSRF works :-)

Code:

    Site www.dslreports.com/logout
    Accept GET POST from SELF
    Deny

Discussion: Raising Awareness: CSRF Proof of Concept - DSLR Logout

POC:
Log into http://www.dslreports.com
Visit http://dmiessler.com/development/csrf_poc.php
Check your login status http://www.dslreports.com/loghist
(you have been logged out, unless you've used some other method to mitigate the logout)

Enter the above ABE rule
Revisit the POC:

You are still logged in :-)
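To see what therube's rule (and the LOCAL rule in Nan M's first post) does to the requests in the proof of concept, here is an added example that is not part of the thread or of NoScript: a small Python model of ABE rule evaluation. It simplifies the real grammar (first matching action wins, SELF compares hostnames only, LOCAL means loopback or private addresses) and uses the PoC URLs quoted above plus a constructed router address.

```python
import ipaddress
from urllib.parse import urlparse
# Constructed, simplified model of how a NoScript ABE ruleset decides a request (not
# NoScript's code): "Site <target>" opens a rule, then each "Accept|Deny [METHODS]
# [from <origins>]" line is tried in order and the first match wins.
RULESET = """
Site LOCAL
Accept from LOCAL
Deny

Site www.dslreports.com/logout
Accept GET POST from SELF
Deny
"""

def is_local(url):
    """LOCAL: loopback or private-network host, e.g. a home router's admin page."""
    host = urlparse(url).hostname or ""
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_private
    except ValueError:  # a DNS name rather than an address: not local
        return False

def parse(text):
    rules = []
    for words in (line.split() for line in text.splitlines()):
        if words and words[0] == "Site":
            rules.append((words[1], []))
        elif words:
            i = words.index("from") if "from" in words else len(words)
            # (action, methods or None meaning any, origins or None meaning any)
            rules[-1][1].append((words[0], words[1:i] or None, words[i + 1:] or None))
    return rules

def matches(pattern, url, site_url):
    """Match a Site or origin pattern; SELF means the same host as the Site."""
    if pattern == "LOCAL":
        return is_local(url)
    if pattern == "SELF":
        return urlparse(url).hostname == urlparse(site_url).hostname
    return ((urlparse(url).hostname or "") + urlparse(url).path).startswith(pattern)

def decide(rules, dest, origin, method):
    """Return 'Accept' or 'Deny' for one request; an uncovered destination is allowed."""
    for site, actions in rules:
        if matches(site, dest, dest):
            for action, methods, origins in actions:
                if (not methods or method in methods) and (
                        not origins or any(matches(o, origin, dest) for o in origins)):
                    return action
    return "Accept"
```

Run against the PoC, the cross-site request from dmiessler.com to /logout is denied while a same-site POST to /logout and any request to /loghist still pass; the LOCAL rule likewise blocks an internet page from reaching 192.168.1.1 but lets another LAN host through.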
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Miscellaneous ABE comments

Post by therube »

I guess the real question is how to know that such an exploit exists so that you know to protect yourself against it?
(And then you have to know what these 'GET POST SELF Accept Deny Logout ...' thingamajigs are.)
GµårÐïåñ
Lieutenant Colonel
Posts: 3370
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Miscellaneous ABE comments

Post by GµårÐïåñ »

I am waiting at the moment to see if Giorgio when he has time down the line will add a rule building interface or not, but in the meantime I have started working on a small utility of my own that will help create the rules by having an intuitive interface of pull down reserve words, maybe a small hover description of when to use which, and then a box where you can enter the sites and so on and then permissions checkbox or pull down and then it will result in a rule that you can copy and paste into NS ABE. It's still on the drawing board (in my head) and waiting to see if this would be worth it or it will be obsolete by something Giorgio does. So when it's all said and done, I am sure we'll have something for creating those rules, done by somebody.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Nan M
Ambassador
Posts: 102
Joined: Thu Mar 19, 2009 12:44 pm

Re: Miscellaneous ABE comments

Post by Nan M »

therube wrote: I guess the real question is how to know that such an exploit exists so that you know to protect yourself against it?
(And then you have to know what these 'GET POST SELF Accept Deny Logout ...' thingamajigs are.)
My take on it is that it's a prophylactic. So any site you are logged in to while you visit others would be listed in the rule - that is if you don't want your information/ID on that site ripped off.
Unless, of course, the site's webmaster isn't silly enough to have their logout configured the wrong way.
Now which webmaster would you trust, Nan? Hmmmmm. Giorgio for certain is the only one I would so far trust, because I have no coding chops. But only at hackademix.net so far because he's been flat out like a lizard drinking since opening these forums and I wonder whether he's checked the logout routine here.
That's only an example, because I'd be certain that Giorgio wouldn't use software that had a bad credentials routine.

For my critical logons, such as banking, I use a separate profile and don't link out of the domain for the session, so I wouldn't need that particular ABE rule for that profile.
However, for a couple of political web forums I have already added this ABE rule. It doesn't seem to break anything so far.
That's my non-tech take on it, for what it's worth.
Nan M
Ambassador
Posts: 102
Joined: Thu Mar 19, 2009 12:44 pm

Re: Miscellaneous ABE comments

Post by Nan M »

GµårÐïåñ wrote: I am waiting at the moment to see if Giorgio when he has time down the line will add a rule building interface or not, but in the meantime I have started working on a small utility of my own that will help create the rules by having an intuitive interface of pull down reserve words, maybe a small hover description of when to use which, and then a box where you can enter the sites and so on and then permissions checkbox or pull down and then it will result in a rule that you can copy and paste into NS ABE. It's still on the drawing board (in my head) and waiting to see if this would be worth it or it will be obsolete by something Giorgio does. So when it's all said and done, I am sure we'll have something for creating those rules, done by somebody.
One vote here for you to share it when you have it developed if Giorgio's development plan includes contributions from power users. :-)
I'm seeing that a subscription to a service for ABE, that provides rule sets, new rules to cover new exploits, individual rule writing, UIs for such, etc etc would be really welcome to us non-tech users.
I'd pay for such a subscription very willingly.
It would be at least as useful as a subscription to a 'real time' (laughable description when none of them covers zero day stuff) AV definitions update service.
So something set at around AUD25/year would be excellent value from the user perspective.
I would expect support for broken sites, natch. One important broken site, say a banking one, can right now set me back around a couple of hours and although I don't command executive wages, the lost productivity does add up.
Yahoo users, of course, would have to fork out AUD100/year for support ;-)

I wonder if that's all too pie-in-the-sky?
GµårÐïåñ
Lieutenant Colonel
Posts: 3370
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Miscellaneous ABE comments

Post by GµårÐïåñ »

First my friend, you are all welcome to it if I make it, no strings. Second, I would never charge for my drop in a bucket contribution to Giorgio's countless hours of work. Finally, we will figure something out that will be good for everyone and level the playing field a bit. The tool I had in mind would actually put the control somewhat in the hands of the user (even the less experienced) to build their rules with a slightly more intuitive interface. But, ultimately as we build rules, we can open a specific thread where we have people submit their contributions, suggestions and as we vet them, we can put them on an official list maintained by someone here (I will volunteer gladly) and supervised by Giorgio to make sure it's optimized and we can have people download them as they are updated and import them. "MAYBE", just "MAYBE" in the future we will even work on a system of auto-import, auto-update against that list built in. Sort of like ABP filterlists, you know?
Nan M
Ambassador
Posts: 102
Joined: Thu Mar 19, 2009 12:44 pm

Re: Miscellaneous ABE comments

Post by Nan M »

GµårÐïåñ wrote: First my friend, you are all welcome to it if I make it, no strings. Second, I would never charge for my drop in a bucket contribution to Giorgio's countless hours of work. Finally, we will figure something out that will be good for everyone and level the playing field a bit. The tool I had in mind would actually put the control somewhat in the hands of the user (even the less experienced) to build their rules with a slightly more intuitive interface. But, ultimately as we build rules, we can open a specific thread where we have people submit their contributions, suggestions and as we vet them, we can put them on an official list maintained by someone here (I will volunteer gladly) and supervised by Giorgio to make sure it's optimized and we can have people download them as they are updated and import them. "MAYBE", just "MAYBE" in the future we will even work on a system of auto-import, auto-update against that list built in. Sort of like ABP filterlists, you know?
That's all good. None of which I would argue with. The community will make or break any new development that gives users more control of the web.

For clarification, I wasn't pressing you yourself to charge for a service. However, I am very enthusiastic about the whole ABE thing and looking way ahead for the protection of both absolute idiots who only understand the web via clicks, and us with not enough time. There is a place for a paid service in here, I'm sure. It can co-exist in the volunteer ecosystem. Not now, but over a few more hills.
GµårÐïåñ
Lieutenant Colonel
Posts: 3370
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Miscellaneous ABE comments

Post by GµårÐïåñ »

Yeah, it might be a good revenue stream for NS at some point in the future. They can build their own or pay to get the one that is maintained and certified by the supporters, dev and so on.