
The full article is being commented on Slashdot right now.
> One noted* add-on maker applauded the optional request for money. "Mozilla is giving developers a way to better communicate with their users about the costs of maintaining the code, about their future goals and about the ways to contribute (financially, too) for people who find the development roadmap interesting," said Giorgio Maone, the creator of the popular NoScript extension. Maone has long solicited donations for NoScript on his own Web site.
*my emphasis
The best thing is that they're trying to...
> Developers can use PayPal's micropayment fee offering to reduce the transaction fees for contributions under $12. "After looking at our requirements for trust, security, international currencies, and ease of integration, PayPal was the [best] partner that met our needs for this pilot," said Nguyen.
One more big boost for Ppal's cornering the web payment market there Mozilla. Will you scream when Ppl starts squeezing the pips once its monopoly is secured with those loss-leading discount setups?
> Grumpy Old Lady wrote: ...
> One more big boost for Ppal's cornering the web payment market there Mozilla. Will you scream when Ppl starts squeezing the pips once its monopoly is secured with those loss-leading discount setups?...
There's a sticky thread right below this one that tells how those with a US bank account can bypass the PayPig. Perhaps it might be possible for Giorgio to find trusted users in the UK, Asia, and Australia who could do him the same service.
> RSnake wrote: Jeremiah brought my attention to the new Firefox 3.5+ CORS (Cross-Origin Resource Sharing) which is a way to do a cross domain XMLHTTPRequest. ... <snip> ... and as a result you can enumerate a substantial amount of internal address space behind the victim’s firewall and relatively quickly. I created a demo here (works only in Firefox 3.5+ and you must enable JavaScript globally for this to work). It won’t work if you just whitelist ha.ckers.org you have to globally allow JavaScript if you use Noscript for the demo to work - and you must disable ABE in Noscript as well.
Is this the first ABE sighting, at least among the world-class hacker community (excluding Giorgio himself and his good friend Sirdarckcat, of course)?
> I should note that there is an IE8.0 version of Firefox’s XMLHTTPRequest called XDomainRequest, but I didn’t have much time this weekend to try to get it working in both browsers so I have no idea if it has the same issue or not.
Whereupon a commenter produced a POC for IE8.
> Incidentally, Jeremiah and I both gave the thumbs up to the idea of a cross domain XHR several years ago when the Mozilla team first asked us about the concept. Because there are so many other things wrong with the browser Jeremiah and I told them that it wouldn’t change much - the browser is already so broken from a security perspective that it really didn’t matter - a sad commentary thinking back. Of course, it really is all about the implementation.
The last sentence says it all, certainly, but is he referring only to F3.5+, F3+, or all Fx about "being so broken from a security perspective"?
> Tom T. wrote: The last sentence says it all, certainly, but is he referring only to F3.5+, F3+, or all Fx about "being so broken from a security perspective"?
He means "the browser", as in "the browser concept" or "every web browser, no matter the vendor" (without NoScript, that is)
> Tom T. wrote: It doesn't sound like this "feature" was such a good thing to introduce, in the long run.
In fact, you can still disable it by setting the noscript.forbidXHR about:config preference to 2.
> Giorgio Maone wrote: In fact, you can still disable it by setting the noscript.forbidXHR about:config preference to 2.
Done on this portable test version, thanks.
http://noscript.net/changelog#1.4.9.4
v 1.4.9.4
=====================================================================
+ Added client-side policy control for new Firefox 3 cross-site XHR,
  configurable via noscript.forbidXHR about:config preference:
    0 - Allow any XHR
    1 - Allow cross-site XHR across trusted sites only (default)
    2 - Allow same-site XHR only (like Firefox 2)
    3 - Forbid all XHR
> Tom T. wrote: Curious: On my F2.20, the default is "1". So on F2, 1= same site only?
Yes. Gecko 1.8.x has no cross-site XMLHttpRequest for content.
> Tom T. wrote: And from RSnake's article, I got the impression that only F3.5+ had this cross-domain capability anyway.
It was introduced in a 3.0 beta, then removed for security concerns in 3.0 stable.
> Tom T. wrote: Conclusion: (RSnake)
>> Incidentally, Jeremiah and I both gave the thumbs up to the idea of a cross domain XHR several years ago when the Mozilla team first asked us about the concept. Because there are so many other things wrong with the browser Jeremiah and I told them that it wouldn’t change much - the browser is already so broken from a security perspective that it really didn’t matter - a sad commentary thinking back. Of course, it really is all about the implementation.
> The last sentence says it all, certainly, but is he referring only to F3.5+, F3+, or all Fx about "being so broken from a security perspective"?
> It doesn't sound like this "feature" was such a good thing to introduce, in the long run.
I agree that this remark by RSnake is disturbing, indeed. And he's a guy who usually knows what he's talking about. Nevertheless, is this only a remark by a "rejected lover"
> tlu wrote: I agree that this remark by RSnake is disturbing, indeed. And he's a guy who usually knows what he's talking about. Nevertheless, is this only a remark by a "rejected lover" or has FF really fallen behind other browsers security-wise? And are extensions like Noscript, Refcontrol, Requestpolicy etc. enough to fix these holes, or is a complete overhaul of FF necessary?
> I'm a loyal Mozilla supporter, but if someone like RSnake is making such a comment I'm beginning to wonder ...
RSnake is a loyal user of NoScript, and has said so many times -- hardly a rejected lover. Giorgio and RSnake communicate with each other, to mutual benefit. Notice that he almost assumes that the user is using NoScript if you read the actual article. And that even if you allowed scripting globally, his attack would still be defeated by ABE.
> Tom T. wrote: The last sentence says it all, certainly, but is he referring only to F3.5+, F3+, or all Fx about "being so broken from a security perspective"?
Giorgio replied,
> He means "the browser", as in "the browser concept" or "every web browser, no matter the vendor" (without NoScript, that is)
Truer words were never spoken. *Nothing in life* is 100%, but with NoScript and the other addons you mentioned, plus perhaps ad-blocking sw, and good AV, you've got what is undoubtedly the safest browser publicly available. IE has no defense, AFAIK, to RS's POC. It's a ringing endorsement of NS and ABE by RSnake -- his attack fails if they're present, and succeeds in their absence. You can't get a better endorsement than that.
> Tom T. wrote: RSnake is a loyal user of NoScript, and has said so many times -- hardly a rejected lover.
Tom, I know that. I wasn't referring to RSnake's opinion about NS but rather about the security concept of FF in general.
> Giorgio and RSnake communicate with each other, to mutual benefit. Notice that he almost assumes that the user is using NoScript if you read the actual article. And that even if you allowed scripting globally, his attack would still be defeated by ABE.
True. But again: If he says that "the browser is already so broken from a security perspective that it really didn’t matter" this suggests that he regards the security concept of FF as fundamentally broken (and not only with regards to the XHR issue). And while I whole-heartedly agree that NS is an absolute must, I also think that the browser itself should be as safe as possible without the need to add various extensions to fix its flaws.
> tlu wrote: this suggests that he regards the security concept of FF as fundamentally broken.
Nope, he's not singling out Firefox at all, and BTW there's nothing like a "security concept of Firefox".
> Giorgio Maone wrote:
>> tlu wrote: this suggests that he regards the security concept of FF as fundamentally broken.
> Nope, he's not singling out Firefox at all,
Hm, he specifically mentioned the Mozilla Team so I guess with "browser" one sentence later he was certainly not talking about IE ...
> What he's trying to say is that the web (and the browsers, all the browsers none excluded by reflex) is fundamentally broken from a security standpoint.
> Firefox, at least, provides some work-around for this breakage (e.g. NoScript) and is trying to build a slightly less broken web through experimental proposals like CSP.
Agreed. But let's face it: We - the NS users - are only a small minority. Most FF users don't know anything about NS. The question remains why its security features have not been implemented in the browser itself. That's good for you, of course