Do these ABE rules increase security?


Re: Do these ABE rules increase security?

by barbaz » Sun Jul 12, 2015 2:27 pm

yes_noscript wrote:
So let's get back to my first question :D
Do the scripts from RobertDrew increase the security or will they break a lot of sites, like the "maximum security" rules?

Oh, sorry for misunderstanding

They are not intended as actual rules (and won't work in ABE atm because the 'parent' keyword doesn't exist), just examples so that we could see how the syntax he/she is proposing would look. However, if that syntax gets implemented, those rules would increase security when you are logged in to a sensitive service; otherwise, it's not likely to matter.

Re: Do these ABE rules increase security?

by yes_noscript » Sun Jul 12, 2015 9:11 am

Okay. Good to know.

So let's get back to my first question :D
Do the scripts from RobertDrew increase the security or will they break a lot of sites, like the "maximum security" rules?

Re: Do these ABE rules increase security?

by barbaz » Sat Jul 11, 2015 12:39 am

yes_noscript wrote:
My bank site works perfectly with those rules. Would "Self++" increase the security more than "Self"?

No, that would decrease security (but I don't know if it'd make much of a difference in practice), so since your bank site works with your rules as is, leave it as SELF.

Re: Do these ABE rules increase security?

by yes_noscript » Fri Jul 10, 2015 10:46 pm

Thanks for your post!

Okay, I remove the "maximum security" rules. Yes, a lot of websites didn't work then so good :mrgreen:

My bank site works perfectly with those rules. Would "Self++" increase the security more than "Self"?

Okay with Google rules. I only use Youtube and many sites use captchas, also I like privacy.

Re: ABE should be able to compare against parent (bug? RFE?)

by barbaz » Fri Jul 10, 2015 6:30 pm

@yes_noscript: Please use code tags instead of quote tags in the future for posting things like that, because the board will linkify things incorrectly otherwise and it's easier to read as code tags (which use monospace font) in these cases anyway (especially if there's a lot of code, where it'd be a big wall of text otherwise).
Also, your post is off-topic so I'm splitting it to its own thread.

Anyway, my comments on your ABE rules with regard to security. The rules I didn't comment on, I think will help your security somehow.

Your "maximum security" rules are just going to break everything that requires any kind of 3rd-party script (or even 3rd-party redirection), and you will probably find yourself editing that all the time to add exceptions. But hey, to each their own - if you want to do that, by all means go for it. ;)
(I don't think they'll add anything to security over NoScript's script blocking.)

Code:

# prevent CSRF
Site *mybanksite*
Accept from SELF
Deny

# prevent insecure resources
Site ^http://.*
Deny from *mybanksite*

Your bank site doesn't have multiple subdomains that are sensitive that need to talk to each other?
I would have thought that you would need SELF++ and maybe another associated site, but if this really works for you, then you can congratulate your bank site's webmasters for good site design.

Code:

# Allow all Google recaptcha and Maps, but sandbox all www.google.com.*
Site ^https?://www\.google\.com/recaptcha/*
Accept
Site ^https?://www\.google\.com/*
Sandbox

Site .youtube.com .ytimg.com .googlevideo.com
Anonymize

Barring Google getting hacked, these do absolutely nothing for security, however they can help protect your privacy.
If Google gets hacked only the first will help you (and only maybe at that, depending on the hack).
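
An added example, not part of the original posts and not NoScript's own code: a simplified Python model of how the bank rule above decides a request under SELF versus SELF++. It assumes SELF means same scheme, host and port and SELF++ means same base domain (approximated as the last two host labels); the hostnames are constructed.

```python
import fnmatch
from urllib.parse import urlsplit

def site(url):
    # Assumption: SELF compares scheme, host and port of origin and destination.
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or {"http": 80, "https": 443}.get(u.scheme))

def base_domain(url):
    # Naive base domain (last two labels); real code needs the Public Suffix List.
    return ".".join(urlsplit(url).hostname.split(".")[-2:])

def origin_matches(keyword, origin, dest):
    if keyword == "SELF":
        return site(origin) == site(dest)
    if keyword == "SELF++":
        return base_domain(origin) == base_domain(dest)
    raise ValueError("unsupported origin keyword: " + keyword)

def evaluate(rules, origin, dest):
    """Return the action of the first matching predicate, or None if no rule applies.
    Only glob Site patterns and the SELF / SELF++ origin keywords are modelled."""
    applies = False
    for raw in rules.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Site "):
            applies = any(fnmatch.fnmatch(dest, p) for p in line.split()[1:])
        elif applies:
            action, _, frm = line.partition(" from ")
            if not frm or origin_matches(frm.strip(), origin, dest):
                return action.strip()
    return None

# The bank rule from the thread, and the SELF++ variant that was asked about.
BANK_SELF = "# prevent CSRF\nSite *mybanksite*\nAccept from SELF\nDeny\n"
BANK_SELFPP = BANK_SELF.replace("from SELF", "from SELF++")

# Constructed hostnames for illustration.
DEST = "https://www.mybanksite.example/transfer"
ORIGINS = [
    "https://www.mybanksite.example/account",   # same site
    "https://forum.mybanksite.example/thread",  # sibling subdomain
    "https://attacker.example/page",            # unrelated site
]

if __name__ == "__main__":
    for o in ORIGINS:
        print(o, evaluate(BANK_SELF, o, DEST), evaluate(BANK_SELFPP, o, DEST))
```

Only the sibling-subdomain origin differs between the two variants: SELF denies it and SELF++ accepts it, so SELF++ is the looser setting and is needed only when the bank's own subdomains must send requests to each other.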

Do these ABE rules increase security?

by yes_noscript » Fri Jul 10, 2015 4:44 pm

[ split from viewtopic.php?f=10&t=20993 - barbaz ]

I'm an ABE noob, so I ask myself: do the ABE rules posted above increase the security?
I actually use this (found on the forum):
systemrules:
# maximum security 2/2
Site *
Accept from SELF++
Sandbox

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

userrules:
# prevent CSRF
Site *mybanksite*
Accept from SELF
Deny

# prevent insecure resources
Site ^http://.*
Deny from *mybanksite*

# maximum security 1/2
Site *
Accept from SELF++
Anon

# against router NAT pinning
Site ^https?://[^/]+:[0-35-7]
Deny

# Allow all Google recaptcha and Maps, but sandbox all www.google.com.*
Site ^https?://www\.google\.com/recaptcha/*
Accept
Site ^https?://www\.google\.com/*
Sandbox

Site .youtube.com .ytimg.com .googlevideo.com
Anonymize
