Years ago, probably back in 2010 (yes it's amazing how long NoScript has been around), I once found a free PDF of matrix math tutorials and it had an associated blog at matrixcookbook.com. You can see the old version at https://web.archive.org/web/20110430075 ... kbook.com/
So of course I probably added that domain into NoScript as trusted.
Aaand then I forgot all about it for 10 years.
So today I'm going through my bloated NoScript trusted sites list out of idle curiosity, wondering what I can cut out.
What is matrixcookbook?? I don't remember anything about it. Just type it into the address bar and see what happens.
Then the browser seems to want to redirect to some other site on "tncrun.net", which seems strange so I look for other references to that domain.
It turns out it has been used recently as a host of malware and injected code for web skimmers that steal CC info from shopping carts. Nice!
So the problem generally is domains that are initially trusted then later lapse into disuse and get taken over by scammers who in principle may be able to exploit that trust.
The cause of the problem is that we trust names (words on the screen) which are tradable commodities, and don't trust the actual TLS certificate chains and fingerprints which should be destroyed or kept secret after domains lapse or get sold.
Two possible solutions which could perhaps be implemented by NoScript:
- The Trusted Fingerprint Method: Adding an HTTPS site to the trusted list should record the fingerprint of the certificate and trust that, so if the certificate presented by the web site ever changes, NoScript will not trust it until you affirm trust on the new fingerprint. Maybe some WHOIS domainkey signature could be done on plain http or ftp domains, but I don't know if there is any reliable analogy with non-HTTPS URLs. This check would be done the first time each day that a domain is accessed by the browser.
- The Background Check method: NoScript could store a "last checked date" for each trusted URL, then each day NoScript could check the oldest 1% of the trusted sites to see if their WHOIS domain owner has changed, and remove the domain from the trusted list if it has changed. That way you limit the time in which a domain trust exploit can happen to 100 days.
What do users and developers of NoScript think about this problem and possible solutions?
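
The two proposals above, modelled as an added example that is not part of the original post and is not NoScript code: a trust list that pins a certificate fingerprint per host and audits the oldest 1% of entries each day. `TrustStore`, `dailyAudit`, `demo`, the injected `lookupOwner` function standing in for a WHOIS query, and the sample hosts and certificate bytes are all constructed for illustration.

```javascript
// Added illustration, not NoScript code; every name here is hypothetical.
const { createHash } = require('crypto');

// SHA-256 fingerprint (hex) of a certificate's DER bytes.
const fingerprint = der => createHash('sha256').update(der).digest('hex');

class TrustStore {
  constructor() { this.sites = new Map(); } // host -> { pin, owner, lastChecked }

  // User marks a site trusted (or re-affirms it): pin the current certificate.
  trust(host, certDer, owner, today) {
    this.sites.set(host, { pin: fingerprint(certDer), owner, lastChecked: today });
  }

  // Trusted Fingerprint Method: 'trusted' only while the pinned cert is presented.
  check(host, certDer) {
    const entry = this.sites.get(host);
    if (!entry) return 'untrusted';
    return fingerprint(certDer) === entry.pin ? 'trusted' : 'reaffirm';
  }

  // Background Check method: audit the oldest 1% (at least one entry) per day.
  // lookupOwner stands in for a WHOIS query and is injected by the caller.
  dailyAudit(today, lookupOwner) {
    const batch = Math.max(1, Math.ceil(this.sites.size / 100));
    const oldest = [...this.sites]
      .sort((a, b) => a[1].lastChecked - b[1].lastChecked)
      .slice(0, batch);
    const removed = [];
    for (const [host, entry] of oldest) {
      if (lookupOwner(host) === entry.owner) entry.lastChecked = today;
      else { this.sites.delete(host); removed.push(host); }
    }
    return removed;
  }
}

// Constructed data: 200 trusted hosts; the one at changedIndex has a new owner.
function demo(changedIndex) {
  const store = new TrustStore();
  for (let i = 0; i < 200; i++)
    store.trust(`site${i}.example`, Buffer.from(`cert-${i}`), `owner-${i}`, 0);
  const whois = host => {
    const n = Number(host.match(/\d+/)[0]);
    return n === changedIndex ? 'new-owner' : `owner-${n}`;
  };
  let day = 0, removed = [];
  while (removed.length === 0) removed = store.dailyAudit(++day, whois);
  return { day, removed, store };
}
```

Pinning the whole certificate means every routine renewal returns `'reaffirm'`; pinning a hash of the public key instead would survive renewals that reuse the key, at the cost of not noticing a reissued certificate.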