You need two to tango - host and browser- CSP!

Posted: Tue Jun 23, 2009 5:33 pm
by luntrus
Hi malware fighters,

Cross-site scripting (XSS) has for years been the number one exploit in websites, reason enough for the Mozilla Foundation to develop a technology to fight this problem. In recent months the open-source developer has been working on Content Security Policy (CSP), which lets websites tell a browser what content is legit to run and what content is not. The browser can then ignore all content that is not trusted or not supported by that particular website. Through CSP the owner of a website can set from which domains scripts are allowed to run. The browser for its part will only run those scripts that come from trusted websites, for which a white-list is kept.

To determine whether content is legit content or injected, adopted or obfuscated malcontent or suspicious content, CSP will demand that all JavaScript for a certain website is loaded from an external file from an appointed, trusted, white-listed host. This is going to mean that all inline script, JavaScript and event-handling HTML attributes will be ignored. Only scripts that have been inserted via a script tag and that link to a white-listed host will the browser execute. "We realize that this model is completely different from the present free model for the web", according to Brandon Sterne, Mozilla's Security Program Manager. The developer wishes to roll out CSP in phases so it can be implemented fully later this year. luntrus already has the CSP extension running in his browser. Extension source: http://people.mozilla.org/~bsterne/cont ... policy.xpi

More difficult and much harder to perform.
According to Sterne XSS holes are really valuable assets for attackers and malcoders alike, and these exploits are shared over the Internet as soon as they are found up/come out. "Website owners and web admins now can sleep somewhat easier as they know the users of their particular websites are being protected, even if an XSS bug may slip through. CSP can be configured in such a way that it will inform the owners of websites when and if an attack is taking place." Further, even users of older browsers will benefit from implementing this policy. "The final outcome will be that it will be extremely difficult to run an XSS attack against a website that has implemented CSP. All known infection vectors for injecting malscripts will no longer function and this will make a successful attack a great deal more difficult to perform."

luntrus
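The policy model described in the post above (a per-site white-list of script hosts, inline script and event-handler attributes refused, and a report produced for the site owner when something is blocked) as an added example. This is not code from the original post, from Mozilla or from any browser; it is a miniature JavaScript evaluator for the script-src directive. The header syntax follows the later standardised Content-Security-Policy form rather than the 2009 X-Content-Security-Policy draft, the hostnames shop.example.com, cdn.example.net and evil.example.org are constructed, and port matching and scheme upgrades are deliberately not modelled. Note that the white-list is whatever the site operator wrote into the header: the evaluator trusts cdn.example.net only because the policy says so, which is the point therube raises later in the thread.

```javascript
// Added example: toy evaluator for the script-src part of a CSP header.
// Assumption: header syntax "directive src src; directive src", standardised form.

// Parse the header value into a Map of directive name -> array of source expressions.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does one source expression ('self', *, scheme://host, *.host) match a script URL?
// Simplification (assumption): ports are ignored, scheme must match exactly.
function sourceMatches(source, scriptUrl, pageUrl) {
  const script = new URL(scriptUrl);
  const page = new URL(pageUrl);
  if (source === "'self'") return script.origin === page.origin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline' etc. never match a URL
  if (source === "*") return true;

  let scheme = page.protocol.replace(":", "");
  let hostPart = source;
  const split = source.indexOf("://");
  if (split !== -1) {
    scheme = source.slice(0, split).toLowerCase();
    hostPart = source.slice(split + 3);
  }
  hostPart = hostPart.split(":")[0].toLowerCase(); // drop any explicit port
  if (scheme !== script.protocol.replace(":", "")) return false;

  const host = script.hostname.toLowerCase();
  if (hostPart.startsWith("*.")) {
    const suffix = hostPart.slice(1); // ".example.net"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return host === hostPart;
}

// Decide whether one script (external src, or inline) may run under the policy.
// Returns { allowed, report }; report mimics the fields of a CSP violation report.
function checkScript(policy, pageUrl, { src = null, inline = false }) {
  const sources = policy.get("script-src") ?? policy.get("default-src");
  if (!sources) return { allowed: true, report: null }; // no directive: no restriction

  const allowed = inline
    ? sources.includes("'unsafe-inline'") // inline script runs only if explicitly allowed
    : sources.some((s) => sourceMatches(s, src, pageUrl));
  if (allowed) return { allowed: true, report: null };

  return {
    allowed: false,
    report: {
      "document-uri": pageUrl,
      "violated-directive": "script-src",
      "blocked-uri": inline ? "inline" : src,
      "report-uri": (policy.get("report-uri") ?? [null])[0], // where the browser would POST it
    },
  };
}

// Constructed sample policy and page; the site chose this white-list, not the user.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.net; report-uri /csp-report";
const PAGE_URL = "https://shop.example.com/checkout";

function demo() {
  const policy = parsePolicy(SAMPLE_POLICY);
  return [
    checkScript(policy, PAGE_URL, { src: "https://shop.example.com/app.js" }), // same origin
    checkScript(policy, PAGE_URL, { src: "https://cdn.example.net/lib.js" }), // white-listed host
    checkScript(policy, PAGE_URL, { src: "https://evil.example.org/x.js" }), // not on the list
    checkScript(policy, PAGE_URL, { inline: true }), // injected inline script
  ];
}

for (const r of demo()) console.log(r.allowed ? "allowed" : "blocked", r.report ?? "");
```

The first two loads are allowed, the third and the inline script are blocked and each produces a report naming the offending source and the report-uri the policy configured, which is the "inform the owners" behaviour the post mentions.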

Re: You need two to tango - host and browser- CSP!

Posted: Tue Jun 23, 2009 5:55 pm
by therube

Re: You need two to tango - host and browser- CSP!

Posted: Wed Jun 24, 2009 1:59 am
by Tom T.
luntrus, this sounds like an excellent concept. Thanks for sharing it here. I have a concern and a question:

1) It seems most web site developers know nothing about security, or don't care, or don't care to spend the time and money to implement secure coding. We see that repeatedly here, where OP says, "foobar.com is triggering NS alerts", and Giorgio replies that foobar.com is poorly coded, doesn't conform to standards, etc. From what I understand of your post and therube's link, this feature is useless if web site admins don't apply it, correct?
This document proposes a mechanism that enables websites to define Content Security Policy
(emphasis mine)

What percentage do you think will bother? Do you remember the IE8 "XSS protection" (or was it clickjacking -- memory is feeble) that required sites to add a line of MS-specified code to help alert IE8 to the issue? I'll bet not 1% did. Large sites like Facebook, Twitter, MySpace, and even Google have had XSS holes, so why would they be any more vigilant in implementing this? They *should*, of course, but I'm not counting on web sites for my security and trust.

2) I'm in favor of adding every layer of security reasonably possible, but is a site secured in this manner any safer to me, when I am running NS in full lockdown mode and allowing only very trusted sites and scripting sources? Do NS XSS, ClearClick, and other features not give the user the same protection?

It takes two to tango, but all of us are tangoing with thousands of unreliable partners, many of them infected (hahaha!). Of course, I'd love to see more server-side security, but since I can't control that, I'm operating on the assumption that it's my task to secure my browser, regardless of what the web sites do (and I don't expect many of them to do this.)

Your thoughts?

Re: You need two to tango - host and browser- CSP!

Posted: Wed Jun 24, 2009 6:51 pm
by luntrus
Hi Tom T.,

Well, there certainly is a long way to go if webmasters and site admins are to implement it on a grand scale for Mozilla and IE8, because the initiators reckon that every website developer is going to implement this at the end of the day. It is not clear whether this scheme will get enough momentum for us to see it in our lifetime, but the situation on the net with malicious and infecting websites is getting worse and worse - where massive infections of "run of the mill reputable trusted" websites are victims ("gumblar", "beladen" and recently "Nine-ball" attacks are proof of that growing danger). We know that the community is very slow to react after a threat has become imminent, and before the water has risen to the web admins' and web hosters' lips it takes an average of some 8 years from appearance of the threat in the wild until schemes of actively coding against it are generally adopted. In these respects users and webmasters are very similar "animals": the one party does not update, patch or SafeHex and likes to use everything a la default out of the box with full admin rights; the other club does not like to upgrade and patch software, likes functionality over security, and would rather forget about vulnerability scanning of the software and website code they use.

If you believe in CSP working an overnight miracle, you'd probably rather bet on the miracles of Father XMas; better expect a Rip van Winkle reaction. Well, you know who is going to use it in the end: the same bunch of people, and probably the majority of the security-aware users that use NS and RP anyway (I already have CSP in the browser for when it is there at the end of the year).
If all the sites that do not have it were blacklisted by every browser or link scanner, or you got a security alert page a la WOT, that is a tactic that could help bring it in. Because we are swimming against the tide here: half of PC users in the USA no longer own their PC but work it on behalf of a bot herder for whatever malvertising purpose or for whatever a malcreant wants to use the zombie for.

So we have a lot of education to do, and then again a lot of users are beyond our reach, either because they never learned to code with security in mind, they do not know the basics of keeping their computers free of malcode, or because they know even less, cannot be bothered even and only know how to click - the main rule being "one could right click, left click and click it away" - and if the machine gets really slow or does not seem to function anymore, you dump it and go buy a later and larger model; and I know parties that are not all too eager to change the existing situation.
And there are already, because that is fun, people contemplating ways around CSP: http://www.thespanner.co.uk/2009/06/23/ ... ty-policy/

luntrus

Re: You need two to tango - host and browser- CSP!

Posted: Thu Jun 25, 2009 1:32 am
by Tom T.
Hi luntrus,

Well, I think you've proven my point: Great concept, but most sites won't implement it (or implement it properly), and by the time they do 8 years from now, it will be obsolete, and besides, it's already broken.

Don't get me wrong, I love hearing about any attempt to make the Web safer, and appreciate when you share these things with us. But I'm still assuming that I alone must provide protection for my browser and machine, and not trust any website developer or admin to do that for me.

Regards,
Tom

Re: You need two to tango - host and browser- CSP!

Posted: Thu Jun 25, 2009 1:53 pm
by luntrus
Hi Tom T.,

You are right in your conclusion; as far as I can see it the World Wide Web is going to be dangerous in certain places for a long, long time to come, and we should all use SafeHex and close the vulnerability gap ourselves. NS and RP will help us in the near future, as will educating each other as to what measures to take. I wish you to stay safe and secure online,

Receive virtual regards from,

luntrus

Re: You need two to tango - host and browser- CSP!

Posted: Fri Jun 26, 2009 1:22 am
by therube
So instead of granting trust to sites that we want to trust, we are turning over that trust to some website that we are then depending on to be trustworthy?

So we "trust" Google. And Google has this CSP setup, so we inherently trust whatever they have in their CSP.

But with ABE, we need only trust certain parts of Google, or in relation to certain other domains.

So we do not have to "trust" Google, but we can grant it trust as we want & on an as needed basis.

Is that what the deal is?

We go to mr.porn.com or mr.warez.com & while we might not like it, for whatever reason, we have to Allow JavaScript (say so a Flash movie will play). Now mr.porn.com has a CSP which "trusts" malwaresite1 & malwaresite2 & adsite1 & adsite2 ...

Re: You need two to tango - host and browser- CSP!

Posted: Fri Jun 26, 2009 5:14 am
by Tom T.
@therube: Pretty much my point, taken a bit farther: We already know that we can't trust the "trustworthy" sites, and so need to keep that control in our own hands (so to speak). Of course, you'll never turn over any control to a site operated by some unknown entity. But you make a good additional point: the danger of giving users a false sense of security.

"Hi, welcome to pornwarez.com. We have implemented CSP, so you can disable all those silly, inconvenient "safety" tools in your browser."
Yeah, right. :evil:

"Only *you* can prevent forest fires". (are you old enough to remember Smokey the Bear's slogan?)
"Only *you* can prevent being infected by a site that's been XSS'd, by employing NS XSS protection". etc.

False sense of security is worse than no security.

Re: You need two to tango - host and browser- CSP!

Posted: Fri Jun 26, 2009 8:29 am
by seleko
what happened to CAPS?

Re: You need two to tango - host and browser- CSP!

Posted: Fri Jun 26, 2009 11:34 am
by luntrus
Hi seleko,

I think we are on the brink of getting "off topic" here, because CAPS is just browser related, and CSP is a server-browser related security policy. Then, for CAPS to be performed in a decent manner, the user must be script savvy and know how to handle the subtleties of the browser configuration, again very tweakable and fine-tunable to your every security need, but not the kettle of fish for the average user. It is the same as with the malware expert that knows how to SafeHex his or her Operating System and then "could" do without a resident AV solution; it is for the happy few, because the average user will still need AV and a FW and additional anti-spyware. The user that knows how to make his browser secure and knows how to secure his OS (drop your admin rights fully) is in a completely different position than the average user that does not even know how to perform this and why he/she/it should do it. If everybody would apply SafeHex, use CAPS, NS and RP etc., not 50% of American users, for example, would be behind a computer they virtually do not own and be part of a botherder's botnet-ring dominion to serve the needs of cybercrime or adclick & Co. That is the situation we have. Try to change it, but whether you will get results remains to be seen. And there I agree with the others that say to change the security situation you have to start to change it yourself, and to learn to do that and get instructions from those that come to visit here. Again thanks to Mr. Giorgio Maone for giving us the possibilities to come to such a very security-educational site. I already learned a lot here, also thanks to all the others that post here,

with virtual regards,

luntrus

Re: You need two to tango - host and browser- CSP!

Posted: Fri Jun 26, 2009 12:22 pm
by seleko
I don't think CSP is salvation in the form it's planned to be realised.
With CAPS it could have been made decades ago. Nothing else.

If we had a GUI for CAPS, more ppl around could use it w/o damage to 'emselves. :D

Re: You need two to tango - host and browser- CSP!

Posted: Mon Jun 29, 2009 4:05 am
by seleko
I was told in the ABE thread that CAPS is gone for performance reasons.
RIP