RFE: Site PINNED Accept from PINNED Deny capability

Discussions about the Application Boundaries Enforcer (ABE) module
dontbuttfeedmebro

RFE: Site PINNED Accept from PINNED Deny capability

Post by dontbuttfeedmebro »

Is an opportunity to reduce CSRF coming with Firefox implementing Public Key Pinning? Major social media sites and other major sites relying on user identity are migrating from http to https and their known-good certificate authorities are being specified; i.e., pinned.

For Public Key Pinned internet web resources, it would be nice if NoScript’s ABE module could supplement CSRF prevention techniques with a built-in simple rule, such as or similar to:

# Prevent most internet sites from forging user requests to Public Key Pinned resources.
Site PINNED
Accept from PINNED
Deny
Thrawn
Master Bug Buster

Re: RFE: Site PINNED Accept from PINNED Deny capability

Post by Thrawn »

But what if an attacker chooses to pin their own site?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
dontbuttfeedmebro

Re: RFE: Site PINNED Accept from PINNED Deny capability

Post by dontbuttfeedmebro »

In the narrow case where a CSRF attack comes from a location that doesn’t violate the relevant Public Key Pinning Rules within Firefox and ABE’s prospective dealing with them for a targeted website (and Mozilla hasn't revoked/expired the attack Pin), such a ‘Site PINNED’ ABE rule would not block the attack; i.e., would not add a layer to the relevant anti-CSRF arsenal.

Nevertheless, such a ‘Site PINNED’ ABE rule could from the client-side substantially help NoScript users in reducing the possible CSRF attack surface for major social media, major email and other major sites that rely on self-identified users.

Somewhat similarly, the existing ‘Site LOCAL Accept from LOCAL Deny’ rule, in blocking LAN attacks from the Internet, has value, despite the fact that blocking LAN attacks from the LAN requires other security methods and techniques.
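The following is an added example, not NoScript's or ABE's own code, written to make the rule proposed in the first post and the objection raised by Thrawn concrete. It is a toy model: it parses the three-line "Site PINNED / Accept from PINNED / Deny" rule text in ABE's directive style and evaluates (origin, destination) request pairs against it. The PINNED class is the hypothetical one requested in the thread, the set of pinned hosts is constructed rather than taken from any real pin list, and the evaluation semantics (first matching Site block wins, first matching action within it wins, requests matching no rule are accepted) are assumptions that simplify real ABE behaviour. The last case shows the gap Thrawn points out: once an attacker's own origin satisfies PINNED, the rule no longer blocks it, so the rule reduces but does not remove the CSRF surface.

```python
# Added example (not NoScript/ABE code): toy evaluator for an ABE-style
# "Site PINNED / Accept from PINNED / Deny" rule against cross-site requests.
from urllib.parse import urlparse


def is_pinned(url: str, pinned_hosts: set) -> bool:
    """Stand-in for 'does Firefox hold a key pin for this host'.

    A real check would consult the browser's pin store; here PINNED is just
    'served over https and present in the constructed pinned_hosts set'.
    """
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in pinned_hosts


def parse_rule(text: str) -> list:
    """Parse a minimal ABE-style rule set.

    Supported directives (a subset of ABE's syntax):
      Site <class>          starts a block matching the request destination
      Accept from <class>   action applied when the origin matches <class>
      Deny from <class>     likewise, but denies
      Accept / Deny         bare form, matches any origin
    '#' starts a comment, as in ABE rule files.
    """
    rules = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "Site":
            current = {"site": parts[1], "actions": []}
            rules.append(current)
        elif current is None:
            raise ValueError("action before any Site directive: " + line)
        elif parts[0] in ("Accept", "Deny"):
            origin_cls = parts[2] if len(parts) >= 3 and parts[1] == "from" else "ANY"
            current["actions"].append((parts[0], origin_cls))
        else:
            raise ValueError("unknown directive: " + line)
    return rules


def matches_class(cls: str, url: str, pinned_hosts: set) -> bool:
    """Does url fall into the named class? Only ANY, PINNED and literal hosts here."""
    if cls == "ANY":
        return True
    if cls == "PINNED":
        return is_pinned(url, pinned_hosts)
    return urlparse(url).hostname == cls


def evaluate(rules: list, origin: str, dest: str, pinned_hosts: set) -> str:
    """Return 'Accept' or 'Deny' for a request from origin to dest.

    Assumed semantics: first Site block matching the destination wins, then the
    first action whose origin class matches; no match at all means Accept.
    """
    for rule in rules:
        if not matches_class(rule["site"], dest, pinned_hosts):
            continue
        for action, origin_cls in rule["actions"]:
            if matches_class(origin_cls, origin, pinned_hosts):
                return action
    return "Accept"


# The rule text exactly as proposed in the thread's first post.
RULE = """
# Prevent most internet sites from forging user requests to Public Key Pinned resources.
Site PINNED
Accept from PINNED
Deny
"""


def demo() -> dict:
    rules = parse_rule(RULE)
    pinned = {"social.example", "mail.example"}  # constructed pin list
    results = {
        # ordinary unpinned site sending a request to a pinned site: blocked
        "unpinned->pinned": evaluate(rules, "http://blog.example/", "https://social.example/post", pinned),
        # pinned site to pinned site: allowed
        "pinned->pinned": evaluate(rules, "https://mail.example/", "https://social.example/post", pinned),
        # destination is not pinned, so the Site PINNED block never applies
        "any->unpinned": evaluate(rules, "http://blog.example/", "https://wiki.example/edit", pinned),
    }
    # Thrawn's objection: an attacker who pins their own site now satisfies
    # PINNED as an origin, and the rule lets the request through.
    results["pinned-attacker->pinned"] = evaluate(
        rules, "https://attacker.example/", "https://social.example/post",
        pinned | {"attacker.example"})
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

The three Deny/Accept outcomes on the constructed pin list are what the RFE is after; the fourth line is the residual risk both posters acknowledge, which is why the rule is best read as narrowing the CSRF attack surface rather than closing it.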