Maximum security - do not depend on Javascript settings?

[pepak]

Hi!

Is it possible to somehow get a javascript whitelist in Firefox without having to enable Javascript globally first? NoScript comes very close to what I need, but its security model is unacceptable for me: First I have to enable javascript in Firefox (Tools -> Options -> Content -> Enable Javascript), then NoScript steps in and disables it for all sites, and after that I can whitelist particular sites. My issue with this approach is, if something*) prevents NoScript from running properly, all sites suddenly run with Javascript enabled due to that Firefox setting. What I would like to achieve is: If NoScript is running, it handles javascript permissions; in the other case, javascript is disabled for all sites without exception.

Can it be done with NoScript, or any other addon? Or any other browser for that matter? Opera can do it (but will soon stop being usable due to the move to the Blink core) and Internet Explorer can do it in a fashion (though it lacks many UI features of the other browsers).

*) For example, the NoScript files become damaged, or Firefox decides that NoScript is not compatible with it, some other addon interferes with NoScript, or worst of all, a malicious website finds a way to disable/crash NoScript. The attack vectors are many and varied and just the fact that there hasn't been a successful attack isn't enough to make my concerns go away.

Thanks.

[therube]

Don't recall how or if Content Security Policy works, or not, in conjunction with NoScript?

If it does, suppose you could take NoScript whitelist & set up corresponding rules using CSP.

So then if you removed NoScript, the CSP rules alone would take effect.

I would think the whole thing to be highly awkward & highly unusable.

[pepak]

It's an interesting feature, but I don't really see how it would achieve what I need. I will need to read it more carefully.

[Thrawn]

What interesting concerns you have! I doubt that there is a way for an untrusted website to disable NoScript, since it would be limited to serving up static pages and links, but let's see...

I would not recommend touching Content Security Policy if NoScript is installed. NoScript (partly) depends on CSP, and CSP was *not* designed to handle multiple clients. If you know what you're doing, you can manually edit CSP while using NoScript, but plain CSP is enough work without having to step carefully around conflicts.

You could try using the Tab Permissions addon to disable JavaScript by default on all tabs, and only enable it on tabs where you want NoScript to handle permissions. This is probably more restrictive than you really want, but clearly you want maximum security.

I really can't see a way for NoScript to fail-safe in this scenario. If Firefox disables JavaScript, I doubt that extensions are allowed to turn it back on - and if they did, it would probably remain on if/when such extensions crashed. Giorgio would know more.

Giorgio is pretty diligent about keeping NoScript up to date with new Firefox versions. I've yet to see a situation where NoScript was too old for the newest Firefox. As for NoScript files becoming damaged - yes, profiles can become corrupted, but why not also worry about your configuration file becoming corrupted, which might override your built-in JavaScript settings anyway?

I realise that the absence of a direct attack on NoScript is not proof that it can't happen, but how likely is it, really? Have you researched it?

[pepak]

What interesting concerns you have! I doubt that there is a way for an untrusted website to disable NoScript, since it would be limited to serving up static pages and links, but let's see...

A website may or may not be able to disable NoScript through a bug in Firefox. It might crash NoScript through a bug in either Firefox or NoScript.

You could try using the Tab Permissions addon to disable JavaScript by default on all tabs, and only enable it on tabs where you want NoScript to handle permissions. This is probably more restrictive than you really want, but clearly you want maximum security.

I will research this option. If TabPermissions can work on a per-URL basis, it might be just what I need. Thanks for the suggestion.

I really can't see a way for NoScript to fail-safe in this scenario. If Firefox disables JavaScript, I doubt that extensions are allowed to turn it back on - and if they did, it would probably remain on if/when such extensions crashed. Giorgio would know more.

I was kind of hoping this is possible. It would require a support inside Firefox, but I think I recall there used to be such a functionality, in Firefox 2 or so.

I realise that the absence of a direct attack on NoScript is not proof that it can't happen, but how likely is it, really? Have you researched it?

Actually, quite likely. Javascript is by far the most common determining factor for successful exploits. I did a careful research a few years ago and about 85% of all exploits wouldn't work with JavaScript, with another 10% only working partially. I didn't check for precise percentages lately, but random samplings of current exploits didn't increase my confidence in JavaScript. Now remember, Javascript has been used for about 20 years. In all this time, no browser managed to protect itself or the underlying operating system from javascript-based or javascript-enabled exploits. Why should I trust that the browsers are better able to protect their extensions, and why should I trust that the NoScript developers managed it?

[therube]

> I doubt that there is a way for an untrusted website to disable NoScript

I would be more concerned about other extensions, or plugins.
Or general system malware.

That is certainly feasible.

> If Firefox disables JavaScript, I doubt that extensions are allowed to turn it back on

Not sure what you mean?
FF disabling JavaScript? Or the user disabling JavaScript in FF?
And why wouldn't an extension be able to then re-enable it?


I'll note that JavaScript must be enabled for NoScript to work.
There was a situation, that I don't really recall, but something along the lines of ... if JavaScript is disabled, then you go & install NoScript, NoScript at that point enables JavaScript. To me it's not really a big deal even if I feel that behavior is wrong.

[Thrawn]

Javascript is by far the most common determining factor for successful exploits. I did a careful research a few years ago and about 85% of all exploits wouldn't work with JavaScript, with another 10% only working partially. I didn't check for precise percentages lately, but random samplings of current exploits didn't increase my confidence in JavaScript. Now remember, Javascript has been used for about 20 years. In all this time, no browser managed to protect itself or the underlying operating system from javascript-based or javascript-enabled exploits.

But that's the whole point. An untrusted website won't be able to attack NoScript, because it won't be able to run any JavaScript at all. All it can serve up is a static HTML page.

Don't confuse "JavaScript sandbox has holes that no-one has managed to close" with "Nothing can stop JavaScript from running". NoScript can and does reliably prevent JavaScript from running at all. After all, JavaScript only runs if your browser chooses to run it, and NoScript is sitting inside your browser where it can control things.

Look at it this way: No matter how good the cage, a wild creature inside *might* find a way to escape. But not if you shoot it dead. You can't reliably contain JavaScript, but you can reliably kill it.

[pepak]

NoScript can and does reliably prevent JavaScript from running at all.

I am sure it does, but this is only true as long as NoScript is running. If anything prevents NoScript from running or forces it to stop, then NoScript can't prevent any more javascripts from running. Which is why the dependence on Firefox's "Javascript enabled" is dangerous - if something kills NoScript, then all protection is lost and all scripts can run again.

Look at it this way: No matter how good the cage, a wild creature inside *might* find a way to escape. But not if you shoot it dead. You can't reliably contain JavaScript, but you can reliably kill it.

Which is exactly what I want to do. Kill it. Except if it happens to get trapped in the cage labeled "NoScript" and is green with red spots above eyes - then it can be left alive. But if someone steals the cage "NoScript" and the animals start wandering into the other cages, they should get killed immediately, even if they are green with red spots; it should not happen that someone decides that "there is no NoScript cage anymore, so all the rules are void and everything gets to live".

Basically, your approach is: "You don't need to use a firewall. You are behind a router which will stop anything coming your way." And I respond: "That's very nice, but what if something prevents the router from functioning properly? For example, an electrical surge resets its settings to the default state which happens to be 'allow everything in'. That's when I would appreciate firewall."

[pepak]

To improve on the cage analogy (excellent example, Thrawn!):

As I understand it, NoScript works like this: "Let's place a cage on the trail and see what wanders in. If it is a tiger, let it go, otherwise kill it."

What I want to achieve is this: "Let's place a cage on the trail. If a tiger walks in, let it go. If something else walks in, kill it. If something avoids the cage by skipping over it or running around it or crashing through it or because someone stole the cage in the first place, kill it, even if it is a tiger."

So far I am only getting answers along the line of "Nothing can get around the cage, the entrance it too large. The bars are too strong to break. Also, the people here don't steal. So you don't need to worry about anything avoiding the cage."

My research so far indicates that there may not be any other way, that in the land of Firefox it's not possible to kill anything that avoids the cage. That I can only hope that the cage really is big enough and strong enough and people honest enough that it will work in all possible cases. That no matter what, I can't get a fail-safe for the unlikely case of the cage failing. I would like a confirmation of this theory or a proof to the contrary.

(The proof to the contrary would be better, because I do have rather few alternatives, now that Opera is ditching its power users. Basically, that only leaves Internet Explorer, and I am not too comfortable with that.)

[dhouwn]

I would not recommend touching Content Security Policy if NoScript is installed. NoScript (partly) depends on CSP, and CSP was *not* designed to handle multiple clients. If you know what you're doing, you can manually edit CSP while using NoScript, but plain CSP is enough work without having to step carefully around conflicts.

NoScript traditionally depended on Configurable Security Policies (CAPS) not CSP, are you by any chance mixing those two things up?

[therube]

Sure am.
(Saw what your wrote & immediately, heh, oops.)

KB: Security Policies.

[pepak]

This link looks just like what I need. Thanks a lot!

[Thrawn]

So far I am only getting answers along the line of "Nothing can get around the cage, the entrance it too large. The bars are too strong to break. Also, the people here don't steal. So you don't need to worry about anything avoiding the cage."

There are ways for privileged code, like other addons or malware, to avoid or disable NoScript, but Giorgio has worked very hard to ensure that a simple web page cannot.

Addons have greater privileges within Firefox than web pages do, because they can directly interact with the browser internals, so they can reliably stop website scripts from running, or they can attack each other. Websites don't have that same power - especially if they are not allowed to run any active content. There is no way for a simple HTML page, having nothing except plain HTML forms and headers, to run code and exploit security holes. It can only run code by requesting that the browser run code, and in this case, NoScript makes certain that the browser will refuse.

In this case, the tiger is actually being beamed into the cage, Star Trek style. If NoScript is active, it fiddles with the controls to ensure that the tiger is dead on arrival. The only way to get around that is for someone else on board to interfere; the tiger itself is helpless.

My research so far indicates that there may not be any other way, that in the land of Firefox it's not possible to kill anything that avoids the cage. That I can only hope that the cage really is big enough and strong enough and people honest enough that it will work in all possible cases. That no matter what, I can't get a fail-safe for the unlikely case of the cage failing. I would like a confirmation of this theory or a proof to the contrary.

If anything gets around NoScript, then it is probably something that NoScript is not capable of stopping, like another addon, or simply a virus on the machine.

You're best off looking to external tools. Maybe you could run your browser inside Sandboxie, or a virtual machine.

[ExtensionsRule]

The only secure way to turn off scripting is to run a browser that doesn't incorporate scripting.

In a nutshell, the usefulness of Firefox in the battle for the user to retain effective control of their browser is the ability of extensions to monkey so deep down with the works. Containment is futile in such an ecosystem. There is no cage, only the willingness of the majority to restrain themselves.

The development of Security Policies is dynamic and Maone is part of that team.


Without Maone on the Mozilla security watch, I'd be ditching Firefox and reverting to scriptless browsing and phoning the bank.

[Thrawn]

In a nutshell, the usefulness of Firefox in the battle for the user to retain effective control of their browser is the ability of extensions to monkey so deep down with the works. Containment is futile in such an ecosystem. There is no cage, only the willingness of the majority to restrain themselves.

Containment of *addons* is futile, yes, but don't confuse that with containment of web pages. The power of addons means that they can indeed effectively contain web pages.

The development of Security Policies is dynamic and Maone is part of that team.

Without Maone on the Mozilla security watch, I'd be ditching Firefox and reverting to scriptless browsing and phoning the bank.

I wish he were! Mozilla doesn't seem to be paying all that much attention to what NoScript is doing. Apart from click-to-play, I guess, and I don't know whether that was inspired by NoScript or by FlashBlock.