NoScript and Spectre-Meltdown


Post by kukla » Fri Jan 05, 2018 8:54 pm

If I'm not mistaken, attack vector is via JavaScript. Can NoScript offer protection beyond browsing mostly with JS disabled, except for completely known, trusted sites?* Any particular suggestions for protection with NoScript?

*No guarantee there either, since even those can sometimes be hacked.

Re: NoScript and Spectre-Meltdown

Post by Giorgio Maone » Sat Jan 06, 2018 1:29 am

kukla wrote: If I'm not mistaken, attack vector is via JavaScript.

Correct, that's the easiest way to remotely exploit Spectre.
kukla wrote: Can NoScript offer protection beyond browsing mostly with JS disabled, except for completely known, trusted sites?* Any particular suggestions for protection with NoScript?
*No guarantee there either, since even those can sometimes be hacked.

The same rules suggested to prevent any JS-exploitable vulnerability, "known or not known yet" as advertised:
  1. limit your whitelist to HTTPS-only matched sites (green closed lock icon), because otherwise an attacker controlling your network could inject its malicious payload inside random unencrypted pages.
  2. keep the XSS filter enabled, otherwise an attacker could exploit an XSS vulnerability in a trusted site to inject its malicious payload in it, even if encrypted.
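
Rule 1 in the reply above, as an added example that is not part of the thread or of NoScript's code: a JavaScript audit that flags whitelist entries which are not HTTPS-only. The entry notation (full origin or bare domain) and the sample list are assumptions constructed for illustration, not NoScript's storage format.

```javascript
// Assumed entry notation for this sketch (hypothetical, not NoScript's format):
//   "https://host" -> origin match, encrypted only
//   "http://host"  -> origin match, cleartext
//   "host"         -> bare domain, assumed to match any scheme
const SAMPLE_WHITELIST = [ // constructed sample data
  "https://bank.example",
  "http://forum.example",
  "news.example",
  "https://cdn.example:8443",
  "ftp://files.example",
  "https://",
];

// Decide whether one whitelist entry can only ever match an HTTPS page.
function classifyEntry(entry) {
  const text = entry.trim();
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(text)) {
    // No scheme: the entry would also trust the http:// version of the site,
    // which a network attacker can modify in transit.
    return { entry: text, httpsOnly: false, reason: "bare domain matches cleartext HTTP too" };
  }
  let url;
  try {
    url = new URL(text);
  } catch (e) {
    return { entry: text, httpsOnly: false, reason: "unparseable entry" };
  }
  if (url.protocol !== "https:") {
    return { entry: text, httpsOnly: false, reason: `scheme ${url.protocol} is not HTTPS` };
  }
  return { entry: text, httpsOnly: true, reason: "HTTPS-only origin" };
}

// Split a whitelist into entries to keep and entries to review or tighten.
function auditWhitelist(entries) {
  const results = entries.map(classifyEntry);
  return {
    keep: results.filter((r) => r.httpsOnly).map((r) => r.entry),
    review: results.filter((r) => !r.httpsOnly),
  };
}

const report = auditWhitelist(SAMPLE_WHITELIST);
for (const r of report.review) console.log(`REVIEW ${r.entry}: ${r.reason}`);
```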

Re: NoScript and Spectre-Meltdown

Post by jawz101 » Mon Jan 08, 2018 5:55 pm

@Giorgio- is web assembly a separate technology that will one day need protections?

Re: NoScript and Spectre-Meltdown

Post by Giorgio Maone » Mon Jan 08, 2018 6:05 pm

jawz101 wrote: @Giorgio- is web assembly a separate technology that will one day need protections?

Web Assembly is subject to the same rules/restrictions as JavaScript (they share the same runtime, but by writing web assembly you're able to better model your performance optimization at a lower abstraction level).
So NoScript covers it just like it covers JavaScript.
