NoScript Sightings

General discussion about the NoScript extension for Firefox
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript Sightings

Post by Giorgio Maone »

tlu wrote:
Giorgio Maone wrote:
tlu wrote: this suggests that he regards the security concept of FF as fundamentally broken.
Nope, he's not singling out Firefox at all,
Hm, he specifically mentioned the Mozilla Team so I guess with "browser" one sentence later he was certainly not talking about IE ... ;)
I can reassure you.

He was talking about IE (which, incidentally, has its own equally broken cross-site request mechanism), about Safari/Chrome (which both use WebKit and implement HTML 5, therefore CORS) and about any other browser around, including but not especially Firefox, which is the browser he uses for everyday browsing: why would he choose the most broken of all, if he really believed so?

He was talking about "the browser" in general, and its breakage (or better, the breakage of the web) is what he and Jeremiah have been preaching for years.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Jim Too
Senior Member
Posts: 58
Joined: Mon Mar 23, 2009 4:30 pm

Re: NoScript Sightings

Post by Jim Too »

tlu wrote: Agreed. But let's face it: We - the NS users - are only a small minority. Most FF users don't know anything about NS. The question remains why its security features have not been implemented in the browser itself. That's good for you, of course :) , but not for the bog standard user. Perhaps this is what RSnake was referring to.
One of the reasons that NS is so effective "out of the box" is that it operates in default deny, but default deny is a two-edged sword. It takes a while to "train" NS so that it allows scripts from the sites you normally visit. The "bog standard" user might get frustrated with the research and training that is necessary and either allow scripts globally or allow all scripts on the current page without looking. Even for sites that I do trust, I don't allow scripts to run from all the sites that a trusted site links to. An online whitelist might help in this regard and would also provide a mechanism for globally disallowing a compromised site. Add the ability for an online blacklist (to override locally whitelisted domains) and you would provide a mechanism to protect against a compromised site.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090727 Minefield/3.6a1pre
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript Sightings

Post by Giorgio Maone »

Jim Too wrote: Add the ability for an online blacklist (to override locally whitelisted domains) and you would provide a mechanism to protect against a compromised site.
You already have a blacklist built-in in Firefox, it's the "Safe Browsing" feature fed in real time with Google's compromised sites database.
I doubt any in-house NoScript online blacklist could be more up-to-date than a Google-managed resource.
Even so, no blacklist alone can be nearly as safe as an intelligently managed whitelist.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
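A constructed model of the policy the two posts above argue over (Jim Too's proposal of a remote blacklist overriding local whitelist entries, and Giorgio's point that a blacklist alone cannot match a default-deny whitelist); this is added example code, not NoScript's, and its domain-matching rule (an entry covers the host and its subdomains) and all host names are assumptions:

```python
# Constructed model of the policy discussed in the thread: NoScript-style
# default deny with a local whitelist, a per-session "temporarily allow",
# and a remote blacklist (Safe Browsing-like feed) that overrides local
# whitelist entries. Not NoScript's own code; matching rules are assumptions.
from urllib.parse import urlsplit


def host_covered(host, entry):
    """An entry covers the host itself and any of its subdomains (assumption)."""
    return host == entry or host.endswith("." + entry)


class ScriptPolicy:
    def __init__(self, whitelist=(), remote_blacklist=(), default_allow=False):
        self.whitelist = set(whitelist)                # persistent local allowances
        self.temp_allowed = set()                      # session-only allowances
        self.remote_blacklist = set(remote_blacklist)  # centrally fed blocklist
        self.default_allow = default_allow             # True = blacklist-only browser

    def temporarily_allow(self, host):
        self.temp_allowed.add(host)

    def decide(self, script_url):
        host = (urlsplit(script_url).hostname or "").lower()
        # 1. A blacklist hit wins even over a local whitelist entry.
        if any(host_covered(host, e) for e in self.remote_blacklist):
            return "blocked:blacklisted"
        # 2. Then persistent or temporary local allowances.
        if any(host_covered(host, e) for e in self.whitelist):
            return "allowed:whitelist"
        if host in self.temp_allowed:
            return "allowed:temporary"
        # 3. Otherwise the configured default applies.
        return "allowed:default" if self.default_allow else "blocked:default-deny"


def compare_policies(script_url, blacklist=()):
    """Return (default-deny whitelist verdict, blacklist-only verdict) for one script."""
    trusted = ["bank.example", "mail.example"]           # constructed whitelist
    strict = ScriptPolicy(trusted, blacklist, default_allow=False)
    loose = ScriptPolicy((), blacklist, default_allow=True)
    return strict.decide(script_url), loose.decide(script_url)


if __name__ == "__main__":
    # A compromised CDN nobody has reported yet: only default deny stops it.
    print(compare_policies("https://cdn.fresh-compromise.example/a.js"))
    # Once reported, the blacklist also blocks a locally whitelisted host.
    print(ScriptPolicy(["bank.example"], ["bank.example"])
          .decide("https://www.bank.example/app.js"))
```

The gap between the two verdicts in the first call is the window Giorgio describes: a blacklist protects only after someone has reported the site, while default deny needs no report.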
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: NoScript Sightings

Post by Tom T. »

Jim Too wrote:
tlu wrote: Agreed. But let's face it: We - the NS users - are only a small minority. Most FF users don't know anything about NS. The question remains why its security features have not been implemented in the browser itself. That's good for you, of course :) , but not for the bog standard user. Perhaps this is what RSnake was referring to.
One of the reasons that NS is so effective "out of the box" is that it operates in default deny, but default deny is a two-edged sword. It takes a while to "train" NS so that it allows scripts from the sites you normally visit. The "bog standard" user might get frustrated with the research and training that is necessary and either allow scripts globally or allow all scripts on the current page without looking.
Or, as many do, just uninstall it. Things which I believe are still on the "to-do" list are a first-run splash screen with the Beginner's Guide and a link to FAQ, and a compiled Help file so that NS will have a built-in online Help button (and/or F1) as many other apps do. These might increase both the adoption and retention rates, as per this thread from a new user. It might also help convince Mozilla to include NS as part of a default install of Fx, a topic that's come up more than once before. Even if it were installed disabled by default, but with a splash screen advising of its capabilities and where to get the needed information, it would be an improvement. I'd prefer that it be enabled by default, again with the splash screen, and an "out" that users can "temporarily" disable it until they've had a chance to learn about its use, features, and necessity.

The Internet is an unsafe place. No one gets in a car for the first time and drives off. You need to spend some time learning how to use this powerful tool first, or else endanger yourself and everyone else on the road. But people take a computer OOB, turn it on, and expect to drive the Internet Autobahn without care or fear. This is the *big* picture: If you want the convenience of a car or the Web, you must learn a little first. You don't need the high-tech stuff. You don't need to know how your car's engine works, only how to turn the key and start it. You don't need to know how the transmission works ....

You don't need to know all of the details of *how* NS does what it does, but you need to know what buttons to push when, just as in driving a car -- and what *not* to do.

The easier we can make this task for novices, the better the chance it will become a standard for Fx (and others in the industry -- Google is considering it). But the Internet is not a zero-knowledge tool, and users need to be educated to that fact. This is what RSnake and Jeremiah knew -- browsing in general isn't safe (this Web 2.0 stuff was a huge step backwards in that regard, IMHO, and it's getting worse, with "desktop applications" -- no, thank you) -- and it doesn't matter which browser, if the user is uneducated. The educated users, like, say, RSnake, use Firefox with NoScript and ABE, either of which defeat the exploit that was the subject of this part of the thread.
Even for sites that I do trust, I don't allow scripts to run from all the sites that a trusted site links to. An online whitelist might help in this regard and would also provide a mechanism for globally disallowing a compromised site. ....
How is the whitelist to be maintained, and by whom? Who will know when the site is compromised? Who will know when it's been repaired?
What if your standards of privacy or acceptable risk are different from mine?

NoScript's fundamental concept is taking your browser out of the hands of the Web 2.0 "architects" and giving control back to you. Keep your whitelist as small as possible, and only for sites you visit frequently and trust completely. Use "temporarily allow", on a case-by-case and script-by-script basis, *only* when the function you need won't work otherwise (else why allow it, no matter how trusted? -- one more way of avoiding a possibly-compromised site and malicious script). Only *then* do you ask yourself, "Do I trust this site?" and, if so, TA only that which is needed.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
mik33mik
Posts: 18
Joined: Fri Mar 20, 2009 11:59 am

Re: NoScript Sightings

Post by mik33mik »

Eduardo Vela Nava, David Lindsay @ Black Hat:
Our Favorite XSS Filters and How to Attack Them

Presentation (pdf)

They have shown how to bypass the NoScript XSS filter.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: NoScript Sightings

Post by Grumpy Old Lady »

So Sirdarckcat's moved to the centre of a brutal and expansionist empire? Oh no, he's not in .us, he's in another one - .cn ;-) Working on tunnelling through the Great Firewall perhaps.
That man is so very entertaining :-))
Following the standards is for losers, so java made their own...
If you can use Firefox, use Firefox+NoScript
A taste of what can be wrecked with the new vids

HTML5 will allow attributes in closing tags
and
HTML5 includes "seamless" iframes
could allow for pure css-based XSS attacks
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript Sightings

Post by Giorgio Maone »

Grumpy Old Lady wrote: So Sirdarckcat's moved to the centre of a brutal and expansionist empire? Oh no, he's not in .us, he's in another one - .cn ;-) Working on tunnelling through the Great Firewall perhaps.
That man is so very entertaining :-))
I actually helped him to relocate by introducing him to some Chinese acquaintances of mine :)
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: NoScript Sightings

Post by Grumpy Old Lady »

Giorgio Maone wrote: I actually helped him to relocate by introducing him to some Chinese acquaintances of mine :)
(-:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: NoScript Sightings

Post by therube »

The 1.9.8.3 changes close the above "blackhat" exposures?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090717 SeaMonkey/2.0b1
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript Sightings

Post by Giorgio Maone »

therube wrote: The 1.9.8.3 changes close the above "blackhat" exposures?
They were already closed before the presentation (since 1.9.6, exactly).
1.9.8.3 fixes a different issue, reported privately by Sirdarckcat this morning.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

John Graham-Cumming plugging NS on Steve Gibson's show

Post by Tom T. »

Steve Gibson's weekly security podcast for 05 November 2009, entitled, "The Oxymoron of 'JavaScript Security'", featured John Graham-Cumming, author of "The Geek Atlas", and co-founder of sw company Electric Cloud, explaining the inherent and probably un-fixable problems in JS, with a theme of "JavaScript Must Die".

The good (Il buono), aside from the general exposure of JS insecurity: Graham-Cumming says that his defense is NoScript. :D
Steve Gibson agrees.
Steve's co-host, Leo, who runs Fx (and other browsers) on Mac and does *not* use NS, said,
I've got to quickly go instead [[probable typo for "install" -- T.T.]] NoScript on all my machines. <snip> How many times have I said that before? But this time I'm going to really do it. You did finally scare me into it.
The bad (il cattivo): Extensive mention is made of XSS attacks, without once mentioning NS XSS protection.
Similarly, there is reference to CSRF attacks without reference to ABE.
Giorgio, would you care to write to Steve? I've tried in the past, with only partial success.

The ugly (il brutto): It is still expressed and implied that NS is annoying (I would find being pwned or having my bank account drained *much* more annoying. But that's just MHO.) and that it is for power-users only, not friendly for Mom. OTOH, Gibson had previously whined about the pop-up bar, without ever reading the FAQ or the UI to see that he could turn it off...

High-quality mp3
Lower-bandwidth mp3
Pdf
Text version
View as Web page
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: NoScript Sightings

Post by Alan Baxter »

Adobe Flash attack vector exploits insecure web design • The Register
Surfers are advised to mitigate against the possible risk of attack by disabling Flash in their browsers or by using browser plug-ins, such as NoScript for Firefox or ToggleFlash for IE, to reduce their exposure whenever possible.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
nimd4
Posts: 10
Joined: Tue Apr 14, 2009 9:03 am

Re: NoScript Sightings

Post by nimd4 »

I'm late to the discussion and I won't take long (or get into it ;)). It's great how you've spotted Steve Gibson, btw. I have always liked him, but that's just according to the (anti-micro$oft :)) website; the campaign xd. Anyway, NoScript is freedom.

Freedom that programmers and software developers, perhaps, don't and didn't have, ie. due to "market demands" (very questionable, yes). It is illogical for anyone to not like the NoScript add-on (not to mention its ideology). The continuous development, support and the benefits... tremendous. Thank you very much, thanks to all. :)
Z68A-G43 (G3) - i7-3770 - Vengeance 2x4GB 2133MHz - GTX 650 Gainward
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: NoScript Sightings

Post by Tom T. »

nimd4 wrote:... It's great how you've spotted Steve Gibson, btw. ...
I was reading Gibson long before I discovered NoScript or Firefox -- still on IE. He talked about the dangers of scripting back then, but there wasn't that much you could do about it in IE -- "all" or "nothing" at any given site. Gibson was among those who first piqued my interest in security matters specifically.

But I came to Fx + NS *long* before Gibson did, and he's taking a surprisingly long time to realize all of its features and benefits. Still, any additional source of exposure is good, and Gibson has sent a number of listeners to NoScript, for which of course we're grateful.

In any event, on behalf of the entire team here, thanks for the kind words. :)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: NoScript Sightings

Post by Tom T. »

Nice plug for NoScript from security organization SANS, as quoted http://forums.informaction.com/viewtopi ... 259#p14259
Actual article: http://isc.sans.org/diary.html?storyid=7765
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20