
Re: NoScript Sightings

Posted: Mon Jul 27, 2009 4:55 pm
by Giorgio Maone
tlu wrote:
Giorgio Maone wrote:
tlu wrote:this suggests that he regards the security concept of FF as fundamentally broken.

Nope, he's not singling out Firefox at all,

Hm, he specifically mentioned the Mozilla Team so I guess with "browser" one sentence later he was certainly not talking about IE ... ;)

I can reassure you.

He was talking about IE (which, incidentally, has its own equally broken cross-site request mechanism), about Safari/Chrome (which both use WebKit and implement HTML 5, therefore CORS) and about any other browser around, including but not especially Firefox, which is the browser he uses for everyday browsing: why would he choose the most broken of all, if he really believed so?

He was talking about "the browser" in general, and its breakage (or better, the breakage of the web) is what he and Jeremiah have been preaching for years.

Re: NoScript Sightings

Posted: Mon Jul 27, 2009 5:45 pm
by Jim Too
tlu wrote:Agreed. But let's face it: We - the NS users - are only a small minority. Most FF users don't know anything about NS. The question remains why its security features have not been implemented in the browser itself. That's good for you, of course :) , but not for the bog standard user. Perhaps this is what RSnake was referring to.


One of the reasons that NS is so effective "out of the box" is that it operates in default deny, but default deny is a two-edged sword. It takes a while to "train" NS so that it allows scripts from the sites you normally visit. The "bog standard" user might get frustrated with the research and training that is necessary and either allow scripts globally or allow all scripts on the current page without looking. Even for sites that I do trust, I don't allow scripts to run from all the sites that a trusted site links to. An online whitelist might help in this regard and would also provide a mechanism for globally disallowing a compromised site. Add the ability for an online blacklist (to override locally whitelisted domains) and you would provide a mechanism to protect against a compromised site.

Re: NoScript Sightings

Posted: Mon Jul 27, 2009 6:03 pm
by Giorgio Maone
Jim Too wrote:Add the ability for an online blacklist (to override locally whitelisted domains) and you would provide a mechanism to protect against a compromised site.

You already have a blacklist built-in in Firefox, it's the "Safe Browsing" feature fed in real time with Google's compromised sites database.
I doubt any in-house NoScript online blacklist could be more up-to-date than a Google-managed resource.
Even so, no blacklist alone can be nearly as safe as an intelligently managed whitelist.

Re: NoScript Sightings

Posted: Tue Jul 28, 2009 12:27 am
by Tom T.
Jim Too wrote:
tlu wrote:Agreed. But let's face it: We - the NS users - are only a small minority. Most FF users don't know anything about NS. The question remains why its security features have not been implemented in the browser itself. That's good for you, of course :) , but not for the bog standard user. Perhaps this is what RSnake was referring to.


One of the reasons that NS is so effective "out of the box" is that it operates in default deny, but default deny is a two-edged sword. It takes a while to "train" NS so that it allows scripts from the sites you normally visit. The "bog standard" user might get frustrated with the research and training that is necessary and either allow scripts globally or allow all scripts on the current page without looking.

Or, as many do, just uninstall it. Things which I believe are still on the "to-do" list are a first-run splash screen with the Beginner's Guide and a link to FAQ, and a compiled Help file so that NS will have a built-in online Help button (and/or F1) as many other apps do. These might increase both the adoption and retention rates, as per this thread from a new user. It might also help convince Mozilla to include NS as part of a default install of Fx, a topic that's come up more than once before. Even if it were installed disabled by default, but with a splash screen advising of its capabilities and where to get the needed information, it would be an improvement. I'd prefer that it be enabled by default, again with the splash screen, and an "out" that users can "temporarily" disable it until they've had a chance to learn about its use, features, and necessity.

The Internet is an unsafe place. No one gets in a car for the first time and drives off. You need to spend some time learning how to use this powerful tool first, or else endanger yourself and everyone else on the road. But people take a computer OOB, turn it on, and expect to drive the Internet Autobahn without care or fear. This is the *big* picture: If you want the convenience of a car or the Web, you must learn a little first. You don't need the high-tech stuff. You don't need to know how your car's engine works, only how to turn the key and start it. You don't need to know how the transmission works ....

You don't need to know all of the details of *how* NS does what it does, but you need to know what buttons to push when, just as in driving a car -- and what *not* to do.

The easier we can make this task for novices, the better the chance it will become a standard for Fx (and others in the industry -- Google is considering it). But the Internet is not a zero-knowledge tool, and users need to be educated to that fact. This is what RSnake and Jeremiah knew -- browsing in general isn't safe (this Web 2.0 stuff was a huge step backwards in that regard, IMHO, and it's getting worse, with "desktop applications" -- no, thank you) -- and it doesn't matter which browser, if the user is uneducated. The educated users, like, say, RSnake, use Firefox with NoScript and ABE, either of which defeat the exploit that was the subject of this part of the thread.

Jim Too wrote:Even for sites that I do trust, I don't allow scripts to run from all the sites that a trusted site links to. An online whitelist might help in this regard and would also provide a mechanism for globally disallowing a compromised site. ....

How is the whitelist to be maintained, and by whom? Who will know when the site is compromised? Who will know when it's been repaired?
What if your standards of privacy or acceptable risk are different from mine?

NoScript's fundamental concept is taking your browser out of the hands of the Web 2.0 "architects" and giving control back to you. Keep your whitelist as small as possible, and only for sites you visit frequently and trust completely. Use "temporarily allow", on a case-by-case and script-by-script basis, *only* when the function you need won't work otherwise (else why allow it, no matter how trusted? -- one more way of avoiding a possibly-compromised site and malicious script). Only *then* do you ask yourself, "Do I trust this site"? and, if so, TA only that which is needed.

Re: NoScript Sightings

Posted: Thu Jul 30, 2009 4:05 pm
by mik33mik
Eduardo Vela Nava, David Lindsay @ Black Hat:
Our Favorite XSS Filters and How to Attack Them

Presentation (pdf)

They have shown how to bypass the NoScript XSS filter

Re: NoScript Sightings

Posted: Fri Jul 31, 2009 6:05 am
by Grumpy Old Lady


So Sirdarckcat's moved to the centre of a brutal and expansionist empire? Oh no, he's not in .us he's in another one - .cn ;-) Working on tunnelling through the Great Firewall perhaps.
That man is so very entertaining :-))
Following the standards is for losers, so java made their own...

If you can use Firefox, use Firefox+NoScript

A taste of what can be wrecked with the new vids

HTML5 will allow attributes in closing tags

and
HTML5 includes "seamless" iframes
could allow for pure css-based XSS attacks

Re: NoScript Sightings

Posted: Fri Jul 31, 2009 6:36 am
by Giorgio Maone
Grumpy Old Lady wrote:So Sirdarckcat's moved to the centre of a brutal and expansionist empire? Oh no, he's not in .us he's in another one - .cn ;-) Working on tunnelling through the Great Firewall perhaps.
That man is so very entertaining :-))

I actually helped him to relocate by introducing him to some Chinese acquaintances of mine :)

Re: NoScript Sightings

Posted: Sat Aug 01, 2009 7:45 am
by Grumpy Old Lady
Giorgio Maone wrote:I actually helped him to relocate by introducing him to some Chinese acquaintances of mine :)


(-:

Re: NoScript Sightings

Posted: Wed Aug 19, 2009 12:49 am
by therube
The 1.9.8.3 changes close the above "blackhat" exposures?

Re: NoScript Sightings

Posted: Wed Aug 19, 2009 1:12 am
by Giorgio Maone
therube wrote:The 1.9.8.3 changes close the above "blackhat" exposures?

They were already closed before the presentation (since 1.9.6, exactly).
1.9.8.3 fixes a different issue, reported privately by Sirdarckcat this morning.

John Graham-Cumming plugging NS on Steve Gibson's show

Posted: Mon Nov 09, 2009 4:17 am
by Tom T.
Steve Gibson's weekly security podcast for 05 November 2009, entitled, "The Oxymoron of 'JavaScript Security'", featured John Graham-Cumming, author of "The Geek Atlas", and co-founder of sw company Electric Cloud, explaining the inherent and probably un-fixable problems in JS, with a theme of "JavaScript Must Die".

The good (Il buono), aside from the general exposure of JS insecurity: Graham-Cumming says that his defense is NoScript. :D
Steve Gibson agrees.
Steve's co-host, Leo, who runs Fx (and other browsers) on Mac and does *not* use NS, said,
I've got to quickly go instead [[probable typo for "install" -- T.T.]] NoScript on all my machines. <snip> How many times have I said that before? But this time I'm going to really do it. You did finally scare me into it.

The bad (il cattivo): Extensive mention is made of XSS attacks, without once mentioning NS XSS protection.
Similarly, there is reference to CSRF attacks without reference to ABE.
Giorgio, would you care to write to Steve? I've tried in the past, with only partial success.

The ugly (il brutto): It is still expressed and implied that NS is annoying (I would find being pwned or having my bank account drained *much* more annoying. But that's just MHO.) and that it is for power-users only, not friendly for Mom. OTOH, Gibson had previously whined about the pop-up bar, without ever reading the FAQ or the UI to see that he could turn it off...

High-quality mp3
Lower-bandwidth mp3
Pdf
Text version
View as Web page

Re: NoScript Sightings

Posted: Mon Nov 16, 2009 5:12 pm
by Alan Baxter
Adobe Flash attack vector exploits insecure web design • The Register
Surfers are advised to mitigate against the possible risk of attack by disabling Flash in their browsers or by using browser plug-ins, such as NoScript for Firefox or ToggleFlash for IE, to reduce their exposure whenever possible.

Re: NoScript Sightings

Posted: Fri Nov 20, 2009 6:20 pm
by nimd4
I'm late to the discussion and I won't take long (or get into it ;)). It's great how you've spotted Steve Gibson, btw. I have always liked him, but that's just according to the (anti-micro$oft :)) website; the campaign xd. Anyway, NoScript is freedom.

Freedom that programmers and software developers, perhaps, don't and didn't have, ie. due to "market demands" (very questionable, yes). It is illogical for anyone to not like the NoScript add-on (not to mention its ideology). The continuous development, support and the benefits... tremendous. Thank you very much, thanks to all. :)

Re: NoScript Sightings

Posted: Sat Nov 21, 2009 12:07 am
by Tom T.
nimd4 wrote:... It's great how you've spotted Steve Gibson, btw. ...

I was reading Gibson long before I discovered NoScript or Firefox -- still on IE. He talked about the dangers of scripting back then, but there wasn't that much you could do about it in IE -- "all" or "nothing" at any given site. Gibson was among those who first piqued my interest in security matters specifically.

But I came to Fx + NS *long* before Gibson did, and he's taking a surprisingly long time to realize all of its features and benefits. Still, any additional source of exposure is good, and Gibson has sent a number of listeners to NoScript, for which of course we're grateful.

In any event, on behalf of the entire team here, thanks for the kind words. :)

Re: NoScript Sightings

Posted: Sat Dec 19, 2009 1:13 am
by Tom T.
Nice plug for NoScript from security organization SANS, as quoted viewtopic.php?p=14259#p14259
Actual article: http://isc.sans.org/diary.html?storyid=7765