http://localhost Blocked.

General discussion about the NoScript extension for Firefox
-kg-
Posts: 3
Joined: Sun Feb 10, 2013 2:39 am


Post by -kg- »

Having done a search on the site (and through Google) and finding no answer, I'll initiate a thread. NoScript seems to be blocking a script from "http://localhost", which I know is my local computer. This is only happening on one site (so far), the link to which is:

www.lifewithdogs.tv
(domain name only -- Tom T.)

http://www.lifewithdogs.tv/2013/02/tethered-dog-who-gave-up-on-life-finally-knows-happiness/?fb_comment_id=fbc_130631547106658_163571_130660563770423#f383d47d8fc8a46
(full address of link -- T.T.)

This problem has me perplexed. I can't understand why NoScript would block a "script" from my local computer. It begs me to wonder if something got "installed" (to my browser...it's highly unlikely to have been installed under Linux), and if something has, I'd like to track it down and eliminate it. It's only from this one site (again, so far), and if it starts showing up regularly, I'll update this thread.

I'm running Linux Mint 13 Cinnamon 64-bit on a Toshiba laptop, Firefox 18.0.2, and NoScript version 2.6.4.4 which is, I assume, the latest.

If I've posted this to the wrong forum, I apologize and authorize the Admins to move it to an appropriate forum. I'm more used to several Linux Help Forums, most notably the Ubuntu Help Forums, of which I've been a contributing member for several years. Most every sub-Forum is for help.
Last edited by Tom T. on Sun Feb 10, 2013 6:25 am, edited 1 time in total.
Reason: sanitize url
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: http://localhost Blocked.

Post by Tom T. »

No worries about which sub-forum.

JSView add-on reports the script source that you cite to be

http://localhost/ads/TheReefTankcom/ftag.js
It appears that the script is trying to run *through* your localhost (or install it there), which I don't like. Continue to disallow it.

ABE FAQ describes a few situations in which web sites themselves (not advertisers) require modification of NoScript's ABE component to permit use of 127.0.0.1, sometimes with a port number appended, but always numerically, not as "localhost". And it does not cite any need to allow "localhost".

I searched and don't have anything on my machine with "reeftank" in it, and I suspect you don't, either, unless you allow this script.

Unless Giorgio or anyone else can provide a legitimate reason why a site would attempt to load ads in this manner, it seems pretty slimy to me.

(Forgive me for sanitizing the URL in your post, but we wish to avoid even the slightest suspicion that anyone is posting to spam for a site. I don't consider that at all likely here, but if we apply it uniformly as much as possible...)


ETA:
NoScript version 2.6.4.4 which is, I assume, the latest.
2.6.5.5, although that shouldn't affect the issue at hand.
Are you set up for automatic updates, or at least, automatic notifications of updates?
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.2
-kg-
Posts: 3
Joined: Sun Feb 10, 2013 2:39 am

Re: http://localhost Blocked.

Post by -kg- »

Thank you very much, Tom T. I appreciate the expeditious answer to my query.
Tom T. wrote:It appears that the script is trying to run *through* your localhost (or install it there), which I don't like. Continue to disallow it.
I shall. In fact, it's going on my "Untrusted" list. Hopefully, it won't affect anything I wish to run, but so be it.
Tom T. wrote:ABE FAQ describes a few situations in which web sites themselves (not advertisers) require modification of NoScript's ABE component to permit use of 127.0.0.1, sometimes with a port number appended, but always numerically, not as "localhost". And it does not cite any need to allow "localhost".
Again, hopefully I'm not doing "damage" by putting 'localhost' in my untrusted list.
Tom T. wrote:Unless Giorgio or anyone else can provide a legitimate reason why a site would attempt to load ads in this manner, it seems pretty slimy to me.
It seemed a bit off to me, as well.
Tom T. wrote:(Forgive me for sanitizing the URL in your post, but we wish to avoid even the slightest suspicion that anyone is posting to spam for a site. I don't consider that at all likely here, but if we apply it uniformly as much as possible...)
Nothing to forgive, is there? I was hesitant to post it, lest I violate a board rule.
Tom T. wrote:ETA:
NoScript version 2.6.4.4 which is, I assume, the latest.
2.6.5.5, although that shouldn't affect the issue at hand.
Are you set up for automatic updates, or at least, automatic notifications of updates?

Oh yes! I receive them regularly. As I said, I'm running Linux Mint, and NoScript as well as Firefox are updated. Of course, Firefox is updated per the repos, and NoScript updates automatically and fairly regularly.

I'm an author who does research on a wide variety of subjects. While I may never again visit the referenced site, I can't guarantee it, nor can I guarantee that I won't run across this again. Now I have something else to research..."reeftank." Attempts to "advertise" to me usually have a reverse effect; I won't buy what they're selling even if I need it desperately and it's the only thing of its kind available. I'm not amenable to something being shoved down my throat!
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20121207 Iceweasel/3.5.16 (like Firefox/3.5.16)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: http://localhost Blocked.

Post by Tom T. »

-kg- wrote:
Tom T. wrote:.... Continue to disallow it.
I shall. In fact, it's going on my "Untrusted" list. Hopefully, it won't affect anything I wish to run, but so be it.
It had occurred to me in the previous post that placing it in Untrusted might be a good idea. I just did, and I don't expect anything to break, since nothing legitimate should be trying to access it.
-kg- wrote:
Tom T. wrote:ABE FAQ describes a few situations in which web sites themselves (not advertisers) require modification of NoScript's ABE component to permit use of 127.0.0.1, sometimes with a port number appended, but always numerically, not as "localhost". And it does not cite any need to allow "localhost".
Again, hopefully I'm not doing "damage" by putting 'localhost' in my untrusted list.
Not at all. ABE can only tighten NoScript's permissions, never loosen them. So when you don't want NoScript to allow a script, ABE is irrelevant.

However, if you have time, you might wish to browse through the ABE FAQ. Its primary purpose is quite related to our issue here: To prevent the Internet from requesting/accessing/grabbing your local stuff. If you open NoScript Options > Advanced > ABE and click SYSTEM on the left-hand side, you will see the default system-wide rule that is ABE's primary purpose for being:

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
If we look at Section 1.3 of ABE Rules .pdf, we see that LOCAL represents your local or private network.

Therefore, this primary rule prevents any site outside of your local resources -- "local" referring to your LAN, devices on it, your computer, including its localhost, your router -- from requesting anything inside that barrier, while still allowing the devices on your LAN to share resources, print, access the router, etc. Hence the acronym for "Application Boundaries Enforcer".
-kg- wrote:
Tom T. wrote:Unless Giorgio or anyone else can provide a legitimate reason why a site would attempt to load ads in this manner, it seems pretty slimy to me.
It seemed a bit off to me, as well.
As you know, the primary purpose of NoScript, and of this support site, is the *prevention* of malware, rather than being a malware-detection or -investigation site (of which there are some very good ones). But while not intending to dig any further, my gut is telling me that this is an attempt to install, at the least, adware, probably causing ad pop-ups at various times. Sheesh, there is no such domain as "localhost/ads". :evil:
-kg- wrote:... Now I have something else to research..."reeftank." Attempts to "advertise" to me usually have a reverse effect; I won't buy what they're selling even if I need it desperately and it's the only thing of its kind available. I'm not amenable to something being shoved down my throat!
Or into your local system or hard drive.

If you're so inclined, you might wish to inquire of that site master why there is an attempt by an ad script to access the machine's localhost, and let her/him know how you feel about the site allowing such practices, and what you said about blacklisting that advertised product forever. Please feel free to post the reply here -- it could be interesting.

Regards,
- Tom
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.2
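
The SYSTEM rule quoted in the post above, worked through as an added example (a simplified model written for this page, not NoScript's or ABE's own code). It assumes LOCAL means the name "localhost" plus loopback, private and link-local addresses, and it does no DNS resolution; `is_local` and `system_rule` are hypothetical names.

```python
import ipaddress
from urllib.parse import urlsplit

def is_local(url):
    """True if the URL's host is in this model's LOCAL set (assumed definition)."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # ordinary host name; this model performs no DNS lookup
    return ip.is_loopback or ip.is_private or ip.is_link_local

def system_rule(origin, destination):
    """Evaluate 'Site LOCAL / Accept from LOCAL / Deny' for one request."""
    if not is_local(destination):
        return "not-applicable"  # 'Site LOCAL' only matches LOCAL destinations
    if is_local(origin):
        return "accept"          # 'Accept from LOCAL'
    return "deny"                # everything else falls through to 'Deny'

# Constructed requests; the first pair is the one reported in this thread.
SAMPLES = [
    ("http://www.lifewithdogs.tv/", "http://localhost/ads/TheReefTankcom/ftag.js"),
    ("http://www.lifewithdogs.tv/", "https://192.168.1.1/"),
    ("http://127.0.0.1:8080/", "http://localhost/"),
    ("http://localhost/", "http://www.lifewithdogs.tv/"),
]

if __name__ == "__main__":
    for origin, dest in SAMPLES:
        print(f"{system_rule(origin, dest):15} {origin} -> {dest}")
```
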
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: http://localhost Blocked.

Post by Thrawn »

Again, hopefully I'm not doing "damage" by putting 'localhost' in my untrusted list.
Unless you're running a local web server - which I do, at work, but you probably don't - then you should be fine. You certainly won't damage anything; the worst that would happen is that you'd need to whitelist it before a local server would work properly.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
-kg-
Posts: 3
Joined: Sun Feb 10, 2013 2:39 am

Re: http://localhost Blocked.

Post by -kg- »

A bit of an update:

I blacklisted the "localhost," but I seem to be experiencing a bit of a problem that might be associated with it. I am a member of a legitimate site that uses "https", but uses a self-signed security certificate. It seems that when I try to sign in and record an exception, my browser won't let me permanently record it, just temporarily.

This happens only in the browser in which I disallowed "localhost" scripting, not in any other browser on the affected machine, nor in the FF browser installed on my desktop (Ubuntu 12.04), which is the same release. Neither does it happen on Iceweasel under Debian Squeeze, which is FF, in essence, though a very early release.

I suppose the only thing to do is to "re-trust" it and see what happens. It's not a major problem, but one I'm sure you'd be interested in.
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20121207 Iceweasel/3.5.16 (like Firefox/3.5.16)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: http://localhost Blocked.

Post by Tom T. »

I don't trust anyone who signs their own security certificate. :mrgreen:

That is an interesting experience. Please do see whether allowing localhost in NS changes the situation, and let us know.
But I don't see how scripting is involved there, especially since it *will* allow the exception temporarily. NS would ask you for temp-allow or permanent whitelist.
You don't see localhost in NS > Untrusted menu when this happens, right? And we are talking only about allowing script from a site via NoScript, not any other mechanism in Firefox security configuration.

Other than that, in the week since I added localhost to Untrusted, nothing has broken, nor has any site even asked for it to be allowed.

Any feedback to/from the webmaster?
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.2
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: http://localhost Blocked.

Post by Thrawn »

Tom T. wrote:I don't trust anyone who signs their own security certificate. :mrgreen:
Oh, I don't know. Self-signing doesn't weaken the cryptography. It just means that you have to independently verify that the certificate is the correct one - eg via the Perspectives addon, or offline methods - instead of trusting that every single certificate authority pre-installed by Mozilla did it for you (because if a single one is dodgy, that's enough to produce a certificate that your browser will trust without question).
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: http://localhost Blocked.

Post by Tom T. »

Thrawn wrote: instead of trusting that every single certificate authority pre-installed by Mozilla did it for you (because if a single one is dodgy, that's enough to produce a certificate that your browser will trust without question).
Yes, that's a bad problem for all browsers. I used to delete the dodgy-looking ones, until I accidentally deleted an OK one, and had a heck of a time reinstalling it.
I prefer sites that use reputable authorities like VeriSign, etc., even though they, too, have had problems.

Nothing is ever truly safe or secure... :cry:
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.2
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: http://localhost Blocked.

Post by Thrawn »

Tom T. wrote:
Thrawn wrote: instead of trusting that every single certificate authority pre-installed by Mozilla did it for you (because if a single one is dodgy, that's enough to produce a certificate that your browser will trust without question).
Yes, that's a bad problem for all browsers. I used to delete the dodgy-looking ones, until I accidentally deleted an OK one, and had a heck of a time reinstalling it.
I prefer sites that use reputable authorities like VeriSign, etc., even though they, too, have had problems.

Nothing is ever truly safe or secure... :cry:
Try Perspectives. It contacts notaries around the world to ask them which certificate they see for the site, and how long they've seen it. Works on the premise that any attempt to impersonate a legitimate site will be a) localised, or b) detected and taken down in short order. You can continue to use the existing verification system, but Perspectives can give you more confidence, *and* give you a way to check up on certificates that are self-signed or otherwise not verifiable in the normal way.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: http://localhost Blocked.

Post by Tom T. »

Thrawn wrote:Try Perspectives....
Why, I just might do that! (I just did).

Still, though,
Perspectives does not do anything to protect you against a poorly run website....
It's always the human at one end or the other, and nothing we can do about that (sigh). ... but it looks like yet another good layer of "defense-in-depth". Will let you know MHO after some experience with it. Thanks for the tip.
Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0.2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: http://localhost Blocked.

Post by Tom T. »

Tom T. wrote:
Thrawn wrote:Try Perspectives....
Why, I just might do that! (I just did). ... it looks like yet another good layer of "defense-in-depth". Will let you know MHO after some experience with it. Thanks for the tip.
I think this has been a fair trial period, and wanted to let you know I'm pleased with Perspectives. Certificate Patrol has gotten awfully "noisy" lately, and I like how Perspectives operates silently unless/until an inconsistent site is visited. I didn't even realize it was doing anything until I clicked on it while on Yahoo Mail login page. Impressive! Even better, it gave me a very reassuring false positive when I logged into my own router (which is configured to accept HTTPS logins only), because of course no notaries can verify my personal router (I hope!). Proof that it does alarm when they can't give suitable stats on it. Thanks again. :)


FWIW, still no problems with localhost in Untrusted, for us non-web-server users.
Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
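
The notary idea described in the posts above (ask several vantage points which certificate they see and for how long, and alarm when they cannot vouch for it), as an added example that is not Perspectives' own code. The `quorum` and `min_days` thresholds, the function name and all fingerprints are assumptions constructed for illustration.

```python
def notary_check(seen_fp, reports, quorum=0.75, min_days=2):
    """Compare the certificate the browser received with notary observations.

    reports maps notary name -> (fingerprint, days_seen), or None when that
    notary could not reach the site at all.
    """
    answers = [r for r in reports.values() if r is not None]
    if not answers:
        # e.g. a router on a private LAN: no outside notary can see it
        return "alarm: no notary data"
    agreeing = [days for fp, days in answers if fp == seen_fp]
    if len(agreeing) < quorum * len(reports):
        # a localised impersonation: the browser sees a different certificate
        # from the one the rest of the world sees
        return "alarm: notaries disagree"
    if min(agreeing) < min_days:
        # everyone sees it, but only since very recently
        return "alarm: certificate too new"
    return "consistent"

# Constructed observations (fingerprints are placeholders, not real values).
PUBLIC_SITE = {"n1": ("AA:11", 90), "n2": ("AA:11", 88),
               "n3": ("AA:11", 91), "n4": ("AA:11", 90)}
HOME_ROUTER = {"n1": None, "n2": None, "n3": None, "n4": None}
FRESH_SWAP = {"n1": ("CC:33", 0), "n2": ("CC:33", 0),
              "n3": ("CC:33", 1), "n4": ("CC:33", 0)}

if __name__ == "__main__":
    print(notary_check("AA:11", PUBLIC_SITE))   # same cert everywhere
    print(notary_check("BB:22", PUBLIC_SITE))   # browser sees a different cert
    print(notary_check("DD:44", HOME_ROUTER))   # self-signed, unreachable
    print(notary_check("CC:33", FRESH_SWAP))    # seen by all, but brand new
```
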
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: http://localhost Blocked.

Post by Thrawn »

Tom T. wrote: I think this has been a fair trial period, and wanted to let you know I'm pleased with Perspectives.
Glad you like it :).
Certificate Patrol has gotten awfully "noisy" lately, and I like how Perspectives operates silently unless/until an inconsistent site is visited.
Yeah, Cert Patrol doesn't really handle sites that use multiple certificates from multiple authorities, which lots do...I tried to submit a feature request to have it remember past certificates, and not complain if they were presented again, but couldn't find a way to submit it. Their online chat forum - which, by the way, falls foul of the NAT Pinning rule - doesn't seem to be monitored.
FWIW, still no problems with localhost in Untrusted, for us non-web-server users.
No, there wouldn't be :). Except maybe if you had addons that interact with sites via localhost (like GFK Internet Monitor, apparently). But that doesn't sound like good design to me.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0