Is default-deny for JavaScript necessary for good security?
Posted: Sat Oct 03, 2009 7:45 pm
First, let me say that I am using NoScript, and I value its default-deny for plug-ins and IFRAMEs and its protections: ClearClick, XSS, JAR, HTTPS and ABE. I appreciate all the volunteer effort that Giorgio and the support team put into designing, debugging and supporting NoScript. I created this topic to dialog on the subject, and I am open to learning new things.
Some background on me... I haven't programmed in JavaScript, but I am a professional programmer. I have been programming in many languages for about 33 years, and I have been studying PC security for about 7 years in my spare time. I share my PC with a non-technical spouse, who doesn't have the understanding or experience to decide which sites are dangerous. I have observed that she learns to allow all sites when blocking is frequent and she has the power of choice. Therefore, I spent considerable effort to provide decision-free security with high usability/convenience. This includes globally allowing JavaScript since it is used by a significant percentage of legitimate sites I have experienced.
My decision-free security consists of a number of applications, Windows configurations and behavior policies. These are too numerous to include in this post. Instead, I would like to create in this thread a list of JavaScript vulnerabilities and security counter-measures (other than default-deny of JavaScript). If we find even one JavaScript vulnerability without a corresponding counter-measure, then the answer to the question in the subject is "yes". I would like to limit this thread to PC security since I am not familiar with Mac and Linux security outside of Firefox.
1. Vulnerability: JavaScript can move or resize existing windows, raise or lower windows, disable or replace context menus, hide the Firefox status bar or change status bar text.
Counter-measure: Firefox's Tools|Options|Content tab|JavaScript Advanced menu allows the user to block these JavaScript behaviors.
2. Vulnerability: The JavaScript implementation on a given platform has yet-to-be-discovered buffer overflow errors that allow an attacker access outside of the sandbox and into the OS to do great damage.
3. Vulnerability: There are various scenarios involving an attack by a site on the client such that the site steals the user's credentials or impersonates the user to access a banking site and steal money from the user.
Counter-measure: Close and re-open Firefox immediately before and after accessing a financial website. Configure Firefox to delete cookies when closing Firefox.
Note that many of these counter-measures are wise even with default-deny of JavaScript by NoScript, because there is the danger that the user, even temporarily, allows a dangerous site, or a trusted site gets attacked and begins to host malicious JavaScript.
Please add more vulnerabilities and, if you know them, counter-measures.
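Added example, not part of the original post: a small Node.js audit that checks a Firefox prefs.js/user.js text for the counter-measures in items 1 and 3. The pref names are the about:config entries behind the Advanced JavaScript Settings checkboxes and the keep-cookies-until-close setting in Firefox of that era; they are not named in the post, and the function names and sample profile are constructed for illustration.

```javascript
// Expected values for the counter-measures in items 1 and 3 of the post.
// Pref names are Firefox about:config names (assumption: not quoted in the post).
const EXPECTED = {
  "dom.disable_window_move_resize": true,         // scripts may not move/resize windows
  "dom.disable_window_flip": true,                // scripts may not raise/lower windows
  "dom.event.contextmenu.enabled": false,         // scripts may not disable/replace context menus
  "dom.disable_window_open_feature.status": true, // scripts may not hide the status bar
  "dom.disable_window_status_change": true,       // scripts may not change status bar text
  "network.cookie.lifetimePolicy": 2,             // cookies kept only until Firefox closes
};

// Parse lines of the form user_pref("name", value); the last assignment wins.
function parsePrefs(text) {
  const prefs = {};
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue;                       // comments, blank lines, other content
    try { prefs[m[1]] = JSON.parse(m[2]); } // true / false / number / "string"
    catch { /* value is not a plain literal: skip it */ }
  }
  return prefs;
}

// Report every expected pref that is not explicitly set ("unset": the build's
// default applies) or is set to a different value ("mismatch").
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const [name, want] of Object.entries(EXPECTED)) {
    if (!(name in prefs)) findings.push({ name, status: "unset", want });
    else if (prefs[name] !== want)
      findings.push({ name, status: "mismatch", want, got: prefs[name] });
  }
  return findings;
}

// Constructed sample profile, not taken from a real machine.
const SAMPLE = [
  "// constructed sample",
  'user_pref("dom.disable_window_move_resize", true);',
  'user_pref("dom.disable_window_flip", false);',
  'user_pref("dom.event.contextmenu.enabled", false);',
  'user_pref("network.cookie.lifetimePolicy", 0);',
  'user_pref("browser.startup.homepage", "about:blank");',
].join("\n");

console.log(auditPrefs(SAMPLE));
```

An "unset" finding means the pref is left at whatever default the installed Firefox version ships, so it needs checking in about:config rather than being a failure by itself.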