[CLOSED BY OP] How do I tell if a script is safe?

General discussion about the NoScript extension for Firefox
jason67
Posts: 11
Joined: Wed Oct 28, 2009 4:45 am

[CLOSED BY OP] How do I tell if a script is safe?

Post by jason67 »

If I want to view an FLV, what should I be looking for in the script to know whether to allow it or not? Is there anything specific that stands out as a clear no-no, or do you really have to know what you're doing with this kind of stuff?
Last edited by Tom T. on Thu Oct 29, 2009 6:09 am, edited 1 time in total.
Reason: closed
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: How do I tell if a script is safe?

Post by Tom T. »

See FAQ: "What Is A Trusted Site?" for some guidance. Similarly, consider who made the video -- someone reputable, or an unknown? We'd also hope that respectable sites wouldn't knowingly host malicious videos, even by amateurs, as with YouTube. What I do is have *all* boxes checked in the NoScript > Options > Embeddings tab, then, for example, whitelist YouTube and ytimg.com. BUT .. I do not uncheck "Forbid Flash". Instead, when the placeholder appears (the red NoScript block-logo), I click on it and confirm OK. This way, only that single video is allowed, and no others. Even with that video, or all Flash, allowed, you will still have NoScript's protection against cross-site scripting attacks, or "XSS".

If you are referring to specific javascript code that you've encountered and have questions about, please feel free to post the code here, using the "Code" button on the toolbar.

I'm not sure if that answers your question, but I hope it's a start.
jason67
Posts: 11
Joined: Wed Oct 28, 2009 4:45 am

Re: How do I tell if a script is safe?

Post by jason67 »

Thanks for the reply.

Tom T. wrote: I do not uncheck "Forbid Flash". Instead, when the placeholder appears (the red NoScript block-logo), I click on it and confirm OK.

Yeah, that's what I'm doing as well. I just don't know what to make of the script that appears and asks whether to allow it or not. It is a large trusted site (I suppose). I was just wondering if the users themselves have the ability to inject code when they upload the videos, or if it solely comes down to the site itself once the videos have been uploaded.

You mentioned youtube, could users potentially upload malicious videos to be executed?
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: How do I tell if a script is safe?

Post by Tom T. »

jason67 wrote: I just don't know what to make of the script that appears and asks whether to allow it or not.

You mentioned youtube, could users potentially upload malicious videos to be executed?
Ah, you were referring to this dialog box. This is not actually a script. If you look closely, you'll see that it's just YouTube's extensive description of the video. The initial "Temporarily allow (address) swf/" ... and the end "(<EMBED>, application/x-shockwave-flash)" are NoScript asking you if you want to allow that particular object or application -- in this case a Shockwave Flash, or swf, object. What's in between is not JavaScript code, it's information about the video. Look closely: "length_seconds=152", "url=(location of this video)", "title=Olivia+Newton+John", location of the thumbnail, various authors and view counters, etc.
As for malicious uploads, I don't immediately see why not, but I'm not a YouTube uploader, and only a once-in-a-while viewer. So I don't know what, if any, vetting they do for malicious code, and I didn't immediately see a link to it in their Help.

I'd welcome input from anyone, support team or user, who has information on whether YouTube scans uploaded material in any way.

My fall-back (defense in depth) is to use a virtualized environment for the browser, so that any malicious code that does load cannot escape the virtual container, or "sandbox", and therefore can't write to your hard drive or execute code on your machine. Also good common sense is not to have such an object or window open while you have any sensitive site, like your online bank, in another window, even sandboxed.

There are many virtualization solutions out there, some of which create a cloned copy of your entire machine, pretty much. Much lighter is Sandboxie, which merely clones the browser, Fx profile, and other needed files, including the necessary Windows files. In its safest setting, this sandbox is emptied every time you close the browser, so any malcode would have written to the *cloned* system and Registry files -- which get dumped. :D Your *real* hard drive, system files, etc. remain untouched.

This site can't officially endorse or be responsible for another party's product, but fellow support team member Alan Baxter and I like to rely on Sandboxie when we're asked to visit questionable sites, and/or to disable NoScript, for investigative purposes. It comes in both nagware and payware versions, so you have the choice of buying or putting up with the nagware screen. Again, that's just a personal opinion, not supported or endorsed by this forum, but you might like to check it out along with other sandboxing solutions (ZoneAlarm has one now, I understand, in one of their paid versions.)

Hope this helps, and looking forward to feedback on the issue of whether YouTube takes steps to prevent malicious uploads.
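The placeholder text Tom T. describes is an object URL whose query string carries video metadata. As an added illustration (not code from the thread or from NoScript), this splits such a URL into the part NoScript would actually allow to run (origin and path) and the key=value metadata that the original poster mistook for script. The URL is constructed with placeholder hosts and values, not real YouTube data.

```python
"""Separate 'what would be allowed to run' from 'metadata' in a Flash placeholder URL.

Added example, not from the NoScript forum thread or the NoScript project.
The sample URL is constructed to resemble the one described in the post
(a swf object whose query string carries video metadata); the hosts and
values are placeholders, not real YouTube data.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed sample: placeholder hosts and ids, not a real embed URL.
SAMPLE_SWF_URL = (
    "http://video.example.invalid/swf/player.swf"
    "?length_seconds=152"
    "&url=http%3A%2F%2Fvideo.example.invalid%2Fwatch%3Fv%3DPLACEHOLDER"
    "&title=Olivia+Newton+John"
    "&thumbnail_url=http%3A%2F%2Fimg.example.invalid%2Fvi%2FPLACEHOLDER%2Fdefault.jpg"
    "&view_count=123456"
)


def explain_placeholder(url: str) -> dict:
    """Return the pieces a user should look at before clicking 'allow'.

    'origin' and 'path' identify the object NoScript would permit to load;
    the query parameters are plain key=value data about the video, which
    is the part that looks like "script" in the placeholder dialog.
    """
    parts = urlsplit(url)
    # parse_qs undoes %-encoding and turns '+' back into spaces.
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {
        "origin": f"{parts.scheme}://{parts.netloc}",
        "path": parts.path,
        "param_count": len(params),
        "params": params,
    }


if __name__ == "__main__":
    info = explain_placeholder(SAMPLE_SWF_URL)
    print("Object that would be allowed:", info["origin"] + info["path"])
    print("Metadata carried in the query string:")
    for key, value in info["params"].items():
        print(f"  {key} = {value}")
```

The origin and path are what the trust decision should rest on; the decoded parameters are the descriptive text that fills the rest of the dialog.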
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: How do I tell if a script is safe?

Post by therube »

Well, it's been pointed out that Flash can do JavaScript, & as we all know about JavaScript ...

Flash, being a plugin, works outside of the realm of the browser, so it does not abide by its rules ...

What YouTube does, I wouldn't have a clue.
And even if they do something, what do the 1,000s of other sites that host Flash videos do?

Then there is also the fact that on a good number of sites you need to allow JavaScript even to view videos.

So you have JavaScript on the site, & JavaScript (potential) in the video ...

Anyhow, if viewing it is that important to me, I do what it takes to view it - up to the point that I don't feel safe, & then I'll just skip it. (I don't skip much.)

Now if a site says you need to download a codec ... STAY AWAY!
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: How do I tell if a script is safe?

Post by GµårÐïåñ »

To simply answer your question, there is no simple way to know. There is no generic magic bullet or all-encompassing way to evaluate something for a threat. The fact is that anything can be used maliciously if you think hard enough. It comes down to either you know enough programming to figure it out on your own and satisfy yourself, you rely on others and their evaluations for you, or you just cross your fingers and hope that your trust in the entity you are visiting is not misplaced and that they are not going to serve you any bad scripts, or that their IT is good enough to prevent being hijacked.
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: How do I tell if a script is safe?

Post by Tom T. »

@ jason67: I think with therube's and GµårÐïåñ's input added to mine, really the best defense is defense in depth. Although I mentioned one or two particular sandboxing or virtualization solutions, I know that there are dozens out there. Shop around, read the reviews in reputable tech magazines, etc. and get your browser inside an environment where no malice can leave that sandbox.

Yes, I'm taking a chance every time I use my Yahoo Mail, because I have to allow their scripting. They're a large and reputable company, but what if they were hacked five minutes ago? It's happened to every large site -- Google, Yahoo, and multiply to social sites like MySpace, Facebook, and Twitter. The best sites fix it quickly. But have a good firewall, keep your anti-virus up to date, allow the minimum (as you, therube, and I have already agreed), stay away from shady places... and contain the browser, just in case.

I'm sorry that there is no simple answer to "How do I know if this script (or video) is safe?" It's a question that comes up a lot. Defense in depth is your best bet.

Anything else we can do to help you, let us know.
jason67
Posts: 11
Joined: Wed Oct 28, 2009 4:45 am

Re: How do I tell if a script is safe?

Post by jason67 »

Great replies guys, thank you. The sandbox is a great additional security step I hadn't heard of before.
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: How do I tell if a script is safe?

Post by Tom T. »

You're very welcome, jason67. I'll mark this as closed for now, but not locked. If you need any additional assistance on this particular issue, you can still post to it. If you have any other questions or issues, just start a new thread. Cheers.
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: [CLOSED BY OP] How do I tell if a script is safe?

Post by Tom T. »

jason, if you're still with us, I wanted to mention another feature of Sandboxie that probably some other products have as well -- make sure that they do before you choose one. That is, not just the browser, but *any* app can be run sandboxed. A choice is added to the context menu.

Example: You *download* a video, rather than play it in your browser. (Of course, you scan it with your AV first, which is why, if there's an easy choice, I prefer to d/l rather than play in the browser.) You right-click the video and click "Run sandboxed". Your chosen media player -- Windows Media Player, Apple QuickTime, or any other -- will be run inside the sandbox, so that *if* there is malcode in it, it should not be able to get outside the sandbox, and therefore do no damage. Then you would always close the sandbox and empty the contents, so any malcode is also emptied.

You can play the same video as often as you like in this way. So be sure this feature is included in whichever you select.
Cheers.