NoScript as an attack surface: review of a 2013 quote

General discussion about the NoScript extension for Firefox
Post Reply
grahamperrin
Posts: 11
Joined: Sun Jan 27, 2019 5:39 pm

NoScript as an attack surface: review of a 2013 quote

Post by grahamperrin »

A January 2013 answer in Information Security Stack Exchange, part of which was quoted in a November 2019 question:
Take into consideration that NoScript will also increase the attack surface
My response: https://security.stackexchange.com/a/223723/13575 – the second part of the answer (below the dividing line).

Thoughts?

TIA
Mozilla/5.0 (X11; FreeBSD amd64; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.3
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript as an attack surface: review of a 2013 quote

Post by barbaz »

How about putting that quote in context? -
https://security.stackexchange.com/a/27957 wrote: For starters, Chrome has better security features and a larger security effort than Firefox.

It's true that JavaScript can be involved in exploitation and exploit kits use JS to hide exploits and profile the browser for exploitation. But disabling JS should not be considered a silver bullet for browser security.

More than just blocking JS, NoScript brings to Firefox security features which Chrome already has, like XSS protection. And features that Chrome lacks, like Clickjacking protection and protection against plugin based attacks. Take into consideration that NoScript will also increase the attack surface.

There isn't a clear winner here considering that the security of Firefox + NoScript depends on the user configuring NoScript and the usability trade-off.

For more about browser security read the Browser Security Handbook by Michal Zalewski. His book, The Tangled Web: A Guide to Securing Modern Web Applications extends this handbook.
(red coloring mine)

Notice how that statement seems a total non-sequitur, and that no explanation was provided. And when asked to clarify, they responded with this -
It means that NoScript is also a target for exploitation. As browsers get harder to exploit, attackers focus more on pluggins and addons. NoScript parses a lot of input so there are a lot of possibilities for buffer overflows and other attacks.
That last sentence is drivel.

As for the other two sentences - if the attack surface provided by NoScript is the size of a pea, the attack surface provided by all active content functionality would be the size of Jupiter.

Also, keep in mind that "attack surface" only means "things that are exposed to potential attack". Whether something is "attack surface" or not is a separate question from how vulnerable or exploitable it is.
*Always* check the changelogs BEFORE updating that important software!
-
grahamperrin
Posts: 11
Joined: Sun Jan 27, 2019 5:39 pm

Re: NoScript as an attack surface: review of a 2013 quote

Post by grahamperrin »

Thanks, was my response reasonable?
Mozilla/5.0 (X11; FreeBSD amd64; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.3
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript as an attack surface: review of a 2013 quote

Post by barbaz »

grahamperrin wrote: Mon Jan 06, 2020 6:29 am was my response reasonable?
Could you please be more specific about what about your response you would like us to evaluate?

In any case, you might want to take another look at this statement -
It's reasonable to assume that extensions for Firefox in general (not NoScript in particular) have a far smaller attack surface.
Not a reasonable assumption.
*Always* check the changelogs BEFORE updating that important software!
-
grahamperrin
Posts: 11
Joined: Sun Jan 27, 2019 5:39 pm

Re: NoScript as an attack surface: review of a 2013 quote

Post by grahamperrin »

Thanks

With apologies for a late response (I must have overlooked an e-mail notification):
barbaz wrote: Tue Jan 07, 2020 1:42 am Not a reasonable assumption.
I struck through that part of my answer in Stack Exchange.
Mozilla/5.0 (X11; FreeBSD amd64; rv:74.0) Gecko/20100101 Firefox/74.0
Post Reply