NoScript Calling Out

[J-5438]

Hello,

I'm a long time user of NoScript ... up until it went to versions 2.0+ ... then strange things began to happen. NoScript is, without any client-side request or notification, 100% completely on its own, when I launch my Firefox Browser version 3.0.19 to "about:blank", trying to connect out to TCP port 443 at 82.103.140.42. My DNS resolves this connection attempt to "ciccio.maone.net". This happens even when I have *ALL* of the URLs in the whitelist removed.

I checked the "options" and saw nothing explaining this. Maybe I missed something.

Why is NoScript attempting to 'call out' from my computer without my authorization?

Please advise. Thank you.

J-5438

[dhouwn]

Why is NoScript attempting to 'call out' from my computer without my authorization?

To improve the user experience.

Nah, just joking,
the real reason is described here: http://hackademix.net/2010/07/28/abe-pa ... r-routers/

[J-5438]

OK, thanks for the link, although I do think NoScript may be in an area of network security that it may not really be designed to be in. Unsure, though. However, I do protect my router by *enabling* the DMZ and placing a bogus IP address there (192.168.1.227) so any unwanted inbound traffic should drop into the 'bit bucket'. Since doing that I have never seen any more unwanted inbound packets in my software firewall's logs. I'll also have a further look at the technological aspects of what NoScript is doing in more detail

Best regards,

J-5438

[Giorgio Maone]

Since doing that I have never seen any more unwanted inbound packets in my software firewall's logs. I'll also have a further look at the technological aspects of what NoScript is doing in more detail

In fact, the ABE feature we're talking about protects you from a different and much more subtle kind of attack onto your LAN resources: you won't see any inbound packet from cross-zone CSRF or DNS rebinding attacks, but rather a request starting from your own PC (the one you're running the browser on) and actually originating from your browser: in other words, the packets will flow from your PC to the resource under attack, i.e. everything inside your LAN, even though the attack is driven from outside.
I doubt you've got firewall rules blocking your PC from accessing local resources, have you?

[J-5438]

I doubt you've got firewall rules blocking your PC from accessing local resources, have you?

Hello Giorgio,

It's been many years (4-6+ ... IIRC) since I first solved an issue with NoScript with you!

As far as my Kerio 2.1.5 rules go, I really wouldn't know how to configure them to prevent my PC from accessing local resources on my router. The best I think I've been able to do is to completely lock up Internet Explorer and /never/ use it and also edit the registry to lock down the "My Computer" zone (zone 0) as much as possible.

However, my Kerio 2.1.5 logs are now empty since playing the DMZ 'trick' and of course I have deactivated remote access on my Linksys router. On a single workstation with just one wired router, no ActiveX in the browser and a software firewall, I don't see how there would be any vulnerabilities except for Shockwave. Maybe a test website for Firefox and NoScript would be possible? My router's logs, OTOH, are filled with Chinese incoming IP addresses

Best Regards,

J-5438

[Giorgio Maone]

On a single workstation with just one wired router, no ActiveX in the browser and a software firewall, I don't see how there would be any vulnerabilities except for Shockwave.

CSRF, XSS, DNS Rebinding, none of these require more than a working browser (with no plugins/activeX whatsoever).

Maybe a test website for Firefox and NoScript would be possible? My router's logs, OTOH, are filled with Chinese incoming IP addresses

What's your router's IP? (I could portscan using CSRF, or check whether it's vulnerable to http://noscript.net/abe/wan, but I'm too lazy for that... )

[J-5438]

What's your router's IP? (I could portscan using CSRF, or check whether it's vulnerable to http://noscript.net/abe/wan, but I'm too lazy for that... [/quote]

-------------------------------------------------------------------------------------------------------------------------------


WAN IP = 76.93.187.235 ... from 'too sunny' San Diego.

I have to get used to HTTP newsgroup forums (LOL) as I can't seem to quite
figure out the quoting/reply system. You could probably knock me offline for
a moment with an RST packet, IIRC ... but anyhow -- scan away!

Regards,

J-5438