[RESOLVED] ABE re-enabled on restart after disabling
(Split as O/T from NS Development, HTTPS Mixed content by Tom T.)
Just a note that somewhere along the line, NoScript is forcing ABE codes to be enabled. If you disable the code and restart Firefox, the code will be "automatically" enabled again. Giorgio Maone, pretty sure this is a bug?
Last edited by Tom T. on Sat Nov 26, 2011 11:02 am, edited 2 times in total.
Reason: mark as resolved, per OP
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Re: HTTPS Mixed content
ssj100 wrote:
> Just a note that somewhere along the line, NoScript is forcing ABE codes to be enabled. If you disable the code and restart Firefox, the code will be "automatically" enabled again. Giorgio Maone, pretty sure this is a bug?
Can anyone reproduce this? Thanks.
Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
Re: HTTPS Mixed content
ssj100 wrote:
> Just a note that somewhere along the line, NoScript is forcing ABE codes to be enabled. If you disable the code and restart Firefox, the code will be "automatically" enabled again. Giorgio Maone, pretty sure this is a bug?
> Can anyone reproduce this? Thanks.
No, not on either Fx 3.6.24 or Fx 8.0 -- and I run both browsers sandboxed. But with the necessary write permissions to enable preferences like this to be written through to the hard drive.
If you use any sort of sandbox or virtual machine (VM), that could be the issue.
Else, do you have Admin privilege on the machine?
Any other write-privilege restrictions?
Sorry that there was no answer to your June post, probably because no one could reproduce it. Because of both the time lag and the fact that it's O/T to the original thread, I'm splitting this to a new thread in NoScript Support. Please check the above suggestions, and advise whether the issue is solved. Thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
Re: ABE re-enabled on restart after disabling (Split from NS
Yes I do run Firefox sandboxed by default, but I've tested this issue outside of Sandboxie and I can reproduce it. However, I'm testing in a Limited User Account on Windows XP - are you also on Windows XP? I've also tested in a freshly installed VM (Windows XP) in an Administrator account and can also reproduce it.
Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
Re: ABE re-enabled on restart after disabling (Split from NS
ssj100 wrote:
> Yes I do run Firefox sandboxed by default, but I've tested this issue outside of Sandboxie and I can reproduce it. However, I'm testing in a Limited User Account on Windows XP - are you also on Windows XP?
Yes, as you can see by the user agent string printed in the lower right of each post. (IIRC, guest users can't see that, only registered users.) NT 5.1 = XP
Reproducing outside Sandboxie isn't quite so meaningful if you're limiting your own account privileges. (Good safety move while browsing, though.) Disconnect from the Internet (for safety), log in as Admin, and see if you can still reproduce the issue, first outside of Sandboxie, then, if the change is saved successfully, from within Sandboxie.
> I've also tested in a freshly installed VM (Windows XP) in an Administrator account and can also reproduce it.
OK, Admin privilege now, but the freshly-installed VM needs to have write privileges through to the non-virtual (real) hard drive in order to save such preferences. I don't know which brand you're using, but it doesn't matter -- consult your VM documents for how to configure such permissions.
Just out of curiosity, in your limited-user, sandboxed browser, are you able to save other preferences, like bookmarks, cookie permissions, other NoScript settings, etc.?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
Re: ABE re-enabled on restart after disabling (Split from NS
Thanks for the information. I think I'll probably leave it alone, as it sounds like it's a Limited User Account issue etc, which is something I will not change - the main use of NoScript for me is actually to load web pages faster haha (since it blocks a lot of "junk"). The odd thing is that this is a change that I noticed with NoScript - there was a time when this did not happen, even inside Sandboxie or in a VM. That's why I thought it was a bug - it only occurred after I upgraded NoScript to a certain version (can't remember which one now, but it was probably the versions since around June 2011).
Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
Re: ABE re-enabled on restart after disabling (Split from NS
ssj100 wrote:
> Thanks for the information. I think I'll probably leave it alone, as it sounds like it's a Limited User Account issue etc, which is something I will not change - the main use of NoScript for me is actually to load web pages faster haha (since it blocks a lot of "junk"). The odd thing is that this is a change that I noticed with NoScript - there was a time when this did not happen, even inside Sandboxie or in a VM. That's why I thought it was a bug - it only occurred after I upgraded NoScript to a certain version (can't remember which one now, but it was probably the versions since around June 2011).
And definitely *not* after updating Sandboxie? ... "freshly installed" VM should require a write permission, too, as suggested above.
Just out of curiosity, is there a reason that you need to disable ABE? The default protection is substantial -- keeps web sites from getting inside your local network, accessing router settings, etc., and adds additional CSRF protection.
If you need specific exceptions, and can't find the format in the ABE FAQ, the Forum will be happy to assist you in writing them. One-time-only, then you can leave ABE on all the time.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
Re: ABE re-enabled on restart after disabling (Split from NS
Tom T. wrote:
> And definitely *not* after updating Sandboxie? ... "freshly installed" VM should require a write permission, too, as suggested above.
No, I don't think Sandboxie has anything to do with it, as I can reproduce the issue outside of Sandboxie.
Not sure what you mean by the VM requiring a write permission? I use VirtualBox and I run a "freshly installed" Windows XP with it - I almost always revert back to the "baseline" snapshot after doing any experimenting.
Tom T. wrote:
> Just out of curiosity, is there a reason that you need to disable ABE? The default protection is substantial -- keeps web sites from getting inside your local network, accessing router settings, etc., and adds additional CSRF protection.
I wanted to disable ABE because I've added the following rule in (to block potential web-logging via "mixed content"):
Code:
Site http:
Deny INC from https:
http://ssj100.fullsubject.com/t287p30-w ... ttack#2345
Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
Re: ABE re-enabled on restart after disabling (Split from NS
ssj100 wrote:
> Tom T. wrote:
> > And definitely *not* after updating Sandboxie? ... "freshly installed" VM should require a write permission, too, as suggested above.
> No, I don't think Sandboxie has anything to do with it, as I can reproduce the issue outside of Sandboxie.
With Admin privilege?
> Not sure what you mean by the VM requiring a write permission? I use VirtualBox and I run a "freshly installed" Windows XP with it - I almost always revert back to the "baseline" snapshot after doing any experimenting.
Exactly. Which is why it's not saving the "disable ABE" change that you made *inside the VM*.
ssj100 wrote:
> Tom T. wrote:
> > Just out of curiosity, is there a reason that you need to disable ABE? The default protection is substantial -- keeps web sites from getting inside your local network, accessing router settings, etc., and adds additional CSRF protection.
> I wanted to disable ABE because I've added the following rule in (to block potential web-logging via "mixed content"):
> Code:
> Site http:
> Deny INC from https:
> More here:
> http://ssj100.fullsubject.com/t287p30-w ... ttack#2345
I replied there. I defeat the attack, and login to Yahoo Mail without mixed content, using only scripting permissions. (and perhaps one Hosts file entry - not sure if that's relevant; please check out my reply at the other topic.)
Thanks for your strong support of NoScript at your forum. However,
> Of course, the fact that a lot of us use a tightly configured Sandboxie perhaps makes NoScript less useful haha.
No way. Without NS, you are vulnerable to attacks *inside the browser*, such as XSS and CSRF. The sandbox keeps malware out of your hard drive, but having one site steal your login cookie or run malicious code on a site you trust or do a Clickjacking attack, etc., etc., can hurt you very badly, and no sandbox will prevent that, unless you run each tab in a separate sandbox, AND those individual sandboxes are in fact totally isolated from each other. Which still would not defeat Clickjacking, which can be executed on the single sandboxed tab that you're on, *invisibly*. Plus history attacks within the same tab, etc. etc. Why take chances?
Please share this information with your readers.
> For the majority of web-sites, there is no need to allow every single script to view/use it properly. Many scripts relate to advertising and other "junk" content anyway.
A fairly long, but by no means inclusive, list of such advertising sites was just recently posted here, by Your Humble Servant, with the team's collaboration, of course. I hope you find it useful. Please feel free to post the direct link to that at your site.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
Re: ABE re-enabled on restart after disabling (Split from NS
wat0114 wrote:
> I've tried Noscript long ago, used it for several days, but I found it drove me nuts, as I spent so much time tweaking it to unblock content I wanted to view. Maybe I'll give it another try and put more effort, especially in the early going, to whitelist my commonly visited sites.
Please advise wat0114, and all other NoScript-fearing users

Building a whitelist of your fave sites (bank, tube, mail, whatever) happens on the first time that you visit them, so the needed list populates quickly. Sites used only once in a great while might be better off with "temporarily allow" (click "Revoke temporary permissions" before leaving the site), but that's a trade-off between having a lot of sites at which to do temp-allowing and having a whitelist of manageable length. I spend very little time in the NS menu deciding what to allow, except for unknown sites that users post about here.

And tell them that if they have any questions that are not answered at the above sources, or by searching this Forum, *please* do not hesitate to post them here!
It's why we're here.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
Re: ABE re-enabled on restart after disabling (Split from NS
Tom T. wrote:
> With Admin privilege?
Not sure what this has to do with Sandboxie potentially causing the issue when I can reproduce it outside of Sandboxie?
Tom T. wrote:
> Exactly. Which is why it's not saving the "disable ABE" change that you made *inside the VM*.
I think you have mis-understood (or perhaps you're not familiar with how VM's work?). I disable ABE within the VM and then I quit Firefox (all within the same session). When I open Firefox again (within the same session), ABE is magically re-enabled. This has nothing to do with going back to a baseline snapshot and losing settings. This is easily reproducible for anyone using a VM.
Tom T. wrote:
> Please share this information with your readers.
It's not really my forum. If you want to spread more information on that web-site about NoScript, feel free to join and post. I never said NoScript is not useful. I just said NoScript is arguably less useful (I also said it with a laugh haha) when using Sandboxie (with my security setup/approach). For example, when I do online banking now, only my bank IP can communicate with my system. That alone probably defeats any malicious data mining. However, I also use a sandboxed browser for banking/transactions which always empties when the browser closes. This means I go straight to my banking web-site with what is pretty much a freshly installed browser with no cookies/history etc.
Anyway, I still don't understand why ABE requires real system hardware access to save its configuration? Are you saying it can't be fully tested in a VM? Can you please explain why exactly that is the case? Thanks.
Regardless, I always have ABE enabled now (I can't disable it anyway because of this "bug"), and it doesn't appear to affect any web-sites. So it's all good I guess. It's just a little odd that I'm the only one noticing this "bug", or at least the only one making any noise about it.
Mozilla/5.0 (Windows NT 5.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Re: ABE re-enabled on restart after disabling (Split from NS
ssj100 wrote:
> This is easily reproducible for anyone using a VM.
I can't remember having such an issue when using XP in a VM. Also, it doesn't make sense.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20100101 Firefox/9.0
Re: ABE re-enabled on restart after disabling (Split from NS
dhouwn wrote:
> ssj100 wrote:
> > This is easily reproducible for anyone using a VM.
> I can't remember having such an issue when using XP in a VM. Also, it doesn't make sense.
When did you test it?
Yes, it doesn't make sense at all. But I was surprised that I could reproduce it in a freshly installed Windows XP (Administrator account, unsandboxed).
Mozilla/5.0 (Windows NT 5.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Re: ABE re-enabled on restart after disabling (Split from NS
ssj100 wrote:
> Tom T. wrote:
> > With Admin privilege?
> Not sure what this has to do with Sandboxie potentially causing the issue when I can reproduce it outside of Sandboxie?
I'm asking whether the non-sandboxed issue occurs only in the Limited User Account, in which case, the LUA is not giving permission to make NS config changes. That's why I asked if it occurs when you run as Admin, non-sandboxed. In that case, it should save, always. If it doesn't, then there's a puzzle to solve.
There could also be a lack of Sandboxie permissions, which is why I asked whether you are able to save cookie permissions, bookmarks, etc. (Yes, it is actually possible to have two issues at the same time.)

Ronen Tzur (Tzuk) should be answering the question of how to do this, but *unofficially*, here are my *personal* edits to the SB config file that are relevant to this issue. (Others are needed depending on what other add-ons you have installed). I take no responsibility for anyone else using them. Your setup may be different. Use at your own risk only. Newer versions of SB may change these; I have an older version. Ask RT.
Code:
OpenFilePath=firefox.exe,%AppData%\mozilla\firefox\profiles\*\cert8.db
OpenFilePath=firefox.exe,%AppData%\mozilla\firefox\profiles\*\cookies.sqlite
OpenFilePath=firefox.exe,%appdata%\mozilla\firefox\profiles\*\permissions.sqlite
OpenFilePath=firefox.exe,%AppData%\Mozilla\Firefox\Profiles\*\prefs.js
ssj100 wrote:
> Tom T. wrote:
> > Exactly. Which is why it's not saving the "disable ABE" change that you made *inside the VM*.
> I think you have mis-understood (or perhaps you're not familiar with how VM's work?).
I am familiar with VM. The full scenario was not described. I understood you to mean that when you closed the VM, the next restart re-enabled ABE. No worries; you've described it now.
ssj100 wrote:
> I disable ABE within the VM and then I quit Firefox (all within the same session). When I open Firefox again (within the same session), ABE is magically re-enabled. This has nothing to do with going back to a baseline snapshot and losing settings. This is easily reproducible for anyone using a VM.
*That* is what was missing before: that you were in the same VM, never closed, but only closing/restarting Fx. Thank you.

So, the same questions: Is Fx sandboxed *within the VM*? If so, see the above SB permissions needed.
Do you have Admin privilege *within the VM*? If still running as LU, the VM may very properly not grant you privilege to change these settings, because the VM is supposed to act exactly as the HD copy would.
If you want to make a permanent save of changes through both Sandboxie and VM, you'll need to grant permissions to *both*. Naturally, going back to baseline will lose whatever was changed from the baseline.
ssj100 wrote:
> Tom T. wrote:
> > Please share this information with your readers.
> It's not really my forum.
Oh. Perhaps I was misled by "ssj100 Security Forums", and your name as Admin. Silly me.

ssj100 wrote:
> If you want to spread more information on that web-site about NoScript, feel free to join and post. I never said NoScript is not useful. I just said NoScript is arguably less useful (I also said it with a laugh haha) when using Sandboxie (with my security setup/approach). For example, when I do online banking now, only my bank IP can communicate with my system. That alone probably defeats any malicious data mining.
I may accept the invitation to post at that thread, if time permits. (Have spent a lot of time on this issue, as you have.)
Sounds like a firewall config, which is cool. But some banks do call data-mining scripts and run them. Not sure if your IP lock defeats that, cuz I don't know the details of how you did it, but NS prevents that by your allowing bank.com and default-denying dataminer.com.
ssj100 wrote:
> However, I also use a sandboxed browser for banking/transactions which always empties when the browser closes. This means I go straight to my banking web-site with what is pretty much a freshly installed browser with no cookies/history etc.
Assuming that you meant "fresh" sandboxed browser to start (previously closed and dumped), then yes, that is exactly the right thing to do. Kudos.

ssj100 wrote:
> Anyway, I still don't understand why ABE requires real system hardware access to save its configuration? Are you saying it can't be fully tested in a VM? Can you please explain why exactly that is the case? Thanks.
ABE should work perfectly well in a VM. You just need to configure it in your "baseline" snapshot, and make any changes in that baseline itself. Otherwise, as said before, changes made during a session will be lost when the VM session ends.
ssj100 wrote:
> Regardless, I always have ABE enabled now (I can't disable it anyway because of this "bug"), and it doesn't appear to affect any web-sites. So it's all good I guess. It's just a little odd that I'm the only one noticing this "bug", or at least the only one making any noise about it.
Which is why I still suspect the various permissions issues discussed above. If you're happy, fine, especially since ABE no longer breaks sites for you.
Still curious about the "can't disable", but no, no one else has reported it, and I can't reproduce it. So whether you want to investigate what's up above is up to you.
Please let us know either way. If the investigation isn't going any farther, I'd like to mark the topic "Resolved".
ETA:
> But I was surprised that I could reproduce it in a freshly installed Windows XP (Administrator account, unsandboxed).
dhouwn and you posted while I was writing that very long post; hence, I missed that part about Admin unsandboxed.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
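One way to separate the two explanations debated in this thread (the change never reaches disk because of sandbox or account write permissions, versus the change is saved and then flipped back at startup) is to compare copies of the profile's prefs.js taken before the change, after closing Firefox, and after restarting it. This is an added example, not part of any post and not NoScript or Sandboxie code; the pref name `extensions.example.abeEnabled` and the sample file contents are constructed placeholders.

```python
import json
import re

# One prefs.js entry looks like: user_pref("some.name", true);
PREF_RE = re.compile(r'^user_pref\("((?:[^"\\]|\\.)+)",\s*(.*)\);\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue  # header comments and blank lines
        name, raw = m.group(1), m.group(2)
        try:
            prefs[name] = json.loads(raw)  # true/false, integers, "strings"
        except ValueError:
            prefs[name] = raw  # keep the raw text rather than drop the entry
    return prefs


def classify(before, after_close, after_restart, name):
    """Report where a changed preference was lost.

    before        -- prefs.js text before changing the setting
    after_close   -- prefs.js text after changing it and closing Firefox
    after_restart -- prefs.js text after starting Firefox again
    A pref at its default value is absent from prefs.js, so None is a
    legitimate "value" in these comparisons.
    """
    b = parse_prefs(before).get(name)
    c = parse_prefs(after_close).get(name)
    r = parse_prefs(after_restart).get(name)
    if c == b:
        return "never-written"      # change did not reach disk: check permissions
    if r == c:
        return "persisted"          # setting survived the restart
    return "reverted-on-start"      # saved, then changed back during startup


# Constructed sample snapshots (placeholder pref name, not a real one).
PREF = "extensions.example.abeEnabled"
BEFORE = '// Mozilla User Preferences\nuser_pref("browser.startup.page", 3);\n'
AFTER_CLOSE = BEFORE + 'user_pref("%s", false);\n' % PREF
AFTER_RESTART = BEFORE  # the line is gone again after the restart

if __name__ == "__main__":
    print(classify(BEFORE, AFTER_CLOSE, AFTER_RESTART, PREF))
```

A result of "never-written" points at write permissions (sandbox, limited account), while "reverted-on-start" means the file was saved and something changed the value back when the browser started.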
Re: ABE re-enabled on restart after disabling (Split from NS
Tom T. wrote:
> So, the same questions: Is Fx sandboxed *within the VM*?
No, it is not sandboxed. Sandboxie is not even installed within the VM. In fact, nothing is, except Firefox (and NoScript) - it's a freshly installed Windows XP.
Tom T. wrote:
> Do you have Admin privilege *within the VM*?
Yes, I have Admin privilege within the VM. There's only one account - again, it's a freshly installed Windows XP, and therefore no other user accounts have been created apart from the default account - this default account is always an Admin account with Windows XP.
Tom T. wrote:
> Sounds like a firewall config, which is cool. But some banks do call data-mining scripts and run them. Not sure if your IP lock defeats that, cuz I don't know the details of how you did it
Are you saying that some banks try to steal your bank login details? If so, I don't see the point - they can abuse your money anyway haha. As for my firewall configuration, I have an IPSec rule which when enabled, only allows communication from my IP address to my bank's sole IP address (and vice versa) via Port 443, TCP protocol. Any other communication that doesn't fall under those specifications is blocked by default. Therefore, only my bank can steal my information, which they effectively have anyway!
Mozilla/5.0 (Windows NT 5.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1