Making sure I understand...

Discussions about the Application Boundaries Enforcer (ABE) module
WilliamBell

Making sure I understand...

Post by WilliamBell »

I want to make sure I have my logic correct and am not opening myself up to bad things here.

Let's say I want to allow amazonaws.com on site1.com and site2.com and Deny it on every other site. Is the following the correct method to implement this?

Code: Select all

Site .site1.com
Accept from .site1.com .amazonaws.com
Deny

Code: Select all

Site .site2.com
Accept from .site2.com .amazonaws.com
Deny
I would then allow amazonaws.com in my whitelist.

Is this correct? Also, how can I verify with my own eyes that amazonaws.com is being blocked everywhere else?

Thanks for your time.
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Making sure I understand...

Post by Giorgio Maone »

The meaning of rules is the opposite of what you seem to pursue.

ABE rules work on HTTP requests, and their subject ("Site") is the destination (the URL you're gonna load), while the from cause is the origin (the page where the link or the embeddings is found).

Therefore, if you want amazonaws.com and its subdomains to accept requests from site1.com and site2.com (and subdomains) while denying requests from everywhere else (and thus being blocked), you need to write

Code: Select all

Site .amazonaws.com
Accept from .site1.com .site2.com
Deny
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
WilliamBell

Re: Making sure I understand...

Post by WilliamBell »

Thanks for the clarification, looks like I had it exactly backwards. Glad I asked before I went crazy. :)

What can I do to see the blocking in action?

Thanks so much.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Making sure I understand...

Post by Giorgio Maone »

WilliamBell wrote: What can I do to see the blocking in action?
Since by design ABE doesn't trigger visible notifications when blocking embedded items (notifications are only for documents), but logs everything anyway, you can monitor ABE's activity by looking at messages starting with "[ABE]" in your Error Console (Ctrl+Shift+J).
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Making sure I understand...

Post by Tom T. »

Giorgio Maone wrote:The meaning of rules is the opposite of what you seem to pursue....

Therefore, if you want amazonaws.com and its subdomains to accept requests from site1.com and site2.com (and subdomains) while denying requests from everywhere else (and thus being blocked), you need to write

Code: Select all

Site .amazonaws.com
Accept from .site1.com .site2.com
Deny
WilliamBell wrote:Thanks for the clarification, looks like I had it exactly backwards.
FWIW, the wording of the rules is indeed counter-intuitive to the non-tech user, IMHO.

For example, if I want to allow a YouTube video while I'm on goodsite.com, I would think, "Accept (Flash object) AT (not "from") goodsite.com, because that is where I'm choosing to accept it. And I'm accepting it FROM YouTube - the source of the Flash object that I wish to allow to run.

Giorgio's explanation makes perfect sense from the point of view of the HTTP Request system, but if it makes you feel any better, it took me a little bit of time to become accustomed to it at first.

@ Giorgio: Should the ABE FAQ and the ABE Rules .pdf include any such explanations, since ABE usage is rapidly spreading from the higher-tech user base to the low- or non-tech user population?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Making sure I understand...

Post by GµårÐïåñ »

Not that counter-intuitive actually. Think like this:

Site Area51 (the object of our concern)
Accept from USAF USMC CIA (allow those listed to have access to it)
Deny (no one else)

So its pretty clear that the site is the object of your concern/access, and the next line are those who have access to it and by default everyone else is denied. Just saying...
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Making sure I understand...

Post by Tom T. »

GµårÐïåñ wrote:....So its pretty clear that the site is the object of your concern/access, and the next line are those who have access to it and by default everyone else is denied. Just saying...
True -- it's intuitive to the IT pro or tech-savvy user.

But the non-tech user doesn't think of Site.com having *access* to Flash Object.
S/he thinks of Flash Object having access, or "being allowed to enter" TO, or AT, Site.com. -- vs. "From".

The OP's question itself evinces this.

It may be a bit easier for a non-pro like myself, even if a fairly dedicated non-pro, to empathize with the average user than for a long-time professional like yourself. This is true in almost any field that I have experienced, btw, ranging from business to sports to academics to ... :)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Making sure I understand...

Post by Thrawn »

Tom T. wrote:
GµårÐïåñ wrote:....So its pretty clear that the site is the object of your concern/access, and the next line are those who have access to it and by default everyone else is denied. Just saying...
True -- it's intuitive to the IT pro or tech-savvy user.

But the non-tech user doesn't think of Site.com having *access* to Flash Object.
S/he thinks of Flash Object having access, or "being allowed to enter" TO, or AT, Site.com. -- vs. "From".
Maybe the trouble is the word 'Site'. Non-tech user hears 'site' and thinks 'the site I'm visiting'. They don't think of the Flash video as a 'site'. The site, to them, is what appears in the address bar.

Of course, changing that would break every rule ever written. But theoretically, could the ABE syntax introduce more intuitive aliases for Site and/or From?
So the default rule could then be written as, eg:

Code: Select all

Resource LOCAL
Accept At LOCAL
Deny
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Making sure I understand...

Post by GµårÐïåñ »

No, Site here is meant as SITE. Not a resource, which can be image, flash, java, so on. Those would be inclusion objects and have their own extended handling on another line within the more advanced rules. That was just focusing on the basic rule structure.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Making sure I understand...

Post by Tom T. »

GµårÐïåñ wrote:No, Site here is meant as SITE. Not a resource, which can be image, flash, java, so on. Those would be inclusion objects and have their own extended handling on another line within the more advanced rules. That was just focusing on the basic rule structure.
How about just "Source"?

Code: Select all

Source java-vm@http:www.example.com
Accept from .example.com
Deny
This may be more intuitive to non-tech users: Flash objects, IFRAMEs, Java, ogg-video, and scripts all come from a source.

So the user understands: Something from this source wants to load at example.com. Let that source load (whatever it is -- script, java-vm, etc.) at example.com, but nowhere else.

This doesn't in any way affect the ability of the more advanced user to use INCLUSION, etc. in their rules.

Edit: Allowing AT as an alias for FROM would indeed be more intuitive to the non-tech user, as it doesn't require an understanding of the HTTP Request model upon which the syntax was based. And adding this would not break existing rules.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Making sure I understand...

Post by GµårÐïåñ »

Matter of semantics my friend and the terminology would degrade the scope, quality and intent of the tool. But hey, ultimately up to the guy builds it. Sometimes it is what it is and the user needs to just learn, understand and accept it, not try to change it or "dumb" it down (no offense intended, its the only word I could think of) just so it appeals to people who don't get it, which mind you are the minority of the people who use NS not the majority. I say if you are going to use a professional tool like this and took time to understand its usefulness, then get used to the terminology too.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Making sure I understand...

Post by Thrawn »

With all due respect to Guardian's expertise, I disagree: I think that Site in this context does mean a resource or set of resources. The ABE rules define Site syntax as:

Code: Select all

Site <resource>
Where
A <resource> is typically an URI pattern (literal, glob or regexp) designing a request destination (site)...
So in ABE syntax, Site = resource.
And this makes sense, because when you specify eg

Code: Select all

Site www.example.com
it's actually shorthand for

Code: Select all

Site *://www.example.com/*
ie the set of all resources located at www.example.com on any protocol.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (Linux; U; Android 2.2.1; en-gb; GT-S5570 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Making sure I understand...

Post by Tom T. »

GµårÐïåñ wrote:Matter of semantics
Semantics matter.
.. the terminology would degrade the scope, quality and intent of the tool.

How?

It degrades the scope by ______________________________________

It degrades the quality by _____________________________________

It degrades the intent by ______________________________________
(please fill in the blanks)
"dumb" it down (no offense intended, its the only word I could think of)
How about these: "Make it more accessible to a larger number of users?"
just so it appeals to people who don't get it, which mind you are the minority of the people who use NS not the majority.
True three or four years ago, perhaps, but a look at the questions posted on this board indicate growing numbers of lower-tech users. Which is a *good* thing.
Should only the elite be protected from Web dangers?

Why is NS free? Why has Giorgio spent so much time trying to port it to Chrome?
Because he wants it in the hands of as many as possible, to make the Net a bit safer for *all* of us, not just the high-tech.
I say if you are going to use a professional tool like this and took time to understand its usefulness, then get used to the terminology too.
What is so harmful about making the present terminology, which frankly is absolutely counter-intuitive to the non-tech user according to previous posts, more intuitive and simpler, so that far more people can have this protection?

What Thrawn said: You know that I respect your expertise, and I value your friendship. But statements like the above tend to give the impression that we want to "keep secrets" from those who do not live in the tech world, as you do.

Why is it a "professional tool"? Are only IT professionals supposed to use it? OMG, :o I had better stop using ABE, stop using NS, stop moderating here, and get back to IE or AOL, as many non-professionals do.

One user accused this forum of "hiding things", for unknown motivation. If we charged for support, then maybe there is a motivation to keep one's "trade secrets". But I've spent a great deal of time trying to unlock those "secrets", which in the long run brings more safety to more people, and, selfishly, less work for us. :D

.. and been thanked for it many times, as this user kindly wrote:
Incidentally, your documentation is nicely written, unlike what I have often encountered on too many occassions elsewhere. I appreciate your having taken the time to do so, as it makes it much easier to understand obviously, and it is more efficient.
NoScript Quick Start Guide
Site-Specific-Permission Questions? PLEASE READ THIS FIRST!
Why must I "Temporarily allow all this page" REPEATEDLY?
SOME SITES YOU MIGHT NOT WANT TO ALLOW
List of scripts for which NS runs surrogate

All of these were posted in our private forum for discussion before being approved and posted publicly. I don't remember you objecting to any; on the contrary, I remember mostly support. (Won't bother to search through the discussions, unless you want me to.)

Should someone who does not know the mechanics of an internal-combustion engine, or of hydraulic dual-caliper disk brakes, not be allowed to drive a car?
No, the manufacturers label things in a manner that is easily understood.

"Gas pedal" or "throttle" instead of "Pedal to increase the amount of fuel-air mixture per cylinder, while simultaneously advancing ignition spark timing."
Should I do "Brake pedal", "Steering Wheel", and "Transmission" or "Shift Lever"? ;)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Making sure I understand...

Post by GµårÐïåñ »

I'll simply answer all of it by saying, when you try to use a more "common" term if you will, you are introducing ambiguity and causing it to mean more than one thing and that has a far more reaching severe effect in the long term than just taking time to get it right. I pose the following as an example, without looking it up, ask someone to explain positive reinforcement and negative reinforcement, and I will bet you a case of beer that 99% of people will define and describe it incorrectly due to the ambiguity in the naming convention used. You read it then, and find out, crap, it was nearly the opposite. This is why when you say PC everyone thinks, oh windows machine, no, its not. Its a personal computer which can be linux, mac, or windows. I can go on but as is obvious, there is a bit of a professional and experience bias involved here where I have seen how not properly distinguishing terms have led much of the industry, even among professionals, to hear something and think it means something else due to the ambiguity that was introduced to make it more "friendly" early on and it came back to bite the industry in the arse. So now you say something that should be obvious, there is a slew of questions that follow, you mean this or this? How is that more beneficial? How is that helpful that if someone reading a manual, won't be sure what you mean and which you mean? I'll leave it at that, its my two cents, consensus is neither necessary nor will it change the facts. To each their own on this and dissent is welcome, but so is hopefully learning to acknowledge the value of it later on.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Making sure I understand...

Post by GµårÐïåñ »

Thrawn wrote:With all due respect to Guardian's expertise, I disagree: I think that Site in this context does mean a resource or set of resources. The ABE rules define Site syntax as:

Code: Select all

Site <resource>
Where
A <resource> is typically an URI pattern (literal, glob or regexp) designing a request destination (site)...
So in ABE syntax, Site = resource.
You are right to a point. A site is a site, its an object. Now that object can come from various places, those places are resources. Like you can get a tie from your dad or brother, or uncle, but the tie is still a tie, the person your got it from is your resource. The tie doesn't become a shoe or a shirt if you got it from your dad, versus your brother versus your uncle, does it?

bob.com is your uncle, senior.com is your dad, brother.com is your brother, they are difference sources, but they are all still SITE, so being different in value, makes them different resources, but doesn't change them from being a SITE none the less.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
Post Reply