Do these ABE rules increase security?

yes_noscript

Do these ABE rules increase security?

Post by yes_noscript » Fri Jul 10, 2015 4:44 pm

[ split from https://forums.informaction.com/viewtopic.php?f=10&t=20993 - barbaz ]

I'm an ABE noob, so I ask myself: do the ABE rules posted above increase security?
I actually use this (found on the forum):
systemrules:
# maximum security 2/2
Site *
Accept from SELF++
Sandbox

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny


userrules:
# prevent CSRF
Site *mybanksite*
Accept from SELF
Deny

# prevent insecure resources
Site ^http://.*
Deny from *mybanksite*

# maximum security 1/2
Site *
Accept from SELF++
Anon

# against router NAT pinning
Site ^https?://[^/]+:[0-35-7]
Deny

# Allow all Google recaptcha and Maps, but sandbox all www.google.com.*
Site ^https?://www\.google\.com/recaptcha/*
Accept
Site ^https?://www\.google\.com/*
Sandbox

Site .youtube.com .ytimg.com .googlevideo.com
Anonymize
Last edited by barbaz on Fri Jul 10, 2015 6:57 pm, edited 3 times in total.
Reason: un-linkify an accidentally posted live link to I don't know what; split to new topic

barbaz

Re: ABE should be able to compare against parent (bug? RFE?)

Post by barbaz » Fri Jul 10, 2015 6:30 pm

@yes_noscript: Please use code tags instead of quote tags in the future for posting things like that, because the board will linkify things incorrectly otherwise and it's easier to read as code tags (which use monospace font) in these cases anyway (especially if there's a lot of code, where it'd be a big wall of text otherwise).
Also, your post is off-topic so I'm splitting it to its own thread.

Anyway, my comments on your ABE rules with regard to security. The rules I didn't comment on, I think will help your security somehow.

Your "maximum security" rules are just going to break everything that requires any kind of 3rd-party script (or even 3rd-party redirection), and you will probably find yourself editing that all the time to add exceptions. But hey, to each their own - if you want to do that, by all means go for it. ;)
(I don't think they'll add anything to security over NoScript's script blocking.)

Code:

# prevent CSRF
Site *mybanksite*
Accept from SELF
Deny

# prevent insecure resources
Site ^http://.*
Deny from *mybanksite*

Your bank site doesn't have multiple subdomains that are sensitive that need to talk to each other?
I would have thought that you would need SELF++ and maybe another associated site, but if this really works for you, then you can congratulate your bank site's webmasters for good site design.

Code:

# Allow all Google recaptcha and Maps, but sandbox all www.google.com.*
Site ^https?://www\.google\.com/recaptcha/*
Accept
Site ^https?://www\.google\.com/*
Sandbox

Site .youtube.com .ytimg.com .googlevideo.com
Anonymize

Barring Google getting hacked, these do absolutely nothing for security, however they can help protect your privacy.
If Google gets hacked only the first will help you (and only maybe at that, depending on the hack).
*Always* check the changelogs BEFORE updating that important software!
-

yes_noscript

Re: Do these ABE rules increase security?

Post by yes_noscript » Fri Jul 10, 2015 10:46 pm

Thanks for your post!

Okay, I remove the "maximum security" rules. Yes, a lot of websites didn't work then so good :mrgreen:

My bank site works perfectly with those rules. Would "Self++" increase the security more than "Self"?

Okay with Google rules. I only use YouTube and many sites use captchas, also I like privacy.

barbaz

Re: Do these ABE rules increase security?

Post by barbaz » Sat Jul 11, 2015 12:39 am

yes_noscript wrote: My bank site works perfectly with those rules. Would "Self++" increase the security more than "Self"?

No, that would decrease security (but I don't know if it'd make much of a difference in practice), so since your bank site works with your rules as is, leave it as SELF.
*Always* check the changelogs BEFORE updating that important software!
-
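Added example, not part of the thread and not NoScript's code: a small Python model of the bank rule from the first post, evaluated once with `Accept from SELF` and once with `Accept from SELF++`, to show which origins each variant lets through. Assumptions: SELF is modelled as an exact scheme/host/port match, SELF++ as "same base domain", predicates are tried in order with the first match winning, and every host name is a constructed placeholder.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

PORTS = {"http": 80, "https": 443}

def origin(url):
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or PORTS.get(u.scheme))

def base_domain(url):
    # Simplification: last two labels; real code needs the Public Suffix List.
    return ".".join(urlsplit(url).hostname.split(".")[-2:])

def from_matches(keyword, src, dst):
    if keyword is None:        # predicate without "from" matches any origin
        return True
    if keyword == "SELF":      # assumed: exact scheme, host and port
        return origin(src) == origin(dst)
    if keyword == "SELF++":    # assumed: same base domain
        return base_domain(src) == base_domain(dst)
    raise ValueError(keyword)

def decide(rule, src, dst):
    """Return the action of the first matching predicate, or NO_RULE."""
    site_glob, predicates = rule
    if not fnmatch(urlsplit(dst).hostname, site_glob):
        return "NO_RULE"       # the rule does not cover this destination
    for action, keyword in predicates:
        if from_matches(keyword, src, dst):
            return action
    return "NO_RULE"

def bank_rule(keyword):
    # Site *mybanksite* / Accept from <keyword> / Deny
    return ("*mybanksite*", [("Accept", keyword), ("Deny", None)])

BANK = "https://online.mybanksite.example/transfer"   # constructed
SOURCES = {                                           # constructed origins
    "same origin": "https://online.mybanksite.example/account",
    "sibling subdomain": "https://forum.mybanksite.example/thread",
    "unrelated site": "https://other.example/page",
}

def compare():
    """Map each origin to its (SELF, SELF++) decision."""
    return {name: (decide(bank_rule("SELF"), src, BANK),
                   decide(bank_rule("SELF++"), src, BANK))
            for name, src in SOURCES.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:18} SELF={result[0]:7} SELF++={result[1]}")
```

The only row that differs is the sibling subdomain: under SELF++ any other host on the bank's base domain may send requests to the sensitive host, so a weakness on a less protected subdomain widens what the rule accepts.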

yes_noscript

Re: Do these ABE rules increase security?

Post by yes_noscript » Sun Jul 12, 2015 9:11 am

Okay. Good to know.

So let's get back to my first question :D
Do the scripts from RobertDrew increase the security or will they break a lot of sites, like the "maximum security" rules?

barbaz

Re: Do these ABE rules increase security?

Post by barbaz » Sun Jul 12, 2015 2:27 pm

yes_noscript wrote: So let's get back to my first question :D
Do the scripts from RobertDrew increase the security or will they break a lot of sites, like the "maximum security" rules?

Oh, sorry for misunderstanding

They are not intended as actual rules (and won't work in ABE atm because the 'parent' keyword doesn't exist), just examples so that we could see how the syntax he/she is proposing would look. However, if that syntax gets implemented, those rules would increase security when you are logged in to a sensitive service; otherwise, it's not likely to matter.
*Always* check the changelogs BEFORE updating that important software!
-
