NoScript Sightings
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: NoScript Sightings
Joanna Rutkowska of Blue Pill virtualization rootkit fame uses NoScript for e-shopping
The full article is being commented on Slashdot right now.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
-
- Senior Member
- Posts: 240
- Joined: Fri Jul 03, 2009 7:20 am
Re: NoScript Sightings
All the uber-geeks agree; NS? never leave home without it :-)
Seriously prominent endorsement there. Kudos, Giorgio.
For what it's worth (not much, I know eh eh), I believe I've evolved a roughly similar approach as the 3 virtual machines of the elite geek there - only with 2 host systems and one live disk for the (red) ordinary browsing/novice visitor access online. There is simply no way that I would ever store anything important on this Win host, and no way that I would ever use it for any ecommerce or egovernment transactions because of the finite possibility of some kind of kernel nasty not being as quickly discovered, or (more importantly) as transparently revealed to the general community by MS. Linux on the other hand has a much more consistent track record of transparency and quick reaction to kernel mess.
The only thing that has kept me happy enough to continue to do serious business online is not trust in software or hardware - but trust in a couple of individuals: yourself and Linus Torvalds.
And I don't know about anybody else, but I find slashdot comments format a real pain to follow.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Re: NoScript Sightings
http://news.zdnet.com/2100-9595_22-323572.html
Big NoScript plug.
I hope Google Chrome adds its extension mechanism soon and that NoScript can be offered there too!
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
- Giorgio Maone
Re: NoScript Sightings
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Re: NoScript Sightings
http://www.computerworld.com.au/article ... _ask_money
> One noted* add-on maker applauded the optional request for money. "Mozilla is giving developers a way to better communicate with their users about the costs of maintaining the code, about their future goals and about the ways to contribute (financially, too) for people who find the development roadmap interesting," said Giorgio Maone, the creator of the popular NoScript extension. Maone has long solicited donations for NoScript on his own Web site.
*my emphasis
The best thing is that they're trying to...
But Paypal only?
> Developers can use PayPal's micropayment fee offering to reduce the transaction fees for contributions under $12. "After looking at our requirements for trust, security, international currencies, and ease of integration, PayPal was the [best] partner that met our needs for this pilot," said Nguyen.
One more big boost for Ppal's cornering the web payment market there Mozilla. Will you scream when Ppl starts squeezing the pips once its monopoly is secured with those loss-leading discount setups?
Ho hum. Maybe Open Source and WOT will have matured enough by then for a truly trust-based money token system to have evolved also :-)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Re: NoScript Sightings
Grumpy Old Lady wrote:
> ...
> One more big boost for Ppal's cornering the web payment market there Mozilla. Will you scream when Ppl starts squeezing the pips once its monopoly is secured with those loss-leading discount setups?...
There's a sticky thread right below this one that tells how those with a US bank account can bypass the PayPig. Perhaps it might be possible for Giorgio to find trusted users in the UK, Asia, and Australia who could do him the same service.
He might also wish to consider opening and publishing a separate bank account of his own for euro-based customers to donate to.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Re: NoScript Sightings
XMLHTTPReqest “Ping” Sweeping in Firefox 3.5+ by renowned hacker RSnake (Robert Hansen) excerpt, with a nice plug, not only for NS but specifically for ABE.
RSnake wrote:
> Jeremiah brought my attention to the new Firefox 3.5+ CORS (Cross-Origin Resource Sharing) which is a way to do a cross domain XMLHTTPReqest. ... <snip> ... and as a result you can enumerate a substantial amount of internal address space behind the victim’s firewall and relatively quickly. I created a demo here (works only in Firefox 3.5+ and you must enable JavaScript globally for this to work). It won’t work if you just whitelist ha.ckers.org you have to globally allow JavaScript if you use Noscript for the demo to work - and you must disable ABE in Noscript as well.
Is this the first ABE sighting, at least among the world-class hacker community (excluding Giorgio himself and his good friend Sirdarckcat, of course)?
Continued:
> I should note that there is a IE8.0 version of Firefox’s XMLHTTPRequest called XDomainRequest, but I didn’t have much time this weekend to try to get it working in both browsers so I have no idea if it has the same issue or not.
Whereupon a commenter produced a POC for IE8.
Conclusion: (RSnake)
> Incidentally, Jeremiah and I both gave the thumbs up to the idea of a cross domain XHR several years ago when the Mozilla team first asked us about the concept. Because there are so many other things wrong with the browser Jeremiah and I told them that it wouldn’t change much - the browser is already so broken from a security perspective that it really didn’t matter - a sad commentary thinking back. Of course, it really is all about the implementation.
The last sentence says it all, certainly, but is he referring only to F3.5+, F3+, or all Fx about "being so broken from a security perspective"?
It doesn't sound like this "feature" was such a good thing to introduce, in the long run.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
- Giorgio Maone
Re: NoScript Sightings
Tom T. wrote:
> The last sentence says it all, certainly, but is he referring only to F3.5+, F3+, or all Fx about "being so broken from a security perspective"?
He means "the browser", as in "the browser concept" or "every web browser, no matter the vendor" (without NoScript, that is)
Tom T. wrote:
> It doesn't sound like this "feature" was such a good thing to introduce, in the long run.
In fact, you can still disable it by setting the noscript.forbidXHR about:config preference to 2.
http://noscript.net/changelog#1.4.9.4
v 1.4.9.4
=====================================================================
+ Added client-side policy control for new Firefox 3 cross-site XHR,
configurable via noscript.forbidXHR about:config preference:
0 - Allow any XHR
1 - Allow cross-site XHR across trusted sites only (default)
2 - Allow same-site XHR only (like Firefox 2)
3 - Forbid all XHR
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
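The four noscript.forbidXHR levels from the changelog entry above, as an added example that is not NoScript's code and not part of the original posts: a simplified model of the decision each level makes. It assumes a "site" is scheme + host + port and that the trusted list is a plain set of such sites; `xhrAllowed`, `allowedTargets` and the sample URLs are constructed for illustration.

```javascript
"use strict";

// Levels as listed in the NoScript 1.4.9.4 changelog entry quoted above.
const FORBID_XHR = Object.freeze({
  ALLOW_ANY: 0,           // allow any XHR
  TRUSTED_CROSS_SITE: 1,  // cross-site XHR across trusted sites only (default)
  SAME_SITE_ONLY: 2,      // same-site XHR only (like Firefox 2)
  FORBID_ALL: 3,          // forbid all XHR
});

// Assumption: a "site" is modelled as scheme + host + port (URL.origin).
function siteOf(url) {
  const origin = new URL(url).origin;
  if (origin === "null") throw new TypeError("URL has no site: " + url);
  return origin;
}

// Hypothetical decision function: may a page at pageUrl send an XHR to targetUrl?
// trustedSites is a Set of sites standing in for the user's whitelist.
function xhrAllowed(level, pageUrl, targetUrl, trustedSites) {
  const from = siteOf(pageUrl);
  const to = siteOf(new URL(targetUrl, pageUrl).href); // resolves relative URLs
  const sameSite = from === to;
  switch (level) {
    case FORBID_XHR.ALLOW_ANY:
      return true;
    case FORBID_XHR.TRUSTED_CROSS_SITE:
      return sameSite || (trustedSites.has(from) && trustedSites.has(to));
    case FORBID_XHR.SAME_SITE_ONLY:
      return sameSite;
    case FORBID_XHR.FORBID_ALL:
      return false;
    default:
      throw new RangeError("unknown forbidXHR level: " + level);
  }
}

// Which of a page's requested targets get through at a given level.
function allowedTargets(level, pageUrl, targets, trustedSites) {
  return targets.filter((t) => xhrAllowed(level, pageUrl, t, trustedSites));
}

// Constructed sample: a public page asking for its own API and two LAN hosts.
const PAGE = "http://shop.example/cart";
const TARGETS = ["/api/items", "http://192.168.1.1/", "http://192.168.1.20/"];
const TRUSTED = new Set(["http://shop.example", "http://192.168.1.1"]);

for (const level of [0, 1, 2, 3]) {
  console.log(level, allowedTargets(level, PAGE, TARGETS, TRUSTED));
}
```

In this model, level 1 still lets the page reach a LAN host once both ends are on the trusted list, while level 2 leaves only the page's own same-site request.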
Re: NoScript Sightings
Giorgio Maone wrote:
> In fact, you can still disable it by setting the noscript.forbidXHR about:config preference to 2.
> http://noscript.net/changelog#1.4.9.4
> v 1.4.9.4
> =====================================================================
> + Added client-side policy control for new Firefox 3 cross-site XHR,
> configurable via noscript.forbidXHR about:config preference:
> 0 - Allow any XHR
> 1 - Allow cross-site XHR across trusted sites only (default)
> 2 - Allow same-site XHR only (like Firefox 2)
> 3 - Forbid all XHR
Done on this portable test version, thanks.
Curious: On my F2.20, the default is "1". So on F2, 1= same site only?
And from RSnake's article, I got the impression that only F3.5+ had this cross-domain capability anyway. Yet there is the same noscript.forbidXHR in F2 about:config. So is it only the CORS that he mentions that is new in 3.5+ that permits this attack, and it wouldn't work on earlier browsers despite their allowing cross-domain XHR?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at a professional level; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 testiing portable version
- Giorgio Maone
Re: NoScript Sightings
Tom T. wrote:
> Curious: On my F2.20, the default is "1". So on F2, 1= same site only?
Yes. Gecko 1.8.x has no cross-site XMLHttpRequest for content.
Tom T. wrote:
> And from RSnake's article, I got the impression that only F3.5+ had this cross-domain capability anyway.
It was introduced in a 3.0 beta, then removed for security concerns in 3.0 stable.
When I introduced the control feature in NoScript, I did it in response to the 3.0 beta change.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Re: NoScript Sightings
Tom T. wrote:
> Conclusion: (RSnake)
> > Incidentally, Jeremiah and I both gave the thumbs up to the idea of a cross domain XHR several years ago when the Mozilla team first asked us about the concept. Because there are so many other things wrong with the browser Jeremiah and I told them that it wouldn’t change much - the browser is already so broken from a security perspective that it really didn’t matter - a sad commentary thinking back. Of course, it really is all about the implementation.
> The last sentence says it all, certainly, but is he referring only to F3.5+, F3+, or all Fx about "being so broken from a security perspective"?
> It doesn't sound like this "feature" was such a good thing to introduce, in the long run.
I agree that this remark by RSnake is disturbing, indeed. And he's a guy who usually knows what he's talking about. Nevertheless, is this only a remark by a "rejected lover" or has FF really fallen behind other browsers security-wise? And are extensions like Noscript, Refcontrol, Requestpolicy etc. enough to fix these holes, or is a complete overhaul of FF necessary?
I'm a loyal Mozilla supporter, but if someone like RSnake is making such a comment I'm beginning to wonder ...
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090726 Ubuntu/9.04 (jaunty) Minefield/3.6a1pre AutoPager/0.5.2.2 (http://www.teesoft.info/)
Re: NoScript Sightings
tlu wrote:
> I agree that this remark by RSnake is disturbing, indeed. And he's a guy who usually knows what he's talking about. Nevertheless, is this only a remark by a "rejected lover" or has FF really fallen behind other browsers security-wise? And are extensions like Noscript, Refcontrol, Requestpolicy etc. enough to fix these holes, or is a complete overhaul of FF necessary?
> I'm a loyal Mozilla supporter, but if someone like RSnake is making such a comment I'm beginning to wonder ...
RSnake is a loyal user of NoScript, and has said so many times -- hardly a rejected lover. Giorgio and RSnake communicate with each other, to mutual benefit. Notice that he almost assumes that the user is using NoScript if you read the actual article. And that even if you allowed scripting globally, his attack would still be defeated by ABE.
So, on the contrary, I think this is a stunning endorsement from a widely-respected security expert that NS is an absolute necessity. It keeps FX *ahead* of the other browsers. With your other addons, and perhaps SafeCache and SafeHistory, you've got the safest browser on the planet, something that IE couldn't come close to. Note I linked a POC for IE -- which has no NS-like defense against this attack.
Also, please re-read Giorgio's comments to my question:
Tom T. wrote:
> The last sentence says it all, certainly, but is he referring only to F3.5+, F3+, or all Fx about "being so broken from a security perspective"?
Giorgio replied,
> He means "the browser", as in "the browser concept" or "every web browser, no matter the vendor" (without NoScript, that is)
Truer words were never spoken. *Nothing in life* is 100%, but with NoScript and the other addons you mentioned, plus perhaps ad-blocking sw, and good AV, you've got what is undoubtedly the safest browser publicly available. IE has no defense, AFAIK, to RS's POC. It's a ringing endorsement of NS and ABE by RSnake -- his attack fails if they're present, and succeeds in their absence. You can't get a better endorsement than that.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Re: NoScript Sightings
Tom T. wrote:
> RSnake is a loyal user of NoScript, and has said so many times -- hardly a rejected lover.
Tom, I know that. I wasn't referring to RSnake's opinion about NS but rather about the security concept of FF in general.
> Giorgio and RSnake communicate with each other, to mutual benefit.. Notice that he almost assumes that the user is using NoScript if you read the actual article. And that even if you allowed scripting globally, his attack would still be defeated by ABE.
True. But again: If he says that "the browser is already so broken from a security perspective that it really didn’t matter" this suggests that he regards the security concept of FF as fundamentally broken (and not only with regards to the XHR issue). And while I whole-heartedly agree that NS is an absolute must, I also think that the browser itself should be as safe as possible without the need to add various extensions to fix its flaws.
But I guess we're getting OT here. This is more a topic for a thread at Mozillazine.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090726 Ubuntu/9.04 (jaunty) Minefield/3.6a1pre AutoPager/0.5.2.2 (http://www.teesoft.info/)
- Giorgio Maone
Re: NoScript Sightings
tlu wrote:
> this suggests that he regards the security concept of FF as fundamentally broken.
Nope, he's not singling out Firefox at all, and BTW there's nothing like a "security concept of Firefox".
What he's trying to say is that the web (and the browsers, all the browsers none excluded by reflex) is fundamentally broken from a security standpoint.
Firefox, at least, provides some work-around for this breakage (e.g. NoScript) and is trying to build a slightly less broken web through experimental proposals like CSP.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Re: NoScript Sightings
Giorgio Maone wrote:
> tlu wrote:
> > this suggests that he regards the security concept of FF as fundamentally broken.
> Nope, he's not singling out Firefox at all,
Hm, he specifically mentioned the Mozilla Team so I guess with "browser" one sentence later he was certainly not talking about IE ...
> What he's trying to say is that the web (and the browsers, all the browsers none excluded by reflex) is fundamentally broken from a security standpoint.
> Firefox, at least, provides some work-around for this breakage (e.g. NoScript) and is trying to build a slightly less broken web through experimental proposals like CSP.
Agreed. But let's face it: We - the NS users - are only a small minority. Most FF users don't know anything about NS. The question remains why its security features have not been implemented in the browser itself. That's good for you, of course, but not for the bog standard user. Perhaps this is what RSnake was referring to.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090726 Ubuntu/9.04 (jaunty) Minefield/3.6a1pre AutoPager/0.5.2.2 (http://www.teesoft.info/)