Tell me what you think about "sandbox" solutions

General discussion about web technology.
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Tell me what you think about "sandbox" solutions

Post by Tom T. »

therube wrote:This site & some sites intend on being benign. But that does not make them so.
Alan Baxter wrote:Are you saying this site has a known vulnerability?
@ therube, thanks for the support, friend.
@ Alan Baxter, it's the "unknown" vulnerabilities that scare me: the ones that haven't been discovered yet, but might be tomorrow or next month or year... Which all of them are. I mean, every vuln is unknown until someone discovers it.
NS has an amazing record of having features that have blocked some attacks that didn't exist at the time the feature was added. But we can't rely on that always to happen.
And as you and I discussed, one of these days, Giorgio's good friends Sirdarckat or RSnake are going to find a way to hack him for the fun of it. I guess you are also deliberately ignoring my previous post that I do usually allow scripting here, except when reading your pm's. :D :D :D
GµårÐïåñ wrote:I am going to re-read Giorgio's post, re-read my own stuff and your stuff and compose my thoughts offline until it makes sense to me and then post it, how is that ?
You have far more important things to do than to explain to me how a bank was hacked by an email. I enjoy learning these things, but I don't work for a bank or IT or security, so it's not important that I understand the mechanics of it. Many thanks for your constant willingness to educate me, my good friend, but save your time and energy for your killer month. if I get curious enough, I'll research it on my own. Thanks again.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Tell me what you think about "sandbox" solutions

Post by GµårÐïåñ »

Tom T. wrote:You have far more important things to do than to explain to me how a bank was hacked by an email. I enjoy learning these things, but I don't work for a bank or IT or security, so it's not important that I understand the mechanics of it. Many thanks for your constant willingness to educate me, my good friend, but save your time and energy for your killer month. if I get curious enough, I'll research it on my own. Thanks again.
Sounds good and thanks for understanding but I usually try to finish what I start and will try put a bit more effort into clearing it up if I can. :mrgreen:
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Tell me what you think about "sandbox" solutions

Post by Alan Baxter »

Tom T. wrote: I guess you are also deliberately ignoring my previous post that I do usually allow scripting here, except when reading your pm's. :D :D :D
Yup. I read it but couldn't think of a witty comeback. Night, night.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Tell me what you think about "sandbox" solutions

Post by therube »

Alan Baxter wrote:
therube wrote:This site & some sites intend on being benign.
But that does not make them so.

Mozillazine had (has?) an exploit against it.
There is nothing to say that this site does not, or may not in the future.

So blankly accepting some site IMO is wrong.
Are you saying this site has a known vulnerability?

Same with the MozillaZine forums. If its current implementation of phpBB has a known exploit, please let the rest of us know exactly what it is, so we can take appropriate precautions.
No I am not say this site has any vulnerabilities.

Just saying that IMO to accept ANY site is the wrong way to go about it. Cause what was not exploited yesterday, may be exploited today.

Mozillazine. There was something (that I don't recall what it was any longer) that either Giorgio advised of of (some time ago) or came to light in one of its' threads, or via one of those hacking boards? Whatever it was, perhaps was no grave issue, but there was an issue. Perhaps Giorgio remembers & may know if it still exists.
I was asserting the obvious fact that they are intentionally and in good faith choosing to be as to not harm their users.
Understood. And in that regard, you can add this site & mozillazine to a list of "good faith" sites.

But again, IMO, just because they go about things in good faith, does not mean that they won't fall victim to an exploit that will affect their visitors.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22pre) Gecko/20090327 SeaMonkey/1.1.16pre
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Tell me what you think about "sandbox" solutions

Post by Alan Baxter »

@therube
Thank you for your clarification. What I do, and recommend to others, is Allow JavaScript only on sites you trust to have benign intentions, and then only when necessary. Short of not ever allowing JavaScript on any site at all, can you recommend a safer approach? I really want to know if you and I approaching this differently, and if so, what might be a safer way.

The question remains: "Do I Allow forums.informaction.com or not?" If I recall correctly, there are some features in this version of phpBB which require JavaScript. I don't recall what they are, but I remember Allowing JavaScript in a forum with a similar implementation because something worked better that way. I don't want to have to rediscover it here. I think this site has benign intentions.

I usually use "Temporarily Allow" when I do need to Allow a site, but only to prevent creating a huge whitelist of sites I rarely visit. "Temporarily Allow" doesn't protect me if a site has been hacked.
therube wrote:No I am not say this site has any vulnerabilities.

Just saying that IMO to accept ANY site is the wrong way to go about it. Cause what was not exploited yesterday, may be exploited today.
I agree. But this isn't ANY site. forums.informaction.com is a site with benign intentions which has features that require JavaScript. Should I Allow it or not? I'm not asking you to assure me it hasn't been hacked.
Mozillazine. There was something (that I don't recall what it was any longer) that either Giorgio advised of of (some time ago) or came to light in one of its' threads, or via one of those hacking boards? Whatever it was, perhaps was no grave issue, but there was an issue. Perhaps Giorgio remembers & may know if it still exists.
I think that was the old implementation that allowed users to mark up their posts with html.
therube wrote:
Somebody, I don't know who, wrote:I was asserting the obvious fact that they are intentionally and in good faith choosing to be as to not harm their users.
Understood. And in that regard, you can add this site & mozillazine to a list of "good faith" sites.

But again, IMO, just because they go about things in good faith, does not mean that they won't fall victim to an exploit that will affect their visitors.
Yeah, I know. Good catch on that energy company's web site you mentioned elsewhere.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Tell me what you think about "sandbox" solutions

Post by GµårÐïåñ »

therube wrote:But again, IMO, just because they go about things in good faith, does not mean that they won't fall victim to an exploit that will affect their visitors.
Absolutely agreed, I never suggest laying down due diligence. ;)
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Tell me what you think about "sandbox" solutions

Post by therube »

Other then the defaults, I generally never allow ANY sites except on a Temporary (Allow) basis.

I never Temporary Allow any sites unless there is functionality that I require that I cannot get otherwise.

I always approach a site Not Allowed. If something does not work, I'll TA. If still not working as expected, I'll explore the other domains & make a best guess.

Well, forums.informaction.com needs JavaScript for the Smilies to work. So unless you know the code (& I sure which the code was visible on a mouseover) then you need to enable JavaScript for that. Other then that, that is the only thing off the top of my head that requires JavaScript.

So now you know my answer. I keep it disabled here. If I want a smilie, I'll TA.

And I don't really do this for "security" reasons (at least here) but more that if it does not provide an enhancement by having it enabled, then why enable it. Secondary (here at least) would be "security" concerns.

Now on unknown sites, which are blocked in any case & by default, I look at it that since JavaScript is disabled, & since JavaScript is one of the more common ways in which various exploits work, then so much the better for me. (Ask an IE user how he "disables" JavaScript & then Temporarily Allows it for an individual domain, LOL.)

Then comes the convenience factor.

If there were sites that required JavaScript & if I were visiting them regularly enough that it got old to TA them each time, I would whitelist them & be done with it.

Bank of America, I do Not allow. I go there fairly regularly. Some aspects of the site work without JavaScript. Some work better without JavaScript. Some do not work without JavaScript. So for the parts that do not need it & for the parts that work better without it, I keep it blocked. Then when I go to a part that requires it (Online Bill Pay), I then enable it, but not before. I also like to keep my BoA windows open, & with JavaScript enabled, they will timeout, "closing" to the BoA main page. But I can go in as normal, get an overview of my accounts, view individual accounts, then open a window for Bill Pay. I'll get a JavaScript warning there, so I TA, do my bill pay stuff, opening a few windows there, & once I've complete my transactions, I'll block BoA again, leaving all windows open. Therefore my data is still viewable, & no timeouts. Works for me, & works better, more convenient that if I had BoA defaulted whitelisted.

There is no right or wrong. There is what works for me & separately what works for you. And yes, sometimes I'll get frustrated trying to figure out why a site does not work. Is it because of some domain I didn't allow or because I blocked IFRAME or ... Just all part of the process.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22pre) Gecko/20090327 SeaMonkey/1.1.16pre
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Tell me what you think about "sandbox" solutions

Post by GµårÐïåñ »

Good points, I personally don't use JavaScript unless absolutely needed and even then usually on a temporary basis and immediately revoked when done. Just to make a point that I have nothing against anyone or anything, even on MY OWN sites that operate on a strict principle of do no harm and are "most" often self developed and not third-party solutions, I will not enable JavaScript for regular interaction unless I am testing a function or developing for it. So what does that say about trust no one or nothing :D Even between me, myself and I, there is nothing that says a vulnerability cannot occurs when writing code, it happens. Its the nature of the beast. But that being said, someone who knows me and trusts me will know that if they enable JS on my site, barring any act of evil to circumvent my sites' security, they are safe there and have nothing to worry about.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Tell me what you think about "sandbox" solutions

Post by Tom T. »

I share therube's philosophy (if not his level of knowledge) 100%. (No smiley alt text on mouseover for me. Have to r-click > Properties to find them.)

But to get back to the original name of this thread, what is the harm in running the browser sandboxed, so that IF you wish to allow or TA, and IF the site has been hacked, you are not among the pwned?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Tell me what you think about "sandbox" solutions

Post by GµårÐïåñ »

Tom T. wrote:I share therube's philosophy (if not his level of knowledge) 100%. (No smiley alt text on mouseover for me. Have to r-click > Properties to find them.)

But to get back to the original name of this thread, what is the harm in running the browser sandboxed, so that IF you wish to allow or TA, and IF the site has been hacked, you are not among the pwned?
Good point, there is always that.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
User avatar
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Tell me what you think about "sandbox" solutions

Post by therube »

There is nothing wrong with sandboxing.

But, that will not help you with Phishing, password stealing type attacks. If you give up the information in a sandbox it is no different then giving it up outside of the sandbox.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090327 Firefox/2.0 SeaMonkey/2.0b1pre
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Tell me what you think about "sandbox" solutions

Post by GµårÐïåñ »

therube wrote:There is nothing wrong with sandboxing.

But, that will not help you with Phishing, password stealing type attacks. If you give up the information in a sandbox it is no different then giving it up outside of the sandbox.
Agreed, but I think Tom and in general everyone concedes to that by now. :P
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 FirePHP/0.2.4
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Tell me what you think about "sandbox" solutions

Post by Tom T. »

therube wrote:There is nothing wrong with sandboxing.But, that will not help you with Phishing, password stealing type attacks. If you give up the information in a sandbox it is no different then giving it up outside of the sandbox.
Agreed. Avoiding phishing is mostly user common sense. I was just trying to get back to the original topic, i. e. "Tell me what you think about "sandbox" solutions". Cheers!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Tell me what you think about "sandbox" solutions

Post by Alan Baxter »

Thank you for the detailed response, therube.
Tom T. wrote:Avoiding phishing is mostly user common sense.
If common sense was a sufficient defense, then phishing wouldn't work. Don't underestimate the power of social engineering. It would be hubristic for one to think they're too smart to get caught by a phish. I almost fell for an ebay one myself.
I was just trying to get back to the original topic, i. e. "Tell me what you think about "sandbox" solutions". Cheers!
Glad you mentioned this. After I posted it, I started thinking the following question I asked might have been getting off topic:
The question remains: "Do I Allow forums.informaction.com or not?"
Then I realized it wasn't off topic at all. Sandboxing makes the answer: "Sure, go ahead. You're protected."
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Tell me what you think about "sandbox" solutions

Post by GµårÐïåñ »

I find everyone's contributions and perspective valuable and I do not mind any subject brought up and feel free to get as far off topic or stay as on topic as you wish. You never know when going "off topic" might bring you in new territory to consider. Sometimes getting lost is the best way to find something new. I enjoy the power of combined knowledge and value it greatly, any and all contributions I receive. I want to thank you all for even spending your valuable time answering my question and I always look forward to it.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 FirePHP/0.2.4
Post Reply