
Re: Edit blacklist?

Posted: Sat Oct 22, 2011 7:48 pm
by Giorgio Maone
dhouwn wrote:
iDrugoy wrote:it becomes so only in case you are made to execute some code on that page manually.
You mean if you click on a let's say tinyurl link manually? ;-)
You don't need to click anything.
There are several ways to trigger automatic navigation from any web page, and they don't even involve Javascript (e.g. iframes, regular frames, meta refreshes and so on).
Especially with (invisible) frames and iframes you wouldn't even notice the XSS attack happening.

Anyway, regarding the OP, I surely won't add anything like that to NoScript 2 while there's so much changing (and so much work to be done) in NoScript 3 regarding permission management.

Regarding about:permissions, the internal Firefox sqlite-based permissions backend (which about:permissions relies upon) is absolutely inadequate to support NoScript for performance reasons (been there, tested that before starting the NSA project), so if I ever decide to integrate NoScript with about:permission the work involved is gonna be far from trivial.

Re: Edit blacklist?

Posted: Sat Oct 22, 2011 9:24 pm
by iDrugoy
dhouwn wrote:You mean if you click on a let's say tinyurl link manually? ;-)
A new tab will open with a bad site. And what the threat is?
dhouwn wrote:There are certain schools of thought that would disagree, according to them programs should be simple (and somewhat atomic) but also extensible through other programs, ie. new features as separate programs esp. if the new features are not features everyone might use.
Above all there should be some kind of logic.
There are 2 lists that NS works with. One of them has an editor. But why only one?
Tom T. wrote:The saying about the hedgehog was crude, vulgar, and did sound aggressive and insulting.
I knew you got me wrong. It's a Russian analogue to a saying that you mentioned. I thought you might just find it interesting. I didn't mean to use it against you, as you are not threatening me.
Tom T. wrote:That is your opinion, and you're certainly entitled to it. But then why have you used it for so long? (rhetorical question - don't need to answer.)
Who said I used it? 1.5 years ago I installed it, I found that it is almost unusable for me and I did write feature requests / some small bug reports on this forum. Most of them got ignored. After a week of usage I did turn it off. Then 1.5 years have passed and someone asked a question about NS on my local forum and I decided to give it a new try. The things I requested looong time ago - are still undone. And I uninstalled NS. During this conversation I re-installed it, but it's probably temporary, since I really won't write my own rules for all the sites I visit. I could, but in my opinion that is just wrong.
I am now trying to evaluate some of NS' protections.
Tom T. wrote:Others reading your post may believe that they won't suffer much without NS, and that is why it is not a good deed and should be refuted - as dhouwn did with a single example.
Thank you for toning down the conversation.
You just dropped a word about XSS and figuratively linked to FAQ, where there is no good explanation of how it works. So all this threatening users seems like threatening people with zombies/witches/god/satan - none of this really exists. It's not god who makes it storm, it just sometimes happens in the environment. And praying to satan/witches/zombies/god won't save you from a storm, but weather forecasts may foresee it happening.
Giorgio Maone wrote:You don't need to click anything.
There are several ways to trigger automatic navigation from any web page, and they don't even involve Javascript (e.g. iframes, regular frames, meta refreshes and so on).
Especially with (invisible) frames and iframes you wouldn't even notice the XSS attack happening.
That is interesting info, but it is still generally unclear for me yet of how XSS work.
You mean that there is a situation possible when some GoodSite's page is XSS vulnerable and if you enter some code - it will be executed and you/GoodSite might actually send some of your private info to a 3rd party, by executing this code. Right?
How do iframes/frames/invisible frames make my browsing vulnerable?
If I surf a BadSite that pretends to be a GoodSite - I'll get to know by its address.
If a GoodSite was hacked and there is an iframe/frame - it's actually the problems of that site (by law), as the hack in that case may be more serious and some databases were already downloaded [or something like that], so no NS will protect your private info stored on that site.
Am I correct?
Giorgio Maone wrote:Anyway, regarding the OP, I surely won't add anything like that to NoScript 2 while there's so much changing (and so much work to be done) in NoScript 3 regarding permission management.
It's a pity.
I seriously don't understand why you don't want to let NS users actively use the subscriptions' system.
Giorgio Maone wrote:Regarding about:permissions, the internal Firefox sqlite-based permissions backend (which about:permissions relies upon) is absolutely inadequate to support NoScript for performance reasons (been there, tested that before starting the NSA project), so if I ever decide to integrate NoScript with about:permission the work involved is gonna be far from trivial.
I was not talking about storing such data in that particular sqlite file. I just meant that NS could (and IMHO it should) just use that page, as it is just targeted to be used for it.
I would also like to see there a per-site policy of sending referrers, but RefControl has been dead for long by now (its development stopped ~2 years ago).

Re: Edit blacklist?

Posted: Sat Oct 22, 2011 9:49 pm
by Giorgio Maone
iDrugoy wrote: That is interesting info, but it is still generally unclear for me yet of how XSS work.
You mean that there is a situation possible when some GoodSite's page is XSS vulnerable and if you enter some code - it will be executed and you/GoodSite might actually send some of your private info to a 3rd party, by executing this code. Right?
Almost. If GoodSite is vulnerable, all you need to do is browse BadSite (or even follow a real link to GoodSite which I crafted for you) and GoodSite can be forced to send me your personal information or otherwise let me impersonate you on the fly.
iDrugoy wrote: How do iframes/frames/invisible frames make my browsing vulnerable?
Because BadSite can open GoodSite and make it work on your behalf without you noticing.
E.g., if Paypal is vulnerable (and it's been multiple times in the past), my BadSite can open a checkout page inside an invisible frame and send myself $10.000 from your balance, impersonating your account.
It's easier if you're already logged in (it can be done in just one shot), but even if you aren't, the password manager can work against you (an XSS can read the auto-filled information and/or auto-submit the login form), or I can trick you with the perfect phishing site (i.e. the real site, complete with legitimate EV SSL green badge) and make you believe you're donating to the Red Cross.
iDrugoy wrote: If I surf a BadSite that pretends to be a GoodSite - I'll get to know by its address.
No you won't, because BadSite will redirect you to GoodSite, you'll see "goodsite.com" on the address bar, and all the regular SSL security info will be OK.
Except, my own bad scripts will be silently running against you inside GoodSite.
iDrugoy wrote: If a GoodSite was hacked and there is an iframe/frame - it's actually the problems of that site (by law), as the hack in that case may be more serious and some databases were already downloaded [or something like that], so no NS will protect your private info stored on that site.
That's an entirely different class of vulnerabilities, i.e. either a proper intrusion or a SQL injection which leads to persistent XSS.
Above we've talked about reflective XSS, which is much more elusive.
iDrugoy wrote: Am I correct?
No you aren't, but it's not your fault.
Even if it's not terribly complicated, it took several years for web professionals to wrap their heads around this matter, and most of them still screw up when it comes to protecting their applications.
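To make the distinction Giorgio draws concrete from the site operator's side, here is an added example (not code from the thread or from NoScript) in Node.js: the same search page rendered once with the query echoed raw, the way a reflected-XSS-vulnerable GoodSite does it, and once with HTML encoding applied, plus the response headers that stop GoodSite from being loaded inside BadSite's invisible frame at all. All names (escapeHtml, renderSearchPageVulnerable, renderSearchPageSafe, protectiveHeaders, containsInjectedTag) and the sample query are this example's own.

```javascript
// Added example, not from the NoScript forum or code base: reflected XSS
// output encoding and anti-framing headers on the server side.

// Map every HTML-significant character to its entity so user input stays
// inert as text content and inside double-quoted attribute values.
function escapeHtml(input) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Vulnerable form: the query-string value is echoed straight into the page,
// so markup carried in a crafted link to GoodSite becomes markup in its page.
function renderSearchPageVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened form: the same value is HTML-encoded before interpolation.
function renderSearchPageSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Headers a site operator sets so the page cannot be opened in another
// site's frame, independent of whether any page is XSS-vulnerable.
function protectiveHeaders() {
  return {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
  };
}

// Illustrative check only: does the rendered page contain any tag other
// than the template's own <h1>/</h1>?
function containsInjectedTag(html) {
  return /<(?!\/?h1\b)[a-zA-Z]/.test(html);
}

// Constructed sample input: the textbook probe string a tester would put
// in the query parameter.
const sampleQuery = "<script>alert(1)</script>";

function demo() {
  const vulnerable = renderSearchPageVulnerable(sampleQuery);
  const safe = renderSearchPageSafe(sampleQuery);
  return {
    vulnerableInjected: containsInjectedTag(vulnerable), // true
    safeInjected: containsInjectedTag(safe),             // false
    safeHtml: safe,
    headers: protectiveHeaders(),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The encoding step is what separates the "reflective XSS" Giorgio mentions from an intrusion: nothing on the server is compromised, the page simply hands attacker-chosen text to the browser as markup. `frame-ancestors 'none'` (with `X-Frame-Options` for older browsers) removes the invisible-frame delivery route; it does not remove the XSS itself, which only encoding does.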

Re: Edit blacklist?

Posted: Sat Oct 22, 2011 11:45 pm
by iDrugoy
Thx for making things more clear, Giorgio.
Giorgio Maone wrote:No you won't, because BadSite will redirect you to GoodSite, you'll see "goodsite.com" on the address bar, and all the regular SSL security info will be OK.
Except, my own bad scripts will be silently running against you inside GoodSite.
Wow, that is a real surprise for me. How can I have a GoodSite opened (and goodsite.url shown in the address bar)?
[and just to make sure: that is called CSRF (or XSRF) in the above case, right?]
It is hard to believe, so to make things clear I will ask the following:
Is it enough just to visit a BadSite, to be automatically redirected to a GoodSite + automatically execute some harmful code there?
Or are there some other requirements that need to be met for such a situation to happen? What are they?
Giorgio Maone wrote:No you aren't, but it's not your fault.
Even if it's not terribly complicated, it took several years for web professionals to wrap their heads around this matter, and most of them still screw up when it comes to protecting their applications.
I knew that it is quite a major problem and there are a lot of nuances, but I want to know at least the basics: under what circumstances may I be a victim of all those XSS/XSRF?

Re: Edit blacklist?

Posted: Sun Oct 23, 2011 12:32 am
by Giorgio Maone
iDrugoy wrote: Is it enough just to visit a BadSite, to be automatically redirected to a GoodSite + automatically execute some harmful code there?
Automatically and invisibly.
Yes, provided that GoodSite is vulnerable to XSS.
iDrugoy wrote: Or are there some other requirements that need to be met for such a situation to happen? What are they?
See above: the only requirement is GoodSite being vulnerable. Easier than you can imagine, just google for "XSS prevalence".

Re: Edit blacklist?

Posted: Sun Oct 23, 2011 6:18 am
by Tom T.
Now that there is greater understanding all around, may I try a suggestion to our new friend?
iDrugoy wrote:I won't manually create rules for every site I visit.
You don't need to, and I think that is part of the misunderstanding here.

NoScript, in its default setting, provides protection against XSS, Clickjack, and all scripts except those in the default whitelist. See FAQ 1.5. The default list enables use of the most common web services "right out of the box": GMail and other Google services; Microsoft webmail and services; Yahoo! mail service; PayPal; and YouTube. Everything else is blocked.

If you don't use any of the above, just delete them from Whitelist. For example, I use Yahoo, but not Gmail, MS, or PayPal, so I deleted those. Easy.

For all other sites, please review the NoScript Quick Start Guide. Once you allow the necessary and trusted scripts for, let's say, MyBank.com, then you never have to think about it again. Every visit to MyBank works (until they change it, grr), and any third-party scripts (ads, data-miners) stay blocked. Since allowing is a matter of one click (or two if you choose not to open NS menu on mouse hover), there really isn't any "rule writing" required, nor do you need to store them elsewhere.

"Untrusted" is not actually necessary. *All* scripts are untrusted by default. The purpose of marking privacyinvader.com as Untrusted is mere convenience: It will never again show in the menu of scripts offered, thereby not annoying you, and it shortens the menu of scripts, so you can focus on unfamiliar ones. And you can always remove it from Untrusted by pointing to Untrusted in the menu where this script appears, then temporarily or permanently allowing it. But the default zone (the entire universe that you haven't chosen to allow) is blocked exactly the same as the Untrusted list. Is this more clear?

There is a principle that dates back to the very early decades of computer science, called "The Principle Of Least Privilege". In short: if the site will work for you without a certain script, then don't allow the script. Even if it's harmless, you save a bit of bandwidth, resources, etc. But it's good practice. Allow the minimum necessary to make the site work -- and please remember, this is *one time only*. A few clicks. No rules to write.

As for what is a trusted site, please see FAQ 1.11.
Please note the experimental feature that many users like very much:
NoScript offers a "Site Info" page which can help you to assess the trustworthiness of the web sites shown in your NoScript menu. You can access this service by middle-clicking or shift-clicking the relevant menu item.
This offers you several sources where others report their experiences with web sites and their scripts.

Other ways to check sites for yourself are in my post here. And please let me know your opinion of it, as some version of it may be worth posting permanently as a guide.

I know that it sounds easier to let someone else make these decisions. But there really aren't very many. The list of advertisers at Yahoo that I linked there is an easy save to a text document. When you see one, mark it Untrusted. You'll never see it again. Unless you want to support goodsite.com with ad revenue, but not allow the ads at other sites. Then just leave it in the default-block zone -- that is, do nothing -- and temporarily allow it at goodsite.com only. Simple?

Incidentally, this is one (of many) reasons why subscriptions are not desirable. You might want to allow some advertisers at sites you would like to help support, whereas the subscription list is a one-size-fits-all (does that idiom translate well into Russian?) that would probably make them all Untrusted.

Another feature, though you don't need to read the article just now: Some pages got "smart", and started to demand that you allow, say, google-analytics.com, a data-mining script, or the page won't load for you. So Signore Maone created a Surrogate Script that satisfies the page, while returning a bunch of nothing to Google. The page now works for you, but your privacy is protected. Many such surrogates exist. The list is in about:config noscript.surrogate. If you don't recognize the name in the Name field, look in the Value field.

You don't need to write rules or do *anything* for this protection, either -- these run automatically, so long as you leave the script in either default (deny) or Untrusted.

Are you starting to see new value in NoScript that you did not know of before?

Lastly (for now): Embeddings page in Options. Safest is to check *everything*. Then if you visit, say, YouTube, all videos are blocked by default; no annoyance of one running as soon as you arrive. Choose the one you want, click on the NoScript logo in the screen, confirm OK to temporarily allow this Flash object. Two clicks, no more.

Coming soon in NS 3.x for Desktop, it will be easy to do this per-site: To allow, say, Flash at goodsite.com, friend.com, and comrade.ru, but nowhere else. (But you can temporary-allow it anywhere else, as always.)

If you have any further questions that are not made clear in the FAQ, or answered by searching this forum, please feel free to post them here.

And yes, the language barrier caused me to perceive your saying as offensive. Thank you for explaining it to me. We don't need another Cold War. :-)

I also misguessed your level of technical knowledge, such as of XSS, because you knew immediately that about:config stores in prefs.js, and some other things that made it clear that you were not a technical novice. Perhaps I should have referred you to Wikipedia's article on XSS, especially the Mitigation section on disabling scripts, which makes it very plain that NoScript is the best defense for the user side.

You have kindly listened to me. Now it is my turn to listen to you. The NoScript Quick Start Guide was an attempt to make learning the basics of NoScript easier for new users. If you haven't read it, please do so when you have a chance, and give your feedback. Of course it was a team effort, even though my name is on it. I wrote the first draft, and then there were many fine suggestions, revisions, etc. from all team members. Revised, more feedback, etc. until the final draft was approved by Giorgio. And it has been edited a few times since. So it was very much a group effort, of course. But my name is still on it as principal author. If you think it could be improved to make the new user's experience better, please suggest how. You may do so by private message (PM) if you don't wish to do so publicly, though of course public discussion invites other opinions.

In summary, the blacklist is only a convenience, not a necessity, and no rule-writing is required, only a few clicks the first time you visit a given site. The protections are all automatic.

The vodka is on me. Cheers!

(I was going to toast in Russian, but then I remembered that we had to ban Cyrillic here, because of a certain evil group of spammers using it on an English-language page. Sorry!)
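The post above describes a policy model (everything blocked by default, a permanent whitelist, "Untrusted" as a convenience that blocks exactly like the default zone, temporary allows, and surrogate scripts that stand in for blocked ones). Here is an added example in JavaScript that models that decision order; it is not NoScript's code and does not reproduce how NoScript stores or matches its lists. Matching an entry against a script host by domain suffix, the precedence of Untrusted over a broader allowed entry, and all names (decideScript, evaluatePage, samplePolicy) are this example's assumptions, and the surrogate string is a placeholder rather than NoScript's real google-analytics surrogate.

```javascript
// Added example, not NoScript's own code: a default-deny script policy
// with the zones Tom T. describes.

// Assumption of this model: an entry "example.com" covers example.com and
// every subdomain of it.
function matchesEntry(host, entry) {
  return host === entry || host.endsWith("." + entry);
}

function inList(host, list) {
  return list.some((entry) => matchesEntry(host, entry));
}

// Decide what happens to a script loaded from `scriptHost`.
// Order in this model: Untrusted first, then the permanent whitelist, then
// temporary allows; everything else is the default zone, which is blocked
// exactly like Untrusted. Blocked scripts may be replaced by a surrogate.
function decideScript(scriptHost, policy) {
  let verdict;
  if (inList(scriptHost, policy.untrusted)) verdict = "blocked-untrusted";
  else if (inList(scriptHost, policy.allowed)) verdict = "allowed";
  else if (inList(scriptHost, policy.temporary)) verdict = "allowed-temporarily";
  else verdict = "blocked-default";

  const blocked = verdict.startsWith("blocked");
  const surrogate = blocked && policy.surrogates[scriptHost] ? policy.surrogates[scriptHost] : null;
  return { host: scriptHost, verdict, surrogate };
}

// Evaluate every script host a page wants to load; the result is what a
// per-page menu of allow/deny choices would be drawn from.
function evaluatePage(scriptHosts, policy) {
  return scriptHosts.map((h) => decideScript(h, policy));
}

// Constructed sample policy modelled on the post: a trimmed whitelist, one
// advertiser marked Untrusted, one temporary allow, one placeholder surrogate.
const samplePolicy = {
  allowed: ["yahoo.com", "mybank.com"],
  untrusted: ["privacyinvader.com"],
  temporary: ["youtube.com"],
  surrogates: {
    // placeholder body, NOT NoScript's real surrogate for this host
    "google-analytics.com": "window._gaq = { push: function () {} };",
  },
};

// Constructed sample page: script hosts a bank page might try to load.
const sampleScriptHosts = [
  "www.mybank.com",            // covered by the permanent entry
  "ads.privacyinvader.com",    // marked Untrusted
  "google-analytics.com",      // default zone, surrogate available
  "cdn.unknown-tracker.example", // default zone, no surrogate
  "s.ytimg.com",               // not covered by the temporary youtube.com entry
];

console.log(evaluatePage(sampleScriptHosts, samplePolicy));
```

Note that "blocked-untrusted" and "blocked-default" lead to the same outcome, and the surrogate is consulted only on the blocked path, which is why the post says surrogates keep working as long as a script is left in either the default or the Untrusted zone.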

Re: Edit blacklist?

Posted: Mon Oct 24, 2011 3:16 am
by iDrugoy
I wrote a really long answer to you, but someone deleted it.
Goodbye.

Re: Edit blacklist?

Posted: Mon Oct 24, 2011 4:47 am
by Tom T.
iDrugoy wrote:I wrote a really long answer to you, but someone deleted it.
Goodbye.
I've checked the Moderator Logs. There is no record of any Moderator, or the Administrator, deleting any post by you since my last post.

Are you sure it got posted? We all goof sometimes, and I've been known to forget to hit "submit" after "preview". :?

Either try once more, or PM me. No one can delete my PMs except the Administrator, who has no reason to do so, since they're not public and I can delete them myself.

Without a record of deletion in the Logs, I don't see how this could happen. (Dropped Internet connection in the middle of things?)

Re: Edit blacklist?

Posted: Mon Oct 24, 2011 11:08 am
by iDrugoy
Yes I'm 100% sure. It was so long that I had to divide it into 3 posts.
There was some forum error, that made me stallowned every time I clicked preview/submit, until I found out that forum doesn't let me quote you with the urls you provided. After I deleted those urls and made them plain text - everything got posted OK.
If that's not the moderators - then it's the forum, which is buggy.

Re: Edit blacklist?

Posted: Tue Oct 25, 2011 5:10 am
by Tom T.
iDrugoy wrote:Yes I'm 100% sure. It was so long that I had to divide it into 3 posts.
There was some forum error, that made me stallowned every time I clicked preview/submit, until I found out that forum doesn't let me quote you with the urls you provided. After I deleted those urls and made them plain text - everything got posted OK.
If that's not the moderators - then it's the forum, which is buggy.
I don't want to bother Giorgio about this, because as said, he wants to get the cool 3.x features into the desktop version as soon as possible, but as a guess:
All my links were to other places on this site or on Giorgio's sites (FAQ, Hackademix, etc.), except for two, to Wikipedia. They were about XSS, but it's not like it's a hacker site or something. There may be a limit on how many total links a user can include in one post. -- since you said doing them in plain text worked.

It's reasonable. Like any forum or blog that accepts user content, we get our share of spammers, constantly. Someone with nine links in one post is likely to be a spammer. Obviously, that doesn't apply to moderators.

There may also be "flooding" limitations on posting three times in a row on the same topic, or on the total word count. Just how many words are we talking about here?

The fact that you could make this short post proves that you weren't banned or anything. Try addressing just a couple of issues at a time, using the plain-text URLs or wrapping them in "code" tags:


http;//www.example.com
Then perhaps wait a while before either editing the first part to add Part 2, or just posting Part 2. And so on.

We've had problems with PM spam, but if you use the above style for links, and send those PMs to me in chunks as well, I can put them together and post them here if the other doesn't work.

I know that this must be very annoying to you, but please understand that we're trying to keep out the spammers and the flooders.

I just checked the Moderator logs again, and I can assure you that no action has been taken against you or any of your posts, nor is your username on the Banned list, so I'm fairly confident that it's the issues above: too many links, posts, or words.

This is not always easy, to be both a "helper" and a "police officer", if you know what I mean, but I'm sorry for your troubles. One way or another, we'll get your posts up there.

Also, please know that the entire Moderators team is all unpaid volunteers, who donate whatever time we can spare to support what we think is a very worthwhile and necessary product, but still have to make a living in the Real World. So if replies do not come rapidly, please understand.

Thank you for your patience.