InformAction Forums

I use noscript in firefox and it has something called "ABE" included within the advanced tab. When I go through the process (every few months) of having to perform a re-signup for my internet connection I get an error from ABE and have to disable ABE to continue. When I have to do this signup I find myself in a situation where the websites do not load (they spend forever "looking up example.com") and I have to go to a particular IP or web address and click through a few buttons to reactivate my connection, after which I get redirected to my ISP's homepage and then all websites start loading properly when I go to their URLs. I re-enable ABE afterwards. What is ABE doing, I've read the page on the noscript site about it but couldn't understand that page very well? Is this sort of disabling safe? Why would I have an issue with ABE when doing this signup process with my ISP?

My ISP's homepage has adverts on it from some pretty untrustworthy sources, I really need to block any scripts from these adverts and any content coming from their domains for the sake of my security. Ordinarily noscript does excellent work at blocking adverts as well as scripts. But during this signup process I have to disable ABE, does that put me at risk from any exploits or drive-bys coming from the adverts on corners of the homepage I get redirected to (note that I have set the advertising domains as "untrusted" domains). Obviously I still don't see the adverts, Because noscript is blocking their domains somewhat, but with ABE disabled temporarily does this let malicious scripts sneak round or anything?

Thanks

I think it's not an explanation of what ABE does that you need most right now...

Got any custom ABE rules?
If so, just post the messages you see in the Browser Console (Ctrl-Shift-J) when ABE fires, and ignore the rest of this post.
Assuming not, read on:

Well, OK, here's your explanation: what ABE does by default is prevent websites from accessing your local network. Without ABE they can use your browser as a medium with which to tamper with your local network, router, services on your PC, etc; with ABE enabled, they're blocked from doing so.
Now to respond to the problem at hand:

another-question wrote:I use noscript in firefox and it has something called "ABE" included within the advanced tab. When I go through the process (every few months) of having to perform a re-signup for my internet connection I get an error from ABE and have to disable ABE to continue.

You should *not* need to allow access to your PC or local network just to sign up for something, period.
Please post the message from ABE that you see in the Browser Console (Ctrl-Shift-J) when this happens.

another-question wrote:When I have to do this signup I find myself in a situation where the websites do not load (they spend forever "looking up example.com") and I have to go to a particular IP or web address and click through a few buttons to reactivate my connection, after which I get redirected to my ISP's homepage and then all websites start loading properly when I go to their URLs. I re-enable ABE afterwards. What is ABE doing, I've read the page on the noscript site about it but couldn't understand that page very well? Is this sort of disabling safe? Why would I have an issue with ABE when doing this signup process with my ISP?

Disabling ABE in this situation does NOT sound safe to me (see explanation above).
It especially sounds unsafe after you say this:

another-question wrote:My ISP's homepage has adverts on it from some pretty untrustworthy sources, I really need to block any scripts from these adverts and any content coming from their domains for the sake of my security. Ordinarily noscript does excellent work at blocking adverts as well as scripts. But during this signup process I have to disable ABE, does that put me at risk from any exploits or drive-bys coming from the adverts on corners of the homepage I get redirected to (note that I have set the advertising domains as "untrusted" domains).

.. and in response to the question at the end - exploits: yes; drive-bys: I don't know, I'd guess it depends at least partially on what software you are running

another-question wrote:Obviously I still don't see the adverts, Because noscript is blocking their domains somewhat, but with ABE disabled temporarily does this let malicious scripts sneak round or anything?

No, really, NoScript doesn't add entire modules that have nothing to do with your security.
I think I've given you enough information that you can now figure out the answer to this question
(but I'll tell you anyway: yes it does let malicious scripts sneak around and do malicious things that they'd otherwise be blocked from)

I have no custom ABE rule's I left ABE in the default settins when I set up noscript, the only noscript settings I have atered from default are the trusted/untrusted list and the options for what things to show on the menu/bottom bar and other appearance ones.


I couldn't copy the message, the message (it appeared as a bar across the top of the page with the ABE logo (a little cartoon of lincoln's head) and some text saying something about web addresses. The text in this message wasn't highlightable so I couldn't easily copy it, it seemed to be stating something about the URL I was at at the time(the URL itself was from a domain which belongs directly to my ISP) and about another similar URL also belonging to the ISP directly. I think the message wa ssaying something a about a request from one page to "get" another page having been blocked by ABE, both pages were http or https I think, though I can't remember perfectly. I was too stupid to think of taking a screenshot and saving it for later reference.

The homepage I talk about with the dodgy adverts did not load until after the re-sign-up process, the order of what went on, roughly is...
1.turned on the computer and plugged in the ethernet, pages were not loading which means I had to go to the re-sign-up page for my ISP.
2.I have this re-sign-up page's IP address saved in a text file, so I was able to go straight to it and knew it was the right page.
3.I then had to allow a few scripts, to enable the button on the page, these scripts I allowed were from sources which should be trustworthy (the ISP itself)
4.Then I clicked the button, and where it should simply redirect to the ISP's homepage and say that the re-sign-up was completed, it instead gave the ABE error
5.At that point I disabled ABE
6.And clicked the button again, this time it worked and redirected to the ISP's homepage
7.Because I had only allowed scripts from the ISP's own domain then when I was redirected to the homepage the nasty adverts did not load, and the domain they were coming from was listed as one from which scripts were forbidden. At this point I set the advertisers domain as an untrusted one*, thinking do so would be helpful in future.

*although I already knew that the domain was a nasty one, from having looked up information about the domian on web of tust the first time I had ever seen it listed as a blocked domain and wondered what it was.


The previous time I had tried it through chrome, where everthing worked but ofcourse the nasty advertising domain loaded when I reached the ISP's homepage.

All the time sbefore that it had worked through firefox with noscript enabled and I had not had any ABE error,s though I did ofcourse need to allow the scripts from the ISP's own domain on these previous occasions.






This all occured on a page which I get every few months when I have to "re-sign-up" with my ISP for my connection, although in the past I have never had the ABE message. It has only occured the last two times. I am sure the page was the genuine page, and not some total imposter of a page.


I don't have a home network as such, where I live is a block of flats where one just plugs an ethernet cable from computer to wall socket and goes online via that. One has to redo the sign up with the ISP every few months through this. I don't have any router or such, just a little ethernet socket on the wall (like an old telephone socket), a computer and an ethernet cable.

" just to sign up for something"
To clarify when I say re-sign-up this isn't like a forum or webmail login, it happens on a webapge alright, but it happens when one's connection is in a state where any page you visit gets redirected back to this same webpage, and the webpage in question is an IP adress rather thna a http or https which then redirects to the ISP's homepage (a normal HTTPS page) and re-enables the ability to visit any web address after you do this signup. I don't understand connection methods well enough to give a better description.


You say that without ABE enabled things can tamper with "your local network, router, services on your PC, etc", would you have to allow pages as well for exploits to happen here, as in is ABE an extra protective layer as well as the script blocking? Or does allowing things through ABE circumvent all the protection which script blocking gives? It's drive-bys/exploits I am concerned about, stuff involving routers and home networks doesn't apply to me (as far as I can tell) but the risk of something being able to fiddle with services on my PC (as in the things you see under the services tab of task manager) is pretty concerning. Does the fact I had to disable ABE for those few minutes mean that for that time none of noscript's script blocking was actually doing anything?

I would like to be able to find a way to get through the re-sign-up page next tome it happens without having to disbale ABE, especially given the risks you describe disabling ABE as having, but the problem is that when I have to deal with this signup page I am in a situation where I cannot get to the internet at all until it is done. My knowledge of networks is almost none, my knowledge of security covers only things related to the browser and to stuff like viruses pretending to be other file types or pretending to be safe exe files, or running themselves through java/flash/browser exploits. For security my solution has been the following:
:Run noscript, and only allow sites to run scripts when they have "fnacy" content which i need to access and the site is one which is trustworthy
:Never use Internet explorer
:Run a good antivirus
:Keep programs up to date, and keep windows up-to-date on the security updates
:Never run exe files you can't absolutely trust the ource of
:Scan everything you download
:Never let plugins be automatic
:Never trust adverts or advertising domains
:Do a second opinion scan every few weeks
:Leave windows' firewall in it's default active and running setting

I've never known anything detailed about networks.


The problem is that the only way I found to get the re-sign-up thing done was to either temporarily use another browser (one without noscript's protection at all), or to disbale ABE (though the rest of noscript could all run fine whilst during the re-sign-up process).

Thanks for that ctrl+shift+J trick, I never knew about it before, it might have helped with copying the error message if I had known this trick at that time.

I would try and give more information but I don't know what other descriptions to give, and this all happened some days ago now so none of it is still in my browsing history any more.

Extra note:
I always assumed that if you used noscript didn't allow scripts from any domain which couldn't be trusted, and you kept plugins on "ask to activate" (for those one uses sometimes) or fully deactivated (for all the rest) then you would be safe from drivebys/exploits. As the scriptblocking would leave them unable to run anything which might let them start executing viral code on your system.

OK that is a long post... sorry, I can't reply to you in a single post, I need to split it up.

I think unfortunately we will not be able to do more troubleshooting (or answer your questions) until you need to go through this again. So I can't actually help you through this, all I can do is explain to you how to troubleshoot it, sorry.
I hope you can understand; if not, feel free to ask for clarification.

Next time it happens, please collect the following information:
1) "[ABE]" message(s) from the Browser Console (Ctrl-Shift-J)
2) Reverse DNS lookups of all domains, all CNAME records they resolve to. We need all the IP addresses.
3) If you have NoScript Options > Advanced > ABE > WAN IP ∈ LOCAL checked (it's the default), look at your WAN IP as shown by NoScript before & after the connection reset

Here is a crash course in how to add an exception to ABE (you may have to do this repeatedly):

- Look at the message in the Browser Console (Ctrl-Shift-J). From https://noscript.net/abe/users.html:

https://noscript.net/abe/users.html wrote:Whenever a certain rule is matched, a message is logged in the browser's Error Console in the form:

MATCHING_PATTERN: ACTION on {MATCHING_SITE << ORIGIN1[, ORIGIN2, ...], ORIGINAL_ORIGIN - REQUEST_TYPE}

where

• MATCHING_PATTERN is the Site pattern which has been found matching
• ACTION is the ABE action issued (Deny, Anonymize...)
• MATCHING_SITE is the actual URI of the matching request
• ORIGIN1, ORIGIN2 and so on is the chain of origin URI (more than one if redirections occurred), while ORIGINAL_ORIGIN is always the URI of the origin which triggered the load
• REQUEST_TYPE represents the type of the request (document, subdocument, image and so on) as defined in Mozilla's XPCOM nsIContentPolicy interface

- Evaluate the risk... as far as I know, there is NO legitimate reason for this to connect to 127.0.0.1 (aka localhost), but given that this is your ISP there _may_ possibly be legitimate reason for a connection to your WAN IP. Nothing else is LOCAL in your setup so anything else... the risk is totally unknown..

- Add an exception above MATCHING_PATTERN, in the same ruleset as MATCHING_PATTERN. Your exception will probably have a form something like In general, MATCHING_SITE should be a pattern matching the entire domain andpossibly protocol and port, ORIGIN* should also be limited likewise. For cases like this it's simplest to trust single hosts, because the ABE syntax for the whole domain / whole IP is to just put it there as-is (e.g. http://example.com, https://example.com, http://example.com:8080 would all be covered by just example.com but foo.example.com would not be included).
More details on ABE syntax found in ABE Rules .pdf


If any of that seems incoherent please ask for clarification, I'm typing this up kind of quickly and I may be making wrong assumptions about what you already know.

(reply continues...)

Looking at your security setup, I do notice one potential hole - and unluckily for you, it's one that ABE helps protect...

Windows firewall in default configuration is NOT good enough. You are plugging your computer directly into an untrusted network, and you could receive connections from ANY source - and if you haven't used nmap on your computer from a remote source, you don't know what ports you got services (read: "possible hacker targets") listening on.

I would recommend the following:
: Configure Windows firewall to block ALL incoming connections
: Use a firewall program that controls what programs are allowed to connect in or out. When I've helped people set up Windows machines, we've used the free version of Windows7FirewallControl (I think they've made a Windows8FirewallControl for Win 8 though I've never tried that), but the machines I've helped set up are behind a router.
: Speaking of routers, if it's in your budget, get a router even if you only have one computer. That is, a router which also doubles as an advanced firewall - it being a "hardware firewall", such a device is a better firewall than anything you use on your computer can ever be. (Router may even come with the bonus of wi-fi for you. Setting that up was discussed in another thread here, which I can try to dig up if you care.)
Don't bother with a router that doesn't come with a firewall built into it. Also, I don't think routers are the only devices that have hardware firewalls, but I haven't directly played with anything else.
: Run a network traffic monitor in the background the whole time - one that you can always see on your computer screen. The only one I know of is NetWorx. Make sure you know all the "regular" traffic, so that you can easily spot anything out of place. If you're curious what the traffic is, fire up Wireshark (this may tell you more about your computer than anything else would).

Oh, sorry, you were also asking some questions about ABE's interaction with the rest of NoScript.
Short answer: ABE is completely separate from the rest of NoScript, what you do in ABE doesn't control settings of the rest of NoScript, and vice versa.

(Slightly longer answer: permissions are independent, BUT if you use the Sandbox directive in an ABE rule then site will show as not Allowed and you won't be able to (Temp-)Allow it until you remove the Sandbox directive and reload the page.
But I suppose that's a little beyond what you want to know right now...)

Sorry, I still don't think I understand. I'll take a look at the firewall settings though and see whether I can set up blocking of other incoming connections than those which are blocked by default. I'm guessing that an incoming connection which isn't blocked by ABE or the firewall could result in an attacker running his malware exe files on my system without being blocked by UAC or anything else.

To clarify, my firewall is set so it blocks all incoming connections except those matching an allowed list of rules. This allowed list is fairly long, but I think everything on it is a windows default.

I don't know anything about Windows firewall advanced settings, I've just used the "On, Block incoming connections" + "Don't allow exceptions" settings in the control panel.

another-question wrote:Sorry, I still don't think I understand.

If you can be more specific about what you don't understand I can try to clarify.

Ok, let's not go for understanding then, let's just try to find something which works.
As for the firewall stuff I can look to other sources for advice on the best settings.

Until I next get one of these re-sign-up things should I just continue using noscript as normal?

Then when I next need to re-sign-up copy the text from the ABE dialog using ctrl+shift+j

And look at the ABE warning with that description you give in one of your posts in mind

Then see if the re-sign-up can be completed without disabling ABE

Otherwise, disable ABE for the few minutes needed but leave the rest of noscript (the script blocking and such) all running as usual

This way atleast when I am redirected to the ISP's homepage when the re-sign-up process is complete the nasty adverts won't be able to load, so I will be safe from drive-by malvertising

Then, with the re-sign-up done, re-enable ABE and post on this thread any information I can find.

Also try and see if I can find whether my IP address before and after the re-sign-up process has changed.

Is this probably the best way to proceed? the next time I have to re-sign-up might not be for several months though, does this forum lock threads which haven't been posted to for weeks, or would I still be able to post here in a few months time?

I can see from your description that disabling ABE is clearly risky, but for this short a period, when I only visit about 3 web pages, and still have script blocking to prevent the advertising domain from loading is it hugely risky? Or should it be fine to disable AB for the few minutes needed to re-sign-up? I guess that even with ABE disabled having the rest of noscript working beats using another browser without script blocking for doing the re-sign-up process with?






Also one other thing, which is not directly related to ABE, can I just check, other than viruses delivered in downloads a user makes deliberately and then opens, what kinds of infection method can noscript NOT protect against? Is it good for stopping all drive-by and exploit methods as long as the user doesn't allow a dodgy site to run scripts? Or are there some types of exploit/drive-by which cannot be stopped by noscript, things where one has to hope that layers behind the browser (things like one's antivirus) can catch what slips past noscript?




Thanks

another-question wrote:Until I next get one of these re-sign-up things should I just continue using noscript as normal?

Yes

another-question wrote:Then when I next need to re-sign-up copy the text from the ABE dialog using ctrl+shift+j

And look at the ABE warning with that description you give in one of your posts in mind

Yes
Download locally the following, because it sounds like you'll be out of Internet access during this process:
- this thread (once we've answered as many of your questions as currently possible)
- https://noscript.net/abe/users.html
- ABE Rules .pdf

another-question wrote:Then see if the re-sign-up can be completed without disabling ABE

In order to do this you will need to write an exception in ABE, the resources above should have what you'll need to know to figure it out.

another-question wrote:Otherwise, disable ABE for the few minutes needed but leave the rest of noscript (the script blocking and such) all running as usual

Before you disable ABE entirely, try disabling
NoScript Options > Advanced > ABE > WAN IP ∈ LOCAL
For some reason I suspect this would be the likely culprit.

another-question wrote:This way atleast when I am redirected to the ISP's homepage when the re-sign-up process is complete the nasty adverts won't be able to load, so I will be safe from drive-by malvertising

Then, with the re-sign-up done, re-enable ABE and post on this thread any information I can find.

Also try and see if I can find whether my IP address before and after the re-sign-up process has changed.

Yes, please post your findings and see if your IP changes.

As for the redirections, you might want to look into installing NoRedirect and set it to block all redirects (remove all existing rules; then add: Regex: .* , check only "Source")
You _may_ (if redirection is done without JS methods) then get the chance to re-configure NoScript *before* loading the page w/ "nasty" ads.

another-question wrote:the next time I have to re-sign-up might not be for several months though, does this forum lock threads which haven't been posted to for weeks, or would I still be able to post here in a few months time?

It's always been fine to post in old, dead threads if your post is related to the thread; we've recently amended Forum Rules to explicitly say it's OK.
Note of course that in such distant future, it may not necessarily be me who responds to your posts, I don't know how active I (or any other currently active Support Team member) will be on this board in several months...
(but hopefully I'll still be at least somewhat around )

another-question wrote:I can see from your description that disabling ABE is clearly risky, but for this short a period, when I only visit about 3 web pages, and still have script blocking to prevent the advertising domain from loading is it hugely risky? Or should it be fine to disable AB for the few minutes needed to re-sign-up? I guess that even with ABE disabled having the rest of noscript working beats using another browser without script blocking for doing the re-sign-up process with?

(Note: I assume that the ISP is a trusted party unless I have reason to believe otherwise - in this case, that reason is what you say about who they sell ads.)
A few thoughts:
- see above about NoRedirect
- You can also disable individual ABE rulesets. You say it's SYSTEM giving you trouble, so how about blocking the advertisers' domains outright in USER? You would then disable only SYSTEM if it really gives you trouble.
(I wrote Deny INCLUSION instead of just DENY because I don't know if your ISP require redirection through these domains and I don't want to give you more trouble.)

another-question wrote:Also one other thing, which is not directly related to ABE, can I just check, other than viruses delivered in downloads a user makes deliberately and then opens, what kinds of infection method can noscript NOT protect against? Is it good for stopping all drive-by and exploit methods as long as the user doesn't allow a dodgy site to run scripts? Or are there some types of exploit/drive-by which cannot be stopped by noscript, things where one has to hope that layers behind the browser (things like one's antivirus) can catch what slips past noscript?

I'm not expert in this stuff, especially not on Windows, which I don't use... all I know is that on Mac you actually have to download and run something to get an infection, *or* expose yourself to malicious active content (normally Java) on the Web. I assume it's the same deal on Linux & *BSD, but there you would probably have to enter your root password for something to do really unrecoverable damage to the system (root is equivalent of SYSTEM user on Windows).

another-question wrote:Thanks

You're welcome

OK, thank you. I'll wait until this issue happens again, then if I can't solve it using the information in this thread and those links (all of which I have now downloaded) I will come back here and post all the information I can gather about my issue.
Thanks

It happened again about ten minutes ago. I had disconnected from the internet and then I went to reconnect pages weren't loading so I had to go to my Isp's signup page, I tried to re-sign-up and got the ABE error again. I post below what I copied although for privacy I have replaced all the shown Ip adresses and web addresses with notes showing where they were in the error message. The web address of the signup page which I had to visit in the first place I have rewritten as "http://(example1).com/" and the page I am redirected to I have rewritten as "http://(example2).com/?referer=signupwizard" . "example1" and "example2" are both domains I recognise as belonging to my ISP. See below:

"[ABE] <LOCAL> Deny on {GET http://(example1).com:(potentially private number)/index.php?url=(example2).com%252f%3freferer%253dsignupwizard <<< http://(example2).com/?referer=signupwizard, http://(example1).com/ - 6}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny"

I couldn't see any domains listed in this error message (I copied it with the ctrl+shift+j trick you suggested) which looked vastly out of plac(nothing from third parties, just what you see listed above, all of which are parts of my ISP's website), they all belonged to my ISP. Then the really weird bit happened.
I took out the ethernet cable again, then with no connection at all I opened firefox, opened noscript's options, and turned off ABE. I then closed firefox, and then plugged the ethernet cable back in. Then I opened firefox again, but this time my homepage (google) just loaded straight away, I hadn't needed to re-sign-up at all. It was as if turning off ABE and then opening firefox again without it meant I didn't even need to do the re-sign-up. With the internet connection working again I have now re-enabled ABE and everything seems to be working.

Can you perhaps interpret, from the error message I have provided and from the fact that temporarily turning off ABE, without even visiting my ISP's sign page or hompeage to which I am redircted after signup, seemed to get my connection re-signed-up again.

I couldn't copy my "WAN ip address from before and after this though because I don't know where the wan ip address is displayed.


Thanks for your help

add above the default SYSTEM rule (The "potentially private number" probably isn't private, it's just the port that it's trying to connect to.)

another-question wrote:It happened again about ten minutes ago. I had disconnected from the internet and then I went to reconnect pages weren't loading so I had to go to my Isp's signup page, I tried to re-sign-up and got the ABE error again. I post below what I copied although for privacy I have replaced all the shown Ip adresses and web addresses with notes showing where they were in the error message. The web address of the signup page which I had to visit in the first place I have rewritten as "http://(example1).com/" and the page I am redirected to I have rewritten as "http://(example2).com/?referer=signupwizard" . "example1" and "example2" are both domains I recognise as belonging to my ISP.

That's odd, ABE thinks your ISP signup page is LOCAL...
Please do reverse DNS lookups of the example1 and example2 and see if any of these match your WAN IP or are in any of these ranges, and if so can you post which range (or whether it's your WAN IP)?
(We do not need to see your actual WAN IP.)

I think you can do reverse DNS lookups on Windows with nslookup on the command prompt: type nslookup followed by the domain name enclosed in double quotes (nslookup "example.com").

another-question wrote:Then the really weird bit happened.
I took out the ethernet cable again, then with no connection at all I opened firefox, opened noscript's options, and turned off ABE. I then closed firefox, and then plugged the ethernet cable back in. Then I opened firefox again, but this time my homepage (google) just loaded straight away, I hadn't needed to re-sign-up at all. It was as if turning off ABE and then opening firefox again without it meant I didn't even need to do the re-sign-up. With the internet connection working again I have now re-enabled ABE and everything seems to be working.

Most likely this only has to do with unplugging & replugging the ethernet cable, which could reset your connection...

another-question wrote:Can you perhaps interpret, from the error message I have provided and from the fact that temporarily turning off ABE, without even visiting my ISP's sign page or hompeage to which I am redircted after signup, seemed to get my connection re-signed-up again.

Can we perhaps interpret what?

another-question wrote:I couldn't copy my "WAN ip address from before and after this though because I don't know where the wan ip address is displayed.

It should be listed in the WAN IP checkbox in ABE options tab, but I don't think you can copy it from there. You can look it up on the Internet though: https://duckduckgo.com/?q=what+is+my+ip ... &ia=answer
Or just take a screenshot.