google.com whitelisted and potential protection bypass
-
Beaver
google.com whitelisted and potential protection bypass
Hi,
I noticed that google.com is now on the default whitelist, which sounds a little crazy to me. Aren't the benefits way greater than the downsides?
I searched for a reasoning but instead found this. The article describes a way to bypass NoScript because when a domain is whitelisted, all of its subdomains also are. At the time, googleapis.com used to be whitelisted by default, so storage.googleapis.com was too, and anyone could upload HTML and JS to this subdomain, effectively bypassing NoScript's protection by abusing the whitelist. Giorgio fixed it by whitelisting ajax.googleapis.com instead.
Isn't there a similar risk with google.com in the default whitelist? Are we sure other whitelisted sites don't have abusable subdomains?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Re: google.com whitelisted and potential protection bypass
FAQ 1.5
google is whitelisted mainly because some users have Gmail webmail, and could not use it without that - and they may need to email Giorgio to get support. Also some commonly used google services (e.g. maps & youtube) are whitelisted by default, in part so that we don't get overloaded with mundane support requests.

Beaver wrote:
> The article describes a way to bypass NoScript because when a domain is whitelisted, all of its subdomains also are.

What's the issue? This is by design and a LOT more convenient than individually whitelisting subdomains all the time. If you don't want to whitelist subdomains, add
http://thedom.ain
https://thedom.ain
instead of just thedom.ain
I don't see any "bypass", just a chance that some users don't understand what they're trusting (or what NoScript trusts by default).

Beaver wrote:
> Are we sure other whitelisted sites don't have abusable subdomains?

Probably not, because the Internet changes all the time. If you find one that does, please report it privately to Giorgio.
*Always* check the changelogs BEFORE updating that important software!
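As an added illustration (not NoScript's own code, and not written by any poster in this thread) of the two whitelist-entry forms described in the reply above, and of the storage.googleapis.com case raised in the opening post: the following JavaScript models the rule that a bare domain entry trusts the domain and every subdomain, while a scheme-qualified entry such as https://thedom.ain trusts only that exact scheme and host. The sample whitelists, probe URLs and the `broadEntries` audit helper are constructed for the example; the matching logic is a model of the rule as the thread states it, not NoScript's implementation.

```javascript
// Toy model of the NoScript whitelist matching rule as described in this thread.
// Added example, not NoScript's own implementation.
//  - bare domain entry  ("googleapis.com")     -> trusts that host and every subdomain
//  - scheme-qualified   ("https://thedom.ain") -> trusts only that exact scheme + host

// Returns true when a single whitelist entry covers the given URL.
function entryMatches(entry, url) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return false; // unparseable URL: nothing is trusted
  }
  const host = u.hostname.toLowerCase();

  if (entry.includes("://")) {
    // Full-address entry: exact scheme and host only, no subdomains.
    const e = new URL(entry);
    return e.protocol === u.protocol && e.hostname.toLowerCase() === host;
  }

  // Bare domain entry: the domain itself or any subdomain on a label boundary.
  // The "." prefix matters: without it "evilgoogle.com" would match "google.com".
  const d = entry.toLowerCase();
  return host === d || host.endsWith("." + d);
}

// Returns true when any entry in the whitelist covers the URL.
function isAllowed(whitelist, url) {
  return whitelist.some((entry) => entryMatches(entry, url));
}

// Audit helper (constructed for this example): bare-domain entries are the ones
// that implicitly trust every present and future subdomain, so they are the
// entries worth reviewing when a domain hosts user-controlled content.
function broadEntries(whitelist) {
  return whitelist.filter((entry) => !entry.includes("://"));
}

// Constructed sample whitelists mirroring the thread's discussion.
const OLD_DEFAULT = ["googleapis.com"];        // pre-fix entry from the opening post: covers storage.googleapis.com
const FIXED_DEFAULT = ["ajax.googleapis.com"]; // the fix described in the opening post: that host only
const NARROW_GOOGLE = ["http://google.com", "https://google.com"]; // the scheme-qualified form suggested above

// Demonstration when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  const probe = "https://storage.googleapis.com/some-bucket/page.html";
  console.log("old default allows a user-uploaded bucket page:", isAllowed(OLD_DEFAULT, probe)); // true
  console.log("fixed default allows it:", isAllowed(FIXED_DEFAULT, probe)); // false
  console.log("narrow google entries cover mail.google.com:", isAllowed(NARROW_GOOGLE, "https://mail.google.com/")); // false
  console.log("broad entries to review:", broadEntries(["google.com", "https://google.com"])); // [ 'google.com' ]
}
```

Running it shows the asymmetry the thread is about: the bare `googleapis.com` entry covers the bucket subdomain, the host-specific `ajax.googleapis.com` entry does not, and the scheme-qualified `google.com` entries cover google.com itself but not mail.google.com.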
-
-
Beaver
Re: google.com whitelisted and potential protection bypass
Yes, I did read the FAQ and understand the reason why google.com is allowed. I hope only usability scripts are hosted on http(s)://google.com, and not tracking stuff.
Anyway if it's for Gmail, why not allow http(s)://google.com directly then? (and necessary subdomains, if any)
For my own use I don't have a whitelist, but I'm concerned about the default for other people. Something as generic as *.google.com, when Google is one of the biggest privacy invaders out there, that's not quite ideal... Even if there is no subdomain where people can upload their own stuff.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Re: google.com whitelisted and potential protection bypass
> google.com is now on the default whitelist
Default, but you can change that.
I don't allow google.com.
There, done.
Likewise, your choice not to have any whitelist at all.
Sure it might improve "security" or "privacy", but also might affect usability.
And so long as one understands that, there should be no issues.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0 SeaMonkey/2.38
-
Guest
Re: google.com whitelisted and potential protection bypass
Defaults are made for convenience and for people who don't understand what's up. I'm saying allowing *.google.com for them doesn't sound good at all, and if subdomain[1-9].google.com needs to be allowed for Gmail to work, then it should be better to add every subdomain explicitly rather than what is being done currently.
It's not for me, it's for those who don't get technicalities. http(s)://google.com > *.google.com
I hope I'm clear.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Re: google.com whitelisted and potential protection bypass
Guest wrote:
> Defaults are made for convenience and for people who don't understand what's up

... and for people who expect their favorite this or that or the other to "just work" with no effort on their part?
Note that some Google APIs and JS libraries are also hosted on subdomain(s) of google.com instead of googleapis.com, so disallowing google.com will mean a significant number of websites break.

Guest wrote:
> I'm saying allowing *.google.com for them doesn't sound good at all, and if subdomain[1-9].google.com needs to be allowed for Gmail to work, then it should be better to add every subdomain explicitly rather than what is being done currently.

Gmail users likely use more Google services than just Gmail, and obviously they already trust Google, so why the extra effort? It's all run by the same entity (Google/Alphabet), and from a security standpoint, either you trust an entity or you don't, there is no "half-trust". Subdomain blocking in a case like this would only be useful for helping individual intermediate or advanced users customizing their Google experience the way they want it.
If on the other hand there becomes some sort of arbitrary-cloud-hosting-for-random-entities on a subdomain of google.com (as there is with googleapis) or the like, then we should revisit this.
Until then, there's no security advantage, whereas it's much more work maintaining the whitelist to keep up with every subdomain change.

Guest wrote:
> It's not for me, it's for those who don't get technicalities.

Then unless one of the people you think it's for is a friend of yours, why are you taking our time and energy over your nebulous distrust of 1) Google and 2) NoScript's user-facing design?

All of us on the Support Team have worked with "those who don't get technicalities" enough that we understand them reasonably well, and I for one don't see any reason why what they've got is bad for them.

Guest wrote:
> I hope I'm clear.

You're perfectly clear, we just disagree with you.
*Always* check the changelogs BEFORE updating that important software!
-
-
Beaver
Re: google.com whitelisted and potential protection bypass
I want to recommend NoScript and I want it to keep being improved, so I'm pointing at stuff that seems improvable. A suggestion is not an order nor a bitter complaint.
Regarding my distrust of Google, it's pretty sane and logical IMO. Google is everywhere, not just on Google.com, and allowing *.google.com means any code from any google.com subdomain will be allowed to run on any whitelisted site. Google tracks people all over the web. Fortunately some of Google's (sub)domains are more about tracking than others, that's where having a fine-grained list is useful.
I understand you have constraints and stuff. Do what you want! ^^
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
-
Mc
Re: google.com whitelisted and potential protection bypass
I also wouldn't want it default whitelisted and I also need no help here. I often think about, what would be good or bad for others in security and privacy, so I don't agree, that we should let you, the Support Team, care and feel save.
Mozilla/5.0 (X11; Linux i686; rv:41.0) Gecko/20100101 Firefox/41.0 SeaMonkey/2.38 Lightning/4.3b2
Re: google.com whitelisted and potential protection bypass
@Beaver NoScript is a security tool, not a privacy tool. Any privacy benefits it has are side-effects and only side-effects, not more. While I agree with you that Google is quite ubiquitous, is in the data mining business, and has several tracking domains (most of which are *not* [sub]domains of google.com), you still have not pointed to a concrete security downside of whitelisting all of google.com by default when Gmail needs to be whitelisted by default. And tracking sites usually have a scriptless alternative, e.g. 1x1 GIFs. If you want privacy you need a proper request blocking tool such as Policeman or µMatrix, they work well alongside NS.
@Mc what do you mean by "care and feel save"?
*Always* check the changelogs BEFORE updating that important software!
-
Re: google.com whitelisted and potential protection bypass
Mc wrote:
> I also wouldn't want it default whitelisted

How often do you create a new profile?
Once you've removed google.com from your whitelist, it should be gone. If it somehow comes back in an update, then that would be a bug and you should report it here. Otherwise, you've presumably set up your whitelist the way you want, so you have no problem, right?

Mc wrote:
> and I also need no help here.

Your experience does not constitute the default. I'd suggest that Giorgio has a better idea of what "most users" of his extension want as defaults. And in this case, the decision is made even clearer by the fact that the people who don't want Google will also be the people, like yourself, who have sufficient interest and skill to take 5 seconds and remove it.

Mc wrote:
> I often think about, what would be good or bad for others in security and privacy

So does Giorgio! And if you look at the number of reviews on AMO complaining bitterly about NS being too paranoid and breaking sites, and indicating that the person won't run it as a result, and if you consider all the side benefits of keeping it, even if you allow scripts globally, then I think you'll agree that a somewhat permissive default that keeps people on the tool will protect the most people.

Mc wrote:
> so I don't agree, that we should let you, the Support Team, care and feel save.

Well, feel free to send Giorgio a message rebuking us, but it was his chosen default, not ours.
If you honestly don't think he's putting serious time and energy into helping others be safe, then I don't think you've really thought it through. But feel free to make a better tool.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
-
Mc
Re: google.com whitelisted and potential protection bypass
> @Mc what do you mean by "care and feel save"?

-save / +safe

> How often do you create a new profile?

Me? I wrote, I need no help here. It's not whitelisted in my profiles.
So please calm down.
When Gmail needs to be whitelisted by default, none needs to have it default whitelisted, who never would use it.
Mozilla/5.0 (X11; Linux i686; rv:41.0) Gecko/20100101 Firefox/41.0 SeaMonkey/2.38 Lightning/4.3b2
Re: google.com whitelisted and potential protection bypass
Mc wrote:
> When Gmail needs to be whitelisted by default, none needs to have it default whitelisted, who never would use it.

Agreed, but unfortunately there is currently no way to tell who uses Gmail and who doesn't at install time atm. I think that NoScript 3 will have a configuration wizard of some sort, maybe there can be a "customize the default whitelist" section where people can select (via checkboxes) whether they use Gmail, Google maps, Hotmail, and/or any of the other various similar default-whitelisted sites, provided such a "page" doesn't make the wizard too lengthy or complex... what are your thoughts on that idea?
*Always* check the changelogs BEFORE updating that important software!
-
-
Mc
Re: google.com whitelisted and potential protection bypass
I'm not sure if just this one must be part of the configuration. Information about the issue might be enough.
Mozilla/5.0 (X11; Linux i686; rv:41.0) Gecko/20100101 Firefox/41.0 SeaMonkey/2.38 Lightning/4.3b2
Re: google.com whitelisted and potential protection bypass
irc chat wrote:
<Mc> barbaz: thanks
that's certainly not easy to solve, but i think a user of NoScript just must be able to handle this, if he gets an information about the issue anywhere
<barbaz> Mc: the main question i have is whether you think a NS configuration wizard would get too long or complex if pages / details like that are added. (i don't know what it's like now because noscript 3 is mobile only and i don't have a mobile device)
<Mc> barbaz: the configuration IS already too complex in the Options we have now, so it only can become better!
<barbaz> Mc: well that information is the FAQ. how do you suggest to show (or link) it to the users in question?
<Mc> barbaz: i've no idea, if it would be possible to add a NoScript warning on the webmail site
<barbaz> Mc: so warn if the site *is* [default-]whitelisted (& offer a link to the faq) when the site comes up in the user's noscript menu & is allowed to run scripts? the challenge there is to not have the warning too much in the user's face... maybe if there's a different NS icon (or NS icon on a different-colored background?) + menu entry offering a link to the faq?
<Mc> barbaz: that wouldn't help much, so the warning should come up, if it's not (yet) whitelisted
<barbaz> Mc: that suggestion makes me think of having two different modes for using NS - one with the webmail sites & the like pre-whitelisted (the status quo); and the other with a more minimal whitelist but, when the user visits the webmail site or whatever, prompt them if they want to add to their whitelist, the group of sites included in the larger default whitelist for that site, & offer the faq link in a "learn more" type way.
<barbaz> Mc: also, Thrawn had previously suggested an "interactive mode" for NS, which I'm thinking can kind of has a use case here too...
*Always* check the changelogs BEFORE updating that important software!
-
Re: google.com whitelisted and potential protection bypass
This is the topic I was referring to re: Thrawn's idea of interactive mode: viewtopic.php?f=10&t=18768
Last edited by Thrawn on Wed Oct 14, 2015 12:04 am, edited 1 time in total.
Reason: Typo in my username
*Always* check the changelogs BEFORE updating that important software!
-