Clear temporary permission after some time

[Riar]

Hello!

Is it possible to automatically clear temporary permission after some time they been given to a domain?

If it was possible or could be implemented, I would feel safer if my temporary permissions cleared every 10 min (since last page visit?). I think it would offer better security, less attack surface over time and it would reduce the time certain networks could track me.

Thanks!

[barbaz]

There is no security advantage to that.. and NoScript is a security tool, not a privacy tool. See viewtopic.php?f=7&t=18846 where a similar idea was discussed, much of what was said there applies also here.

[Riar]

There is no security advantage to that.. and NoScript is a security tool, not a privacy tool. See viewtopic.php?f=7&t=18846 where a similar idea was discussed, much of what was said there applies also here.

I would say there is a security advantaged to this. Many attacks these days are from ads or hacked websites. While a particular cdn-domain (or ad network) was fine two hours ago, it may not be secure right now. Saying that if a domain won't attack you straight away, it won't attack you in five hours is no longer true. Besides multiple sites uses the same CDN-domain or ad-domains these days. Revoking these temporary permissions automatically would reduce the attack surface and lower the risk of attacks. It's not perfect but it would still provide benefits.

[barbaz]

Many attacks these days are from ads or hacked websites.

https://noscript.net/faq#compromised_trusted

You anyway should never script-allow something you think is that risky!

While a particular cdn-domain (or ad network) was fine two hours ago, it may not be secure right now. Saying that if a domain won't attack you straight away, it won't attack you in five hours is no longer true. Besides multiple sites uses the same CDN-domain or ad-domains these days.

This makes zero sense to me. Can you explain more please?

Revoking these temporary permissions automatically would reduce the attack surface and lower the risk of attacks. It's not perfect but it would still provide benefits.

One reason it's not perfect is because it'd get you accustomed to Temporarily Allowing stuff thinking it had just been revoked - and given that some malicious domains are Unicode-lookalikes to other domains...

[Riar]

You anyway should never script-allow something you think is risky!

The problem is, anything could be risky. Your favourite trusted website could one day be hacked. With that mindset you don't ever need NoScript. Just turn off javascript, java, flash and all other plugins in Firefox. However I use NoScript to stay safe but still be able to use scripts on websites that I trust, but may not always be secure.

This makes zero sense to me.

http://www.theverge.com/2015/8/25/92023 ... nerability

During one hour, banners on the newspaper website you visit daily may infect your computer with malware. Most hours it won't. You can't trust any website, CDN or ad-network at all. That's why I want to revoke temporary permission automatically.

One reason it's not perfect is because it'd get you accustomed to Temporarily Allowing stuff thinking it had just been revoked - and given that some malicious domains are Unicode-lookalikes to other domains...

First, that is still a risk and problem for NoScript users even without automatically revoking permissions. Including automatically revoking of permission won't make this problem worse or better.
Second, I have yet to hear about this method of social engineering your way around to get to NoScript users. This is currently in my opinion not a threat at all.
Third, if this was a big problem for NoScript users, then we need to remove revoking temporary permissions completely. Users could be fooled here!

You don't always need to temporarily allow a domain either. On most websites I only need to temporarily allow a domain once or twice each day for like 10 minutes to watch a video or login. After that, no need for it. I would stay a lot more secure if those permissions would be removed after let's say 10 minute than not.

And finally. I don't use NoScript to allow as much scripts as possible. In fact, it's the opposite. I want to block as much as I can. I mean, it makes sense right? It's called NoScript. If I wanted to have these domain temporarily allowed for days or weeks, then I could just permanently allow them. Temporary should really be temporary! There are no security risks with this, in fact just a bit more security.

[barbaz]

The problem is, anything could be risky.

(That is true. I edited my wording slightly while you were posting.)

One hour banners on the newspaper website you visit daily may infect your computer with malware. Most hours it won't.

So never Allow them, not even temporarily. Problem solved.

You can't trust any website, CDN or ad-network at all.

Right.. well, in the same way you can't trust any dog at all, because some dogs bite people.
That's not the NoScript security model though: FAQ 1.11

First, that is still a risk and problem for NoScript users even without automatically revoking permissions.

No it's not. If you've Temp-Allowed the real site, and the lookalike site shows up in your menu, you'll know something's wrong. However, if the real site temporary permission is automatically revoked, you won't think anything is wrong seeing that the fake site is not Temp-Allowed.

Second, I have yet to hear about this method of social engineering your way around to get to NoScript users. This is currently in my opinion not a threat at all.

When discussing potential threats, we need facts, not opinions. Unless, of course, in your opinion these two domains are OBVIOUSLY (at a glance) very different?

Code: Select all

exаmple.com
example.com

Third, if this was a big problem for NoScript users, then we need to remove revoking temporary permissions completely. Users could be fooled here!

It would take a pretty stupid user, to be fooled by this after deliberately revoking temporary permissions. User would then notice it popping up weirdly ("why is this listed twice") and/or in unexpected places. With auto-revoking temporary permissions, even smart user would dismiss that stuff as the result of auto-revoking of the temporary permission (and possibly buggy NoScript).

You don't always need to temporarily allow a domain either. On most websites I only need to temporarily allow a domain once or twice each day for like 10 minutes to watch a video or login. After that, no need for it. I would stay a lot more secure if those permissions would be removed after let's say 10 minute than not.

The way to make that more secure is following the suggestion in FAQ 8.10. That's security because that way you know exactly what you're dealing with.

And finally. I don't use NoScript to allow as much scripts as possible. In fact, it's the opposite. I want to block as much as I can. I mean, it makes sense right? It's called NoScript. If I wanted to have these domain temporarily allowed for days or weeks, then I could just permanently allow them. Temporary should really be temporary!

Good, I'm glad we're on the same page there.

[Riar]

So never Allow them, not even temporarily. Problem solved.

Not always a practical solution as some ads need to be shown before you get to watch a clip or access a website.

Right.. well, in the same way you can't trust any dog at all, because some dogs bite people.
That's not the NoScript security model though: FAQ 1.11

So you think it's better to allow a website until web browser is closed, than let's say 10 minutes? How is former more secure?

No it's not. If you've Temp-Allowed the real site, and the lookalike site shows up in your menu, you'll know something's wrong. However, if the real site temporary permission is automatically revoked, you won't think anything is wrong seeing that the fake site is not Temp-Allowed.

And with automatically revoking, those two (real domain + look alike) will show up. The user will see both domains and you will know something is wrong. So yes it is!

When discussing potential threats, we need facts, not opinions. Unless, of course, in your opinion these two domains are OBVIOUSLY (at a glance) very different?

And how would todays NoScript user work this out? They would allow both of them, or just one at random. How is this good in any way? And why is this a problem just for this function? I mean, this would exist for todays NoScript too right?

What you are pointing out, is a flaw with how NoScript is currently displaying domain names. If you fix that, then we won't have this problem at all.

It would take a pretty stupid user, to be fooled by this after deliberately revoking temporary permissions. User would then notice it popping up weirdly ("why is this listed twice") and/or in unexpected places. With auto-revoking temporary permissions, even smart user would dismiss that stuff as the result of auto-revoking of the temporary permission (and possibly buggy NoScript).

Easily fixed. Write next to the domain name that it's been automatically revoked X minutes ago. Now the user knows exactly which the real domain name is.

The way to make that more secure is following the suggestion in FAQ 8.10. That's security because that way you know exactly what you're dealing with.

That security won't provide the kind of security I am asking for.

[Riar]

So to fix any potential issues with this idea:
- Display next to a domain name if it's been automatically revoked. This could just be a simple symbol or something to denote this.
- Improve displaying of domain in the list of domains, to avoid look-alikes fooling users.

And then, barbaz problems with this would be sorted!

[barbaz]

Not always a practical solution as some ads need to be shown before you get to watch a clip or access a website.

That is what surrogate script are for.
Surrogate Script

So you think it's better to allow a website until web browser is closed, than let's say 10 minutes? How is former more secure?

If automatically revoked entries are marked (nice suggestion I'm thinking a different color, e.g. red or blue), then security is exactly the same either way, and the feature you ask for is just a convenience for certain types of browsing session (see the thread I linked above). OTOH, usability would be a problem, because revoking permissions even without reloading causes scripted parts of pages to stop working. That's solved by making it optional to only auto-revoking those temporary permissions that aren't used on any open tab, which is what was discussed in the other thread.

And how would todays NoScript user work this out? They would allow both of them, or just one at random. How is this good in any way? And why is this a problem just for this function? I mean, this would exist for todays NoScript too right?

Actually, users who see a domain show up twice (or the like) in today's NoScript, come to these forums and ask us about it. Here's just one example: viewtopic.php?f=8&t=19464

If you fix that, then we won't have this problem at all.

Can't be fixed. Much of the unicode stuff can partially be fixed by forcing punycode in browser (about:config > set network.IDN_show_punycode to true), but even at that not everyone can, say, tell a 'l' from a '1' easily.

That security won't provide the kind of security I am asking for.

Then I think I'm not understanding what you're trying to achieve that auto-revoking temporary permissions would solve. It sounds to me like you want to emulate per-page permissions. Is this not correct?

[barbaz]

I have re-posted your suggestion to mark sites that had automatically-revoked temporary permissions, in the other thread.

[Riar]

I have re-posted your suggestion to mark sites that had automatically-revoked temporary permissions, in the other thread.

Thanks.

I am now going to stop discussing this as I only registered to suggest this. I do understand that not every user would want this functionality.

However with how I use my computer, I tend to build up many temporary permissions. It can go weeks or months between computer reboots. I normally only restart Firefox when it requires updates. I often manually clear temporary permissions when I remember, but with how I use my computer I think I would get better security if NoScript automatically revoked my temporary permissions. However, I am also looking into changing my behaviour when allowing scripts anyway.

Finally, I want to thank you for your contribution to my idea. It's nice to talk about the upsides and downsides of an idea. If the owner doesn't like it, it's fine. I am still going to use NoScript regardless as I think it's the best addon ever made for Firefox.

Cheers

[barbaz]

You're welcome.