
HTTPS Mixed content

Posted: Wed Oct 27, 2010 6:59 am
by Boelie
With NoScript's current HTTPS features it is possible to enforce HTTPS on sites, 'fix' HTTPS cookies and disable all active content unless it is from HTTPS. However, it is not possible to block all HTTP content on HTTPS pages to protect from attacks like this:
https://ie.microsoft.com/testdrive/brow ... edcontent/

It would be nice for NoScript to have this feature and to have an option to enable it globally (for all sites instead of just the ones in the HTTPS enforcing list).

What do you think of this?

Re: HTTPS Mixed content

Posted: Wed Oct 27, 2010 8:33 am
by Giorgio Maone
I guess you can already use ABE to this effect.
Try adding the following rule to your NoScript Options|Advanced|ABE USER ruleset:

Code:

Site ^http://
Accept from .twitter.com
Deny from ^https://
(I put twitter as a sample exception for this rule).

Re: HTTPS Mixed content

Posted: Wed Oct 27, 2010 10:55 am
by Boelie
Ok, that's nice and blocks the example correctly, though it doesn't block all HTTP content in such a way that Firefox adds the blue icon to the URL bar to show a correct secure connection.

Re: HTTPS Mixed content

Posted: Thu Oct 28, 2010 9:53 am
by ssj100
Thanks, interesting tip. Never looked much at NoScript beyond the white-list of scripts.

However, I suppose you could still argue that by using exceptions, you are still theoretically putting yourself at risk for the sites you are applying exceptions for. For example, a malicious logger script/process could still harvest your Hotmail login data if you put Hotmail into the exception list. Correct?

Re: HTTPS Mixed content

Posted: Thu Oct 28, 2010 10:02 am
by Giorgio Maone
ssj100 wrote:Thanks, interesting tip. Never looked much at NoScript beyond the white-list of scripts.

However, I suppose you could still argue that by using exceptions, you are still theoretically putting yourself at risk for the sites you are applying exceptions for. For example, a malicious logger script/process could still harvest your Hotmail login data if you put Hotmail into the exception list. Correct?
HTTPS won't save you from a "malicious logger script/process" anyway, because if it's a keylogger, or a screenscraper, or an XSS DOM walker we're talking about, it won't sniff the network communication (which is encrypted by HTTPS) but the unencrypted data in the login web page.

That said, exceptions (my twitter.com was just an example) to an HTTPS enforcing rule are meant not to break sites which actively enforce plain HTTP on some pages, otherwise the web site won't work correctly. If a web site has such a foolish setup, it doesn't deserve my sensitive data anyway.

Re: HTTPS Mixed content

Posted: Thu Oct 28, 2010 6:16 pm
by ssj100
Well if you use Hotmail, you'll need to add "live.com" into the exceptions list of your code, otherwise you can't login!

Regardless, I've got a question or two regarding "mixed content" logging - how exactly would a "malicious logger" do this? Would it be through e.g. hijacking of the site's javascript properties? With the example that Microsoft gives, it shows that it doesn't require any "extra" scripts for it to work - all you need is to allow "microsoft.com". I suppose this means if you allowed your banking site's script(s) to run, NoScript wouldn't protect you from such malicious logging unless you used ABE? And therefore, going by this theory, there's no way NoScript would protect you (since you'd need to allow "live.com" in your ABE code) if you use Hotmail as your e-mail?

Re: HTTPS Mixed content

Posted: Thu Oct 28, 2010 7:41 pm
by Giorgio Maone
ssj100 wrote:Well if you use Hotmail, you'll need to add "live.com" into the exceptions list of your code, otherwise you can't login!
This means the site is buggy beyond any hope (because it forces unencrypted HTTP on some exchanges, for inexplicable reasons), and you should stop using it by principle.
ssj100 wrote: Regardless, I've got a question or two regarding "mixed content" logging - how exactly would a "malicious logger" do this?
If some content is served through HTTP, and the attacker controls part or all of the network infrastructure you're using (e.g. the DNS, or the exit node you're using if you're connected through TOR), a man in the middle attack is possible: the malicious party will replace the HTTP content with its own, causing the HTTPS site to load through compromised HTTP a script which can access the DOM of the main page and read any data there, including passwords, or even load and read other pages using hidden frames or XHR.

Notice, though, that the scenario above is different from the "Firesheep" attack, because Firesheep doesn't rely on "mixed content", i.e. an HTTPS page embedding HTTP elements, but on a sloppy/incomplete HTTPS implementation, i.e. a site which doesn't use HTTPS, or uses it only for some pages, and anyway doesn't enforce a strict HTTPS policy (which, on the contrary, means that HTTP should not be allowed on that domain at all). A "Firesheep" attack doesn't require scripting (the attacker just passively sniffs the network traffic), but on the other hand is easily defeated by forcing HTTPS, if the site supports it.
ssj100 wrote:With the example that Microsoft gives, it shows that it doesn't require any "extra" scripts for it to work - all you need is to allow "microsoft.com".
I'm not sure I follow you here. Which is the example Microsoft gives?
ssj100 wrote:I suppose this means if you allowed your banking site's script(s) to run, NoScript wouldn't protect you from such malicious logging unless you used ABE?
Who told you that? If all the content on the banking site is forced to HTTPS, and supposing there's no system-level keylogger installed by a trojan (in which case you'd have definitely bigger troubles), no malicious logging will happen unless the bank site itself has been successfully compromised.

Notice also that in the bank scenario NoScript will actively prevent another kind of attack which could work around even a full-HTTPS web site's security, i.e. cross-site scripting attacks injecting malicious scripts.
ssj100 wrote:And therefore, going by this theory, there's no way NoScript would protect you (since you'd need to allow "live.com" in your ABE code) if you use Hotmail as your e-mail?
Don't forget the original premise: if HTTPS cannot be fully enforced (and if this is the case, the site is definitely to blame with great shame), NoScript cannot protect you on a hostile network, i.e. when the attacker controls the DNS, or can sniff the traffic (in a public WiFi hotspot, for instance).
But as I told you, if this is the case you'd better change your provider (GMail provides full HTTPS encryption, for instance).

Re: HTTPS Mixed content

Posted: Fri Oct 29, 2010 1:54 am
by ssj100
Thanks for the comments. Very helpful.

The Microsoft example is here:
https://ie.microsoft.com/testdrive/brow ... dgrove.htm

What do you think about it?

Re: HTTPS Mixed content

Posted: Fri Oct 29, 2010 12:45 pm
by Giorgio Maone
ssj100 wrote:Thanks for the comments. Very helpful.

The Microsoft example is here:
https://ie.microsoft.com/testdrive/brow ... dgrove.htm

What do you think about it?
Nothing. Firefox shows quite clearly that the site is unsafe: even though the address is https://, the identity icon is neither blue nor green, meaning that I can't rely on encryption and should not enter sensitive credentials.

Re: HTTPS Mixed content

Posted: Fri Oct 29, 2010 12:58 pm
by ssj100
Well, by using your NoScript code (above), it blocks it anyway.

Re: HTTPS Mixed content

Posted: Fri Oct 29, 2010 1:19 pm
by Giorgio Maone
ssj100 wrote:Well, by using your NoScript code (above), it blocks it anyway.
Yes, NoScript is awesome :cool:. I was only noticing that IE9 is not much better than vanilla Firefox :)

Re: HTTPS Mixed content

Posted: Fri Oct 29, 2010 9:54 pm
by ssj100
Yes indeed. By the way, why do you use the symbol ^ before http and https for that code above?

Re: HTTPS Mixed content

Posted: Fri Oct 29, 2010 10:10 pm
by Giorgio Maone
ssj100 wrote:Yes indeed. By the way, why do you use the symbol ^ before http and https for that code above?
Oh, just habit to use regular expressions. It means "start anchor", i.e. the matching string must start with whatever follows.

However in recent NoScript versions it's unneeded, because scheme-only patterns are automatically converted into left-anchored regexps.
Therefore the rule can be simplified as:

Code:

Site http:
Accept from .exception1.com .exception2.com
Deny from https:

Re: HTTPS Mixed content

Posted: Fri Oct 29, 2010 10:30 pm
by ssj100
Thanks, yes I tested it without ^ and it still worked, hence my curiosity.

Re: HTTPS Mixed content

Posted: Fri Oct 29, 2010 10:54 pm
by ssj100
Just another query. Can I just confirm:

This code means live.com and twitter.com are exempted from the rule (presumably the "comma" separates it out):

Code:

Site ^http://
Accept from .live.com, .twitter.com
Deny from ^https://
This code means nothing is exempt from the rule (I notice I have to put the "full stop" to ensure the code works):

Code:

Site ^http://
Accept from .
Deny from ^https://
Thanks.
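As an added example (not NoScript's or ABE's own code, and not posted by anyone in this thread), the following JavaScript models the ABE ruleset Giorgio gave above, in both its `^http://` regexp form and its simplified `http:` form, and applies it to the subresources of a constructed HTTPS login page, so the reader can see which embedded HTTP loads the "Deny from https:" line stops and which an "Accept from" exception lets through. It also answers the last post's two questions under the stated assumptions. The matching semantics are assumptions, not taken from the ABE documentation: action lines are checked in order and the first matching "from" entry wins; a leading-dot entry such as `.live.com` matches that host and its subdomains; entries may be separated by spaces or commas; `http:`/`https:` entries match the scheme; `^...` entries are regexps; a request no line matches is allowed. The page URL, hostnames and HTML are constructed for the example.

```javascript
// Added example, not NoScript's or ABE's own code: a small model of the ABE
// ruleset from this thread, applied to the subresources of an HTTPS page.
// Assumptions (labelled as such, not taken from the thread): action lines
// under a Site are checked in order and the first "from" match wins; a
// from-entry with a leading dot (".live.com") matches that host and its
// subdomains; entries may be separated by spaces or commas; "http:" and
// "https:" entries match a URL's scheme; "^..." entries are regexps; a
// request that no line matches is allowed by default.

const SAMPLE_RULESET = `
Site http:
Accept from .live.com, .twitter.com
Deny from https:
`;

// Kinds of subresource a page can embed; anchors are navigations, not loads.
const SUBRESOURCE_TAGS = {
  script: 'active', iframe: 'active', link: 'active', object: 'active', embed: 'active',
  img: 'passive', audio: 'passive', video: 'passive',
};

// Constructed sample page: an HTTPS login page that embeds one HTTP script
// and one HTTP image (the mixed content the thread is about).
const SAMPLE_PAGE_URL = 'https://www.example-bank.test/login';
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="https://cdn.example-bank.test/site.css">
<script src="http://cdn.example-bank.test/analytics.js"></script>
</head><body>
<img src="http://images.example-bank.test/logo.png">
<iframe src="https://login.example-bank.test/frame"></iframe>
<a href="http://www.example-bank.test/help">help</a>
</body></html>`;

// Parse "Site ...", "Accept from ...", "Deny from ..." lines.
function parseRuleset(text) {
  const rules = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const [verb, ...rest] = line.split(/\s+/);
    if (verb === 'Site') {
      current = { site: rest.join(' ').split(/[\s,]+/).filter(Boolean), actions: [] };
      rules.push(current);
    } else if ((verb === 'Accept' || verb === 'Deny') && rest[0] === 'from' && current) {
      const from = rest.slice(1).join(' ').split(/[\s,]+/).filter(Boolean);
      current.actions.push({ action: verb.toLowerCase(), from });
    } else {
      throw new Error(`unrecognised ABE line: ${line}`);
    }
  }
  return rules;
}

// Does one pattern match a URL? (see the assumptions above)
function matchesPattern(pattern, url) {
  const u = new URL(url);
  if (pattern === 'http:' || pattern === 'https:') return u.protocol === pattern;
  if (pattern.startsWith('^')) return new RegExp(pattern).test(url);
  if (pattern.startsWith('.')) {
    const domain = pattern.slice(1); // a bare "." has no domain and matches nothing here
    return domain !== '' && (u.hostname === domain || u.hostname.endsWith('.' + domain));
  }
  return u.hostname === pattern; // assumption: a bare host matches exactly
}

// First matching action line of the first Site that covers the request wins.
function decide(rules, originUrl, requestUrl) {
  for (const rule of rules) {
    if (!rule.site.some((p) => matchesPattern(p, requestUrl))) continue;
    for (const { action, from } of rule.actions) {
      if (from.some((p) => matchesPattern(p, originUrl))) return action;
    }
  }
  return 'accept'; // nothing matched: allowed by default
}

// Pull src/href attributes out of tags with a regex (enough for this sample).
function extractSubresources(html) {
  const out = [];
  const re = /<(\w+)[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push({ tag: m[1].toLowerCase(), url: m[2] });
  return out;
}

// For each embedded resource: is it mixed content, and what does the rule do?
function auditPage(rulesetText, pageUrl, html) {
  const rules = parseRuleset(rulesetText);
  const pageScheme = new URL(pageUrl).protocol;
  const report = [];
  for (const { tag, url } of extractSubresources(html)) {
    const kind = SUBRESOURCE_TAGS[tag];
    if (!kind) continue;
    const abs = new URL(url, pageUrl).href;
    const mixed = pageScheme === 'https:' && new URL(abs).protocol === 'http:';
    report.push({ tag, url: abs, kind, mixed, decision: decide(rules, pageUrl, abs) });
  }
  return report;
}

// Mixed content the rule would still let the browser fetch over plain HTTP.
function leakedMixedContent(report) {
  return report.filter((r) => r.mixed && r.decision === 'accept');
}

console.log(auditPage(SAMPLE_RULESET, SAMPLE_PAGE_URL, SAMPLE_HTML));
```

Run with `node`. On the sample page the HTTP script and HTTP image are both reported as mixed content and denied, while the same HTTP script requested from an `https://mail.live.com/` origin is accepted because of the `.live.com` exception: that exception is exactly the hole ssj100 worries about, since an attacker on the network can replace that one script and read the page's DOM. Note that this only models which requests the rule blocks; whether the browser then shows its secure-site icon is a separate question, as Boelie observed.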