Is there a prank in this forum? In line with this, an RFE.
Posted: Fri Nov 26, 2010 2:33 am
I was composing a new message, with this subject "Could we have NS as a general-purpose redirect blocker?" However, I was surprised that when I previewed my message, the forum redirected me to this url. It seems that something about this particular subject line triggers this redirection behavior, and that this serves as my case-in-point for the following request.
Now this didn't raise concern for me at all, were it not for the knowledge that the destination url is a "friendly." Even though it says evil, it is a site that hosts various proof-of-concept codes. So perhaps this was a prank after all that caught me a bit surprised, or an unintentional bug that had been overlooked, but now eventually exposed.
The browser has a little known feature that can block automatic page redirects or reloads. In its original incarnation, it was deemed merely an "...accessibility feature." But it is not surprising if prominent events in the news invite attacks such as this and this.
Such a feature can be a first line of defense against attacks that redirect to drive-by malware downloads and masquerading pages that trick users into infecting their system. This feature is known as the "Warn me when sites try to redirect or reload the page" option, falling under the advanced section, general tab, accessibility subsection of the browser options.
In its current state, it falls short in several points, which should have made it more a security measure than an accessibility feature:
1.) It fails to distinguish between redirection to another page within the same domain and redirection to another page from a different domain. Moreover, this is further amplified as the info bar that appears does not indicate the url that the redirect points to. This is essential as it determines if one is to allow the redirect to occur depending upon the destination page, irrespective of its destination domain.
2.) It fails to block all known redirection techniques, as exemplified by the aforementioned prank. I do not claim to know all redirection techniques, but I can offer up another test case in which it fails to notify of the redirect, such as this.
Leaving the current implementation behind, perhaps NoScript can bank on the former's shortcomings and provide a security-oriented approach.
I know NS already has an implementation in place, but it only works for untrusted sites. It would be nice if this redirection blocker could be elevated to a general-purpose utility that can protect against all known redirection techniques, whether by javascript or html headers, and that is active for all sites.
And perhaps NS can go a little further by offering options such as allowing same-domain redirections to occur, or notifying against automatic page reloads. Of course, when the implementation is ripe, then adding features like whitelisting would be like putting cream on top.
NoScript is more than a javascript whitelisting add-on; it has been a security device that is a MUST for every Gecko-based browser, and even for all browsers if they can support its implementation for that matter. Even if allowing all scripts to run globally, it has several other indispensable features that make your browser, as the tag line says, "...really safer..."
Just sharing my thoughts
/m
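As an added illustration of the policy the post asks for (allow same-domain redirects, warn on cross-domain ones while showing the destination, notify on plain reloads), the following is example code written for this thread, not NoScript's or Firefox's own implementation. It parses the `Refresh` header / `<meta http-equiv="refresh">` value, which is one of the html-header redirect techniques mentioned above, and uses a simple last-two-labels heuristic as the "same domain" test (an assumption; a real blocker would consult a public-suffix list).

```javascript
// Parse a Refresh header or <meta http-equiv="refresh" content="..."> value,
// e.g. "5; url=https://example.org/" or "0;URL='/login'" (constructed samples).
// Returns { delay, url } with url resolved against baseUrl, or null when the
// value is not a refresh directive. A bare delay with no url means "reload".
function parseRefresh(content, baseUrl) {
  const m = /^\s*(\d+)\s*(?:[;,]\s*(?:url\s*=\s*)?['"]?([^'"\s]*)['"]?)?\s*$/i.exec(content);
  if (!m) return null;
  const target = m[2] ? new URL(m[2], baseUrl).href : new URL(baseUrl).href;
  return { delay: Number(m[1]), url: target };
}

// "Same domain" heuristic: compare the last two host labels. This is an
// assumption for the example; it mis-handles suffixes such as co.uk.
function domainOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Classify a pending navigation from currentUrl to targetUrl and return the
// action a redirect blocker should take. The destination is always included
// so an info bar can display it, which is the first shortcoming listed above.
function classifyRedirect(currentUrl, targetUrl,
                          opts = { allowSameDomain: true, notifyReload: true }) {
  const from = new URL(currentUrl);
  const to = new URL(targetUrl);
  if (from.href === to.href) {
    return { kind: 'reload', action: opts.notifyReload ? 'notify' : 'allow', target: to.href };
  }
  if (domainOf(from.href) === domainOf(to.href)) {
    return { kind: 'same-domain', action: opts.allowSameDomain ? 'allow' : 'warn', target: to.href };
  }
  return { kind: 'cross-domain', action: 'warn', target: to.href };
}

// Convenience: decide directly from a Refresh value seen on the current page.
// Returns null when the value is not a refresh directive at all.
function decideFromRefresh(currentUrl, refreshContent, opts) {
  const parsed = parseRefresh(refreshContent, currentUrl);
  return parsed ? classifyRedirect(currentUrl, parsed.url, opts) : null;
}

// Constructed walk-through for a page on a fictitious forum host.
const page = 'https://forum.example.net/post';
console.log(decideFromRefresh(page, '5; url=https://example.org/'));  // cross-domain, warn
console.log(decideFromRefresh(page, "0;URL='/login'"));               // same-domain, allow
console.log(decideFromRefresh(page, '7'));                            // reload, notify
```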