InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

Feature request: auto whitelist local ips

https://forums.informaction.com/viewtopic.php?t=7731

Page 1 of 1

Feature request: auto whitelist local ips

Posted: Thu Nov 24, 2011 11:54 pm
by Ostfriese
Hi,
I'm using some network hardware (gateway, printserver etc) which have web interfaces for configuration. So I think it would be helpful if noscript would auto whitelist local ip adresses (192.168.x.y).

Re: Feature request: auto whitelist local ips

Posted: Fri Nov 25, 2011 3:24 am
by Tom T.
Without even trying to think of ways in which this could be misused (exploited), is it really so difficult to click *once* on "Allow 192.168.1.1", as I once did, and never have to bother again? (I have a similar setup.)

Or to open NoScript > Options > Whitelist and add https://192.168.1.1? (I'm assuming you took the additional precaution of configuring the router's Web interface to accept only secure, https connections.)

Being a holiday, I'll leave to others the challenge of finding exploits for the fact that not all hw uses the same local IP, so the proposal would indeed have to be in the wildcard form of 192.168.*.*. ... or whether any hw uses other non-publicly-routable spaces, like 5.x or 10.x. (Hamachi VPN uses 5.x.x.x)

Tongue-in-cheek, couldn't the "allow" have been done more quickly than the post here? ;)
Happy Thanksgiving Day from the USA! :)

Re: Feature request: auto whitelist local ips

Posted: Fri Nov 25, 2011 5:32 am
by Alan Baxter
Ostfriese wrote:I think it would be helpful if noscript would auto whitelist local ip adresses (192.168.x.y).
I think that's covered already by subnet matching.
http://noscript.net/features#sitematching
Whitelisting 192.168 should allow your whole subnet.

Re: Feature request: auto whitelist local ips

Posted: Sat Nov 26, 2011 10:44 am
by Tom T.
Alan Baxter wrote:
Ostfriese wrote:I think it would be helpful if noscript would auto whitelist local ip adresses (192.168.x.y).
I think that's covered already by subnet matching.
http://noscript.net/features#sitematching
Whitelisting 192.168 should allow your whole subnet.
Thanks to Alan for pointing to that. However, you still might consider considering securing the web interface to allow only https connections.

The FAQ isn't clear on whether subnet matching permits protocol matching as well, e. g. https://192.168.

Which is why Giorgio's FAQ and my humble opinion are in agreement:
Giorgio Maone wrote:By the way, most of the time you prefer not to fiddle with your whitelist manually: just use the NoScript "Allow" and "Forbid" menu items, it's much simpler and error free!
Disconnect from the internet for safety, open the interface, allow 192 etc., configure to https if not already done so. Probably have to re-login to https://192.whatever. Then allow https://192.168.whatever.whatever yours is, and revoke the permission for http://192.etc.

Just hardening it a little bit more, says the guy in the tinfoil hat. :D
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited