Results 1 to 10 of 10

Thread: DT's NoScript Configuration Guide

Hybrid View

  1. #1
    Dangertux is offline Chocolate Ubuntu Mocha Blend
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,771
    Distro
    Ubuntu 10.04 Lucid Lynx

    DT's NoScript Configuration Guide

    I just posted this here... If someone thinks it needs its own thread feel free to make it so or tell me to make it so and I'll make the thread and delete this, it just isn't really Ubuntu-centric and its more relevant to this discussion.

    P.S : If you guys like it I can jusjt copy paste it to the wiki

    So yeah...lol.. Also the VUPEN thing -- You guys clearly haven't seen the new Chrome POC's. It's getting nasty (they're paying $1000+ for anyone who wants to do the research and submit POC though)

    DT's NoScript Configuration Guide


    This is a quick run-through of configuring NoScript under Firefox. You can get NoScript here : http://noscript.net/getit



    Click the NoScript (S) icon next to your URL bar in firefox and choose "Options"


    General Tab

    Default Settings are Fine

    Whitelist Tab

    You should add a list of frequently visited sites that you trust. Please note Whitelisting a site will not stop NoScript from protecting you from XSS/CSRF and ABE violations (we'll explain this more later). You will notice there are already some sites whitelisted for you. If for some reason you do not trust those sites you may highlight them and click "Remove Site" and it will no longer be in the whitelist. You should add trusted top-level sites to make it easier.

    Adding a whitelisted site

    Simply type the domain of the site into the "Address of Website Bar" and click "Allow" example : http://ubuntuforums.org or ubuntuforums.org




    After you have whitelisted the sites you commonly visit and trust you are done here.

    Note : You need to weight the probability that the site is secure when whitelisting it. For example: http://canonical.com (probably okay) http://superleethackersecrets.ru (probably not so much) Keep in mind this is entirely subjective and unless you plan on running a vulnerability assessment against the site all you can do is trust the administration of that site.

    Embeddings Tab



    This is an important tab and we will be modifying the default settings considerably here. Outside of the default settings you probably also want to place a check in the boxes ("Forbid <IFRAME>", "Forbid <FRAME>", "Forbid WebGL", "No placeholder objects from sites marked as untrusted"). Additionally for ease of use you may wish to choose "Collapse Blocked Objects" this doesn't add or detract security, it just makes sites displaying blocked cross site content display more clearly.

    "Apply these restrictions to Whitelisted Sites" : This should probably be left unchecked unless you are super paranoid and want to break all your favorite sites.

    Appearance Tab

    This is entirely up to you, and depends on how you want NoScript to display itself. I leave it at default, and will not discuss it further here.

    Notifications Tab

    This is how noisy NoScript is going to be. It will not change the amount of protection NoScript gives you, however it will tell you when NoScript alerts you or doesn't alert you to different blocked content or actions. The default settings are fine here as well.

    Advanced Tab


    These are your advanced NoScript options and contain several sub tabs which we will go through now.
    Untrusted sub-tab



    For untrusted sites you will wish to place a check in the following boxes ("Forbid bookmarklets", "Forbid META redirections inside <NOSCRIPT> tags">

    Trusted sub-tab


    The default settings for this sub tab are acceptable so long as you are not "Trusting" sites that should not be trusted, refer to the same procedure as whitelisting.

    XSS sub-tab


    This tab allows you to configure your cross site scripting protection and whitelisting. It offers the ability for you to enter regular expressions for pattern matching of sites to trust cross site content from. By default the settings in the XSS tab are relatively secure. If you do not know regex I do not suggest attempting to learn here as a typo can lead you from trusting cross-site content from "look alike domains" like fakebook.com as opposed to facebook.com. If you wish to learn about basic regex here is a decent explanation : http://linuxreviews.org/beginner/tao...r_expressions/

    HTTPS sub-tab

    This subtab allows you to force SSL on certain sites (of your choosing) as well as affect SSL cookie behavior. It has two sub-sub-tabs "Behavior" and "Cookies"

    Behavior sub-sub-tab




    I would not recommend using "Force forbid active web content unless it comes from a HTTPS connection" as it will break the vast majority of websites. However I do recommend forcing HTTPS for sites where you store important information and or conduct financial transactions. In my example you can see I added my banks and social networking sites. You may type them in the pane seperating them with newlines. When you have done that move to the "Cookies" sub-sub tab.

    Cookies sub-sub-tab



    This sub sub tab allows you to force cookie encryption over SSL. All major sites should support this functionality, and as you can see from the example I added the same sites that I chose to force SSL for in the previous tab. You add them in the same manner. Once you are done we can move on to the ABE Tab

    ABE Tab

    This stands for Application Boundary Enforcement. This is one of the ways NoScript prevents things like NAT Pinning and some DNS based attacks. The default settings are fine, however its important to understand the major role this plays in your protection. I'm sure many of us know that 192.168.1.1 is a private address, meaning you might find it on your home network. Possibly your router's IP address. That being said, no internet based host should be sending anything to this address. If it is doing so it is likely attempting to use your machine as a relay to send code to another machine on your network, otherwise known as NAT pinning. That being said, if you are hosting a home server, this may cause issues if you are on the same network with the server, so don't freak out of if you get an ABE warning visiting your own website.

    External Filters Tab


    Again the default settings here are fine. However, a brief overview of what this tab does, it allows you to create filters to block certain MIME types. For those who don't know a MIME type is essentially a file type. Like we all know .jpg is an image, or .fmv is a flash movie file. This allows you to set up filters based on those file types, on a site by site basis. This allows extremely fine grained control, so much so that we're not going to cover it here however if you would like to try to experiment I would suggest picking a content rich site and creating filters one by one to block all the content on the site but the static html. That should get you familiar with MIME type blocking.


    After you are done configuring NoScripts Options, make sure "Forbid Scripts Globally" is Enabled (this will not effect your whitelisted sites). Restart your browser and surf safer

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: DT's NoScript Configuration Guide

    Awesome job on the guide, DT. I have stickied it for now.

    Maybe you can put it up on your site, or on the wiki.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Dangertux is offline Chocolate Ubuntu Mocha Blend
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,771
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: DT's NoScript Configuration Guide

    Quote Originally Posted by CharlesA View Post
    Awesome job on the guide, DT. I have stickied it for now.

    Maybe you can put it up on your site, or on the wiki.

    This has been on my site for a while, thanks for the sticky. I meant to add it to the wiki forever ago and never got around to it.

    Hopefully I can get some time this weekend to knock that out.

    DT \x00

  4. #4
    Join Date
    Sep 2011
    Beans
    1,531

    Re: DT's NoScript Configuration Guide

    Hello. I put DT's NoScript Configuration guide into the Basic Security Wiki. Maybe someone can proofread it for me?

    I kind of hate the formatting I used, suggestions are welcome.

  5. #5
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: DT's NoScript Configuration Guide

    Quote Originally Posted by Ms. Daisy View Post
    Hello. I put DT's NoScript Configuration guide into the Basic Security Wiki. Maybe someone can proofread it for me?

    I kind of hate the formatting I used, suggestions are welcome.
    Looks good from the glance I took of it. The double horizontal rules kinda look odd, but not too bad.

    Maybe it would be better to have that one on it's own wiki page with a link from the BasicSecurity one?
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  6. #6
    Join Date
    Feb 2012
    Beans
    Hidden!

    Re: Because I love you guys so much and don't want you to get XSS'ed :-)

    Thanks for the guide. A good starting point for a great security tool

  7. #7
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Because I love you guys so much and don't want you to get XSS'ed :-)

    OK, this guide now officially lives on its own wiki page

    https://wiki.ubuntu.com/BasicSecurity/NoScript

  8. #8
    Join Date
    Mar 2011
    Beans
    665

    Re: Because I love you guys so much and don't want you to get XSS'ed :-)

    It's worth noting that you should probably use NoScript even if you whitelist globally. Less annoying but still helps keep things secure.

  9. #9
    Join Date
    Jun 2008
    Location
    Across The Pond
    Beans
    762
    Distro
    Xubuntu 12.04 Precise Pangolin

    Re: DT's NoScript Configuration Guide

    Very helpful. Thanks.
    "Everybody is ignorant, only on different subjects." Will Rogers

  10. #10
    Join Date
    Oct 2012
    Location
    here and there, they say.
    Beans
    Hidden!
    Distro
    Ubuntu 12.10 Quantal Quetzal

    Re: DT's NoScript Configuration Guide

    Many thanks for the comprehensive guide. I appreciate all the time and effort that went into making this - and its corresponding wiki page. Now I can breathe a tad easier...

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •