Page 1 of 2 12 LastLast
Results 1 to 10 of 17

Thread: Noscript is not enough!

  1. #1
    Join Date
    Dec 2006
    Beans
    217

    Noscript is not enough!

    So recently (or not so recently depending on how fast posts get moderated around here (I've been a bad boy)) reddit was hit by a javascript attack that made its own readers (a relativly tech informed crowd) attackers, many like myself use noscript to prevent this kind of thing.

    Unfortunately NoScript comes from a broken way of thinking, "you can identify attacking sites and trusted sites", the attack code for this was coming from reddit.com (a site you have to allow in order to use reddit). The only way this sort of bug can be protected against is by use of javascript filtering tools such as controldescripts that filter javascript request by type and domain, with such a tool it would be possible to protect yourself much more effectively.

    using such tools complex rulesets could do something like this:
    mouseclick is submitting info -> allow
    mouseover is requesting data -> allow
    mouseover is submitting data -> request user confirmation
    javascript function is doing something weird -> request user confirmation
    javascript is trying to use a known exploit* -> deny and notify user
    ...etc

    You could also combine this with domain checking to have lists of pages where you allow
    • no-js (untrusted),
    • simple-JS (google, youtube, etc) but [it might allow functionality but could prevent tracking],
    • complex-js (facebook, etc) [all the ajax stuff means simple-JS wouldn't work]
    • all-JS (fancynewsite.com) [even the complex list of functions you allow just isn't enough]

    such tools could also help the paranoid among us use website that require JS while disabling mousetracking and sending of data on non-click actions.

    *rulesets could significantly reduce the impact of 0-days

    Why am i posting here? Well I've been saying this stuff to anybody that will listen for a while, but now reddit (a fairly big tech orientated site has been hit and no-script sat idly by) so maybe somebody might listen.
    Why am I not using it myself if I'm so clever? I'm not and i know very little about JS so my attempts at rule-sets were useless!

  2. #2
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,721
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

  3. #3
    Join Date
    Apr 2009
    Location
    Ellensburg, WA
    Beans
    1,441
    Distro
    Ubuntu

    Re: Noscript is not enough!

    Extensions are mainly open-source, have you thought of making a fork?

  4. #4
    -grubby is offline May the Ubuntu Be With You!
    Join Date
    Aug 2007
    Beans
    Hidden!

    Re: Noscript is not enough!

    You may wish to contact the maintainer of NoScript about this.

  5. #5
    Join Date
    Dec 2006
    Beans
    217

    Re: Noscript is not enough!

    Extensions are mainly open-source, have you thought of making a fork?
    I think i addressed this with:
    Why am I not using it myself if I'm so clever? I'm not and i know very little about JS so my attempts at rule-sets were useless!
    This makes my chances of making the extension (which AFAIK are mainly written in JS) and the rulesets next to nil. I think the extension is pretty much already there in the form of control de scripts but I don't know enough about JS to make useful rulesets. I also don't think its possible to do automatic per domain stuff (like noscripts allow TLD by deafult)

  6. #6
    Join Date
    Dec 2006
    Location
    Riga, Latvia
    Beans
    74
    Distro
    Ubuntu Karmic Koala (testing)

    Re: Noscript is not enough!

    You repeatedly imply that somehow "tech oriented crowds" are supposed to be insusceptible to JavaScript XSS annoyances. Being "tech oriented" does not mean one will start avoiding JavaScript.

    I for one have always considered such extensions to be too paranoid already.

  7. #7
    Join Date
    Dec 2007
    Location
    The last place I look
    Beans
    Hidden!
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Noscript is not enough!

    ghostery will at least show you the domains behind the site you are on. yeah, if a site has XSS wholes in it, it is stupid to allow it in noscripts. thats a no-brainer. if you allow somthing, then you have...well...allowed it.

  8. #8
    Join Date
    Jan 2007
    Beans
    1,795

    Re: Noscript is not enough!

    Thanks for the information.

  9. #9
    Join Date
    Dec 2006
    Beans
    217

    Re: Noscript is not enough!

    Quote Originally Posted by doas777 View Post
    ghostery will at least show you the domains behind the site you are on. yeah, if a site has XSS holes in it, it is stupid to allow it in noscripts. thats a no-brainer. if you allow somthing, then you have...well...allowed it.
    The problem is without access to a websites source code and detailed knowledge of the language they use its impossible to tell if a website is vulnerable to XSS until it gets hit.

    You repeatedly imply that somehow "tech oriented crowds" are supposed to be insusceptible to JavaScript XSS annoyances. Being "tech oriented" does not mean one will start avoiding JavaScript.
    My point is that in the past those seeking security turned to tools like noscript to defend themselves against the evils code on the internet, which does not provide nearly as much protection as they assume, but does make general web browsing much more difficult. "Tech oriented" people are likely to want the option of browsing securely, noscript is not the right tool for this.

  10. #10
    Join Date
    Feb 2008
    Location
    Shasta County, CA
    Beans
    91
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Noscript is not enough!

    NoScript is an excellent tool.
    If you allow a site it generally allows any script from that domain (though it does do some blocking) but it does not guarantee XSS security. It is one of many technologies that help.

    My browser crashes far less often with NoScript enabled, it's worth it to me just for that.

Page 1 of 2 12 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •