Firekeeper IDS for FireFox
Longboard
March 10th, 2007, 04:31 PM
This might be interesting devt:
http://firekeeper.mozdev.org/index.html
Would this offer any better protection in general than FF itself with NoScript and AdBlock Plus?
Alpha version only.
I don't think I could get the test page links to do anything in FF
(did not test with IE6)
sukarof
March 10th, 2007, 05:10 PM
Interesting. I installed it. The options in the extension are grayed so I can't change anything...
Well, I'll run it for a while and see if it does anything useful :)
Wladimir Palant
March 11th, 2007, 06:37 PM
Neither Adblock Plus nor NoScript are really security solutions, they will rarely be helpful when it comes to security. But this FireKeeper extension doesn't seem to make much sense either. It is a classical IDS, routes all HTTP traffic through itself and looks for suspicious strings. The rules (http://www.mozdev.org/source/browse/~checkout~/firekeeper/src/chrome/content/rules/default.rules) come from snort and are meant for all browsers - most entries refer to vulnerabilities in Internet Explorer or plugins (note that plugins download their data themselves so that this extension won't help). There are only two rules that are related to Mozilla. One is an ancient bug in Mozilla 1.0 (the Suite, not Firefox). The other is document.domain JavaScript property. By design document.domain could in fact be an issue but disabling it will break a number of major sites (I tried). And anyway, it is better to disable document.domain using CAPS (http://www.mozilla.org/projects/security/components/ConfigPolicy.html) since the IDS can easily be tricked by changing the code on the page slightly (and JavaScript is a very flexible language, you can write the same thing in many different ways).
This rules list is compiled from published vulnerabilities - but the vast majority of published Firefox vulnerabilities are already fixed. And because the IDS searches only for some known string it is easily tricked by changing this string slightly (intentionally or not). So the most recommendable course of action is still to keep your browser updated. And if you install an IDS you should install it in your operating system so that it catches all traffic. An IDS as a browser extension misses too much and isn't very helpful.
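Added example (not part of any post in this thread, and not Firekeeper's code): a sketch of the point made above that a literal-string rule misses the same operation written differently, while a control applied at the property itself does not. The rule literal, the sample scripts and the Proxy guard are all constructed for illustration; the guard only stands in for a property-level policy and is not how CAPS is implemented.

```javascript
// Added example: every name and sample below is constructed for illustration.

// Hypothetical content rule: flag a response body containing this literal.
const RULE_LITERAL = "document.domain";

// Constructed page scripts. All three perform the same property write.
const SAMPLES = [
  { name: "dot",     src: 'document.domain = "example.com";' },
  { name: "bracket", src: 'document["domain"] = "example.com";' },
  { name: "concat",  src: 'document["dom" + "ain"] = "example.com";' },
];

// Signature approach: literal substring search over the source text,
// which is all a string-matching rule can see.
function signatureFlags(src) {
  return src.includes(RULE_LITERAL);
}

// Policy approach: a stand-in "document" whose domain property refuses
// writes, no matter how the script spells the access.
function makeGuardedDocument() {
  const state = { domain: "www.example.com" };
  return new Proxy(state, {
    set(target, prop, value) {
      if (prop === "domain") {
        throw new Error("policy: document.domain is not writable");
      }
      target[prop] = value;
      return true;
    },
  });
}

// Run one sample against the guarded stand-in and report whether the
// policy stopped it. Only the constructed SAMPLES are ever executed here.
function policyBlocks(src) {
  const guarded = makeGuardedDocument();
  try {
    new Function("document", src)(guarded);
    return false;
  } catch (err) {
    return /^policy:/.test(err.message);
  }
}

// Side-by-side result for each sample.
function compare() {
  return SAMPLES.map((s) => ({
    name: s.name,
    signature: signatureFlags(s.src),
    policy: policyBlocks(s.src),
  }));
}

for (const row of compare()) {
  console.log(`${row.name}: signature=${row.signature} policy=${row.policy}`);
}
```

The string rule flags only the first spelling; the property-level guard stops all three, which is the argument for enforcing the restriction in the browser rather than searching traffic for text.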
cheater87
March 11th, 2007, 11:22 PM
This looks awesome. I'll wait till the full version comes out though. Not much of a testing guy.
Devil's Advocate
March 12th, 2007, 03:36 AM
-{ Quote: "Neither Adblock Plus nor NoScript are really security solutions, they will rarely be helpful when it comes to security. But this FireKeeper extension doesn't seem to make much sense either. It is a classical IDS, routes all HTTP traffic through itself and looks for suspicious strings. The rules (http://www.mozdev.org/source/browse/~checkout~/firekeeper/src/chrome/content/rules/default.rules) come from snort and are meant for all browsers - most entries refer to vulnerabilities in Internet Explorer or plugins (note that plugins download their data themselves so that this extension won't help). There are only two rules that are related to Mozilla. One is an ancient bug in Mozilla 1.0 (the Suite, not Firefox). The other is document.domain JavaScript property. By design document.domain could in fact be an issue but disabling it will break a number of major sites (I tried). And anyway, it is better to disable document.domain using CAPS (http://www.mozilla.org/projects/security/components/ConfigPolicy.html) since the IDS can easily be tricked by changing the code on the page slightly (and JavaScript is a very flexible language, you can write the same thing in many different ways).
This rules list is compiled from published vulnerabilities - but the vast majority of published Firefox vulnerabilities are already fixed. And because the IDS searches only for some known string it is easily tricked by changing this string slightly (intentionally or not). So the most recommendable course of action is still to keep your browser updated. And if you install an IDS you should install it in your operating system so that it catches all traffic. An IDS as a browser extension misses too much and isn't very helpful." }-
Thanks, that's what I thought. I'll pass.
Longboard
March 13th, 2007, 05:24 AM
@ Wladimir Palant
Thank you: very useful :thumb:
sukarof
March 13th, 2007, 12:07 PM
-{ Quote: "Neither Adblock Plus nor NoScript are really security solutions, they will rarely be helpful when it comes to security" }-
I only use Adblock to get rid of ads, so I can't say anything about Adblock's security features. But Noscript does enhance my security enormously, or so I believe. When using it I never have to worry about any malware that might come from web pages. Simply because with Noscript they can't execute the scripts that bring malware. If that isn't a security solution I don't know what is :)
Maybe I have misunderstood Noscript completely and something else (unknown to me) is preventing me from getting infected when I visit sites like those that are mentioned in the long thread about trojans on the loose (http://www.wilderssecurity.com/showthread.php?t=136452) or is it firefox itself that blocks malware by design, regardless of the ability to run java scripts?
Wladimir Palant
March 13th, 2007, 12:19 PM
I am quite certain that most attacks can be performed without scripts if one only tries hard enough (e.g. see http://ha.ckers.org/blog/20070228/steal-browser-history-without-javascript/ and http://ha.ckers.org/blog/20070302/portscanning-without-javascript-part-2-2/). The remaining attacks are of the kind that is fixed in Firefox before even being published (not so in Internet Explorer which is why I used to disable JavaScript back when I used it). Also, tricking a user into whitelisting a site in NoScript shouldn't be too difficult, social engineering is pretty effective. But that all is a separate and very long discussion, and off-topic here.
PS: Trojan sites tend to target Internet Explorer because it is an easy target - lots of well-known vulnerabilities, many of them open for months, lots of users using old unpatched versions. I installed Firefox on the computer of a relative after he managed to infect himself with a bad trojan after only two weeks. It has been several months now and all is quiet, despite JavaScript and everything (automatic updates are activated of course). I installed Firefox on computers of several other inexperienced users as well and I have yet to hear of a single malware infection.
tlu
March 13th, 2007, 12:25 PM
-{ Quote: "I only use Adblock to get rid of ads, so I cant say anything about adblocks security features. " }-
Since Wladimir is the developer of Adblock Plus, he should definitely know about them if they exist;)
But I'm also interested why Noscript in Wladimir's opinion isn't a good measure against Javascript related security leaks - given that most FF leaks are somehow related to Javascript AFAIK.
tlu
March 13th, 2007, 12:28 PM
-{ Quote: "
But I'm also interested why Noscript in Wladimir's opinion isn't a good measure against Javascript related security leaks - given that most FF leaks are somehow related to Javascript AFAIK." }-
Sorry, Wladimir, didn't see your reply. Will look into the links provided by you.
Wladimir Palant
March 13th, 2007, 12:41 PM
Oh, and on the point of Adblock's security features - there are none :)
I am not sure why some people promote Adblock Plus as a security solution (amongst others the PC World magazine). One reason is probably the rare cases of malware infestation through ads. The other should be the MySpace worms where some recommendations were to block the worm's addresses. Both are more cases of being lucky rather than of benefiting from good protection.
chaos16
March 13th, 2007, 01:08 PM
This looks like a good extension, looking forward to the final release.
BTW what did you mean by Adblock Plus is not security? I think it is, it protects you from pop-ups.
tlu
March 13th, 2007, 01:18 PM
-{ Quote: "This looks like a good extension looking forward to the final release." }-
You obviously didn't read the postings above.
-{ Quote: " BTW wat did u mean by Adblock Plus is not security. i think it is it protects u from pop ups." }-
Again - Wladimir is the programmer of Adblock Plus. He should know best what this extension can do for you and what it can't.
Popups are not so much a security issue but rather a nuisance.
chaos16
March 13th, 2007, 01:29 PM
I did, it didn't say anything about the IDS extension :-\
Who are the developers of the IDS extension?
BTW I also got Filterset.G Updater, what does that give updates for the Adblock Plus?
tlu
March 13th, 2007, 01:45 PM
-{ Quote: "I did it didn't say anything about the IDS extension :-\
" }-
Sorry. Your remark seemed to be related to the topic of this thread.
-{ Quote: "BTW i also got Filterset.G Updater what does that give updates for the Adblock Plus?" }-
You should read http://adblockplus.org/en/faq_project#filterset.g and http://adblockplus.org/blog/filtersetg-i-call-********
chaos16
March 13th, 2007, 01:53 PM
Sorry, I meant to say I am looking forward to the final release of the IDS extension Firekeeper :)
sukarof
March 13th, 2007, 02:07 PM
-{ Quote: "I am quite certain that most attacks can be performed without scripts if one only tries hard enough (e.g. see http://ha.ckers.org/blog/20070228/steal-browser-history-without-javascript/ " }-
Too bad it was fixed in Firefox already, it would've been nice to see it working. But thanks for an interesting read.
Wladimir Palant
March 13th, 2007, 02:16 PM
-{ Quote: "Too bad it was fixed in firefox already, it would've been nice to see it working." }-
It isn't fixed, see bug 147777 (https://bugzilla.mozilla.org/show_bug.cgi?id=147777). It is being worked on but I don't think we will see the results before Firefox 3.0 - it is a big change, too dangerous to check this in on a stable branch. The demo works for me in Firefox 2.0.0.2.
Giorgio Maone
March 13th, 2007, 06:52 PM
-{ Quote: "I am quite certain that most attacks can be performed without scripts if one only tries hard enough (e.g. see http://ha.ckers.org/blog/20070228/steal-browser-history-without-javascript/ and http://ha.ckers.org/blog/20070302/portscanning-without-javascript-part-2-2/).
" }-
Most attacks? Those are very specific and limited "attacks", and I'd dare to add that hardly anybody would have put any effort into developing them if NoScript did not exist in the first place ;)
That said, next NoScript release will "immunize" users from those scriptless tricks too.
-{ Quote: "
The remaining attacks are of the kind that is fixed in Firefox before even being published (not so in Internet Explorer which is why I used to disable JavaScript back when I used it)." }-
Looks like you missed, for one, Zalewski recent activity (http://www.google.it/search?q=Michal+AND+Zalewski+AND+Firefox), also dubbed "Month of Firefox bugs". It's not the first time and it won't be the last that Firefox vulnerabilities are published far before they're patched or even known to developers, and it will get worse and worse as Firefox's popularity grows (we're gonna have more vulnerabilities left hidden on purpose, in order to exploit them quietly for money, while ATM we mainly see "white hats" publishing them just for glory).
Are you seriously stating that Firefox community's absolute supremacy in security responsiveness (any comparison with IE is hilarious) can be enough to justify the dumbest idea in computer security (http://www.ranum.com/security/computer_security/editorials/dumb/index.html)?
-{ Quote: "Also, tricking a user into whitelisting a site in NoScript shouldn't be too difficult, social engineering is pretty effective." }-
Social engineering can also be pretty effective at stealing your purse or entering your home and then rob everything and cut your throat, but this sad truth doesn't imply leaving your door open to anybody (not even asking "who's there?") is a good idea.
Firefox is safe, but Firefox with NoScript is safer than vanilla Firefox, plain and simple.
How much safer still depends on user's smartness.
And while "educating users" is deemed another dumb idea in security, I do hope a few NoScript users at least are smart enough to take full advantage of it. ::)
Wladimir Palant
March 13th, 2007, 07:53 PM
Giorgio, while you certainly wrote a great extension, disabling JavaScript is common practice in IE (and a usual recommendation) - aren't you giving yourself a little too much credit? :) My point was precisely that the percentage of users disabling JavaScript is still comparably low, that's why most exploits still require it. The two I quoted are proof-of-concept exploits, if it ever became more relevant people would develop more.
-{ Quote: "That said next NoScript release will "immunize" users from those scriptless tricks too." }-
How are you going to do this? Are you going to disable multipart responses? And CSS? :)
Sorry but I think what dbaron is doing there with CSS is the way to go, and you cannot do this in an extension. As to port scanning - the web is broken, I don't see any good solutions :( At least Firefox makes it difficult by blocking a number of ports (and yes, there was a bug there that will be closed in Firefox 2.0.0.3 - and the exploit worked without JavaScript).
-{ Quote: "Looks like you missed, for one, Zalewski recent activity (http://www.google.it/search?q=Michal+AND+Zalewski+AND+Firefox), also dubbed "Month of Firefox bugs"." }-
I didn't. I also didn't miss Firefox 2.0.0.3 release candidates that fix the new issues (the old ones have been fixed in Firefox 2.0.0.2 already). These aren't particularly critical bugs and the window of opportunity was only a few days - not really worth exploiting for that reason ("far before" is certainly an exaggeration). Note that a vulnerability (http://adblockplus.org/blog/speaking-of-ie-security) comparable to the worst one reported by Zalewski (XSS through null-byte injection) has been reported for IE almost a year ago and is still unpatched - in comparison any Firefox vulnerability is absolutely worthless to blackhats.
-{ Quote: "Are you seriously stating that Firefox community's absolute superior security responsiveness (any comparison with IE is hilarious) is enough to justify the dumbest idea in computer security (http://www.ranum.com/security/computer_security/editorials/dumb/index.html)?" }-
Remember the image buffer overflows? Why don't you apply the same idea there, there could be more vulnerabilities in those images... While I recognize the advantages of keeping the attack surface low, you still have to consider whether a huge disadvantage in usability justifies a small security advantage.
PS: More links for you: Password stealing without JavaScript (http://kuza55.blogspot.com/2007/02/breaking-firefoxs-rcsr-fix.html) aka bug 371515 (https://bugzilla.mozilla.org/show_bug.cgi?id=371515), Anti-DNS pinning (http://ha.ckers.org/blog/20070308/practical-anti-dns-pinning-writeup/) (XMLHttpRequest used in this particular attack but JavaScript is generally unnecessary).
Giorgio Maone
March 13th, 2007, 11:53 PM
-{ Quote: "Giorgio, while you certainly wrote a great extension" }-
Thanks, you too Wladimir.
-{ Quote: "Disabling JavaScript is common practice in IE (and a usual recommendation)" }-
How common, I don't know because it's a royal PITA. Notwithstanding, you too admittedly used to bear such a sacrifice for security's sake (with IE! Before NoScript!!! What a masochist :o ).
A usual recommendation also for Firefox, we hear it almost every time a security bulletin is issued.
Only that lately, the mantra isn't just "Disable JavaScript" anymore: they rather suggest to use NoScript. Maybe because it's deemed an... hmm... usable solution?
-{ Quote: "aren't you giving yourself a little too much credit?" }-
As you don't give yourself (neither to Rue and Sorensen before you) credit for inventing content-blocking, I don't give myself credit for "Default Deny", "Reduce attack surface" or "Whitelist executable". Both our extensions just turned those existing and valuable but quite impractical concepts into a real option for users.
IE zones have been around for a long time, and Opera 9 implements shameless rip-off features both from NoScript (Site preferences) and AdBlock (Content blocker), but their usability is near to zero.
NoScript tries to transform a "standard security recommendation", which almost nobody but hardcore geeks were willing to follow, into something bearable for mom (and for a few perverts, even pleasurable - you know, that dirty lust for control).
-{ Quote: "My point was precisely that the percentage of users disabling JavaScript is still comparably low, that's why most exploits still require it. The two I quoted are proof-of-concept exploits, if it ever became more relevant people would develop more." }-
Amusing, the same argument most IE zealots use against Firefox: if it becomes more relevant, it will be more targeted. By this logic, we should stick with IE or at least keep Firefox secret so our ecosystem stays relatively quiet. And we should drop NoScript to prevent frustrated crackers from diverting to new techniques? :)
-{ Quote: "Sorry but I think what dbaron is doing there with CSS is the way to go" }-
I know it very well and I agree, but I just don't want my users to wait for Firefox 3.0 (optimistically, as the bug has been reported by dbaron himself 5 years ago).
There are other ways to work around in the meanwhile.
-{ Quote: "and you cannot do this in an extension" }-
YOU DON'T TELL ME WHAT I CAN AND WHAT I CANNOT DO!!!
Man, you kicked me into hysteria mode ;D
-{ Quote: "As to port scanning - the web is broken, I don't see any good solutions :(" }-
I tend to agree, but I do have a solution for the time being. I'll be happy to discuss it with you as soon as NoScript 1.1.4.7 is out.
With IPv6 things will go even worse, but we -- both you and I -- will hopefully still be here to save the world :P
-{ Quote: "I also didn't miss Firefox 2.0.0.3 release candidates that fix the new issues (the old ones have been fixed in Firefox 2.0.0.2 already). These aren't particularly critical bugs and the window of opportunity was only a few days - not really worth exploiting for that reason ("far before" is certainly an exaggeration)." }-
-{ Quote: "most attacks can be performed without scripts [...] The remaining attacks are of the kind that is fixed in Firefox before even being published" }-
The last two sentences are obviously false, instead ;)
And on a side note ("eat your own dog food"), I do know core Mozilla developers who install just one extension (guess which?)
Let me repeat it once more (as it seems such an elusive concept): Firefox is safer with NoScript because "Default Permit" is the #1 dumbest idea in computer security (http://www.ranum.com/security/computer_security/editorials/dumb/index.html)
-{ Quote: "Remember the image buffer overflows? Why don't you apply the same idea there, there could be more vulnerabilities in those images... While I recognize the advantages of keeping the attack surface low, you still have to consider whether a huge disadvantage in usability justifies a small security advantage." }-
Now we're really comparing apples to oranges:
Images
PROS: Images are a primary feature defining the very essence of the web as we know it (http://www.squarefree.com/pornzilla/) and the true secret mission of Firefox (http://www.squarefree.com/pornzilla/why-firefox.html).
CONS: they may be exploited using quite difficult, non-portable techniques, mostly to crash your browser but in very exceptional cases to execute remote code, if and only if you or your image decoding library provider (M$ anyone?) spread here and there absolutely idiotic programming errors (http://en.wikipedia.org/wiki/Buffer_overrun) you're warned about during the very first lesson of your very first C/C++ class. On a side note, if the core browser developer team is prone to this kind of errors too, HTML or even plain text files are unsafe as well and we can shut down the WWW ;)
Client side in-browser executable content (Java, JavaScript, Flash)
PROS: It's cool. Hey, we can do almost all the same (computational) stuff server side, but it's not so cute, snappy and... hmm... flashy?
Oh well, it's not that easy enumerating all the good things these wonderful goodies can do, simply because they're Turing complete (http://en.wikipedia.org/wiki/Turing_complete). It's been surely a great idea embedding such powerful toys inside a HyperText browser, executing code continuously downloaded from the internet for your pleasure (you don't even need to ask or know about it). OK, it's sandboxed, but sandboxes are meant to be evaded, and many great entertainment numbers (e.g. playing with your authentication cookies, guessing your navigation history, spoofing the current web address) don't even require any privilege escalation.
How does that fascist NoScript dare to censor the creativity of script authors, who now need users to (horror!) express their consent before being awarded with the honour of watching their fireworks? :-X
CONS: none. It's so easy imagining all the possible codepaths of an imperative, possibly dynamic, language to prevent vulnerabilities. It's far more trivial than preventing those incredibly challenging buffer overflows! ::)
-{ Quote: "Password stealing without JavaScript (http://kuza55.blogspot.com/2007/02/breaking-firefoxs-rcsr-fix.html) aka bug 371515 (https://bugzilla.mozilla.org/show_bug.cgi?id=371515)" }-
Internet is broken, but here we're talking about Her Majesty the Cosmic Perpetually Self-Gaping Great Breakage From Outer Space (http://www.myspace.com), no less.
Putting arbitrary user generated content from everybody and his sister all stuffed under the same domain deserves perpetual exile in the deepest of the beryllium mines on Planet Slashdot, with a ruthless CowboyNeal-shaped droid kicking your ass ad libitum.
But I'm sure you agree with me and with Saint Albert (http://rescomp.stanford.edu/~cheshire/EinsteinQuotes.html) about those two things supposed to be infinite :-*
Good night or good morning for now (5 AM here...)
Devil's Advocate
March 14th, 2007, 12:54 AM
LOL, how did this thread morph into adblock vs noscript????
Giorgio Maone
March 14th, 2007, 03:20 AM
-{ Quote: "LOL, how did this thread morph into adblock vs noscript????" }-
Quick recap, then...
-{ Quote: "Firekeeper IDS for FireFox!
Would this offer any better protection in general than FF itself with NoScript and AdBlock plus. ??" }-
-{ Quote: "
Neither Adblock Plus nor NoScript are really security solutions, they will rarely be helpful when it comes to security. But this FireKeeper extension doesn't seem to make much sense either." }-
-{ Quote: "Noscript does enhance my security enormously, or so I believe. When using it I never have to worry about any malware that might come from web pages. Simply because with Noscript they cant execute the scripts that brings malware. If that isnt security solution I dont know what is :)
Maybe I have misunderstood Noscript completely and something else (unknown to me) is preventing me from getting infected when I visit sites like those that are mentioned in the long thread about trojans on the loose (http://www.wilderssecurity.com/showthread.php?t=136452) or is it firefox itself that blocks malware by design, regardless of the ability to run java scripts?" }-
-{ Quote: "I'm also interested why Noscript in Wladimir's opinion isn't a good measure against Javascript related security leaks - given that most FF leaks are somehow related to Javascript
(posting in the NoScript Mozillazine thread (http://forums.mozillazine.org/viewtopic.php?p=2794006#2794006))
Giorgio, it would be very interesting to read your opinion about Wladimir Palant's remarks in this thread: http://www.wilderssecurity.com/showthread.php?t=168176" }-
and so it happens... (http://www.wilderssecurity.com/showpost.php?p=963115&postcount=19)
Just not to stay totally off-topic, I'll add that I basically share Wladimir's POV about IDSs: the concept itself is #2 of The 6 dumbest ideas about computer security (http://www.ranum.com/security/computer_security/editorials/dumb/index.html) ("Enumerating Badness").
#1, "Default Permit", has many faces: one is "Overlooking NoScript (http://noscript.net)" ;)
Mrkvonic
March 14th, 2007, 03:50 AM
Hello,
We got some heavy cannon on the loose here.... best to lurk and watch :)
Welcome, Wladimir and Giorgio, great work guys...
Mrk
Wladimir Palant
March 14th, 2007, 08:09 AM
Giorgio, I did in fact use IE's zone policies five years ago with the same effect as NoScript today. I know lots of people still do.
-{ Quote: "Only that lately, the mantra isn't just "Disable JavaScript" anymore: they rather suggest to use NoScript. Maybe because it's deemed an... hmm... usable solution?" }-
I didn't deny that NoScript is more usable than IE's zone policies or the "Disable JavaScript" checkbox. However, the tendency on the web is that more web sites are using JavaScript - with a good reason, with JavaScript they can provide their users a far better web experience. Surfing without JavaScript sucked five years ago, it sucks even more today. I can imagine that it looks much like this: "What, why doesn't this stupid web site work? Well, lets try to disable NoScript." If this is really a common usage pattern (which I suspect) then you aren't surfing any safer than without NoScript.
For what is worse, this model stands and falls with the security of the trusted sites - this has always been critical about IE's zone model. A single XSS hole in one of them and NoScript is worthless. Like the 8 holes I recently discovered on Yahoo that you whitelist by default - it's a pity they have been fixed already, I should have kept quiet about them :). But you don't have to go that far, finding vulnerabilities on Yahoo is comparably difficult. Good that you put Mozillazine on the default exceptions list, this site is ridden with XSS holes. I'll send you a link to my demo page with a mail.
-{ Quote: "Let me repeat it once more (as it seems such an elusive concept): Firefox is safer with NoScript because "Default Permit" is the #1 dumbest idea in computer security (http://www.ranum.com/security/computer_security/editorials/dumb/index.html)" }-
See above.
-{ Quote: "PROS: It's cool. Hey, we can do almost all the same (computational) stuff server side, but it's not so cute, snappy and... hmm... flashy?" }-
Well, then why don't you de-anonymize your email address on the server? :)
I wonder why Google needed JavaScript for their excellent web mail client? Maybe because without it it would be nowhere near excellent?
-{ Quote: "OK, it's sandboxed, but sandboxes are meant to be evaded" }-
Hm... Privilege escalation from JavaScript? Do you have any specific vulnerability in mind (one that wouldn't require ActiveX)?
-{ Quote: "and many great entertainment numbers (e.g. playing with your authentication cookies, guessing your navigation history, spoofing the current web address) don't even require any privilege escalation." }-
Even more so - they don't even require JavaScript :)
Session Fixation works without JavaScript - so much about authentication cookies. Navigation history - see posts above. Spoofing the current web address - see http://sla.ckers.org/forum/read.php?3,4318.
-{ Quote: "How does that fascist NoScript dare to censor the creativity of script authors, who now need users to (horror!) express their consent before being awarded with the honour of watching their fireworks? :-X " }-
LOL
In the end everybody decides for himself whether he should use NoScript.
-{ Quote: "Internet is broken, but here we're talking about Her Majesty the Cosmic Perpetually Self-Gaping Great Breakage From Outer Space (http://www.myspace.com), no less." }-
MySpace is written by incompetents, no question. But the point was that you can steal a password even without JavaScript - through a simple XSS hole, of the kind that you find in almost every site that uses server-side scripting. Yay, server-side scripting is evil! :)
-{ Quote: "Good night or good morning for now (5 AM here...)" }-
We are in the same timezone :)
Pedro
March 14th, 2007, 11:32 AM
I tend to agree with both, and both fail to see something, exactly because you're so immersed in this (you're developers).
NoScript isn't the solution for everything, and it depends on the user, correct.
But that really doesn't disqualify it as a security measure. Everything else also depends on the user, does that mean that firewalls (configuration depends on user) and Anti-Spyware (it isn't a solution for everything either) aren't security solutions?
And Giorgio Maone, why do you think Opera's site preferences are a rip off?
;D
Is it not an obviously predictable feature in all browsers?
(yes, i use Opera)
tlu
March 14th, 2007, 11:47 AM
-{ Quote: "
NoScript isn't the solution for everything, and it depends on the user, correct.
But that really doesn't desqualify it as a security measure. Everything else also depends on the user, " }-
Exactly my thoughts. Using Noscript or any other extension/tool doesn't mean that the user can disable "brain.exe".
Wladimir Palant
March 14th, 2007, 11:56 AM
The difference to firewalls is the value/cost ratio.
Firewalls: value is high, going without one will likely result in malware infections. Cost is low, most of the time the firewall is sitting in background silently and doesn't bother the user. Breakage by firewalls is comparably rare.
NoScript: value is low for the reasons outlined above - users are conditioned to disable NoScript when something appears to be broken, the vulnerabilities NoScript protects you from are rarely critical and/or open long enough to be abused by somebody (great work on the side of Gecko developers here). Furthermore, I sent Giorgio a demo that works around NoScript quite trivially without requiring any user action - and that is a problem with the whole concept, I am looking forward to the answer. So the added security value is very low. The cost on the other hand is extremely high. Disabling JavaScript will break most web sites and make web surfing much less comfortable.
Of course everybody decides for himself which value/cost ratio is still high enough for him. But promoting NoScript as the ultimate security solution is certainly wrong, it creates a false sense of security.
Pedro
March 14th, 2007, 12:04 PM
Ok, i'll wait for his response.
But one note (granted, it's a choice of words):
-{ Quote: " users are conditioned to disable NoScript when something appears to be broken" }-
Not disabling NoScript, but allowing the site we want to work, temporarily or add to whitelist. With NoScript. Again, only words, but it's better this way:)
tlu
March 14th, 2007, 12:42 PM
-{ Quote: "
NoScript: value is low for the reasons outlined above - users are conditioned to disable NoScript when something appears to be broken, the vulnerabilities NoScript protects you from are rarely critical and/or open long enough to be abused by somebody (great work on the side of Gecko developers here).
...
So the added security value is very low. The cost on the other hand is extremely high. Disabling JavaScript will break most web sites and make web surfing much less comfortable.
" }-
Wladimir, you're exaggerating. I agree that Noscript is no fool-proof solution (that's why I said that one shouldn't turn off brain.exe). But let's face reality: It's true that there are cases where "trustworthy" sites, where you possibly would have enabled JS, had been hacked - Noscript wouldn't have been a protection against attacks in these cases. But they are extremely rare. On the other hand, Noscript is especially valuable for sites which I load the first time (e.g. via googling around) - they are not trustworthy by definition, and I have the chance to deliberately decide what to do. Without Noscript I wouldn't have.
Regarding comfort: I guess most of us surf the same sites 85% of their time. If you enable JS for these (trustworthy and hopefully not hacked) sites and just put Doubleclick, Googleanalytics and the like on Noscript's blacklist you won't suffer any setback in comfort.
-{ Quote: "Furthermore, I sent Giorgio a demo that works around NoScript quite trivially without requiring any user action - and that is a problem with the whole concept, I am looking forward to the answer." }-
So do I. If the demo really works, I hope that Giorgio will find a solution for this, too.
Wladimir Palant
March 14th, 2007, 12:52 PM
tlu, I am talking about XSS (Cross-Site Scripting) vulnerabilities and those are very common. Mozillazine is full of them, the admins there either don't know about XSS or don't consider it a threat. But you can find some on Yahoo (without much trouble) and Google (you have to search for a while) as well. If you don't publish the vulnerability chances are that you will be able to abuse it for a few months.
I am discussing this with Giorgio on IRC right now. He has some ideas, I have some counter-arguments, we'll see what comes out of it.
Giorgio Maone
March 14th, 2007, 12:58 PM
-{ Quote: "tlu, I am talking about XSS (Cross-Site Scripting) vulnerabilities and those are very common. Mozillazine is full with them, the admins there either don't know about XSS or don't consider it a threat." }-
BTW, just before starting my conversation with Wladimir, I was issuing an advisory to erase mozillazine.org from the whitelist. It works just fine with JS disabled, it was only a courtesy for their AdSense revenue.
Back to Wladimir :)
tlu
March 14th, 2007, 01:13 PM
-{ Quote: "BTW, just before starting my conversation with Wladimir, I was issuing an advisory to erase mozillazine.org from the whitelist. It works just fine with JS disabled, it was only a courtesy for their AdSense revenue." }-
Thanks - done.
-{ Quote: " Back to Wladimir :)" }-
Yeah - if your collaboration ...aargh, cooperation ;D will result in an even better Noscript, none of us users will complain :thumb: Good luck!
lucas1985
March 14th, 2007, 02:08 PM
Just keep up the good work guys. Browsing has never been safer, more productive and enjoyable than with Firefox + NoScript+ Adblock Plus.
Thanks for the efforts.
Giorgio Maone
March 14th, 2007, 05:26 PM
As you already know, Wladimir and I had a pleasant and frank chat together this afternoon.
Wladimir is going to blog about some of the topics we covered.
I'd be very happy if I had time to start a blog (and I'm struggling to find it as soon as possible) but a short and hopefully objective report follows here:
Despite the title of this post (an homage to the general dramatic perception of this thread), we did not spend a word about AB+ because it is not and it doesn't want to be a security tool (it's not its purpose).
NoScript can't currently protect you against XSS attacks targeted to a whitelisted site.
This is a well known issue of domain-based security models, but maybe the user base is not aware enough that if even just one of the sites in your whitelist is vulnerable to an XSS attack, NoScript protection is considerably weakened: specifically, the attacker can launch from its blacklisted site a script executed in the context of the vulnerable whitelisted site.
Of course, the culprit is a security vulnerability of the target site, not a fault of NoScript nor of Firefox, but the effect is that any site aware of the website bug can take advantage of it, working around NoScript against users who trust the buggy site.
What should we do about that?
According to Wladimir, NoScript is broken without hope: if its security advantage is lost as soon as a whitelisted site is compromised, it's not worth the effort.
My opinion is obviously different, even if moving from the same premises: we should cut down our whitelists as much as possible, using Temporary Allow and only if scripts are strictly mandatory for operating a site you know.
If the compromised site is not on your whitelist, XSS attacks will fail.
That said, I'm also actively developing and testing prevention measures for notable XSS vectors, and I'll progressively implement them into NoScript, keeping you posted. These new features can't obviously surrogate the IT departments (or the billing departments, if you prefer) of the companies you decide to trust (and yes, it happened also to Google and Yahoo). Please sue them, if you've got problems from any XSS attack exploiting their bugs. I (and Wladimir, perhaps) will be glad to help for a modest fee ;)
We also talked about scriptless attacks, and specifically about scriptless port scanning. I won't dig into the technical details here yet, but we more or less agreed my solution can be satisfactory (at least until IPV6, as I anticipated in a previous post of mine).
In the end, Wladimir's opinion seems to be "NoScript is better than nothing, if you can bear it" (but his blog post will obviously speak more authoritatively than my impression).
I'm still convinced that NoScript makes Firefox safer, even if keeping brain.exe enabled (as tlu brilliantly put it) plays a greater role in NoScript's effectiveness than it's generally perceived.
Back at work, now (and it's a lot, my friends!) :-*
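The whitelist weakness described in the post above, as an added example that is not part of the original thread and not NoScript's code: a domain-based policy decides script permission from the serving host alone, so the added `inspectRequest` check (a hypothetical, simplified filter) looks at requests that cross from a non-whitelisted site into a whitelisted one. The host names, URLs and function names are constructed for illustration.

```javascript
// Added illustration, not NoScript's implementation.
// Host names and URLs below are constructed sample data.

// The user's whitelist: hosts whose pages are allowed to run scripts.
const whitelist = new Set(["trusted.example"]);

// Domain-based model: permission depends only on the host serving the page,
// not on which site caused the request or what the request carried.
function scriptsAllowed(pageUrl) {
  return whitelist.has(new URL(pageUrl).hostname);
}

// Undo up to three layers of percent-encoding so an encoded "<" is still seen.
function decodeLayers(text) {
  let current = text;
  for (let round = 0; round < 3; round++) {
    let next;
    try {
      next = decodeURIComponent(current.replace(/\+/g, " "));
    } catch (err) {
      return current; // malformed escape sequence: keep the last good form
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Characters that let request data break out into markup when a vulnerable
// page echoes it back. This covers plain HTML injection, not only scripts.
const MARKUP = /[<>"']/;

// Hypothetical check: flag a request only when it comes from a
// non-whitelisted site, targets a whitelisted site, and its query string or
// fragment contains markup characters after decoding.
function inspectRequest(referrer, target) {
  const dst = new URL(target);
  const srcHost = referrer ? new URL(referrer).hostname : null;
  const fromUntrusted = srcHost !== null && !whitelist.has(srcHost);
  const intoTrusted = whitelist.has(dst.hostname);
  const payload = decodeLayers(dst.search + dst.hash);
  const flagged = fromUntrusted && intoTrusted && MARKUP.test(payload);
  return {
    scriptsWouldRun: scriptsAllowed(target), // what the whitelist alone decides
    verdict: flagged ? "flag" : "allow",
  };
}

// Constructed requests: [referrer, target]
const samples = [
  ["https://untrusted.example/a", "https://trusted.example/search?q=firefox+extensions"],
  ["https://untrusted.example/a", "https://trusted.example/search?q=%3Cb%3Einjected%3C/b%3E"],
  ["https://untrusted.example/a", "https://trusted.example/search?q=%253Cb%253E"],
  ["https://untrusted.example/a", "https://trusted.example/search?q=rock%27n%27roll"],
  ["https://trusted.example/home", "https://trusted.example/search?q=%3Cb%3E"],
];

for (const [referrer, target] of samples) {
  const result = inspectRequest(referrer, target);
  console.log(result.verdict, "scripts:", result.scriptsWouldRun, target);
}
```

In every sample the whitelist alone would let scripts run, because the page is served by the whitelisted host. The apostrophe request is flagged although it is harmless, which is the breakage cost debated later in the thread.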
Wladimir Palant
March 14th, 2007, 06:01 PM
Thanks, Giorgio, that's more or less it. Only two clarifications (just to be sure): your port scanning idea solves one part of the problem but we agreed that it is certainly better than nothing. And I stick to my opinion that there is little value added by disabling JavaScript even though removing the default whitelist in NoScript is a big improvement. But it is up to the user to decide whether this added value is enough justification for him.
Also, there are ways to use Adblock Plus to improve security, especially once it gets a few new (http://adblockplus.org/blog/status-of-immediate-unblocking-feature) features (http://adblockplus.org/blog/recognizing-third-party-content) that I am currently working on - but it isn't the usual usage patterns. I think I will write about that in my blog post and I should find time to create a proper documentation once these features are there.
Pedro
March 14th, 2007, 06:11 PM
How about something for the desktop, not an extension?:P
(i use Opera... sometimes FF...)
IceDogg
March 14th, 2007, 09:43 PM
I have to say it was nice to see you both make your points, keep to the subject and not lower yourself to name calling or other childish junk. I hold both you in high regard because of the work you have done. I hope better things come out of your chatting and voicing of opinions.
Wladimir Palant
March 14th, 2007, 10:16 PM
My blog post on this topic is now live: http://adblockplus.org/blog/blacklists-whitelists-and-security
tlu
March 16th, 2007, 12:46 PM
Wladimir, Giorgio,
Thanks, guys, for this highly interesting and prolific discussion - I'm glad that I pointed Giorgio to this thread :)
I guess, we are all eagerly awaiting the next Noscript version. It will probably prove that it makes a lot of sense that two of the most brilliant FF extension developers talk to each other from time to time.
lucas1985
March 16th, 2007, 03:36 PM
-{ Quote: "It will probably prove that it makes a lot of sense that two of the most brilliant FF extension developers talk to each other from time to time." }-
Agreed ;)
jwrobel
March 23rd, 2007, 05:36 PM
-{ Quote: "[...]
This rules list is compiled from published vulnerabilities - but the vast majority of published Firefox vulnerabilities are already fixed. And because the IDS searches only for some known string it is easily tricked by changing this string slightly (intentionally or not). So the most recommendable course of action is still to keep your browser updated. And if you install an IDS you should install it in your operating system so that it catches all traffic. An IDS as a browser extension misses too much and isn't very helpful." }-
Hi,
I've found your discussion on this forum and I would like to add a few
words in Firekeeper's defence. The main goal of Firekeeper is to
detect and block malicious sites not to protect Firefox against
unpatched vulnerabilities. Running IDS outside a browser is not so
useful in protecting against such sites. Protection requires some user
interaction, user should have an ability to decide what to do with
suspicious site (block it or not). It is hard to achieve such
interaction in a convenient way if IDS/IPS is not integrated within a
browser. It is easy to bypass general purpose IDS by encrypting or
compressing HTTP traffic. Firekeeper has access to decrypted and
decompressed data.
Now Firekeeper rules are detecting only some old attacks, but this is
an alpha release and most efforts are focused on developing engine
code not rules. Of course, not every attack is possible to be detected
in this way, but some are. Javascript is a really flexible language but so
are regular expressions used by Firekeeper and I think it makes
Firekeeper quite a powerful tool (Take a look at short tutorial that
shows how to detect attacks related to one of bugs discovered recently
by Michal Zalewski: http://firekeeper.mozdev.org/rule_writing_howto.html)
Let me cite 3 questions and answers from Firekeeper FAQ:
"What is Firekeeper?
Firekeeper is an Intrusion Detection and Prevention System integrated
within Firefox. Its main goal is to detect and inform the user about
malicious sites that are trying to use some known browsers
vulnerabilities to get control over the user's machine or to do some
other suspicious action."
"What Firekeeper is not?
Firekeeper is not an enhancement of Firefox patch process. Although,
it can be useful to protect a browser against attacks utilising some
newly found, not yet fixed browser bugs, but it is not its main and
most useful application."
and also "Why Firekeeper approach is useful?
Today's common approach to protect browsers is just to patch them as
soon as possible when new bug is found. When the user visits a
malicious site she usually never learns about it, information about
suspicious action is lost. In contrast, Firekeeper approach is to
inform the user about every recognisable attack attempt even when
user's browser is not vulnerable to this particular attack. It is
important, because next time user visits the same malicious site, it
can use different attack and this time user's system can be vulnerable
to it. With Firekeeper user can block the site first time she visits
it and never come back to it again."
Cheers,
Jan Wrobel
Wladimir Palant
March 23rd, 2007, 06:03 PM
Thanks for this explanation, Jan. That makes sense. However, in that case the more general rules have to be removed - using document.domain is certainly not a sign of a malicious web site.
Longboard
March 24th, 2007, 03:35 AM
This has been a great thread
thanks to all three of you.
Very illuminating discussions.
There is a thread here: Must have FF extensions (http://www.wilderssecurity.com/showthread.php?t=122085&highlight=firefox)
You both feature prominently. :)
Already have the ABP and NoScript running: obvious improvements to MY benefit happening :Thanks Giorgio and Wladimir: the whole user base of FF owes you :D
Jan: looking forward to seeing the development go on.
Really wonderful efforts.
Heh: Brain.exe = Wetware online.
Respect.
Giorgio Maone
March 24th, 2007, 08:59 PM
Good news: Latest NoScript development version (http://noscript.net/getit#devel) (a release candidate, actually) features effective anti-XSS countermeasures neutralizing reflective XSS attacks launched as a NoScript evasion attempt :)
Wladimir Palant
March 24th, 2007, 09:07 PM
And my opinion on why it is a bad solution: http://adblockplus.org/blog/usability-vs-security
Rasheed187
March 27th, 2007, 10:20 AM
I have to say that NoScript is a great tool but I agree with the fact that it's not really a bulletproof security solution. Because sometimes you have no other choice than to enable scripting because otherwise a site won't work. This means that you can still get exploited, correct? But the new protection feature against XSS sounds really interesting. :)
Btw, I have disabled scripting in all of my browsers (Maxthon, FF and Opera) not so much for security but more for speed. I've noticed that websites load like 10 times faster, amazing. That's why a tool like NoScript is so cool, you can allow only a couple of your favorite sites to use script, and enjoy full surfing speed for all others. I really hate Javascript. :thumbd:
Wladimir Palant
March 27th, 2007, 10:31 AM
The increased speed is not because JavaScript is slow per se - it is because these scripts have to load from third-party servers. If you block the scripts in Adblock Plus you will see the same effect (and even more because you can block frames and images as well).
Rasheed187
March 27th, 2007, 10:44 AM
I really didn't know this, but can't browsers be improved to render javascript more quickly? Overall I still think that javascript is not needed most of the time, most sites would work just fine without this nonsense. It would be cool however if for example GreaseMonkey scripts could somehow still work with scripting disabled, but I guess I'm saying something stupid now, is this even possible?
Rasheed187
March 27th, 2007, 10:51 AM
Oh and btw, is it true that the new Ad Hunter in Maxthon v2 is actually better in blocking ads than AdBlock Plus? I was very disappointed with the new system which could not instantly block objects, but luckily this has been fixed now with the new "FloatButton".
http://forum.maxthon.com/index.php?showtopic=52606
http://www.softpedia.com/get/Internet/Browsers/Maxthon-Combo.shtml
Wladimir Palant
March 27th, 2007, 11:08 AM
I doubt that - but I am biased because I am the developer of Adblock Plus :)
Rasheed187
March 27th, 2007, 12:41 PM
Personally I think AdBlock is pretty good, so that's why I wondered if it was true or not. Some people even say that AdBlock is only hiding ads, but I don't think it's true.
-{ Quote: "Maxthon blocks ads even before they are rendered in the HTML unlike Firefox. So in terms of ad blocking M2 is way way way way more powerful. Much more powerful than Ad muncher even." }-
Wladimir Palant
March 27th, 2007, 01:19 PM
Adblock (the old one, without "Plus") does have an option to hide the ads instead of really blocking them and this option isn't exactly well-labeled so that it is easy to misconfigure. Adblock Plus always blocks ads so that they are not downloaded at all. So yes, Maxthon's statement above is pure non-sense.
cheater87
March 27th, 2007, 03:50 PM
I have Adblock Plus on both computers and the web pages load a LOT faster than with all the ads. Some seep through but I zap them haha.
Devil's Advocate
March 30th, 2007, 10:56 PM
-{ Quote: "Personally I think AdBlock is pretty good, so that's why I wondered if it was true or not. Some people even say that AdBlock is only hiding ads, but I don't think it's true." }-
Nah, they are referring to the built in CSS blocking method in firefox. That only hides.
tlu
April 15th, 2007, 01:13 PM
-{ Quote: "And my opinion on why it is a bad solution: http://adblockplus.org/blog/usability-vs-security" }-
Wladimir, I wonder if you still stick to that opinion. In your newest (http://adblockplus.org/blog/legal-implications-of-security-research) article you presented a link to this (http://www.csoonline.com/read/010107/fea_vuln.html)excellent article which is really a scaring reading. You presented links to XSS attacks in a previous posting here yourself, and well-known RSnake was quoted in above article by saying that most websites are vulnerable to XSS. This opinion is confirmed by the German magazine "PC Professionell" which publishes an article in their 5/2007 issue about the dangers of Web 2.0. They checked about 20 websites, and although this test was only sketchy they found XSS vulnerabilities in about 50% of those sites. And you know quite well that there have been hundreds of reported XSS attacks in the past, let alone the ones that have never been disclosed.
All in all, it's rather clear that this threat is not only theoretical but reality, and that we will have to live with it for a long time.
Now, with the new Noscript versions that have XSS counter-measures which seem to be rather effective - would you still talk about "another round of madness" as you did in your blog? If the XSS threat is becoming a growing problem, aren't these counter-measures absolutely legitimate and necessary? Especially since the side effects are relatively small in my experience (and Giorgio is still fine-tuning this new approach so further improvements can be expected).
Wladimir, I usually love to read your blog - but in this case I'm unable to reproduce the logic of your arguments.
Wladimir Palant
April 15th, 2007, 02:00 PM
Yes, my opinion on this didn't change. XSS is a very common problem, and I think that Jeremiah Grossman's statement about 80% of sites being vulnerable to XSS is correct. If anything, it is an understatement. So far XSS hasn't been exploited too much (except for a few XSS worms and phishing mail) but this problem will become more and more important in future.
So I don't say that you should not do anything about XSS. I just say that what NoScript is doing will not solve anything. I see statements on RSnake's forum like "I turned it off. I got too many errors with it." Mind you, these are security specialists. If they cannot stand this "protection", how are regular users supposed to use it?
Then, I got some confirmation about my assumption - most people who use NoScript will turn it off if it seems to break something. This doesn't happen without a reason, NoScript breaks things far too often without a good reason, so people get conditioned to turn it off. And that means that you are no safer with NoScript than you are without.
Finally, NoScript doesn't solve the XSS problem and it doesn't even try. It attempts to prevent XSS'ing into whitelisted sites, which is a simple way to work around NoScript. Applying the same concept to the entire web would only result in people uninstalling NoScript - because it breaks the web.
Now to the real solutions. There have been a few changes in Firefox recently that make it harder to exploit XSS vulnerabilities. More are to follow, e.g. three of my patches are awaiting review and I was told that they are wanted for Firefox 2 as well. New features that will help web sites protect against XSS are planned for Firefox 3 and Firefox 4, and there seems to be much more discussion on that topic.
However, all this will only help sites which are aware of the problem and try to do something about it. Effective XSS protection is currently very hard because it is such a wide topic. You cannot expect every web developer to study all the different ways in which a site can be compromised. So if protecting against XSS can be made simpler many sites will be helped. But I don't believe that a site that doesn't validate user input in any way (still very common) can be helped. So to get rid of XSS browser vendors and web developers must work together - that's the only solution.
tlu
April 16th, 2007, 02:07 PM
-{ Quote: "Yes, my opinion on this didn't change. XSS is a very common problem, and I think that Jeremiah Grossman's statement about 80% of sites being vulnerable to XSS is correct. If anything, it is an understatement. So far XSS hasn't been exploited too much (except for a few XSS worms and phishing mail) but this problem will become more and more important in future." }-
Agreed. I was only puzzled because you wrote in your blog that "it seems that NoScript is a solution in search of a problem". You might argue if Giorgio's XSS counter-measures are the right ones - but why is he "in search of a problem" ???
-{ Quote: "So I don't say that you should not do anything about XSS. I just say that what NoScript is doing will not solve anything. I see statements on RSnake's forum like "I turned it off. I got too many errors with it." Mind you, these are security specialists. If they cannot stand this "protection", how are regular users supposed to use it?" }-
That's not my experience. Maybe I'm just going to the "wrong" sites ;). I just had some occurrences, and the examples presented in your blog are no longer a problem in the newest version since Giorgio did and is still doing some fine-tuning for this new technology.
-{ Quote: "Then, I got some confirmation about my assumption - most people who use NoScript will turn it off if it is seems to break something. This doesn't happen without a reason, NoScript breaks things far too often without a good reason, so people get conditioned to turn it off. And that means that you are no safer with NoScript than you are without." }-
Another thesis I don't support. For me, all sites work with Noscript if I want them to work. And if really most users turn it off after some time (I doubt that) - what does that prove? I'm one of the few posters here in this forum who advocates the use of a limited user account in Windows. But at least 95% of all other posters here don't follow me because they say: It's so complicated, it breaks many applications, and so forth. Does that mean that using a user account is worthless from a security standpoint? Of course not. The same is true for Noscript.
-{ Quote: "Finally, NoScript doesn't solve the XSS problem and it doesn't even try." }-
Nobody (including Giorgio) ever said that Noscript is the final solution for the XSS problem.
-{ Quote: " It attempts to prevent XSS'ing into whitelisted sites, which is a simple way to work around NoScript. " }-
Indeed, and that's the only thing that can be expected. And I think it's doing well what it does - which doesn't mean that there is no room for improvement.
-{ Quote: "Now to the real solutions. There have been a few changes in Firefox recently that make it harder to exploit XSS vulnerabilities. More are to follow, e.g. three of my patches are awaiting review and I was told that they are wanted for Firefox 2 as well. New features that will help web sites protect against XSS are planned for Firefox 3 and Firefox 4, and there seems to be much more discussion on that topic." }-
That's good to read! But:
-{ Quote: "However, all this will only help sites which are aware of the problem and try to do something about it. Effective XSS protection is currently very hard because it is such a wide topic. You cannot expect every web developer to study all the different ways in which a site can be compromised. So if protecting against XSS can be made simpler many sites will be helped. But I don't believe that a site that doesn't validate user input in any way (still very common) can be helped. So to get rid of XSS browser vendors and web developers must work together - that's the only solution." }-
Absolutely! But I'm afraid that it will take a long time until all web admins will be aware of this problem and will have the knowledge to circumvent it. And don't forget: Firefox is not the only browser in this world - are you sure that Microsoft is joining you on your trip (and the majority of websites is still optimized for IE!)? That's why I'm convinced that Noscript with its XSS counter-measures is still important. It might not be the right tool for everyone - these people have to bear the consequences.
Wladimir Palant
April 16th, 2007, 04:20 PM
The quote about issues with XSS countermeasures was about the newest version - there was a lot more complaining about the previous version of course that simply had a bug that sometimes prevented you from logging in on whitelisted sites.
No, I didn't mean that XSS countermeasures are a solution in search of a problem. They have a clearly defined problem: by using an XSS hole in one of the sites in the default whitelist any site can easily run JavaScript despite NoScript. I found an XSS hole in one of Giorgio's own sites as proof-of-concept (actually two but the second could not be exploited). That's what this XSS protection is meant to fix and nothing else. A solution in search of a problem however is NoScript itself. It tries to create this problem by suggesting that you are not safe if you run Firefox with JavaScript enabled. This is far from being true but some people believe this unfortunately. Of course you are somewhat more vulnerable with JavaScript but at the moment this stands in no proportion to the inconvenience of surfing without JavaScript.
I am ready to admit that there are some people who like you have no issues using NoScript - but I doubt that they are many. I also admit that I am one of those Windows users who use an administrator account. So far it seems that using a proper browser, updating the system whenever necessary, not forgetting about your firewall and being careful with what you download is already a sufficient security solution. I am confident that my system will not be compromised, but if it ever happens there will be not much difference whether it will be an admin account or a restricted account. At least not enough difference to justify some major inconveniences. So yes, unless using a restricted account on Windows will become significantly less problematic I don't see much value in this solution (note that I always use a restricted account on Linux).
Finally: sure, XSS is a relatively new problem and awareness comes slowly. Five years ago nobody knew about it and not even the security experts understood the implications. This is changing now. And all browser vendors will have to follow, even Microsoft. Firefox has had a head start but I definitely expect Microsoft to adopt most of these solutions as pressure rises. But that's off-topic anyway - or have you heard of plans to port NoScript to Internet Explorer?
Looking at your response again, you might have the misconception that disabling JavaScript gets rid of XSS. Yet despite the name there is more to XSS than scripting. We have already seen attackers injecting pure HTML without any JavaScript, mainly for phishing schemes at the moment. XSS can also be exploited for defacement, making web sites display manipulated information - again without any JavaScript.
nixie21
April 16th, 2007, 04:34 PM
Without having to read this whole thread.... What is the verdict on Firekeeper IDS for FireFox?
Use it or not?
Sorry, just too lazy to sift through this thread! ::)
Wladimir Palant
April 16th, 2007, 04:48 PM
I was the only one criticizing the concept of Firekeeper, and I recognized that I misunderstood the idea after author's comments here (http://www.wilderssecurity.com/showthread.php?t=168176&page=2#post969982). But Firekeeper is in very early alpha stages at the moment so that it isn't really useful for anything but testing the concept.
nixie21
April 16th, 2007, 04:56 PM
-{ Quote: "I was the only one criticizing the concept of Firekeeper, and I recognized that I misunderstood the idea after author's comments here (http://www.wilderssecurity.com/showthread.php?t=168176&page=2#post969982). But Firekeeper is in very early alpha stages at the moment so that it isn't really useful for anything but testing the concept." }-
Thanks! Will keep an eye on it... And thanks for adblock plus by the way!
flinchlock
May 14th, 2007, 11:12 AM
-{ Quote: "Thanks! Will keep an eye on it... And thanks for adblock plus by the way!" }-
You will probably change your mind after reading XSS sample using Zone Alarm link (http://www.wilderssecurity.com/showthread.php?t=174195).
In particular regarding these two posts
http://www.wilderssecurity.com/showpost.php?p=1002678&postcount=38
-{ Quote: "Recap:
* Using Noscript gives protection from XSS type 1 and, to a certain extent, from XSS type 2.
This protection tends to zero if you whitelist everything, and tends to infinite if you don't whitelist anything.
* When in doubt, and the site seems to already work fine or the content doesn't appear that valuable, don't whitelist.
When in doubt, the content is really valuable and it requires JavaScript (it doesn't work at all otherwise), just "temporary allow".
* The only reason to drop your doubts is the site owner's reputation being such precious that he would refund any amount for damages you may receive from a XSS (which is your problem, but his fault by definition).
You really don't need JavaScript to take your slashdot fix, read a blog or watch some porn" }-
http://www.wilderssecurity.com/showpost.php?p=1002745&postcount=41 (My bold red)
-{ Quote: "But yes, Firekeeper for the known plus NoScript for the unknown sounds like a tough combo" }-
Mike
vBulletin® Copyright ©2000-2012, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2012, Wilders Security Forums