Firekeeper IDS for FireFox

This might be interesting devt:
http://firekeeper.mozdev.org/index.html

Would this offer any better protection in general than FF itself with NoScript and AdBlock plus. ??

alpha version only.

I dont think I could get the test pages links to do anything in FF
(did not test with IE6)

 

Interesting. I installed it. The options in the extension are grayed so I cant change anything...
Well, I´ll run it for a while and see if it does anything useful

 

Neither Adblock Plus nor NoScript are really security solutions, they will rarely be helpful when it comes to security. But this FireKeeper extension doesn't seem to make much sense either. It is a classical IDS, routes all HTTP traffic through itself and looks for suspicious strings. The rules come from snort and are meant for all browsers - most entries refer to vulnerabilities in Internet Explorer or plugins (note that plugins download their data themselves so that this extension won't help). There are only two rules that are related to Mozilla. One is an ancient bug in Mozilla 1.0 (the Suite, not Firefox). The other is document.domain JavaScript property. By design document.domain could in fact be an issue but disabling it will break a number of major sites (I tried). And anyway, it is better to disable document.domain using CAPS since the IDS can easily be tricked by changing the code on the page slightly (and JavaScript is a very flexible language, you can write the same thing in many different ways).

This rules list is compiled from published vulnerabilities - but the vast majority of published Firefox vulnerabilities are already fixed. And because the IDS searches only for some known string it is easily tricked by changing this string slightly (intentionally or not). So the most recommendable course of action is still to keep your browser updated. And if you install an IDS you should install it in your operating system so that it catches all traffic. An IDS as a browser extension misses too much and isn't very helpful.

 

This looks awesome. I'll wait till the full version comes out though. Not much of a testing guy.

 

Thanks, that's what I thought. I'll pass.

 

@ Wladimir Palant

thankyou: very useful

 

I only use Adblock to get rid of ads, so I cant say anything about adblocks security features. But Noscript does enhance my security enormously, or so I believe. When using it I never have to worry about any malware that might come from web pages. Simply because with Noscript they cant execute the scripts that brings malware. If that isnt security solution I dont know what is

Maybe I have misunderstood Noscript completely and something else (unknown to me) is preventing me from getting infected when I visit sites like those that are mentioned in the long thread about trojans on the loose or is it firefox itself that blocks malware by design, regardless of the ability to run java scripts?

 

I am quite certain that most attacks can be performed without scripts if one only tries hard enough (e.g. see http://ha.ckers.org/blog/20070228/steal-browser-history-without-javascript/ and http://ha.ckers.org/blog/20070302/portscanning-without-javascript-part-2-2/). The remaining attacks are of the kind that is fixed in Firefox before even being published (not so in Internet Explorer which is why I used to disable JavaScript back when I used it). Also, tricking a user into whitelisting a site in NoScript shouldn't be too difficult, social engineering is pretty effective. But that all is a separate and very long discussion, and off-topic here.

PS: Trojan sites tend to target Internet Explorer because it is an easy target - lots of well-known vulnerabilities, many of them open for months, lots of users using old unpatched versions. I installed Firefox on the computer of a relative after he managed to infect himself with a bad trojan after only two weeks. It has been several months now and all is quiet, despite of JavaScript and everything (automatic updates are activated of course). I installed Firefox on computers of several other unexperienced users as well and I have yet to hear of a single malware infection.

 

Since Wladimir is the developer of Adblock Plus, he should definitely know about them if they exist

But I'm also interested why Noscript in Wladimir's opinion isn't a good measure against Javascript related security leaks - given that most FF leaks are somehow related to Javascript AFAIK.

 

Sorry, Wladimir, didn't see your reply. Will look into the links provided by you.

 

Oh, and on the point of Adblock's security features - there are none

I am not sure why some people promote Adblock Plus as a security solution (amongst others the PC World magazine). One reason are probably the rare cases of malware infestation through ads. The other should be the MySpace worms where some recommendations were to block the worm's addresses. Both are more cases of being lucky rather than of benefiting from good protection.

 

This looks like a good extension looking forward to the final release.

BTW wat did u mean by Adblock Plus is not security. i think it is it protects u from pop ups.

 

You obiously didn't read the postings above.

Again - Wladimir is the programmer of Adblock Plus. He should know best what this extension can do for you and what it can't.

Popups are not so much a security issue but rather a nuisance.

 

I did it didn't say anything about the IDS extension

Who is the developers of the IDS extension?


BTW i also got Filterset.G Updater what does that give updates for the Adblock Plus?

 

Sorry. Your remark seemed to be related to the topic of this thread.

You should read http://adblockplus.org/en/faq_project#filterset.g and http://adblockplus.org/blog/filtersetg-i-call-bullshit

 

sry i meant to say i am lookig forward to the final release of the IDS extension firekeeper

 

Too bad it was fixed in firefox already, it would´ve been nice to see it working. But thanks for an interesting read.

 

It isn't fixed, see bug 147777. It is being worked on but I don't think we will see the results before Firefox 3.0 - it is a big change, too dangerous to check this in on a stable branch. The demo works for me in Firefox 2.0.0.2.

 

Most attacks? those are very specific and limited "attacks", and I'd dare to add that hardly somebody would have put any effort into developing them if NoScript did not exist in first place
That said, next NoScript release will "immunize" users from those scriptless tricks too.

Looks like you missed, for one, Zalewski recent activity, also dubbed "Month of Firefox bugs". It's not the first time and it won't be the last that Firefox vulnerabilities are published far before they're patched or even known to developers, and it will get worse and worse as Firefox's popularity grows (we're gonna have more vulnerabilities left hidden on purpose, in order to exploit them quietly for money, while ATM we mainly see "white hats" publishing them just for glory).

Are you seriously stating that Firefox community's absolute supremacy in security responsiveness (any comparison with IE is hilarious) can be enough to justify the dumbest idea in computer security?

Social engineering can also be pretty effective at stealing your purse or entering your home and then rob everything and cut your throat, but this sad truth doesn't imply leaving your door open to anybody (not even asking "who's there?") is a good idea.
Firefox is safe, but Firefox with NoScript is safer than vanilla Firefox, plain and simple.
How much safer still depends on user's smartness.
And while "educating users" is deemed another dumb idea in security, I do hope a few NoScript users at least are smart enough to take full advantage of it.

 

Giorgio, while you certainly wrote a great extension, disabling JavaScript is common practice in IE (and a usual recommendation) - aren't you giving yourself a little too much credit? My point was precisely that the percentage of users disabling JavaScript is still comparably low, that's why most exploits still require it. The two I quoted are proof-of-concept exploits, if it ever became more relevant people would develop more.

How are you going to do this? Are you going to disable multipart responses? And CSS?
Sorry but I think what dbaron is doing there with CSS is the way to go, and you cannot do this in an extension. As to port scanning - the web is broken, I don't see any good solutions At least Firefox makes it difficult by blocking a number of ports (and yes, there was a bug there that will be closed in Firefox 2.0.0.3 - and the exploit worked without JavaScript).

I didn't. I also didn't miss Firefox 2.0.0.3 release candidates that fix the new issues (the old ones have been fixed in Firefox 2.0.0.2 already). These aren't particularly critical bugs and the window of opportunity was only a few days - not really worth exploiting for that reason ("far before" is certainly an exaggeration). Note that a vulnerability comparable to the worst one reported by Zalewski (XSS through null-byte injection) has been reported for IE almost a year ago and is still unpatched - in comparison any Firefox vulnerability is absolutely worthless to blackhats.

Remember the image buffer overflows? Why don't you apply the same idea there, there could be more vulnerabilities in those images... While I recognize the advantages of keeping the attack surface low, you still have to consider whether a huge disadvantage in usability justifies a small security advantage.

PS: More links for you: Password stealing without JavaScript aka bug 371515, Anti-DNS pinning (XMLHttpRequest used in this particular attack but JavaScript is generally unnecessary).

 

Thanks, you too Wladimir.

How much common, I don't know because it's a royal PITA. Notwithstanding, you too admittedly used to bear such a sacrifice for security sake (with IE! Before NoScript!!! What a masochist ).
An usual recommendation also for Firefox, we hear it almost every time a security bullettin is issued.
Only that lately, the mantra isn't just "Disable JavaScript" anymore: they rather suggest to use NoScript. Maybe because it's deemed an... hmm... usable solution?

As you don't give yourself (neither to Rue and Sorensen before you) credit for inventing content-blocking, I don't give myself credit for "Default Deny", "Reduce attack surface" or "Whitelist executable". Both our extensions just turned those existing and valuable but quite impractical concepts into a real option for users.
IE zones have been around for a long time, and Opera 9 implements shameless rip-off features both from NoScript (Site preferences) and AdBlock (Content blocker), but their usability is near to zero.
NoScript tries to transform a "standard security recommendation", which almost nobody but hardcore geeks were willing to follow, into something bearable for mom (and for a few perverts, even pleasurable - you know, that dirty lust for control).

Amusing, the same argument most IE zealots use against Firefox: if it becomes more relevant, it will be more targeted. By this logic, we should stick with IE or at least keep Firefox secret so our ecosystem stays relatively quiet. And we should drop NoScript to prevent frustrated crackers from diverting to new techniques?

I know it very well and I agree, but I just don't want my users to wait for Firefox 3.0 (optimistically, as the bug has been reported by dbaron himself 5 years ago).
There are other ways to work around in the meanwhile.

YOU DON'T TELL ME WHAT I CAN AND WHAT I CANNOT DO!!!
Man, you kicked me into hysteria mode

I tend to agree, but I do have a solution for the time being. I'll be happy to discuss it with you as soon as NoScript 1.1.4.7 is out.
With IPV6 things will go even worse, but we -- both you and I -- will be hopefully be still here to save the world

The last two sentences are obviously false, instead
And on a side note ("eat your own dog food"), I do know core Mozilla developers who install just one extension (guess which?)
Let me repeat it once more (as it seems such an elusive concept): Firefox is safer with NoScript because "Default Permit" is the #1 dumbest idea in computer security

Now we're really comparing apples to oranges:
Images
PROS: Images are a primary feature defining the very essence of the web as we know it and the true secret mission of Firefox.
CONS: they may be exploited using quite difficult, non-portable techniques, mostly to crash your browser but in very exceptional cases to execute remote code, if and only if you or your image decoding library provider (M$ anyone?) spreaded here and there absolutely idiotic programming errors you're warned about during the very first lesson of your very first C/C++ class. On a side note, if the core browser developer team is prone to this kind of errors too, HTML or even plain text files are unsafe as well and we can shut down the WWW
Client side in-browser executable content (Java, JavaScript, Flash)
PROS: It's cool. Hey, we can do almost all the same (computational) stuff server side, but it's not so cute, snappy and... hmm... flashy?
Oh well, it's not that easy enumerating all the good things these wonderful goodies can do, simply because they're Turing complete. It's been surely a great idea embedding such powerful toys inside an HyperText browser, executing code continuously downloaded from the internet for your pleasure (you don't even need to ask or know about it). OK, it's sandboxed, but sandboxes are meant to be evaded, and many great entertainment numbers (e.g. playing with your authentication cookies, guessing your navigation history, spoofing the current web address) don't even require any privilege escalation.
How does that fascist NoScript dare to censor the creativity of script authors, who now need users to (horror!) express their consent before being awarded with the honour of watching their fireworks?
CONS: none. It's so easy imagining all the possible codepaths of an imperative, possibly dynamic, language to prevent vulnerabilities. It's far more trivial than preventing those incredibly challenging buffer overflows!

Internet is broken, but here we're talking about Her Majesty the Cosmic Perpetually Self-Gaping Great Breakage From Outer Space, no less.
Putting arbitrary user generated content from everybody and his sister all stuffed under the same domain deserves perpetual exile in the deepest of the beryllium mines on Planet Slashdot, with a ruthless CowboyNeal-shaped droid kicking your ass ad libitum.
But I'm sure you agree with me and with Saint Albert about those two things supposed to be infinite

Good night or good morning for now (5 AM here...)

 

LOL, how did this thread morph into adblock vs noscript?

 

Quick recap, then...

and so it happens...

Just not to stay totally off-topic, I'll add that I basically share Wladimir's POV about IDSs: the concept itself is #2 of The 6 dumbest ideas about computer security ("Enumerating Badness").

#1, "Default Permit", has many faces: one is "Overlooking NoScript"

 

Hello,
We got some heavy cannon on the loose here.... best to lurk and watch
Welcome, Wladimir and Giorgio, great work guys...
Mrk

 

Giorgio, I did in fact use IE's zone policies five years ago with the same effect as NoScript today. I know lots of people still do.

I didn't deny that NoScript is more usable than IE's zone policies or the "Disable JavaScript" checkbox. However, the tendency on the web is that more web sites are using JavaScript - with a good reason, with JavaScript they can provide their users a far better web experience. Surfing without JavaScript sucked five years ago, it sucks even more today. I can imagine that it looks much like this: "What, why doesn't this stupid web site work? Well, lets try to disable NoScript." If this is really a common usage pattern (which I suspect) then you aren't surfing any safer than without NoScript.

For what is worse, this model stands and falls with the security of the trusted sites - this has always been critical about IE's zone model. A single XSS hole in one of them and NoScript is worthless. Like the 8 holes I recently discovered on Yahoo that you whitelist by default - it's a pity they have been fixed already, I should have kept quiet about them . But you don't have to go that far, finding vulnerabilities on Yahoo is comparably difficult. Good that you put Mozillazine on the default exceptions list, this site is ridden with XSS holes. I'll send you a link to my demo page with a mail.

See above.

Well, then why don't you de-anonymize your email address on the server?
I wonder why Google needed JavaScript for their excellent web mail client? Maybe because without it it would be nowhere near excellent?

Hm... Privilege escalation from JavaScript? Do you have any specific vulnerability in mind (one that wouldn't require ActiveX)?

Even more so - they don't even require JavaScript
Session Fixation works without JavaScript - so much about authentication cookies. Navigation history - see posts above. Spoofing the current web address - see http://sla.ckers.org/forum/read.php?3,4318.

LOL
In the end everybody decides for himself whether he should use NoScript.

MySpace is written by incompetents, no question. But the point was that you can steal a password even without JavaScript - through a simple XSS hole, of the kind that you find in almost every site that uses server-side scripting. Yay, server-side scripting is evil!

We are in the same timezone