Firekeeper IDS for FireFox

[Longboard]

This might be interesting devt:
http://firekeeper.mozdev.org/index.html

Would this offer any better protection in general than FF itself with NoScript and AdBlock plus. ??

alpha version only.

I dont think I could get the test pages links to do anything in FF
(did not test with IE6)

[sukarof]

Interesting. I installed it. The options in the extension are grayed so I cant change anything...
Well, I´ll run it for a while and see if it does anything useful

[Wladimir Palant]

Neither Adblock Plus nor NoScript are really security solutions, they will rarely be helpful when it comes to security. But this FireKeeper extension doesn't seem to make much sense either. It is a classical IDS, routes all HTTP traffic through itself and looks for suspicious strings. The rules come from snort and are meant for all browsers - most entries refer to vulnerabilities in Internet Explorer or plugins (note that plugins download their data themselves so that this extension won't help). There are only two rules that are related to Mozilla. One is an ancient bug in Mozilla 1.0 (the Suite, not Firefox). The other is document.domain JavaScript property. By design document.domain could in fact be an issue but disabling it will break a number of major sites (I tried). And anyway, it is better to disable document.domain using CAPS since the IDS can easily be tricked by changing the code on the page slightly (and JavaScript is a very flexible language, you can write the same thing in many different ways).

This rules list is compiled from published vulnerabilities - but the vast majority of published Firefox vulnerabilities are already fixed. And because the IDS searches only for some known string it is easily tricked by changing this string slightly (intentionally or not). So the most recommendable course of action is still to keep your browser updated. And if you install an IDS you should install it in your operating system so that it catches all traffic. An IDS as a browser extension misses too much and isn't very helpful.

[cheater87]

This looks awesome. I'll wait till the full version comes out though. Not much of a testing guy.

[Devil's Advocate]

Quote:

Originally Posted by Wladimir Palant

Neither Adblock Plus nor NoScript are really security solutions, they will rarely be helpful when it comes to security. But this FireKeeper extension doesn't seem to make much sense either. It is a classical IDS, routes all HTTP traffic through itself and looks for suspicious strings. The rules come from snort and are meant for all browsers - most entries refer to vulnerabilities in Internet Explorer or plugins (note that plugins download their data themselves so that this extension won't help). There are only two rules that are related to Mozilla. One is an ancient bug in Mozilla 1.0 (the Suite, not Firefox). The other is document.domain JavaScript property. By design document.domain could in fact be an issue but disabling it will break a number of major sites (I tried). And anyway, it is better to disable document.domain using CAPS since the IDS can easily be tricked by changing the code on the page slightly (and JavaScript is a very flexible language, you can write the same thing in many different ways).

This rules list is compiled from published vulnerabilities - but the vast majority of published Firefox vulnerabilities are already fixed. And because the IDS searches only for some known string it is easily tricked by changing this string slightly (intentionally or not). So the most recommendable course of action is still to keep your browser updated. And if you install an IDS you should install it in your operating system so that it catches all traffic. An IDS as a browser extension misses too much and isn't very helpful.

Thanks, that's what I thought. I'll pass.

[Longboard]

@ Wladimir Palant

thankyou: very useful

[sukarof]

Quote:

Neither Adblock Plus nor NoScript are really security solutions, they will rarely be helpful when it comes to security

I only use Adblock to get rid of ads, so I cant say anything about adblocks security features. But Noscript does enhance my security enormously, or so I believe. When using it I never have to worry about any malware that might come from web pages. Simply because with Noscript they cant execute the scripts that brings malware. If that isnt security solution I dont know what is

Maybe I have misunderstood Noscript completely and something else (unknown to me) is preventing me from getting infected when I visit sites like those that are mentioned in the long thread about trojans on the loose or is it firefox itself that blocks malware by design, regardless of the ability to run java scripts?

[Wladimir Palant]

I am quite certain that most attacks can be performed without scripts if one only tries hard enough (e.g. see http://ha.ckers.org/blog/20070228/st...ut-javascript/ and http://ha.ckers.org/blog/20070302/po...ript-part-2-2/). The remaining attacks are of the kind that is fixed in Firefox before even being published (not so in Internet Explorer which is why I used to disable JavaScript back when I used it). Also, tricking a user into whitelisting a site in NoScript shouldn't be too difficult, social engineering is pretty effective. But that all is a separate and very long discussion, and off-topic here.

PS: Trojan sites tend to target Internet Explorer because it is an easy target - lots of well-known vulnerabilities, many of them open for months, lots of users using old unpatched versions. I installed Firefox on the computer of a relative after he managed to infect himself with a bad trojan after only two weeks. It has been several months now and all is quiet, despite of JavaScript and everything (automatic updates are activated of course). I installed Firefox on computers of several other unexperienced users as well and I have yet to hear of a single malware infection.

[tlu]

Quote:

Originally Posted by sukarof

I only use Adblock to get rid of ads, so I cant say anything about adblocks security features.

Since Wladimir is the developer of Adblock Plus, he should definitely know about them if they exist

But I'm also interested why Noscript in Wladimir's opinion isn't a good measure against Javascript related security leaks - given that most FF leaks are somehow related to Javascript AFAIK.

[tlu]

Quote:

Originally Posted by tlu

But I'm also interested why Noscript in Wladimir's opinion isn't a good measure against Javascript related security leaks - given that most FF leaks are somehow related to Javascript AFAIK.

Sorry, Wladimir, didn't see your reply. Will look into the links provided by you.

[Wladimir Palant]

Oh, and on the point of Adblock's security features - there are none

I am not sure why some people promote Adblock Plus as a security solution (amongst others the PC World magazine). One reason are probably the rare cases of malware infestation through ads. The other should be the MySpace worms where some recommendations were to block the worm's addresses. Both are more cases of being lucky rather than of benefiting from good protection.

[chaos16]

This looks like a good extension looking forward to the final release.

BTW wat did u mean by Adblock Plus is not security. i think it is it protects u from pop ups.

[tlu]

Quote:

Originally Posted by chaos16

This looks like a good extension looking forward to the final release.

You obiously didn't read the postings above.

Quote:

BTW wat did u mean by Adblock Plus is not security. i think it is it protects u from pop ups.

Again - Wladimir is the programmer of Adblock Plus. He should know best what this extension can do for you and what it can't.

Popups are not so much a security issue but rather a nuisance.

[chaos16]

I did it didn't say anything about the IDS extension

Who is the developers of the IDS extension?


BTW i also got Filterset.G Updater what does that give updates for the Adblock Plus?

[tlu]

Quote:

Originally Posted by chaos16

I did it didn't say anything about the IDS extension

Sorry. Your remark seemed to be related to the topic of this thread.

Quote:

BTW i also got Filterset.G Updater what does that give updates for the Adblock Plus?

You should read http://adblockplus.org/en/faq_project#filterset.g and http://adblockplus.org/blog/filtersetg-i-call-********

[chaos16]

sry i meant to say i am lookig forward to the final release of the IDS extension firekeeper

[sukarof]

Quote:

Originally Posted by Wladimir Palant

I am quite certain that most attacks can be performed without scripts if one only tries hard enough (e.g. see http://ha.ckers.org/blog/20070228/st...ut-javascript/

Too bad it was fixed in firefox already, it would´ve been nice to see it working. But thanks for an interesting read.

[Wladimir Palant]

Quote:

Originally Posted by sukarof

Too bad it was fixed in firefox already, it would´ve been nice to see it working.

It isn't fixed, see bug 147777. It is being worked on but I don't think we will see the results before Firefox 3.0 - it is a big change, too dangerous to check this in on a stable branch. The demo works for me in Firefox 2.0.0.2.

[Giorgio Maone]

Quote:

Originally Posted by Wladimir Palant

I am quite certain that most attacks can be performed without scripts if one only tries hard enough (e.g. see http://ha.ckers.org/blog/20070228/st...ut-javascript/ and http://ha.ckers.org/blog/20070302/po...ript-part-2-2/).

Most attacks? those are very specific and limited "attacks", and I'd dare to add that hardly somebody would have put any effort into developing them if NoScript did not exist in first place
That said, next NoScript release will "immunize" users from those scriptless tricks too.

Quote:

Originally Posted by Wladimir Palant

The remaining attacks are of the kind that is fixed in Firefox before even being published (not so in Internet Explorer which is why I used to disable JavaScript back when I used it).

Looks like you missed, for one, Zalewski recent activity, also dubbed "Month of Firefox bugs". It's not the first time and it won't be the last that Firefox vulnerabilities are published far before they're patched or even known to developers, and it will get worse and worse as Firefox's popularity grows (we're gonna have more vulnerabilities left hidden on purpose, in order to exploit them quietly for money, while ATM we mainly see "white hats" publishing them just for glory).

Are you seriously stating that Firefox community's absolute supremacy in security responsiveness (any comparison with IE is hilarious) can be enough to justify the dumbest idea in computer security?

Quote:

Originally Posted by Wladimir Palant

Also, tricking a user into whitelisting a site in NoScript shouldn't be too difficult, social engineering is pretty effective.

Social engineering can also be pretty effective at stealing your purse or entering your home and then rob everything and cut your throat, but this sad truth doesn't imply leaving your door open to anybody (not even asking "who's there?") is a good idea.
Firefox is safe, but Firefox with NoScript is safer than vanilla Firefox, plain and simple.
How much safer still depends on user's smartness.
And while "educating users" is deemed another dumb idea in security, I do hope a few NoScript users at least are smart enough to take full advantage of it.

[Wladimir Palant]

Giorgio, while you certainly wrote a great extension, disabling JavaScript is common practice in IE (and a usual recommendation) - aren't you giving yourself a little too much credit? My point was precisely that the percentage of users disabling JavaScript is still comparably low, that's why most exploits still require it. The two I quoted are proof-of-concept exploits, if it ever became more relevant people would develop more.

Quote:

Originally Posted by Giorgio Maone

That said next NoScript release will "immunize" users from those scriptless tricks too.

How are you going to do this? Are you going to disable multipart responses? And CSS?
Sorry but I think what dbaron is doing there with CSS is the way to go, and you cannot do this in an extension. As to port scanning - the web is broken, I don't see any good solutions At least Firefox makes it difficult by blocking a number of ports (and yes, there was a bug there that will be closed in Firefox 2.0.0.3 - and the exploit worked without JavaScript).

Quote:

Originally Posted by Giorgio Maone

Looks like you missed, for one, Zalewski recent activity, also dubbed "Month of Firefox bugs".

I didn't. I also didn't miss Firefox 2.0.0.3 release candidates that fix the new issues (the old ones have been fixed in Firefox 2.0.0.2 already). These aren't particularly critical bugs and the window of opportunity was only a few days - not really worth exploiting for that reason ("far before" is certainly an exaggeration). Note that a vulnerability comparable to the worst one reported by Zalewski (XSS through null-byte injection) has been reported for IE almost a year ago and is still unpatched - in comparison any Firefox vulnerability is absolutely worthless to blackhats.

Quote:

Originally Posted by Giorgio Maone

Are you seriously stating that Firefox community's absolute superior security responsiveness (any comparison with IE is hilarious) is enough to justify the dumbest idea in computer security?

Remember the image buffer overflows? Why don't you apply the same idea there, there could be more vulnerabilities in those images... While I recognize the advantages of keeping the attack surface low, you still have to consider whether a huge disadvantage in usability justifies a small security advantage.

PS: More links for you: Password stealing without JavaScript aka bug 371515, Anti-DNS pinning (XMLHttpRequest used in this particular attack but JavaScript is generally unnecessary).

[Giorgio Maone]

Quote:

Originally Posted by Wladimir Palant

Giorgio, while you certainly wrote a great extension

Thanks, you too Wladimir.

Quote:

Originally Posted by Wladimir Palant

Disabling JavaScript is common practice in IE (and a usual recommendation)

How much common, I don't know because it's a royal PITA. Notwithstanding, you too admittedly used to bear such a sacrifice for security sake (with IE! Before NoScript!!! What a masochist ).
An usual recommendation also for Firefox, we hear it almost every time a security bullettin is issued.
Only that lately, the mantra isn't just "Disable JavaScript" anymore: they rather suggest to use NoScript. Maybe because it's deemed an... hmm... usable solution?

Quote:

aren't you giving yourself a little too much credit?

As you don't give yourself (neither to Rue and Sorensen before you) credit for inventing content-blocking, I don't give myself credit for "Default Deny", "Reduce attack surface" or "Whitelist executable". Both our extensions just turned those existing and valuable but quite impractical concepts into a real option for users.
IE zones have been around for a long time, and Opera 9 implements shameless rip-off features both from NoScript (Site preferences) and AdBlock (Content blocker), but their usability is near to zero.
NoScript tries to transform a "standard security recommendation", which almost nobody but hardcore geeks were willing to follow, into something bearable for mom (and for a few perverts, even pleasurable - you know, that dirty lust for control).

Quote:

My point was precisely that the percentage of users disabling JavaScript is still comparably low, that's why most exploits still require it. The two I quoted are proof-of-concept exploits, if it ever became more relevant people would develop more.

Amusing, the same argument most IE zealots use against Firefox: if it becomes more relevant, it will be more targeted. By this logic, we should stick with IE or at least keep Firefox secret so our ecosystem stays relatively quiet. And we should drop NoScript to prevent frustrated crackers from diverting to new techniques?

Quote:

Originally Posted by Wladimir Palant

Sorry but I think what dbaron is doing there with CSS is the way to go

I know it very well and I agree, but I just don't want my users to wait for Firefox 3.0 (optimistically, as the bug has been reported by dbaron himself 5 years ago).
There are other ways to work around in the meanwhile.

Quote:

Originally Posted by Wladimir Palant

and you cannot do this in an extension

YOU DON'T TELL ME WHAT I CAN AND WHAT I CANNOT DO!!!
Man, you kicked me into hysteria mode

Quote:

Originally Posted by Wladimir Palant

As to port scanning - the web is broken, I don't see any good solutions

I tend to agree, but I do have a solution for the time being. I'll be happy to discuss it with you as soon as NoScript 1.1.4.7 is out.
With IPV6 things will go even worse, but we -- both you and I -- will be hopefully be still here to save the world

Quote:

Originally Posted by Wladimir Palant

I also didn't miss Firefox 2.0.0.3 release candidates that fix the new issues (the old ones have been fixed in Firefox 2.0.0.2 already). These aren't particularly critical bugs and the window of opportunity was only a few days - not really worth exploiting for that reason ("far before" is certainly an exaggeration).

Quote:

Originally Posted by Wladimir Palant

most attacks can be performed without scripts [...] The remaining attacks are of the kind that is fixed in Firefox before even being published

The last two sentences are obviously false, instead
And on a side note ("eat your own dog food"), I do know core Mozilla developers who install just one extension (guess which?)
Let me repeat it once more (as it seems such an elusive concept): Firefox is safer with NoScript because "Default Permit" is the #1 dumbest idea in computer security

Quote:

Originally Posted by Wladimir Palant

Remember the image buffer overflows? Why don't you apply the same idea there, there could be more vulnerabilities in those images... While I recognize the advantages of keeping the attack surface low, you still have to consider whether a huge disadvantage in usability justifies a small security advantage.

Now we're really comparing apples to oranges:
Images
PROS: Images are a primary feature defining the very essence of the web as we know it and the true secret mission of Firefox.
CONS: they may be exploited using quite difficult, non-portable techniques, mostly to crash your browser but in very exceptional cases to execute remote code, if and only if you or your image decoding library provider (M$ anyone?) spreaded here and there absolutely idiotic programming errors you're warned about during the very first lesson of your very first C/C++ class. On a side note, if the core browser developer team is prone to this kind of errors too, HTML or even plain text files are unsafe as well and we can shut down the WWW
Client side in-browser executable content (Java, JavaScript, Flash)
PROS: It's cool. Hey, we can do almost all the same (computational) stuff server side, but it's not so cute, snappy and... hmm... flashy?
Oh well, it's not that easy enumerating all the good things these wonderful goodies can do, simply because they're Turing complete. It's been surely a great idea embedding such powerful toys inside an HyperText browser, executing code continuously downloaded from the internet for your pleasure (you don't even need to ask or know about it). OK, it's sandboxed, but sandboxes are meant to be evaded, and many great entertainment numbers (e.g. playing with your authentication cookies, guessing your navigation history, spoofing the current web address) don't even require any privilege escalation.
How does that fascist NoScript dare to censor the creativity of script authors, who now need users to (horror!) express their consent before being awarded with the honour of watching their fireworks?
CONS: none. It's so easy imagining all the possible codepaths of an imperative, possibly dynamic, language to prevent vulnerabilities. It's far more trivial than preventing those incredibly challenging buffer overflows!

Quote:

Originally Posted by Wladimir Palant

Password stealing without JavaScript aka bug 371515

Internet is broken, but here we're talking about Her Majesty the Cosmic Perpetually Self-Gaping Great Breakage From Outer Space, no less.
Putting arbitrary user generated content from everybody and his sister all stuffed under the same domain deserves perpetual exile in the deepest of the beryllium mines on Planet Slashdot, with a ruthless CowboyNeal-shaped droid kicking your ass ad libitum.
But I'm sure you agree with me and with Saint Albert about those two things supposed to be infinite

Good night or good morning for now (5 AM here...)

[Devil's Advocate]

LOL, how did this thread morph into adblock vs noscript?

[Giorgio Maone]

Quote:

Originally Posted by Devil's Advocate

LOL, how did this thread morph into adblock vs noscript?

Quick recap, then...

Quote:

Originally Posted by Longboard (OP)

Firekeeper IDS for FireFox!
Would this offer any better protection in general than FF itself with NoScript and AdBlock plus. ??

Quote:

Originally Posted by Wladimir Palant (AdBlock Plus developer)

Neither Adblock Plus nor NoScript are really security solutions, they will rarely be helpful when it comes to security. But this FireKeeper extension doesn't seem to make much sense either.

Quote:

Originally Posted by sukarof

Noscript does enhance my security enormously, or so I believe. When using it I never have to worry about any malware that might come from web pages. Simply because with Noscript they cant execute the scripts that brings malware. If that isnt security solution I dont know what is

Maybe I have misunderstood Noscript completely and something else (unknown to me) is preventing me from getting infected when I visit sites like those that are mentioned in the long thread about trojans on the loose or is it firefox itself that blocks malware by design, regardless of the ability to run java scripts?

Quote:

Originally Posted by tlu

I'm also interested why Noscript in Wladimir's opinion isn't a good measure against Javascript related security leaks - given that most FF leaks are somehow related to Javascript

(posting in the NoScript Mozillazine thread)
Giorgio, it would be very interesting to read your opinion about Wladimir Palant's remarks in this thread: http://www.wilderssecurity.com/showthread.php?t=168176

and so it happens...

Just not to stay totally off-topic, I'll add that I basically share Wladimir's POV about IDSs: the concept itself is #2 of The 6 dumbest ideas about computer security ("Enumerating Badness").

#1, "Default Permit", has many faces: one is "Overlooking NoScript"

[Mrkvonic]

Hello,
We got some heavy cannon on the loose here.... best to lurk and watch
Welcome, Wladimir and Giorgio, great work guys...
Mrk

[Wladimir Palant]

Giorgio, I did in fact use IE's zone policies five years ago with the same effect as NoScript today. I know lots of people still do.

Quote:

Originally Posted by Giorgio Maone

Only that lately, the mantra isn't just "Disable JavaScript" anymore: they rather suggest to use NoScript. Maybe because it's deemed an... hmm... usable solution?

I didn't deny that NoScript is more usable than IE's zone policies or the "Disable JavaScript" checkbox. However, the tendency on the web is that more web sites are using JavaScript - with a good reason, with JavaScript they can provide their users a far better web experience. Surfing without JavaScript sucked five years ago, it sucks even more today. I can imagine that it looks much like this: "What, why doesn't this stupid web site work? Well, lets try to disable NoScript." If this is really a common usage pattern (which I suspect) then you aren't surfing any safer than without NoScript.

For what is worse, this model stands and falls with the security of the trusted sites - this has always been critical about IE's zone model. A single XSS hole in one of them and NoScript is worthless. Like the 8 holes I recently discovered on Yahoo that you whitelist by default - it's a pity they have been fixed already, I should have kept quiet about them . But you don't have to go that far, finding vulnerabilities on Yahoo is comparably difficult. Good that you put Mozillazine on the default exceptions list, this site is ridden with XSS holes. I'll send you a link to my demo page with a mail.

Quote:

Let me repeat it once more (as it seems such an elusive concept): Firefox is safer with NoScript because "Default Permit" is the #1 dumbest idea in computer security

See above.

Quote:

PROS: It's cool. Hey, we can do almost all the same (computational) stuff server side, but it's not so cute, snappy and... hmm... flashy?

Well, then why don't you de-anonymize your email address on the server?
I wonder why Google needed JavaScript for their excellent web mail client? Maybe because without it it would be nowhere near excellent?

Quote:

OK, it's sandboxed, but sandboxes are meant to be evaded

Hm... Privilege escalation from JavaScript? Do you have any specific vulnerability in mind (one that wouldn't require ActiveX)?

Quote:

and many great entertainment numbers (e.g. playing with your authentication cookies, guessing your navigation history, spoofing the current web address) don't even require any privilege escalation.

Even more so - they don't even require JavaScript
Session Fixation works without JavaScript - so much about authentication cookies. Navigation history - see posts above. Spoofing the current web address - see http://sla.ckers.org/forum/read.php?3,4318.

Quote:

How does that fascist NoScript dare to censor the creativity of script authors, who now need users to (horror!) express their consent before being awarded with the honour of watching their fireworks?

LOL
In the end everybody decides for himself whether he should use NoScript.

Quote:

Internet is broken, but here we're talking about Her Majesty the Cosmic Perpetually Self-Gaping Great Breakage From Outer Space, no less.

MySpace is written by incompetents, no question. But the point was that you can steal a password even without JavaScript - through a simple XSS hole, of the kind that you find in almost every site that uses server-side scripting. Yay, server-side scripting is evil!

Quote:

Good night or good morning for now (5 AM here...)

We are in the same timezone