Firekeeper IDS for FireFox

I doubt that - but I am biased because I am the developer of Adblock Plus

 

Personally I think AdBlock is pretty good, so that´s why I wondered if it was true or not. Some people even say that AdBlock is only hiding ads, but I don´t think it´s true.

 

Adblock (the old one, without "Plus") does have an option to hide the ads instead of really blocking them and this option isn't exactly well-labeled so that it is easy to misconfigure. Adblock Plus always blocks ads so that they are not downloaded at all. So yes, Maxthon's statement above is pure non-sense.

 

I have Adblock Plus on both computers and the web pages load a LOT faster then with all the ads. Some seep through but I zap them haha.

 

Nah, they are referring to the built in CSS blocking method in firefox. That only hides.

 

Wladimir, I wonder if you still stick to that opinion. In your newest article you presented a link to this excellent article which is really a scaring reading. You presented links to XSS attacks in a previous posting here yourself, and well-known RSnake was quoted in above article by saying that most websites are vulnerable to XSS. This opinion is confirmed by the German magazine "PC Professionell" which publishes an article in their 5/2007 issue about the dangers of Web 2.0. They checked about 20 websites, and although this test was only sketchy they found XSS vulnerabilities in about 50% of those sites. And you know quite well that there have been hundreds of reported XSS attacks in the past, let alone the ones that have never been disclosed.

All in all, it's rather clear that this threat is not only theoretical but reality, and that we will have to live with it for a long time.

Now, with the new Noscript versions that have XSS counter-measures which seem to be rather effective - would you still talk about "another round of madness" as you did in your blog? If the XSS threat is becoming a growing problem, aren't these counter-measures absolutely legitimate and necessary? Especially since the side effects are relatively small in my experience (and Giorgio is still fine-tuning this new approach so further improvements can be expected).

Wladimir, I usually love to read your blog - but in this case I'm unable to reproduce the logic of your arguments.

 

Yes, my opinion on this didn't change. XSS is a very common problem, and I think that Jeremiah Grossman's statement about 80% of sites being vulnerable to XSS is correct. If anything, it is an understatement. So far XSS hasn't been exploited too much (except for a few XSS worms and phishing mail) but this problem will become more and more important in future.

So I don't say that you should not do anything about XSS. I just say that what NoScript is doing will not solve anything. I see statements on RSnake's forum like "I turned it off. I got too many errors with it." Mind you, these are security specialists. If they cannot stand this "protection", how are regular users supposed to use it?

Then, I got some confirmation about my assumption - most people who use NoScript will turn it off if it is seems to break something. This doesn't happen without a reason, NoScript breaks things far too often without a good reason, so people get conditioned to turn it off. And that means that you are no safer with NoScript than you are without.

Finally, NoScript doesn't solve the XSS problem and it doesn't even try. It attempts to prevent XSS'ing into whitelisted sites, which is a simple way to work around NoScript. Applying the same concept to the entire web would only result in people uninstalling NoScript - because it breaks the web.

Now to the real solutions. There have been a few changes in Firefox recently that make it harder to exploit XSS vulnerabilities. More are to follow, e.g. three of my patches are awaiting review and I was told that they are wanted for Firefox 2 as well. New features that will help web sites protect against XSS are planned for Firefox 3 and Firefox 4, and there seems to be much more discussion on that topic.

However, all this will only help sites which are aware of the problem and try to do something about it. Effective XSS protection is currently very hard because it is such a wide topic. You cannot expect every web developer to study all the different ways in which a site can be compromised. So if protecting against XSS can be made simpler many sites will be helped. But I don't believe that a site that doesn't validate user input in any way (still very common) can be helped. So to get rid of XSS browser vendors and web developers must work together - that's the only solution.

 

Agreed. I was only puzzled because you wrote in your blog that "it seems that NoScript is a solution in search of a problem". You might argue if Giorgio's XSS counter-measures are the right ones - but why is he "in search of a problem"

That's not my experience. Maybe I'm just going to the "wrong" sites . I just had some occurrences, and the examples presented in your blog are no longer a problem in the newest version since Giorgio did and is still doing some fine-tuning for this new technology.

Another thesis I don't support. For me, all sites work with Noscript if I want them to work. And if really most users turn it off after some time (I doubt that) - what does that prove? I'm one of the few posters here in this forum who advocates the use of a limited user account in Windows. But at least 95% of all other posters here don't follow me because they say: It's so complicated, it breaks many application, and so forth. Does that mean that using a user account is worthless from a security standpoint? Of course not. The same true for Noscript.

Nobody (including Giorgio) ever said that Noscript is the final solution for the XSS problem.

Indeed, and that's the only thing that can be expected. And I think it's doing well what it does - which doesn't mean that there is no room for improvement.

That's good to read! But:

Absolutely! But I'm afraid that it will take a long time until all web admins will be aware of this problem and will have the knowledge to circumvent it. And don't forget: Firefox is not the only browser in this world - are you sure that Microsoft is joining you on your trip (and the majority of websites is still optimized for IE!)? That's why I'm convinced that Noscript with its XSS counter-measures is still important. It might not be the right tool for everyone - these people have to bear the consequences.

 

The quote about issues with XSS countermeasures was about the newest version - there was a lot more complaining about the previous version of course that simply had a bug that sometimes prevented you from logging in on whitelisted sites.

No, I didn't mean that XSS countermeasures are a solution in search of a problem. They have a clearly defined problem: by using an XSS hole in one of the sites in the default whitelist any site can easily run JavaScript despite NoScript. I found an XSS hole in one of Giorgio's own sites as proof-of-concept (actually two but the second could not be exploited). That's what this XSS protection is meant to fix and nothing else. A solution in search of a problem however is NoScript itself. It tries to create this problem by suggesting that you are not safe if you run Firefox with JavaScript enabled. This is far from being true but some people believe this unfortunately. Of course you are somewhat more vulnerable with JavaScript but at the moment this stands in no proportion to the inconvenience of surfing without JavaScript.

I am ready to admit that there are some people who like you have no issues using NoScript - but I doubt that they are many. I also admit that I am one of those Windows users who use an administrator account. So far it seems that using a proper browser, updating the system whenever necessary, not forgetting about your firewall and being careful with what you download is already a sufficient security solution. I am confident that my system will not be compromised, but if it ever happens there will be not much difference whether it will be an admin account or a restricted account. At least not enough difference to justify some major inconveniences. So yes, unless using a restricted account on Windows will become significantly less problematic I don't see much value in this solution (note that I always use a restricted account on Linux).

Finally: sure, XSS is a relatively new problem and awareness comes slowly. Five years ago nobody knew about it and not even the security experts understood the implications. This is changing now. And all browser vendors will have to follow, even Microsoft. Firefox has had a head start but I definitely expect Microsoft to adopt most of these solutions as pressure rises. But that's off-topic anyway - or have you heard of plans to port NoScript to Internet Explorer?

Looking at your response again, you might have the misconception that disabling JavaScript gets rid of XSS. Yet despite the name there is more to XSS than scripting. We have already seen attackers injecting pure HTML without any JavaScript, mainly for phishing schemes at the moment. XSS can also be exploited for defacement, making web sites display manipulated information - again without any JavaScript.

 

Without having to read this whole thread.... What is the verdict on Firekeeper IDS for FireFox?

Use it or not?

Sorry, just too lazy to sift through this thread!

 

I was the only one criticizing the concept of Firekeeper, and I recognized that I misunderstood the idea after author's comments here. But Firekeeper is in very early alpha stages at the moment so that it isn't really useful for anything but testing the concept.

 

Thanks! Will keep an eye on it... And thanks for adblock plus by the way!

 

You will probably change your mind after reading XSS sample using Zone Alarm link.

In particular regarding these two posts

https://www.wilderssecurity.com/showpost.php?p=1002678&postcount=38

https://www.wilderssecurity.com/showpost.php?p=1002745&postcount=41 (My bold red)

Mike