Yet another round of extension [Firefox] recommendations

From the blog of the developer of Adblock Plus (4/16/2007):

http://adblockplus.org/blog/yet-another-round-of-extension-recommendations

 

Interesting thoughts...

A few of mine.

From the IE perspective (not talking about the extension itself in this case), IE Tab is as safe as the user makes it. IE Tab runs under the Internet Zone (one of IE security zones) and if one takes the time to make that zone safer, then running IE in IE Tab should not pose much of a risk. Of course, if the extension has it's own issues, that's a different story...

As for NoScript, to quote Mr Palant: "People occasionally bring up the argument that they use NoScript and didn’t have a single malware infestation — but they should thank Mozilla developers, NoScript had nothing to do with it." Let's just say I could not disagree more. NoScript does make a safer browser much safer. Apparently he has never seen the POC bugs that NoScript prevents from running (until the FF developers are able patch them.)

And finally, Tab control extensions. He says they are buggy and bloated. Then I must be lucky because I wouldn't want to be without them and I've never had the first issue...

 

I don't think that statement is factually correct. To quote Mr. Palant:

Anyway, what specific POC bugs are we talking about, were they patched, and how long did it take?

 

If one searches security forums, you will find exploits listed for FF that quite often have POC's for the exploit. In a fair number of them (note, not all), users running FF with NoScript do not suffer from the issue at hand. By the same token, users running FF with default script settings do have issues. (I won't take the time to do the searching myself (the examples are out there) but here is one from last year that's fleshed out pretty well. http://www.dslreports.com/forum/remark,15959842~days=9999 )

I would never deny that one can just globally turn off scripting but what a major pain that would be (in fact, post number 4 at the link I listed) even says that's what he/she does.)

Purhaps Mr. Palant may not be far off the mark (to what exact extent, I don't know) in that most of these POCs never end up translating to real world situations. And if he's more right than wrong, I may indeed be "paranoid" (to use his word.)

But I'll still stick with my opinion that running NoScript makes FF safer than without it...

 

There is no doubt that Noscript can provide more security. You're absolutely right. But is the minor amount of protection worth the major amount of hassle? That is what he's asking.

So, in light of the above, what specific reason(s) can justify using Noscript? Those 9 potential days? Possible unreported vulnerabilities?

 

My final goal is to ditch all security extensions of Firefox and see what happens during the day. It doesn't really matter, because my computer is clean after each reboot.
I want my browser back as it was and without crippled websites.

 

Hello,

HAN, there are no non-POC vulnerabilities that can own FF. None. I have asked for those a million times. No one is able to find them. Because there are none. And most advisories are for vulnerabilities that are usually fixed within moments of being published or already fixed.

Noscript is nice to have, because it cripples annoying websites and speeds up loading, first and foremost. Second, it is a nice security tool so to speak. Third, it allows tweaking and testing of websites, which is something I like.

But in this regard, Wladimir is right. There are no exploits that could have owned your FF - and you were saved because of FF. There has yet to be a first, if ever there's gonna be one.

As to the hassle, Noscript is not a hassle. Definitely 100 times less than any anti-virus or HIPS or any such.

Mrk

 

Can't he do something about his own program before whining about other ones work?. I for one don't like all those 'exception rules' that come with it, i think it's not the developers place to decide what gets through the filter or not, i decide what's gets 'white-listed'.

Lamehand

 

XSS?

• General information
• A 45 pages thread of full disclosures, with daily update fun
• The only available client-side countermeasures

Plus all the nice things you said, of course

 

I hope you'll forgive my nostalgic reference: I don't know if you were already a Firefox user (version 1.0.3) and therefore you remember or not, but I wrote first NoScript version in a hurry, while the Mozilla community was quite in panic, as a response to this one: http://www.frsirt.com/english/advisories/2005/0493*

The bug was patched quickly as usual, but it has been there for a long time: unknown to the good guys, but what about blackhats? Can anybody swear it had not been actually exploited to install a botnet?
Honestly, I don't think it had been, on large scale at least, just because it was not convenient at that time exploiting an obscure bug in a niche browser, if compared with both the availability of IE and its gaping holes.

But then what, should we hope that Firefox remains a niche browser so its own holes aren't researched and targeted?

Remember, when you say Firefox security flaws are patched quickly you're always assuming that Mozilla developers or whitehats are the first to discover them, and you're completely ruling out the very reasonable possibility they're discovered by evil hackers and kept hidden for profits.
And as much as Firefox usage grows, this possibility becomes more and more likely.

What I tried to offer with NoScript was just an usable mean to follow the standard advice attached to almost every browser-related security advisory (included the recent Quicktime/Java vulnerability) i.e. "disable JavaScript, disable Java, disable Plugins" while keeping the functionality where it's needed.

That said for browser vulnerabilities, I think I did give you 46 pages of web (browser-independent) vulnerabilities, easily exploitable and/or already exploited for phishing, identity thief and worse, which are all prevented by NoScript

*in case you're wondering, to "inject arbitrary JavaScript code in the context of chrome" means to effectively own your browser and your system.

[EDIT] I cannot see tayres' post I'm replying to anymore? has it been deleted? why?

 

I do something different entirely. I downloaded K-Meleon several months ago, set its default configuration to run no-scripts. When I am surfing in an area where I want no scripts - I just use K-Meleon, which is already the speediest browser available.

 

@ErikAlbert: Nothing will happen at all. My girlfriend knows almost nothing about computers. She is running Firefox with nothing but Adblock Plus installed. The browser is set up to update itself automatically. Nothing happened in over two years. Note that I installed Firefox on her computer after the second malware infestation with Internet Explorer within a month or so. And I have more examples. At the moment NoScript brings very little value if you look at security.

@Lamehand: I am doing something about my work. But if you cared to look at it you probably would know that Adblock Plus comes without any filters at all. If you had filters then they were either imported from your previous Adblock installation or you chose a subscription. As far as I know authors of all recommended subscriptions only use exception rules when absolutely necessarily - and I don't remember anybody having complaints in the last few months. Note that Filterset.G is not a recommended subscription. So unless you have something more concrete you want to tell us...

@Giorgio Maone: XSS is a threat but unfortunately you didn't solve this issue - as I already pointed out...

 

... as long as you've got the very same browser habits as Wladimir's girlfriend

I never told I "solved" this issue, which can obviously be "solved" only when every web developer in the world is able to provide 100% safe code or gives up with web applications and reverts back to web sites, both options l can't see happening any time soon.

NoScript just provides the only effective protection available to date on the web user side against XSS type 1, period.

 

As I said - I have more examples. I installed Firefox on computers of several unexperienced users and none of them had any issues ever since. And - yes, I am pretty sure that some of them are browsing porn sites. What about you, do you have examples where people got infected running latest Firefox version without clicking "Yes, run this program"?

It doesn't. All it does is training users to disable XSS protection or to whitelist sites. But that's an old discussion, no point in repeating all the arguments.

 

Yes, in facts there's no point in your repeating that users are too stupid to take advantage of NoScript.
That's why I gave up answering before, and why I'll give up this time too.
I'm resigned to keep my few paranoid hackers circle, and leave you those happy adblocking masses

 

I had second thoughts about the post you quoted (but not because of anything stated ) and deleted it to rewrite entirely. Too late now.

* Hidden Firefox Vulnerabilities - This is where a good case can be made for using Noscript for security purposes. Few will disagree. The disagreement is over whether this is a special case or not (i.e., "is it worth it" or "who should use it"). Do you see it differently?

 

As a former user of TBE and current user of TMP, Id like to know if theres a similar extension you would recommend, Wladimir.

 

I doubt that I can recommend you another extension, but at the very least I should know what your requirements are. Looking at the description of TMP, "undo closed tabs" and "crash recovery" functions are already part of Firefox (and way more reliable). Tab duplication doesn't sound like something particularly useful and the other two features listed are pretty vague.

 

As I said, if by "hidden" you mean "unknown yet by the good guys", they will grow in relevance as Firefox grows in popularity.

But at this moment I'm more interested in threats that don't need a specific browser vulnerability, just relying on the fact you keep JavaScript enabled by default.
I suppose you heard about this, right? Just the marketing tip of a tumultuous underground.

@WSFuser: I'm a TMP user too, if you had no problems so far I can't see any reason to switch (especially if you managed to find your way inside its junglesque options dialog). It may be not the "cleanest" extension, but it's probably the most flexible and proven tab enhancer around.

 

@Wladimir - I mostly use the undo close, close left/right tabs, and reload all tabs menu items. And the Events, Display, and Mouse sections of TMP are what I usually customize.

@Giorgio - I dont plan on switching, but I do keep an open mind on alternatives.

 

I'm surprised that nobody mentioned Customize Google and Zotero. They're probably the most useful tools in gathering info from the web.

 

Agree. Zotero is remarkable.

@Wladimir
@Giorgio

Dont squabble you guys ( although I guess a bit of tooing and froing is good for developing both your apps )

You have both written GREAT tools.
You both offer tremendous insights on your blogs and home pages.

That article from Computer world was riddled with conflicts of interest: just ridiculous. I doubt anyone here read the pages for content: just checking in case there were any new extensions that we may not have heard of.

Anything that makes a great tool (FF) even a little better is worth it.

Very happy with both tools.

Thanks

 

By the way, Giorgio - why don't you make browsing with NoScript a little safer? It would be very easy for you, simply remove maone.net, noscript.net, informaction.com, flashgot.net from the default whitelist. Nobody needs JavaScript on these sites anyway

 

Wladimir, if I rimember correctly you are the the anti-ads but pro-AdSense guy, so you certainly understand why my AdSense-sponsored sites (and NoScript development) do benefit from being in the default whitelist...
You also know well that there's absolutely no risk in having those sites in NoScript whitelist, because even if you found a reflective XSS there, it's neutered by NoScript's XSS protection itself, and since they don't feature any user-generated content, there's no ground for persistent XSS.

Last but not least, users can easily "Forbid maone.net" or anything else with one click, if they wish.

I would be much more scared of whitelisting adblockplus.org, since you run both a forum and a blog with open comments in that domain...

 

I don't mind the ads, but I mind hypocrisy. If you say that NoScript makes browsing safer then you have to be consistent - remove anything from the whitelist that isn't absolutely necessary. I am sure there are other ways to earn money, without forcing people to go to your homepage and without manipulating download counters.

Anything you put in the list by default tends to stay there. That was even the case with the example filters in Adblock Plus that were absolutely worthless (current versions no longer add them). Note that I don't add an exception for adblockplus.org (actually, I don't add exceptions for anything), and neither will I ever have ads there - either one would make me untrustworthy.