Firekeeper IDS for FireFox

Discussion in 'other anti-malware software' started by Longboard, Mar 10, 2007.

Thread Status:
Not open for further replies.
  1. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I tend to agree with both, and both fail to see something, exactly because you're so immersed in this (you're developers).

    NoScript isn't the solution for everything, and it depends on the user, correct.
    But that really doesn't desqualify it as a security measure. Everything else also depends on the user, does that mean that firewalls (configuration depends on user) and Anti-Spyware (it isn't a solution for everything either) aren't security solutions?

    And Giorgio Maone, why do you think Opera's site preferences are a rip off?
    :D
    Is it not an obviously predictable feature in all browsers?

    (yes, i use Opera)
     
  2. tlu

    tlu Guest

    Exactly my thoughts. Using Noscript or any other extension/tool doesn't mean that the user can disable "brain.exe".
     
  3. Wladimir Palant

    Wladimir Palant Registered Member

    Joined:
    Mar 11, 2007
    Posts:
    25
    The difference to firewalls is the value/cost ratio.

    Firewalls: value is high, going without one will likely result in malware infections. Cost is low, most of the time the firewall is sitting in background silently and doesn't bother the user. Breakage by firewalls is comparably rare.

    NoScript: value is low for the reasons outlined above - users are conditioned to disable NoScript when something appears to be broken, the vulnerabilities NoScript protects you from are rarely critical and/or open long enough to be abused by somebody (great work on the side of Gecko developers here). Furthermore, I sent Giorgio a demo that works around NoScript quite trivially without requiring any user action - and that is a problem with the whole concept, I am looking forward to the answer. So the added security value is very low. The cost on the other hand is extremely high. Disabling JavaScript will break most web sites and make web surfing much less comfortable.

    Of course everybody decides for himself which value/cost ratio is still high enough for him. But promoting NoScript as the ultimate security solution is certainly wrong, it creates a false sense of security.
     
  4. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Ok, i'll wait for his response.
    But one note (granted, it's a choice of words):
    Not disabling NoScript, but allowing the site we want to work, temporarily or add to whitelist. With NoScript. Again, only words, but it's better this way:)
     
  5. tlu

    tlu Guest

    Wladimir, you're exaggerating. I agree that Noscript is no fool-proof solution (that's why I said that one shouldn't turn off brain.exe). But let's face reality: It's true that there are cases where "trustworty" sites, where you possibly would have enabled JS, had been hacked - Noscript wouldn't have been a protection against attacks in these cases. But they are extremely rare. On the other hand, Noscript is especially valuable for sites which I load the first time (e.g. via googleing around) - they are not trustworthy by definition, and I have the chance to deliberately decide what to do. Without Noscript I wouldn't have.

    Regarding comfort: I guess most of us surf the same sites 85% of their time. If you enable JS for these (trustworthy and hopefully not hacked) sites and just put Doubleclick, Googleanalytocs and the like on Noscript's blacklist you won't suffer any setback in comfort.


    So do I. If the demo really works, I hope that Giorgio will find a solution for this, too.
     
  6. Wladimir Palant

    Wladimir Palant Registered Member

    Joined:
    Mar 11, 2007
    Posts:
    25
    tlu, I am talking about XSS (Cross-Site Scripting) vulnerabilities and those are very common. Mozillazine is full with them, the admins there either don't know about XSS or don't consider it a threat. But you can find some on Yahoo (without much trouble) and Google (you have to search for a while) as well. If you don't publish the vulnerability chances are that you will be able to abuse it for a few months.

    I am discussing this with Giorgio on IRC right now. He has some ideas, I have some counter-arguments, we'll see what comes out of it.
     
  7. Giorgio Maone

    Giorgio Maone Developer

    Joined:
    Mar 13, 2007
    Posts:
    27
    BTW, just before starting my conversation with Wladimir, I was issuing an advisory to erase mozillazine.org from the whitelist. It works just fine with JS disabled, it was only a courtesy for their AdSense revenue.

    Back to Wladimir :)
     
  8. tlu

    tlu Guest

    Thanks - done.

    Yeah - if your collaboration ...aargh, cooperation :D will result in an even better Noscript, none of us users will complain :thumb: Good luck!
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Just keep up the good work guys. Browsing has never been safer, more productive and enjoyable than with Firefox + NoScript+ Adblock Plus.
    Thanks for the efforts.
     
  10. Giorgio Maone

    Giorgio Maone Developer

    Joined:
    Mar 13, 2007
    Posts:
    27
    Adblock Plus Vs NoScript, epilogue (?)

    As you already know, Wladimir and I had a pleasant and frank chat together this afternoon.
    Wladimir is going to blog about some of the topics we covered.
    I'd be very happy if I had time to start a blog (and I'm struggling to find it as soon as possible) but a short and hopefully objective report follows here:
    • Despite the title of this post (an homage to the general dramatic perception of this thread), we did not spend a word about AB+ because it is not and it doesn't want to be a security tool (it's not its purpose).
    • NoScript can't currently protect you against XSS attacks targeted to a whitelisted site.
      This is a well known issue of domain-based security models, but maybe the user base is not aware enough that if even just one of the sites in your whitelist is vulnerable to an XSS attack, NoScript protection is considerably weakened: specifically, the attacker can launch from its blacklisted site a script executed in the context of the vulnerable whitelisted site.
      Of course, the culprit is a security vulnerability of the target site, not a fault of NoScript neither of Firefox, but the effect is that any site aware of the website bug can take advantage of it, working around NoScript against users who trust the buggy site.
    • What should we do about that?
      According to Wladimir, NoScript is broken without hope: if its security advantage is lost as soon as a whitelisted site is compromised, it's not worth the effort.
      My opinion is obviously different, even if moving from the same premises: we should cut down our whitelists as much as possible, using Temporary Allow and only if scripts are strictly mandatory for operating a site you know.
      If the compromised site is not on your whitelist, XSS attacks will fail.
      That said, I'm also actively developing and testing prevention measures for notable XSS vectors, and I'll progressively implement them into NoScript, keeping you posted. These new features can't obviously surrogate the IT departments (or the billing departments, if you prefer) of the companies you decide to trust (and yes, it happened also to Google and Yahoo). Please sue them, if you've got problems from any XSS attack exploiting their bugs. I (and Wladimir, perhaps) will be glad to help for a modest fee ;)
    • We also talked about scriptless attacks, and specifically about scriptless port scanning. I won't dig into the technical details here yet, but we more or less agreed my solution can be satisfactory (at least until IPV6, as I anticipated in a previous post of mine).
    • In the end, Wladimir opinion seems to be "NoScript is better than nothing, if you can bear it" (but his blog post will obviously speak more authoritatively than my impression).
      I'm still convinced that NoScript makes Firefox safer, even if keeping brain.exe enabled (as tlu brilliantly put it) plays a greater role in NoScript's effectiveness than it's generally perceived.
    Back at work, now (and it's a lot, my friends!) :-*
     
  11. Wladimir Palant

    Wladimir Palant Registered Member

    Joined:
    Mar 11, 2007
    Posts:
    25
    Thanks, Giorgio, that's more or less it. Only two clarifications (just to be sure): your port scanning idea solves one part of the problem but we agreed that it is certainly better than nothing. And I stick to my opinion that there is little value added by disabling JavaScript even though removing the default whitelist in NoScript is a big improvement. But it is up to the user to decide whether this added value is enough justification for him.

    Also, there are ways to use Adblock Plus to improve security, especially once it gets a few new features that I am currently working on - but it isn't the usual usage patterns. I think I will write about that in my blog post and I should find time to create a proper documentation once these features are there.
     
  12. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    How about something for the desktop, not an extension?:p
    (i use Opera... sometimes FF...)
     
  13. IceDogg

    IceDogg Registered Member

    Joined:
    Mar 21, 2006
    Posts:
    26
    Location:
    Arkansas
    I have to say it was nice to see you both make your points, keep to the subject and not lower yourself to name calling or other childish junk. I hold both you in high regard because of the work you have done. I hope better things come out of your chatting and voicing of opinions.
     
  14. Wladimir Palant

    Wladimir Palant Registered Member

    Joined:
    Mar 11, 2007
    Posts:
    25
  15. tlu

    tlu Guest

    Wladimir, Giorgio,

    Thanks, guys, for this highly interesting and prolific discussion - I'm glad that I pointed Giorgio to this thread :)

    I guess, we are all eagerly awaiting the next Noscript version. It will probably prove that it makes a lot of sense that two of the most brilliant FF extension developers talk to each other from time to time.
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Agreed ;)
     
  17. jwrobel

    jwrobel Registered Member

    Joined:
    Mar 18, 2007
    Posts:
    1
    Location:
    Krakow
    Hi,

    I've found your discussion on this forum and I would like to add few
    words in Firekeeper's defence. The main goal of Firekeeper is to
    detect and block malicious sites not to protect Firefox against
    unpatched vulnerabilities. Running IDS outside a browser is not so
    useful in protecting against such sites. Protection requires some user
    interaction, user should have an ability to decide what to do with
    suspicious site (block it or not). It is hard to achieve such
    interaction in a convenient way if IDS/IPS is not integrated within a
    browser. It is easy to bypass general purpose IDS by encrypting or
    compressing HTTP traffic. Firekeeper has access to decrypted and
    decompressed data.

    Now Firekeeper rules are detecting only some old attacks, but this is
    an alpha release and most efforts are focused on developing engine
    code not rules. Of course, not every attack is possible to be detected
    in this way, but some are. Javascript is a really flexible language but so
    are regular expressions used by Firekeeper and I think it makes
    Firekeeper quite a powerful tool (Take a look at short tutorial that
    shows how to detect attacks related to one of bugs discovered recently
    by Michal Zalewski: http://firekeeper.mozdev.org/rule_writing_howto.html)

    Let me cite 3 questions and answers from Firekeeper FAQ:

    "What is Firekeeper?
    Firekeeper is an Intrusion Detection and Prevention System integrated
    within Firefox. Its main goal is to detect and inform the user about
    malicious sites that are trying to use some known browsers
    vulnerabilities to get control over the user's machine or to do some
    other suspicious action."

    "What Firekeeper is not?
    Firekeeper is not an enhancement of Firefox patch process. Although,
    it can be useful to protect a browser against attacks utilising some
    newly found, not yet fixed browser bugs, but it is not its main and
    most useful application."

    and also "Why Firekeeper approach is useful?
    Today's common approach to protect browsers is just to patch them as
    soon as possible when new bug is found. When the user visits a
    malicious site she usually never learns about it, information about
    suspicious action is lost. In contrast, Firekeeper approach is to
    inform the user about every recognisable attack attempt even when
    user's browser is not vulnerable to this particular attack. It is
    important, because next time user visits the same malicious site, it
    can use different attack and this time user's system can be vulnerable
    to it. With Firekeeper user can block the site first time she visits
    it and never come back to it again."

    Cheers,
    Jan Wrobel
     
  18. Wladimir Palant

    Wladimir Palant Registered Member

    Joined:
    Mar 11, 2007
    Posts:
    25
    Thanks for this explanation, Jan. That makes sense. However, in that case the more general rules have to be removed - using document.domain is certainly not a sign of a malicious web site.
     
  19. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,227
    Location:
    Sydney, Australia
    This has been a great thread
    thanks to all three of you.
    Very illuminating discussions.

    There is a thread here: Must have FF extensions
    You both feature prominently. :)

    Already have the ABP and NoScript running: obvious improvements to MY benefit happening :Thanks Giorgio and Wladimir: the whole user base of FF owes you :D

    Jan: looking forward to seeing the development go on.

    Really wonderful efforts.
    Heh: Brain.exe = Wetware online.

    Respect.
     
  20. Giorgio Maone

    Giorgio Maone Developer

    Joined:
    Mar 13, 2007
    Posts:
    27
    Good news: Latest NoScript development version (a release candidate, actually) features effective anti-XSS countermeasures neutralizing reflective XSS attacks launched as a NoScript evasion attempt :)
     
  21. Wladimir Palant

    Wladimir Palant Registered Member

    Joined:
    Mar 11, 2007
    Posts:
    25
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,373
    Location:
    The Netherlands
    I have to say that NoScript is a great tool but I agree with the fact that it´s not really a bulletproof security solution. Because sometimes you have no other choice than to enable scripting because otherwise a site won´t work. This means that you can still get exploited, correct? But the new protection feature against XSS sounds really interesting. :)

    Btw, I have disabled scripting in all of my browsers (Maxthon, FF and Opera) not so much for security but more for speed. I´ve noticed that websites load like 10 times faster, amazing. That´s why a tool like NoScript is so cool, you can allow only a couple of your favorite sites to use script, and enjoy full surfing speed for all others. I really hate Javascript. :thumbd:
     
    Last edited: Mar 27, 2007
  23. Wladimir Palant

    Wladimir Palant Registered Member

    Joined:
    Mar 11, 2007
    Posts:
    25
    The increased speed is not because JavaScript is slow per se - it is because these scripts have to load from third-party servers. If you block the scripts in Adblock Plus you will see the same effect (and even more because you can block frames and images as well).
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,373
    Location:
    The Netherlands
    I really didn´t now this, but can´t browsers be improved to render javascript more quickly? Overall I still think that javascript is not needed most of the time, most sites would work just fine without these nonsense. It would be cool however if for example GreaseMonkey scripts could somehow still work with scripting disabled, but I guess I´m saying something stupid now, is this even possible?
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,373
    Location:
    The Netherlands
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.