Firekeeper IDS for FireFox

Discussion in 'other anti-malware software' started by Longboard, Mar 10, 2007.

Thread Status:
Not open for further replies.
  1. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I tend to agree with both, and both fail to see something, exactly because you're so immersed in this (you're developers).

    NoScript isn't the solution for everything, and it depends on the user, correct.
    But that really doesn't disqualify it as a security measure. Everything else also depends on the user, does that mean that firewalls (configuration depends on user) and Anti-Spyware (it isn't a solution for everything either) aren't security solutions?

    And Giorgio Maone, why do you think Opera's site preferences are a rip off?
    :D
    Is it not an obviously predictable feature in all browsers?

    (yes, I use Opera)
     
  2. tlu

    tlu Guest

    Exactly my thoughts. Using Noscript or any other extension/tool doesn't mean that the user can disable "brain.exe".
     
  3. Wladimir Palant

    Wladimir Palant Registered Member

    Joined:
    Mar 11, 2007
    Posts:
    25
    The difference to firewalls is the value/cost ratio.

    Firewalls: value is high, going without one will likely result in malware infections. Cost is low, most of the time the firewall is sitting in background silently and doesn't bother the user. Breakage by firewalls is comparably rare.

    NoScript: value is low for the reasons outlined above - users are conditioned to disable NoScript when something appears to be broken, the vulnerabilities NoScript protects you from are rarely critical and/or open long enough to be abused by somebody (great work on the side of Gecko developers here). Furthermore, I sent Giorgio a demo that works around NoScript quite trivially without requiring any user action - and that is a problem with the whole concept, I am looking forward to the answer. So the added security value is very low. The cost on the other hand is extremely high. Disabling JavaScript will break most web sites and make web surfing much less comfortable.

    Of course everybody decides for himself which value/cost ratio is still high enough for him. But promoting NoScript as the ultimate security solution is certainly wrong, it creates a false sense of security.
     
  4. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Ok, I'll wait for his response.
    But one note (granted, it's a choice of words):
    Not disabling NoScript, but allowing the site we want to work, temporarily or add to whitelist. With NoScript. Again, only words, but it's better this way:)
     
  5. tlu

    tlu Guest

    Wladimir, you're exaggerating. I agree that Noscript is no fool-proof solution (that's why I said that one shouldn't turn off brain.exe). But let's face reality: It's true that there are cases where "trustworthy" sites, where you possibly would have enabled JS, had been hacked - Noscript wouldn't have been a protection against attacks in these cases. But they are extremely rare. On the other hand, Noscript is especially valuable for sites which I load the first time (e.g. via googling around) - they are not trustworthy by definition, and I have the chance to deliberately decide what to do. Without Noscript I wouldn't have.

    Regarding comfort: I guess most of us surf the same sites 85% of their time. If you enable JS for these (trustworthy and hopefully not hacked) sites and just put Doubleclick, Google Analytics and the like on Noscript's blacklist you won't suffer any setback in comfort.


    So do I. If the demo really works, I hope that Giorgio will find a solution for this, too.
     
  6. Wladimir Palant

    Wladimir Palant Registered Member

    Joined:
    Mar 11, 2007
    Posts:
    25
    tlu, I am talking about XSS (Cross-Site Scripting) vulnerabilities and those are very common. Mozillazine is full of them, the admins there either don't know about XSS or don't consider it a threat. But you can find some on Yahoo (without much trouble) and Google (you have to search for a while) as well. If you don't publish the vulnerability, chances are that you will be able to abuse it for a few months.

    I am discussing this with Giorgio on IRC right now. He has some ideas, I have some counter-arguments, we'll see what comes out of it.
     
  7. Giorgio Maone

    Giorgio Maone Developer

    Joined:
    Mar 13, 2007
    Posts:
    27
    BTW, just before starting my conversation with Wladimir, I was issuing an advisory to erase mozillazine.org from the whitelist. It works just fine with JS disabled, it was only a courtesy for their AdSense revenue.

    Back to Wladimir :)
     
  8. tlu

    tlu Guest

    Thanks - done.

    Yeah - if your collaboration ...aargh, cooperation :D will result in an even better Noscript, none of us users will complain :thumb: Good luck!
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Just keep up the good work guys. Browsing has never been safer, more productive and enjoyable than with Firefox + NoScript + Adblock Plus.
    Thanks for the efforts.
     
  10. Giorgio Maone

    Giorgio Maone Developer

    Joined:
    Mar 13, 2007
    Posts:
    27
    Adblock Plus Vs NoScript, epilogue (?)

    As you already know, Wladimir and I had a pleasant and frank chat together this afternoon.
    Wladimir is going to blog about some of the topics we covered.
    I'd be very happy if I had time to start a blog (and I'm struggling to find it as soon as possible) but a short and hopefully objective report follows here:
    • Despite the title of this post (an homage to the general dramatic perception of this thread), we did not spend a word about AB+ because it is not and it doesn't want to be a security tool (it's not its purpose).
    • NoScript can't currently protect you against XSS attacks targeted to a whitelisted site.
      This is a well known issue of domain-based security models, but maybe the user base is not aware enough that if even just one of the sites in your whitelist is vulnerable to an XSS attack, NoScript protection is considerably weakened: specifically, the attacker can launch from its blacklisted site a script executed in the context of the vulnerable whitelisted site.
      Of course, the culprit is a security vulnerability of the target site, not a fault of NoScript nor of Firefox, but the effect is that any site aware of the website bug can take advantage of it, working around NoScript against users who trust the buggy site.
    • What should we do about that?
      According to Wladimir, NoScript is broken without hope: if its security advantage is lost as soon as a whitelisted site is compromised, it's not worth the effort.
      My opinion is obviously different, even if moving from the same premises: we should cut down our whitelists as much as possible, using Temporary Allow and only if scripts are strictly mandatory for operating a site you know.
      If the compromised site is not on your whitelist, XSS attacks will fail.
      That said, I'm also actively developing and testing prevention measures for notable XSS vectors, and I'll progressively implement them into NoScript, keeping you posted. These new features can't obviously surrogate the IT departments (or the billing departments, if you prefer) of the companies you decide to trust (and yes, it happened also to Google and Yahoo). Please sue them, if you've got problems from any XSS attack exploiting their bugs. I (and Wladimir, perhaps) will be glad to help for a modest fee ;)
    • We also talked about scriptless attacks, and specifically about scriptless port scanning. I won't dig into the technical details here yet, but we more or less agreed my solution can be satisfactory (at least until IPv6, as I anticipated in a previous post of mine).
    • In the end, Wladimir's opinion seems to be "NoScript is better than nothing, if you can bear it" (but his blog post will obviously speak more authoritatively than my impression).
      I'm still convinced that NoScript makes Firefox safer, even if keeping brain.exe enabled (as tlu brilliantly put it) plays a greater role in NoScript's effectiveness than it's generally perceived.
    Back at work, now (and it's a lot, my friends!) :-*
     
  11. Wladimir Palant

    Wladimir Palant Registered Member

    Joined:
    Mar 11, 2007
    Posts:
    25
    Thanks, Giorgio, that's more or less it. Only two clarifications (just to be sure): your port scanning idea solves one part of the problem but we agreed that it is certainly better than nothing. And I stick to my opinion that there is little value added by disabling JavaScript even though removing the default whitelist in NoScript is a big improvement. But it is up to the user to decide whether this added value is enough justification for him.

    Also, there are ways to use Adblock Plus to improve security, especially once it gets a few new features that I am currently working on - but it isn't the usual usage patterns. I think I will write about that in my blog post and I should find time to create a proper documentation once these features are there.
     
  12. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    How about something for the desktop, not an extension?:p
    (I use Opera... sometimes FF...)
     
  13. IceDogg

    IceDogg Registered Member

    Joined:
    Mar 21, 2006
    Posts:
    26
    Location:
    Arkansas
    I have to say it was nice to see you both make your points, keep to the subject and not lower yourself to name calling or other childish junk. I hold both of you in high regard because of the work you have done. I hope better things come out of your chatting and voicing of opinions.
     
  14. Wladimir Palant

    Wladimir Palant Registered Member

    Joined:
    Mar 11, 2007
    Posts:
    25
  15. tlu

    tlu Guest

    Wladimir, Giorgio,

    Thanks, guys, for this highly interesting and prolific discussion - I'm glad that I pointed Giorgio to this thread :)

    I guess, we are all eagerly awaiting the next Noscript version. It will probably prove that it makes a lot of sense that two of the most brilliant FF extension developers talk to each other from time to time.
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Agreed ;)
     
  17. jwrobel

    jwrobel Registered Member

    Joined:
    Mar 18, 2007
    Posts:
    1
    Location:
    Krakow
    Hi,

    I've found your discussion on this forum and I would like to add a few
    words in Firekeeper's defence. The main goal of Firekeeper is to
    detect and block malicious sites, not to protect Firefox against
    unpatched vulnerabilities. Running IDS outside a browser is not so
    useful in protecting against such sites. Protection requires some user
    interaction, user should have an ability to decide what to do with
    suspicious site (block it or not). It is hard to achieve such
    interaction in a convenient way if IDS/IPS is not integrated within a
    browser. It is easy to bypass general purpose IDS by encrypting or
    compressing HTTP traffic. Firekeeper has access to decrypted and
    decompressed data.

    Now Firekeeper rules are detecting only some old attacks, but this is
    an alpha release and most efforts are focused on developing engine
    code not rules. Of course, not every attack is possible to be detected
    in this way, but some are. Javascript is a really flexible language but so
    are regular expressions used by Firekeeper and I think it makes
    Firekeeper quite a powerful tool (take a look at the short tutorial that
    shows how to detect attacks related to one of bugs discovered recently
    by Michal Zalewski: http://firekeeper.mozdev.org/rule_writing_howto.html)

    Let me cite 3 questions and answers from Firekeeper FAQ:

    "What is Firekeeper?
    Firekeeper is an Intrusion Detection and Prevention System integrated
    within Firefox. Its main goal is to detect and inform the user about
    malicious sites that are trying to use some known browsers
    vulnerabilities to get control over the user's machine or to do some
    other suspicious action."

    "What Firekeeper is not?
    Firekeeper is not an enhancement of Firefox patch process. Although,
    it can be useful to protect a browser against attacks utilising some
    newly found, not yet fixed browser bugs, but it is not its main and
    most useful application."

    and also "Why Firekeeper approach is useful?
    Today's common approach to protect browsers is just to patch them as
    soon as possible when new bug is found. When the user visits a
    malicious site she usually never learns about it, information about
    suspicious action is lost. In contrast, Firekeeper approach is to
    inform the user about every recognisable attack attempt even when
    user's browser is not vulnerable to this particular attack. It is
    important, because next time user visits the same malicious site, it
    can use different attack and this time user's system can be vulnerable
    to it. With Firekeeper user can block the site first time she visits
    it and never come back to it again."

    Cheers,
    Jan Wrobel
     
  18. Wladimir Palant

    Wladimir Palant Registered Member

    Joined:
    Mar 11, 2007
    Posts:
    25
    Thanks for this explanation, Jan. That makes sense. However, in that case the more general rules have to be removed - using document.domain is certainly not a sign of a malicious web site.
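
Jan's point that the engine sees decompressed data, and Wladimir's objection to general rules, shown together in an added example (not part of the thread and not Firekeeper code). The rule is a plain regular expression rather than Firekeeper's rule syntax, and the sample page and all names are constructed.

```javascript
// Added illustration; RULE is a plain RegExp, not Firekeeper's rule syntax.
const zlib = require('zlib');

// Over-general rule of the kind criticised above: any assignment to document.domain.
const RULE = { name: 'uses-document.domain', pattern: /document\.domain\s*=/ };

// Constructed sample: a benign page relaxing same-origin between its own subdomains.
const BENIGN_PAGE =
  '<html><head><script>document.domain = "example.org";</script></head>' +
  '<body><p>Forum index</p><p>Forum rules</p></body></html>';

// What a sensor outside the browser sees: the bytes on the wire, read as text.
function matchOnWire(rule, wireBytes) {
  return rule.pattern.test(wireBytes.toString('latin1'));
}

// What an in-browser engine sees: the body after Content-Encoding is undone.
function matchInBrowser(rule, wireBytes, contentEncoding) {
  const body = contentEncoding === 'gzip' ? zlib.gunzipSync(wireBytes) : wireBytes;
  return rule.pattern.test(body.toString('utf8'));
}

function demo() {
  const plain = Buffer.from(BENIGN_PAGE, 'utf8');
  const gzipped = zlib.gzipSync(plain);
  return {
    wirePlain: matchOnWire(RULE, plain),               // visible when sent uncompressed
    wireGzip: matchOnWire(RULE, gzipped),              // same page, gzip: rule is blind
    browserGzip: matchInBrowser(RULE, gzipped, 'gzip') // decompressed view: rule fires
  };
}

console.log(demo());
```

The in-browser match fires on a page that does nothing malicious, which is the false positive Wladimir points out: the vantage point fixes visibility, not rule quality.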
     
  19. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    This has been a great thread
    thanks to all three of you.
    Very illuminating discussions.

    There is a thread here: Must have FF extensions
    You both feature prominently. :)

    Already have the ABP and NoScript running: obvious improvements to MY benefit happening. Thanks Giorgio and Wladimir: the whole user base of FF owes you :D

    Jan: looking forward to seeing the development go on.

    Really wonderful efforts.
    Heh: Brain.exe = Wetware online.

    Respect.
     
  20. Giorgio Maone

    Giorgio Maone Developer

    Joined:
    Mar 13, 2007
    Posts:
    27
    Good news: Latest NoScript development version (a release candidate, actually) features effective anti-XSS countermeasures neutralizing reflective XSS attacks launched as a NoScript evasion attempt :)
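
The whitelist weakness described in the "epilogue" post above, and a request check of the general kind this post refers to, as an added illustration that is not part of the thread and is not NoScript's code. The hostnames, function names and the character-stripping heuristic are assumptions.

```javascript
// Added illustration, not NoScript's code. Hostnames, names and heuristic are assumptions.
const WHITELIST = new Set(['trusted.example']); // constructed whitelist

// Domain-based model: permission depends only on the host that serves the page,
// so a script reflected by a whitelisted host runs with that host's permission.
function scriptsAllowed(url) {
  return WHITELIST.has(new URL(url).hostname);
}

// Characters needed to break out of HTML text or a quoted attribute.
const BREAKOUT = /[<>"'`]/g;

// Undo repeated percent-encoding; stop when stable or on malformed input.
function deepDecode(value, rounds = 3) {
  let out = value;
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(out); } catch (e) { break; }
    if (next === out) break;
    out = next;
  }
  return out;
}

// Inspect a navigation or load from originUrl to targetUrl.
function checkRequest(originUrl, targetUrl) {
  const target = new URL(targetUrl);
  const sameHost = new URL(originUrl).hostname === target.hostname;
  // Only untrusted -> whitelisted cross-site requests can be an evasion attempt.
  if (sameHost || scriptsAllowed(originUrl) || !scriptsAllowed(targetUrl)) {
    return { action: 'pass', flagged: [], url: targetUrl };
  }
  const clean = new URLSearchParams();
  const flagged = [];
  for (const [name, value] of target.searchParams) {
    const decoded = deepDecode(value);
    const stripped = decoded.replace(BREAKOUT, ' ');
    if (stripped !== decoded) flagged.push(name);
    clean.append(name, stripped === decoded ? value : stripped);
  }
  if (flagged.length === 0) return { action: 'pass', flagged, url: targetUrl };
  target.search = clean.toString();
  return { action: 'sanitize', flagged, url: target.href };
}

// Constructed sample: an untrusted page links to a whitelisted site with markup in a parameter.
const SAMPLE = 'http://trusted.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E&page=2';
console.log(checkRequest('http://untrusted.example/', SAMPLE));
```

The same parameter sent to a host that is not on the whitelist passes untouched, because scripts do not run there anyway; a value with a legitimate apostrophe is also rewritten, which is the usability cost of such a filter.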
     
  21. Wladimir Palant

    Wladimir Palant Registered Member

    Joined:
    Mar 11, 2007
    Posts:
    25
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I have to say that NoScript is a great tool but I agree with the fact that it's not really a bulletproof security solution. Because sometimes you have no other choice than to enable scripting because otherwise a site won't work. This means that you can still get exploited, correct? But the new protection feature against XSS sounds really interesting. :)

    Btw, I have disabled scripting in all of my browsers (Maxthon, FF and Opera) not so much for security but more for speed. I've noticed that websites load like 10 times faster, amazing. That's why a tool like NoScript is so cool, you can allow only a couple of your favorite sites to use script, and enjoy full surfing speed for all others. I really hate Javascript. :thumbd:
     
    Last edited: Mar 27, 2007
  23. Wladimir Palant

    Wladimir Palant Registered Member

    Joined:
    Mar 11, 2007
    Posts:
    25
    The increased speed is not because JavaScript is slow per se - it is because these scripts have to load from third-party servers. If you block the scripts in Adblock Plus you will see the same effect (and even more because you can block frames and images as well).
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I really didn't know this, but can't browsers be improved to render javascript more quickly? Overall I still think that javascript is not needed most of the time, most sites would work just fine without this nonsense. It would be cool however if for example GreaseMonkey scripts could somehow still work with scripting disabled, but I guess I'm saying something stupid now, is this even possible?
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands