Avast WEBforum

Other => General Topics => Topic started by: polonus on December 20, 2008, 11:32:39 PM

Title: In 2009 Firefox will have its internal firewall module!
Post by: polonus on December 20, 2008, 11:32:39 PM
Hi malware fighters,

The maker of the popular Firefox plugin NoScript next year will launch a module that will function as a kind of internal firewall inside the open-source browser. The Application Boundaries Enforcer (ABE) module is a "firewall-like component" that sets and checks boundaries for important web applications for users, like Internet banking and webmail. NoScript already can put a halt to a variety of problems like cross-site scripting, CSRF and ClickJacking, all being caused by a lack of isolation at the web application level.
Read about the project here: http://www.nlnet.nl/project/noscriptabe/

And that is a fundamental problem, according to NoScript-developer Giorgio Maone. "The web has never been invented as an application platform, it therefore lacks important modules to regulate application security. There is no definition of what a "web application" is, or set up boundaries when they run within various domains, a scenario that is quite common through "mash-ups" and "social media"."

Just as with a firewall, the rules that ABE handles can be changed quite easily. For the most popular web applications there will be rules available that can be installed automatically. Maone expects his Firefox firewall to be launched during the first quarter of the year 2009: http://hackademix.net/2008/12/20/introducing-abe/
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: bob3160 on December 20, 2008, 11:51:31 PM
Very interesting. I'm looking forward to this addition.  :)
If it's as good as the no-script plug in for FF, they'll have another winner.
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: polonus on December 21, 2008, 12:10:54 AM
Hi bob3160,

Yes you make the right observation here. Personally I think ABE will be a step in the right direction where the security of Internet transactions is concerned. It is a good idea to tackle security at the application (process) level, and put full emphasis on checking the integrity of various sources.
These are no half measures, and if this can be combined with a decent identity authentication, one could realize quite an advancement in in-browser security, and that is what this is all about,

polonus

Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: alanrf on December 21, 2008, 12:17:00 AM
I look forward to checking this out next year.

Quote
For the most popular web applications there will be rules available that can be installed automatically.

This feature will be the big plus that could lead to mass adoption.
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: polonus on December 21, 2008, 01:00:37 AM
Hi alanrf,

This project is specifically focused on developing a new web browser component called ABE, aimed to mitigate or defeat Cross Site Request Forgery (CSRF) attacks against sensitive web applications. This component will be built on the existing request interception, tracing and blocking framework of NoScript, and it will be integrated in NoScript's broader web security infrastructure, together with whitelist-based scripting, active content execution policies, anti-XSS filters, ClearClick anti-ClickJacking protection and HTTPS/Secure Cookies enhancements. After a working ABE implementation as a NoScript component gets completed, a refactoring and repackaging activity to deploy it as a separate “ABE Firefox Add-On” will be done. At the moment there are some 2.000.000 users of NoScript,

polonus
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: alanrf on December 21, 2008, 01:17:17 AM
I wonder how the number of active users (as opposed to downloads) is tracked - do you know?
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: polonus on December 21, 2008, 01:32:52 AM
Hi alanrf,

Well, this info was found here: http://www.nlnet.nl/project/noscriptabe/ so you should address your question there as to how they reached that number or what their source was to reach that number of active users.
As servers record the status of the browser with the NoScript extension running, I think it is actually not too difficult to make a fair estimate. As almost every click of a browser lands into a click-stream somewhere, then also browser configurations must not be too difficult to analyze. So the actual number might be slightly more, considering the number of users with Tor, proxified browsers etc. We live in the era of the transparent user, you know,

polonus
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: TheSpirit on December 21, 2008, 07:57:21 AM
Quote
I wonder how the number of active users (as opposed to downloads) is tracked - do you know?

When you install NoScript, you are connected to a congratulations page at NoScript.net with information about your new and previous version of NoScript. Clever. Maybe this has something to do with it. Didn't you notice?
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: Hard_ROCKER on December 21, 2008, 07:59:21 AM
Quote
I wonder how the number of active users (as opposed to downloads) is tracked - do you know?
When you install NoScript, you are connected to a congratulations page at NoScript.net with information about your new and previous version of NoScript. Clever. Maybe this has something to do with it. Didn't you notice?

How could he notice that if he doesn't use NoScript ?
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: TheSpirit on December 21, 2008, 08:04:20 AM
Quote
How could he notice that if he doesn't use NoScript ?

True. But in that case, he has no good reason not to use it since he never tried it.  ;)
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: Hard_ROCKER on December 21, 2008, 08:15:37 AM
He did try as far as i've been able to tell from his posts it's just that i guess he feels like me in this case. Which is it's not worth the hassle. I am sorry but for many of us NoScript is just too big of a pain to use. With the amount of websites i go to it's a real pain to have to allow every one of them. And i have to allow them since those scripts are there for a reason aren't they and without them the functionality of the site breaks. Besides how are you supposed to tell which script is bad or is not bad other than by reviewing it yourself which is quite a time consumer not to mention you have to be a coder to understand it. And how are you supposed to tell that one of your favorite sites which you put on the whitelist isn't infected as well ? How will NoScript protect you then ? See my point ? NoScript is useless for the average Joe in my opinion and i wouldn't recommend it to a non-geek user.


EDIT: I think i might have mistakenly mixed up the posts of alanrf and FWF in my mind, i know FWF doesn't use NoScript but i am not sure about alanrf. Sorry alanrf if you do actually use NoScript and my post is not correct ...  :)
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: TheSpirit on December 21, 2008, 08:21:04 AM
Quote
Which is it's not worth the hassle. I am sorry but for many of us NoScript is just too big of a pain to use.

Did you think that security comes free without any effort? In that case your time on this forum has been wasted.

Maybe other forums about reckless downloading are more suitable for you?
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: Hard_ROCKER on December 21, 2008, 08:27:01 AM
Quote
Which is it's not worth the hassle. I am sorry but for many of us NoScript is just too big of a pain to use.
Did you think that security comes free without any effort? In that case your time on this forum has been wasted.
Maybe other forums about reckless downloading are more suitable for you?

What does reckless downloading have to do with NoScript and my opinion on it ?
How do you know what i have learned here or that my time has been wasted ?
What makes you think that NoScript is the savior of the planet ?
Who are you to tell me where i should spend my time ?
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: Hard_ROCKER on December 21, 2008, 08:58:37 AM
What are you chickening out *again* ? C'mon let's hear you answer the questions from both of my posts. Don't know the answers do you ?


BTW you guys that use NoScript could once in a while mention that NoScript does protect you from XSS and Clickjacking attacks even if you have the all scripts allowed globally setting turned on.
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: TheSpirit on December 21, 2008, 09:05:29 AM
Quote
C'mon let's hear you answer the questions from both of my posts.

Who are you to suggest how I should use my time?   8)
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: Hard_ROCKER on December 21, 2008, 09:08:21 AM
And just how exactly is my post suggesting how you should spend your time ?
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: alanrf on December 21, 2008, 09:34:31 AM
C'mon guys we do not need this very personal sparring in the forum. 

Both of you have good points to make ... let's make these discussions - and debates about technical issues - just that and do our best to refrain from letting it become personal comments. 

(Else you will have to end up - if you have any decency and just as I had to do the other day - apologizing). 
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: Hard_ROCKER on December 21, 2008, 09:52:26 AM
alanrf what good points did he make ? I fail to see them ... And it was not me who started it on a personal level just read the whole thread please. He keeps going on a personal level in almost every post he makes btw if you haven't noticed. Enough is enough, i've been holding myself back but not anymore. Sorry it's just the way it is.

And i have no problem apologizing and never have but in this case i most certainly won't because i have nothing to apologize for and quite frankly even your suggestion that i apologize is ridiculous to me. I do appreciate your effort in trying to smooth things out though. :)
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: alanrf on December 21, 2008, 10:29:48 AM
darth_mikey,

I do not want to be rude but you are over reacting ... and yes, I can understand why you are. 

To be honest, I think you are probably right about the "who started it" questions ... but if you take a deep breath does "who started it" matter?  It takes two to slide into a personal level in this forum even if it only takes one to start it.  Heavens above I know how difficult it is to just turn the other cheek, but sometimes maybe we just need to not let such things provoke a response in kind.

TheSpirit was clearly posting from ignorance where you, keeping up with the forum, were aware that I had posted previously (more than once) about the NoScript add-on for Firefox.  You were also quite right in my assessment that this is a feature that I have described elsewhere as a non-starter, going nowhere offering for the average user of Firefox. The average user is not going to deal with the hassle of training an add-on and the ongoing forever pain of responding to every new site they visit on the Web.  Anyone who thinks this is a winner does not work with ordinary users day in day out.

Let me also say that I give great credit for the work the NoScript developers are doing ... I hope that (though I cannot easily see how) they could make this something along the lines of the very successful AdBlock Plus add-on with a pretty much (I know I am a pain about this - but it is vital to the success of security - and why products like avast succeed) "set it and forget it" approach. 

Finally to return to the main thrust of your last post ... I was not trying in my "oil on troubled waters" post to compare your responses with those of TheSpirit in this particular thread.  I was suggesting that you both bring value to this forum.  TheSpirit is newer here ... I hope that he will also get used to the forums and be better able to deal with the interplay.

At last, I did not suggest that either of you apologize ... I did suggest that if you continued down this avoidable path you might end up needing to do so.  I hope that things will work out so you do not.
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: Hard_ROCKER on December 21, 2008, 11:18:48 AM
alanrf, i've clearly stated in my post about NoScript that what i said is only my personal opinion, now why he had to take things on a personal level and "diss" my opinion is beyond me. Like i said this is not the first time he did that (not to me to others) and i am sorry but if someone disrespects me like that you can't expect me to stay quiet. Enough said about this, i won't discuss it anymore as it's pointless ...

Back on topic ... Yes i too have great respect for mr. Maone and the work he puts into NoScript but like i said i don't believe that this extension is usable for the average user however after doing a bit of research i've changed my mind. Like i mentioned in one of my posts, NoScript does offer some additional protection (XSS and ClickJacking) even if you allow all scripts globally so perhaps it's still a good idea to install it, set it to allow scripts globally (if you're like me and are annoyed by that) and i believe i will do just that. It's been a long long time since i've had it installed (when Polonus first introduced it to us yrs ago) and i see the tool has been greatly improved since then so i think it's time again i play with it and try to find out a bit more about it.
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: polonus on December 21, 2008, 02:57:33 PM
Hi darth_mikey, alanrf and The Spirit,

Let us shove emotions aside and let us look at the facts as they are presented to us. Browser security can be adopted in two ways by settings and automatically so using specific knowledge about what threats there are around the corner, when you use this insecure tool by default on the Internet.
The developers of these tools have been making tools with a lot of features, but security came into the bargain at a very late onset, so to say. Concluding the contents of this thread and listening to and knowing the lines of his contemplation, I think this is the line in which darth-mikey would operate to establish browser security. That is the model that suits him best.
On the other hand this is not the model that can be used for the average user. They lack the insight to take security measures on the OS level into their own hands (limited rights, checks for what is allowed to run (ActiveX, BHO's, toolbars, handling of messages etc. etc.)) and here the use of NoScript and/or Abe can be helpful, where in the old days we had things like Privoxy and other external filtering systems, limiting of insecure redirects etc. can enhance security. This is another model altogether and if that could be achieved on the fly and in the background like for instance an extension like Firekeeper does it, it could help a lot of users. It is a pity I tell this only for a fraction of the general user community, because the larger part of them are not aware and have the opinion a browser is only for fun and security should be provided by others. I think therefore as you listen here carefully to what is being told, there really aren't that many conflicts only the methods to achieve this secure situation may differ, but they can also enhance each other,

polonus
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: polonus on December 21, 2008, 04:01:39 PM
@alanrf

these numbers (likely estimated by defect) come from the analysis of the update pings to Mozilla's update service (which is performed only by active non-disabled add-ons) and of the web server logs for the "thanks for updating" release note page on noscript.net,

polonus
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: Go Pack Go on December 21, 2008, 04:39:50 PM
Quote
For the most popular web applications there will be rules available that can be installed automatically.

This feature will be the big plus that could lead to mass adoption.

If NoScript had a blacklist/whitelist I would use it.  It is too many decisions for the average user.
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: polonus on December 21, 2008, 05:26:34 PM
Go Pack Go,

My policy with NoScript actually is deadly simple, I block all with default settings, yes all, and only temporarily allow where I am in need of some functionality to run, in practice that is when I use web applications like webmail or a known page asks to run javascript, and for video etc. A double click on the NoScript logo is just fine. Anyone can do this, it is just the nuisance of the extra click if that is holding one back. On the other hand I do not know now how many times NoScript must have saved me, and actually NoScript has a blacklist/whitelist for what you permanently allow/disallow.

polonus
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: DavidR on December 21, 2008, 06:50:45 PM
I too have it set to block all and for the most part that is fine and I only ever have to interact and either temporarily allow or allow a site (one I will regularly visit) if it doesn't display properly, e.g. uses javascript.

So for me it isn't so much of a hassle, however, besides the whitelisting (remainder blacklisted by default) there is a means of 'importing' and exporting a whitelist, which could make that a little less onerous, if you already have a list of domains you trust.
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: alanrf on December 21, 2008, 07:57:36 PM
polonus.

Quote
these numbers (likely estimated by defect) come from the analysis of the update pings to Mozilla's update service

Thanks for the update.  I picked this up too from one of the NoScript threads in the Mozillazine forum.  Pretty obvious really, it should have occurred to me before.
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: Go Pack Go on December 21, 2008, 08:32:05 PM
Quote
Go Pack Go,
My policy with NoScript actually is deadly simple, I block all with default settings, yes all, and only temporarily allow where I am in need of some functionality to run, in practice that is when I use web applications like webmail or a known page asks to run javascript, and for video etc. A double click on the NoScript logo is just fine. Anyone can do this, it is just the nuisance of the extra click if that is holding one back. On the other hand I do not know now how many times NoScript must have saved me, and actually NoScript has a blacklist/whitelist for what you permanently allow/disallow.
polonus

Yeah, if I remember correctly, if you allow a page, it has to reload the webpage doesn't it?  On dialup it is a real pain in the @$$.
Title: Re: In 2009 Firefox will have its internal firewall module!
Post by: DavidR on December 21, 2008, 09:02:00 PM
I'm on dial-up, I haven't found that too much of a pain in the rear, I guess my patience threshold is fairly high ;D ;D

If you have a whitelist in some other software, perhaps you could export that, edit those not applicable to the functionality NoScript is looking after and import that list.