Author Topic: The limitations of script blocking and the implications for your fading privacy.  (Read 2532 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31666
  • malware fighter
L.S.

While it is one of the best methods for protection developed so far for ordinairy end-users, the insecure state of the Internet and the lack of trust existing (somebody may be watching you right now or dragnet all of your data, like that could be the NSA and other 5-eyes spy agencies ::) could make script blocking not be full-proof under all known circumstances.

Extensions like NoScript and uMatrix may sometimes give you a false sense of security. An allowed script in from a trusted source could be easily be updated to do something nasty in the coming future.

NoScript will not run any checksums or hashes to detect if the allowed script has been changed, nor if the allowed script running has to be retired or is vulnerable.

That is why your avast forum friend, polonus, whenever in doubt, will always check with retire.insecurity.today/#  and https://sritest.io/  or https://observatory.mozilla.org/ etc. (what seems as an appropriate scan action at the time).

In the mean time you may know, what Eddy and Polonus for instance are doing in the virus and worms sector, when the two present scan results of insecure websites.

And there is room for impovement on about 80% of Internet websites generally speaking. (DNS, Cloaking, Inline Scripting, Retirable script libraries, left code, DOM-XSS sources and sinks, certification installed as root on the server, wrong encryption cypher implementation, insertion of malscript, phishing, SRI-hashes not generated, server and nameserver info proliferation, clickjacking and cookie insecurity etc. etc. etc.).

Google code equals spy code, because of the core business, that Corporation is into, so Google Chrome extensions are limited due to the extension API, which could make blocking javascript work out in a way that unstable blocked scripts can get through and inline scripts will not get blocked. This all because Google is also running an ad service, remember. So there is room for justified paranoia (read at www.prism-break.org). Most other browsers searching is enabled by Google, so there isn't any escape from this situation really, even Duck Duck Go has results improved by Google.

HTTPS Everywhere may give a false sense of security. SSL can be insecure, based on you trusting the website that is using it and the SSL certificate's authority judgement. Is HSTS implemented, FFS implemented, often best policies are not implemented.

Pageleaf through the HTTPS Everywhere Atlas to get various examples of non-secure sites. I have mentioned insecure example sites regularly,

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: July 17, 2017, 06:55:59 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31666
  • malware fighter
Protection against canvas fingerprinting, a way of precise fingerprinting your browser, can be had with

this extension: https://chrome.google.com/webstore/detail/canvas-defender/obdbgnebcljmgkoljcdddaopadkifnpm/related

Not interfering with API javascript: So it seems to be binary. After you install it, you have a new fingerprint. If you disable it, you have your old one back. If you enable it again, you have the same altered one that you had before. Also, if you remove and reinstall it, you still get the same altered fingerprint. So the change isn't exactly "random".  So manually clicking on it at browser bootup should cover the "random" loophole. Brave browser comes with inbuilt protection against this. Brave a very nice browser, especially for Android.

On canvas fingerprinting: https://www.ghacks.net/2014/07/21/companies-use-canvas-fingerprinting-track-online/

Here I was warned against a fingerprint attempt from: https://browserleaks.com/canvas

Info source: Wilders Security Forums.

polonus
« Last Edit: July 17, 2017, 11:18:09 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31666
  • malware fighter
Another extension, which offers http request and response filtering for advanced users "on the fly" and
I think it is a good follow-up for Request Policy is: https://silentorbit.com/negotiator/

Then we have the jQuery libary code that should come retired, because it has bugs, errors, is outdated or even is left code.
So what you require, you should also eventually retire:

Vuln, javascript libraries: angular.js; backbone.js; dojo; DOM Purify: DWR; easy XDM; ember; flowplayer; handlebar.js; iPlayer; jQuery-migrate; jQuery-mobile, jQuery-in-dialog; jQuery-ui-tooltip;  jQuery pretty Photo; moment.js; mustache.js; p/upload; prototype.js; seesvars; swfobject; tinyMCE; YUI.

You can check a particular site for retirable javascript libraries at: http://retire.insecurity.today/#

What we can do is to counter obfuscated counter malcode for instance:
1. Diagnosis - Use Google Diagnostic Aid, Webmaster Consoles, Blocklist Doctor.
2. Treatment -patch vulnerable applications and clean up database.
3. Prevention - through web application security and writing secure code.

Let us give a scenario of what we may come to look into here, and what I do on a daily basis actually, enhancing your "feel" for javascript and all that can go wrong there. If this is not your piece of cake or "over your head" do not read further, for others it might be "mighty interesting".

We had a resource that failed to reload for a particular webpage and went over the source code with a javascript unpacker/error detector
(important here if code execution will be longer than expected, then something can be not as it all should be  ;D ).

 
Quote
- regex:undefined tmn search.js:135
htxp: // code.jquery.com/jquery-latest.min.js      net: ERR_BLOCKED_BY_CLIENT
Uncaught Reference Error: $is not defined
net: ERR_BLOCKED_BY_CLIENT  hxtp://www.google_analytics.com/ga.js
htxps://ajax.googleapis.com/ajaz/libs/jquery/1.6.2/jquery.min.js
Uncaught SyntaxError: Unexpected end of JSON input (we could do a scan here for the DOM: https://urlscan.io )
at JSON.parse (anonymous@)
at XMLHttpRequest.xhr..onreadystatechange (app.js: 21)
Syntax error@ "Chrome Blockscript": JSHINT Output
expressin on line:15 missing semi-colon line 15 (that is so often that we will find some error like this?!?).
regex undifined
Replacing Social widget for Facebooklike
regex undifined
Blocked a frame with origin "hxtp://xandernieuws.punt.nl"from accessing a cross-origin-frame
at HTMLiFrame Element.get (as contentWindow) (<anonymous>i:1452)
at Object.HandleMessage  ,,
Failed: hxtp//ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js
All links in code broken by me hxtp(s) etc.

Now you see the whole scenario (with the missing semi-colon error) displayed exactly as it was explained in the first posting of this thread where I pointed at "Google Chrome extensions are limited due to the extension API, which could make blocking javascript work out in a way that unstable blocked scripts can get through and inline scripts will not get blocked". Here you saw a perfect example of that curving the code-bends for ad-launching purposes.

Consider here: http://retire.insecurity.today/#!/scan/0b4f82a93e1993b2d92840d4e07def1b1a9cc14a37842bcf54c7e301f91594f8

That is why checking code constantly is so important to enhance website security, as you now will understand, I hope.

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: July 18, 2017, 01:24:44 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!