Jump to content
Not connected, Your IP: 3.142.40.195
InactiveUser

"The NoScript Misnomer"

Recommended Posts

I consider The NoScript Misnomer to be a very important article.

By "exploiting" an entry on NoScript's whitelist, the author shines light on several pitfalls that not every NoScript user might be fully aware of:

  • NoScript comes with a default, enabled whitelist.
  • whitelists are inherently flawed, even more so if you don't even maintain them yourself
  • if you use a security tool without fully understanding its operation and configuration, you lull yourself into a false sense of security
  • blocking all malicious scripts is unrealistic - you will need to think about defense in depth and sandboxing

I personally use NoScript in combination with uBlock Origin in its advanced dynamic filtering mode. I also sandbox applications like Firefox, Thunderbird, Pidgin using Firejail, a small application that provides a convenient interface to built-in Linux kernel features (seccomp, namespaces, caps).

 

Ideally, I would be using Qubes OS for better isolation, but it's not like hypervisors are somehow magically flawless, either.


all of my content is released under CC-BY-SA 2.0

Share this post


Link to post

Thank you for the link to the blog. Wasn't aware of the whitelist containing sites that doesn't exist. When I install NoScript, I always delete all (deletable) entries.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Totally true. This whitelist wasn't there a few years ago when NoScript was small, efficient and not commercial

But as it became popular, with some distros pushing it by default, they started to find ways to make profits.

This is almost the same way Adblock did.

 

That whitelist can be divided in 3 groups:

1) Companies that paid (those CDNs)

2) Users that were too much complaining about sites that were broken (yahoo and friends)

3) Author's personal preferece (like maone.net and others)


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

The noScript defaults are pretty weak. Its kind of sad people just install it and assume everything's kosher.

 

The JS Switch addon is also really nice. It just adds a little button in the browser that disables js completely.

 

The settings I use:

My whitelist only has a few sites I actually work with. Everything else was deleted.

UifZy5o3.jpg oz6Zlmqs.jpg FXNvzdRQ.jpg xFSfAspU.jpg WpsgMF5b.jpg 3ixB1Zfj.jpg 9r6oYmgh.jpg

Share this post


Link to post

But the JS Switch does not protect against Clickjacking and XSS.

 

(Sent via Tapatalk - this generally means I'm not sitting in front of my PC)


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

But the JS Switch does not protect against Clickjacking and XSS.

 

 

If the jacking attempt was done via js and js was disabled via JS Switch then one could say it does.

 

Everyone's surfing habits are different, and mine rarely require js. But when its needed I just press js switch then allow whats needed in noScript.

Share this post


Link to post

As a JS security researcher I also have a small disagreement with @giganerd.

With 3d party block of JS, whether using NoScript (meh) or uBlock Origin (good), you have a total control of your

JS Same-Domain-Origin-Policy, or shortly SOP.

Today with modern HTML5 and JS, Browsers slowly gave up those agreed policies with all the fancy compatibility things.

When you are aware of the domain you are currently focused on, in other words, the active tab, and you use uBlock with 3d

party JS disabled, you have zero risk of clickjacking (UI redressing attack) and XSS.

Both above attacks require you to run 3d party scripts that will either send the contents of your current domain cookies or DOM

data to 3d parties. While blocking 3d party domains JS, you break those exploitation attemts.

The only successful way to exploit it in this case, would be planting JS code in the content of the same domain. But in this case,

it gives the attacker much more privileges, rendering client-side attacks less effective.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

ya uBlock is amazing.   ty for posting this thread, had no idea of its existence

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...