Usability vs. Security

Disclaimer: This post is only about using NoScript as a security solution, not as a way to block annoyances.

It seems that me pointing out the fundamental flaw in NoScript only inspired another round of madness — that’s the only name I can find for it. Giorgio Maone has developed a solution that will effectively stop untrusted sites from injecting JavaScript through XSS holes in whitelisted sites. He is currently testing it with a development build and from what I can tell it mostly delivers what it promises. Is that an achievement? Giorgio has obviously put much thought into this feature but I still have to say: no.

There is an easy and very reliable solution that will put a stop to all vulnerabilities that can be exploited through your browser — restrict your browser to localhost, only allow it to show your own web pages. Will it solve the problem? Yes, certainly. Is it a good solution? No, not really.

Unfortunately, NoScript tends to cripple your browser in a similar way, so that you will not enjoy the additional security. Surfing without JavaScript already isn’t fun, but the XSS protection makes it even worse. It will change requests from non-trusted to whitelisted sites to make sure no “dangerous” characters are passed. After I pointed out that many sites use Google as site search Giorgio implemented an exception for Google’s and Yahoo’s web search requests, but there is more to Google and Yahoo than just web search. Which means that in future NoScript will warn you when following this link — spaces are evil and have to be removed (ok, I think this is a bug that will be fixed). Neither will this link work — parentheses are bad and backslashes are really pure evil. No, you should not follow Russian search links. Russians are evil hackers. No, German words will not work either, who needs these umlauts anyway?
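A simplified model of that filtering, added here as an illustration and not taken from NoScript's source: the "dangerous" character set, the hostnames and the function names are assumptions. It shows why benign queries with umlauts, spaces or parentheses get rewritten just like a script injection, and that the filter only fires when a non-whitelisted page requests a whitelisted one.

```javascript
// Simplified model of the cross-site request filter described in the post.
// Assumption: "dangerous" = any decoded character outside a conservative
// ASCII set. This is NOT NoScript's real rule set.
const UNSAFE_CHARS = /[^A-Za-z0-9._~-]/g;

function hostOf(url) {
  return new URL(url).hostname;
}

// The filter only applies when an untrusted page requests a whitelisted site.
function filterApplies(sourceUrl, targetUrl, whitelist) {
  return !whitelist.has(hostOf(sourceUrl)) && whitelist.has(hostOf(targetUrl));
}

// Returns the (possibly rewritten) target URL and the characters removed.
function sanitizeRequest(sourceUrl, targetUrl, whitelist) {
  const target = new URL(targetUrl);
  const stripped = [];
  if (filterApplies(sourceUrl, targetUrl, whitelist)) {
    // Copy the entries first: we mutate searchParams while walking them.
    for (const [key, value] of [...target.searchParams]) {
      const clean = value.replace(UNSAFE_CHARS, (ch) => {
        stripped.push(ch);
        return '';
      });
      target.searchParams.set(key, clean);
    }
  }
  return { url: target.href, stripped, modified: stripped.length > 0 };
}

// Constructed sample data: hypothetical hosts and queries.
const WHITELIST = new Set(['search.example']);
const UNTRUSTED_PAGE = 'https://blog.example/post';
const SAMPLES = [
  'https://search.example/find?q=M%C3%BCller+Stra%C3%9Fe',         // German words
  'https://search.example/find?q=f(x)',                            // parentheses
  'https://search.example/find?q=%3Cscript%3Ealert(1)%3C/script%3E' // injection
];

for (const link of SAMPLES) {
  const result = sanitizeRequest(UNTRUSTED_PAGE, link, WHITELIST);
  console.log(result.modified ? 'REWRITTEN' : 'untouched', result.url,
              JSON.stringify(result.stripped));
}
// With an empty whitelist no request ever crosses the boundary the filter watches.
console.log(sanitizeRequest(UNTRUSTED_PAGE, SAMPLES[2], new Set()).modified);
```

All three sample links are rewritten, so a character-based filter of this kind cannot tell the two harmless searches from the injection attempt.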

Those are only a few obvious examples; NoScript’s filtering is not restricted to links. So whenever one site will try to use a service from another that is on your NoScript whitelist, be it by linking or by embedding elements of it, there is a high probability that it won’t work. The question is: is it worth it? Do we surf safer if we endure all this? I think to answer this question we should look at the dangers lurking on the Internet. As far as I can tell the dangers have been of very theoretical nature so far — there have been only a few attempts to exploit older, already patched vulnerabilities in Firefox. Even though Firefox’s popularity makes it very noticeable already (e.g. all statistics agree that the market share is more than 30% in Germany), with critical vulnerabilities being patched within a few days and an efficient update mechanism Firefox is not an easy target. Given that Internet Explorer is much slower at fixing vulnerabilities (some critical holes stay around for months and others are even redeclared as features) and the patches don’t even reach many users, it is not surprising that malware authors prefer targeting Internet Explorer. At least I have never heard of a malware infection through Firefox (with the exception of the user downloading and running some “great” tool) but I had to fix quite a few of those on computers of Internet Explorer users.

So it seems that NoScript is a solution in search of a problem. And this problem cannot even be worms in social networks like MySpace — any frequent MySpace user is guaranteed to have it in his whitelist. Was there ever some successful attack on Firefox users that NoScript could have prevented? I cannot think of any, and as long as nobody can show me a real world problem that NoScript solves I will stick with my opinion that this extension is only really something for the most paranoid users.

Don’t get me wrong, I am all for a second line of defense just in case Mozilla developers don’t manage to bring out a patch for some serious issue in time. But I didn’t switch from Internet Explorer to throw away all the new browsing comfort (and even more) because of a hypothetical problem. So I largely prefer Firekeeper’s approach — it will warn you if you are on a site that tries to exploit known vulnerabilities so that you can leave and never come back (thanks to Jan Wrobel for clarification, originally I misunderstood the idea of this extension). But ideally I will never notice that this extension is installed until it becomes necessary.

Finally, a few words about another issue with NoScript. The more sites it breaks, the more it conditions users to allow scripts when something doesn’t seem to be working. If every second site doesn’t work with NoScript, a malicious site that fakes useful content not working properly because of NoScript will have no problems making users allow scripts on it (even temporarily, it is sufficient). Yes, it is a social engineering problem, but this attack can only succeed because false positives with NoScript are the rule and not an exception. So while Giorgio Maone seems to believe that breaking some sites isn’t his problem as long as it is for the “greater good”, I disagree: breaking sites makes NoScript absolutely worthless.

Comments

  • Tim

    Some very interesting points, ones I hadn’t considered.

    I consider myself a real power user, but you’re right, often when a site isn’t working I reach for the “temporary whitelist” option. I hadn’t thought of your “Fake broken site” scenario.

    That being said though, I’ve never really used noscript because I thought it was protecting me from Net Nasties. I use it to help stop the tracker scripts, flashy animation and all other matter of crap that’s on the web these days.

    For that, noscript is great.

    I think as long as claims of “making your browsing safer” etc are toned down, noscript is still very good at making the web a “cleaner” place.

    Tim

    Wladimir Palant

    Exactly my point – it is useful, but not to ensure your security.

  • insignificant

    I love it when someone challenges my long-held beliefs! Mr. Palant, your reasoning is strong, and you make many good points.

    I have been using NoScript for a long time, and it is a constant annoyance. It breaks a great many sites—I wager most of the sites I visit—and can cause true hassles, if one is (as one example) in the middle of an online purchase, and only then discovers that JavaScript is required to complete the transaction.

    I’ve also been recommending NoScript for everyone who looks to me for “computer help”. But really, as Mr. Palant points out, what is the point? If they visit a site that is broken—even if it has nothing to do with NoScript—what are they going to do? They are going to either temporarily or permanently allow that site via NoScript. And thus, the entire point is shot to hell.

    This particular idea isn’t new to me, and I have thought of it many times before. But having it reinforced and validated here by a real professional is refreshing.

    Thank you.

  • insignificant

    I thought of something after posting the above, and messing with NoScript a bit more…

    What if the “Temporarily allow top-level sites by default” option is enabled, and the whitelist is kept as empty as possible? Wouldn’t this allow most sites to work correctly (because JavaScript and local active content would be enabled), but defeat XSS attacks (because the script on the other site would be blocked)?

    Wladimir Palant

    NoScript only protects against XSS if a site that isn’t in your whitelist requests another that is. So if your whitelist is empty the XSS protection is effectively off.

  • insignificant

    Thank you for the response. I’ve removed NoScript.

    I find it funny how the author touts NoScript as offering “usability” on the noscript.net home page. It is anything but “usable”. What is his definition of “usable”, I wonder? Lots of people manage to “use” it, without breaking down and weeping at the keyboard? Or that it is merely possible to “use” it, even if it makes your browsing life miserable?

    Removing NoScript is, to me, like removing a ball and chain.

    Thank you again.

  • spencer

    this is great

  • shane

    I like NoScript. Yes, it breaks sites, but, if it does, I have the choice whether to allow the site in question to do what it wants or not – I don’t get that choice without it…

  • Aravin

    I really do not mind the balls and chains, if it gives me the freedom to choose what I want to view in my browser.

  • Anthony Ashton

    It’s funny, my site is validated by W3 and has no scripting whatsoever in my HTML code. And yet, noscript blocks my site for what I can only assume as scripting.

    How can this be?

    Additionally, if you got Steve Gibson’s grc.com who is very much against JavaScript, noscript flags his site as well!?

    What the hell is noscript up to?

  • alan

    Nothing ensures security. But some things can enhance security. A little common sense will tell you whether to add a site to your NoScript whitelist. The more obscure the site, or the more dicey its content, the less likely I will allow it to run scripts.

  • anonymous

    Wait, I don’t understand. Are you saying that NoScript is pointless? Does this mean that I should immediately remove it or just leave it? After installing it, I thought it was a pretty good add-on because a lot of ads, and other junk was blocked, but I have Adblock Plus for that…

    Wladimir Palant

    Yes, that’s exactly what I am saying. It is also very annoying (can compete with the ads that it disables) which is why I never kept it on my computer.

  • Fred

    If I disable/uninstall noscript, I find that the commercial breaks on the TV shows I watch online ACTUALLY PLAY commercials…. and I don’t want that.

    If it weren’t for this I would probably uninstall it.

    Oh and yes, I do have ABP

  • Erick

    It is painful to see this ignorance perpetrated all over the web. NoScript is an idiotic solution to a problem. Get AdBlock Plus and keep your rules updated through Filterset.G.

    AdBlock Plus blocks everything you wish it to block: scripts, Flash, little trinkets of code. Just specify the rule you wish blocked, it even takes sophisticated regular expressions (regexp).

    Best of all — people much more dedicated than you or I are blocking new ad sites that keep cropping up every day, and AdBlock.FiltersetG brings us that goodness EVERY WEEK without any extra effort on our part. It’s totally automated.

    NoScript is not only functionality-challenged, it is also a big annoyance because every time you visit a website you need to whitelist elements of it when it’s broken, which it is most of the time. NoScript is overkill for almost every modern surfer to the extent that it is stupid. It’s like browsing with cookie informants—a new cookie info popping up for EVERY cookie! If you like this anal style of surfing and throwing “baby with the bathwater” then go for it.

    The rest of us will continue to use AdBlock Plus which doesn’t hurt any good functionality at all, blocks ALL the ad networks and malicious spyware thanks to my rules, and does so without being a performance hog.

    Wladimir Palant

    This is all great but are you really talking about dedication and weekly updates in context of Filterset.G? Filterset.G is abandoned, last update was in March and forums are full of unanswered false positive reports. See http://adblockplus.org/en/faq_project#filterset.g

  • Erick

    Well in that case, just AdBlock’s own subscriptions should be alright. But it’s better than the silly NoScript — that was my point. Thanks.

  • M. Smith

    At first I loved NoScript. Now it’s so restrictive I hate it. I nuked it yesterday.

    It’s become such a bloated POS that it’s not practical. Even when you “allow all this page”, the NoScript Nazi-Control crap keeps blocking the page.

    I will not fiddle with this garbage any more. NoScript is JUNK!!!

    Use AdBlock Plus and don’t waste your time with NoScript bloatware.

  • Sam

    I can’t help but notice all the disdain for ads even if they are unintrusive. I work with web publishers that rely on a few ad clicks here and there to pay for hosting and what not, just to share articles and information on topics they love.

    It’s pretty rude actually. All publishers aren’t trying to scam you or get rich with ads; just offset some of the costs of sharing their work and information. Please think about this and be kind in the future. Blocking all ad networks will eventually leave nothing worthwhile to look at for free on the net. Everything will be pay per view.

  • Cb

    I know that ads can be annoying and security is also important, but like Sam said, ads help keep content up on certain sites.

    Here is what I do – I “try-out” a site by disabling ad-block on it, especially those I frequent often. Then, I leave the ads that don’t bother me, allowing some advertising opportunities to keep the site going. This trial period accomplishes several things for me:

    - I have the chance to click on anything that looks good

    - I look for products/services sites offer to give support

    - I can award the sites that are real good to me

    It may not work for everyone, but I think it offers a fair balance. As far as noscript for security, I think phishing and other filtering through a DNS server, good hw/sw firewalls, dns server filtering, a good anti-malware app and a couple of additional things can help keep you safe enough without it. Just a reflection of my own simple setup!

  • Matt P

    The main thing I use it for is to prevent accidental clicks of links that lead to insecure and malicious websites. If I click on a link that, in the search engine/site/whatever says “Economic Tax Policy”, and get several pictures of naked people and (without NoScript), my AntiVirus screaming at me, then I am rather pissed off and have to run Virus scans and clean up any mess it may have dumped on my computer.

    With auto-blocking everything other than what I allow, I don’t get this and upon seeing naked folks, I move on with my research.

    This is, by far, the largest benefit noscript has for me.

  • memet

    NoScript is quite usable for me. It is very useful when I rarely need javascript. I’m even able to visit multiple webpages with ready-to-start videos simultaneously (which would normally freeze the browser on my old computer), and only have to click an “S” icon to start what I want to start. For the people who describe surfing without javascript as annoying, I advise you to re-think the name (no script!) of the extension.

    I just wanted to search an adblock vs. noscript comparison and have seen that abp has declared war against noscript; trying to make people blacklist noscript. I think the problems between Giorgio and Wladimir are their problem and should not be a subject for propaganda.

  • Sebastian

    @insignificant

    “I love it when someone challenges my long-held beliefs! Mr. Palant, your reasoning is strong, and you make many good points.”

    +1000

    @memet

    “I’m even able to visit multiple webpages with ready-to-start videos simultaneously (which would normally freeze the browser on my old computer), and only have to click an “S” icon to start what I want to start.”

    - It is not different if you open page by page, only the page that you are going to be watching.

    Or you can use the addon StopAutoplay.