Nothing succeeds like XSS
Unless you use NoScript, that is
Sysadmin blog Most users think the web works like a television. They go to a website and are presented with images, text and multimedia. What they don’t know is that, unlike a television, some of what they see executes on the server, and some on our own computers, and any time an application runs on our computers there is the potential for a vulnerability that could lead to the loss of our personal information or infection by malware.
Among other things, scripts that run on our local computers collect information such as location or configuration and report it back to websites to tailor our experience. Scripts can perform tasks such as spell checking or ensuring that you have typed your password and its confirmation identically. They can launch programs such as Adobe Flash or Reader. Depending on the level of permissions you have configured, scripts can read files from your computer, save files to your computer and even execute untrusted programs. Scripts can do almost anything your computer can do - if they have the permissions to do so.
Cross site scripting (XSS) is a vulnerability where a website contains calls to load and run scripts that are not located on its own domain. Compromised websites can be configured to load scripts from third-party websites that contain malware, or may compromise your privacy. Perhaps the best known legitimate example of this practice is Facebook. Though Facebook is located at facebook.com, it loads content and scripts from the Facebook Content Delivery Network, fbcdn.net.
The challenge of dealing with XSS is knowing when a website’s XSS is legitimate, and when it is a threat. It’s easy to use Flashblock to prevent all flash on a website loading and then simply allow individual flash objects to load by clicking on them. It is another thing entirely to convince users they should block all scripts from executing on their system by default, and allow only those from sites they trust permission to run.
The excellent Firefox plug-in NoScript allows us to do this. Unlike other security and privacy browser extensions that are fairly unobtrusive NoScript is, by its nature, an extension that breaks websites. When you arrive at a website filled with rich content provided by scripts, or calls to external programs such as Adobe Flash or Adobe Reader, NoScript prevents any or all of the potential vulnerabilities from running on your computer. A gaudy beige bar appears at the bottom of your web browser and helpfully informs you exactly how many items it stopped. If you wish to use all the features of a website, you enable them one at a time. When you examine the list of objects that are loading, you often discover that many of them are trying to load from other websites. Unlike other security and privacy extensions such as an adblock, there is no preset “whitelist” of domains. Each user of NoScript has the difficult task of learning and understanding how the web is constructed, so as to make informed judgments about what bits of it have access to run programs.
This seems frightening, frustrating and needlessly time consuming to the average Joe. Indeed I know many a sysadmin who doesn’t see the value in NoScript. They would rather trade security for the convenience of having the websites they visit “just work” without any further thought. The inherent laziness of people who should know better wins out over security and privacy. We need to do better. NoScript is the best defence we currently have against dangerous scripting attacks, many of which can affect you regardless of which operating system you use. Considering I use the web for important activities such as banking and paying bills, I consider it to be absolutely vital. ®
COMMENTS
Amen
Been using this plugin for well over a year, now. It is fantastic. I am far happier on the web knowing to who and how I allow my data to be accessed.
@Colin Millar
...with the bank? The technology exists to make online banking secure. It is used by some banks on this earth. Yet for some reason i can't work down to my bank and get secure cards that generate a set of one time keys for authentication, use a combination of biometrics and passwords or any of a dozen more secure methods of accessing my accounts than the crap we have today.
In fact, the banks have introduced a “secure” new chip-and-pin system that they have managed to get legally enshrined as somehow “uncrackable.” It isn’t, and the only reason they’ve spent billions on it was to ensure that when people DO have their identities stolen/accounts jacked/etc. that they aren’t liable for it.
If I had the option, I wouldn’t be relying on a bank where I had to worry about things like NoScript. I am a user too, you know. I want my banking to be just like a TV. Turn it on, pick up the remote and it works. The part that frustrates me is that because I am a sysadmin I know the technology exists to do a better job, but all of the banks available in Canada absolutely and completely refuse to not suck.
Quite easy to make it less annoying...
Options>General>TICK Temporarily allow top-level sites by default (base 2nd level domains)
This allows scripts to run on sites that you visit - but not those from other domains.
I'm assuming that if you have decided to visit, say theregsiter.co.uk, and you want it to work properly, then you want to allow scripts from that site but not any third party sites.
This will allow most sites to run without user interaction. I think its a fair balance between security and convenience.
IT infrastructure monitoring strategies
What you need to know about cloud backup
Enabling efficient data center monitoring
Agentless Backup is Not a Myth
Top 10 SIEM Implementer’s Checklist
