Linked by Thom Holwerda on Thu 23rd Sep 2010 21:36 UTC, submitted by google_ninja
Internet & Networking Now this is a subject sure to cause some discussion among all of you. LifeHacker's Adam Pash is arguing that Chrome has overtaken Firefox as the browser of choice for what he calls 'power users'; polls among LifeHacker's readership indeed seem to confirm just that. He also gives a number of reasons as to why this is the case.
Thread beginning with comment 442705
RE[8]: I need NoScript
by wirespot on Sat 25th Sep 2010 16:57 UTC in reply to "RE[7]: I need NoScript"

CSRF has nothing to do with JavaScript or cookies. It's about website actions that do not check that you have actually requested that action. Example: a link that deletes something. Someone can feed you that link under false pretexts (look at this cute puppy image!).

CSRF protection is 99% the responsibility of the website. There are ways to do that but, once again, nothing to do with JS or cookies (POST instead of GET, intermediate confirmation page, secret tokens in the link etc.)

Now, about XSS. I have only about 50 sites in my NoScript whitelist. I've assembled them over many years and they are not some of the most obvious (i.e. Google is not on it). See, the idea is to whitelist sites that actually genuinely need JS all the time to work, and those sites are extremely few. Second, often XSS code comes from third-party sites, not from the one you're on, so whitelisting that site is not a problem.

Granted, an XSS vulnerability can still exist on a site I whitelist. But the overall risk is a lot lower, precisely because I use NoScript.

Score: 2

RE[9]: I need NoScript
by google_ninja on Sat 25th Sep 2010 17:36 in reply to "RE[8]: I need NoScript"

If you don't keep yourself logged in, and the site with the delete link has any sort of authentication, clicking on the cute puppy link will drop you on a login page.

The really scary stuff with CSRF (where noscript would have any effect) is where someone does an ajax request from an XSS attack on a different site. For example, you XSS flickr, and add some javascript that deletes a persons OSNews account. You send me the cute puppy link, and I actually see the cute puppy, but the malicious javascript on flickr does a post to the osnews delete account url. I don't know it happened, and I never am able to find out it was the puppy picture that did it.

There are two ways to stop that. Block all js on flickr (restricting to domain only isn't enough, an ajax post is plenty small enough to just inline). It kind of sucks to block all js on flickr though, you end up with a relatively bad experience. The alternative that works equally well is to just not let sites auto-authenticate you. That will work 100% of the time whether you whitelist the site or not, and you don't need to break every site with javascript to do it.

WRT the external javascript file in XSS attacks, if NoScript ever gets popular enough to actually hamper these attacks, it is easy enough to get around it. If the site has jQuery (which most do), you just do $('tag-you-want-to-replace').load('external-site-with-your-fake-content');, which is totally small enough to inline pretty much anywhere.

I am not saying it is completely useless. What I am saying is that the benefit is very small, while blocking all javascript by default basically rolls the internet back about 10 years. Best case, all you are losing is small effects that make the site nicer. More often, you just lose features you never even realized were available.

Small things (like avoiding auth cookies), combined with larger ones (not using/limiting the use of browser plugins, using browsers with good security like Chrome, etc) will have a much greater impact on your security, while much less of an impact on your actual security. For example, the Adobe Reader plugin will have a much greater impact on your security than NoScript, but the degradation in experience means you will download your PDFs instead of reading them in the browser. Not a big deal, but really a substantial benefit. Same with Flashblock: Flash running in your browser is probably the worst thing that can happen when it comes to security, much, much worse than JavaScript.

Finally, you actually know what you are talking about, most people who use noscript don't. The common usage of it is that you whitelist your common sites (amazon, facebook, google, etc), and block everything from more transient sites you visit once or twice but never again.

Score: 2