Basil Chupin wrote:
Mozilla’s script blocker add-on could be putting malware sites on the whitelist.
Security researchers have discovered a major flaw with Mozilla’s popular NoScript security add-on. NoScript is supposed to create an environment where JavaScript, Java, and other executable content can only run in scripts that come from a trusted domain.
It isn’t clear whether attackers are already using this technique. The discovery challenges the prestige of the Mozilla NoScript plugin, which bills itself as “The best security you can get in a web browser!”
---

NoScript is good, but really needs to integrate the functionality of "RequestPolicy".

Reason: a white list alone isn't enough. You need context. For example, I may want to list Google's APIs as a white-listed component -- but that still means they can be called from a black-listed site.

NoScript doesn't create an environment -- and that's the problem. It creates a white list of "commands". I.e. it lets you white list libraries which may include the equivalent of an 'rm' command. A "good site" may use those libs to remove tmp files when it is done -- but a "bad site" can use 'rm --no-preserve-root -fr /'. The scripts themselves are "agnostic" -- it depends on how the scripts are called (parameters, and context).

RequestPolicy is far far from perfect, but I haven't found anything better that monitors inter-domain calls. RqPlcy doesn't go far enough into detail about what should be allowed or not (like NoScript does) -- but NoScript doesn't let you limit the calls by caller.

I've heard rumors that RequestPolicy may not work on the latest FFs. I'm using PaleMoon 25 (which is a x64 build of an earlier FF release before some major FF UI overhaul which 'incompats' most extensions).

There's a ton of security framework -- maybe 100-150 behaviors that can (could?) be controlled through "capability.policy.<polname>.<object>.<feature>" settings. (http://www-archive.mozilla.org/projects/security/components/ConfigPolicy.htm...) Normally you can't see them, as they are filtered out (https://bugzilla.mozilla.org/show_bug.cgi?id=284673).
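The distinction the reply draws (a destination-only white list versus a policy keyed on who is calling) can be made concrete with a small model. The following is an added example, not code from the original message and not from NoScript or RequestPolicy; the hostnames (good.example, bad.example), the sample requests and the policy tables are constructed for illustration. The NoScript-style model asks only "is this script's host trusted?"; the RequestPolicy-style model asks "is this (caller, destination) pair allowed?", with same-origin requests permitted by default.

```javascript
// Added example: destination-only allowlist vs. caller-aware policy.
// All hostnames and policy entries below are constructed for illustration.

// NoScript-style: a flat set of hosts whose scripts may run, regardless of
// which document pulled them in.
const DESTINATION_ALLOWLIST = new Set(["ajax.googleapis.com", "good.example"]);

// RequestPolicy-style: for each document origin, the cross-origin
// destinations it is explicitly allowed to load from. Exact hostname match;
// no subdomain or wildcard handling in this toy model.
const ORIGIN_POLICY = {
  "good.example": new Set(["ajax.googleapis.com"]),
  "bad.example": new Set(),
};

function hostOf(url) {
  return new URL(url).hostname;
}

// Destination-only check: true if the script host is on the allowlist.
function destinationOnlyAllows(destinationUrl) {
  return DESTINATION_ALLOWLIST.has(hostOf(destinationUrl));
}

// Caller-aware check: same-origin loads are always allowed; cross-origin
// loads need an explicit (origin -> destination) entry.
function contextAllows(originUrl, destinationUrl) {
  const origin = hostOf(originUrl);
  const dest = hostOf(destinationUrl);
  if (origin === dest) return true;
  const allowed = ORIGIN_POLICY[origin];
  return allowed !== undefined && allowed.has(dest);
}

// Requests that the destination-only model lets through but the
// caller-aware model blocks: exactly the gap the reply is describing.
function findBlindSpots(requests) {
  return requests
    .filter(([origin, dest]) => destinationOnlyAllows(dest) && !contextAllows(origin, dest))
    .map(([origin, dest]) => ({ origin: hostOf(origin), destination: hostOf(dest) }));
}

// Constructed sample of script loads: [document origin, script src].
const SAMPLE_REQUESTS = [
  ["https://good.example/page", "https://ajax.googleapis.com/ajax/libs/jquery/jquery.min.js"],
  ["https://bad.example/phish", "https://ajax.googleapis.com/ajax/libs/jquery/jquery.min.js"],
  ["https://bad.example/phish", "https://bad.example/loader.js"],
];

for (const [origin, dest] of SAMPLE_REQUESTS) {
  console.log(
    `${hostOf(origin)} -> ${hostOf(dest)}: ` +
      `destination-only=${destinationOnlyAllows(dest)} ` +
      `with-context=${contextAllows(origin, dest)}`
  );
}
console.log("blind spots:", findBlindSpots(SAMPLE_REQUESTS));
```

The second sample request is the case from the reply: the library host is trusted, so the destination-only model runs it, but the page calling it is one you never chose to trust, so the caller-aware policy refuses. Note also the third request: the same-origin loader on the untrusted page is blocked by the destination-only model and allowed by the caller-aware one, which is why the two approaches complement rather than replace each other.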