Script-blocking in Internet Explorer

25 Sep

So, what does Microsoft’s browser offer to those who want to put active web pages on hold?

In a nutshell: quite a bit, but it’s designed for someone managing a standard configuration for hundreds of computers, so it can be cumbersome if what you want is to heavily customise one or two.

The security settings in Internet Explorer revolve around the idea of security zones. This is a fairly good approach, because if you think about it, there are really only a few categories of sites: trusted sites, sites that you definitely don’t trust, and sites that you don’t know or haven’t decided about yet. NoScript has a similar idea.

So, by default, pretty much everything is in the Internet zone, which defaults to a moderate level of security. To improve on this, you can go to Tools-Internet Options-Security, then choose the Internet zone and either just crank it up to High security, or else go into the extensive list of customisation options (more details in future post(s)). You can disable JavaScript, ActiveX objects, and plugins from here, among other things.

When you want to whitelist a site, things are slower than NoScript. You’ll need to copy the site’s address, go back to your Security options, choose the Trusted Sites zone, and add a new entry for the site. You can also decide which permissions the Trusted Sites zone will have, just as you did for the Internet zone.

The Restricted Sites zone is similar in concept to NoScript’s Untrusted list. It defaults to High security, with active content blocked. If you use restrictive settings for the Internet zone, you probably won’t need it, but it’s there if you really want to lock down a particular site.

There are also two special zones that Internet Explorer can control: Local Intranet and My Computer.

The Local Intranet zone is for sites on your local network. How much you trust them depends on the type of network that you’re in; if you have two computers at home, they probably trust each other, whereas if you’re on a public Wi-Fi network, then raise the security for this zone to maximum!

The last zone, My Computer, is hidden from you by default. It controls the permissions given to active content saved on your hard drive. Depending on how paranoid you are, you might not need to activate and change this zone, but if you want to know what it’s doing, or if you really want to lock things down, then instructions are in the Microsoft Knowledge Base:

http://support.microsoft.com/kb/315933

For an individual user, using a high security level in Internet Explorer will be more cumbersome than Firefox + NoScript or Chrome/Chromium. Where Internet Explorer shines is the ability to define standard security policies and apply them to all machines on a network. The administrator can even tell Windows to prevent users from changing those policies. So it’s probably better suited to your workplace than your home network.
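Here is an added example (not from the original post) of how the zone settings described above look from an administrator’s side: it reads the per-user zone keys in the registry, decodes the Active scripting and ActiveX settings for each of the five zones, and whitelists one site the same way the Trusted Sites dialog does. It assumes the standard zone numbers 0–4, the URL-action value names 1400 and 1200, and a constructed domain name.

```powershell
# Added example: audit Internet Explorer security zones and whitelist one site.
# Assumptions: zone numbers 0-4; value names 1400 (Active scripting) and
# 1200 (Run ActiveX controls and plug-ins); data 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$Actions   = @{ '1400' = 'Active scripting'; '1200' = 'Run ActiveX controls and plug-ins' }
$States    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneReport {
    # One row per zone and setting, with the numeric value decoded into words.
    foreach ($zone in 0..4) {
        $key = Join-Path $ZoneRoot $zone
        if (-not (Test-Path $key)) { continue }          # My Computer (0) may be hidden
        $props = Get-ItemProperty -Path $key
        foreach ($action in $Actions.Keys) {
            $raw = $props.$action
            [pscustomobject]@{
                Zone    = $ZoneNames[$zone]
                Setting = $Actions[$action]
                State   = if ($null -eq $raw) { '(not set)' } else { $States[[int]$raw] }
                # Anything other than Disable in the Internet or Restricted zone deserves a look.
                Warning = ($zone -in @(3, 4)) -and ($raw -ne 3)
            }
        }
    }
}

function Add-IETrustedSite {
    # Equivalent of Internet Options > Security > Trusted sites > Sites > Add.
    # A DWORD named after the scheme, holding the zone number, assigns the site to that zone.
    param(
        [Parameter(Mandatory)][string]$Domain,            # 'example.com' below is a constructed sample
        [ValidateSet('http', 'https')][string]$Scheme = 'https'
    )
    $key = Join-Path $ZoneMap $Domain
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
}

Get-IEZoneReport | Format-Table -AutoSize
Add-IETrustedSite -Domain 'example.com'
```

When the zones are managed by Group Policy, the same values are written beneath HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings instead, which is what the administrator’s lock-down mentioned above relies on.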

How do you find the security zone settings in Internet Explorer? Do you love the number of options, or loathe the number of steps needed to change anything? Either way, it’s worth getting to know more about the built-in browser for the world’s most popular operating system.

Script-blocking in Chromium

3 Aug

So, if you like the idea of NoScript – taking control of what your browser downloads and executes – but instead of Firefox, you prefer the fast and clean interface of the Chromium browser (or Google Chrome, which is based on it), what does it have to offer?

The answer is: not as much as NoScript, but you can still do a lot.

First off, unlike Firefox, Chromium out-of-the-box allows you to block JavaScript and plugins (Flash, Java, etc) by default, similarly to the basic feature of NoScript. Choose the settings wrench – Settings – Under the Bonnet – Content Settings, then select ‘Do not allow any site to run JavaScript’, and under Plugins, select ‘Click to play’. You can then allow specific sites to run JavaScript and/or plugins via an icon on the address bar, and Flash videos etc will have a placeholder until you click on them.

There’s not as much control as NoScript, eg you can’t block third-party scripts, or temporarily allow sites, or choose between allowing base domains (example.com), full domains (www.example.com), or full addresses (http://www.example.com:80). But doing this will go a long way towards keeping you safe from the most common threats.
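As an added example (not part of the original post), the same two content settings can be fixed as Windows policy, which Chrome and Chromium read from the registry and which a user cannot undo from the settings page. It assumes the policy names DefaultJavaScriptSetting (2 = block), JavaScriptAllowedForUrls and DefaultPluginsSetting (3 = click to play), and uses constructed site patterns.

```powershell
# Added example: 'Do not allow any site to run JavaScript' and 'Click to play'
# as machine-wide Chrome/Chromium policy, plus a per-site JavaScript whitelist.
param(
    [switch]$Chromium   # write to the Chromium policy key instead of Google Chrome's
)
$PolicyRoot = if ($Chromium) { 'HKLM:\SOFTWARE\Policies\Chromium' }
              else           { 'HKLM:\SOFTWARE\Policies\Google\Chrome' }

function Set-ChromeScriptPolicy {
    # $AllowedSites holds Chrome URL patterns such as '[*.]example.com' (constructed samples).
    param([string[]]$AllowedSites)
    New-Item -Path $PolicyRoot -Force | Out-Null
    # DefaultJavaScriptSetting: 1 = allow, 2 = block. DefaultPluginsSetting: 3 = click to play.
    Set-ItemProperty -Path $PolicyRoot -Name DefaultJavaScriptSetting -Value 2 -Type DWord
    Set-ItemProperty -Path $PolicyRoot -Name DefaultPluginsSetting   -Value 3 -Type DWord
    # List-valued policies are a subkey whose string values are named "1", "2", ...
    $listKey = Join-Path $PolicyRoot 'JavaScriptAllowedForUrls'
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse }   # replace, don't append
    New-Item -Path $listKey -Force | Out-Null
    for ($i = 0; $i -lt $AllowedSites.Count; $i++) {
        Set-ItemProperty -Path $listKey -Name ($i + 1) -Value $AllowedSites[$i] -Type String
    }
}

Set-ChromeScriptPolicy -AllowedSites '[*.]example.com', 'https://webmail.example.net'
```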

To get more control, your second option is to recruit one of Chrome’s addons. At this point, probably the most advanced script-blocking addon for Chromium is the ScriptNo addon. Despite the name, it’s not related to NoScript, but does take some inspiration from it, to give you an interface for permanently or temporarily allowing scripts, plugins, and even images from the various domains included in the page.

ScriptNo is still under active development, as Chrome adds support for more advanced control over web requests, but it doesn’t have NoScript’s advanced features – cross-site scripting filters, HTTPS enforcement, clickjacking protection, and particularly the Application Boundary Enforcer. Still, it probably does a reasonable job at what it does provide.

And Giorgio is working to bring NoScript itself to Chromium as soon as the browser is ready.

NoScript configuration

26 Jun

NoScript is a complex piece of software, with lots of settings visible (and even more hidden away for geek eyes only). Most of the time, the defaults do a good job, but for those who are interested, here’s a summary of what you’ll find in the options dialog.

General tab:

  • Temporarily allow top-level sites by default: This tells NoScript to automatically trust sites that you visit (but not third-party sites). This reduces your security, but also reduces the amount of work needed to fix sites that are broken. You can also specify how strict to be, eg if you visit https://www.google.com, can it automatically run scripts from http://translate.google.com (since they’re both google.com), or does it have to be an exact match?
    I like maximum security, so I leave this off. But if you really want more convenience, then this setting may be for you.
  • Open permissions menu when mouse hovers over NoScript’s icon: This is fairly self-explanatory. Personally I turn this off too, so that I don’t accidentally open the menu, but it’s switched on by default and it does make things faster.
  • Left clicking on NoScript toolbar button toggles permissions for current top-level site: This is another feature aimed at speeding up menu access. With this switched on, you can tell NoScript to trust the site that you’re at (but not third parties) just by clicking on the NoScript icon, without even using the menu. Again, you can decide how strict to be.
  • Automatically reload affected pages when permissions change: When you trust a site (or revoke that trust), nothing changes until you reload the page. This setting tells NoScript to do it automatically, which makes sense. It’s enabled by default.
  • Allow sites opened through bookmarks: For those who usually use bookmarks to access their favorite sites, this is a way of managing your permissions. If you visit a site via a bookmark, this tells NoScript to trust it. Personally I haven’t had much use for it, because if I had used a site for long enough to bookmark it, I would probably have allowed it already. But some people might work differently.
  • Scripts Globally Allowed (dangerous): This tells NoScript to trust every site. It’s almost the same as switching NoScript off, but there are still some protections that apply even on trusted sites. It’s marked dangerous for a reason, although it’s worth noting that this is still safer than the regular situation without NoScript. Remember the restaurant story?

Whitelist tab: As per the description at the top of this tab, it lists all of the sites that you have chosen to trust. You can also add and remove entries, or export the whole list to a file (and import it again).

Embeddings tab:

  • Additional restrictions for untrusted sites: NoScript always blocks scripting languages (such as JavaScript and VBScript) on untrusted sites, but it can also block other objects like Flash movies and Java applets, because they can be a security risk too. I block everything listed here.
  • Apply these restrictions to whitelisted sites too: By default, this is off. If you enable it, then objects like Flash and Java will be blocked even on trusted sites. You can still play them by clicking on the placeholder that NoScript gives you. This setting is useful in two situations: either you want to trust all sites, but block objects until you click on them (like the FlashBlock addon), or else you’re paranoid and want to stay in control at all times. I usually enable it :).

The remaining options are for trusted sites only.

  • Block every object coming from a site marked as untrusted. This is mostly relevant if you haven’t already blocked every kind of object on untrusted sites. Let’s say that you haven’t checked the box to block Flash, so Flash is allowed even on untrusted sites. If a trusted site tries to include a Flash movie from an untrusted site, this is considered to be an extra risk. So, this setting allows you to block it in that situation.
  • Forbid WebGL: WebGL technology has been found to be a security risk if sites are allowed to run JavaScript. This makes it harmless on untrusted sites (where JavaScript is blocked), but theoretically, a trusted site could use it to attack you. If you’re the paranoid type, and don’t really trust even the sites that you trust, then you can block it.
  • No placeholder for objects coming from sites marked as untrusted: This is cosmetic, for if you want your pages to look cleaner (with fewer placeholders for blocked objects). I don’t bother with it myself.
  • Ask for confirmation before temporarily unblocking an object: When you click on a placeholder, you get a dialog box asking you to confirm it. This is useful if you think you might click on one by accident, or if a site tries to tamper with your mouse and make you click on things you didn’t intend. However, if the dialog box bothers you, you can turn it off.
  • Collapse blocked objects: This hides blocked objects, to make the page cleaner (but it means that you won’t be able to click on the placeholders).
  • ClearClick protection on pages: This is a very valuable protection that works even if you trust every site. It warns you when you click on something invisible or obscured, which could mean that the site you’re on is trying to trick you.

Appearance tab: This allows you to choose which icons and menu items will appear. Of particular note is the ability to control how strict the menu items will be (eg allowing just http://www.google.com vs allowing everything from google.com).

Notifications tab: This allows you to choose which alerts you’ll see from NoScript’s various activities. Of particular note is Display the release notes on updates, which opens the NoScript homepage each time NoScript is updated. Since NoScript is very actively maintained and updated frequently, many people want to turn this off.

For details of the Advanced tab, your best source is the NoScript website.

Firefox addon #1: NoScript

20 Jun

If you run Mozilla Firefox, or a related browser like SeaMonkey or Pale Moon, you should seriously consider installing the NoScript addon, by Giorgio Maone. If you don’t use a Firefox-related browser, then you should seriously consider doing so at least part-time, just to get the benefits of this great extension. NoScript single-handedly keeps me on Firefox.

Imagine this: You decide to eat out tonight, so you drive down the road to a restaurant. As soon as you walk in the door, a waiter ushers you to your seat, vanishes into the kitchen, and starts bringing out plates and trays of food. Before you can interrupt him and ask for a menu, he’s piled the table high. “Bon appetit!”

“But…I didn’t order any of this!” you start to say.

“Of course not. You came to us, so we served you what we think you want. Don’t worry about a thing; our kitchen has a strict hygiene policy, and the scanner at the door already charged everything to your credit card.”

You leave and try another restaurant. The same thing happens. And another. Pretty soon, you’re pushing your credit limit. Things go from bad to worse when at one restaurant, the waiter pulls a blackjack, taps you behind the ear, and you wake up missing a kidney.

If it sounds like a crazy story, it is. But it’s also similar to how your web browser normally works. You go to a site, and the site then tells your browser to download anything the site pleases: music, images, videos, or half a dozen different types of programming code. And your browser will meekly obey. Not only does this hammer your bandwidth and allow advertisers to track your movements, it even means that malicious sites can tell your browser to download and install viruses, keyloggers, and so forth. Theoretically your browser should refuse these last requests, but all it takes is a loophole in the browser, or the Flash plugin, or the Adobe Reader plugin, or the Silverlight plugin, or the Java plugin…and those vulnerabilities crop up all the time. Somehow, we’ve become accustomed to websites – even ones that we’ve never seen before – owning our browsers.

Enter NoScript.

The premise of NoScript is simple, effective, but for those who are accustomed to letting websites take control, it can be painful. It simply blocks all of the active content on all sites – handcuffing the waiter – until you’ve had a chance to look around and decide whether you want to place an order. You’ll see just static pages – text, images, stylesheets – unless and until you choose to trust the scripts, applets, videos, timers, etc, that would otherwise be running.

“But that will break practically every site that exists!” Yes and no. If you just want to read a site, you have no need for overlays that demand you click to close them before you can view the page text. You have no need for ‘hit the monkey’ advertisements. You don’t even need the page to look exactly as it was intended. You can fill in forms, complete searches, and so on, without anything active on the page. Google works fine this way; it doesn’t jump ahead and suggest keywords for you, but it will fulfil your searches without any trouble. Yes, blocking active content will alter the behavior of practically every website that exists, but depending on why you were visiting the site, that may or may not ‘break’ it.

“I tried turning off JavaScript before, and it wasn’t practical.” This much is true. Turning off JavaScript completely will break most sites where you log in to an account and do things. Likewise, disabling your Flash plugin, or your Java plugin, may give you trouble. But you see, NoScript isn’t all-or-nothing. The point of it is that you choose which sites to trust, either temporarily until you close the browser, or permanently if you know you’ll be back often. Once you’ve permanently trusted your usual sites – webmail, banking, social networking – NoScript won’t touch them any more. It’s when you’re browsing around to new, unknown places that NoScript will be blocking everything, and that’s exactly when you need that protection. That’s when you might end up somewhere unsafe, and you want to handcuff the waiter before you find out that he was carrying a weapon.

Since its initial release in 2005, NoScript has grown in size and capabilities, but stayed firmly with its basic premise. What has largely been added, apart from bug fixes, is an impressive list of protections against threats that you may or may not know about. Cross-site scripting, clickjacking, cross-site request forgery, cross-zone attacks…you might not know about them (more to come in future posts), but that’s all to the advantage of those who use them. NoScript can detect and block them.

The most common complaint about NoScript is that it blocks too much. Too paranoid, too restrictive, too much work. Those who use it regularly don’t usually feel that way. However, NoScript accommodates even those who are unready, unwilling, or unable to sign up for its full protection. It can be configured to automatically trust the exact site that you visit, while still distrusting any third-party sites (like Doubleclick) that the site might try to connect to. It can be used in a click-to-play mode, blocking only Flash movies and so forth, and allowing you to download and play them by clicking on a placeholder. It can even allow all active content – which almost switches it off – while still giving the above-mentioned protections against clickjacking etc. So anyone can benefit from it, from novices to experts.

NoScript is very actively maintained by Giorgio, with bug fixes and enhancements almost weekly, and an efficient support forum at forums.informaction.com. If you’re curious about it, struggling with it, or excited about it and want to improve it, your input is welcome there.

Have you ever tried NoScript? What did you think about it?

Knowledge is Power

19 Jun

The first step in any effort to secure your browser is to know your browser. Different browsers have different strengths when it comes to security, and whichever one you choose, you need to know how to use it effectively.

If you’re using Internet Explorer, then you’ll need to work with its Security Zones. Each site is assigned to one of four zones – Internet (default), Trusted, Restricted, or Local Intranet – which will determine its privileges. You should become familiar with the long list of security options that can be switched on and off in each zone (more on these in future posts), and ensure that you’ve set things the way you want them. In particular, pay close attention to the privileges that you give to the default Internet zone. Ordinarily this zone is quite permissive, but if you’re concerned about security, you’ll want to crank it up. Bear in mind that the higher the default security, the more often you’ll need to add sites to the Trusted zone before they will work. If you’re not sure about visiting a site, or you suspect that it’s dangerous, then you can add it to the Restricted zone before you go there. Make sure that each zone has the right level of security for the sites that belong there.

If you’re using Mozilla Firefox, or a related browser like SeaMonkey or Pale Moon, then you should focus on your extensions. Firefox addons can drastically change your browser’s behavior, adding layers of defence that no browser has out-of-the-box. For this reason, Firefox is my personal choice, with a long list of addons installed (RequestPolicy, Adblock Plus, Certificate Patrol, Perspectives, HTTPS Finder, VTZilla, Host Permissions, RefControl, Safe, and various others). In particular, I cannot recommend the NoScript extension highly enough. This little gem, by Giorgio Maone, will give you back control of your browsing – just make sure that you read the documentation first, so that you know what you’re letting yourself in for! It’s a whole different world wide web with NoScript. More to come in my next post.

If you use Google Chrome, or the related Chromium browsers, then you have a more limited selection of addons available, and those that exist don’t always work as well as Firefox addons. Chrome does, however, have strong protections against websites trying to install viruses on your computer, and if one tab crashes, the rest of the browser should theoretically keep going. It also has some useful features that you can turn on, like controlling which sites can run JavaScript; somewhat like NoScript, but much more limited.

Which browser do you use? Which security features or addons are you using? If you don’t know what’s available, it’s worth taking a few minutes to take a look.

Hello world!

19 Jun

Welcome to Safe Browsering, your source of advice for keeping your web browsing experience safe from malware, scams, and devious schemes to steal your time, your money, and even your identity. Here you’ll find reviews and advice to help you dodge the pitfalls, ward off the nasties, and enjoy smooth surfing every day :).

Let’s get started!
