Interview With the Mind Behind NoScript

So what type of questions would you have for the mind behind NoScript? I recently got to chat with Giorgio Maone, the creator of possibly the most popular security related extension for Firefox.

Why would the random Firefox user off the street be using NoScript?

Firefox is an extremely safe browser, because it can take advantage of an open and agile development process, a very security-minded core development team and a multi-vendor security coordination group, including people from major Linux distributions and IT integrators, which I’m also a member of. This ensures that many experts with different backgrounds and points of view are steadily discussing making Firefox safer and stronger, and that discussion quickly translates into bug fixing and enhancement code.

That said, no modern browser can be said to be 100% safe:

  • The code base is very complex and articulate, including a network stack, multiple parsers, renderers, codecs for images/video/audio, a scripting engine and many other components. This code will never be 100% bug free, because of its continuous evolution, even if the mandatory regression tests which are dictated by the current Mozilla development policy do help a lot. Incidentally, the piece which over time proved to be the most vulnerable to security-sensitive bugs is JavaScript, and the bad guys start or prepare their attacks using this scripting language because it’s extremely powerful, ubiquitous, easy to obfuscate and often a soft spot itself. That’s the main rationale behind NoScript blocking JavaScript on every unknown site, until the user explicitly decides to trust it.
  • Even if the Mozilla code was absolutely clean, nowadays web content rendering requires a number of 3rd party plugins (Java, Flash, Silverlight, Quicktime, just to name the most popular) which have proven to be all but invulnerable. Most recent remote execution exploits, indeed, leverage intrinsic features of these plugins (e.g. the fact they implement virtual machines and JIT compilation, and therefore they need write access on executable memory) to bypass the additional protections put up by latest OSes and browsers. That’s why NoScript blocks Java, Flash and all the other plugins on sites you don’t trust.
  • Even if both the browser and its plugins did not expose any attack surface, today the web itself is fundamentally broken from a security perspective. The HTTP protocol and the HTML markup, the building blocks of the WWW, had been originally developed with the intent of representing and making navigable a network of interrelated (hyperlinked) documents. They were not designed to support applications, i.e. full-fledged programs, often in charge of sensitive databases. Years later, many of our daily web destinations (Google Search, GMail, our online banking site, our customized feed-laden home page) are read/write applications, and securing them requires a great development effort because their foundation is so fragile. In fact, most of them are vulnerable, especially to attacks caused by the lack of isolation: a malicious site can read sensitive data or push transactions on a different web application on behalf of the current user. These kinds of attacks, the most relevant and widespread of which are Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF), are made possible by very common programming errors or deficiencies on the web application side; therefore, for a long time, browser vendors did not feel the responsibility of mitigating their nefarious effects. Fortunately something is changing, and I like to believe a relevant cause has been the pioneering role of NoScript, which dispelled the myth that nothing could be done about XSS and CSRF on the client side: IE8, for instance, will contain an Anti-XSS filter which is pretty much a copy of the one introduced by NoScript, albeit less effective than the original ;)

I believe the reasons above are more than enough for “the random Firefox user” to embrace NoScript, because a web browser alone, even if it’s the safest like Firefox, could never be as safe as Firefox with NoScript.

For those people out there who don’t read descriptions or reviews before trying out an add-on, has anybody ever complained about scripts being blocked after installing?

Yes, I admit it used to happen all the time, even if there are a lot of sites out there (most blogs and news sites, including Slashdot) which work perfectly fine with scripts blocked.

But now NoScript, after first install or upgrades, redirects its users to a “Release Notes” page which also incorporates a quick tour through its features, hoping to convey the message that allowing scripting on a trusted site is just one click away from the NoScript icon, that your trust judgment will be remembered and therefore the training burden will always get lighter and lighter.

The training phase can enjoy a further speed up if you enable the “Allow sites opened through bookmark” preference.

Finally, if you don’t feel ready yet for a whitelist approach, you may want to switch to the less safe “Scripts Globally Allowed” mode: Anti-XSS protection is still fully enforced, and you will be able to selectively blacklist the sites on which you don’t want to run scripts and plugins.
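To make the two trust models in the answer above concrete, here is an added illustration (not NoScript's own code) of a per-site policy decision: default-deny with a remembered whitelist and an optional bookmark exception, versus default-allow with a blacklist, with Anti-XSS filtering enforced in both. The hostname matching rule, the `openedFromBookmark` flag and the sample policies are assumptions made for the example, not NoScript's real configuration format.

```javascript
// Added illustration, not NoScript's own code: a minimal model of the two trust
// modes described above. Assumptions: trust entries are hostnames, a subdomain
// inherits its parent's entry, and `openedFromBookmark` models the
// "Allow sites opened through bookmark" preference.

function hostMatches(host, entry) {
  const h = host.toLowerCase();
  const e = entry.toLowerCase();
  return h === e || h.endsWith("." + e);
}

function listed(host, list) {
  return list.some((entry) => hostMatches(host, entry));
}

// Returns what the browser may run on `host` under `policy`.
function evaluate(host, policy, opts = {}) {
  let scripts;
  if (policy.mode === "globallyAllowed") {
    // Default-allow: only explicitly blacklisted sites lose active content.
    scripts = !listed(host, policy.blacklist);
  } else {
    // Whitelist (default-deny): an unknown site gets no scripts or plugins until
    // the user trusts it, or opens it from a bookmark when that option is on.
    scripts =
      listed(host, policy.whitelist) ||
      (policy.allowBookmarkedSites === true && opts.openedFromBookmark === true);
  }
  // Anti-XSS filtering is enforced in both modes, independent of trust.
  return { scripts, plugins: scripts, antiXss: true };
}

// The one-click "trust this site" action: the judgment is remembered, so the
// same host (and its subdomains) is allowed on later visits without retraining.
function trust(policy, host) {
  if (!listed(host, policy.whitelist)) policy.whitelist.push(host.toLowerCase());
  return policy;
}

// Constructed sample policies (not real NoScript configuration data).
const whitelistPolicy = {
  mode: "whitelist", whitelist: ["mail.example.com"], blacklist: [], allowBookmarkedSites: true,
};
const globalPolicy = { mode: "globallyAllowed", whitelist: [], blacklist: ["ads.example.net"] };
```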

What was the main inspiration for developing NoScript?

More than 3 years ago (early May 2005), some months after releasing my first Firefox add-on called FlashGot, a crisis situation hit Mozilla because a serious, unpatched vulnerability was publicly disclosed, which allowed attackers to perform remote code execution against any Firefox user visiting a malicious site enabled to run JavaScript.

I felt concerned for my own security in the first place, and began to investigate previous known browser vulnerabilities, discovering that, across all major browsers, the culprit or the main vessel of exploitation was almost always JavaScript. Actually, in the overwhelming majority of the browser-related security advisories, the suggested work-around is still “Disable JavaScript”.

So I asked myself, what about disabling JavaScript as they suggest, but keeping it enabled on sites I trust and I need it to work on, like my webmail or my bank? Or should I give up online banking “until the bug is patched”? And what about the bugs which have not been disclosed yet? Am I sure bad guys don’t already know how to exploit them?

3 days later, NoScript 1.0 was ready and published on the Mozilla add-ons web site.

Short of your own add-on, what other security measures or tips do you suggest people take advantage of?

From a strict browser security standpoint, NoScript is almost all you need, because it covers active content permissions, XSS and, to a certain extent, CSRF too. The Anti-CSRF capabilities of NoScript are being dramatically augmented in the current development cycle eventually leading to NoScript 2.0, which introduces an innovative feature called “Application Boundaries Enforcement” (ABE), a sort of in-browser firewall greatly mitigating this class of vulnerabilities. In the meantime, some additional security on this front might be provided by RequestRodeo or LocalRodeo, but I’m not sure if they’ve been updated to work with Firefox 3. The same goes for SafeHistory and SafeCache, two privacy-related add-ons, whose Firefox 3 compatibility status is not very clear at this moment and whose functionality will likely be absorbed by a future NoScript release. On the privacy side, 2 other add-ons I personally use with satisfaction are RefControl, which hides or forges your referrer header depending on the site you visit, and CS Lite, to manage your cookie permissions with a user interface apparently inspired by NoScript, but if you’re after real anonymity you definitely need Tor. Another nice complement to NoScript is WOT, which provides real-time, community-driven security and privacy advice about each site you visit: this can help a lot to judge the accountability of a site you’re landing on for the first time, so you can better decide if it’s safe to allow in NoScript.

Out of the browser, I encourage using a limited user account for everyday activity (that should sound obvious if you’re on Linux or Mac OS X, but some Microsoft customers still need to be educated in that direction). If you’re not behind a corporate or home firewall, keeping a personal firewall enabled and correctly configured is mandatory too.

Then, especially if you’re a Windows user, you already know an anti-virus product can save your back sometimes, even if using a secure browser (Firefox+NoScript) and a secure mail client (Thunderbird) is much more important as a first line prevention strategy: after all, an anti-virus can block only the threats it already knows, so unless you practice safe browsing and mailing you’re still very exposed to 0-day attacks.

Where should people go to learn more about NoScript and your development of the add-on?

The NoScript web site contains a “features” page, which turned into a quick user manual over time, and a quite extensive FAQ section. I’d also love people to come and share their views about security, Mozilla and other “hackerish” topics on my blog, Hackademix.
