2008-08-19 15:27:08
Update: for commenter Rob, the presentation that sparked this post centred on a demonstration of beef.
At work the other day an ex-employee who specialises in security gave us a presentation which could be summarised thus: if you want a safe, normal web-browsing experience, you are doomed. Your browser will be compromised, your secret details stolen, and your PC turned into a zombie. This is not merely possible, but likely, and ultimately inevitable.
The slightly longer summary could be turned into bullet points like this:
This is… disappointing. Much of the fun and even some of the utility of the modern web relies on the execution of Javascript. Is there any alternative to turning off Javascript?
There are some.
1. Use Firefox with the NoScript extension. This is probably ok for people who have the time and skill to evaluate scripts and decide for themselves whether they are safe to run.
2. Whenever you use a site to do secret stuff, close all browser sessions first. Then open a fresh one. As soon as you have finished what you are doing, close your browser again. This is a painful, error-prone practice to keep up; a stop-gap measure.
3. Use Prism, and only Prism, to run things that you care about. Prism is a standalone browser based on Firefox but with no menus, no location bar, and no tool bar. When you launch a Prism-hosted application, it will run in its own browser process, unconnected to any other browser sessions. So you install Prism and configure a launcher for your online banking, a launcher for your webmail, a launcher for your sharebroker, and so on. Your session can’t be hijacked unless an attacker has compromised the actual server hosting your application.
From Brenda on 2008-08-19 16:41:44
p.s. this site looks awful on a small (eeepc) screen – the actual content column is tiny skinny while the menu and adverts have heaps of space
From stephen on 2008-08-19 17:20:35
I will apply some css-fu when I have a moment – this layout was ripped-off from someone else.
From Rob Coup on 2008-08-19 17:39:31
Second, there are plenty of things that you do care about in your browser’s memory (like your online banking session) which are totally accessible from within the sandbox.
any time you run a browser with Javascript on, and you visit a site with injected Javascript … It will cough up details of any existing secure sessions …
There is a bit of FUD creeping in there…
Let’s say bazombo.com has a flaw where Evil Javascript can be embedded in its page. The Evil code can:
– grab the cookies for bazombo.com, including session & authentication/authorization cookies
– change the content of the current page, including where forms submit to
– load more script from any URL. It has to be valid script though, not any old content.
– perform a GET request to any URL, but not access the content
– perform any request (POST/GET/etc) to bazombo.com on the same port via XMLHttpRequest
– pass data to any URL (by adding it as parameters to a script/image/etc request)
Now, that sounds pretty bad, and it is. But it’s limited to bazombo.com. The Evil code can’t transfer money from your bank account, change your passwords, or send email messages on your behalf, unless the target site is coded incompetently (where GET requests have side effects like transferring money). But if the target site is that badly coded then the same issues are exploitable with just images enabled, and don’t require Javascript at all.
There’s no access to your online banking session in a way that data can actually be read. The Evil code doesn’t have access to read your bank session cookies (your authorization) and can’t access the results of requests (GET only) that it sends to your bank. So no money being transferred, or balances or account numbers being harvested.
Of course, if your browser has exploits and you don’t keep up to date with the security upgrades – yes, you are vulnerable to more serious attacks. But that equally applies to operating system updates and other software security updates too. If MS Word gets exploited, then it can do anything on your machine.
From Stephen on 2008-08-19 18:44:13
Rob – I’m not at work any more, so I can’t get at the details, but here’s an outline:
JS has access to the whole DOM, and hence your browser history. Therefore, I can remotely phone home with your history when I see something interesting.
In IE, I can log key strokes via the DOM. So direct stealing of passwords is also a possibility. Of course many people use the same password across lots of sites…
If I own the DOM, I can serve you a simulated browser window. I know which one to serve you because I know your browser history.
I can rewrite the DOM in a hijacked page with my own forms in it, thus potentially getting you to POST to another site. I can rewrite all the links. I can rewrite the embedded Google search box.
Basically, combine XSS with cross-site request forgery.
Until I can get back in the morning this slideshow outlines some similar approaches (including abuse of the IMG tag for fun).
You’re right that the JS malware can’t directly read your cookies from another site – it can only exploit the fact that they’re there, and I’ll correct that.
Tags: security
From Brenda on 2008-08-19 16:40:46
I’ve been running with JavaScript (and other frilly bits) turned off for years – at first because of some masochistic need to check out the accessibility of websites I built and how other sites handle their supposed “graceful degradation”… but sites abound that work mostly without JavaScript, and then suddenly there is one form amongst a hundred that only submits on change (such as Flickr’s recent activity page; that’s the only bit I can’t use without JavaScript, when there’s no real need for it). Firefox now has some extensions to pick and choose what JavaScript you run… I’ve used Opera for almost 15 years now, and it has, for as long as I can remember, let me enable script (and plugins and Java etc.) on a per-domain basis. Generally I run with script off, and enable it on a couple of domains, but when I hit a site that claims it _NEEDS_ it, I’ll alt-tab over to Firefox. If it’s gonna steal cookies / memory, it’ll only find what I’ve got in Firefox, and that isn’t much… still, it’s something and I’d be horribly pissed off to lose them. So many sites, with nothing really special going on, use JavaScript just to submit a form! It’s just plain stupid and shows they don’t understand the inherent risk of that JavaScript.