Q: What does NS have (or will have) that uBo+uM don't #319

Closed
Thorin-Oakenpants opened this issue Dec 25, 2017 · 88 comments
Comments

@Thorin-Oakenpants
Contributor

Question: I still do not fully understand what NS offers that uBo+uM don't.

  • Something about XSS (isn't that covered or is this some special NS thing)
  • Something about ABE
  • Something about ClearClick
  • inclusion type checking?

People have suggested (eg reddit, and here) that you can use NS in global allow mode but leave those four items above as active. Personally I never got an XSS warning from NS (maybe one a year), and the new WebExt version (not sure where they are at) I do not really want to touch with a barge pole (yet, if ever)

Aren't these things in uBo/uM - if not, why not?

@gorhill @Atavic excuse my ignorance, ELI5

@Atavic

Atavic commented Dec 26, 2017

uMatrix - NoScript
Related: gorhill/uMatrix#297
NoScript info in Italian.

@Thorin-Oakenpants
Contributor Author

XSS

To answer earthlng's q in the other thread - https://noscript.net/features#xss & also https://noscript.net/faq#qa4_1 . This is obviously the legacy version. I tend to just use XSS as a term to cover all third party scripts and I control it by default denying 3rd parties in uBo etc, and with uM.

In all my years of NS (which always got the requests first before uBo etc), I have only ever had a couple of warnings for this XSS

ClearClicking

https://noscript.net/faq#qa7_1

ABE

https://noscript.net/faq#qa8_1

@Thorin-Oakenpants
Contributor Author

A lot of this info is old. AFAIK clickjacking is nigh impossible now?

@claustromaniac
Contributor

claustromaniac commented Dec 26, 2017

I think you don't have to worry much about clickjacking if you deny third-party frames (and/or javascript, of course).

EDIT: IIRC it was also tackled at browser-level at some point. Now I just have to remember where I read that...

EDIT 2: Well, yes and no. What I read was about the X-Frame-Options HTTP header which has been around for about 8 years (according to Wikipedia). Firefox did adopt this header, but it's only a server-side solution.

@Thorin-Oakenpants
Contributor Author

EDIT: IIRC it was also tackled at browser-level at some point

Yeah, I remember reading a couple of bugzillas that covered this. As for denying 3rd party iframes - that's just the first level of defence .. some sites you may need to allow those which means you are at risk (you cannot trust any site is my motto - it's not IF but WHEN they get hacked)

@theWalkingDuck

theWalkingDuck commented Dec 26, 2017

Sorry, I haven't used NoScript for a long time, but are there any NoScript ABE rules which cannot be handled using uMatrix?

For example, the following is the default, and maybe the only and most used, ABE rule in NoScript.

# Noscript
# Prevent Internet sites from requesting LAN resources.

Site LOCAL
Accept from LOCAL
Deny

We can rewrite it easily in the uMatrix way:

[Source]              * -> any external resource 
[Destination] 127.0.0.1 -> which tries to access the localhost or local resources
[Content]             * -> whatever the request or the requested content is ..
[action]          block -> should be BLOCKED
# uMatrix
# Prevent Internet sites from requesting LAN resources.

* 127.0.0.1 * block
* localhost * block    
* [::1]     * block       // block access to ipv6 localhost
* 192.168   * block       // block access to LAN 192.168.x.x

The best practice is to use a separate browser for accessing local resources or using a temporary allow if needed ... but for those who need it permanently

# uMatrix
# Accept from LOCAL

127.0.0.1 127.0.0.1 * allow
localhost localhost * allow
[::1]     [::1]     * allow
192.168   192.168   * allow

btw, don't forget to remove the matrix-off: localhost true rule.

@gorhill

gorhill commented Dec 26, 2017

don't forget to remove the matrix-off: localhost true rule

I have no idea why I added this built-in rule. I will remove it.

@Atavic

Atavic commented Dec 26, 2017

Look for types of XSS here. OWASP has much info about it, mainly server-side.
Look at this PDF on page 24 for info about ABE Rules.

@Atavic

Atavic commented Dec 26, 2017

Also here for OWASP info.

@Thorin-Oakenpants
Contributor Author

56743 .. warning! 17 years old 😁 - bit of a moot ticket for uM users => * * frame block

@Thorin-Oakenpants
Contributor Author

OK, this is good: http://vojtechruzicka.com/preventing-clickjacking/

@claustromaniac
Contributor

@Thorin-Oakenpants very nice, thanks!

@Thorin-Oakenpants
Contributor Author

FYI: what does uM have that NS doesn't? rhetorical question

add ability to block web workers on a per-site basis

@Thorin-Oakenpants
Contributor Author

FYI: note, I can't link to the individual review/reply (it's on AMO's NS reviews page), so here's a cropped screenie

HOWEVER, if you're after security, you cannot rely on uMatrix over NoScript. For instance, even if you're blocking scripts with uMatrix on a site you don't trust, it can execute JavaScript by exploiting cross-site request vulnerabilities on a site you trust. This is prevented by NoScript's anti-XSS filter.

I still fail to see what NS's so called anti-XSS offers that uMatrix (with all 3p blocked by default) doesn't. It is some special XSS type attack detection to block sh*t even when you allow it by default (I have no idea what NS's defaults are, but I would assume little breakage and not in a hard mode)

@gorhill

gorhill commented Jan 2, 2018

I believe the scenario he has in mind is:

  1. site X is suffering from an XSS vulnerability
  2. victim allows script execution on site X
  3. an attacker knows about this vulnerability
  4. attacker controls site Y
  5. victim visits site Y
  6. attacker sends victim to vulnerable site X along with a malicious js payload which will be injected somehow by triggering the vulnerability
  7. malicious javascript payload can then observe all what victim does on site X, including stealing victim's credentials if any

(in step 5-6, the victim could be simply given a specially crafted URL by the attacker, or by an innocent intermediate -- see https://excess-xss.com/).

So the way I understand it, this requires examining 3rd-party POST requests for the main document (like when submitting a form).

I have collated cases regarding how blindly allowing 3rd-party frames is a security issue: https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-Benefits-of-blocking-3rd-party-iframe-tags#malware-protection. By no means complete, these are just all cases for which I confirmed blocking 3rd-party frames would have foiled the attack (there is a case in there I emailed the author to confirm whether the attack was iframe-based, this was not clear from the article). There are more cases reported in the media I left out which required that 3rd-party scripts be blocked (that wasn't the topic of the wiki page).

The fact that he describes the blocking of 3rd-party scripts/frames as "disabl[ing] annoying stuff" means he is trying to belittle uMatrix -- there is no way to sensibly describe malvertising as "annoying" -- I don't think he is helping himself by describing the real actual ongoing threat of malvertising (again see list of actual cases above) as merely "annoying".

Now what I long for is such a list of real, actual documented cases where specifically only NoScript's XSS would have protected its users. Whatever threat someone wants to be protected against, an important factor is for users to be able to assess the likelihood of it happening. Surely such a list of actual, real documented cases would be the best way to convince users of the importance of the feature relative to other threats (3rd-party frames, scripts, etc.)

On my side, I will read more about all this and see what could be sensibly added to uMatrix.

@Atavic

Atavic commented Jan 2, 2018

👍 Malvertising could be more appropriate.

An example of such "annoying stuff" could be file-hosting sites like that old one, rapidshare.

@Thorin-Oakenpants
Contributor Author

From this thread: https://www.ghacks.net/2017/12/30/noscript-webextension-update-improves-user-interface/#comment-4325925

surrogate scripts ...

Essentially mirroring a library, or a modified version of a given library (e.g. mootools, or jquery). uBlock used to have this.

Decentraleyes does this, but that still doesn't stop the JS from executing


Now what I long for is such a list of real, actual documented cases where specifically only NoScript's XSS would have protected its users

As per Atavic's link, the last couple of comments from @berrythesoftwarecodeprogrammar (they're at the end) - gorhill/uMatrix#297

The two XSS examples are hopefully still up and running, and maybe someone can work out what they are doing that NS picks up on and blocks

@overdodactyl
Contributor

Essentially mirroring a library, or a modified version of a given library (e.g. mootools, or jquery).

Decentraleyes does this, but that still doesn't stop the JS from executing

For what it's worth, Decentraleyes does have the option to block scripts when the necessary CDN resources aren't available.

Ultimately, you can make Decentraleyes block requests for any missing CDN resources, too. GitHub page

In settings, there's the option to "Block requests for missing resources - Cancel intercepted request if the required resource is not locally available."

uBlock used to have this.

As far as I'm aware, uBO still uses some local, neutered versions of some common scripts, doesn't it?

@gorhill

gorhill commented Jan 3, 2018

uBO used to have an experimental feature called "local mirroring" a long time ago. In the end I canned it, this is best left to a dedicated extension.

The current neutered scripts feature is really just scriptlets served through redirection to local data: URIs, and it applies only to blocked requests, never to non-blocked requests.

@overdodactyl
Contributor

Thanks for the clarification @gorhill! I wasn't aware of the local mirroring feature

If you don't mind the follow up question, do you use Decentraleyes + uBO via the method mentioned on the Decentraleyes wiki page then? (set up noop rules, then enable the block requests for missing resources option)

@Thorin-Oakenpants
Contributor Author

Decentraleyes does this, but that still doesn't stop the JS from executing

Sorry, by that I meant if the user lets it thru

@Atavic

Atavic commented Jan 3, 2018

The XSS tests are gone.

@gorhill

gorhill commented Jan 3, 2018

do you use Decentraleyes + uBO via the method mentioned on the Decentraleyes wiki page then?

I currently use uMatrix and Decentraleyes, no other extension. I didn't read the wiki, I understand how it works. Personally I do not unblock any specific domain except to unbreak sites, and in that case I am happy whenever Decentraleyes catches something.

@overdodactyl
Contributor

Makes sense, thanks for the help!

I currently use uMatrix and Decentraleyes, no other extension

Was that a recent switch? I thought I had seen you mention only using uBO in the past

@gorhill

gorhill commented Jan 3, 2018

Was that a recent switch?

I switched when I started to work more on it lately -- it helps to use what you work on to see what needs most attention. It has its advantages, like the quick overview of what goes on in a web page, the lower overhead. The overhead can be lowered in uBO too though when disabling generic cosmetic filtering. For now I am in my uMatrix phase.

@overdodactyl
Contributor

Good to know, thanks!

I haven't used uMatrix in a while, but I might have to venture back and give that a try for a little while

@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented Jan 6, 2018

I'll just throw this in here: https://www.schneier.com/blog/archives/2018/01/detecting_adblo.html - I haven't read the paper or even found out what this adblocker ext in chrome is yet. The numbers are interesting - 30% of top 10K alexa sites use anti-adblocking (and of these 90% have no visible reactions to adblockers). These are staggering numbers - 30% .. holy cow

Edit: https://arstechnica.com/science/2018/01/academic-researchers-fire-latest-shots-in-ad-blocking-arms-race/ < more detailed

An alternative approach they tried was somewhat more precise. Since they could identify the condition that was being tested for, they could modify the variables used by the site so that the condition would always evaluate as if an adblocker was not present. This only requires a browser extension. And, in the 15 websites it was tested on, it worked every time. (emphasis mine)

Worked every time! Cool. But I don't even want to connect to these 3rd party scripts. I'm intrigued but default-deny is working well for me. I never see an anti-adblocker message TBH

@ghost

ghost commented Feb 3, 2018

So what is the final answer - is there any additional benefit in using NS when one uses uMatrix or not?

@Atavic

Atavic commented Feb 3, 2018

You can use both.

@Remu-rin

Remu-rin commented Mar 4, 2018

How can I test a BTS favicon? I'm a bit worried about matrix-off: behind-the-scene true now - I'm beginning to feel like I have a naked behind

Open uM logger, then go to debian.org link from my previous comment for example (ideally in Private Window, so favicon won't come from cache if you visited site before), you should see BTS request(s) for favicon. Also you can click on BTS icon in the second column to open matrix popup and see what rules you have in force for BTS-scope and what requests uM had allowed/blocked in current session.
With matrix-off: behind-the-scene true (default) everything would be allowed. If it's false, then BTS-scope should inherit your other rules for 3rd-party (allowed images+css in my case).

@crssi

crssi commented Mar 4, 2018

What is the conclusion?
Should it be matrix-off: behind-the-scene true or matrix-off: behind-the-scene false?
Are there any other general uM preferences needing "special care"?

Oh, @Thorin-Oakenpants is there a special reason you have blocked media in upper screenshot?

@ghost

ghost commented Mar 4, 2018

In my uBO rules I have:

behind-the-scene cello.client-channel.google.com * block
behind-the-scene facebook.com * block
behind-the-scene plus.google.com * block
behind-the-scene twimg.com * block
behind-the-scene twitter.com * block
behind-the-scene youtube.com * block

because earlier I had noticed background connections to these hosts happening in Chromium.

@ganego

ganego commented May 6, 2018

@crssi regarding this post of yours: #319 (comment) - You forgot to add the * localhost * block rule in your list. Please edit it in, in case anyone wants to copy/paste the list (as I did and discovered this :))

EDIT: In case anyone was interested - those rules also work when you enter the IP as decimal. For example 127.0.0.1 can also be written as 2130706433.

EDIT2: And one more thing: NS (old one with ABE) can block access to my router with default ABE rules. The router is accessed via DNS in this case (meaning http://router.box). uM cannot block access if I do not specify all the DNS names for the router. This ABE stuff is the only reason why I still use NS.
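
The rules quoted earlier in this thread (theWalkingDuck's "Prevent Internet sites from requesting LAN resources" / "Accept from LOCAL" set) and the decimal-IP remark just above can be checked against a small evaluator. The code below is an added example, not uMatrix's own code or anything from this thread; it models the rule syntax shown on the page (source, destination, type, action), treats a bare octet prefix such as 192.168 as matching 192.168.x.y, treats a domain as matching itself and its subdomains, and normalizes a decimal IPv4 literal like 2130706433 to 127.0.0.1 before matching. The precedence (most specific source, then most specific destination, then an explicit type) and the catch-all "* * * allow" baseline rule are assumptions made for the example, not a description of uMatrix's real lookup order.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rule set for this example: the LAN-blocking and "Accept from LOCAL"
# rules posted in the thread, plus a catch-all "* * * allow" so that unrelated
# requests get a baseline decision.
RULES_TEXT = """
# uMatrix
# Prevent Internet sites from requesting LAN resources.
* * * allow
* 127.0.0.1 * block
* localhost * block
* [::1]     * block
* 192.168   * block
# Accept from LOCAL
127.0.0.1 127.0.0.1 * allow
localhost localhost * allow
[::1]     [::1]     * allow
192.168   192.168   * allow
"""

# A bare IPv4 address or a leading-octet prefix such as 192.168
IP_PREFIX_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}$")


@dataclass(frozen=True)
class Rule:
    src: str      # source (page) hostname or "*"
    dst: str      # destination hostname, IP, IP prefix or "*"
    rtype: str    # request type (script, frame, xhr, ...) or "*"
    action: str   # "allow" or "block"


def normalize_host(host: str) -> str:
    """Lowercase a hostname and rewrite a decimal IPv4 literal (2130706433)
    to dotted-quad form so that rules written for 127.0.0.1 cover it too."""
    host = host.strip().lower()
    if host.isdigit():
        try:
            return str(ipaddress.IPv4Address(int(host)))
        except ipaddress.AddressValueError:
            return host  # out of IPv4 range; leave as-is
    return host


def parse_rules(text: str) -> List[Rule]:
    """Parse 'src dst type action' lines; '#' comment lines and blanks are dropped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed rule: {line!r}")
        src, dst, rtype, action = parts
        rules.append(Rule(normalize_host(src), normalize_host(dst), rtype.lower(), action.lower()))
    return rules


def host_matches(rule_host: str, host: str) -> bool:
    """'*' matches anything; an IP prefix like 192.168 matches 192.168.x.y (and only
    IP-shaped hosts, so 192.168.com is not caught); a domain like example.com matches
    itself and every subdomain."""
    if rule_host == "*":
        return True
    if IP_PREFIX_RE.match(rule_host):
        return bool(IP_PREFIX_RE.match(host)) and (host == rule_host or host.startswith(rule_host + "."))
    return host == rule_host or host.endswith("." + rule_host)


def specificity(rule_host: str) -> int:
    """More labels/octets = more specific; '*' is least specific."""
    return 0 if rule_host == "*" else rule_host.count(".") + 1


def decide(rules: List[Rule], src: str, dst: str, rtype: str) -> str:
    """Return 'allow' or 'block' for a request of type rtype from page src to host dst.
    Simplified precedence (an assumption of this example, not uMatrix's exact lookup):
    most specific source wins, then most specific destination, then an explicit type."""
    src, dst, rtype = normalize_host(src), normalize_host(dst), rtype.lower()
    best: Optional[Tuple[Tuple[int, int, bool], Rule]] = None
    for r in rules:
        if host_matches(r.src, src) and host_matches(r.dst, dst) and r.rtype in ("*", rtype):
            key = (specificity(r.src), specificity(r.dst), r.rtype != "*")
            if best is None or key > best[0]:
                best = (key, r)
    return best[1].action if best else "block"


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    for req in [("example.com", "192.168.1.10", "script"),
                ("192.168.1.5", "192.168.1.10", "xhr"),
                ("example.com", "2130706433", "image"),
                ("example.com", "cdn.example.net", "script")]:
        print(req, "->", decide(RULES, *req))
```

Running it shows an Internet page being refused a script from 192.168.1.10 while a page served from 192.168.1.5 is still allowed the same request, and the decimal form of 127.0.0.1 being caught by the 127.0.0.1 rule.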

@crssi

crssi commented May 6, 2018

@ganego
Thank you, but I haven't forgotten; I have only not updated the list here, since here is just a debate... more is on the wiki, but completeness was not accepted.
Just recently I have published my uM config here https://github.com/crssi/Firefox/blob/master/Config-uMatrix.txt
There are also a few allowed resources covered for Decentraleyes.
If you have something to add or remove, just open an issue on the upper link and I will be happy to do so, if applicable.

Thank you and cheers
p.s. I will now update the comment you have mentioned, but I am not sure that will be maintained in the future... that's what the wiki page should be for.

@Thorin-Oakenpants
Contributor Author

Good read on clickjacking etc here - https://blog.innerht.ml/google-yolo/

@gorhill

gorhill commented May 11, 2018

Good read on clickjacking etc here - https://blog.innerht.ml/google-yolo/

a

@crssi

crssi commented May 13, 2018

I have taken a bit different approach... over uBO like: ||$third-party,subdocument
This way I can allow for example only google captcha: @@||google.*/recaptcha/$third-party,subdocument
without allowing whole google domain.
The other benefit is that I have a filter list, and if for example my mother gets a breakage, she lets me know... I just update the list, and she has learned how to purge/refresh the uBO list in case she needs it fast.

@vertigo220

I'm confused about the rules for blocking sites' access to local LAN resources discussed here and in wiki section 4.2.3. uMatrix rules are all a single line, but @theWalkingDuck's description shows it as multiple lines, and it's not clear which part is supposed to be entered into uM, or how. Could someone please clarify this?

Also, I've been using the default setup for uM which allows everything for 1st-party, for four reasons:

  1. if I'm at the site, I likely trust it for the most part, so it seems reasonable to allow it to do its thing (with some caveats, such as going to a malicious site, but then points 2 & 4 still apply);
  2. it's been explained to me that just because you block JS, etc, doesn't mean a site can't still run code and do things without your knowledge, specifically with php pages, which you won't necessarily know you're on;
  3. even without JS, etc, the site can still figure out a lot about you, since you're connecting to it; and
  4. many people, including (supposedly) @gorhill himself, don't even bother with uM and only use uBO, and I see uM as more of an extension of uBO which allows more granular tweaking, so it seems the additional "risk" of allowing all first-party content shouldn't be that great.

After seeing @Thorin-Oakenpants' setup above, I decided to try it, and it didn't take long to realize this will cause a lot more breakage and, therefore, a lot more time spent fixing sites to make them usable. I'm curious what everyone's thoughts are considering all this, and if it's really worth the extra hassle for, what seems to me to be, little added protection.

And on a related note, I've also always used the default of allowing all css and images, which seemed perfectly safe, as those are (or so I thought) very low risk things, whereas blocking them breaks a lot. After seeing that Pants and others change this behavior, I looked a bit into it and see that CSS at least can be used for tracking (and I assume images can as well?). So again, I'm interested in what everyone thinks about this. Like most things, it's a balance between security/privacy and usability, and everyone is going to draw that line in a different place, but I'm just wondering if the default settings, and how I've been using it, are really a big hole in my setup, or if it's a minor thing that only the most gung-ho, looking to squeeze out every bit of potential protection regardless of the cost in effort, should bother with. IOW, what's the ROI of making these changes?

@2glops

2glops commented May 15, 2018

My actual usage is uBo for static filtering and uM for dynamic filtering.
uBo, I only have to toggle large media or remote fonts.
uM, I've been playing with several strategies, now only allowing css + images for 1st party on global scope.
Newly visited sites often break, partially (still legible) or totally. But, to unbreak these sites, if I decide to unbreak, it takes a few seconds with the awesome matrix. As I got used to unbreaking sites, I've learned a lot to do that quickly.
When I visit a new site, I always look at the matrix, it is very interesting.

I don't know if the above adds little or more protection, but I'm satisfied with the usability of my browsing.

@ghost

ghost commented May 15, 2018

A side note: Speaking of tracking, perhaps the new Privacy Badger's feature is also worth looking into:

https://www.eff.org/deeplinks/2018/05/privacy-badger-rolls-out-new-ways-fight-facebook-tracking

Any experiences with that extension?

@earthlng
Contributor

@vertigo220 wrote:

I'm confused about the rules for blocking sites' access to local LAN resources discussed here and in wiki section 4.2.3. uMatrix rules are all a single line, but @theWalkingDuck's description shows it as multiple lines, and it's not clear which part is supposed to be entered into uM, or how. Could someone please clarify this?

https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.3-uMatrix - better now?

You can just copy-paste the full

# uMatrix
# Prevent Internet sites from requesting LAN resources.

block into your uMatrix rules. uMatrix will automatically remove the comments

@vertigo220

@2glops wrote:

My actual usage is uBo for static filtering and uM for dynamic filtering.
uBo, I only have to toggle large media or remote fonts.

That's interesting, because I find most of my tweaking has to be done in uBO (of course, now that I've changed uM's setup, I expect I'll have to do a lot of tweaking in both). But I can't even use uBO in easy mode, because the static filtering blocks necessary stuff, which requires dynamic filtering to allow it. So ironically, "easy" mode is actually harder than medium mode. I guess it's meant to just whitelist sites if the static filters break them, and probably not meant to be used with very many filters (I use most of them), so that's probably my problem. I've been using the two for a few years now and am still learning.

@AnChEv said:

A side note: Speaking of tracking, perhaps the new Privacy Badger's feature is also worth looking into:
https://www.eff.org/deeplinks/2018/05/privacy-badger-rolls-out-new-ways-fight-facebook-tracking
Any experiences with that extension?

I use PB, and you can see my comment here regarding my opinion of its benefits even when using uBO/uM/NS/etc, though I'm going to try changing how I use uBO a bit (globally block facebook, google, yahoo, etc, then locally noop them on their own domains), so it won't be as important, but still a good second line of defense. As for that new feature, I question its usefulness. It seems to do what extensions like ClearURLs and Neat URL do, but limited to specific sites. I've found that NS does an excellent job of cleaning google links, uBO prevents much of the tracking by simply blocking the requests (see this issue for more on this), and ClearURLs is good to have for anything not covered by those two. I question whether PB would add anything more to the mix.

@earthlng - Thanks. Updated my rules with it.

@gorhill

gorhill commented May 15, 2018

But I can't even use uBO in easy mode, because the static filtering blocks necessary stuff

That is for filter list maintainers to fix, just report these false positives.

@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented Jul 26, 2018

FYI: https://scotthelme.co.uk/xss-on-etherscan-io/ - interesting read - if I read it right, then disqus as third party (recipe) would have allowed this. The question is would ABP have stopped it, as it so often claims? - @gorhill

@gorhill

gorhill commented Jul 26, 2018

would ABP have stopped it

I'm sure you meant NoScript? NoScript dev is best to answer this, without the test case itself (which has been fixed), difficult for outsiders to answer.

@Thorin-Oakenpants
Contributor Author

I'm sure you meant NoScript?

Yeah, sorry. I just wondered (because it's all Greek to me) if that meant anything to you. Because our defense is to block all 3rd party, but NS (well at least for the legacy extension) claimed some special XSS protections, and here was a case that could have been tested (I know it was fixed but the info on how it did it was there, I think, and you code wizards love building PoCs). Anyway, nvm.

I still don't think NS (web ext) offers anything that uM doesn't

@gorhill

gorhill commented Jul 26, 2018

My understanding of that case is that the alert box would have been shown with uBO/medium mode, because the code was executed as inline javascript in the site's context, i.e. as 1st-party code.

uBO/medium mode would have prevented the inline javascript payload from successfully loading javascript or embedded documents from a remote 3rd party under control of the attacker.

However, for example, theoretically the payload could install an event listener for keypresses, and send that information to a remote 3rd party server under control of the attacker. This scenario would be foiled however with uBO/hard mode, not with uBO/medium mode.

My understanding is that the site was injecting Disqus stuff directly in their DOM without sanitizing, because they assumed it was already sanitized by Disqus. So theoretically maybe someone can recreate the case and find out what was possible and what could have foiled the threat.
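
The distinction gorhill draws here (the payload runs as inline, 1st-party code, so a blocker that only refuses 3rd-party requests never sees it, while the server-side fix is to sanitize before injecting into the DOM) can be shown with a small reflected-output example. This is an added example, not code from this thread, from uBO/uMatrix, or from the site discussed; the page template, the hosts victim.example and cdn.example.net, and the harmless payload string are all constructed for illustration.

```python
import html
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed page for this example: a results page on a hypothetical victim.example
# that reflects the query into its HTML and loads one script from a CDN.
PAGE_ORIGIN = "https://victim.example"
TEMPLATE = ("<html><body><p>Results for: {query}</p>"
            "<script src='https://cdn.example.net/app.js'></script></body></html>")

# Constructed, harmless payload standing in for a real reflected-XSS string.
PAYLOAD = "<script>void 0 /* constructed */</script>"


def render_unsafe(query: str) -> str:
    """Vulnerable pattern: untrusted input concatenated into HTML unescaped."""
    return TEMPLATE.format(query=query)


def render_safe(query: str) -> str:
    """Hardened pattern: HTML-escape first, so '<' can never open a tag."""
    return TEMPLATE.format(query=html.escape(query, quote=True))


SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*['"]([^'"]+)['"]""", re.IGNORECASE)


def classify_scripts(page_html: str, page_origin: str = PAGE_ORIGIN) -> List[Tuple[str, Optional[str]]]:
    """Label each <script> as inline, first-party or third-party (by the host of its src)."""
    page_host = urlsplit(page_origin).hostname
    out = []
    for m in SCRIPT_RE.finditer(page_html):
        src = SRC_RE.search(m.group(1))
        if src is None:
            out.append(("inline", None))
        else:
            host = urlsplit(src.group(1)).hostname
            out.append(("first-party" if host == page_host else "third-party", host))
    return out


def summarize(page_html: str, page_origin: str = PAGE_ORIGIN) -> Dict[str, int]:
    """Count scripts by kind. Only the 'third-party' count corresponds to a network request
    a 3rd-party blocker could refuse; 'inline' code already runs in the page's own context."""
    counts = {"inline": 0, "first-party": 0, "third-party": 0}
    for kind, _ in classify_scripts(page_html, page_origin):
        counts[kind] += 1
    return counts


if __name__ == "__main__":
    print("unsafe:", summarize(render_unsafe(PAYLOAD)))
    print("safe:  ", summarize(render_safe(PAYLOAD)))
```

With the unsafe renderer the reflected string becomes an inline script (one inline, one third-party); with the escaped renderer only the CDN script remains, because the reflected text is now literal `&lt;script&gt;` markup. Blocking the 3rd-party CDN request changes neither count for the inline script, which is the point gorhill makes about medium mode.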

@crssi

crssi commented Aug 8, 2018

Guys, something is puzzling me about uBO dynamic filters.
If I use the rule * 192.168.2.129 * block then I cannot browse to 192.168.2.129, which is expected.
But if I generalize to the whole 192.168 network with the rule * 192.168 * block, I can still browse to 192.168.2.129, which is not expected.
Wasn't this already fixed once in uBO?

@gorhill

gorhill commented Aug 8, 2018

I cannot browse to 192.168.2.129

You should be able to browse to it; dynamic filtering block rules never block the whole document, just secondary resources.

@earthlng
Contributor

earthlng commented Aug 8, 2018

@crssi FYI * 192.168 * block in uMatrix blocks access to the main document as well

@crssi

crssi commented Aug 8, 2018

@gorhill and @earthlng: lol, you both must be mind readers... this is the answer to the next question I had in mind, but didn't ask yet. Thank you. 👍

But still, shouldn't the rule * 192.168 * block prevent secondary resources when visiting 192.168.x.y (x,y=any address)?

@gorhill

gorhill commented Aug 8, 2018

But still, shouldn't the rule * 192.168 * block prevent secondary resources when visiting 192.168.x.y

I thought this was supported in uBO but I just looked and I don't see code for this -- despite that I claimed I saw code for this here. Looks like I was confused back in that issue, I confirmed this is not implemented in uBO.

@Thorin-Oakenpants
Contributor Author

...aaaaand it's now fixed in the next release - gorhill/uBlock@8f1b4b5

@Thorin-Oakenpants
Contributor Author

Closing this. IMO, NS adds nothing that can't be covered by uM. I call NS's claims about some XSS protection exclusivity, a pile of marketing BS to talk the product up. I'll say the same can go for ClearClick and ABE - but do feel free to PROVE otherwise.

Should anyone ever be able to provide definitive proof, please let gorhill know in a new topic (at https://github.com/uBlockOrigin/uMatrix-issues )
