Q: What does NS have (or will have) that uBo+uM don't #319
Comments
uMatrix - NoScript
- XSS: To answer earthlng's q in the other thread - https://noscript.net/features#xss & also https://noscript.net/faq#qa4_1 . This is obviously the legacy version. I tend to just use XSS as a term to cover all third party scripts and I control it by default denying 3rd parties in uBo etc, and with uM. In all my years of NS (which always got the requests first before uBo etc), I have only ever had a couple of warnings for this XSS
- ClearClick: https://noscript.net/faq#qa7_1
- ABE
A lot of this info is old. AFAIK clickjacking is nigh impossible now?
I think you don't have to worry much about clickjacking if you deny third-party frames (and/or javascript, of course). EDIT: IIRC it was also tackled at browser-level at some point. Now I just have to remember where I read that... EDIT 2: Well, yes and no. What I read was about the
Yeah, I remember reading a couple of bugzillas that covered this. As for denying 3rd party iframes - that's just the first level of defence .. some sites you may need to allow those which means you are at risk (you cannot trust any site is my motto - it's not IF but WHEN they get hacked)
Sorry, I haven't used NoScript for a long time, but are there any NoScript ABE rules which cannot be handled using uMatrix? For example the following is the default, maybe the only and most used, ABE rule in NoScript.
We can rewrite it easily in the uMatrix way:
The best practice is to use a separate browser for accessing local resources or using a temporary allow if needed ... but for those who need it permanently
btw, don't forget to remove the
I have no idea why I added this built-in rule. I will remove it.
Also here for OWASP info.
56743 .. warning! 17 years old 😁 - bit of a moot ticket for uM users =>
OK, this is good: http://vojtechruzicka.com/preventing-clickjacking/
@Thorin-Oakenpants very nice, thanks!
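The browser-level clickjacking defence mentioned a few comments up comes down to two response headers: the CSP `frame-ancestors` directive and the older `X-Frame-Options`. The checker below is an added example for this thread (it is not code from uMatrix, uBO or NoScript); it takes a dict of response headers and says which mechanism, if any, stops the page from being framed. The header sets in the `__main__` block are constructed, not captured from a real site.

```python
"""Added example: classify a site's clickjacking defence from its response headers.

Browsers enforce two mechanisms against being framed: the CSP `frame-ancestors`
directive and the older `X-Frame-Options` header. When both are sent, CSP wins
and X-Frame-Options is ignored; `ALLOW-FROM` is obsolete and current browsers
treat it as if the header were absent. The sample headers below are constructed.
"""


def _frame_ancestors_sources(csp_value):
    """Return the source list of the frame-ancestors directive, or None if the
    policy has no such directive. Quotes around keywords ('self', 'none') are
    stripped so callers can compare plain strings."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def frame_protection(headers):
    """Return (mechanism, verdict) for a dict of response headers.

    mechanism: "csp", "xfo" or "none"
    verdict:   "blocked"    - no page may frame this response
               "restricted" - only same-origin or listed origins may frame it
               "open"       - any site may frame it (clickjacking possible)
    Header names are matched case-insensitively. A Report-Only CSP header is
    deliberately not consulted: it reports violations but does not enforce."""
    lowered = {name.lower(): value for name, value in headers.items()}

    csp = lowered.get("content-security-policy")
    sources = _frame_ancestors_sources(csp) if csp else None
    if sources is not None:
        # An empty source list is equivalent to 'none'
        if not sources or sources == ["none"]:
            return ("csp", "blocked")
        if "*" in sources:
            return ("csp", "open")
        return ("csp", "restricted")

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return ("xfo", "blocked")
    if xfo == "SAMEORIGIN":
        return ("xfo", "restricted")
    if xfo:
        # ALLOW-FROM or a malformed value: modern browsers ignore it entirely
        return ("xfo", "open")

    return ("none", "open")


if __name__ == "__main__":
    # Constructed header sets, not captured from any real site
    samples = {
        "hardened": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        "legacy": {"X-Frame-Options": "SAMEORIGIN"},
        "obsolete": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
        "unprotected": {"Content-Type": "text/html"},
    }
    for name, hdrs in samples.items():
        print(f"{name:12s} -> {frame_protection(hdrs)}")
```

The point for a uM user is the "unprotected" case: when a site sends neither header, the only thing standing between it and a framing attack is the client-side block on 3rd-party frames discussed above.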
FYI: what does uM have that NS doesn't? rhetorical question
FYI: note, I can't link to the individual review/reply (its on AMO's NS reviews page), so here's a cropped screenie
I still fail to see what NS's so called anti-XSS offers that uMatrix (with all 3p blocked by default) doesn't. It is some special XSS type attack detection to block sh*t even when you allow it by default (I have no idea what NS's defaults are, but I would assume little breakage and not in a hard mode)
I believe the scenario he has in mind is:
(in step 5-6, the victim could be simply given a specially crafted URL by the attacker, or by an innocent intermediate -- see https://excess-xss.com/). So the way I understand, this requires to examine 3rd-party
I have collated cases regarding how blindly allowing 3rd-party frames is a security issue: https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-Benefits-of-blocking-3rd-party-iframe-tags#malware-protection. By no means complete, these are just all cases for which I confirmed blocking 3rd-party frames would have foiled the attack (there is a case in there I emailed the author to confirm whether the attack was iframe-based, this was not clear from the article). There are more cases reported in the media I left out which required that 3rd-party scripts be blocked (that wasn't the topic of the wiki page). The fact that he describes the blocking of 3rd-party scripts/frames as "disabl[ing] annoying stuff" means he is trying to belittle uMatrix -- there is no way to sensibly describe malvertising as "annoying" -- I don't think he is helping himself by describing the real actual ongoing threat of malvertising (again see list of actual cases above) as merely "annoying". Now what I long for is such a list of real, actual documented cases where specifically only NoScript's XSS would have protected its users. Whatever threat someone wants to be protected against, an important factor is for users to be able to assess the likelihood of it happening. Surely such a list of actual, real documented cases would be the best way to convince users of the importance of the feature relative to other threats (3rd-party frames, scripts, etc.) On my side, I will read more about all this and see what could be sensibly added to uMatrix.
👍 Malvertising could be more appropriate. An example of such "annoying stuff" could be file-hosting sites like that old one, rapidshare.
From this thread: https://www.ghacks.net/2017/12/30/noscript-webextension-update-improves-user-interface/#comment-4325925 surrogate scripts ...
Decentraleyes does this, but that still doesn't stop the JS from executing
As per Atavic's link, the last couple of comments from @berrythesoftwarecodeprogrammar (they're at the end) - gorhill/uMatrix#297 The two XSS examples are hopefully still up and running, and maybe someone can work out what they are doing that NS picks up on and blocks
For what it's worth, Decentraleyes does have the option to block scripts when the necessary CDN resources aren't available.
In settings, there's the option to "Block requests for missing resources - Cancel intercepted request if the required resource is not locally available."
As far as I'm aware, uBO still uses some local, neutered versions of some common scripts, doesn't it?
uBO used to have an experimental feature called "local mirroring" a long time ago. In the end I canned it, this is best left to a dedicated extension. The current neutered scripts feature is really just scriptlets served through redirection to local data: URIs, and it applies only to blocked requests, never to non-blocked requests.
Thanks for the clarification @gorhill! I wasn't aware of the local mirroring feature. If you don't mind the follow up question, do you use Decentraleyes + uBO via the method mentioned on the Decentraleyes wiki page then? (set up noop rules, then enable the block requests for missing resources option)
Sorry, by that I meant if the user lets it thru
The XSS tests are gone.
I currently use uMatrix and Decentraleyes, no other extension. I didn't read the wiki, I understand how it works. Personally I do not unblock any specific domain except to unbreak sites, and in that case I am happy whenever Decentraleyes catches something.
Makes sense, thanks for the help!
Was that a recent switch? I thought I had seen you mention only using uBO in the past
I switched when I started to work more on it lately -- it helps to use what you work on to see what needs most attention. It has its advantages, like the quick overview of what goes on in a web page, the lower overhead. The overhead can be lowered in uBO too though when disabling generic cosmetic filtering. For now I am in my uMatrix phase.
Good to know, thanks! I haven't used uMatrix in a while, but I might have to venture back and give that a try for a little while
I'll just throw this in here: https://www.schneier.com/blog/archives/2018/01/detecting_adblo.html - I haven't read the paper or even found out what this adblocker ext in chrome is yet. The numbers are interesting - 30% of top 10K alexa sites use anti-adblocking (and of these 90% have no visible reactions to adblockers). These are staggering numbers - 30% .. holy cow Edit: https://arstechnica.com/science/2018/01/academic-researchers-fire-latest-shots-in-ad-blocking-arms-race/ < more detailed
Worked every time! Cool. But I don't even want to connect to these 3rd party scripts. I'm intrigued but default-deny is working well for me. I never see an anti-adblocker message TBH
So what is the final answer - is there any additional benefit in using NS when one uses uMatrix or not?
You can use both.
Open uM logger, then go to debian.org link from my previous comment for example (ideally in Private Window, so favicon won't come from cache if you visited site before), you should see BTS request(s) for favicon. Also you can click on BTS icon in the second column to open matrix popup and see what rules you have in force for BTS-scope and what requests uM had allowed/blocked in current session.
What is the conclusion? Oh, @Thorin-Oakenpants is there a special reason you have blocked
In my uBO rules I have:
because earlier I noticed background connections to these hosts happening in Chromium.
@crssi regarding this post of yours: #319 (comment) - You forgot to add the EDIT: In case anyone was interested - those rules also work when you enter the IP as decimal. For example 127.0.0.1 can also be written as 2130706433. EDIT2: And one more thing: NS (old one with ABE) can block access to my router with default ABE rules. The router is accessed via DNS in this case (meaning http://router.box). uM cannot block access if I do not specify all the DNS names for the router. This ABE stuff is the only reason why I still use NS.
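The two points in the comment above (127.0.0.1 written as the integer 2130706433, and a router reached as http://router.box that no IP-based rule can match) are worth seeing in code. The script below is an added example for this thread, not code from uMatrix or NoScript, and it does not use either tool's rule syntax: it only normalises the host part of a URL into an address object and classifies it, so that dotted, decimal and hex spellings of a loopback or LAN address are treated alike, while a DNS name is reported as something that would need resolving first. The URLs in the `__main__` block are constructed.

```python
"""Added example: normalise the host part of a URL before deciding whether it
points at the local machine or the LAN.

127.0.0.1 can be written as the bare integer 2130706433 (or 0x7f000001), so a
rule that only matches the dotted form misses the others. A DNS name such as
router.box cannot be classified at all without resolving it, which is the gap
the comment above describes. All sample URLs below are constructed.
"""
import ipaddress
from urllib.parse import urlsplit


def parse_host_address(host):
    """Return an IPv4Address/IPv6Address for a literal host in dotted, IPv6,
    bare-decimal or 0x-hex notation; return None when the host is a DNS name."""
    try:
        return ipaddress.ip_address(host)      # dotted quad or IPv6 text
    except ValueError:
        pass
    try:
        if host.lower().startswith("0x"):
            number = int(host, 16)             # int() accepts the 0x prefix with base 16
        else:
            number = int(host, 10)
    except ValueError:
        return None                            # not numeric: treat as a name
    if 0 <= number <= 0xFFFFFFFF:
        return ipaddress.IPv4Address(number)   # integer form of an IPv4 address
    return None


def classify_destination(url):
    """Classify where a URL points: "loopback", "link-local", "private",
    "public", or "dns-name" when the host is a name that would need resolving."""
    host = urlsplit(url).hostname or ""        # lowercased; IPv6 brackets stripped
    address = parse_host_address(host)
    if address is None:
        return "dns-name"
    if address.is_loopback:
        return "loopback"
    if address.is_link_local:
        return "link-local"
    if address.is_private:
        return "private"
    return "public"


if __name__ == "__main__":
    # Constructed URLs: the router name is a placeholder, not a real host
    for u in ("http://127.0.0.1/", "http://2130706433/", "http://0x7f000001/",
              "http://192.168.1.1/", "http://router.box/", "https://example.com/"):
        print(f"{u:28s} -> {classify_destination(u)}")
```

Running it shows the first three URLs all classified as loopback, while router.box comes back as dns-name: a filter that keys on the address literal cannot decide that case without a DNS lookup, which is exactly why the router has to be listed by name in uM.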
@ganego Thank you and cheers |
Good read on clickjacking etc here - https://blog.innerht.ml/google-yolo/
I have taken a bit different approach... over uBO like:
I'm confused about the rules for blocking sites' access to local LAN resources discussed here and in wiki section 4.2.3. uMatrix rules are all a single line, but @theWalkingDuck's description shows it as multiple lines, and it's not clear which part is supposed to be entered into uM, or how. Could someone please clarify this? Also, I've been using the default setup for uM which allows everything for 1st-party, for four reasons:
After seeing @Thorin-Oakenpants' setup above, I decided to try it, and it didn't take long to realize this will cause a lot more breakage and, therefore, a lot more time spent fixing sites to make them usable. I'm curious what everyone's thoughts are considering all this, and if it's really worth the extra hassle for, what seems to me to be, little added protection. And on a related note, I've also always used the default of allowing all css and images, which seemed perfectly safe, as those are (or so I thought) very low risk things, whereas blocking them breaks a lot. After seeing that Pants and others change this behavior, I looked a bit into it and see that CSS at least can be used for tracking (and I assume images can as well?). So again, I'm interested in what everyone thinks about this. Like most things, it's a balance between security/privacy and usability, and everyone is going to draw that line in a different place, but I'm just wondering if the default settings, and how I've been using it, is really a big hole in my setup, or if it's a minor thing that only the most gung-ho, looking to squeeze out every bit of potential protection regardless of the cost in effort, should bother with. IOW, what's the ROI of making these changes?
My actual usage is uBo for static filtering and uM for dynamic filtering. I don't know if the above add little or more protection, but I'm satisfied with the usability of my browsing.
A side note: Speaking of tracking, perhaps the new Privacy Badger's feature is also worth looking into: https://www.eff.org/deeplinks/2018/05/privacy-badger-rolls-out-new-ways-fight-facebook-tracking Any experiences with that extension?
@vertigo220 wrote:
https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.3-uMatrix - better now? You can just copy-paste the full
block into your uMatrix rules. uMatrix will automatically remove the comments
@2glops wrote:
That's interesting, because I find most of my tweaking has to be done in uBO (of course, now that I've changed uM's setup, I expect I'll have to do a lot of tweaking in both. But I can't even use uBO in easy mode, because the static filtering blocks necessary stuff, which requires dynamic filtering to allow it. So ironically, "easy" mode is actually harder than medium mode. I guess it's meant to just whitelist sites if the static filters break them, and probably not meant to be used with very many filters (I use most of them), so that's probably my problem. I've been using the two for a few years now and am still learning. @AnChEv said:
I use PB, and you can see my comment here regarding my opinion of its benefits even when using uBO/uM/NS/etc, though I'm going to try changing how I use uBO a bit (globally block facebook, google, yahoo, etc, then locally noop them on their own domains), so it won't be as important, but still a good second line of defense. As for that new feature, I question its usefulness. It seems to do what extensions like ClearURLs and Neat URL do, but limited to specific sites. I've found that NS does an excellent job of cleaning google links, uBO prevents much of the tracking by simply blocking the requests (see this issue for more on this), and ClearURLs is good to have for anything not covered by those two. I question whether PB would add anything more to the mix. @earthlng - Thanks. Updated my rules with it.
That is for filter list maintainers to fix, just report these false positives.
FYI: https://scotthelme.co.uk/xss-on-etherscan-io/ - interesting read - if I read it right, then disqus as third party (recipe) would have allowed this. The question is would ABP have stopped it, as it so often claims? - @gorhill
I'm sure you meant NoScript? NoScript dev is best to answer this, without the test case itself (which has been fixed), difficult for outsiders to answer.
Yeah, sorry. I just wondered (because it's all Greek to me) if that meant anything to you. Because our defense is to block all 3rd party, but NS (well at least for the legacy extension) claimed some special XSS protections, and here was a case that could have been tested (I know it was fixed but the info on how it did it was there, I think, and you code wizards love building PoCs). Anyway, nvm. I still don't think NS (web ext) offers anything that uM doesn't
My understanding of that case is that the alert box would have been shown with uBO/medium mode, because the code was executed as inline javascript in the site's context, i.e. as 1st-party code. uBO/medium mode would have prevented the inline javascript payload from successfully loading javascript or embedded documents from a remote 3rd party under control of the attacker. However, for example, theoretically the payload could install an event listener for keypresses, and send that information to a remote 3rd party server under control of the attacker. This scenario would be foiled however with uBO/hard mode, not with uBO/medium mode. My understanding is that the site was injecting Disqus stuff directly in their DOM without sanitizing, because they assumed it was already sanitized by Disqus. So theoretically maybe someone can recreate the case and find out what was possible and what could have foiled the threat.
Guys, something is puzzling me about uBO dynamic filters.
You should be able to browse to, dynamic filtering block-rules never block whole document, just secondary resources.
@crssi FYI
I thought this was supported in uBO but I just looked and I don't see code for this -- despite that I claimed I saw code for this here. Looks like I was confused back in that issue, I confirmed this is not implemented in uBO.
...aaaaand it's now fixed in the next release - gorhill/uBlock@8f1b4b5
Closing this. IMO, NS adds nothing that can't be covered by uM. I call NS's claims about some XSS protection exclusivity, a pile of marketing BS to talk the product up. I'll say the same can go for ClearClick and ABE - but do feel free to PROVE otherwise. Should anyone ever be able to provide definitive proof, please let gorhill know in a new topic (at https://github.com/uBlockOrigin/uMatrix-issues )
Question: I still do not fully understand what NS offers that uBo+uM don't.
People have suggested (eg reddit, and here) that you can use NS in global allow mode but leave those four items above as active. Personally I never got an XSS warning from NS (maybe one a year), and the new WebExt version (not sure where they are at) I do not really want to touch with a barge pole (yet, if ever)
Aren't these things in uBo/uM - if not, why not?
@gorhill @Atavic excuse my ignorance, ELI5