Apr 1, 2009
Add-ons make surfing with Mozilla Firefox more secure
Imagine visiting a website and being told first to download and run a program from that site to “enhance your viewing experience”. This should set your teeth on edge – why would you hand over complete control of your PC to an untrusted party? If your teeth are not affected, please read the computer security recommendations again at http://cern.ch/security.
The only thing preventing full-blown infection of our machines by random websites is that scripts embedded in Web pages tend to be executed in a restricted environment, the so-called “sandbox”. However, implementing a truly secure sandbox is very hard – witness the constant flurry of browser updates – and frequently “usability” conflicts directly with “security”. Scripts are also notorious for causing accessibility problems – a screen reader (for the blind) will usually not be able to cope with them, and user preferences (e.g. for large fonts with high-contrast colours) may be ignored.
In some cases the additional functionality is beneficial to the user. For example, large Web applications have become far more responsive since they don’t need to reload a Web page on every minor change from the user, to the point where complete “Office” suites are now feasible as a Web service.
On the other hand, a lot of the scripts simply provide visual fluff, serve the more annoying type of advertising or are being employed to track user behaviour. In the worst case, scripts will actively attack, for example by trying to exploit known vulnerabilities in the browser or media viewers (“drive-by download” – no user interaction required), or by stealing or re-using the user’s Web credentials. Some attacks are known as “cross-site scripting” (or XSS), where scripts from one website exploit a programming error on a different site to attack the users there. More specialized attacks go by “cross-site request forgery” (known as XSRF), where an ongoing authenticated Web session is being (ab)used by a third party (think Google getting you to buy books via Amazon’s one-click system, without you noticing).
Different browsers have different defence mechanisms against such attacks and this article concentrates on the Mozilla Firefox browser, which is the default browser on Scientific Linux CERN. Internet Explorer will be featured in the next CNL, in June.
Within the browser
Extensions to the rescue!
Firefox “extensions” are small add-on programs that add new functionality to Firefox. They are usually stored in the user’s Firefox directory and are available for free from the Web. While “downloading and running programs from the Web” to solve the problem of “downloading and running programs from the Web” sounds weird, please remember that ultimately the whole of Firefox is distributed this way and the issue here is trust. The extensions discussed here are widely used (and reviewed), are distributed from the official Mozilla website and have well-known authors. Please do not take this article as a general invitation to install whatever extension you find on some shady website!
NoScript – selective whitelisting
This rather popular extension implements the missing functionality for allowing scripts from just some “trusted” sites and not from others. It also tries to prevent various attacks even between these trusted sites.
NoScript is under active development to address new attacks, and hence is frequently being updated (something that Firefox will propose to do automatically). Some settings are required for CERN websites; these are documented under http://cern.ch/twiki/bin/view/LinuxSupport/NoScriptProblems.
Adblock Plus – no more “ads” (less malware too)
However, if general advertisements are considered harmful, wouldn’t we all be blind by now from traditional text media ads? In fact, the security problem associated with Web advertising is not the visual offences committed to attract our attention, or the occasional inappropriate content on otherwise harmless sites, or the privacy-violating tracking of users across the Web, but rather that the Web advertising industry breaks the “trust” relationship between a user and the website.
The key problem is “syndicated advertising”: websites sell off a part of their Web page to other companies, who then sell it off again etc. and all of this via automated placement tools. This means that the website owner may have no idea who provides the publicity currently displayed on their site and the user will not be able to tell either. This mechanism has been abused in the past to quickly infect thousands of visitors to otherwise reputable sites, including high-profile sites such as MySpace, NHL.com, Canada.com and The Economist. In conclusion, browsing only to “safe” websites to avoid getting exposed to malware is an illusion.
The Firefox “Adblock Plus” extension implements blacklist-based filters even for non-scripted content such as images, and as such it is the natural complement to NoScript. Known advertising content is filtered (unless the user explicitly allows it, e.g. to support a particular site), which cuts down on the exposure to malicious content. As a positive side effect, pages typically load quicker and become much more readable.
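As an added example (not code from this article, nor from NoScript or Adblock Plus), the following JavaScript sketches how the two mechanisms described above fit together: a whitelist of trusted script domains, matched so that a whole domain is trusted at once, and a blacklist written in a small subset of Adblock Plus filter syntax with “@@” exception rules for sites the user explicitly allows. The domain, filters and URLs are constructed for illustration, and the filter-syntax subset is a simplification of the real one.

```javascript
// Added example, not code from the article, NoScript or Adblock Plus: a toy
// content policy that combines a NoScript-style whitelist of trusted script
// domains with a blacklist written in a small subset of Adblock Plus filter
// syntax ("||host^" domain anchor, "*" wildcard, "^" separator, "@@" exception).

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// NoScript-style whitelist. Trusting a domain trusts all of its hosts, which is
// the article's point that often a whole domain must be trusted for one site.
function scriptAllowed(url, trustedDomains) {
  const host = hostOf(url);
  return trustedDomains.some(d => host === d || host.endsWith('.' + d));
}

// Translate one filter (subset of the real syntax) into a RegExp.
function filterToRegExp(filter) {
  let f = filter.startsWith('@@') ? filter.slice(2) : filter;
  let re = '';
  if (f.startsWith('||')) {            // anchor at the start of a host label
    re = '^[a-z][a-z0-9+.-]*://(?:[^/]+\\.)?';
    f = f.slice(2);
  }
  re += f.replace(/[.+?(){}[\]\\|$]/g, '\\$&')        // escape, except ^ and *
         .replace(/\*/g, '.*')                          // wildcard
         .replace(/\^/g, () => '(?:[^\\w.%-]|$)');      // separator or end of URL
  return new RegExp(re, 'i');
}

// Blacklist with "@@" exceptions, which is how a user explicitly allows a site.
function resourceBlocked(url, filters) {
  const rules = filters.filter(f => !f.startsWith('!'));   // "!" lines are comments
  if (rules.some(f => f.startsWith('@@') && filterToRegExp(f).test(url))) return false;
  return rules.some(f => !f.startsWith('@@') && filterToRegExp(f).test(url));
}

// One decision per request: scripts must pass the whitelist, everything the blacklist.
function decide(url, type, policy) {
  if (type === 'script' && !scriptAllowed(url, policy.trustedDomains)) return 'block:untrusted-script';
  if (resourceBlocked(url, policy.filters)) return 'block:adfilter';
  return 'allow';
}
// Constructed sample policy (domain and filters are illustrative, not real lists).
const policy = {
  trustedDomains: ['cern.ch'],
  filters: ['! constructed list', '||ads.example.net^', '/banner/*.gif', '@@||ads.example.net/allowed/'],
};
console.log(decide('https://www.cern.ch/lib/menu.js', 'script', policy)); // allow
```

Note that the “^” separator stops a look-alike host such as ads.example.net.evil.test from matching the “||ads.example.net^” rule, while the exception rule lets one path on the blocked host through.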
A downside is that a lot of free Web content is being financed by advertising, and such filtering eventually might harm revenues to a point that some sites will have to shut down. At least at work, CERN users should not be a major contributor to such revenue, but the decision whether to be subjected to these adverts is with the user.
Default at CERN? Why not?
The user needs to be much more aware of what they are doing on the Web, and constantly take decisions on whom to trust. As such, these extensions are a potential support nightmare – the CERN helpdesk would not be able to cope with questions for every non-working website.
Another point is that these extensions tend to get updated quickly, and in bursts – this would not fit well in the standard IT update cycle (and take a lot of manpower). A centrally maintained extension installed on a machine prevents users from installing a more recent version themselves.
Lastly, the decision on whether to trust a site depends on the impact of an infection for a particular user. Taking these decisions centrally will lead to a bad compromise: too open for the truly security-conscious, too restricted for the people who’d just like “to get their job done”. As an example, for technical reasons a complete domain often has to be trusted, even if only a single website merits that trust.
Altogether, this means that we will not be able to make this the default browsing environment. However, we would like to strongly encourage knowledgeable users to take advantage of the additional protection outlined above.
About the author
Jan Iven, IT-FIO