Imagine visiting a website and being told first to download and run a program from that site to “enhance your viewing experience”. This should set your teeth on edge – why would you hand over complete control of your PC to an untrusted party? If your teeth are not affected, please read the computer security recommendations again at http://cern.ch/security.

Unfortunately, for most of us this is a daily experience – even if your browser typically hides this. Modern websites make extensive use of “scripting” – small programs that are provided by the originating site. Common examples are JavaScript (technically this is ECMAScript, which has nothing to do with Java the programming language; the name is simply a clever marketing ploy), ActiveX (Microsoft-only), Java applets, Silverlight, etc. Even supposedly harmless media content such as “Flash” or “PDF” is in fact driven by full-blown programming languages.

The only thing preventing full-blown infection of our machines by random websites is that these languages tend to be executed in a restricted environment, the so-called “sandbox”. However, implementing a truly secure sandbox is very hard – witness the constant flurry of browser updates – and frequently “usability” conflicts directly with “security”. Scripts are also notorious for causing accessibility problems – a screen reader (for the blind) will usually not be able to cope with them, and user preferences (e.g. for large fonts with high-contrast colours) may be ignored.

In some cases the additional functionality is beneficial to the user. For example, large Web applications have become far more responsive since they don’t need to reload a Web page on every minor change from the user, to the point where complete “Office” suites are now feasible as a Web service.

On the other hand, a lot of the scripts simply provide visual fluff, serve the more annoying type of advertising or are employed to track user behaviour. In the worst case, scripts will actively attack, for example by trying to exploit known vulnerabilities in the browser or media viewers (“drive-by download” – no user interaction required), or by stealing or re-using the user’s Web credentials. Some attacks are known as “cross-site-scripting” (or XSS), where scripts from one website exploit a programming error on a different site to attack the users there. More specialized attacks go by “cross-site request forgery” (known as XSRF), where an ongoing authenticated Web session is being (ab)used by a third party (think Google getting you to buy books via Amazon’s one-click system, without you noticing).

Lastly, the JavaScript in question might not come from the original page owner: user-supplied-content sites (blogs, forums, comments) often do not properly sanitize the provided material, and a swarm of website programming errors means that often the owners of a website have no idea about the offending code they are propagating.
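The sanitizing step a user-content site is missing when it propagates such code looks like the following. This is an added example, not code from the CNL article, from NoScript or from Adblock Plus; the helper names are hypothetical and the sample comment is constructed. It renders one forum comment twice: once the defective way (user text pasted straight into the page) and once with every untrusted value escaped for the context it lands in, including the author's homepage link.

```javascript
// Added example (not from the CNL article, NoScript or Adblock Plus): the
// escaping a user-content site must do before echoing a comment back.
// All helper names are hypothetical; the sample comment is constructed.

// Escape the five characters that let text be interpreted as HTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, ch => map[ch]);
}

// Only plain web links may be used as an author's homepage; anything else
// (e.g. a "javascript:" URL, which would run as script when clicked) is dropped.
function safeUrl(url) {
  try {
    const parsed = new URL(url);
    return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? parsed.href : null;
  } catch {
    return null;
  }
}

// The defect described above: user-supplied text pasted straight into the markup.
function renderCommentUnsafe(comment) {
  return `<li><a href="${comment.homepage}">${comment.author}</a>: ${comment.body}</li>`;
}

// Hardened: every untrusted value is escaped, and the link is validated first.
function renderCommentSafe(comment) {
  const home = safeUrl(comment.homepage);
  const author = home
    ? `<a href="${escapeHtml(home)}">${escapeHtml(comment.author)}</a>`
    : escapeHtml(comment.author);
  return `<li>${author}: ${escapeHtml(comment.body)}</li>`;
}

// Constructed sample: the kind of comment a forum must not trust as-is.
const SAMPLE_COMMENT = {
  author: 'visitor',
  homepage: 'javascript:alert(1)',
  body: 'Nice page! <script>alert(1)</script>',
};

// True when the rendered markup still carries executable content, i.e. when
// the site would be propagating the commenter's code to its other visitors.
function stillExecutable(html) {
  return /<script\b/i.test(html) || /href="javascript:/i.test(html);
}

console.log('unsafe:', renderCommentUnsafe(SAMPLE_COMMENT));
console.log('safe:  ', renderCommentSafe(SAMPLE_COMMENT));
```

The hardened version produces `<li>visitor: Nice page! &lt;script&gt;alert(1)&lt;/script&gt;</li>`: the comment is still displayed in full, but as text the browser will not execute. Escaping has to be done per context (HTML body, attribute value, URL); the one function above covers the first two, and `safeUrl` the third.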

Different browsers have different defence mechanisms against such attacks and this article concentrates on the Mozilla Firefox browser, which is the default browser on Scientific Linux CERN. Internet Explorer will be featured in the next CNL, in June.

Within the browser

Obviously, the sandbox mechanism ought to contain malicious software. However, Firefox has a particular problem since the browser’s user interface itself is written largely in JavaScript. This means it needs to make a clear separation between browser code (with the privileges of a normal application, i.e. read and write files, connect to remote machines or launch other executables) and the scripts coming in from remote websites. Historically, a lot of Firefox “exploits” were aimed at the boundary between the two.

Firefox has the ability to turn off JavaScript and Java applets (Edit–Preferences–Content), and will not understand other languages such as Flash or PDF, at least not without the help of a plugin (which can be turned off). However, this “all-or-nothing” solution is not very satisfactory as some sites might be “trusted”, some sites are simply unusable without their scripts, and Firefox itself does not provide a more fine-grained mechanism.

Extensions to the rescue!

Firefox “extensions” are small add-on programs that add new functionality to Firefox. They are usually stored in the user’s Firefox directory and are available for free from the Web. While “downloading and running programs from the Web” to solve the problem of “downloading and running programs from the Web” sounds weird, please remember that ultimately the whole of Firefox is distributed this way and the issue here is trust. The extensions discussed here are widely used (and reviewed), are distributed from the official Mozilla website and have well-known authors. Please do not take this article as a general invitation to install whatever extension you find on some shady website!

NoScript – selective whitelisting

This rather popular extension implements the missing functionality for allowing scripts from just some “trusted” sites and not from others. It also tries to prevent various attacks even between these trusted sites.

The extension is unobtrusive: a corner icon informs the user whether a website contains scripts, or whether all or some of them are allowed or all are blocked. The extension deals with JavaScript, as well as dangerous (since programmatic) media types. Allowing a website either temporarily or permanently takes a single mouse-click. At the same time, the extension has various powerful whitelisting options for more advanced cases.

NoScript is under active development to address new attacks, and hence is frequently being updated (something that Firefox will propose to do automatically). Some settings are required for CERN websites; these are documented under http://cern.ch/twiki/bin/view/LinuxSupport/NoScriptProblems.
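The whitelisting decision NoScript makes for every script on a page can be modelled in a few lines. The following is an added example, not NoScript's own code; the class and method names are hypothetical and the sample page resources are constructed. It keeps the extension's distinction between temporarily and permanently trusted sites, and it also shows the granularity problem raised later in this article: trust is granted per domain, so allowing one site allows everything beneath it.

```javascript
// Added example (not NoScript's code): a per-site script whitelist with the
// temporary/permanent distinction the extension offers. Names are hypothetical.

function normalizeHost(host) {
  return String(host).trim().toLowerCase().replace(/\.$/, '');
}

class ScriptPolicy {
  constructor(permanentSites = []) {
    this.permanent = new Set(permanentSites.map(normalizeHost));
    this.temporary = new Set();   // cleared when the browser session ends
  }

  // One click in the extension's menu: allow a site for this session or for good.
  allow(site, { temporary = false } = {}) {
    (temporary ? this.temporary : this.permanent).add(normalizeHost(site));
  }

  forbid(site) {
    const s = normalizeHost(site);
    this.permanent.delete(s);
    this.temporary.delete(s);
  }

  endSession() {
    this.temporary.clear();
  }

  // Trust covers a domain and everything below it: allowing "example.org"
  // also allows "cdn.example.org" (the coarse granularity this article warns
  // about), but never an unrelated host such as "notexample.org".
  isAllowed(host) {
    const h = normalizeHost(host);
    for (const trusted of [...this.permanent, ...this.temporary]) {
      if (h === trusted || h.endsWith('.' + trusted)) return true;
    }
    return false;
  }

  // What the corner icon summarises: of the script URLs a page references,
  // which ones run and which ones are blocked.
  classify(scriptUrls) {
    const allowed = [], blocked = [];
    for (const url of scriptUrls) {
      (this.isAllowed(new URL(url).hostname) ? allowed : blocked).push(url);
    }
    return { allowed, blocked };
  }
}

// Constructed sample: a news page pulling a first-party script and a
// third-party tracker. Everything is blocked until the user allows a site.
const PAGE_SCRIPTS = [
  'http://news.example.org/app.js',
  'http://tracker.example.net/t.js',
];

const policy = new ScriptPolicy(['cern.ch']);
console.log('default:', policy.classify(PAGE_SCRIPTS));
policy.allow('example.org', { temporary: true });
console.log('after temporary allow:', policy.classify(PAGE_SCRIPTS));
```

Allowing `example.org` for the session lets `news.example.org/app.js` run while the tracker stays blocked; once the session ends the temporary entry is gone and the page is back to fully blocked. The real extension additionally distinguishes top-level page origins from embedded resources and handles the media types mentioned above, which this sketch leaves out.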

Adblock Plus – no more “ads” (less malware too)

However, if general advertisements are considered harmful, wouldn’t we all be blind by now from traditional text media ads? In fact, the security problem associated with Web advertising is not the visual offences committed to attract our attention, or the occasional inappropriate content on otherwise harmless sites, or the privacy-violating tracking of users across the Web, but rather that the Web advertising industry breaks the “trust” relationship between a user and the website.

The key problem is “syndicated advertising”: websites sell off a part of their Web page to other companies, who then sell it off again etc. and all of this via automated placement tools. This means that the website owner may have no idea who provides the publicity currently displayed on their site and the user will not be able to tell either. This mechanism has been abused in the past to quickly infect thousands of visitors to otherwise reputable sites, including high-profile sites such as MySpace, NHL.com, Canada.com and The Economist. In conclusion, browsing only to “safe” websites to avoid getting exposed to malware is an illusion.

The Firefox “Adblock Plus” extension implements blacklist-based filters even for non-scripted content such as images, and as such it is the natural complement to NoScript. Known advertising content is filtered (unless the user explicitly allows it, e.g. to support a particular site), which cuts down on the exposure to malicious content. As a positive side effect, pages typically load quicker and become much more readable.
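To make the blacklist mechanism concrete, here is an added example (not Adblock Plus's own code) that evaluates a small subset of the Adblock filter syntax: `||` rules anchored at the start of a host name, `|` anchors, the `*` wildcard, the `^` separator placeholder, and `@@` exception rules, which is how a user allows a site they want to support. Filter options after `$` are deliberately not handled. The sample filter list and page resources are constructed, and the class and function names are hypothetical.

```javascript
// Added example (not Adblock Plus's code): a matcher for a small subset of the
// Adblock filter syntax, showing how blacklist and exception rules decide
// whether a resource is fetched. Names are hypothetical; samples are constructed.

// Translate one filter rule into a regular expression. "||" matches at the
// start of a host name (subdomains included), "|" anchors to the start or end
// of the URL, "*" is a wildcard and "^" stands for a separator character.
function filterToRegExp(rule) {
  let pattern = rule;
  let start = '', end = '';
  if (pattern.startsWith('||')) {
    start = '^[\\w.+-]+://(?:[^/?#]*\\.)?';
    pattern = pattern.slice(2);
  } else if (pattern.startsWith('|')) {
    start = '^';
    pattern = pattern.slice(1);
  }
  if (pattern.endsWith('|')) {
    end = '$';
    pattern = pattern.slice(0, -1);
  }
  const body = pattern.split('').map(ch => {
    if (ch === '*') return '.*';
    if (ch === '^') return '(?:[^\\w.%-]|$)';   // anything but letter, digit, _ - . %
    return ch.replace(/[.+?()[\]{}\\$|]/g, '\\$&');
  }).join('');
  return new RegExp(start + body + end, 'i');
}

class AdFilter {
  constructor(rules) {
    this.block = [];
    this.allow = [];
    for (const raw of rules) {
      const line = raw.trim();
      if (!line || line.startsWith('!')) continue;           // blank line or comment
      if (line.startsWith('@@')) this.allow.push(filterToRegExp(line.slice(2)));
      else this.block.push(filterToRegExp(line));
    }
  }

  // Exception rules win over blocking rules, as in the extension.
  shouldBlock(url) {
    if (this.allow.some(re => re.test(url))) return false;
    return this.block.some(re => re.test(url));
  }

  // Partition a page's resource URLs into what is fetched and what is not.
  apply(urls) {
    const fetched = [], blocked = [];
    for (const u of urls) (this.shouldBlock(u) ? blocked : fetched).push(u);
    return { fetched, blocked };
  }
}

// Constructed sample filter list: one ad host, one banner-image pattern, and
// an exception keeping a site's own logo even though it matches the pattern.
const SAMPLE_RULES = [
  '! sample list for this example',
  '||ads.example.net^',
  '/banner*.gif',
  '@@||example.org/img/banner_logo.gif',
];

// Constructed sample: the resources one article page references.
const SAMPLE_RESOURCES = [
  'http://example.org/article.html',
  'http://cdn.example.org/img/banner_728.gif',
  'http://cdn.example.org/img/banner_logo.gif',
  'http://ads.example.net/serve?id=1',
  'http://static.ads.example.net/tracker.js',
  'http://example.net/about',
];

console.log(new AdFilter(SAMPLE_RULES).apply(SAMPLE_RESOURCES));
```

With these rules the page, its logo and the unrelated `example.net/about` page are fetched, while the banner image, the ad server and the script from the ad server's subdomain are blocked; `||` respects the host boundary, so a host like `badads.example.net` is not matched by `||ads.example.net^`. Real filter lists run to thousands of rules and the extension compiles them far more efficiently, but the decision per URL is the one shown here.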

A downside is that a lot of free Web content is being financed by advertising, and such filtering eventually might harm revenues to a point that some sites will have to shut down. At least at work, CERN users should not be a major contributor to such revenue, but the decision whether to be subjected to these adverts is with the user.

Default at CERN? Why not?

One major drawback is that while these extensions do make Web surfing safer, they tend to break things – a lot, sometimes in not-so-obvious ways, and at inconvenient times. For example, imagine filling out a longish Web form, only to discover that the final Submit button requires JavaScript, and that a reload will wipe your input.

The user needs to be much more aware of what they are doing on the Web, and constantly take decisions on whom to trust. As such, these extensions are a potential support nightmare – the CERN helpdesk would not be able to cope with questions for every non-working website.

Another point is that these extensions tend to get updated quickly, and in bursts – this would not fit well in the standard IT update cycle (and take a lot of manpower). A centrally maintained extension installed on a machine prevents users from installing a more recent version themselves.

Lastly, the decision on whether to trust a site depends on the impact of an infection for a particular user. Taking these decisions centrally will lead to a bad compromise: too open for the truly security-conscious, too restricted for the people who’d just like “to get their job done”. As an example, for technical reasons often a complete domain has to be trusted, even if only a single website merits that trust.

Altogether, this means that we will not be able to make this the default browsing environment. However, we would like to strongly encourage knowledgeable users to take advantage of the additional protection outlined above.

Useful links

Mozilla Firefox Add-ons: http://addons.mozilla.org
Computer Security: http://cern.ch/security