Firefox addons sandboxing
labbe5

Joined: 13 Nov 2013
Posts: 1024
Location: Canada

PostPosted: Wed 19 Jul 2017, 14:44    Post subject:  Firefox addons sandboxing
Subject description: Firefox add-ons open millions to new attack
 

https://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/

NoScript, Firebug, and other popular Firefox add-on extensions are opening millions of end users to a new type of attack that can surreptitiously execute malicious code and steal sensitive data, a team of researchers reported.

The answer to that threat from Mozilla:

Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia. As part of our electrolysis initiative—our project to introduce multi-process architecture to Firefox later this year—we will start to sandbox Firefox extensions so that they cannot share code.

NoScript is among popular addons that could be vulnerable to attack, but which is also one of the best addons, security-wise.

Here is a review of the NoScript addon for Firefox:
https://www.revolvy.com/main/index.php?s=NoScript&item_type=topic&nojs=1
belham2

Joined: 15 Aug 2016
Posts: 1305

PostPosted: Thu 20 Jul 2017, 05:18    Post subject: Re: Firefox addons sandboxing
Subject description: Firefox add-ons open millions to new attack
 

labbe5 wrote:
https://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/

NoScript, Firebug, and other popular Firefox add-on extensions are opening millions of end users to a new type of attack that can surreptitiously execute malicious code and steal sensitive data, a team of researchers reported.

NoScript is among popular addons that could be vulnerable to attack, but which is also one of the best addons, security-wise.

Here is a review of NoScript addon for Firefox :
https://www.revolvy.com/main/index.php?s=NoScript&item_type=topic&nojs=1



Ok, I apologize for this following rant in advance. That said, here goes:

I have been saying this for years (as Belham and Belham2) on murga (and elsewhere on the Net), about browser security add-ons in general-----especially about "NoScript". As usual on here, I got belittled, batted & smacked down by the ostrich-minded NoScript believers who blindly believed that nothing could be wrong with their believed use of their perceptions. They blindly (and still do) believe they are "more" protected with browser-add-ons.

I will say it again---ABSOLUTELY TRUST NO BROWSER ADD-ON IN ANY BROWSER, WHATSOEVER---when it comes to doing your online sensitive data & sensitive financial transactions. And furthermore, ABSOLUTELY use a browser that allows you to deeply config the settings of that browser (bang on Firefox all you want, but there's a reason it is considered the best browser that can be "hardened").

There's been a few of us lone voices on murga here (8GEEE being another) trying to get users to wake up about "add-ons" and about "configuring/hardening" your browser. Honestly, if you blindly used add-ons, whatever they are, from blockers to things like NoScript, and if you someday get pawnd, data and/or financially-otherwise, and it is/was a result of "add-ons, you've got no one to blame but yourself.

Take this to heart: for general web browsing, sure, those full-of-holes browser add-ons are fine (and sometimes needed for general browsing reasons given the WildWest mentality of javascript on many web sites). But for the stuff that is mucho important, like sensitive data & especially fin'l info, stay the he!! away from them completely. Furthermore, modify (which means "HARDEN"), Firefox's settings to what many of us have posted repeatedly in this forum (and is also posted on other forums like Wilder's Security and Redditt). You can make Firefox stripped down and damn secure, and there's no reason not to have this version profile on your pristine system OS, an OS btw that is used solely to access sensitive stuff on the web and not used for anything else. Doing this, Firefox pretty much becomes the common-mans version of a hardened Tor-like browser that instead of focusing on secrecy, it focus on being impenetrable via being tightly wound & having no loose ends (read; 3rd party add-ons) to come in through.


NoScript developers (and other add-on developers), if any of you are reading this, you've known this (the holes your programs open up in browsers) for years now...we've repeatedly pointed them out to you and you chose to ignore them. Why? is it because of the ongoing chase of advert dollars through the obfuscation of what your product actually does in any browser? Damn, just disgusting....all add-ons have a motive, friends, they're not doing stuff just for free and for the betterment of humankind on the Net. Even EFF struggles with this, trying to gather data from browsers that, even when users opt-out-of not wanting to provide, still gets tracked/logged and thus opens up too many holes in the browser.
souleau


Joined: 23 Oct 2016
Posts: 112

PostPosted: Thu 20 Jul 2017, 13:48    Post subject:  

Yes here we go again indeed.

I will stick with NoScript.

Why?! Well, because, first of all, it makes browsing the web a bearable experience.

And secondly, as the article clearly points out, those vulnerabilities everyone goes on about can only be exploited when end users download and install a malicious add-on in their browser.

My only add-on is NoScript.

So I'm fine.
Smithy


Joined: 12 Dec 2011
Posts: 795

PostPosted: Thu 20 Jul 2017, 15:53    Post subject:  

Belham, sorry if this comes across as a bit rude, but instead of banging on about it, why not provide a hardened firefox with the about:configs done. Then we could try it out and see if it blocks crappy ads etc.

I mean OscarTalks for instance just gets on with it and delivers Tor Browsers among others, and, most importantly, provides all the tech info, caveats, tweak suggestions, for those who wondered what the heck Tor was. It has No Script in it, but one can't seem to just allow scripts individually, it is either all or nowt.

Remember, MikeB is probably still whizzing along on Firefox 3 on his sailboat somewhere in the world and he never had as much as a sniff of a malicious puff.

Only the most geeky could put up with Links browser, and No Script does make the net bearable, as souleau mentions above.

Oi, Labbe 5, we used to have a poster on Puppy who just posted things without comments who was purported to be a bot.
But I think we managed to get the bot to talk lol,
what's your take on it? What do you use?
labbe5

Joined: 13 Nov 2013
Posts: 1024
Location: Canada

PostPosted: Fri 21 Jul 2017, 16:10    Post subject: firejail  

I will repeat myself here, but with Firejail, you can go a long way security-wise using Firefox.

First of all, when used as it is intended to be, there are no addons, so belham2 has a point here: it is better not having any addons when you deal with sensitive data.

How to have a pristine copy of Firefox without addons using Firejail :

add -no-remote, such as in this example :

firejail --private --dns=84.200.69.80 --dns=84.200.70.40 --caps.drop=all firefox -no-remote

DNS resolvers are from DNS.Watch, for privacy.

I don't even use Ublock, or NoScript, because I have confidence Firejail is acting behind the scenes to keep me secure on the Web with profiles (each new version of Firejail adds new profiles for more apps).

But I always use VPNbook with Firejail, for an extra layer of security.

I hope I don't look like a bot anymore answering your question.
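As an added example (not labbe5's own script), the firejail line from the post above wrapped in a small launcher that validates the resolver addresses before anything runs; the script name firefox-jail.sh and the --launch switch are assumptions of this example:

```shell
#!/bin/sh
# Added example, not labbe5's script: wraps the firejail line from the post
# above so the resolver addresses are checked before anything is launched.

valid_ipv4() {
    # Dotted quad with every octet in 0..255; hostnames are rejected so a
    # typo cannot quietly send DNS queries to some unintended resolver.
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

firejail_cmd() {
    # Build the command line from the post: --private gives Firefox a
    # throwaway home (no add-ons, no persistent profile), --dns pins the
    # resolvers, --caps.drop=all removes every Linux capability, and
    # -no-remote stops an already running, unsandboxed Firefox from
    # answering the launch instead of the sandboxed one.
    for r in "$@"; do
        valid_ipv4 "$r" || { echo "rejected resolver: $r" >&2; return 1; }
    done
    cmd="firejail --private"
    for r in "$@"; do
        cmd="$cmd --dns=$r"
    done
    echo "$cmd --caps.drop=all firefox -no-remote"
}

launch_firefox_sandbox() {
    for tool in firejail firefox; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found" >&2; return 1; }
    done
    cmd=$(firejail_cmd "$@") || return 1
    # Every token in $cmd is a fixed flag or passed valid_ipv4, so
    # word-splitting it here is safe.
    $cmd
}

# Usage: sh firefox-jail.sh --launch 84.200.69.80 84.200.70.40
if [ "${1:-}" = "--launch" ]; then
    shift
    launch_firefox_sandbox "$@"
fi
```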
Sylvander

Joined: 15 Dec 2008
Posts: 4297
Location: West Lothian, Scotland, UK

PostPosted: Sat 22 Jul 2017, 08:42    Post subject:  

Who to listen to?
What to do?

I'm no expert...just an ordinary user.
70-year-old and getting less able with every year.
I have "Adblock Plus" and "NoScript" installed, and don't know how to uninstall them even if I wanted to.
Smithy


Joined: 12 Dec 2011
Posts: 795

PostPosted: Sat 22 Jul 2017, 11:55    Post subject:  

Thanks for the reply Labbe 5, no you certainly don't look like a bot anymore.
Never even heard of the firejail till now, very interesting. You run an extremely tight setup. I get where Belham is coming from as regards protecting user space.

Sylvander, you might be best to drop in a fresh pristine firefox if you wanted to be rid of addons, I think they manifest themselves in the profile and other places. Not so sure that remove does always remove..
[Attachment: 1.png]
rufwoof

Joined: 24 Feb 2014
Posts: 2164

PostPosted: Sat 22 Jul 2017, 17:59    Post subject:  

I mostly run Debian as my primary boot, Puppy is more of a admin boot choice for me. I run a restricted userid as my main (auto login) session, so even
cd ..
typed into a terminal results in
rbash: cd: restricted

In that session firefox has noscript installed, purely to prevent annoying pops/ads. I find that a good /etc/host file content is as good as ublock (making ublock unnecessary) and I believe most/all pups include creating such a host file content under Menu, Internet (usually the last choice in that menu layer is something like Puppy Adblock or something like that).

Much like a sandbox. Running (as root) lsof -i and the only internet traffic that shows as root is dhclient (I have very few ports/services open anyway).

For other stuff I just Ctrl-Alt-Fn swap to another terminal session and login either as root (if doing command line level admin tasks) or as user into a gui session .. which is a more normal userid with su ability etc. ... but where I don't access the internet using that userid ... excepting for loading up a pristine browser with no addons for online banking purposes (direct to the banks web site, nowhere else before or after, and then delete the ~/.cache/mozilla and ~/.mozilla folders afterwards).

After trying out the browser in Tahr being set to run as spot ... found that its ok'ish, but not there yet (if you upgrade the browser for instance it falls back to running as root again). Firejail is pretty good and I liked it when I used it for a while, but with my setup I don't really have a need for it.
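The "lsof -i shows only dhclient as root" observation above, turned into a repeatable baseline check; this is an added example, not rufwoof's own script, and the sample lsof output is constructed here rather than captured from any real machine:

```shell
#!/bin/sh
# Added example (not rufwoof's check): report root-owned sockets that are
# not on an expected allow-list, using lsof output as the data source.

root_net_procs() {
    # Read `lsof -i -n -P` style output on stdin and print "COMMAND PID NAME"
    # for every socket owned by root whose command is not in the
    # space-separated allow-list given as $1. Empty output means the machine
    # matches the expected baseline.
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && $3 == "root" && !($1 in ok) { print $1, $2, $9 }
    '
}

# Constructed sample (not from a real system); the columns follow the lsof
# header so the same parser works on live output.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dhclient  612 root    6u  IPv4  12345      0t0  UDP *:68
firefox  2210 web    45u  IPv4  23456      0t0  TCP 192.168.1.5:41234->93.184.216.34:443 (ESTABLISHED)
sshd      980 root    3u  IPv4  34567      0t0  TCP *:22 (LISTEN)
cupsd    1104 root    7u  IPv4  45678      0t0  TCP 127.0.0.1:631 (LISTEN)'

check_sample() {
    # Baseline from the post: only dhclient is expected to hold sockets as root.
    printf '%s\n' "$SAMPLE_LSOF" | root_net_procs "dhclient"
}

check_live() {
    # Same check against the running system; needs lsof and root privileges,
    # since lsof run as a normal user only lists that user's processes.
    command -v lsof >/dev/null 2>&1 || { echo "lsof not installed" >&2; return 1; }
    lsof -i -n -P | root_net_procs "${1:-dhclient}"
}
```

Run check_live with your own allow-list (for example "dhclient sshd") and investigate anything it prints; on a box matching rufwoof's description it prints nothing.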
Sylvander

Joined: 15 Dec 2008
Posts: 4297
Location: West Lothian, Scotland, UK

PostPosted: Sat 22 Jul 2017, 18:00    Post subject:  

Smithy wrote:
Sylvander, you might be best to drop in a fresh pristine firefox...

Thanks for the reply, BUT...
Is that what they call a "Metaphor"?
How do I "drop in" something I cannot hold in my hand?
Would I be correct in guessing that I need to:
Uninstall the existing Firefox? [No Firefox listed in the PPM]
OR...
Delete all of the files for Firefox?
Then install some new improved Firefox?

I'm running Slacko-5.7.0-PAE, and have:
Firefox 54.0.1
Palemoon 24.7.1
Vivaldi 1.4.589.41
slimjet-15.0.3.0-i686.sfs wouldn't run on this old OS.
So...
And because Firefox will not update to the latest on this old Slacko...
I tried to make a "live" CD-RW of Slacko-6.3.2, but...
Pburn wouldn't burn the iso image to my chosen [used/functional] CD-RW [never normally see this problem happen].

I have 6 other Puppies on CD-RW that are all older than Slacko-5.7.0 [the various pupsave files are all in various suitably-named folders in a partition on the internal HDD], and...
A number of Puppies [newer than Slacko-5.7.0] on Flash Drives, but my preferred OS is Slacko, so I'm attempting to update it.
Smithy


Joined: 12 Dec 2011
Posts: 795

PostPosted: Sun 23 Jul 2017, 12:04    Post subject:  

Well bloated firefox isn't an improvement in my opinion, it all started to go a bit crappy a good while ago..but...
If they haven't changed things, then firefox has these places in puppy:
root .cache
root .mozilla
usr/lib mozilla (where the plugins live)
usr/lib firefox.

Those are the folders to delete.
Then run (or drop in) the firefox you want, set it up how you want and remaster or
save file it.
Hope this helps with whatever you are trying to achieve.
Sylvander

Joined: 15 Dec 2008
Posts: 4297
Location: West Lothian, Scotland, UK

PostPosted: Mon 24 Jul 2017, 03:18    Post subject:  

Sylvander wrote:
Pburn wouldn't burn the iso image...

My mistake.
Did it ok using "burniso2cd" in another one of my Puppies.
Why doesn't Slacko-5.7.0 have "burniso2cd" installed I wonder?
It isn't offered in the PPM.

Thanks for your help Smithy, I'll do as you suggest at some point.
OscarTalks


Joined: 05 Feb 2012
Posts: 1640
Location: London, England

PostPosted: Mon 24 Jul 2017, 06:01    Post subject:  

Sylvander wrote:
Why doesn't Slacko-5.7.0 have "burniso2cd" installed I wonder?

Hello Sylvander,

Slacko 5.7.0 does have burniso2cd but the menu entry has been disabled for some reason.

You can still call burniso2cd from terminal.

The burniso2cd .desktop file in /usr/share/applications has the line "NoDisplay=true"
To restore the menu entry, change this to "NoDisplay=false" or delete the line.
Then run fixmenus followed by jwm -reload

_________________
Oscar in England

Sylvander

Joined: 15 Dec 2008
Posts: 4297
Location: West Lothian, Scotland, UK

PostPosted: Mon 24 Jul 2017, 07:22    Post subject:  

Thanks OscarTalks, all done and Burniso2cd is now in Menu->Multimedia, and it starts when I click on the entry.
bark_bark_bark

Joined: 05 Jun 2012
Posts: 1931
Location: Wisconsin USA

PostPosted: Tue 25 Jul 2017, 16:33    Post subject:  

souleau wrote:
And secondly, as the article clearly points out, those vulnerabilities everyone goes on about can only be exploited when end users download and install a malicious add-on in their browser.


Agreed, but sadly the shills for chrome-style add-ons won't admit that simple fact.

rufwoof

Joined: 24 Feb 2014
Posts: 2164

PostPosted: Tue 25 Jul 2017, 20:51    Post subject:  

souleau wrote:
Yes here we go again indeed.

I will stick with NoScript.

Why?! Well, because, first of all, it makes browsing the web a bearable experience.

Ditto. And my firefox runs in a restricted shell user account with file/folder permissions also wrapped around that. Annoying at first that you can't even cd, but you soon get used to Ctrl-Alt-Fn into a more privileged userid/session.