The maker of the popular Firefox plugin NoScript next year will launch a module that will function as kind of an internal firewall inside the open-source browser. The Application Boundaries Enforcer (ABE) module is a “firewall-like component” that sets and checks boundaries for important web applications for users, like Internet banking and webmail. NoScript already can put a halt to a variety of problems like cross-site scripting, CSRF and ClickJacking, all being caused by a lack of isolation at the web application level.
Read about the project here: http://www.nlnet.nl/project/noscriptabe/
And that is a fundamental problem, according to NoScript-developer Giorgio Maone. "The web has never been invented as an application platform, it therefore lacks important modules to regulate application security. There is no definition of what a “web application” is, or set up boundaries when they run within various domains, a scenario that is quite common through “mash-ups” and “social media.”"
Just as with a firewall, the rules that ABE handles can be changed quite easily. For the most popular web applications there will be rules available that can be installed automatically. Maone expects his Firefox firewall to be launched during the first quarter of the year 2009: http://hackademix.net/2008/12/20/introducing-abe/
Yes you make the right observation here. Personally I think ABE will be a step in the right direction where the security of Internet transactions is concerned. It is a good idea to tackle security at the application (process) level, and put full emphasis on checking the integrity of various sources.
These are no half measures, and if this can be combined with a decent identity authentication, one could realize quite an advancement in in-browser security, and that is what this is all about.
This project is specifically focused on developing a new web browser component called ABE, aimed to mitigate or defeat Cross Site Request Forgery (CSRF) attacks against sensitive web applications. This component will be built on the existing request interception, tracing and blocking framework of NoScript, and it will be integrated in NoScript’s broader web security infrastructure, together with whitelist-based scripting, active content execution policies, anti-XSS filters, ClearClick anti-ClickJacking protection and HTTPS/Secure Cookies enhancements. After a working ABE implementation as a NoScript component gets completed, a refactoring and repackaging activity to deploy it as a separate “ABE Firefox Add-On” will be done. At the moment there are some 2.000.000 users of NoScript.
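A sketch of the kind of per-application boundary check the project description above refers to, added here as an example and not taken from NoScript or the ABE project. The rule format, `RULES`, `hostMatches`, `decide` and the sample requests are all hypothetical and constructed for illustration.

```javascript
// Hypothetical boundary rules: for each protected site, which origins may send
// which kinds of request. This is NOT ABE's rule syntax, only a sketch of the idea.
const RULES = [
  { site: "bank.example", allow: [
      { from: "SELF", methods: ["GET", "POST"] },          // the application itself
      { from: "*", methods: ["GET"], topLevelOnly: true }, // plain links from elsewhere
  ] },
];

// True if host equals domain or is a subdomain of it (suffix match on a label boundary).
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Decide whether a request entering a protected site is allowed.
// req: { origin: URL string or null, target: URL string, method, topLevel: boolean }
function decide(req, rules = RULES) {
  const targetHost = new URL(req.target).hostname;
  const rule = rules.find(r => hostMatches(targetHost, r.site));
  if (!rule) return "ALLOW";                 // target is not a protected application
  const originHost = req.origin ? new URL(req.origin).hostname : null;
  for (const a of rule.allow) {
    const fromOk = a.from === "*" ||
      (a.from === "SELF" && originHost !== null && hostMatches(originHost, rule.site));
    if (!fromOk) continue;
    if (!a.methods.includes(req.method.toUpperCase())) continue;
    if (a.topLevelOnly && !req.topLevel) continue;
    return "ALLOW";
  }
  return "DENY";                             // default deny inside the boundary
}

// Constructed sample requests, as a request interceptor might see them.
const SAMPLES = [
  { origin: "https://www.bank.example/account", target: "https://www.bank.example/transfer",
    method: "POST", topLevel: true },        // the application posting to itself
  { origin: "https://forum.test/thread/1", target: "https://www.bank.example/transfer",
    method: "POST", topLevel: false },       // cross-site state-changing request (CSRF shape)
  { origin: "https://forum.test/thread/1", target: "https://www.bank.example/",
    method: "GET", topLevel: true },         // ordinary link followed by the user
  { origin: "https://forum.test/thread/1", target: "https://www.bank.example/transfer?to=x",
    method: "GET", topLevel: false },        // embedded subresource load from another site
];

function evaluateSamples() {
  return SAMPLES.map(s => decide(s));
}
console.log(evaluateSamples());
```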
Well this info was found here: http://www.nlnet.nl/project/noscriptabe/ so you should address your question there as how they reached that number or what their source was to reach that number of active users?
As servers record the status of the browser with the NoScript extension running, I think it is actually not too difficult to make a fair estimate. As almost every click of a browser lands into a click-stream somewhere, then also browser configurations must not be too difficult to analyze. So the actual number might be slightly more, considering the number of users with Tor, proxified browsers etc. We live in the era of the transparent user, you know.
When you install NoScript, you are connected to a congratulations page at NoScript.net with information about your new and previous version of NoScript. Clever. Maybe this has something to do with it. Didn’t you notice?
He did try as far as i’ve been able to tell from his posts it’s just that i guess he feels like me in this case. Which is it’s not worth the hassle. I am sorry but for many of us NoScript is just too big of a pain to use. With the amount of websites i go to it’s a real pain to have to allow every one of them. And i have to allow them since those scripts are there for a reason aren’t they and without them the functionality of the site breaks. Besides how are you supposed to tell which script is bad or is not bad other than by reviewing it yourself which is quite a time consumer not to mention you have to be a coder to understand it. And how are you supposed to tell that one of your favorite sites which you put on the whitelist isn’t infected as well? How will NoScript protect you then? See my point? NoScript is useless for the average Joe in my opinion and i wouldn’t recommend it to a non-geek user.
EDIT: I think i might have mistakenly mixed up the posts of alanrf and FWF in my mind, i know FWF doesn’t use NoScript but i am not sure about alanrf. Sorry alanrf if you do actually use NoScript and my post is not correct …
What does reckless downloading have to do with NoScript and my opinion on it ?
How do you know what i have learned here or that my time has been wasted ?
What makes you think that NoScript is the savior of the planet ?
Who are you to tell me where i should spend my time ?
What are you chickening out again ? C’mon let’s hear you answer the questions from both of my posts. Don’t know the answers do you ?
BTW you guys that use NoScript could once in a while mention that NoScript does protect you from XSS and Clickjacking attacks even if you have the all scripts allowed globally setting turned on.
C’mon guys we do not need this very personal sparring in the forum.
Both of you have good points to make … let’s make these discussions - and debates about technical issues - just that and do our best to refrain from letting it become personal comments.
(Else you will have to end up - if you have any decency and just as I had to do the other day - apologizing).
alanrf what good points did he make ? I fail to see them … And it was not me who started it on a personal level just read the whole thread please. He keeps going on a personal level in almost every post he makes btw if you haven’t noticed. Enough is enough, i’ve been holding myself back but not anymore. Sorry it’s just the way it is.
And i have no problem apologizing and never have but in this case i most certainly won’t because i have nothing to apologize for and quite frankly even your suggestion that i apologize is ridiculous to me. I do appreciate your effort in trying to smooth things out though.
I do not want to be rude but you are over reacting … and yes, I can understand why you are.
To be honest, I think you are probably right about the “who started it” questions … but if you take a deep breath does “who started it” matter? It takes two to slide into a personal level in this forum even if it only takes one to start it. Heavens above I know how difficult it is to just turn the other cheek, but sometimes maybe we just need to not let such things provoke a response in kind.
TheSpirit was clearly posting from ignorance where you, keeping up with the forum, were aware that I had posted previously (more than once) about the NoScript add-on for Firefox. You were also quite right in my assessment that this is a feature that I have described elsewhere as a non-starter, going nowhere offering for the average user of Firefox. The average user is not going to deal with the hassle of training an add-on and the ongoing forever pain of responding to every new site they visit on the Web. Anyone who thinks this is a winner does not work with ordinary users day in day out.
Let me also say that I give great credit for the work the NoScript developers are doing … I hope that (though I cannot easily see how) they could make this something along the lines of the very successful AdBlock Plus add-on with a pretty much (I know I am a pain about this - but it is vital to the success of security - and why products like avast succeed) “set it and forget it” approach.
Finally to return to the main thrust of your last post … I was not trying in my “oil on troubled waters” post to compare your responses with those of TheSpirit in this particular thread. I was suggesting that you both bring value to this forum. TheSpirit is newer here … I hope that he will also get used to the forums and be better able to deal with the interplay.
At last, I did not suggest that either of you apologize … I did suggest that if you continued down this avoidable path you might end up needing to do so. I hope that things will work out so you do not.
alanrf, i’ve clearly stated in my post about NoScript that what i said is only my personal opinion, now why he had to take things on a personal level and “diss” my opinion is beyond me. Like i said this is not the first time he did that (not to me, to others) and i am sorry but if someone disrespects me like that you can’t expect me to stay quiet. Enough said about this, i won’t discuss it anymore as it’s pointless …
Back on topic … Yes i too have great respect for Mr. Maone and the work he puts into NoScript but like i said i don’t believe that this extension is usable for the average user however after doing a bit of research i’ve changed my mind. Like i mentioned in one of my posts, NoScript does offer some additional protection (XSS and ClickJacking) even if you allow all scripts globally so perhaps it’s still a good idea to install it, set it to allow scripts globally (if you’re like me and are annoyed by that) and i believe i will do just that. It’s been a long long time since i’ve had it installed (when Polonus first introduced it to us yrs ago) and i see the tool has been greatly improved since then so i think it’s time again i play with it and try to find out a bit more about it.