Frank Goossens' Twitterless twaddle
Archive for the ‘security’ category
Being “the computer guy” in the family might be a pain in the ass sometimes, but trying to help out users who are not tech-savvy can be very revealing. Yesterday my father-in-law asked me to take a look at his computer; there was something about the browser that was not right. It turned out he had let Google lure him into downloading Chrome and making it the default browser. What bothered him most about Chrome was the lack of menus (file|edit|…|help), while a lot of us (the in-crowd) consider the minimal use of chrome a plus. Usability is not only about clean, simple UIs, but also about not breaking novice users’ expectations of how your application looks and behaves.
Anyway, I showed him IE8 and Firefox 3.5 (both were installed as well) and he recognized Firefox as the browser he was most familiar with. So I uninstalled Chrome, hid IE8, upgraded him to FF 3.6 and also installed the “Vacuum Places improved” and NoScript add-ons.
“Vacuum Places improved” cleans up the places.sqlite database in which Firefox stores bookmarks and history and which can become very big over time. With the options tweaked (“hide icon” and “auto-vacuum every 20 browser starts”) it was a great way to invisibly tune browser performance, but it turns out Firefox 3.6 vacuums places.sqlite automatically (when idle, every 1 to 2 months). So Pierre, if you ever read this: remind me to uninstall “Vacuum Places improved” next time!
NoScript is a whole other beast; it is an add-on for the security-conscious tech-head which by default disables JavaScript, Flash, Java, … It’s a great add-on, but it is very disruptive and as such totally unfit for novice users. Unless you change the configuration of course, because modifying these options makes NoScript a must-have add-on for both you and your grandma:
- General: check “Scripts Globally Allowed (dangerous)”
- Embeddings: uncheck the 8 “Forbid” options, check both “untrusted” and “trusted” for Clearclick protection
- Appearance: uncheck “Status bar icon”, “Status bar label” and “Contextual menu”
- Advanced/XSS: check “Sanitize cross-site suspicious requests”
Although the first option specifically claims it is dangerous to do so, these changes turn NoScript into an add-on that provides a lot of extra security (protecting against clickjacking and cross-site scripting, and implementing support for x-frame-options and Strict Transport Security) without bothering users with new UI elements containing incomprehensible questions, messages or options. What you give up by allowing scripts globally is the whitelist itself, i.e. the blanket blocking of scripts and plugins from unknown sites; the XSS, ClearClick and header-based protections stay active regardless of that setting.
Because web security is not only about protecting against threats, but also about not breaking novice users’ expectations of how your secured browser (and the web) looks and behaves.
When looking at my blog’s performance in Google Webmaster Tools I saw Google complained about multiple DNS lookups. I knew about stats.wordpress.com, google-analytics.com (well, yeah …) and gravatar.com, but one domain in the list didn’t make sense to me at all: media6degrees.com, so I started to investigate a bit. Grepping the WordPress, theme and plugin code on my server didn’t reveal anything, so I went into Firebug to see what was happening in JavaScript.
Apparently the AddToAny WordPress plugin was initiating the call:
- AddToAny requests http://static.addtoany.com/menu/page.js (which is rather big, but gzipped and cacheable)
- page.js in turn contains tracking code (near the end of the file) that requests a 1×1 pixel image at http://map.media6degrees.com/orbserv/hbpix?pixId=2869&curl=<encoded URL of page>
- media6degrees then sends the pixel and … sets multiple cookies in the process
And what’s media6degrees business you ask? Maybe they’re just providing the add-to-any author with statistics? Well, not exactly. This is what media6degrees writes on their website: “We deliver scalable custom audiences to major marketers by utilizing the online connections of their consumers.” So by using AddToAny, you’re providing media6degrees with data about your site’s visitors, which they can use to sell targeted communication to their customers.
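The Firebug investigation above, written down as a function you can run over a captured request list. This is an added example, not code from the post or from AddToAny; the capture is constructed (the hostnames and the media6degrees pixel URL are the ones named above, the paths and cookie values are placeholders), so it runs offline. The point it makes explicit: a third party that both receives the visited URL and sets a persistent cookie can recognise the same visitor on every site that embeds it.

```javascript
// Added example, not code from the post or from AddToAny. The capture below is
// constructed: hostnames and the media6degrees pixel URL come from the post, the
// paths and cookie values are placeholders.

const PAGE_URL = 'http://blog.futtta.be/';

const CAPTURE = [
  { url: 'http://blog.futtta.be/', initiator: null, setCookie: [] },
  { url: 'http://stats.wordpress.com/w.js', initiator: 'http://blog.futtta.be/', setCookie: [] },
  { url: 'http://www.google-analytics.com/ga.js', initiator: 'http://blog.futtta.be/', setCookie: [] },
  { url: 'http://www.gravatar.com/avatar/0123456789abcdef?s=32', initiator: 'http://blog.futtta.be/', setCookie: [] },
  { url: 'http://static.addtoany.com/menu/page.js', initiator: 'http://blog.futtta.be/', setCookie: [] },
  { url: 'http://map.media6degrees.com/orbserv/hbpix?pixId=2869&curl=http%3A%2F%2Fblog.futtta.be%2F',
    initiator: 'http://static.addtoany.com/menu/page.js',
    setCookie: [
      'clid=PLACEHOLDER1; domain=.media6degrees.com; expires=Sat, 01 Jan 2011 00:00:00 GMT; path=/',
      'sglst=PLACEHOLDER2; domain=.media6degrees.com; path=/',
    ] },
];

const host = (u) => new URL(u).hostname;

// Each distinct hostname costs the visitor one DNS lookup; that is what Webmaster Tools flagged.
function dnsLookups(capture) {
  return [...new Set(capture.map((r) => host(r.url)))];
}

// Walk the initiator chain back to the document and return the third-party host closest
// to the page, i.e. the party responsible for pulling this request in. null means the
// page embedded the request itself.
function pulledInBy(req, capture, pageHost) {
  const byUrl = new Map(capture.map((r) => [r.url, r]));
  let responsible = null;
  for (let cur = req; cur && cur.initiator; ) {
    const parent = byUrl.get(cur.initiator);
    if (!parent) break;
    if (host(parent.url) !== pageHost) responsible = host(parent.url);
    cur = parent;
  }
  return responsible;
}

// A cookie with expires= or max-age= survives the browser session: a persistent identifier.
function setsPersistentCookie(setCookie) {
  return setCookie.some((c) => /;\s*(expires|max-age)=/i.test(c));
}

function audit(capture, pageUrl) {
  const pageHost = host(pageUrl);
  return capture
    .filter((r) => host(r.url) !== pageHost)
    .map((r) => {
      const u = new URL(r.url);
      // Does the query string hand the third party the URL the visitor is reading?
      const reportsVisitedPage = [...u.searchParams.values()].some((v) => v.includes(pageHost));
      const persistent = setsPersistentCookie(r.setCookie);
      return {
        host: u.hostname,
        pulledInBy: pulledInBy(r, capture, pageHost),
        cookiesSet: r.setCookie.length,
        persistentCookie: persistent,
        reportsVisitedPage,
        // Persistent identifier plus the visited URL is cross-site behavioural tracking.
        tracker: persistent && reportsVisitedPage,
      };
    });
}

// Run over the constructed capture.
const report = audit(CAPTURE, PAGE_URL);
console.log(`DNS lookups: ${dnsLookups(CAPTURE).length}`);
for (const f of report.filter((f) => f.tracker)) {
  console.log(`tracker ${f.host} pulled in by ${f.pulledInBy}, sets ${f.cookiesSet} cookie(s)`);
}
```

In a real run you would feed this the entries from Firebug’s Net panel (or a HAR export); the initiator chain is what shows that a domain you never added yourself was brought in by a plugin’s script.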
If visitors of small-time blogs like mine would be the only ones affected by this, the damage would be limited. But AddToAny is also implemented on large local news-outlets such as deredactie.be or De Standaard Online and no doubt on some big international sites as well. Somehow I doubt those organizations know they’re feeding their visitors to media6degrees and I bet some of them would even strongly disagree.
I’m not happy about this, that much is clear. AddToAny offers great functionality, but:
- it adds unneeded requests to my page, causing the page to finish loading later (an extra DNS lookup plus an HTTP request)
- it enrolls my site visitors in a targeted communication platform without anyone knowing (or agreeing)
- none of this is communicated on the AddToAny website or on the AddToAny Wordpress plugin page
I mailed the author about this earlier this week (when I didn’t even know about the media6degrees tracking cookies yet), but got no feedback up until now, and I logged an issue on the wordpress.org support forum as well. And I decided to pull the plug on AddToAny of course, replacing it with Sociable, making my blog render yet another millisecond faster while at the same time protecting my visitors from this sneaky behavioral tracking by AddToAny and media6degrees.
Given the concerns about the enormous amount of data Google continuously collects about its users, because their CEO seems to have a poor understanding of privacy (Schmidt stated “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place”) and despite Google’s Jonathan Rosenberg’s recent manifesto on openness, I decided to move some of my online activities away from the all-seeing eye of Google. After switching to scroogle.org for normal search, I have now found an alternative for Google Reader as well in Tiny Tiny RSS.
Tiny Tiny RSS (or “tt-rss” for short) is an open source web application written in PHP with a PostgreSQL or MySQL database. The webapp is AJAX-based, multi-user and is offline-enabled using Google Gears (you can check out a demo here). There’s also a mobile version, a (deprecated) XML-RPC API and a brand new experimental JSON-API, which I’m playing around with, using XUI to write a minimal mobile version of my own.
For those who are not able to install and configure tt-rss or who don’t want to burden their server with it, developer Andrew Dolgov put up a hosted version (thanks Andrew!) where currently 8 more users can register.
After having switched about a week ago, I find I barely miss Google Reader, although tt-rss still feels a little rough around the edges at times. The only real limitation is that shared items (‘published’ in tt-rss) of course aren’t automagically shared with your Google friends. I now automatically import my tt-rss published articles into Reader and manually share those every few days. Because I wouldn’t want to disappoint my Google friends, now would I?
It might not be obvious to the inexperienced eye, but right now you are looking at content from a pornographic site. Or at least, that’s what McAfee SmartFilter claimed last week. When going to the admin-section of my blog at work last Friday, our beloved content-filtering corporate proxy denied me access to everything on blog.futtta.be, telling me;
Access to this page is denied because it is referenced in a central directory of offending pages and sites and has been categorised as “Pornography”.
This ruthless diagnosis was confirmed by the online SmartFilter query application, so I mailed sites@mcafee.com to warn them about the obvious mis-categorization. Kyoko from the McAfee Customer Response Team replied less than half a day later, confirming that the categorization as porn was a mistake and that this blog would be reallocated to the (slightly more boring) “Technical/Business Forums” category which, one would presume, stands a much better chance of not being blocked by concerned corporate security officers.
Problem solved! But this does bring up some important questions about SmartFilter and similar content-filtering software (FortiGuard, ContentWatch, …):
- How does a site get tagged as porn when it clearly isn’t?
- What process is in place for categorization? Is there some kind of quality control?
- As (mis-)categorization can have a huge impact on visits to a website (and so in some cases on money earned), shouldn’t McAfee (and others) give the owners of those sites a heads-up one way or the other?
Mozilla’s Asa Dotzler recently rocked the boat when telling readers to use Bing instead of Google because of a shortsighted statement on privacy by Eric Schmidt, Google’s CEO. The discussion that followed Asa’s blogpost was interesting on occasion, but harsh and even rude at times.
While we’re all Google fanboys one way or the other, and while the idea of switching from “Do no Evil Google” to “Monopolist Micro$oft” can be a little bit unnerving, there is in my opinion reason to be concerned about Schmidt’s quote. My main problem is with this claim:
If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.
I don’t know about you, but to me Schmidt seems to imply that if I require privacy, that must mean that I have something to hide which is at least unpleasant and probably even outright illegal. If one accepts this premise, isn’t requiring (or enforcing, by means of encryption or anonymizers) privacy in itself an indication of guilt?
Given that Google has too much data about me (being the avid Google-user I am) and given the flawed reasoning of Google’s CEO regarding respect for my privacy, I cannot but agree with Asa Dotzler. It is time to rethink my use of Google applications, although I’m not switching to Microsoft alternatives just yet. The general idea is simple: stop putting all my eggs in one basket, instead fragmenting my information across multiple independent organizations, hoping that privacy-breaching data-mining will be a bit less efficient that way.
I’m still looking into alternatives for most Google web applications (Serge is right of course: “with microsoft it’s easy, you can switch to apple or linux – the problem with google is that their stuff just works“), but for search I’ve decided to switch to scroogle.org. Scroogle is a not-for-profit, secure (as in https), cookie-less search front-end that uses Google under the hood (the irony). The site is operated by Daniel Brandt, the almost anonymous weirdo who’s also behind google-watch and wikipedia-watch.
To make sure my Google-friendly browser doesn’t accidentally direct me to Google search, I changed the following things in Firefox:
- On my “bookmarks toolbar” replace the Google bookmark with a Scroogle one
- Add “Scroogle SSL” from the Mycroft search engine plugin site and move it to the top of the “search engines” list
- And finally, to make sure searches from the “awesome bar” don’t end up at Google either, in about:config I changed the value of “keyword.URL” to “https://ssl.scroogle.org/cgi-bin/nbbwssl.cgi?q=”
So what Google property should I replace next and more importantly, what with? Any suggestions?
With a notoriously bad reputation for security (or the lack thereof) in Internet Explorer, Microsoft claims to have invested a lot in IE8 security in general and specifically in browser enforced website security. Indeed, according to the product site, IE8:
[...] helps protect you from today’s threats, including malware and phishing, as well as emerging threats that can compromise your computer without your knowledge. Other browsers either don’t offer you this level of protection or require you to download and configure third-party add-ons to get it, but with Internet Explorer 8 you get it right out of the box, and turned on by default.
And in August Microsoft proudly pointed to results of a (MS commissioned) study by NSSLabs, which stated that IE8 blocked 81% of malware download attempts vs. 27% for FF3 (and even less for other browsers) and 83% of phishing attacks vs. 80% for FF3 (and 54% for Opera 10 and less for Chrome and Safari).
So there you have it, IE8 is the safest browser around, no? Well, that would be jumping to conclusions; IE8 still has its fair share of browser security issues (but don’t they all) and the dreaded security hole called ActiveX is still supported as well. Let’s just focus on how IE8 tries to protect you from malicious websites and compare that functionality with what the competition has to offer.
Smartscreen Filter
Smartscreen filter is the name of the Microsoft technology that uses an “in-the-cloud reputation database” which the browser contacts to assess the trustworthiness of a URL. Using that information, access to dangerous sites and downloads of malware can be blocked. The system is very similar to Google Safe Browsing, which is implemented in Firefox, Chrome and Safari, but Smartscreen seems to be better at stopping malware from being downloaded. On the other hand the 2nd NSSLabs study deemed both about as effective when it comes to blocking access to phishing sites. Based on these (MS-sponsored) results one could conclude that IE8 might have an advantage over the competition, but I for one would be very interested in an updated version of these tests with cooperation from the other browser makers.
XSS-filter
IE8’s XSS-filter offers protection against type 1 (reflected) cross-site scripting attacks. Although it offers no protection against the (less common) type 0 (DOM-based) and type 2 (stored) XSS attacks, the mere fact that IE8 does offer out-of-the-box XSS protection is a big thing. Except … except apparently there’s a serious bug in IE8’s XSS-filter that can be abused to do cross-site scripting. Microsoft has not yet confirmed or fixed the bug, leading some sites (e.g. Google) to disable the XSS-filter by adding “X-XSS-Protection: 0” to the HTTP response header. Now isn’t that ironic?
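To make the type 1 case concrete, here is a reflected XSS in a search page next to the server-side fix. This is an added example, not code from the post or from Microsoft. The handlers take a request-like object and return a response object so the block runs without a network (wiring them into Node’s http module is left out), and the base URL is a placeholder. The reflectsScript check is a deliberately crude version of what a browser-side filter looks for: a script-looking fragment from the request coming back unchanged in the response.

```javascript
// Added example, not code from the post or from Microsoft. BASE is a placeholder
// origin used only to resolve the request path.
const BASE = 'http://search.example';

function queryParam(req, name) {
  return new URL(req.url, BASE).searchParams.get(name) || '';
}

// Vulnerable: the q parameter is copied into the HTML verbatim, so a crafted link
// (?q=<script>...) runs in the visitor's browser with the site's origin. This is the
// type 1 (reflected) case IE8's filter is built for.
function searchVulnerable(req) {
  const q = queryParam(req, 'q');
  return {
    status: 200,
    headers: { 'content-type': 'text/html; charset=utf-8' },
    body: `<h1>Results for ${q}</h1>`,
  };
}

// Escape the five characters that can change HTML context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: escape on output (works in every browser, filter or not) and state the
// browser-side policy explicitly rather than relying on defaults.
function searchHardened(req) {
  const q = queryParam(req, 'q');
  return {
    status: 200,
    headers: {
      'content-type': 'text/html; charset=utf-8',
      'x-xss-protection': '1',   // leave IE8's filter on; '0' is the opt-out mentioned above
      'x-frame-options': 'deny', // keep the results page out of any frame
    },
    body: `<h1>Results for ${escapeHtml(q)}</h1>`,
  };
}

// Crude reflected-XSS check: does a script-looking fragment from the request come back
// in the response unchanged? Good enough to tell the two handlers apart.
function reflectsScript(req, res) {
  const q = queryParam(req, 'q');
  return /<script|javascript:|on\w+\s*=/i.test(q) && res.body.includes(q);
}

// Demo with a classic probe (constructed request).
const probe = { url: '/search?q=' + encodeURIComponent('<script>alert(document.cookie)</script>') };
console.log('vulnerable reflects:', reflectsScript(probe, searchVulnerable(probe))); // true
console.log('hardened reflects:  ', reflectsScript(probe, searchHardened(probe)));   // false
```

The fix is output encoding, not the header: the header only tells browsers that have a filter what to do with it, which is exactly why a broken filter is a problem for sites that did nothing wrong.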
Clickjacking defense
Microsoft also included clickjacking defense in IE8, by letting website owners declare whether or not their pages may be included in (i)frames. This is done by simply adding an “x-frame-options” HTTP response header with the value “deny”, which forbids showing the page in any frame, or “sameorigin”, which limits framing to pages from the same origin. Note that x-frame-options only helps in browsers that honor the header, and that it does not protect against clickjacking with Flash or other embeds.
But where’s the competition?
So what’s available in Firefox, Chrome and Safari apart from the Google Safe Browsing implementation? Nothing much up until now, I’m afraid …
At Mozilla smart guys are working on “Content Security Policy“. CSP is a declarative, server-driven anti-XSS framework, with policies being pushed through HTTP headers. Although the policy may require non-trivial website changes because inline scripts are disallowed by default, it certainly has potential (to the extent that Microsoft is said to be interested). But CSP is not there yet, now is it?
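What “inline scripts disallowed by default” means in practice, as an added example that is not code from the post or from Mozilla: a small evaluator for the script-src part of a policy. It uses the Content-Security-Policy syntax that was standardized later rather than Mozilla’s 2009 X-Content-Security-Policy draft (an assumption on my part), and it is simplified: ports, paths, nonces and hashes are ignored, only ‘self’, ‘none’, ‘unsafe-inline’, scheme sources and host sources (with a leading wildcard) are matched. The policy and the script URLs below are constructed for illustration.

```javascript
// Added example, not code from the post or from Mozilla. Uses the later standardized
// Content-Security-Policy syntax; matching is simplified (no ports, paths, nonces, hashes).

// "default-src 'self'; script-src 'self' https://cdn.example" -> Map(name -> [sources])
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// '*' matches anything; '*.example.com' matches subdomains but not the apex.
function hostMatches(pattern, hostname) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname;
}

function sourceMatches(src, url, pageOrigin) {
  if (src === "'self'") return url.origin === pageOrigin;
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return url.protocol === src.toLowerCase();
  // host-source: [scheme://]host, port and path ignored in this simplified matcher
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(src);
  if (!m) return false;
  const [, scheme, hostPattern] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  return hostMatches(hostPattern.toLowerCase(), url.hostname);
}

// script is { inline: true } or { src: '<url or path>' }.
// Returns true when the policy lets the script run.
function scriptAllowed(policyHeader, pageOrigin, script) {
  const origin = new URL(pageOrigin).origin;
  const policy = parsePolicy(policyHeader);
  const sources = policy.get('script-src') || policy.get('default-src');
  if (!sources) return true;                      // no governing directive: CSP is silent
  if (sources.includes("'none'")) return false;
  if (script.inline) return sources.includes("'unsafe-inline'"); // the default-deny the post refers to
  const url = new URL(script.src, origin);
  return sources.some((s) => sourceMatches(s, url, origin));
}

// Constructed policy for a blog that loads its own scripts, the AddToAny script over
// https only, and stats from any wordpress.com subdomain.
const POLICY = "default-src 'self'; script-src 'self' https://static.addtoany.com *.wordpress.com";
const PAGE = 'http://blog.futtta.be/';

for (const s of [{ inline: true }, { src: '/wp-includes/js/jquery.js' },
                 { src: 'http://static.addtoany.com/menu/page.js' },
                 { src: 'https://static.addtoany.com/menu/page.js' },
                 { src: 'http://stats.wordpress.com/w.js' }]) {
  console.log(JSON.stringify(s), '->', scriptAllowed(POLICY, PAGE, s));
}
```

The http vs https result for the AddToAny script is the kind of “non-trivial website change” the post alludes to: a policy written for one scheme silently blocks the script when the page is served over the other.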
Over at Google, engineers are including (type 1) XSS protection and support for the Strict Transport Security spec (an HTTP response header that tells a browser to load the site over HTTPS only) in the dev-channel builds of Chrome 4. As some may have noticed while looking for Google Talk’s chatback badge last week, x-frame-options (as an anti-clickjacking measure) has already been implemented in Safari 4 and Chrome 3 as well. So especially Google is trying to make some serious progress, but Chrome 4 can hardly be considered granny-ready, can it?
That leaves us Firefox with the NoScript extension, but I’ll come back to that combination in a minute.
IE8 the safest browser?
OK, this might hurt, but let’s give credit where credit is due; IE8 indeed seems to offer the best out of the box protection against malicious websites. It is the only browser to come with good phishing- and malware-blocking (Smartscreen) combined with (limited and currently broken) protection against some types of XSS and clickjacking-attacks. So thank you Redmond for setting the example!
The only alternative: Firefox + NoScript
Firefox does not offer the out-of-the-box protection IE8 does, but when combined with the NoScript extension it really is the only readily available alternative (Lynx notwithstanding). NoScript offers superior protection against XSS, clickjacking and a host of other threats.
Even if you’re only vaguely security-conscious, installing Firefox and NoScript should really be your first choice. Depending on the level of protection you want, you can use the default but disruptive whitelist configuration (which blocks all javascript and flash) or switch to the less secure “Allow scripts globally” mode. But whatever configuration you choose, anti-XSS and clickjacking protection are always enabled.
It really is beyond me why NoScript’s ClearClick and anti-XSS aren’t in Firefox by default, especially since they seem complementary to CSP, they’re barely disruptive for a novice user and (last but not least) Mozilla could easily one-up Microsoft this way. Anyone?
Disaster has struck e-civilization; Google Talk chatback badges (as seen in the right column on this very blog) are broken! The small iframe remains grey in Firefox, but with some scrolling the following message can be seen:
This content cannot be displayed in a frame
To protect your security, the publisher of this content does
not allow it to be displayed in a frame.
Click here to open this content in a new window
Googling that error message brings up a blogpost that explains what is going on: the HTTP response header of the page in the iframe includes “x-frame-options: sameorigin“. That directive tells browsers that honor it not to display the page in the iframe (because it is not embedded in a page of the same origin), protecting you from possible clickjacking.
x-frame-options was introduced by Microsoft in IE8 and seems to be implemented in Safari 4 and Chrome 3 as well. Firefox on the other hand hasn’t included this feature (yet?), but I got the error message thanks to the great Firefox NoScript security extension, which -somewhat reluctantly- provides “bullet parity” with IE8’s security features this way (you can stop NoScript from doing this by setting “noscript.frameOptions.enabled” to “false” in about:config).
But back to the root of this problem: Google is breaking their own Talk chatback badge by adding “x-frame-options: sameorigin” to the response headers. Weird huh?
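The decision a browser (or NoScript’s emulation of it) makes here, written out as an added example that serves both the clickjacking section of the IE8 post and this chatback post; it is not code from the post, Microsoft, Mozilla or NoScript. Only the two values IE8 introduced, deny and sameorigin, are modelled; every ancestor frame is checked rather than only the top document, which is the stricter of the two readings implementations have used. The badge URL is a placeholder, since the real one is not on this page.

```javascript
// Added example, not code from the post, Microsoft, Mozilla or NoScript. BADGE_URL is a
// placeholder standing in for the real chatback badge URL.
const BADGE_URL = 'http://talk.google.example/badge';
const BLOG_URL = 'http://blog.futtta.be/';

const originOf = (u) => new URL(u).origin;

// responseUrl: the URL the framed response came from.
// headers: its response headers, lower-cased names.
// ancestors: URLs of the documents framing it, innermost parent first, top document last.
function mayRenderInFrame(responseUrl, headers, ancestors) {
  if (ancestors.length === 0) return { render: true, reason: 'not framed' };
  const raw = headers['x-frame-options'];
  if (raw === undefined) return { render: true, reason: 'no X-Frame-Options header' };
  const value = raw.trim().toUpperCase();
  if (value === 'DENY') return { render: false, reason: 'DENY' };
  if (value === 'SAMEORIGIN') {
    const self = originOf(responseUrl);
    const foreign = ancestors.find((a) => originOf(a) !== self);
    return foreign
      ? { render: false, reason: `SAMEORIGIN, but framed by ${originOf(foreign)}` }
      : { render: true, reason: 'SAMEORIGIN satisfied' };
  }
  // Anything else ("SAME-ORIGIN", "allowall", ...) is not a recognised value: browsers
  // ignore the header, so a typo silently leaves the page frameable.
  return { render: true, reason: `unrecognised value "${raw}" ignored` };
}

// The chatback situation: Google serves the badge with "sameorigin", the blog frames it.
const badgeHeaders = { 'x-frame-options': 'sameorigin' };

function chatbackOnBlog() {
  return mayRenderInFrame(BADGE_URL, badgeHeaders, [BLOG_URL]);
}

// The same badge framed by a page on its own origin renders fine.
function chatbackOnGoogle() {
  return mayRenderInFrame(BADGE_URL, badgeHeaders, ['http://talk.google.example/profile']);
}

console.log(chatbackOnBlog().render, chatbackOnBlog().reason);     // false SAMEORIGIN, but framed by http://blog.futtta.be
console.log(chatbackOnGoogle().render, chatbackOnGoogle().reason); // true SAMEORIGIN satisfied
```

Two things worth checking on your own sites follow directly from this: a misspelled value gives no protection at all, and a widget you expect other people to embed cannot be served with sameorigin, which is exactly the trap Google fell into with the badge.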