DOCSLIB.ORG

Most Websites Don't Need to Vibrate: a Cost–Benefit Approach To

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Most Websites Don’t Need to Vibrate: A Cost–Benefit Approach to Improving Browser Security Peter Snyder Cynthia Taylor Chris Kanich University Of Illinois at Chicago University Of Illinois at Chicago University Of Illinois at Chicago [email protected] [email protected] [email protected] ABSTRACT Firefox OS, have expanded the Web API tremendously. Modern Modern web browsers have accrued an incredibly broad set of browsers have, for example, gained the ability to detect changes features since being invented for hypermedia dissemination in in ambient light levels [58], perform complex audio synthesis [14], 1990. Many of these features benefit users by enabling new types enforce digital rights management systems [25], cause vibrations of web applications. However, some features also bring risk to in enabled devices [36], and create peer to peer networks [11]. users’ privacy and security, whether through implementation error, While the web has picked up new capabilities, the security model unexpected composition, or unintended use. Currently there is underlying the Web API has remained largely unchanged. All web- no general methodology for weighing these costs and benefits. sites have access to nearly all browser capabilities. Unintended in- Restricting access to only the features which are necessary for formation leaks caused by these capabilities have been leveraged by delivering desired functionality on a given website would allow attackers in several ways: for instance, WebGL and Canvas allowed users to enforce the principle of lease privilege on use of the myriad Cao et al. to construct resilient cross-browser fingerprints [21], and APIs present in the modern web browser. Gras et al. were able to defeat ASLR in the browser [30] using the 1 However, security benefits gained by increasing restrictions must Web Workers and High Resolution Timing APIs. One purported be balanced against the risk of breaking existing websites. This benefit of deploying applications via JavaScript in the browser is work addresses this problem with a methodology for weighing that the runtime is sandboxed, so that websites can execute any the costs and benefits of giving websites default access toeach code it likes, even if the user had never visited that site before. The browser feature. We model the benefit as the number of websites above attacks, and many more, have subverted that assumption to that require the feature for some user-visible benefit, and the cost great effect. as the number of CVEs, lines of code, and academic attacks related These attacks notwithstanding, allowing websites to quickly pro- to the functionality. We then apply this methodology to 74 Web vide new experiences is a killer feature that enables rapid delivery API standards implemented in modern browsers. We find that al- of innovative new applications. Even though some sites take ad- lowing websites default access to large parts of the Web API poses vantage of these capabilities to deliver novel applications, a large significant security and privacy risks, with little corresponding portion of the web still provides its primary value through rich me- benefit. dia content dissemination. We show in this work that most websites We also introduce a configurable browser extension that allows can deliver their beneficial functionality to users with only a limited users to selectively restrict access to low-benefit, high-risk features number of JavaScript APIs. Additionally, when websites need ac- on a per site basis. We evaluated our extension with two hardened cess to less common functionality, we demonstrate a mechanism to browser configurations, and found that blocking 15 of the 74stan- enable fine-grained access to JavaScript features on a case-by-case dards avoids 52.0% of code paths related to previous CVEs, and basis. 50.0% of implementation code identified by our metric, without An understanding of the benefits and risks of each JavaScript affecting the functionality of 94.7% of measured websites. feature is necessary to make sound decisions about which features need to be enabled by default to create the modern web experience. KEYWORDS With this knowledge, a set of highly beneficial features can be exposed by default to all websites, while only trusted sites that arXiv:1708.08510v2 [cs.CR] 5 Sep 2017 Network security, Software security, Web security and privacy need additional features are given the ability to access the full set ACM Reference format: of capabilities in the browser, thus enforcing the principle of least Peter Snyder, Cynthia Taylor, and Chris Kanich. 2017. Most Websites Don’t privilege on the Web API. Need to Vibrate: A Cost–Benefit Approach to Improving Browser Secu- This work applies a systematic cost-benefit analysis to the por- rity. In Proceedings of ACM Conference, Washington, DC, USA, July 2017 tions of the Web API implemented in all popular browsers. We (Conference’17), 16 pages. present a method to quantitatively evaluate both the cost of a fea- https://doi.org/10.1145/nnnnnnn.nnnnnnn ture (the added security risk of making a feature available) and the benefit of a feature (the number of websites that require the 1 INTRODUCTION feature to function properly). We then build a browser extension which blocks selected JavaScript functions to generate the results Since its beginnings as a hypermedia dissemination platform, the discussed in this paper. In this work we specifically consider the web has evolved extensively and impressively, becoming part com- munication medium and part software distribution platform. More 1We present a more extensive overview of academic attacks and the JavaScript APIs recently, the move from browser plugins to native HTML5 capa- that enable them in Section 5.2.1, and further enumerate the attack to enabling feature bilities, along with efforts like Chrome OS and the now defunct mapping in Table 4 in the Appendix. open web accessed via a desktop browser, but the same approach number of previously reported CVEs in a feature, on the intuition could be expanded to any website viewed via any browser. that features which are difficult to code correctly are more likely to Using these cost-benefit measurements, we create two hardened have further undiscovered vulnerabilities. browser configurations by identifying high-cost standards that Second, we model security cost as the number of attacks intro- could be blocked in the browser without affecting the browsing duced in academic papers which have been enabled by each Web experience on most websites. We present a browser extension that API standard. enforces these hardened browser configurations, and compare the Third, we model security cost as a function of code complex- usability of these hardened browser configurations against other ity. We attribute entry points in the browser’s C++ codebase to popular browser-security tools, NoScript and the Tor Browser Bun- JavaScript exposed features, and then quantify complexity as the dle (TBB). We find that our hardened browser configurations offer number of lines of code used solely to implement access to each substantial security benefits for users, while breaking fewer web- feature. sites than either NoScript or the default configuration of the TBB during our evaluation on both the 200 most popular sites in the 2 RELATED WORK Alexa 10k, and a random sampling of the rest of the Alexa 10k. Our browser-hardening extension is highly configurable, allow- In this section we discuss the current state of browser features, as ing functionality to be blocked or allowed on a per-site basis. The well as existing user level security defenses. set of standards blocked can be updated to reflect changes in the popularity or security costs of each standard. 2.1 Browser Feature Inclusion This work presents the following technical contributions: Browsers compete on performance, security, and compatibility. This final point introduces two security related challenges: first, ven- • ES6 Proxy based feature firewall. (Section 3) We lever- dors are very wary of removing features from the browser, even if age the ES6 proxy object to build a feature firewall which they are used by a very small fraction of all websites [5, 8]. Second, dynamically disables JavaScript API features without break- because the web is evolving and even competing with native appli- ing most code that expects those features to exist. cations (especially on mobile devices), browser vendors are incen- • Code complexity as cost. (Section 4.5.2) We perform a tivized to continue to add new features to the web browser and not static analysis of the Firefox codebase to identify and count remove old features. Browsers using the same code base across all lines of code exclusively used to enable each web standard. devices, including mobile, browser OS devices (e.g., Google Chrome- We find a moderate, statistically significant relationship books), and traditional PCs also increases the amount of code in between this code complexity metric and previously dis- the browser. The addition of support for this variety of devices covered vulnerabilities attributed to these standards. means that JavaScript features that support hardware features (we- • Contextual protection extension. (Section 7) We pack- bcams, rotation sensors, vibration motors, or ambient light sensors, age the feature firewall in an open source browser exten- etc. [36, 37, 39, 58]) are included in the browser for all devices, re- sion that allows the deployment of pre-defined conserva- gardless of whether they include such hardware.
Recommended publications
  • A Generic Data Exchange System for F2F Networks

    A Generic Data Exchange System for F2F Networks

    The Retroshare project The GXS system Decentralize your app! A Generic Data Exchange System for F2F Networks Cyril Soler C.Soler The GXS System 03 Feb. 2018 1 / 19 The Retroshare project The GXS system Decentralize your app! Outline I Overview of Retroshare I The GXS system I Decentralize your app! C.Soler The GXS System 03 Feb. 2018 2 / 19 The Retroshare project The GXS system Decentralize your app! The Retroshare Project I Mesh computers using signed TLS over TCP/UDP/Tor/I2P; I anonymous end-to-end encrypted FT with swarming; I mail, IRC chat, forums, channels; I available on Mac OS, Linux, Windows, (+ Android). C.Soler The GXS System 03 Feb. 2018 3 / 19 The Retroshare project The GXS system Decentralize your app! The Retroshare Project I Mesh computers using signed TLS over TCP/UDP/Tor/I2P; I anonymous end-to-end encrypted FT with swarming; I mail, IRC chat, forums, channels; I available on Mac OS, Linux, Windows. C.Soler The GXS System 03 Feb. 2018 3 / 19 The Retroshare project The GXS system Decentralize your app! The Retroshare Project I Mesh computers using signed TLS over TCP/UDP/Tor/I2P; I anonymous end-to-end encrypted FT with swarming; I mail, IRC chat, forums, channels; I available on Mac OS, Linux, Windows. C.Soler The GXS System 03 Feb. 2018 3 / 19 The Retroshare project The GXS system Decentralize your app! The Retroshare Project I Mesh computers using signed TLS over TCP/UDP/Tor/I2P; I anonymous end-to-end encrypted FT with swarming; I mail, IRC chat, forums, channels; I available on Mac OS, Linux, Windows.
  • Anonymous Rate Limiting with Direct Anonymous Attestation

    Anonymous Rate Limiting with Direct Anonymous Attestation

    Anonymous rate limiting with Direct Anonymous Attestation Alex Catarineu Philipp Claßen Cliqz GmbH, Munich Konark Modi Josep M. Pujol 25.09.18 Crypto and Privacy Village 2018 Data is essential to build services 25.09.18 Crypto and Privacy Village 2018 Problems with Data Collection IP UA Timestamp Message Payload Cookie Type 195.202.XX.XX FF.. 2018-07-09 QueryLog [face, facebook.com] Cookie=966347bfd 14:01 1e550 195.202.XX.XX Chrome.. 2018-07-09 Page https://analytics.twitter.com/user/konark Cookie=966347bfd 14:06 modi 1e55040434abe… 195.202.XX.XX Chrome.. 2018-07-09 QueryLog [face, facebook.com] Cookie=966347bfd 14:10 1e55040434abe… 195.202.XX.XX Chrome.. 2018-07-09 Page https://booking.com/hotels/barcelona Cookie=966347bfd 16:15 1e55040434abe… 195.202.XX.XX Chrome.. 2018-07-09 QueryLog [face, facebook.com] Cookie=966347bfd 14:10 1e55040434abe… 195.202.XX.XX FF.. 2018-07-09 Page https://shop.flixbus.de/user/resetting/res Cookie=966347bfd 18:40 et/hi7KTb1Pxa4lXqKMcwLXC0XzN- 1e55040434abe… 47Tt0Q 25.09.18 Crypto and Privacy Village 2018 Anonymous data collection Timestamp Message Type Payload 2018-07-09 14 Querylog [face, facebook.com] 2018-07-09 14 Querylog [boo, booking.com] 2018-07-09 14 Page https://booking.com/hotels/barcelona 2018-07-09 14 Telemetry [‘engagement’: 0 page loads last week, 5023 page loads last month] More details: https://gist.github.com/solso/423a1104a9e3c1e3b8d7c9ca14e885e5 http://josepmpujol.net/public/papers/big_green_tracker.pdf 25.09.18 Crypto and Privacy Village 2018 Motivation: Preventing attacks on anonymous data collection Timestamp Message Type Payload 2018-07-09 14 querylog [book, booking.com] 2018-07-09 14 querylog [fac, facebook.com] … ….
  • Firefox Quantum Remove Recommended by Pocket From

    Firefox Quantum Remove Recommended by Pocket From

    Firefox Quantum Remove Recommended By Pocket From Lamellar Gary restitutes: he ligatured his recognisance bearishly and dully. Desireless Redford suburbanized very monotonously while Silvester remains dysteleological and unconfined. Skin-deep Algernon never dislodged so westerly or stanchion any floppiness war. Stack traces are now shown for exceptions inside your console. Press to restore system options as which process starts it'll remove by the jailbreak. It is enabled by default in development versions of Firefox, but average in release versions. We have always bear the result in scratchpad and by pocket. Earn an issue that ff is by firefox quantum. You for tweetdeck, or login to network failures due to open source ip address bar at your activity. Ask a question and give support. Who cares about the features? 2012 after Mozilla detected a security flaw and recommended downgrading to. Access the feature for android firefox remove by now called extensions available for recommended by ad blockers work unencumbered by ad is a set to. This will open large number of your browser extensions that pisses me of money if you can either automatically updated their next app integrated into detail of. Dec 01 2017 Firefox Quantum's interface is still extremely customizable thanks to. Where is the back latch on Firefox? Mozilla Firefox or simply Firefox is that free quote open-source web browser developed by the. It will not collect data in private browser windows, and when Mozilla shares the results of its research, it will do so in a way that minimizes the risk of users being identified, Boyd said.
  • Private Browsing

    Private Browsing

    Away From Prying Eyes: Analyzing Usage and Understanding of Private Browsing Hana Habib, Jessica Colnago, Vidya Gopalakrishnan, Sarah Pearman, Jeremy Thomas, Alessandro Acquisti, Nicolas Christin, and Lorrie Faith Cranor, Carnegie Mellon University https://www.usenix.org/conference/soups2018/presentation/habib-prying This paper is included in the Proceedings of the Fourteenth Symposium on Usable Privacy and Security. August 12–14, 2018 • Baltimore, MD, USA ISBN 978-1-939133-10-6 Open access to the Proceedings of the Fourteenth Symposium on Usable Privacy and Security is sponsored by USENIX. Away From Prying Eyes: Analyzing Usage and Understanding of Private Browsing Hana Habib, Jessica Colnago, Vidya Gopalakrishnan, Sarah Pearman, Jeremy Thomas, Alessandro Acquisti, Nicolas Christin, Lorrie Faith Cranor Carnegie Mellon University {htq, jcolnago, vidyag, spearman, thomasjm, acquisti, nicolasc, lorrie}@andrew.cmu.edu ABSTRACT Prior user studies have examined different aspects of private Previous research has suggested that people use the private browsing, including contexts for using private browsing [4, browsing mode of their web browsers to conduct privacy- 10, 16, 28, 41], general misconceptions of how private brows- sensitive activities online, but have misconceptions about ing technically functions and the protections it offers [10,16], how it works and are likely to overestimate the protections and usability issues with private browsing interfaces [41,44]. it provides. To better understand how private browsing is A major limitation of much prior work is that it is based used and whether users are at risk, we analyzed browsing on self-reported survey data, which may not always be reli- data collected from over 450 participants of the Security able.
  • E Cost of Ad Blocking Pagefair and Adobe 2015 Ad Blocking Report

    E Cost of Ad Blocking Pagefair and Adobe 2015 Ad Blocking Report

    !e cost of ad blocking PageFair and Adobe 2015 Ad Blocking Report Introduction In the third annual ad blocking report, PageFair, with the help of Adobe, provides updated data on the scale and growth of ad blocking so"ware usage and highlights the global and regional economic impact associated with it. Additionally, this report explores the early indications surrounding the impact of ad blocking within the mobile advertising space and how mobile will change the ad blocking landscape. Table of Contents 3. Key insights 8. Effect of ad blocking by industry 13. A"erword 4. Global ad blocking growth 9. Google Chrome still the main driver of ad 14. Background 5. Usage of ad blocking so"ware in the United block growth 15. Methodology States 10. Mobile is yet to be a factor in ad blocking 16. Tables 6. Usage of ad blocking so"ware in Europe growth 17. Tables 7. !e cost of blocking ads 11. Mobile will facilitate future ad blocking growth 12. Reasons to start using an ad blocker PAGEFAIR AND ADOBE | 2015 Ad Blocking Report 2 Key Insights More consumers block ads, continuing the strong growth rates seen during 2013 and 2014. 41% YoY global growth Q2 2014 - Q2 2015 !e "ndings • Globally, the number of people using ad blocking so"ware grew by 41% year over year. • 16% of the US online population blocked ads during Q2 2015. • Ad block usage in the United States grew 48% during the past year, increasing to 45 million monthly active 45 million users (MAUs) during Q2 2015. Average MAUs in the United • Ad block usage in Europe grew by 35% during the past year, increasing to 77 million monthly active users States Q2 2015 during Q2 2015.
  • The Impact of Ad-Blockers on Online Consumer Behavior

    The Impact of Ad-Blockers on Online Consumer Behavior

    Marketing Science Institute Working Paper Series 2021 Report No. 21-119 The Impact of Ad-blockers on Online Consumer Behavior Vilma Todri “The Impact of Ad-blockers on Online Consumer Behavior” © 2021 Vilma Todri MSI Working Papers are Distributed for the benefit of MSI corporate and academic members and the general public. Reports are not to be reproduced or published in any form or by any means, electronic or mechanical, without written permission. Marketing Science Institute Working Paper Series The Impact of Ad-blockers on Online Consumer Behavior Vilma Todri Goizueta Business School, Emory University, Atlanta, GA 30322 [email protected] Digital advertising is on track to become the dominant form of advertising but ad-blocking technologies have recently emerged posing a potential threat to the online advertising ecosystem. A significant and increasing fraction of Internet users has indeed already started employing ad-blockers. However, surprisingly little is known yet about the effects of ad-blockers on consumers. This paper investigates the impact of ad- blockers on online search and purchasing behaviors by empirically analyzing a consumer-level panel dataset. Interestingly, the analyses reveal that ad-blockers have a significant effect on online purchasing behavior: online consumer spending decreases due to ad-blockers by approximately $14:2 billion a year in total. In examining the underlying mechanism of the ad-blocker effects, I find that ad-blockers significantly decrease spending for brands consumers have not experienced before, partially shifting spending towards brands they have experienced in the past. I also find that ad-blockers spur additional unintended consequences as they reduce consumers' search activities across information channels.
  • DARK WEB INVESTIGATION GUIDE Contents 1

    DARK WEB INVESTIGATION GUIDE Contents 1

    DARK WEB INVESTIGATION GUIDE Contents 1. Introduction 3 2. Setting up Chrome for Dark Web Access 5 3. Setting up Virtual Machines for Dark Web Access 9 4. Starting Points for Tor Investigations 20 5. Technical Clues for De-Anonymizing Hidden Services 22 5.1 Censys.io SSL Certificates 23 5.2 Searching Shodan for Hidden Services 24 5.3 Checking an IP Address for Tor Usage 24 5.4 Additional Resources 25 6. Conclusion 26 2 Dark Web Investigation Guide 1 1. Introduction 3 Introduction 1 There is a lot of confusion about what the dark web is vs. the deep web. The dark web is part of the Internet that is not accessible through traditional means. It requires that you use a technology like Tor (The Onion Router) or I2P (Invisible Internet Project) in order to access websites, email or other services. The deep web is slightly different. The deep web is made of all the webpages or entire websites that have not been crawled by a search engine. This could be because they are hidden behind paywalls or require a username and password to access. We are going to be setting up access to the dark web with a focus on the Tor network. We are going to accomplish this in two different ways. The first way is to use the Tor Browser to get Google Chrome connected to the the Tor network. This is the less private and secure option, but it is the easiest to set up and use and is sufficient for accessing material on the dark web.
  • Tr 126 907 V14.0.0 (2017-04)

    Tr 126 907 V14.0.0 (2017-04)

    ETSI TR 126 907 V14.0.0 (2017-04) TECHNICAL REPORT Universal Mobile Telecommunications System (UMTS); LTE; HTML5 for a new presentation layer in 3GPP services (3GPP TR 26.907 version 14.0.0 Release 14) 3GPP TR 26.907 version 14.0.0 Release 14 1 ETSI TR 126 907 V14.0.0 (2017-04) Reference RTR/TSGS-0426907ve00 Keywords LTE,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice The present document can be downloaded from: http://www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI.
  • Amazon Silk Developer Guide Amazon Silk Developer Guide

    Amazon Silk Developer Guide Amazon Silk Developer Guide

    Amazon Silk Developer Guide Amazon Silk Developer Guide Amazon Silk: Developer Guide Copyright © 2015 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. The following are trademarks of Amazon Web Services, Inc.: Amazon, Amazon Web Services Design, AWS, Amazon CloudFront, AWS CloudTrail, AWS CodeDeploy, Amazon Cognito, Amazon DevPay, DynamoDB, ElastiCache, Amazon EC2, Amazon Elastic Compute Cloud, Amazon Glacier, Amazon Kinesis, Kindle, Kindle Fire, AWS Marketplace Design, Mechanical Turk, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon VPC, and Amazon WorkDocs. In addition, Amazon.com graphics, logos, page headers, button icons, scripts, and service names are trademarks, or trade dress of Amazon in the U.S. and/or other countries. Amazon©s trademarks and trade dress may not be used in connection with any product or service that is not Amazon©s, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon. AWS documentation posted on the Alpha server is for internal testing and review purposes only. It is not intended for external customers. Amazon Silk Developer Guide Table of Contents What Is Amazon Silk? .................................................................................................................... 1 Split Browser Architecture ......................................................................................................
  • Will Ad Blocking Break the Internet?

    Will Ad Blocking Break the Internet?

    NBER WORKING PAPER SERIES WILL AD BLOCKING BREAK THE INTERNET? Ben Shiller Joel Waldfogel Johnny Ryan Working Paper 23058 http://www.nber.org/papers/w23058 NATIONAL BUREAU OF ECONOMIC RESEARCH 1050 Massachusetts Avenue Cambridge, MA 02138 January 2017 Johnny Ryan is an employee of PageFair, a firm that measures the extent of ad blocking and offers ad-recovery technologies that enable publishers to display ads in a manner that adblockers cannot block. Neither Shiller nor Waldfogel has received any compensation for the research in the paper. PageFair was allowed to review the paper for accuracy but did not have control over the paper's findings nor conclusions. The views expressed herein are those of the authors and do not necessarily reflect the views of the National Bureau of Economic Research. NBER working papers are circulated for discussion and comment purposes. They have not been peer-reviewed or been subject to the review by the NBER Board of Directors that accompanies official NBER publications. © 2017 by Ben Shiller, Joel Waldfogel, and Johnny Ryan. All rights reserved. Short sections of text, not to exceed two paragraphs, may be quoted without explicit permission provided that full credit, including © notice, is given to the source. Will Ad Blocking Break the Internet? Ben Shiller, Joel Waldfogel, and Johnny Ryan NBER Working Paper No. 23058 January 2017 JEL No. L81,L82 ABSTRACT Ad blockers allow Internet users to obtain information without generating ad revenue for site owners; and by 2016 they were used by roughly a quarter of site visitors. Given the ad-supported nature of much of the web, ad blocking poses a threat to site revenue and, if revenue losses undermine investment, a possible threat to consumers' access to appealing content.
  • Draft Clearclick: Effective Client-Side Protection Against UI

    Draft Clearclick: Effective Client-Side Protection Against UI

    Draft ClearClick: Effective Client-Side Protection Against UI Redressing Attacks Giorgio Maone <giorgio at maone.net> Rev. 2, May 3, 2012 Abstract “User Interface Redressing”, popularized in 2008 as “Clickjacking”, designates a class of attacks, leveraging ambient authority and the coexistence in modern user agents of multiple browsing contexts, which trick an authorized human into interacting with UI elements that actually belong to the targeted web application, but have been obscured or decontextualized by attacker-provided content. This interaction induces unintended application state changes on behalf of the victim – similarly to Cross Site Request Forgery – but defeats traditional CSRF protections, such as form tokens, by exploiting the legitimate web application UI itself, which those countermeasures are meant to validate. The main defense currently adopted by mainstream browsers requires a server- side opt-in signal and prohibits legitimate, widespread use cases such as cross-site subdocument embedding. Another countermeasure immune to these limitations (enabled by default, entirely client-side and designed to allow cross-domain embedding) is the ClearClick module, included in the NoScript add-on for Mozilla Firefox just days after the first Clickjacking announcement. This document describes the rationale behind it and the way it works. Keywords: clickjacking, anti-clickjacking, UI redressing, ClearClick, X-Frame-Options. 1. Introduction In September 2008, Jeremiah Grossman and Robert “RSnake” Hansen canceled a previously announced
  • Finding and Installing Firefox Extensions SURF’S UP

    Finding and Installing Firefox Extensions SURF’S UP

    LINUXUSER DeskTOPia: Firefox Add-ons Finding and installing Firefox extensions SURF’S UP If you look around the Internet, you’ll find a number of useful add-ons for Mozilla Firefox. BY ANDREAS KNEIB he Mozilla Firefox browser is de- most useful modules for the new Firefox the module is available. Then just re- signed to easily accommodate ex- 1.5. launch the web browser to enable the Ttensions, and the Firefox commu- tools. nity has responded with a rich assort- Getting Started If Firefox fails to locate working exten- ment of add-on modules. If you’re inter- If your Linux distribution doesn’t have sions, the old extensions will stay dis- ested in higher performance, or even if the latest version of Firefox, you can abled until an update becomes available you just want to check the weather, download it from the Firefox homepage or until you remove the extensions man- you’ll find a Firefox add-on to meet your at [1]. Once you have installed the latest ually. If you still encounter problems, needs. We took a look at some of the version, you can open the Firefox Exten- such as the program crashing because sion Manager (Figure 1) by selecting the browser has stumbled over an in- Tools | Extensions. The Extension Man- compatible or broken module, you can ager is a central tool for plug-in manage- try starting the program in safe mode ment. using the following parameters in the If your Firefox 1.0 version already has command line: firefox -safe-mode. a number of extensions installed before In safe mode, all extensions and you upgrade to Firefox 1.5, the browser themes [4] are disabled, and you can should now show you if the modules are run the Extension Manager to remove compatible with the new version.