Predictable whitelists strike again · 2007-11-05 17:18 by Wladimir Palant
A little more than half a year ago I wrote an article on how security solutions using whitelists are better than those using blacklists. At the same time I noted that even using whitelists is not always enough — for example when your whitelist is predictable and the attacker can make sure the whitelisting rule applies to him. The NoScript extension was the example I used, and its author reacted by adding “XSS protection”, assuming that this would invalidate my claims.
Now RSnake was in a much better situation than the majority of NoScript users. Not only did he notice the attack that executed in the background, he probably didn’t even have a single entry in his NoScript whitelist to be exploited. Too bad that 99% of the users never configure anything — meaning that they still use the default whitelisting entries that NoScript comes with and that I warned against a while ago. Instead of cutting this list down to the bare minimum (ideally: zero), the author kept four (!) of his domains on the default whitelist — and Google ads, just to make sure he still gets money from people forced to visit on each NoScript update (which happens approximately once per week).
To reiterate what I already stated before: if Firefox users ever come under attack (hardly ever happened so far, at least if you run the latest Firefox version) — for the vast majority of users NoScript will not be a help. It tends to stop lots of harmless (meaning useful) stuff but cannot be relied on when it comes to the attacks it is supposed to stop.