Canopic JarThe recent disclosure by pdp of the jar: protocol bug originally discovered and responsibly reported by Jesse Ruderman in February, and its redirect variant discovered and popularized by Beford with a nice Google-targeted proof of concept, spawned some interesting 3rd party coverage.
Interesting, because very few 3rd party reporters and commenters seem to truly understand how this vulnerability works, and -- worse -- because of the quite nonsensical advices given to protect users.

How the Vulnerability Works

The jar: protocol is used internally by Mozilla browsers to resolve and address resources stuffed inside optionally compressed archives in Zip format called JARs (Java ARchives).

A JAR URL looks like this:

jar:http://someserver.com/some/path/somearchive.jar!/some/internal/path/resource.jpg

As you can see, after the

jar:

scheme we've got a regular http: URL (

http://someserver.com/some/path/somearchive.jar

), followed by an exclamation mark separator and the internal path to find the actual resource inside the archive.

When a Mozilla browser is asked to open a jar: URL, it first downloads the whole JAR file from the server using a regular HTTP GET request (for

http://someserver.com/some/path/somearchive.jar

, in our example), then extracts the required resource (

resource.jpg

, in our example) from the archive on the client side.

All good and handy, but here's the problem: the jar: protocol currently assumes any nested URL following the jar: scheme actually points to a JAR, no matter what the actual content-type header or any other file type hint (e.g. the file extension) suggests.
This means that I can stuff a malicious HTML page of mine inside a Zip file, rename it as "ma1.jpg" and upload it as my avatar on a message board.
Then trick some user to open my malicious page directly through a jar: URL like

jar:http://someforum.com/images/avatars/ma1.jpg!my_evil_page.html

Worse, my page's JavaScript code will run in the same domain as the hosting site, i.e.

someforum.com

, hence I'm cross-site scripting the message board.
To make it even more nightmarish, I don't actually need the target website to be a message board allowing file uploads: I just need an open redirect, which can be found on Google and many other "safe" places, because my disguised JAR file will inherit the security context of my victim's redirector even if it's hosted on a website of mine. That's how Beford's proof of concept works.
Did you say "Universal XSS”?

What Firefox Users Can Do

At least until a Firefox patch is released, Firefox users should install latest NoScript stable release, or even better help us testing latest development version.
NoScript will prevent remote JAR resources from being loaded as documents, neutralizing the XSS dangers of the jar: protocol while keeping its functionality. See this FAQ for more details.
It should be noted that this specific protection is completely independent from JavaScript blocking: this means that you're protected on every site, no matter if there you've set NoScript to allow JavaScript or not.
Strangely enough, even if this is the only advice which works (other than switching to a different browser), it has been give only by the US Cert advisory (together with another less effective one, see below).

Bogus Advices

Firefox users should avoid follow untrusted “jar:” links on suspicious Web sites.
(Ryan Naraine's Zero Day)

There are several ways for a browser to open an URL automatically without your consent: JavaScript, an IFrame, a Meta Refresh, a redirect...
If this vulnerability is exploited in the wild, you won't see any "

jar:

link" coming.

Poor Ryan has probably been misled by reading the following:

Do not follow untrusted "jar:" links or browse untrusted websites.
(Secunia Advisory)

Admittedly, the "don't browse untrusted websites" clause adds some correctness to this advice, but also makes it practically useless.
Furthermore, Ryan quotes the US Cert advisory as well, hence he's got no excuses for omitting the NoScript work-around.
As we said, US Cert correctly referenced NoScript's JAR protection, but also gave a bogus advice of its own:

Using proxy servers or application firewalls to block URIs that contain jar: may mitigate this vulnerability.

If you read how this issue works carefully, you should have noticed that all the jar: protocol resolution happens inside the browser: the only request which is sent, possibly hitting proxy servers or application firewalls, is the regular nested HTTP request. Are you going to block every image together with my innocent looking

http://someforum.com/images/avatars/ma1.jpg

? At any rate, your network devices are very unlikely to ever see mythological beasts like "URIs that contain jar:"...

No matter how nonsensical the advices above are, someone decided to endorse them all:

No patch is available through there are a number of workarounds (such as blocking URIs that contain "jar:" using a reverse proxy or application firewall). For home users, Secunia advises users to avoid following untrusted "jar:" links or visiting untrusted websites.
(The Register)

What a pity they left out the only one which does work ;)

Update:

PC World and ComputerWorld finally joined the fun:

application firewalls and proxy servers can be used to block Windows Universal Resource Identifiers (URIs) that contain the JAR protocol

They actually reference NoScript, but in a quite misleading way:

Users can download a NoScript add-on for Firefox to block JavaScript and executable content from untrusted Web sites, and can secure their Google accounts by remaining signed out whenever possible.
IBRS security consultant James Turner, who has used the NoScript add-on, said protection against these vulnerabilities can be a trade-off between security and a rich online experience.
"The add-on works fine but it is a trade-off between reducing your online experience by blocking JavaScript and protecting yourself against the exploit," Turner said.

As I said, NoScript's JAR protection has nothing to do with JavaScript blocking and it works no matter what the content of your whitelist is: in other words, there's no trade-off at all because you keep JavaScript enabled where you need it! Oh, "security expertize"...
In the meanwhile, Ryan Naraine wrote a follow-up honestly reporting my criticism (notice that I had privately emailed both him and The Register's John Layden with no answer, before deciding to write this post of mine).
Thanks Ryan.

27 Responses to “A Jar of Misleading Advices”

  1. #1 Gareth Heyes says:

    Giorgio great write up!

    I often read Ryan Naraine’s Zero Day when I need to go to sleep or need some unintentional light hearted humor. Install noscript everyone or use lynx!

  2. #2 Marco Ramilli says:

    I agree with Gareth,
    thanks Giorgio for the your great brief !
    NoScript it's really useful but see (control) what you are browsing maybe is better :-D !

  3. #3 Awesome AnDrEw says:

    Awesome write up, Giorgio. The whole JAR issue is pretty interesting though I can't say I would necessarily get a huge use out of it.

  4. #4 Nuevo Fallo En Firefox Amenaza A Gmail (2) | La Web de Stuckerboy says:

    [...] que ahora se entienda mejor, pero si todavía quedan dudas os recomiendo la explicación de Sergio Maone (autor de NoScript) y un vistazo a este ejemplo sobre cómo utilizar la redirección de Google para [...]

  5. #5 Nicolas says:

    It's amazing how many sites have open redirects. Or other problems...
    http://www.atlassian.com/software/Download.jspa?file=javascript:alert%28%22XSS%22%29

  6. #6 Fallo en Firefox Amenasa a GMAIL. « Celciuz’s Weblog says:

    [...] que ahora se entienda mejor, pero si todavía quedan dudas os recomiendo la explicación de Sergio Maone (autor de NoScript) y un vistazo a este ejemplo sobre cómo utilizar la redirección de Google para [...]

  7. #7 ICMPECHO » Blog Archive » Firefox JAR: vulnerability - quick summary says:

    [...] Now, instead of copying others work which they have probably spent hours or more on to explain the issue in full, I’ll give you a short recap of the happenings and more and more exposing blog posts: 2007-02-08 - Jesse Ruderman logs the bug in the Mozilla bugzilla tracker. It remains unpatched and not widely known until…2007-11-07 - Researcher pdp discusses the issue and potential impact at GNUCitizen. This opens this bug up to a whole new audience and…2007-11-10 - Beford illustrates the seriousness of this issue and issues in the same family by targeting Google and Gmail and posts a new bug entry.2007-11-10 - And then Mario posts at GNUCitizen about other attack vectors including malware- and exploit-hosting. During these last days we have also seen some very strange recommendations from leading scurity experts at ZDNet, Secunia and US Cert (and one at The register as well) as the most excellent Giorgio over at the Hackademix blog. [...]

  8. #8 pirlouy says:

    Even if I don't use (and I don't like NoScript inflated publicity), nice explanation. :-)
    Chances to occur ? And what can user have in the worst scenario ?

  9. #9 Ryan Naraine’s Zero Day mobile edition says:

    [...] see Giorgio Maone’s detailed description of this issue, which includes a criticism of my previous mitigation advice and Maone’s own [...]

  10. #10 Giorgio says:

    @pirlouy:
    thanks for your frankness. And nice to know you're exploitable ;)

    Chances to occur?

    I cannot know, I don't collect exploitation statistics like some antivirus vendors do.
    Furthermore, while there are observatories about the prevalence of XSS vulnerabilities (e.g. xssed.org), I don't think we'll ever see aggregated data of XSS exploitation incidents, since that would be disruptive for the reputation of attacked sites, especially if they're financial institutions, but the evidence (if any) could be found only in their HTTP logs.
    We can only speculate from the ease of the attack (high) and the payoff (high, see below).

    And what can user have in the worst scenario ?

    Full digital identity theft. Her social networks exposed, her email account made public, her money stolen.
    Exactly as I can read GMail's contacts (Beford's PoC), I could move funds on Paypal in your name or dispose a wire transfer from your bank account.
    In other words, all the nasties that usually depend on a specific XSS vulnerability exposed by the target web site (Paypal, GMail, Bank Of America), thanks to this jar: trap become feasible no matter how good the web developers have been at closing their XSS holes.

  11. #11 pirlouy says:

    I'm sorry to disturb you again with my poor knowledge.
    At the beginning, NoScript aim was to forbid javascript, in order to be protected from extended possibilities of this language. The problem is the fact it breaks a lot of pages/forum, which makes NoScript unusable for normal people (I hope you're conscious that some people accuse webmaster when they can't insert a smiley in a forum, when clicking on it). That's why I don't like it.
    Now, NoScript is able to protect from XSS or JAR things. Is it impossible for you to create an extension (with very little settings) which could allow more security without ruining web pages (i.e. block javascript) ? I mean, an extension which does not block javascript, but can detect possible malicious code, an extension which proposes security fixes before official firefox releases, an extension which would be recognized by official developers. I mean an extension for everybody and not only advanced users...

  12. #12 Giorgio says:

    @pirlouy:
    No disturb.
    The reason why NoScript blocks script code by default on unknown sites is that the very nature of the JavaScript language makes really hard, if not impossible, to tell in advance if a certain piece of code is dangerous or not. That's why NoScript doesn't uses a default permit policy, neither tries to identify "malicious scripts", but rather moves the focus on the trust you put in the website originating the scripts, and ultimately in the person or organization behind it: quite obviously, you cannot trust someone you still don't know...
    Effectiveness of any XSS or CSRF protection is greatly lowered if every malicious website is free to run its own scripts, e.g. to send obfuscated POST requests to your home banking forms; hence shipping these features without JavaScript whitelisting and calling them "security enhancements" would be almost a scam.
    That said, you're free to check NoScript Options|General|Temporary allow top-level sites by default, if you consider choosing who you trust an unbearable effort but you still want to keep some of the extra security provided by NoScript. However, I'd never do that for myself and I prefer giving users a chance to get conscious control of their browsers, rather than bowing to their supposed ignorance.
    BTW, excuse my ignorance, but what does "recognized by official developers" mean?

  13. #13 pirlouy says:

    __what does "recognized by official developers" mean? __
    It's possible I'm exaggerating a bit. :P
    I mean, for now, you're extension is not in "recommended addons section", and I don't think Mozilla principal developers consider your extension interesting.

    About "default permit, a dumbest idea", I've already see this, but this article does not consider usability. If your solution to death on road is to forbid cars, I don't consider this as the right solution. Car is very practical in lots of situations.
    If your solution to avoid stolen cookies is to disable javascript, I don't consider this as a usable solution. Javascript allows beautiful and practical things.

    I find your battle for security very interesting, but you should not forget one thing: your solution should not bother users, else you can't consider this as a good solution (if Mozilla disabled javascript in options, you can be sure they would lose a large number of users).

    Mmm... It's time to watch Italia lose against Scotland. :-)

  14. #14 Giorgio says:

    @pirlouy:

    you're extension is not in "€œrecommended addons section"

    I can't imagine it being there any time soon, and I'm fine with that :)
    NoScript is not the kind of extension you can install being unaware of it, and it doesn't aim to be.
    If you install it just "because it's recommended by Mozilla", you know nothing about web security and you didn't bother to check how easy is allowing scripts on sites you trust, you may end to think "Internet looks weird with Firefox" and switch to a different browser. It's not something Mozilla Corporation can afford, but it's not like they pretend NoScript is useless either...

    I don’t think Mozilla principal developers consider your extension interesting

    Even though I can't call myself "a principal developer", I did contribute some code and ideas to the project -- yes, you're unwillingly running some stuff of mine ;) -- and I do know some "principal developers" who are also NoScript users.

    If your solution to death on road is to forbid cars, I don'€™t consider this as the right solution.

    Even if this is a misplaced metaphor, you actually forbid cars by default, unless the guy wanting one demonstrates he can drive by taking a driver license, at least here in Italy...
    A better metaphor may be about home doors. You don't leave your door open at night, and you don't open it to anyone knocking by default. You open to people you know and trust, double checking from the peephole if you don't recognize the voice. Otherwise you're a fool asking for troubles.
    Oh, BTW, NoScript is not just about "stolen cookies" -- there's a lot more bad guys can do inside your browser...

    NoScript disables scripts on untrusted sites: it's clearly not the same as "if Mozilla disabled JavaScript in options", even if NoScript detractors keep suggesting it to reinforce their weak arguments.
    Allowing JavaScript to do its "beautiful and practical things" on sites you trust, either temporarily or permanently, is just matter of one click.
    From this standpoint, NoScript is very usable: personal firewalls are ten times more annoying, they block your workflow with cryptic questions and you usually have no idea of what they're talking about -- Comodo Firewall sudden popup: "svchost.exe is trying to connect to the Internet. What would I do? (IP: 207.46.209-126; Port 80)". How the hell is Average Joe supposed to know this is Windows Update?

    Frankly, I'm fed up with all those Web 2.0 Ajax mantras: requiring JavaScript for your website being usable is bad practice, rude, and even illegal under Italian accessibility regulations.
    Actually, I've got no more than 20 sites in my whitelist. I go everywhere and nothing is blocking me with alert boxes.
    But again, if I needed and wanted to, I could allow a site in one second: that's what I call usable security...

    Italy-Scotland 2-1 -- yes, I waited for the last minute goal to hit Submit ;)

  15. #15 pirlouy says:

    and I do know some “principal developers” who are also NoScript users

    Does that mean they don't trust Firefox security ? Shame on them ! :-P

    NoScript disables scripts on untrusted sites: it’s clearly not the same as “if Mozilla disabled JavaScript in options”, even if NoScript detractors keep suggesting it to reinforce their weak arguments."

    Bah. You play with words. Javascript is disable for 99,999999999 % web sites with Noscript.

    About firewalls ? Yes it's complicated, and for this reason, I don't advise firewalls (and more, their usefulness _for normal people_ has to be proved).

    I go everywhere and nothing is blocking me with alert boxes.
    But again, if I needed and wanted to, I could allow a site in one second: that’s what I call usable security…

    Yes but... How can you be sure you haven't missed several important things. You haven't seen the web site with javascript. Maybe it's much more usable.
    For whitelist, imagine I have allowed a site I use everyday, but it has security holes, I am in danger like everybody. So it's a wrong impression of security.

    Bah, it must be like italians in football, I'm of bad faith. :P
    I'll try once again to use Noscript and forbid all scripts, but I'm quite sure it won't be long before I renounce...
    Once again, thanks for your answers.

  16. #16 Giorgio says:

    @pirlouy:

    Does that mean they don’t trust Firefox security ? Shame on them ! :-P

    It means they know there are dangers on the web that no built-in browser security can stop, simply because they don't depend on a browser vulnerability but on website flaws (like XSS or CSRF).
    They also know well that no software is perfect including the one they works on every day, and enabling JavaScript only where it's required reduces the attack surface, which is one of the most fundamental security principles.
    On the other hand, unless all the browsers (especially IE) suddenly embraced the default deny policy for JavaScript, there's no way Firefox can do it without becoming very hard to market.
    Hence a solution like NoScript (as well as the much less usable and effective IE's "Zones" or Opera's "Site Preferences") can only be an opt-in feature.

    Bah. You play with words. Javascript is disable for 99,999999999 % web sites with Noscript

    You play with words. NoScript is about control: user decides where JavaScript (or Java, Flash, other plugins...) is enabled, i.e. which sites she trusts to execute active content in her browser, and she allows them on the fly with one click.
    This could be 1%, or 20%, or even 100% of the sites she regularly visits, if she feels so.
    Of course, a random web site she never heard of before, maybe sneakily loaded inside a hidden IFRAME or casually opened following a link on MySpace, will be disabled by default (until she changes her mind).
    I can only see this as obvious minimal caution, from a security standpoint.

    You haven’t seen the web site with javascript. Maybe it’s much more usable.

    Or maybe it would just track some more behavioral statistics about my eyeballs, or try to exploit my bank account.
    If you, as a webmaster, really need JavaScript to make your site more usable, please

    1. explain me the great features I'm missing;
    2. convince me I can trust you (e.g. tell me who I'm gonna sue if something goes wrong with your security).

    For whitelist, imagine I have allowed a site I use everyday, but it has security holes, I am in danger like everybody. So it’s a wrong impression of security.

    Fundamentally flawed logic or just plain misinformation?

    1. Depending on the kind of security holes, NoScript users are much less in danger than any other people even if the vulnerable website is allowed. Think about the many Google vulnerabilities discovered during the past months: NoScript did protect you against all the disclosed exploits if you had google.com in your whitelist (if you didn't, you did not need the extra protection either).
    2. If it's a site you use every day and you trust it so much that you permanently added it to you whitelist, you should at least know who's behind it, and possibly sue them if their security hole causes you some financial damage. Of course this is much harder if you trust every porn site out there, or every obscure torrent tracker, or every casual link from a search result page, but who would be that foolish?... ooops ;)
    3. At any rate, on the remaining "99,999999999% web sites", as you said, you're still safer than any non-NoScript user :P

    Bah, it must be like italians in football, I’m of bad faith. :P

    On the contrary, as you trusted almost everybody on the web so far :D

    I’ll try once again to use Noscript and forbid all scripts

    Wise of you, just keep in mind it doesn't need to be "all or nothing", and you don't need to be a techie for choosing trustworthy sites for your whitelist -- just a bit of common sense.

    Once again, thanks for your answers.

    Thanks for this chance to put some facts straight.

  17. #17 pirlouy says:

    Example of nice javascript: gmail (It's not perfect, but some features are nice), google docs, rating system of youtube (move mouse on stars to chose mark), etc.
    And if I had never allowed javascript, I'll never know these nice things.

    I read all your FAQ, but I don't find why there are all these websites in whitelist (all your websites, googlesyndication !, google, etc.). I suppose it's because you want to get a bit of money, but you should write it in your FAQ (it will be a bit complicated to explain why googlesyndication can be a trusted site). By the way, is it possible to allow publicity script for a site, and forbid this same script for another site ?

    ps: if you prefer to answer on mozillazine, you can.

  18. #18 Giorgio says:

    @pirlouy:
    GMail and Google are in the default whitelist, so even if you're a beginner you won't miss anything.
    Youtube tells you it needs JavaScript in big red letters every time you try to watch a movie, you'll surely notice that.

    Regarding the other questions, I've just integrated FAQ 1.5, which was already about the default whitelist, to address your concerns more precisely.

  19. #19 Alan Baxter says:

    Regarding the other questions, I’ve just integrated FAQ 1.5, which was already about the default whitelist, to address your concerns more precisely.

    Thank you for updating the NoScript docs. I appreciate its thorough documentation.

  20. #20 BlogZilla » Falla "JAR:" per Firefox, XSS per Gmail says:

    [...] da questi e da molti altri simili attacchi utilizzando su Firefox la popolare plug-in NoScript. Come spiegato da Giorgio Maone, autore della potente estensione, NoScript è in grado di impedire alle risorse remote JAR di [...]

  21. #21 Rafa Minuesa says:

    Great work Giorgio.
    We've been using your No-Script Add-on since over a year now and can testify to the amount of dedication you are putting into this project, proved by the constant updates always addressing the latest vulnerabilities.
    What's really amazing in this case is how NO ONE of them security "experts" could correctly identify the danger it represents, neither provide valid advice on how to protect from it.

  22. #22 receiptbill » Falla "JAR:" per Firefox, XSS per Gmail says:

    [...] da questi e da molti altri simili attacchi utilizzando su Firefox la popolare plug-in NoScript. Come spiegato da Giorgio Maone, autore della potente estensione, NoScript è in grado di impedire alle risorse remote JAR di [...]

  23. #23 Ian says:

    I'm NoScript user anyway, Mozilla Firefox 2.0.10 is out an this .jar URI bug is solved if you look at the changelog :).

    NoScript isn't a trade off, if you wanna view a site with javascript and all that just click Allow hackademix.net for example, easy as that, or Allow temporarily. And if you're one of the idiots only use Internet for searching some information and using MSN don't use it if you don't want to have more security.

    Greetings, Ian.

  24. #24 Onyx says:

    First of all thank you so much for your script. I have been using ffx since 1.(something) and noscript just shortly after i discovered ffx. I love the plug-in. It has been pretty straight forward from the beginning. I feel bad for pirlouy. I remember almost a decade ago when I started programming in javascript. It was a very fun and powerful language. I think a lot of people miss that. You could do almost anything with javascript before the days of css and dhtml and xss. I miss it too pirlouy but I still block it. Ironicly right under this text box is a grey no script box, lol I wonder what i am missing. I wont find out because I dont trust hackademix that much ;)

    BTW I notice you also said you dont use a firewall and advise people against them. That is also a very very bad idea. To go back to your car analogy, that is like driving around with no cops, speed limits and road laws. Sure you might make it to get groceries or to work. Hell, you might make it a month with no problems but eventually you will get hit by a drunk driver or a speeder out of control. You can not by default trust everyone to make the same nice decisions. More importantly you cant trust them to be able to foresee every vulnerability in their systems.

    Think of it as a condom for your browser, allowing ffx to truly browse safer.

    PS I take it all back... I almost fell off my chair when i discovered i had to allow jscript just to comment to your site buddy... wtf... cant you find a better way? like your own captcha rather than a offsite? this sux

  25. #25 Giorgio says:

    @Onyx:
    ReCaptcha is one of the most reliable and socially useful captchas around, and it's got its proper fallback when scripts are not allowed.
    The most likely reason why you couldn't see it is that you either have NoScript Options|Advanced|Untrusted|Hide <NOSCRIPT> elements checked or IFRAMEs blocked and no placeholders.
    That said, as soon as I've got time I'll implement my own self-hosted captcha.

  26. #26 Richard says:

    May the comment concerning the application firewall be one of those content analysing types that will rewrite the HTML for you as it comes down? The kind of thing that Slashdotters tend to call "Evil"?

    They wouldn't work for SSL, but may mitigate for normal browsing.

  27. #27 Dagorath says:

    Good discussion, pirlouy and Giorgio. You both play on words when you play with metaphors. I like word play, btw :)

    Giorgio's message = with some effort you can have better protection. It isn't ultimate invulnerability, it's just better, take it or leave it.

    Pirlouy's message = I am a hopeless addict to all the things on the 'Net, I don't have the strength/courage/ability to be any better than a hopeless addict, I don't have the strength/courage/ability to use the protection Giorgio offers, puh-leeze all you software devs see my plight and fix the damn 'Net so I can continue to do whatever I want, anytime I want, wherever I want yet be completely invulnerable, happy and safe, why can't you make the 'Net the utopia it's supposed to be.

    Now I must admit that I am no better than pirlouy. I like the idea of being able to surf wherever I want and I throw caution to the wind more often than I should. I also like banking online and sending/receiving money via PayPal. Realizing...

    1) legislators are not willing to pass the laws that would seriously reduce hacking/scamming on the 'Net (i.e. death to all hackers, scammers, phishers, not a quick death but rather a slow, painful death ) and the devs cannot do the job without standards legislated into place

    2) the biggest scammer asshole, Bill Gates, remains at large rather in a coffin where he should be

    3) NoSript is a good thing but some day my human frailty and a well executed temptation from a people-savvy hacker/phisher/asshole will lure me into putting his scam site on NoScript's whitelist thereby revealing my bank account number and PIN or other useful personal info

    ... I have 2 computers on a wired (no WiFi) LAN with hardware NAT router, KVM switch and 1 monitor, Avast! anti-virus on both machines, as follows:

    1) my unsecure machine: my newer, faster machine, used for games (on and offline), surfing porn sites, MSN, torrent, hotmail, i.e. all the dangerous stuff, it does not block Javascript from any site, never used for online banking or any activity that reveals anything about me that a hacker might find useful, all[/b] user info typed on this machine (name, location, birth date, sex, etc.) is bogus, the only truthful info I give on that machine is my timezone and I frequently lie about that too. The strategy is... if there is nothing on this machine but lies and useless personal info then I can surf wherever I want safely and the hackers can have fun trying to use the bogus info they steal from me.

    2) my secure machine: my old, slower machine, I run Simply Accounting and other business related software on this machine, use it to access my primary email account (via SMTP and POP3, not HTTP), my online banking and PayPal, absolutely no other sites, no exceptions, it does not share directories with my unsecure machine, no MSN/Yahoo Messenger, no torrents, no games, just Simply Accounting, Avast! anti-virus, a few trusted business softwares, and FireFox with NoScript set to allow Javascript only from my online bank account and PayPal.

    I suppose a hacker could trick me into downloading and installing software onto my unsecure machine that would defeat whatever security mechanisms are in place to access the disk on my secure machine and steal valuable info but I don't know what else I can do. NoScript is adequate if you know who you can trust but I don't think I can ever know that in every case.

Bad Behavior has blocked 3062 access attempts in the last 7 days.