Archive for September 29th, 2008

During the past few days I've been repeatedly asked the same question:

Is there anything that users of IE, Chrome and other browsers (who cannot use NoScript) can do to protect themselves from clickjacking?

If you read my previous post about it, you already know that currently the only way to protect yourself is disabling JavaScript, plugins/ActiveX and IFRAMEs.
NoScript is the most elegant and usable solution to do it for browsers based on Mozilla technology (like Firefox), because it gives you a quick one-click way to enable the missing technologies on sites you trust and remembers your choices in a whitelist, becoming almost unnoticeable after some "training" about your surfing habits.

Unfortunately, this is not as easy, bearable or even feasible if you use a browser not supported by NoScript (other than Linx or Elinks).
Let's see what you can do with IE, Safari, Chrome and Opera:

  • Internet Explorer

    IE's security settingsOpen Internet Options|Security, select the "Internet" zone and set the "Security level for this zone" control to "High".
    Bad news: there's no apparent way to disable IFRAMEs in IE: you can just disable "Launching programs and files in IFRAME", which is definitely not enough to prevent clickjacking.
    Furthermore, while Microsoft's "Internet Zones" can allow individual sites for scripting or active content, their usability is extremely poor if compared to NoScript, requiring several clicks and typing to build a whitelist. So, to recap: MSIE can't be secured 100% against clickjacking, and the protection you can get comes with a big usability cost.

  • Safari

    Safari's security settingsApple's browser has a central place to disable active content in its Preferences|Security tab.
    Bad news here are two: there's no mean to enable features selectively (per site), and IFRAMEs cannot be disabled in any apparent way (Mac users, please let me know if I'm missing something1). Therefore Safari can't be secured 100% against clickjacking, and the protection you can get comes with an enormous usability cost.

  • Chrome

    If you're a Chrome user, you're really out of luck: the only apparent way to disable active content is starting the browser with the following command line:

    chrome.exe -disable-javascript -disable-java -disable-plugins
    

    Of course, you cannot enable back any of these features until you restart your browser with different command line arguments. Even worse, there's no "-disable-iframe" option. So Chrome can't be secured 100% against clickjacking, and the protection you can get comes with the worst usability cost.

  • Opera

    Opera has the best built-in security user interface among browsers, very similar to NoScript's concepts: you can set restrictive defaults if you want, and relax some restrictions on selected sites you trust, using Site Preferences and Quick Preferences. It's just slightly less usable than NoScript, and it can be configured to prevent clickjacking: you need to disable everything you can see in Preferences|Advanced|Content, then enter opera:config in your address bar, click the "Extensions" handle and uncheck the "IFrames" line.

Final note: current NoScript development versions (1.8.1.7 and above) provide protection against IFRAME-based clickjacking even without disabling IFRAMEs. This is a further usability/security advantage over any other solution, and it's being tested by Sirdarckcat (a pioneer of malicious CSS overlays) with a final stable released planned for the end of this week. Therefore, if you can choose, your best usability+security choice is still Firefox+NoScript.

Bad Behavior has blocked 786 access attempts in the last 7 days.