Clickjacking and Other Browsers (IE, Safari, Chrome, Opera)
Posted by: Giorgio in IE, Clickjacking, Google, Mozilla, Security, NoScript
During the past few days I've been repeatedly asked the same question:
Is there anything that users of IE, Chrome and other browsers (who cannot use NoScript) can do to protect themselves from clickjacking?
If you read my previous post about it, you already know that currently the only way to protect yourself is disabling JavaScript, plugins/ActiveX and IFRAMEs.
NoScript is the most elegant and usable solution to do it for browsers based on Mozilla technology (like Firefox), because it gives you a quick one-click way to enable the missing technologies on sites you trust and remembers your choices in a whitelist, becoming almost unnoticeable after some "training" about your surfing habits.
Unfortunately, this is not as easy, bearable or even feasible if you use a browser not supported by NoScript (other than Lynx or Elinks).
Let's see what you can do with IE, Safari, Chrome and Opera:
- Internet Explorer
Open Internet Options|Security, select the "Internet" zone and set the "Security level for this zone" control to "High".
Bad news: there's no apparent way to disable IFRAMEs in IE: you can just disable "Launching programs and files in IFRAME", which is definitely not enough to prevent clickjacking.
Furthermore, while Microsoft's "Internet Zones" can allow individual sites for scripting or active content, their usability is extremely poor compared to NoScript, requiring several clicks and typing to build a whitelist. So, to recap: MSIE can't be secured 100% against clickjacking, and the protection you can get comes with a big usability cost.
- Safari
Apple's browser has a central place to disable active content in its Preferences|Security tab.
There are two pieces of bad news here: there's no means to enable features selectively (per site), and IFRAMEs cannot be disabled in any apparent way (Mac users, please let me know if I'm missing something). Therefore Safari can't be secured 100% against clickjacking, and the protection you can get comes with an enormous usability cost.
- Chrome
If you're a Chrome user, you're really out of luck: the only apparent way to disable active content is starting the browser with the following command line:
chrome.exe -disable-javascript -disable-java -disable-plugins
Of course, you cannot enable any of these features again until you restart your browser with different command line arguments. Even worse, there's no "-disable-iframe" option. So Chrome can't be secured 100% against clickjacking, and the protection you can get comes with the worst usability cost.
- Opera
Opera has the best built-in security user interface among browsers, very similar to NoScript's concepts: you can set restrictive defaults if you want, and relax some restrictions on selected sites you trust, using Site Preferences and Quick Preferences. It's just slightly less usable than NoScript, and it can be configured to prevent clickjacking: you need to disable everything you can see in Preferences|Advanced|Content, then enter opera:config in your address bar, click the "Extensions" handle and uncheck the "IFrames" line.
Final note: current NoScript development versions (1.8.1.7 and above) provide protection against IFRAME-based clickjacking even without disabling IFRAMEs. This is a further usability/security advantage over any other solution, and it's being tested by Sirdarckcat (a pioneer of malicious CSS overlays) with a final stable release planned for the end of this week. Therefore, if you can choose, your best usability+security choice is still Firefox+NoScript.
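The post's recurring point is that the usable defence is a per-site whitelist (NoScript's model) rather than a global "disable everything" switch, with IFRAMEs neutralised on sites you have not trusted. The following user-script sketch is an added illustration of that model, not code from the post or from NoScript: it keeps a whitelist of trusted hosts, hides every frame on non-whitelisted pages (the `display:none !important` approach a commenter suggests for Safari's user style sheet), and on trusted pages still flags a frame that is nearly transparent yet clickable, which is the shape of a CSS-overlay clickjack. The whitelist entries, the `frame` descriptor fields and the sample frames in the test are constructed for the example; the DOM-applying part is an assumption about how one would wire it into a Greasemonkey-style script.

```javascript
// Added example: NoScript-like frame whitelisting as a user script sketch.
// Not the original post's code and not NoScript's implementation.

// Constructed whitelist (assumption): hosts where active content and frames are allowed.
const TRUSTED_SITES = ["example.com", "mail.example.org"];

// True when `hostname` is a whitelisted site or a subdomain of one.
function isTrusted(hostname, whitelist = TRUSTED_SITES) {
  const host = String(hostname).toLowerCase();
  return whitelist.some(site => host === site || host.endsWith("." + site));
}

// Heuristic for the classic overlay: a frame the user cannot see but can still click.
// `frame` is a plain descriptor {src, opacity, visibility, pointerEvents} so the
// decision logic runs without a DOM (computed-style values are strings).
function looksLikeOverlay(frame) {
  const opacity = Number(frame.opacity);
  const invisible = (!Number.isNaN(opacity) && opacity < 0.1) || frame.visibility === "hidden";
  return invisible && frame.pointerEvents !== "none";
}

// Decide what to do with each frame on a page served from `pageHost`.
// Returns [{src, action}] with action "allow", "hide" or "flag".
function decideFrames(pageHost, frames, whitelist = TRUSTED_SITES) {
  if (!isTrusted(pageHost, whitelist)) {
    // Untrusted site: frames are not rendered at all, so nothing can be overlaid.
    return frames.map(f => ({ src: f.src, action: "hide" }));
  }
  // Trusted site: frames stay usable, but an invisible clickable frame is still suspicious.
  return frames.map(f => ({ src: f.src, action: looksLikeOverlay(f) ? "flag" : "allow" }));
}

// Browser side (assumed wiring): read computed styles, apply decisions to the elements.
function applyToDocument(whitelist = TRUSTED_SITES) {
  const entries = Array.from(document.querySelectorAll("iframe, frame")).map(el => {
    const cs = getComputedStyle(el);
    return { el, src: el.src, opacity: cs.opacity, visibility: cs.visibility, pointerEvents: cs.pointerEvents };
  });
  const decisions = decideFrames(location.hostname, entries, whitelist);
  decisions.forEach((d, i) => {
    const el = entries[i].el;
    if (d.action === "hide") {
      el.style.setProperty("display", "none", "important");
    } else if (d.action === "flag") {
      // Make the overlay visible so the user can see what they would really be clicking.
      el.style.setProperty("opacity", "1", "important");
      el.style.setProperty("outline", "3px solid red", "important");
    }
  });
  return decisions;
}

// Only touch the DOM when running inside a browser.
if (typeof document !== "undefined") applyToDocument();
```

The subdomain match in `isTrusted` deliberately requires a dot boundary, so trusting `example.com` does not trust `notexample.com`; a whitelist that matched on substrings would be trivially bypassed by registering a look-alike domain.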
September 30th, 2008 at 12:46 am
The paranoia police send their regards
September 30th, 2008 at 5:39 am
Do you have any idea of telling this to Google so they can do something about it??
Also, I thought that Chrome would be the most secure browser.. :P
pls comment on this!!
September 30th, 2008 at 7:05 am
BTW: There is a browser using WebKit (on OSX) which allows you to disable iframes: OmniWeb (from the good old Omni Group :)
Most people haven't ever heard of this one I guess ...
September 30th, 2008 at 8:55 am
Pioneer? I don't think you realise how old this attack is.
September 30th, 2008 at 12:49 pm
hackademix.net » Clickjacking and Other Browsers (IE, Safari, Chrome, Opera)
Opera has the best built-in security user interface among browsers ... and it can be configured to prevent clickjacking
October 2nd, 2008 at 4:13 pm
To disable iframes in Safari you could just add `iframe { display:none !important; }` to your user style sheet (which can be added via Safari's Advanced Preferences). `display:none;` prevents any iframe from being interactive and disabling JavaScript (which you've already mentioned) will prevent any JavaScript in the iframe from running.
October 3rd, 2008 at 1:15 am
[...] Clickjacking and Other Browsers (Hackademix) [...]
October 4th, 2008 at 2:02 am
[...] as the mother of all browser vulnerabilities, today Giorgio Maone explains how to protect ourselves against the threat… if indeed [...]
October 7th, 2008 at 8:28 pm
[...] Below is a guide to protecting yourself against, or reducing the risk of, ClickJacking-type attacks in each browser. Adapted from Clickjacking and Other Browsers (IE, Safari, Chrome, Opera). [...]
October 9th, 2008 at 6:01 pm
[...] vulnerabilities in Microsoft’s Internet Explorer and how to fix them. Here’s a pretty good article that will tell you what, if anything, you can do to protect yourself from clickjacking if you use [...]
October 20th, 2008 at 2:48 am
[...] for other browsers Giorgio Maone published “Clickjacking and Other Browsers (IE, Safari, Chrome, and Opera)” on his Hackademix.net web site, where he explained what if anything can be done to prevent [...]
October 20th, 2008 at 7:22 am
Chrome is not the horse to bet on: watch the Iron fork of Chromium or wait for a security minded fork.
October 26th, 2008 at 6:30 pm
[...] Regarding protection, if you’re a Firefox/NoScript user you should already know about ClearClick. If you’re not, I feel a bit sorry for you. [...]
November 14th, 2008 at 4:16 am
[...] Clickjacking and Other Browsers [...]
November 21st, 2008 at 9:01 pm
[...] Clickjacking and how to protect ourselves - Clickjacking and Other Browsers (IE, Safari, Chrome, Opera) [...]
November 27th, 2008 at 12:40 am
[...] possibly the least obtrusive method of protecting yourself from clickjacking, and although you can address that in Opera, it [...]
February 2nd, 2009 at 6:54 pm
[...] If you do not want to use another browser, here are ways to mitigate your Clickjacking risk with other browsers. [...]
May 20th, 2009 at 2:00 am
Thank you. It's wonderful.
June 17th, 2009 at 11:35 pm
[...] for Firefox, NoScript, could give complete protection; its creator even advises how to configure other browsers to achieve the same level of protection on them (Opera being the only one that allows [...]