Finally NoScript 1.8.2.1 is out, featuring the announced new anti-clickjacking countermeasures enabled by default, independent from IFRAME and plugin content blocking settings.
The most specific and ambitious is called ClearClick: whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element which is partially obstructed, transparent or otherwise disguised, NoScript prevents the interaction from completing and reveals you the real thing in “clear”. At that point you can evaluate if the click target was actually the intended one, and decide if keeping it locked or unlock it for free interaction. This comes quite handy now that more dangerous usages of clickjacking are being disclosed, such as enabling your microphone or your webcam behind your back to spy you through the interwebs.
As you already know if you read my first clickjacking article, an old and benign clickjacking example is NoScript’s “Install Now” orange button, which overlays the green one on addons.mozilla.org to work-around the installation security warning. If you click it with ClearClick enabled, now you get warned about something sneaky going on.
I do not need to change my button yet, because NoScript 1.8.2.1 ships with ClearClick enabled on untrusted (non whitelisted) parent pages only, while the whitelist status of the embedding is irrelevant. This gives a good balance between effectiveness and usability, since the attacker in a clickjacking attack is always the parent. If you want to get the warning on noscript.net and on the other sites you trust, you need to flag the second checkbox on NoScript Options|Plugins|ClearClick protection on pages… [x] untrusted [x] trusted. I recommend to flag it anyway and report any usability issue, because this feature so far seems quiet and unobtrusive enough to justify my temptation of enabling everywhere (trusted + untrusted) by default on next stable release, but it must get a lot of testing from you first.
Update
NoScript 1.8.4 and above ship with ClearClick enabled on both untrusted and trusted sites. It works everywhere, even if you’ve got scripts globally allowed. And yes, at that point I had to change noscript.net install button, therefore if you want a PoC you need to look elsewhere.
Other clickjacking-related features included in this release are:
- Opaque embedded objects: plugin content and frames are forcibly made opaque and get styled with “overflow: auto” (i.e. get scrollbars if their inner size exceed their viewport) on untrusted pages.
- Frame Break Emulation: if a framed page which is not allowed to run JavaScript contains a “frame busting” script similar to
<script>if (top != self) top.location = location</script>, the intention of the page author is honored by NoScript, i.e. the page replaces the topmost document. You can control this feature toggling the noscript.emulateFrameBreak about:config preference. - Some usability and effectiveness improvements in frame management, making the Forbid IFRAMEs option more suitable for general usage.
I hope to find some time during this week to write another post, diving through the technical details behind my ClearClick implementation: a fairy tale about a very simple and hopeful idea (unconventional <canvas> usage) fighting against an army of quirks and mundane details. In the meanwhile, many thanks to Sirdarckcat, RSnake, Michal Zalewski and Matt Mastracci for discussion, testing and inspiration.
s/beetween/between/ in the dialog.
@Nick:
thanks, it’s not the only typo in this release. Translators notified some more, they are all fixed in current trunk.
I just want to thank you very much for creating NoScript.
It’s the only add-on I installed in Firefox, and it’s probably in my top 5 of free software I’m using. Thank you!
Hi,
I noticed a problem with clearclick enabled for trusted sites.
The map on the left side of
http://www.call-a-pizza.de/bestellen/deutschland
is no longer clickable with ClearClick enabled for trusted sites (the site is temp. trusted by me)
Thank you from an MVP who prefers Firefox with NoScript. ;)
NoScript is awesomely useful as ever, but I’ve found a case where ClearClick gets in the way of normal use: Gmane! (yes, I have toggled on apply to trusted sites)
Try putting the focus in the message pane to scroll, ClearClick alerts you.
http://thread.gmane.org/gmane.comp.php.devel/47609
I notice that the default setting for NoScript’s ClearClick feature only activates it for untrusted sites. Since I’ve had my own site hacked by Chineese hackers who put iframes on it, I think it might be best to also activate it for trusted sites, which is an option.
There’s an incompatibility between ClearClick and NewsFox (as version 1.0.3.1 with NoScript up-to-date). It detects when you clic on a website inside de feed reader as a clickjacking. I didn’t know where to put bug reports, so here it is.
I just installed 1.8.2.2, and decided to test it on the example you gave. If I click on the left side of the button, it shows just the download count, and white space if I toggle it. If I click on the right side of the button, it shows a wide area including the download count and the left side of the green download button, and just the left side of your button if I toggle it.
I’m on XPSP2 with Win2K-style windows; don’t know if that has any bearing on the issue.
I also notice that ReCaptcha gives me several clickjacking warnings when I click on it. And I had to copy text to a textbox to use it.
Thanks for this!
So what exactly does the "Keep this element locked" option do? The NoScript FAQ page and this completely fail to describe that option. For the record, I have NoScript applying its rules to trusted sites as well as untrusted ones, and I got this warning while trying to create a new tab (Ctrl-T) while using the Brief rss reader plugin.
In addition, the reCAPTCHA block in the reply submission form gets blocked with my default NoScript settings. Manually loading it gives some message about a JavaScript-free version. Clicking on that panel generates a clickjacking warning.
@David Smith et al:
“Keep this element locked” does what it says, i.e. prevents free interaction with the element whose sight is “unclear”. If you uncheck that option, you can interact freely with that element.
Some false positive triggered either by extensions which, like Brief, mix chrome and content in frames have already been fixed in latest versions.
I’m currently analyzing the ReCaptcha issue, which seems caused by a rendering glitch (the images differ for the thickness of a couple lines only). The good thing of ClearClick, BTW, is that you can actually compare the top and the bottom of your click area by yourself (clicking on the image shown in the dialog) and decide if it’s a false positive or something you should be scared of with no need for specific technical knowledge.
Very impressive.
Hi, thx, clearClick triggered lots of warnings using Evernote, but seems to work ok now, thx!
=)
Giorgio:
the current version 1.8.2.8 slightly degrades the acid3 test score, why?
I am using the Firefox 3.1 beta version available here: http://tinyurl.com/4rz2fn (win32 installer) that normally scores a 97 on acid3 with no script disabled or using earlier noscript versions from a week or so ago.
acid3 problem is FIXED on version 1.8.3 woohoo!
thanks, man
you’re the best!
Great extension. I have only one complain.
Stop updating every day. It is annoying !!!
Gather all fixes and/or futures an do it every 15-30 days.
Gee men…!!!
Every day that i open my browser NoScript is asking to Update.
#47 Nessus
Each update is an improvement. And when it comes to security, I’m grateful for these numerous AND FAST improvements. The more the better.
I have used No-Script since Firefox, and love it…great to see improvement in an already excellent product.
Video of presentation of ClickJacking at Owasp:
http://video.google.com/videoplay?docid=-5747622209791380934&hl=en
Whitepaper about clickjacking:
http://www.sectheory.com/clickjacking.htm
Techniques on how to make effective clickjacking attacks:
http://sirdarckcat.blogspot.com/2008/10/about-css-attacks.html
Greetz!!
Yes, I just got that update!
loved it and blogged it!!!
http://ajabgajab.blogspot.com/2008/11/smarter-no-script-goodbye-clickjacking.html
Thanks. NoScript is a wonderful addon.
Could I get some more explanation of what is actually going on? I sometimes get clickjacking warnings on a site I often visit. Where can I get more information on what is going on and what the hijacked link is, so that I can make the decision whether to allow or not based on facts rather than on my hunch that the site is bona fide or that if NoScript says it’s bad, it probably is.
@Andrè Engels:
The simplest thing you can do is comparing the two images taken by NoScript (the one obstructed and the one “revealed”) by clicking on the green-bordered box on the warning.
If that seems a false positive, please try to install latest development build, and if the problem persists let me know where it happens.
@Giorgio
Thanks for the comment on my recent post about a possible false positive. I’ve posted the information to the forum with the screenshots. Please let me know if you need any other information.
help…
possible false positive???
http://i38.tinypic.com/29kvyog.png
Thanks to NoScript it blocked clickjacking attempts from maps.google.com.
It also blocked XSS attacks.
whats going on? it’s blocked
What kind of douchey word is "interwebs"?