I'm pleased to announce that ABE, the Application Boundaries Enforcer meant to fight CSRF and related web attacks, has finally been included in a stable NoScript release: version 1.9.5, available here.
It's been quite a long development journey since my first announcement, made possible by NLNet's foresight, and it required more than one month of beta testing: among the thousands of
testers victims I inflicted twenty builds upon, I must especially thank therube, GÂµÃ¥rÃÃ¯Ã¥Ã±, Tom T., Alan Baxter, dhown and the other friends at the NoScript forum, who devoted their time to aid debugging and optimization. A special thanks goes also to Edoardo "Sirdarckcat" Vela, talented hacker and loyal NoScript fan, who offered many useful suggestions to model the threats which ABE can counter react.
Great but.. now that I've got ABE, what can it do for me?
If you've got latest NoScript version installed on Firefox 3.0.11 or another compatible Gecko >= 1.9 browser, you'll notice a new "ABE" tab in NoScript Options|Advanced. There you can find a list of the loaded "Rulesets", i.e. groups of firewall-like rules (syntax specification PDF).
Rulesets can be:
- Built-in like the "SYSTEM" ruleset, shipping with ABE and meant to provide automatic protection against "general" threats; you don't want to edit them unless you know exactly what you're doing.
- User-defined like the "USER" ruleset, which is empty for you to customize according to your needs.
- Subscription-provided, coming from a centralized location which delivers "trusted" rules (not supported yet).
- Site-specific, created and made automatically available by site developers or administrators to protect their own web applications.
All these rulesets (built-in, yours, centralized and site-specific) cooperate to properly insulate your most sensitive web applications and prevent them from being abused by unrelated malicious web sites.
Drop-in LocalRodeo replacement
The "SYSTEM" built-in ruleset currently contains just one rule definition:
Site LOCAL Accept from LOCAL Deny
This simple rule protects your local network from CSRF attacks coming from outside, for instance from a malicious web page trying to hack your router. If this scenario does not sound new to you, maybe you've heard of LocalRodeo, an experimental Firefox extension which was meant to defeat exactly this kind of internet-to-intranet threats. In facts, the default ABE configuration shipping with NoScript 1.9.5 and above is as effective as LocalRodeo at least, but more performant, especially when DNS queries are involved, and much more flexible, since it's not limited to this specific attack scenario: if you're using both NoScript and LocalRodeo, it's time to uninstall the latter.
ABE for web authors
While centralized subscriptions aimed to protect the most popular web applications have been planned but are not implemented yet, you as a web author can already start experimenting how to protect your own web application by enforcing your own rules.
Just deploy your
file at the root of your HTTPS site and be sure to check Allow sites to push their own rules in the ABE options panel. This preference is initially disabled in 1.9.5, but this default will be likely inverted in next stable iteration, as soon as it gets enough testing.
More details here.