Archive for January, 2010

Just read about it, and nominations close today, so hurry up and show your love:
2010 Reader's Choice Awards: Best Privacy/Security Add-On.
Who you gonna call?

P.S.: bring your nest :)

Interesting idea by Samy (yes, that Samy):

Here is a proof of concept in what I'm calling NAT Pinning ("hacking gibsons" was already taken). The idea is an attacker lures a victim to a web page. The web page forces the user's router or firewall, unbeknownst to them, to port forward any port number back to the user's machine. If the user had FTP/ssh/etc open but it was blocked from the router, it can now be forwarded for anyone to access (read: attack) from the outside world. No XSS or CSRF required.

In short, he exploits a smart mechanism in modern network equipment, which graciously and "magically" NATs on the fly arbitrary ports when certain handshake patterns are detected in outbound traffic, allowing (usually older) protocols which require a "call back" connection (like FTP, IRC or SIP) to work properly.

Good news is that ABE can prevent exploitation without hampering the useful functionality. If you're concerned about this issue, you just need to open NoScript Options|Advanced|ABE and edit the "USER" ruleset, adding the following rule:

# NAT Pinning blockage (blocks outbound HTTP traffic to unlikely ports)
Site ^https?://[^/]+:[0-35-7]
Deny
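
To see what the Site pattern of the rule above covers, it can be exercised as a JavaScript regular expression. This is an added example, not code from the original post or from NoScript; the function names and the example.com sample URLs are constructed, and it assumes ABE tests the pattern against the full request URL.

```javascript
// Added example: the Site pattern of the ABE rule above as a JavaScript RegExp.
// Assumption: ABE tests the pattern against the full request URL.
const NAT_PINNING_SITE = /^https?:\/\/[^/]+:[0-35-7]/;

// True when the rule would apply to (and so block) a request for this URL.
function ruleMatches(url) {
  return NAT_PINNING_SITE.test(url);
}

// Leading port digits the pattern does NOT cover (such requests still pass).
function uncoveredLeadingDigits() {
  return [..."0123456789"]
    .filter(d => !ruleMatches(`http://example.com:${d}0/`))
    .join("");
}

// Constructed sample URLs; hosts and ports are illustrative only.
const SAMPLES = [
  ["http://example.com/", "no explicit port"],
  ["https://example.com:443/", "standard HTTPS port"],
  ["http://example.com:8080/app", "common alternate HTTP port"],
  ["http://example.com:21/", "FTP control port"],
  ["http://example.com:6667/", "IRC port"],
  ["http://example.com:5060/", "SIP port"],
  ["http://example.com/go?to=host:6667", "port-like text after the path starts"],
  ["http://user:1234@example.com/", "numeric userinfo password (false positive)"],
  ["http://[2001:db8::1]/", "IPv6 literal, no port (false positive)"],
];

// One result object per sample: { url, note, blocked }.
function report() {
  return SAMPLES.map(([url, note]) => ({ url, note, blocked: ruleMatches(url) }));
}

for (const r of report()) {
  console.log((r.blocked ? "DENY  " : "pass  ") + r.url + "  # " + r.note);
}
console.log("leading port digits not covered:", uncoveredLeadingDigits());
```

Ports whose first digit is 4, 8 or 9 fall outside the pattern, which is what keeps 443 and 8080 working; URLs with numeric userinfo or an IPv6 literal can match even though no port is present.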

Bad news is that Java, Flash, Silverlight and maybe other plugins can open raw sockets bypassing any browser control, including ABE. Just another reason to keep them at bay.

Thanks to Thoughtcrime for bringing this to my attention, and to Samy for the chat we had this afternoon.

Pop-under windows are a popular alternative to their pop-up precursors in the advertising industry, officially because the former pretend to be less intrusive than the latter, but more likely because pop-up blockers (such as Firefox's built-in) are not exceedingly effective against them.

NoScript users should not be overwhelmed by these annoyances, especially when they're delivered through external scripts provided by 3rd party advertising agencies, whose hosts are blocked by default.

However, an increasing number of web sites, especially adult-oriented ones, use Javascript code embedded in the page itself to produce pop-unders: therefore, if the user is forced by other means to enable page Javascript (e.g. by requiring scripting to decode image URLs on the fly, like happens on, the pop-under will unavoidably succeed. Well, almost unavoidably.

For some time now NoScript has been providing a page-level script surrogate to kill's pop-unders. Actually, since the most recent NoScript versions execute page-level script surrogates also on script-disabled pages, you could even use a surrogate to decode images while keeping Javascript disabled (such a feature will probably be included in the next NoScript release).

However, the just released NoScript enhances and generalizes the previously imagefap-specific surrogate, making it effective against a much wider range of web sites: certainly all those hosting AWEmpire's ads, but potentially many many more.

The noscript.surrogate.popunder.sources about:config preference, listing the URL patterns where this surrogate applies, currently looks like this:

@* * * *

Theoretically you should add there the sites requiring Javascript and spawning pop-unders (are you sure they're worth your whitelist, though?)
However, since running this surrogate does not add more than one millisecond to your page loading and should not have any notable side effect, if you feel adventurous you can change the preference above into


meaning that all the HTTP unencrypted web sites will enjoy pop-under immunity. If you experience problems with this setting (especially links which don't react to your clicks even if Javascript is enabled) and they're fixed by restoring the default, or just find a web site where pop-unders survive, please let me know.


After quite extensive testing, this Anti-Pop-under surrogate seems unlikely to break anything. Therefore, NoScript turns it on by default for every HTTP unencrypted web site. If you want you can tweak it by editing either the noscript.popunder.source or the noscript.popunder.exceptions about:config preferences.
