Archive for March, 2010

Congratulations to David Baron and the others involved for this well thought out fix :)

Time to revisit putting SSL in perspectives, since you can't even trust CAs themselves. I took a cursory look at the Perspectives add-on's code, and it cries for a compatibility & performance rewrite (oh, if I could just find the time!), but it's still the best patch we can currently throw at this problem.

As you may already know, now that Mozilla has fixed the recent Firefox 3.6 "0-day" at light speed and the vulnerability details are public, I can say that the feature protecting NoScript's users against it by default was Forbid @font-face.

The @font-face CSS rule allows web authors to download online typefaces (so called "web fonts") on the fly, enhancing the rendering of their pages' text.
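As an added illustration of the mechanism just described (this is example code written for this page, not NoScript's own implementation), the following Python scanner lists every @font-face rule in a stylesheet and tells which of them would make the browser fetch and parse font data, which is exactly the traffic a "Forbid @font-face" policy keeps away from the font parser. The sample stylesheet and its hostnames are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample stylesheet (made up for this example, not taken from any real site).
SAMPLE_CSS = """
@font-face {
  font-family: "Example Sans";
  src: local("Example Sans"),
       url("https://fonts.example.test/sans.woff") format("woff");
}
@font-face { font-family: Inline; src: url(data:font/woff;base64,AAAA); }
@font-face { font-family: Rel; src: url(../fonts/rel.ttf); }
@font-face { font-family: OnlyLocal; src: local(Arial); }
body { font-family: "Example Sans", sans-serif; }
"""

# One @font-face block: everything between its braces.
FONT_FACE_RE = re.compile(r'@font-face\s*\{(.*?)\}', re.I | re.S)
# The font-family declaration inside a block (value runs up to the ';').
FAMILY_RE = re.compile(r'font-family\s*:\s*([^;]+)', re.I)
# Each url(...) or local(...) entry of the src list; the value is taken up to the
# closing parenthesis, so data: URIs containing ';' are handled correctly.
SRC_ITEM_RE = re.compile(r'\b(url|local)\(\s*(["\']?)(.*?)\2\s*\)', re.I | re.S)


def classify_source(kind, value):
    """Label a single src entry by where the font bytes would come from."""
    if kind.lower() == "local":
        return "local"      # an installed font: nothing is fetched or parsed from the web
    if value.lower().startswith("data:"):
        return "data"       # font bytes embedded in the stylesheet itself
    scheme = urlparse(value).scheme.lower()
    if scheme in ("http", "https") or value.startswith("//"):
        return "remote"     # fetched from another host
    return "relative"       # fetched relative to the stylesheet's own URL


def font_faces(css):
    """Parse every @font-face rule into {"family": ..., "sources": [(label, value), ...]}."""
    rules = []
    for block in FONT_FACE_RE.finditer(css):
        body = block.group(1)
        fam = FAMILY_RE.search(body)
        family = fam.group(1).strip().strip("\"'") if fam else ""
        sources = [(classify_source(kind, value), value)
                   for kind, _quote, value in SRC_ITEM_RE.findall(body)]
        rules.append({"family": family, "sources": sources})
    return rules


def downloaded_font_families(css):
    """Families whose src would make the browser fetch and parse font data.

    Anything other than local() counts: remote and relative URLs are downloaded,
    data: URIs are decoded and handed to the same font parser. These are the rules
    a 'Forbid @font-face' setting prevents from reaching that parser.
    """
    return sorted(rule["family"] for rule in font_faces(css)
                  if any(label != "local" for label, _ in rule["sources"]))


if __name__ == "__main__":
    for rule in font_faces(SAMPLE_CSS):
        print(rule["family"], rule["sources"])
    print("would download:", downloaded_font_families(SAMPLE_CSS))
```

Running it on the sample reports "Example Sans", "Inline" and "Rel" as the families that would trigger font parsing, while "OnlyLocal" only refers to a font already installed on the system; a content-blocking policy that forbids @font-face stops the first three and leaves the page rendering with fallback fonts.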
If you're wondering why NoScript has, for a long time now, been treating web fonts the same way as other "active" embeddings, such as plugin content and HTML 5 media elements, here's an excerpt of an email which Mike Perry (Mr. Torbutton) sent me last year, eloquently advocating this treatment:
Don't panic. Bürger-CERT ("Germany's official cyber-security response team") is warning users against using Firefox until version 3.6.2 (scheduled for March 30th) is out, on the assumption that Secunia SA38608 needs to be considered a 0-day threat, but:

* in its default configuration, and even better in its full content blocking mode.

Update 2010-03-23: In the meantime, Mozilla decided to go through the effort of releasing Firefox 3.6.2 one whole week early for the greater good, so if you haven't seen the "Available update" message yet, just use Help|Check for updates now. Now that the vulnerability details are not embargoed anymore, I can add that exploitation required the browser to load a specially crafted web font. The relevant NoScript feature protecting against this is NoScript Options|Embeddings|Forbid @font-face, which is checked by default.