Tuesday, April 28, 2009

Firefox and NoScript, and Clickjack Alerts

Surfing the web, with all of the potential dangers in surfing to any web site known and unknown, is an adventure. Some of us use Firefox with NoScript, which improves the odds in our favour ever so slightly, and helps us to enjoy the adventure. NoScript epitomises the Unix security principle "Deny by default, Permit by exception", and explicitly requires you to designate each newly surfed web site as trusted. If you're a Firefox / NoScript user, you may have recently noted a new feature in NoScript - "Clickjack Alerts" - which accentuates the adventure occasionally.

Some folks may even have seen a Clickjack Alert pop up when logging in to Blogger. Obviously, this doesn't give us a feeling of ease as we log in. So the question

    Should I keep the "lock item" box checked, as NoScript recommends?

is to be expected.

I think the decision to leave locked, or to unlock, any script that we use often should be made on two bases.
  • Convenience.
  • Security.

Obviously, unlocking any frequently used script, such as the Blogger login, is more convenient. If you trust an often used script, you'll want to unlock it, or you'll end up verifying it each time you use it. As long as there's no chance that you're being lured to an imposter web site (in which case you would not really be logging in to Blogger at all), unlock the scripts that you run repeatedly, such as the Blogger login.

Unlocking any frequently used script is better security too. If you leave a frequently used script locked, you'll get used to clicking "Accept" over and over, routinely, until the alert carries no meaning. One day, when you surf to a dodgy web site and are given a clickjack alert, you'll click "Accept" there too. If instead you intentionally enable the scripts you trust, a clickjack alert on a dodgy web site will stand out, and you'll be less likely to Accept a genuine clickjack exploit.

So unlocking frequently used scripts, even though NoScript may consider them potential clickjack exploits, is good for both convenience and security. If you trust the script, unlock it. And when you get a clickjack alert, don't accept it unless you explicitly know that the web site is trustworthy.


1 comment:

bytehead said...

I've had issues where merely clicking on a blank space to get focus back on the window has raised a ClickJack alert. I've been clickjacked exactly once (before they even had this in NoScript), and because of the "false positives", I've turned it off. I also yelled about it in a forum, but I don't recall any response to it. I haven't been clickjacked since either.