[Cryptography] defaults, black boxes, APIs, and other engineering thoughts

Jonathan Thornburg jthorn at astro.indiana.edu
Mon Jan 6 01:18:30 EST 2014


On Sun, 5 Jan 2014, Paul Ferguson wrote:
> One small contribution to this discussion, although somewhat adjunct, is
> that browsers can be made much "more armored" or resistant to
> exploitation with only a simple plug-in (or two).
> 
> For example, my Firefox 24.2.0 + NoScript 2.6.8.10 is *much* more
> resistant to almost any in-browser exploitation, when properly
> configured and used. But there's the rub. It ain't for everyone.

I emaphatically agree.  NoScript offers a lot of protection, but its
cost in usability is pretty high.  Many websites work fine without
javascript, but alas a fair number of (badly designed) websites fail,
often in unobvious ways.

When the failure mode is "I can't login" that's at least a
fail-safe system.  But when the failure mode is "I'm trying to do
$very_important_transaction and have entered all my credit-card and
other information and clicked the "make it so" button, then the
website hangs (endlessly showing a spinner animated-gif) with no
indication of whether or not my transaction went through", well,
that's a more serious problem.  Alas, it's one that occurs fairly
often with NoScript, so much so that I tend to disable NoScript
before doing $very_important_transaction on any website where I
haven't successfully used NoScript before.

I think the root of the problem is that many websites use 3rd-party
processors for some functionality, and the 3rd-party website must
be whitelisted (to allow its javascript to run) BEFORE the transaction
starts in order for things to function properly.  Alas, there's often
no way to find out just which 3rd-parties need to be whitelisted
(leaving aside the issue of whether or not they're trustworthy)
ahead of time. :(

It would be nice if NoScript had a "temporary disable" feature,
i.e., a "allow scripts globally, but only for {the next 10 minutes,
the lifetime of this browser tab, or some other short time}.
But so far as I can tell, this feature doesn't exist.

-- 
-- "Jonathan Thornburg [remove -animal to reply]" <jthorn at astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
    at any given moment.  How often, or on what system, the Thought Police
    plugged in on any individual wire was guesswork.  It was even conceivable
    that they watched everybody all the time."  -- George Orwell, "1984"


More information about the cryptography mailing list