Local Rodeo Protects Firefox From JavaScript Malware
Keeping up with all the different attack vectors can feel like being the protagonist of Cervantes' famous novel Don Quixote. New threats emerge on a daily basis while protections seem to remain stagnant at best. Users could opt for a radical solution by turning off scripts using NoScript and uninstalling browser plugins like Java and Flash.
That would make most of the Internet unusable, though: many websites would look bad and lose functionality, while some would stop working completely.
Local Rodeo is a Firefox extension that protects Firefox against two types of JavaScript malware. The two types are Intranet Exploration and Anti DNS-Pinning.
Intranet Exploration (i.e. JavaScript portscanning and fingerprinting): The extension classifies all network locations to be either local or external, with local locations being part of the intranet. All HTTP requests that have an external origin (i.e. were generated within the execution context of an external webpage) and a local target (i.e. an intranet resource) are canceled by LocalRodeo.
Anti DNS-Pinning: LocalRodeo detects this attack method by monitoring DNS answers. The switch of a given domain from external to local (or vice versa) is a clear indication of an anti-pinning attack. If such a switch is detected, all further requests from or to the malicious domain are prohibited.
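The two checks described above, sketched as an added JavaScript example (this is not LocalRodeo's own code). It assumes IPv4 only and treats loopback, RFC 1918 and link-local ranges as "local"; the names `classify` and `RequestGuard` are hypothetical.

```javascript
// Added illustration; function and class names are hypothetical, not LocalRodeo's.
// Parse a dotted-quad IPv4 address into an unsigned integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Assumed definition of "local": loopback, RFC 1918 private and link-local ranges.
const LOCAL_RANGES = [["127.0.0.0", 8], ["10.0.0.0", 8], ["172.16.0.0", 12],
  ["192.168.0.0", 16], ["169.254.0.0", 16]];

function classify(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) throw new Error("not an IPv4 address: " + ip);
  const local = LOCAL_RANGES.some(([base, bits]) => {
    const start = ipv4ToInt(base);
    return n >= start && n < start + 2 ** (32 - bits);
  });
  return local ? "local" : "external";
}

class RequestGuard {
  constructor() {
    this.seen = new Map();     // domain -> zone of the first DNS answer observed
    this.blocked = new Set();  // domains whose answers switched zone
  }
  // Record a DNS answer; a switch between zones blocks the domain from then on.
  observeDns(domain, ip) {
    const zone = classify(ip);
    const first = this.seen.get(domain);
    if (first === undefined) this.seen.set(domain, zone);
    else if (first !== zone) this.blocked.add(domain);
    return zone;
  }
  // Decide whether a request from originDomain to targetDomain may proceed.
  allow(originDomain, originIp, targetDomain, targetIp) {
    const originZone = this.observeDns(originDomain, originIp);
    const targetZone = this.observeDns(targetDomain, targetIp);
    if (this.blocked.has(originDomain) || this.blocked.has(targetDomain)) return false;
    return !(originZone === "external" && targetZone === "local");
  }
}
```

Once a domain has switched zones it stays blocked even if later answers revert, which matches the "all further requests" wording above.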
A detailed explanation of Anti DNS-Pinning can be found at the blog of Christian Matthies. The extension was updated to be compatible with Firefox 3 today.
Update: The blog does not seem to be available anymore, but the research paper is still available at the Blackhat website.
DNS pinning was introduced by web browsers to avoid DNS-spoofing attacks facilitated by client-side code execution. A number of factors including incomplete implementation, browser plug-in vulnerability, plug-in integration, and proxy servers have allowed for successful anti-DNS pinning attacks. Using client-side code, such as JavaScript, an internet-based attacker can turn a browser into a proxy server, directing arbitrary attacks at internal servers.
A lot of people don’t realise that NoScript has an ‘Allow Scripts Globally’ mode, where it *doesn’t* block JavaScript or plugins by default.
But in that mode, it still provides the same protection as LocalRodeo, plus protections against clickjacking, cross-site scripting, and miscellaneous other, and you have the option to blacklist scripting on individual websites at any time.
Give it a try (http://noscript.net)! The internet is a safer place with NoScript.
I find having NoScript very useful. You don’t need to have it on all the time, and you can add all the sites you go to to a list of sites to allow script on (Or just do it as you go to them) – it’s really not that hard. However, as said, it can’t filter what scripts can and can’t do.
I use this in combination with AdBlock Plus and Greasemonkey to block any ad and what not that I want. Going to install this and see how it is though (Already got it in, just waiting for an FF restart), looks like it will be good though.
Transcontinental: Never had a problem with NoScript, AdBlock or Greasemonkey slowing my webpage loading down – just saying.
Thanks.
LocalRodeo was just upgraded to version 0.8.5.5
Works well. Thank you
OK Martin, that’s what I thought as well. And, in fine, this is almost a philosophical approach, I think life is essentially conducted throughout filtering attitudes, somewhere between the gullibility of accepting all and the paranoia of refusing all …
Transcontinental: NoScript either blocks or does not block scripts but there is no way to configure what scripts may or may not do as far as I know.
Martin, NoScript can block scripts, but can it filter them as Local Rodeo?
1- I’ve just installed Local Rodeo, googled on the French Renaissance in order to call less obvious DNS requests (does that make any sense?) and noticed no speed drawback
2- I really appreciate “set and go” security, not only because I’m lazy or snob, but because I am not aware of technical issues.
I’ll keep this Local Rodeo extension running and see how things evolve. I like to believe this is one more extra (and important as I’ve read) security measure.
Pietzki NoScript can block all scripts including Flash and Java. Basically everything that is loaded as a plugin into Firefox I assume.
Now this is most interesting, only drawback seems to be a possible noticeable slowdown. I’m giving it a try, thanks for this most valuable info, Martin
@Pietzki, I have no idea of NoScript’s range of features; I don’t use it myself as it seems to me exaggeratedly tedious to analyze every website for a go or not : man, I want to surf in security and peace, but no more.
Wouldn’t NoScript do the same though? Or does that not protect against Java and Flash content? (this is a serious question btw, I don’t know much about scripts)…