Tuesday, June 23, 2009

Mozilla Fights XSS With CSP


H-online reports that Mozilla is implementing a new Content Security Policy (CSP) to guard Firefox against cross-site scripting attacks (PDF link). Cross-site scripting attacks, also known as XSS attacks, are a huge problem for today's web users. Basically, XSS attacks take advantage of the fact that today's websites draw content from many different servers. You may be on one website, but that website is displaying ads which run on JavaScript code from an ad server operated by another company. And that cute little widget that shows the time? It might also be running on code from yet another server owned by yet another company. And finally, those embedded videos we love to watch on the web are all running with code from YouTube or some other large video website. Worse yet, each of those third-party servers may be running third-party code themselves.

It all starts to sound like an AIDS awareness commercial from the '90s—when you browse on one website's server, you're browsing on every server that server has been in contact with. And that is indeed the result: a hacker can hack one website and spray malicious code all over the Internet, compromising millions of PCs with a single attack.

While Firefox's NoScript extension includes protection against XSS attacks, it has plenty of problems of its own. For one thing, it has trouble telling bad third-party JavaScript from good. Every time I click on the New Post link on my own blog, NoScript asks me to confirm because it thinks that it might be an XSS attack. Furthermore, the author of NoScript has been accused of whitelisting the ad servers which place ads on the NoScript website and of breaking extensions which try to block those ads anyway. While the author of NoScript has apologized for this behavior, it points to a potential problem with attempts to fight XSS attacks.

Mozilla's new policy also involves whitelisting known safe websites, and it probably holds the same potential for conflict of interest. But with the web becoming more interconnected all the time, and with the rise of social networking, servers now swap code constantly, and a system like the one Mozilla is planning to implement will be necessary to stop malicious hackers from using XSS to attack PCs.
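To make the whitelisting concrete, here is an added example (written for this post, not Mozilla's implementation) of how a browser decides whether a script may run under a CSP: it parses a policy, then checks each script's origin against the `script-src` whitelist, falling back to `default-src`. It assumes the directive syntax CSP later standardized, and every hostname in it is a constructed sample.

```javascript
// Minimal evaluator for a CSP script whitelist (added example; assumes the
// standardized "default-src"/"script-src" syntax; hostnames are constructed).
function parsePolicy(policy) {
  // "default-src 'self'; script-src 'self' ads.example.com" -> { directive: [sources] }
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function sourceMatches(expr, pageOrigin, scriptUrl) {
  // A source expression is 'none', 'self', '*', a bare scheme ("https:"),
  // or a host expression with optional scheme and optional "*." wildcard.
  if (expr === "'none'") return false;
  if (expr === "'self'") return scriptUrl.origin === pageOrigin;
  if (expr === "*") return true;
  if (expr.endsWith(":")) return scriptUrl.protocol === expr;
  let host = expr;
  let scheme = null;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(expr);
  if (m) { scheme = m[1].toLowerCase() + ":"; host = m[2]; }
  if (scheme && scheme !== scriptUrl.protocol) return false;
  if (host.startsWith("*.")) {
    const suffix = host.slice(1); // "*.widgets.example" -> ".widgets.example"
    return scriptUrl.hostname.endsWith(suffix) && scriptUrl.hostname.length > suffix.length;
  }
  return scriptUrl.hostname === host.toLowerCase();
}

// script is either { inline: true } (an injected <script> body) or { src: url }.
function scriptAllowed(policy, pageOrigin, script) {
  const d = parsePolicy(policy);
  const sources = d["script-src"] || d["default-src"];
  if (!sources) return true; // no applicable directive: nothing to enforce
  // Inline script, the classic XSS payload, only runs if the site opted in.
  if (script.inline) return sources.includes("'unsafe-inline'");
  const url = new URL(script.src);
  return sources.some((expr) => sourceMatches(expr, pageOrigin, url));
}

const samplePolicy = "default-src 'self'; script-src 'self' https://ads.example.com *.widgets.example";
console.log(scriptAllowed(samplePolicy, "https://blog.example", { inline: true }));            // false
console.log(scriptAllowed(samplePolicy, "https://blog.example", { src: "https://ads.example.com/ad.js" })); // true
```

The point is that an injected inline script is refused even though whitelisted ad and widget servers keep working, which is exactly the trade-off the policy makes.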