Firefox + NoScript: Throw 'Clickjackers' Under The Bus
Is "clickjacking" the security risk some people make it out to be? Not if you're acquainted with one of my favorite Firefox browser extensions.
Clickjacking is definitely the online security threat du jour. Most of this attention came courtesy of an Adobe Flash bug that could allow an attacker to play peek-a-boo with a victim's Webcam. A recent Flash security patch eliminated the problem, and most of the recent media coverage of clickjacking seems to have gone with it.
Even if this form of clickjacking hasn't yet appeared in the form of real-world exploits, it still poses a significant potential threat. For starters, it affects every browser and host operating system; if a browser supports even rudimentary Web standards, it could be vulnerable to clickjacking exploits.
Also, while future versions of these standards may fix the problems, they will take years to ratify and must still ensure backwards compatibility or risk breaking countless millions of Web pages. That means deep-rooted security issues such as clickjacking will be with us for years to come.
So, clickjacking is a creature we all know far too well: a shadowy, poorly understood online security threat with no easy fix -- and with enormous mischief-making potential. What else is new?
Except this time there is an easy fix -- at least for Firefox users.
Better yet, however, the latest version of NoScript includes another new feature that all but eliminates any threat from clickjacking attacks. The new feature, which Maone calls ClearClick, will detect hidden embedded elements on a page and warn users if they click on one of these elements -- before they drop off the current page and drop through the black-hat rabbit hole.
Finally, NoScript will, by default, enable one particular kind of script that responsible Web developers can implement on their sites to detect and root out embedded, probably malicious rogue Web pages. These so-called "framebusting" scripts are an important weapon against clickjacking. Unfortunately, they only protect sites whose administrators are both willing and able to deploy them properly. (In other words, don't hold your breath.)
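A minimal sketch of what such a framebusting script can look like, as an added example that is not code from this article or from NoScript. It assumes the page's stylesheet hides the document by default; `isFramed`, `frameBust` and `fakeWindow` are hypothetical names, and the URL is constructed.

```javascript
// Added example: defensive framebusting. Takes a window-like object so the
// same logic runs in a browser and against the constructed stand-ins below.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true; // cannot inspect the top window: fail closed
  }
}

function frameBust(win) {
  const root = win.document.documentElement;
  if (!isFramed(win)) {
    root.style.visibility = "visible"; // top-level load: reveal the page
    return "shown";
  }
  root.style.visibility = "hidden"; // framed: leave nothing to click on
  try {
    win.top.location = win.self.location.href; // replace the embedding page
    return "busted";
  } catch (e) {
    // The embedder can restrict the frame so this assignment fails;
    // the content stays hidden either way.
    return "hidden";
  }
}

// Constructed stand-in for window (hypothetical helper, for running offline).
function fakeWindow(framed, navBlocked) {
  const win = {
    document: { documentElement: { style: {} } },
    location: { href: "https://example.test/account" },
  };
  const parent = {};
  Object.defineProperty(parent, "location", {
    get() { return this.href; },
    set(url) {
      if (navBlocked) throw new Error("navigation blocked");
      this.href = url;
    },
  });
  win.self = win;
  win.top = framed ? parent : win;
  return win;
}

if (typeof window !== "undefined") frameBust(window);
```

Keeping the page hidden until the check passes means a blocked navigation still leaves the embedding page with nothing visible to overlay.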
While a number of other Firefox extensions enhance a user's online security in one way or another, NoScript is, in my opinion, the single most important security-related Firefox extension. Don't take my word for it: The US-CERT guide to Web browser security includes extensive instructions for configuring NoScript as part of its Firefox security guidelines.