Firefox + NoScript: Throw 'Clickjackers' Under The Bus

Is "clickjacking" the security risk some people make it out to be? Not if you're acquainted with one of my favorite Firefox browser extensions.
Clickjacking is definitely the online security threat du jour. Most of this attention came courtesy of an Adobe Flash bug that could allow an attacker to play peek-a-boo with a victim's Webcam. A recent Flash security patch eliminated the problem, and most of the recent media coverage of clickjacking seems to have gone with it.

But did the problem really go away? Not really, since clickjacking doesn't necessarily depend upon Adobe Flash or any other browser plugin technology. In fact, as developer Giorgio Maone stated in a recent blog post, clickjacking appears to be possible using nothing more than mainstream Web publishing standards such as DHTML, CSS, and (in particular) JavaScript.

Even if this form of clickjacking hasn't yet appeared in the form of real-world exploits, it still poses a significant potential threat. For starters, it affects every browser and host operating system; if a browser supports even rudimentary Web standards, it could be vulnerable to clickjacking exploits.

Also, while future versions of these standards may fix the problems, they will take years to ratify and must still ensure backwards compatibility or risk breaking countless millions of Web pages. That means deep-rooted security issues such as clickjacking will be with us for years to come.

So, clickjacking is a creature we all know far too well: A shadowy, poorly-understood online security threat with no easy fix -- and with enormous mischief-making potential. What else is new?

Except this time there is an easy fix -- at least for Firefox users.

NoScript has long been one of the most popular Firefox extensions. It will, by default, block both Java applets and JavaScript from executing on any Web page. Firefox users are then free to enable Java/JavaScript functionality only on sites they trust, on a case-by-case basis -- and even then, ideally, only when scripting support is absolutely necessary to do whatever they need to get done on a particular site.

As Maone points out in his blog post, blocking JavaScript will protect Firefox users from one of the most insidious clickjacking threats: The ability to keep a malicious link floating directly under a user's mouse, potentially ensnaring them the moment they click anything, anywhere on a compromised Web page.

Better yet, however, the latest version of NoScript includes a new feature that all but eliminates any threat from clickjacking attacks. The feature, which Maone calls ClearClick, detects hidden embedded elements on a page and warns users if they click on one of them -- before they leave the current page and tumble down the black-hat rabbit hole.

Finally, NoScript will, by default, allow one particular kind of script that responsible Web developers can implement on their sites to detect when their pages have been embedded inside another, probably malicious, rogue Web page and break out of it. These so-called "framebusting" scripts are an important weapon against clickjacking. Unfortunately, they only protect sites whose administrators are both willing and able to deploy them properly. (In other words, don't hold your breath.)
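To make the "framebusting" idea concrete, here is an added example of the kind of check such a script performs (this is illustrative code written for this article, not code from the column or from NoScript). It is factored into functions that take window- and document-like objects so the logic can be run outside a browser; in a real page you would pass `window` and `document`, and the `<body style="display:none">` starting state it relies on is an assumption about the markup.

```javascript
// Added example (not from the column or from NoScript): a "framebusting"
// check of the kind the text describes, factored into functions so it can be
// exercised outside a browser. `win` and `doc` are window- and document-like
// objects; in a real page you would pass `window` and `document`.

// A page is framed when its own window object is not the top-level window.
// Property access on a cross-origin win.top is restricted, but identity
// comparison is allowed; if a browser throws anyway, treat the page as framed.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (err) {
    return true;
  }
}

// Deploying a framebuster "properly": the markup hides the body up front
// (assumed: <body style="display:none">) so nothing clickable is rendered
// while the check runs. If framed, replace the top-level document with this
// page; otherwise reveal the body. Returns what was done so callers can log it.
function applyFramebuster(win, doc) {
  if (isFramed(win)) {
    try {
      win.top.location = win.self.location.href;
    } catch (err) {
      // Navigation blocked; leave the body hidden so nothing can be clicked.
    }
    return 'busted';
  }
  doc.body.style.display = 'block';
  return 'shown';
}

// Constructed stand-in objects (not real browser objects) so the logic can be
// run from the command line: one window that is top-level, one that is framed
// by some other page.
function demo() {
  const topLevel = { location: { href: 'https://example.test/' } };
  topLevel.self = topLevel;
  topLevel.top = topLevel;

  const framed = { location: { href: 'https://example.test/page' } };
  framed.self = framed;
  framed.top = { location: { href: 'https://other.example/outer' } };

  const hiddenDoc = () => ({ body: { style: { display: 'none' } } });
  return {
    topLevel: applyFramebuster(topLevel, hiddenDoc()),
    framed: applyFramebuster(framed, hiddenDoc()),
  };
}

if (typeof window === 'undefined') {
  console.log(demo()); // { topLevel: 'shown', framed: 'busted' }
}
```

In a page, the call `applyFramebuster(window, document)` belongs in a script in the document head so it runs before any content is painted. Hiding the body first is what "deploying it properly" means in practice: a framebuster that only navigates away still leaves a window in which the framed page was briefly clickable. Script-based framebusters also have known weaknesses (the framing page controls the environment the script runs in), which is why the declarative X-Frame-Options response header, where a server can send it, is the more robust way to refuse framing.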

Anyone using any mainstream Web browser can already disable JavaScript support. That will make you safer, but it will also make you miserable; too many Web sites today rely upon JavaScript to do anything useful. Besides whitelisting trusted sites while blocking scripts on all other sites, NoScript will impose additional security restrictions, such as blocking Java, Flash, Silverlight, and other plugins (either on untrusted sites only or on all Web sites). NoScript will also forbid pages from rendering IFRAME tags (a favorite toy for online troublemakers), and it will even collapse blocked objects, making a rendered page appear as if the object had never existed in the first place. And this just scratches the surface of what NoScript can do to protect your security (and sanity!) online.

While a number of other Firefox extensions enhance a user's online security in one way or another, NoScript is, in my opinion, the single most important security-related Firefox extension. Don't take my word for it: The US-CERT guide to Web browser security includes extensive instructions for configuring NoScript as part of its Firefox security guidelines.