In my recent series of articles on Web browser security (see the special report), I indicated that browser add-ons (or plug-ins) could bring additional risk to a browser. One browser add-on provider, Giorgio Maone of Firefox's NoScript, wrote me to strongly disagree. Here's an edited excerpt of our e-mail discussion:
Giorgio: Hello Roger, I just read your "How secure is Firefox?" article, and I found it quite interesting and well written. Anyway you wrote, "Although add-ons such as NoScript, and plug-ins such as Adobe Flash, bring many useful capabilities to Firefox, at the same time they come with problems and security issues of their own."
Could you explain to me what security issues you've found in NoScript, requiring it to be disabled with per site granularity (which could be done, by the way)? Moreover, you're putting Adobe Flash (which is a commodity plug-in full of documented security holes) with NoScript, which is the very security tool providing that "per-site granularity" in disabling plug-ins like Flash that you're advocating (see http://noscript.net/features#contentblocking).
So, if you're kind enough to tell me about these NoScript security issues, I'll be happy to fix them in the next release (even today). However, I'd like you to rewrite that paragraph reflecting the distinction above, and if it's not possible since your article, as I can see, is syndicated on a plethora of IDG outlets, please write a new, more correct, article about NoScript. Thanks and best regards. Giorgio Maone.
Roger: Giorgio, I'm not aware of any particular issues, but no one has released bug-free code yet, and I'll bet my career that NoScript is no different. Every security protection product falls under the same security threats and problems as any other software, sometimes more so.
Giorgio: I appreciate you answering, but your answer sounds like a straw man. I never stated NoScript is immune from bugs (or security issues). On the other hand, you stated that NoScript "comes with security issues of its own" (notice you didn't even attenuate with a "might"), which can require users to disable it for security reasons. Therefore, you're the one who should have to prove that NoScript comes (or ever came, for the matter) with even one single security issue.
Roger: I'm not specifically faulting NoScript at all. I'm talking about all plug-ins. But to be sure, I don't pull NoScript out of it. And I'm not saying using NoScript increases the overall risk, just that it adds new risks, which are not under the control of Firefox.
Giorgio: To any reader with minimal textual competence, this means that NoScript (as other plug-ins) comes with security issues, and therefore, users need a means to disable it per-site (which, let me repeat, is a very misplaced claim if referred to NoScript, even more so since NoScript can actually be disabled with per-site granularity and is itself the easiest means to disabling risky plug-ins with per-site granularity).
If you really wanted to make a generic and factually correct statement, you should have chosen to say "add-ons such as GreaseMonkey" (or Firebug, or many others which actually came with documented security issues), rather than using one of the few about which you can't prove anything like that.
Roger: You seem to be arguing that NoScript likely has no serious security deficiencies. That seems to me to be a riskier statement than mine, which is that it most likely does have security issues. Essentially, this is what we are arguing.
Giorgio: You would never dare to say, "Mail servers and Web servers, such as qmail and IIS, which come with problems and security issues of their own."
Roger: Yes, I absolutely would. And they do and I have. Even qmail, which was found to contain a bug. But in this particular case, I'm referring to add-on products that extend the basic functionality of another product. I have yet to find, in my 23-year security career, an extension that did not bring issues of its own. That's my exact argument.
Giorgio: OK, let's put it in a different way. Should you pick one mail server as an exemplification in a statement like "Unsafe mail servers, such as...," would you pick qmail, which had one bug, or Sendmail, which had hundreds of security issues in the same lifespan?
That's my exact argument, and with my 24 years of coding I'd really love if your 23 years of security helped find one security bug in NoScript, because 24 hours later, 2 million users would just have one bug less ;-)
Roger: I'm a fan of your product. Why isn't it a built-in component of Firefox? What is stopping it? You or Mozilla?
Giorgio: NoScript is installed by default in the XeroBank browser, a product optimized for anonymous browsing, and a few of other security-oriented Firefox-derivatives. I received inquiries in the past by the developers of SeaMonkey (formerly Mozilla Suite) for including NoScript by default, but a legal requirement was changing the license from GPL to a more commercial-friendly tri-license (GPL/MPL/LGPL), and that was not something I was available to.
Regarding Firefox, there's recurrent discussion at Mozilla about implementing some NoScript functionality, and some of the countermeasures pioneered by Firefox (e.g., against cross-application attacks) have been incorporated in the Firefox core after I demonstrated their viability.
On the other hand, I'm not a fan of including NoScript as a whole abruptly -- not before a massive education campaign, at least. The main concern is that Firefox is a browser directly competing in the widest consumer market, and some sites look broken until you whitelist them. Therefore, this big fear: Less educated people would simply switch back to IE as soon as they stumble upon a broken site, instead of understanding what's going on and allowing it with one click, if trusted. An extension is less troublesome, because if you willingly install it you're supposed to know what you're doing, and even if you don't, you'll blame the last gadget you installed, rather than Firefox.
Security-savvy people will go for the safest option, the others... did I say I'm a die-hard Darwinist?
Furthermore, having NoScript built into Firefox would tie it to Firefox's own development cycle, jeopardizing that freedom of experimentation and reaction agility that are the main strengths (as I hope you understand after our brief exchange) of the NoScript project. Cheers. Giorgio
[End of edited transcript]
I can't help but love this guy and his product. I wish all add-on vendors shared his same commitment and passion for security.