Posted tagged ‘safari’

A New Clickjack Protection

September 20, 2011

Clickjacking has been a huge problem because it takes advantage of security problems inherent in the Internet’s basic structure. It’s really difficult to tell whether a link or video is pulling a fast one on you. For a long time, Internet users could rely on NoScript, an app that worked with Firefox. It’s a pretty useful app, but it’s hard to rely on a single source of protection. Plus, the problem with having a single form of protection is that you never create competition that encourages NoScript to improve its service.

Now that competition has started.

Zscaler is a new widget that blocks clickjacked objects from unleashing their attacks on you. Unlike NoScript, which only works with Firefox, Zscaler works with Firefox, Chrome, and Safari.

It’s uncertain whether Zscaler actually works better than NoScript.

Actually, whether it’s better is only part of the point.What’s really important is that NoScript now has some competition. It also means that Internet users now have two options to protect them from clickjackers.

There’s just one potential problem with this. The more tools we have to protect ourselves, the more open we are to social manipulation. We begin to think that the apps and widgets will protect us no matter what. But they won’t. Clickjackers are always one step away from figuring out how to bypass even the latest security. That means each person has to pay attention to what actions they take online.Even with all the security tools, it’s still up to you to make smart, informed decision when you’re online.

 

Advertisements

X-FRAME Denied

June 23, 2010

Facebook, Twitter, and many other popular websites claim that they protect users from clickjacking attacks by including the “X-FRAME-OPTIONS:DENY” tag that prevents browsers from hiding links in invisible frames. This sounds like a great step forward, but does it really help that much?

Including the tag is pretty much the best thing that a website can do to protect internet users from clickjack attacks, but it certainly does not protect everyone. This tag only works in conjunction with the latest browsers. If you’re using IE 8, Chrome 2, or Safari 4, then you’re probably in good shape. If you’re using an older version of these web browsers, then you are susceptible to clickjack attacks. Currently, the latest edition of Firefox does not even acknowledge the tag. Firefox does plan to improve security by recognizing the tag in future versions. Plus, Firefox has the optional NoScript plug-in that can help prevent clickjacks.

The point here isn’t that Facebook, Twitter, and other sites aren’t doing what is in their power to prevent clickjacks. The point is that it’s dangerous for them to make claims that aren’t true for many visitors. Including the “X-FRAME-OPTIONS:DENY” tag does qualify as improved security, but putting this at the center of your security-focused marketing encourages people to feel safer than they really are.

It’s not necessarily inaccurate. It’s not even necessarily disingenuous. But it is dangerous for the millions of people who use Firefox and older browsers. Many of them think that they are protected from clickjacking, but the truth is that they are victims in waiting.