Thursday, November 8th, 2007
If an evil script gets onto a page from a good site, the script can access the server, and the server has no way to see that it is talking to an evil script. The script also gets control of the screen, and the user is unaware of that too. This is known as the XSS attack.
If you happen to land on an evil page, a script on that page can access servers that you have visited (such as your bank’s website), and again, the server cannot tell that it is talking to an evil script. This is known as the XSRF attack.
Fortunately, there is an extension to Firefox that can significantly reduce the dangers and annoyances to you. It is called NoScript. NoScript lets you set policies on what scripts you want to run. It can block scripts from evil sites. It can frustrate some XSS attacks. It can also frustrate some phishing exploits.
It creates an (S) icon on the bottom bar that gives you access to an easy-to-use policy editor. You must explicitly authorize scripts for each of the sites you usually visit. You can grant temporary authorization for sites you visit once. You might think that you would have to spend a lot of time managing the policy, but surprisingly, you don’t.
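The server-side view of the XSRF case described above, as an added example that is not part of the original post: a cookie-only check accepts a request triggered by another site's page, while a per-session token embedded in the site's own forms lets the server tell the two apart. The session store, token scheme, function names and sample requests are all constructed assumptions.

```javascript
// Added illustration: a constructed server-side model, not code from the post.
const crypto = require("node:crypto");

// Constructed session store: session id (cookie value) -> per-session state.
const sessions = new Map();

function login(user) {
  const sid = crypto.randomBytes(16).toString("hex");
  // Anti-forgery token: a secret the site embeds only in its own pages.
  const csrfToken = crypto.randomBytes(32).toString("hex");
  sessions.set(sid, { user, csrfToken });
  return { sid, csrfToken };
}

// Weak check: the cookie alone decides. The browser attaches it to every
// request to this server, whichever page triggered the request.
function authorizeCookieOnly(req) {
  return sessions.has(req.cookies.sid);
}

// Stronger check: also require the per-session token in the request body.
function authorizeWithToken(req) {
  const session = sessions.get(req.cookies.sid);
  if (!session || typeof req.body.csrfToken !== "string") return false;
  const expected = Buffer.from(session.csrfToken);
  const supplied = Buffer.from(req.body.csrfToken);
  return expected.length === supplied.length &&
    crypto.timingSafeEqual(expected, supplied);
}

// Constructed requests, as the server sees them.
function sampleRequests() {
  const { sid, csrfToken } = login("alice");
  const genuine = { cookies: { sid }, body: { to: "bob", amount: 10, csrfToken } };
  // Triggered from another site's page: same cookie, but that page cannot
  // read the token out of the good site's pages, so the field is absent.
  const crossSite = { cookies: { sid }, body: { to: "mallory", amount: 10 } };
  return { genuine, crossSite };
}

function demo() {
  const { genuine, crossSite } = sampleRequests();
  return {
    cookieOnly: [authorizeCookieOnly(genuine), authorizeCookieOnly(crossSite)],
    withToken: [authorizeWithToken(genuine), authorizeWithToken(crossSite)],
  };
}

console.log(demo());
```

The token does not help in the XSS case, where the script runs inside the good site's own page and can read the token like any other page content.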
Posted by Dion Almaer at 11:32 am