I’ve been an avid listener of the Security Now podcast for a couple of years now, and learned a lot of interesting things concerning cryptography, possible avenues of attack on your home network, etc. But two recent episodes of SN showed me that the Internet is a dark and dangerous place, and that you need all the protection you can get. In this case, Firefox with the NoScript plug-in.
The first episode that piqued my interest was episode 166, “Cross-Site Request Forgery”. Steve does a much better job of explaining this, but in a nutshell it is a technique in which one site uses your cookies for another site to issue a GET request on a form, by displaying an “image”. Much to my surprise, NoScript was mentioned as a plugin for Firefox to prevent this.
The second episode was even more sinister. Episode 168, “ClickJacking”, describes how a page can use an iframe to display another page behind innocent-looking content, and trick you into clicking on a button in the hidden page instead of on the displayed page. This can be used to activate your camera and microphone in Flash, or change your password on MySpace to something only the owner of the malicious website knows. Once again, NoScript was suggested as the way to prevent this from happening to you.
Unless, of course, you turn off the script protection, as both Steve Gibson and Leo Laporte confessed to in the latest Q&A episode…. 🙂
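What a site itself can do against the two attacks described above, as an added example that is not from the original post or the podcast: refuse state changes over GET, require a per-session token that the other site cannot read, and send headers that forbid framing. The route names and token values are constructed for illustration.

```javascript
// Added example (not from the original post). Routes and tokens are constructed.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
const STATE_CHANGING = new Set(['/password/change', '/settings/camera']); // hypothetical routes

// Compare two tokens without exiting early on the first mismatching character.
function tokensMatch(expected, submitted) {
  if (typeof expected !== 'string' || typeof submitted !== 'string') return false;
  if (expected.length === 0 || expected.length !== submitted.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ submitted.charCodeAt(i);
  }
  return diff === 0;
}

// Headers that tell the browser not to render the page inside another site's frame.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// req: { method, path, sessionToken, submittedToken }
// The cookie alone proves nothing: the browser attaches it to forged requests too.
function checkRequest(req) {
  const headers = antiFramingHeaders();
  if (!STATE_CHANGING.has(req.path)) return { status: 200, reason: 'read-only', headers };
  if (SAFE_METHODS.has(req.method)) {
    return { status: 405, reason: 'state change over GET refused', headers };
  }
  if (!tokensMatch(req.sessionToken, req.submittedToken)) {
    return { status: 403, reason: 'CSRF token missing or wrong', headers };
  }
  return { status: 200, reason: 'ok', headers };
}

// Constructed requests: a forged "image" GET, a forged cross-site POST, a real form post.
const samples = [
  { method: 'GET', path: '/password/change', sessionToken: 'tok-3f9a', submittedToken: undefined },
  { method: 'POST', path: '/password/change', sessionToken: 'tok-3f9a', submittedToken: 'guess-00' },
  { method: 'POST', path: '/password/change', sessionToken: 'tok-3f9a', submittedToken: 'tok-3f9a' },
];
for (const s of samples) console.log(s.method, s.path, '->', checkRequest(s).status);
```
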