First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.
Firefox extension blocks dangerous Web attack
- — 09 October, 2008 08:12
The new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the Web page. It then displays a warning message asking the user if they still want to click on it.
Maone said ClearClick will likely stop all clickjacking attempts. NoScript is only for the Firefox browser, so users of Microsoft's Internet Explorer -- the most-used browser in the world -- are vulnerable.
Web site owners, however, can take one step to prevent their users from falling victim, Maone said. Programmers can use a script on their Web sites that checks to see if a Web page is embedded in another page. If so, the script forces the good Web page in front, preventing clickjacking, Maone said.
The technique is called "framebusting." Ebay's online payments service, PayPal, which is frequently targeted by cybercriminals, has already implemented framebusting, Maone said. NoScript will allow a framebusting script to run, Maone said.
"The best thing that can happen is that Web site owners start to think more carefully about security," Maone said. "It is important that Web site owners spread the word that they should implement framebusting."
Clickjacking is a serious, potentially long-term problem for browser developers. Since the attack is enabled by a feature within HTML, it demands changes to the HTML specification.
Web standards groups are currently working on HTML 5, a specification that will incorporate new features into the programming language to accommodate future Web design. But the standards process moves slowly, and changes to HTML could break existing Web pages, Maone said.
"For the user, I'm afraid there's no fix but NoScript for the time being," he said.