w3c / webappsec-csp

WebAppSec Content Security Policy
https://w3c.github.io/webappsec-csp/

BackSwap type of attack #308

Open AliceWonderMiscreations opened 6 years ago

AliceWonderMiscreations commented 6 years ago

https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/

It appears that this attack is a novel type of script injection that tricks the browser into thinking the user edited the web page being displayed.

I'm hoping that a good CSP policy that forbids inline scripts would protect against it; I don't know and have no way to test. But if what this attack does is beyond the scope of the CSP script policy, do we need a policy to tell the browser a user is not allowed to edit a page?

I know for accessibility, some browser extensions exist that let the users specify custom colors and contrast etc.; one such plugin was a benefit to me at a site I had to use. So I understand the need to sometimes allow scripts not served by the page to execute, but with banking they probably shouldn't, hence why I think it might need a CSP directive.
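As an added illustration (not code from the issue thread or from the CSP specification), the checker below applies CSP3's rules for whether an inline `<script>` is allowed under `script-src`: a matching nonce or hash allows it, and `'unsafe-inline'` is ignored once any nonce, hash or `'strict-dynamic'` is present. The policies are constructed examples, and the checker models only scripts that arrive as part of the page; it says nothing about scripts the browser treats as user-initiated, which is what the replies below address.

```python
import base64
import hashlib

HASH_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy


def hash_source(script_text, algo="sha256"):
    """Build the 'sha256-<base64>' source expression that would allow script_text."""
    digest = HASH_ALGOS[algo](script_text.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def _b64_bytes(value):
    """CSP3 accepts base64 and base64url hash values; normalise both to raw bytes."""
    value = value.replace("-", "+").replace("_", "/")
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value)
    except ValueError:
        return None


def inline_script_allowed(header, script_text, nonce=None):
    """Decide whether an inline <script> (body + optional nonce attribute) may run."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))  # script-src falls back
    if sources is None:
        return True  # no governing directive: inline script is unrestricted
    keywords = {s.lower() for s in sources}
    has_nonce_or_hash = False
    for src in sources:
        if not src.startswith("'"):
            continue  # host and scheme sources never match inline script
        inner = src.strip("'")
        algo, sep, value = inner.partition("-")
        if algo.lower() == "nonce" and sep:
            has_nonce_or_hash = True
            if nonce is not None and value == nonce:  # nonce values are case-sensitive
                return True
        elif sep and algo.lower() in HASH_ALGOS:
            has_nonce_or_hash = True
            expected = HASH_ALGOS[algo.lower()](script_text.encode("utf-8")).digest()
            if _b64_bytes(value) == expected:
                return True
    # 'unsafe-inline' only counts when no nonce, hash or 'strict-dynamic' is present.
    if "'unsafe-inline'" in keywords and not has_nonce_or_hash and "'strict-dynamic'" not in keywords:
        return True
    return False
```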

annevk commented 6 years ago

That wouldn't work though: if the CSP directive was used outside banking, browsers would just be encouraged to ignore it again to give users back control.

dveditz commented 6 years ago

To the browser this malware is the user. The only way to stop it is to remove these features from users. The CSP directive you're asking about is essentially DRM for web pages: "disable developer tools". This will create a speed bump for this kind of malware, but since it's installed on your computer it has other choices (it could go back to the harder method of hooking the binaries, which they've done for years). Meanwhile tons of sites would jump at this to prevent user inspection and customization. Illusory benefits at a huge cost.

AliceWonderMiscreations commented 6 years ago

Hooks into the binary are more difficult when the end user does not have write permission w/o su or sudo, as is the case with many UNIX operating systems. I understand many operating systems don't have proper system-wide update utilities like many Linux distros have, which has resulted in browsers wanting to update themselves removing that protection, but I never liked that model.

As for it being equivalent to DRM: as long as the CSP directive has to be set, it will likely only be set where it is important, such as banking websites.

What other defense is there?