Tech – for Everyone

Tech Tips and Tricks & Advice – written in plain English.

Block IFRAME For Added Protection

If you are interested in Tech, and visit Websites such as this one, it will not be very long before you read about Firefox. (In fact just this week I posted an article.) And, it won’t be long before you see NoScript mentioned. Odds are, you already have.

NoScript is a small program you download and add ‘into’ Firefox to enhance its functionality (these small programs are known variously as “add-ons”, “plug-ins”, and “extensions”– different words for the same concept.)

NoScript gets mentioned in the Tech media a lot because it is a security tool that automatically “blocks” (prevents from running) certain web page ‘elements’ (scripts) — Java, Flash, JavaScript, and XSS– from running unlesNSOptss you click the Option button and select “Allow”, or “Temporarily allow”.

Which puts you in control, and goes a long ways toward preventing “drive-by downloads“, and other malicious Internet attacks and activity from occurring should you happen to visit a Website which has been .
(I don’t mean to depress you, but the current state of the Internet is so insecure that this can be, literally, any Website.)

By default, NoScript is a powerful tool (to read the NoScript “About” page, ) and for many people is the primary reason they have made the switch to Firefox.
(I’ll let you in on a little secret; it is one way to measure a user’s “savvy”.. look for a Firefox icon.)

Tip of the day: Enhance your NoScript protection by turning on the IFRAME blocker feature.
IFRAMES are another dynamic Web element that cyber-criminals are now using as an “attack vector” (aka “method”) with great success. Like the scripts mentioned above, IFrame attacks can happen invisibly and automatically. Oh, the joys of Web 2.0!

1) In Firefox, click on “Tools”, then “Add-ons”
Add-ons 
2) Scroll ’till you find NoScript, and click the “Options” button. (If you have not yet installed NoScript, click the “Get Add-ons” icon in the upper-left.)
NoScript
3) Click on the Plugins tab. Place a check in the “Forbid <IFRAME>” checkbox.

That’s it. You’re done. Now when you visit a site that uses IFrames, you will have to approve them (aka “whitelist”) before they’ll appear.

[Note: the scripts and tools (Web 2.0 “features”) mentioned in this article are NOT in themselves bad or dangerous, and it is thanks to them that the Web is such a rich and interactive environment.. but, in the wrong hands they can — and are — being used with criminal intent.]

Today’s free link: One of the more disturbing (outright alarming, if you ask me) hacker uses of IFrame attacks is the alteration of Search Engine results (Yes, you can’t truly trust Google, Yahoo!, or MSN anymore) and Internet Security blogger Bill Mullins has posted an excellent article on this subject, Fake/Redirected Search Results – Consequences for You

* Firefox users: Update 3.0.3 available today.

Copyright © 2007-8 Tech Paul. All rights reserved.jaanix post to jaanix

Share this post :

September 27, 2008 - Posted by | advice, anti-spyware, browsers, computers, cyber crime, Firefox, hackers, how to, Internet, PC, security, software, tech, Web 2.0 | , , , , , , , , , , ,

17 Comments »

  1. Nice content but such horrible, example of most wrong colors, this site looks so depressing, scares people away ! I’m gonna leave without reading :-(

    Like

    Comment by Bourneigh | May 13, 2009 | Reply

    • Well I certainly don’t want to be scary

      Like

      Comment by techpaul | May 13, 2009 | Reply

  2. Ok, great! Block Javascript, IFrames, Flash and the like.

    Why not go ahead and block web sites from loading on browsers from now on? At some point you have to get real about web browsing. Yes, there are people who want to break your computers by loading malisious scripts or viruses, but where do you draw the line?

    99% of web sites these days rely on at least one of the technologies mentioned above to work properly! Taking them away will stop the sites working, and I’m pretty sure that only a handfull of sites have malisious content.

    What you are doing by spreading this so called information is causing panic, and making people scared to browse. The vast majority of web surfers out there are going to panic when they see a warning about some script trying to run, and they are going to stop it, even if it is only a menu item loading.

    If you have half decent anti everything, the real nasties will be blocked by them and the need for these add-ons won’t be there.

    This is not great news for web developers!!!

    Like

    Comment by Quinton | June 8, 2009 | Reply

    • Quinton,
      It has gotten so dangerous that there are advocates of text-only browsers.

      No, having the latest, fully updated malware tools will not protect you from a lot of web-based attacks. Not even the heuristic ones.

      And going to “safe”, well-known websites only will not protect you because of website poisoning.

      Yes. The cyber-criminals are killing the Web. Hence Bush’s, and now Obama’s statements and plans. Their goal is not to “break my machine”, but to steal my money and/or commit crime (fraud) in my name.

      What these blockers do is essential, as they prevent things from just running (with whatever permissions they can get) until the user okay’s them. (Unfortunately, nobody reads what they’re OK-ing, and are being conditioned to just click “OK”)

      Create a panic? Are you kidding? What percentage of “average computer users” have even heard of a keylogger installed via drive-by? Are botted and don’t know it?

      Flash is to serve me ads which I don’t want.
      Java is so I can fill in form which I don’t want to do — why should I have to give you an e-mail so I can view the page?

      Like

      Comment by techpaul | June 8, 2009 | Reply

  3. hi i cnnot iframes block on ie8 :S

    Like

    Comment by asdf | August 11, 2009 | Reply

  4. yes. iframe is such a dangerous tag.

    Most people are still not aware of its misuse.

    Many websites are being infected with iframe tag in their main pages.

    Now I am going to block web pages with iframes.

    Like

    Comment by venkatachalam | September 23, 2009 | Reply

    • Venkatachalam.
      * 77 percent of Web sites with malicious code are legitimate sites that have been compromised. (called “poisoned”)

      * 233 percent growth in the number of malicious sites in the last six months and a 671 percent growth during the last year.

      * 95 percent of comments to blogs, chat rooms and message boards are spam or malicious.

      * 57 percent of data-stealing attacks are conducted over the Web.

      * 85 percent of all unwanted emails in circulation contained links to spam sites and/or malicious Web sites.

      Like

      Comment by techpaul | September 23, 2009 | Reply

  5. and that was 2008-2009. now in 2011 it’s even worse.

    listen to techies!

    they know this stuff because they are amongst the ones that create them (paid by the marketroids).

    I saw this comming back in ’98 when I saw how dangerous javascript can be.

    now, it’s even worse. I would say block any ad anywhere. let the marketing guys know that this is not what web was created for.

    as long as there is money to be made from web sheep they will not stop.

    don’t be a sheep!

    reject all ads on the web. period!

    only this way you can fight back.

    I always disable javascript, flash, etc right after installing firefox (the only browser I can trust)

    I will then enable only a few sites (like youtube) for flash.

    i am happier this way. If I cannot see a page so be it. that means it was not there for me to see if I have to give out information to see it.

    because of this I also scale back on paying for internet. Instead of going down in price it’s going up for feeding more garbage down our throats.

    gave up cable TV long time ago because of same issue. never looked back. I’m happier now and spend more time on books and other things that are not distracting.

    the same will happen with the web. people will stop paying for crap once there is enough critical mass.

    you get the idea.

    Like

    Comment by future | March 5, 2011 | Reply

    • future,
      For the most part.. I agree.

      Like

      Comment by techpaul | March 5, 2011 | Reply

  6. NoScript is fake, not blocking all iframes.
    Some iframe by authority can detect IP address even if you’re using proxy.
    Put #IFRAME in adblockplus custom elements blocker, these true will block ALL IFRAME.

    Like

    Comment by Archon | December 15, 2014 | Reply

    • Archon,
      I have no idea if that’s true, and i don’t have time to look into it. But don’t worry: less than 1/1000th of 1% of webizens are savvy enough to have NoScript.

      Like

      Comment by techpaul | December 16, 2014 | Reply

  7. sir this article is really good one its very useful thank you sir.

    Like

    Comment by pankaj | December 15, 2014 | Reply

  8. Sir is there any trick to watch who are using my wifi connection on pc b’coz i am worried about my data usage i dought someone using my wifi connection.

    Like

    Comment by suraj | December 15, 2014 | Reply

    • suraj,
      A network ‘sniffer’ can often/usually detect machines on the network (and if you see one you don’t recognize, you have an intruder). But the key to keeping folks off of your WiFi is using the latest encryption methods (WPA2, typically), with a strong password, that you change occassionally. If that is insufficient to keep people out, you can set your router to limit the number of connections (to, say, 1).

      Like

      Comment by techpaul | December 16, 2014 | Reply

  9. sir,if i visit any site how can i see that site is safe or not b’coz there are so many sites who are already spam,viruses how can i safe site visiting.

    Like

    Comment by h.ali | December 15, 2014 | Reply

    • h.ali,
      There’s no such thing as “safe” on the Internet.
      But we can be safer on the Internet by avoiding obviously risky websites, using site “reputation” tools (browser pug-ins) like McAfee’s SiteAdviser, WoT, etc.), typing the URL as opposed to clicking links, and a good Internet Security Suite/firewall).

      Like

      Comment by techpaul | December 16, 2014 | Reply


Post your Comment/Question

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: