[Greasemonkey] Greasemonkey and Phishing
Nikolas Coukouma
lists at atrus.org
Fri May 13 14:15:19 EDT 2005
Premshree Pillai wrote:
>Hi,
>
>Is there a way to compare a page's original DOM and the one generated
>after a userscript is run?
>
>
From Greasemonkey's end, yes. From a user script's, no, because there's
no way to guarantee ordering.
>To give more context, this is in relation to one of the comments [1]
>to a recent post of mine [2]. Quoting:
>
>"GreaseMonkey throws up an interesting issue: What if there are GM
>scripts that phish for information, and a user unwittingly installs an
>extension that acts as a phishing script? Should browsers start
>supporting a CRC/MD5 check logo (like the ssl lock icon) to certify
>that the client and server-side copies of a page are the same and
>unaltered? Just curious...."
>
>
90% of the point of Greasemonkey is to alter the page, unlike
extensions. Many extensions are supposed to just modify Mozilla, but
could do other things. In fact, extensions pretty much run free. User
scripts are at least limited to a security context, even if it is an
elevated one (they can't modify files or run arbitrary programs, etc.)
A small number of scripts might just create menu commands or log
messages, but most are going to do something. Exactly what they do is a
better question and one that is best answered by reading the source.
Again, extensions are usually larger, consist of one file, and are
compressed. All of that makes them very difficult to scrutinize, perhaps
even for those familiar with Mozilla (it's a jungle of code).
>Very valid possibility, isn't it? Is there some way to know if the DOM
>(or the content) of a page being displayed is exactly what is supposed
>to be displayed?
>
>
Yes. Disable Greasemonkey. This can be accomplished by hitting the
monkey icon in the 0.3.x versions. Earlier versions require you to open
the Manage menu.
>Thanks.
>
>[1] http://www.livejournal.com/users/premshree/71511.html
>[2] http://www.livejournal.com/users/premshree/71511.html?thread=642903#t642903
>
>--
>Premshree Pillai
>http://www.livejournal.com/users/premshree/
>
Of course, not everyone knows enough to examine scripts effectively.
Userscript.org should help with the problem of security for end-users.
It will have a per-script security rating and monitor scripts for
changes. As soon as a change is detected, the rating drops back to zero.
-Nikolas Coukouma
(atrustheotaku ;)
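
The change monitoring described above for Userscript.org, sketched as an added example (not part of the original message and not the site's code). It assumes the rating is bound to a SHA-256 digest of the script source; the class, method and script names are hypothetical.

```javascript
// Added illustration; not Userscript.org or Greasemonkey code.
const { createHash } = require("node:crypto");

// Fingerprint the exact text of a script; any edit changes the digest.
function fingerprint(source) {
  return createHash("sha256").update(source, "utf8").digest("hex");
}

class ScriptRatings {
  constructor() {
    this.entries = new Map(); // script name -> { digest, rating }
  }

  // Called each time the monitor fetches a script; returns its current rating.
  observe(name, source) {
    const digest = fingerprint(source);
    const entry = this.entries.get(name);
    if (!entry || entry.digest !== digest) {
      // New or changed script: earlier reviews no longer apply.
      this.entries.set(name, { digest, rating: 0 });
      return 0;
    }
    return entry.rating;
  }

  // Record a review. The reviewer submits the source they actually read, so a
  // review of an older copy cannot raise the rating of the current one.
  rate(name, reviewedSource, rating) {
    const entry = this.entries.get(name);
    if (!entry || entry.digest !== fingerprint(reviewedSource)) return false;
    entry.rating = rating;
    return true;
  }
}

// Constructed sample scripts (not real user scripts). v2 differs only in
// its @include line, which is enough to count as a change.
const v1 = "// ==UserScript==\n// @name Example\n" +
  "// @include http://example.com/*\n// ==/UserScript==\n" +
  "document.title = 'hi';\n";
const v2 = v1.replace("http://example.com/*", "*");

function demo() {
  const r = new ScriptRatings();
  return [
    r.observe("Example", v1), r.rate("Example", v1, 4),
    r.observe("Example", v1), r.observe("Example", v2),
    r.rate("Example", v1, 5), r.observe("Example", v2),
  ];
}
```

`demo()` walks one script through first sighting, review, an unchanged re-fetch, a changed re-fetch, and a late review of the old copy.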