- If the secure portion of the site has its own URL, then bookmark the URL of the secure site and use it directly, instead of going through the home page. Not only will this be faster, but because you don't need the unencrypted site at all, you can afford to crank up NoScript's security (e.g. ABE; see below).
- Whenever possible, you should use encrypted (https) connections for sensitive sites. To help with this, you can tell NoScript to force encryption on all connections to a site: on the Options-Advanced-HTTPS-Behavior tab, add an entry to "Force the following sites to use secure (HTTPS) connections". For example, if you were dealing with the Wells Fargo bank:

Code:
.online.wellsfargo.com

Note the leading dot, which tells NoScript to include the domain and all subdomains. All requests going to the banking portion of Wells Fargo will now use the encrypted https protocol, instead of plain http.
You should also force cookies to be sent only via secure channels, so that they can't be stolen 'on the wire'. To do this, on the Options-Advanced-HTTPS-Cookies tab, check Enable Automatic Secure Cookies Management. You don't need to list specific sites here; all are covered by default. In the very unlikely event that this setting breaks a site, you can add an exception for it (and complain to the site administrator about their insecure cookies!).
As an extra precaution, if you really need to visit the unencrypted portion of the site, it's safest to log out of the encrypted site and restart your browser.
- The most thorough defence is to add custom rules to the Application Boundary Enforcer module, on the Options-Advanced-ABE tab. You'll want to use the USER ruleset for this. Determining the right rules for a site can require some experimentation, but as an example, to protect Wells Fargo:

Code:
# prevent CSRF on Wells Fargo
Site .wellsfargo.com
Accept from SELF
Deny

Again, note the leading dot. This rule tells ABE that wellsfargo.com, and all of its subdomains, should ignore any requests sent from any address except their own (same protocol, full domain, and port number). So, any requests sent to https://online.wellsfargo.com/send/money/ will be blocked unless they come from https://online.wellsfargo.com.
You can also use ABE to ensure that the encrypted site cannot import any insecure resources (such as images or tracking scripts) from unencrypted sites:

Code:
# prevent insecure resources on Wells Fargo
Site ^http://.*
Deny from .online.wellsfargo.com

Note that these rules would prevent even www.wellsfargo.com from linking to the online banking portion of the site. This is where bookmarking the specific page comes in handy! If you still want to allow linking, you can do so, but bear in mind that every link has the potential to be abused, especially when it comes from an unencrypted site (which can be impersonated, especially on an insecure connection such as public WiFi). The code for this would be:

Code:
# prevent CSRF on Wells Fargo, but allow links; less secure
Site .wellsfargo.com
Accept from SELF
Anon GET from www.wellsfargo.com
Deny
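To make the effect of the settings above concrete, here is an added example (my own code, not NoScript's implementation) that models how a request is treated: first the forced-HTTPS list rewrites the destination, then the ABE USER rules decide Accept, Anon or Deny. It handles only the rule syntax used in this post (Site with a leading-dot domain or a ^regex, Accept/Anon/Deny with optional methods and "from" origins, SELF) and assumes the simplified evaluation order "first matching predicate of the first matching Site wins, otherwise Accept"; real ABE is richer. The origin URLs, the tracker host and the cookie values are constructed sample inputs.

```python
import re
from urllib.parse import urlparse

# Constructed inputs: the forced-HTTPS entry and the two ABE rulesets from the post.
FORCED_HTTPS = [".online.wellsfargo.com"]

STRICT_RULES = """
# prevent insecure resources on Wells Fargo
Site ^http://.*
Deny from .online.wellsfargo.com

# prevent CSRF on Wells Fargo
Site .wellsfargo.com
Accept from SELF
Deny
"""

LINKABLE_RULES = """
# prevent CSRF on Wells Fargo, but allow links; less secure
Site .wellsfargo.com
Accept from SELF
Anon GET from www.wellsfargo.com
Deny
"""


def host_matches(pattern, host):
    """ABE domain pattern: '.example.com' covers the domain and all subdomains,
    'www.example.com' only that exact host."""
    if pattern.startswith("."):
        bare = pattern[1:]
        return host == bare or host.endswith("." + bare)
    return host == pattern


def pattern_matches(pattern, url):
    """A pattern starting with '^' is a regex over the whole URL; otherwise a host pattern."""
    if pattern.startswith("^"):
        return re.match(pattern, url) is not None
    return host_matches(pattern, urlparse(url).hostname or "")


def origin_matches(spec, origin, dest):
    """SELF means same scheme, host and port as the destination."""
    if spec == "SELF":
        o, d = urlparse(origin), urlparse(dest)
        return (o.scheme, o.hostname, o.port) == (d.scheme, d.hostname, d.port)
    return pattern_matches(spec, origin)


def parse_rules(text):
    """Parse 'Site <pattern>' blocks, each followed by Accept/Anon/Deny predicates.
    Returns [(site_pattern, [(action, methods, origins), ...]), ...]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "Site":
            rules.append((tokens[1], []))
            continue
        action, rest = tokens[0], tokens[1:]
        if "from" in rest:
            i = rest.index("from")
            methods, origins = rest[:i], rest[i + 1:]
        else:
            methods, origins = rest, []       # no 'from' clause = any origin
        rules[-1][1].append((action, set(methods), origins))
    return rules


def force_https(url):
    """Options-Advanced-HTTPS-Behavior: rewrite http:// to https:// for listed hosts."""
    p = urlparse(url)
    if p.scheme == "http" and any(host_matches(h, p.hostname or "") for h in FORCED_HTTPS):
        return "https://" + url[len("http://"):]
    return url


def evaluate(rules_text, origin, method, dest, headers):
    """Return (verdict, final_url, headers_sent). Anon lets the request through
    but strips credentials (Cookie, Authorization); Deny sends nothing."""
    dest = force_https(dest)
    headers = dict(headers)
    verdict = "Accept"
    for site, predicates in parse_rules(rules_text):
        if not pattern_matches(site, dest):
            continue
        for action, methods, origins in predicates:
            if methods and method not in methods and "ALL" not in methods:
                continue
            if origins and not any(origin_matches(o, origin, dest) for o in origins):
                continue
            verdict = action
            break
        else:
            continue   # no predicate matched this Site; try the next rule
        break
    if verdict == "Anon":
        headers.pop("Cookie", None)
        headers.pop("Authorization", None)
    elif verdict == "Deny":
        headers = {}
    return verdict, dest, headers


if __name__ == "__main__":
    cookie = {"Cookie": "session=constructed-sample"}
    print(evaluate(STRICT_RULES, "http://www.wellsfargo.com/", "GET",
                   "https://online.wellsfargo.com/send/money/", cookie))
    print(evaluate(LINKABLE_RULES, "http://www.wellsfargo.com/", "GET",
                   "https://online.wellsfargo.com/", cookie))
```

Running the script shows the difference between the two rulesets: with the strict rules a GET from the unencrypted www site to the banking site is denied outright, while with the "allow links" rules it is let through anonymized (cookie stripped), so a link still works but cannot ride on the user's session; a POST from the same origin is denied under both.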
For extra security beyond NoScript, you can read through this thread.
Further suggestions are welcome in the comments.