Do most people on Wilders still use a Script Blocker?

NoScript+Disconnect+uBlock+ HTTPS Everywhere+BetterPrivacy+

and...

uMatrix+Disconnect+uBlock+ HTTPS Everywhere+BetterPrivacy

Tried NS with RequestPolicy but found the combo too cumbersome. I've used NS for 1+ years & uMatrix for a few months - i didn't find either one very difficult to pickup - just browse the FAQs first. i have found uMatrix less likely to break a site, but takes longer to fix when it does... NS has XSS, clearclick, etc... For usability i could make an argument either way - for security, i don't know

 

The default install settings of uMatrix allow all 1st-party which makes it in general easier than NoScript on an unknown site with scripts. With NS you will have to whitelist more often.

I agree with your comment too about it taking longer to whitelist in uMatrix 3rd-party than NS. For 2 reasons. One is the blacklisting hosts files. And the other is the scope concept of uMatrix. NS whitelists the domains globally, so often the 3rd party is already whitelisted. It is possible to do also with uMatrix. But more natural to allow 3rd-party to a scope. uBlock Origin is much easier to whitelist globally than with uMatrix UI.

This as a wishlist feature to gorhill. The 3rd-party domain selectors in uMatrix could be divided into global and local whitelisting, they are wide and that concept could be easy understood. No idea how easy that would be to implement. When newcomers try to make global rules with the top left cell, they can often mess their uMatrix rules quite badly when not remembering to set it back to domain scopes.

Those are good rules to fall back that Brummelchen has in the post below. Except I would block plugins in Chrome with the 'Let me choose when to run plugin content' browser setting rather than with uMatrix. Easier that way in my opinion to allow what is just needed and no more. The third party plugins will still be blocked by uMatrix.

EDIT:
For security when running Firefox I would most likely use NoScript in allow mood to have the extra protection of those things you mentioned together with uMatrix or uBlock Origin in medium mode. However because of the rules restricted to first party scope, uMatrix is by default safer at least with privacy regard than NS. Plus you can block with it also 1st-party cookies.

 

I've never used a script blocker and probably never will. I've never felt the need to use one.

 

uBlock contains such control like RequestPolicy, same for Disconnect. and https everywhere i no guarantee for a save site, it only offers an ssl/tls connection if server offers. if you want ssl try https for the website directly no with tricks. most websites which offer ssl for purpose detours from http to https them-self. if you can use https adjust your bookmarks, any other is self-deception. if you want more granular control install uMatrix beside uBlock.
the major current problem for httpS is the ssl control within antivirus-software versus firefox. the injected cert from av-software is in most cases not valid. this issue is discussed more than once here and nearly all av-software is vulnerable, more vulnerable than firefox. and firefox broke with several free certs since its revised cert policy.

concerning NoScript/ABE and some other features - maybe effective but to complicated for real usage, far away from click and set.

ofc it does

maybe this results in a vs b extension but for true there are differences between those extension which can be measured. the major problem for adblock (plus) is the heavy waste of memory, ublock dont. the basic security from umatrix is much more than noscript whithout spending any click about as Jarmo also mentioned

@rm22 same advice for you drop Disconnect and get more familiar with the u-series.

i dont think so, for me it was easier to determine missing elements as with noscript - due the "matrix"
but for sure you can set defaults within uMatrix in the beginning

xhr = popups, other = misc content like video/audio in most cases.
for subdomains you can use "inherit"
(the block events are not really necessary because the general * * * block rule but it helps to understand)
if you you want to deny popups by default set xhr to block.

thee is one simple way to determine blocked content which is needed, see picture here
https://github.com/gorhill/uMatrix/wiki/Very-bare-walkthrough-for-first-time-users
if number is > 1 then its a needed content, any other is a one-time shot for ads or other crap
sometimes ajax.googleapis.com or apis.-google-com are needed - for eg drop down menus

blacklisted domains are found in the internal hosts file (in uMatrix and uBlock, enable in uMatrix, disable in uBlock if both installed)
https://en.wikipedia.org/wiki/Hosts_(file)

i had also some problems when using uMatrix the first time - although i knew it from my early chrome steps. meanwhile i am on a deny/allow policy and ofc this makes more work to me.

uBlock has some really nice new feature since its latest beta - it can block scripts by content - although other scripts are allowed. *awesome*
read here for infos
http://forums.mozillazine.org/viewtopic.php?p=14351075#p14351075

back to topic

my experience outside forums is complete different, the majority i know use some adblocker but no script blocker. i can understand that. at first it needs attention for some people its waste of time and the rest of their security concept is proper enough to catch failures. they dont care about exploit kits in memory. more extensions makes the browser more slowly, thats another fact.

but like the thread with installed security software you can read here that people have installed redundant extensions. but its like all security software: more does not protect more.
you can filter websites to death.

btw Disconnect and Ghostery are phoning home either you want or not. they collect anonymous data and sell it to 3rd party to optimize their technics and portfolio. this is the price for more "privacy".

Cheers

 

Same here, creating custom rules is just as bothersome as creating rules for a firewall, too much work, too little security in return. Just not worth it.

 

NoScript with top-level sites temporarily allowed, Origin uBlock, Cookie Controller, UA Control.

 

if you prefer wrong site creating
au contraire - changing the UA would point you out of the masses

 

Actually uMatrix isn't more difficult. You don't have to whitelist one cell after the other but you can use it similar to Noscript. It's explained on this HTTP Switchboard wiki site and it's still relevant to uMatrix.

 

I use it with the others to decrease the browser fingerprint following Panopticlick.

 

OK, thanks. I'll have to experiment.

 

Panopticlick is futile. most servers dont care about you, but some use other methods to determine who you are.
its not "i have something/nothing to hide", but UA changer is pretty pointless.

HTH

 

They don't care but will use other methods. That sounds like a contradiction to me.

 

Disconnect is completely superfluous as uBlock Origin also offers the Disconnect filterlists. Alternatively you can also manually add them to uMatrix:

Code:

https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_malware.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt

 

Read the whole thread and I am surprised at how it appears few use uBlock Origin itself to block scripts -- many report using uBlock Origin, but along NoScript (I have even seen ScriptSafe mentioned elsewhere). There is no need to go full uMatrix to control scripts on a page.

If someone was asking me an alternative to NoScript, my first recommendation would not be uMatrix but rather uBlock Origin in advanced user mode -- you immediately gain point-and-click per-scope script unblocking layered on top of a generic blocker (EasyList + EasyPrivacy).

Anyway, that's how I am currently blocking scripts, all 3rd-party scripts (and 3rd-party frame) are blocked by default.

 

Thanks for the reply gorhill. I was playing around with those settings earlier today.

 

idd. thats why i recommend umatrix for the more granular filtering - and it makes filtering for me more easy by clicking into the matrix.
i think its possible to block same granular in ublock, i never did in "my rules"

would that be possible in uBlock?

Code:

www.wilderssecurity.com google.com 3p-script block
www.wilderssecurity.com bing.com 3p-script allow

 

Yes it is possible to configure it that way.

 

I just basically mostly use local noop rules using the UI. But this tells different: https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-rule-syntax
The line:

 

You can use hostname based ruled explained on that page.

EDIT - you are right: for hostname based rules 3rd parameter is always *

 

No, it would have to be:

Code:

www.wilderssecurity.com google.com * block
www.wilderssecurity.com bing.com * noop

 

@Brummelchen I know uBlock Origin has simular functionalities as RequestPolicy, but I can never get used to the way uBlock works. Making it "default deny" is way easier on RP then UB. I tried uMatrix too and no matter what I did, it would always allow scripts and images, and I had to first enter a website so that I could then block what I wanted.

I use https mainly because of their observatory. The second reason is that it's easier to establish https connections to webistes that provide such.

 

yes.
I use ublock origin.

 

• * * * block
• * * cookie block
• * * css allow
• * * doc allow
• * * frame block
• * * image block
• * * script block
• * 1st-party * allow
• * 1st-party frame allow

The above settings are quite paranoid restrictive. Much of the practical usability of browsing is destroyed. To go that far why not remove also the global 1st-party frame allow rule.

If you want to allow 1st-party images, add * 1st-party image allow rule. And for scripts * 1st-party script allow.

For anyone reading this post, you can play with your settings in Sandboxie without messing your real install rules. They will be temporary and gone after the sandbox is deleted.

 

@Jarmo P Again, no matter what I did, it would always allow first (not mattering if it's first party or not) and then I'd have to block everything, piece by piece (having to obviously let uMatrix allow everything first). That's why I use RP nowadays, because it blocks everything by default (as long as you remove the "International" checkmark the first time RP starts).

 

With the above rules, you won't see any images or scripts allowed. No avatars for instance in wilders.