Wilders Security Forums  

  #26  
Old November 20th, 2011, 06:59 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: ScriptNo: Discussion

I think it is fair to note that:

Quote:
XSS protection?
Clickjacking protection?
CSRF protection and WAN-LAN boundary protection?
Ability to force HTTPS security on sites that should have it (your bank), but may carelessly send insecure cookies?

XSS and CSRF are built into Chrome by default. Thankfully the WebRequest API will take care of HTTPS forced requests and we'll see how clickjacking gets taken care of in the future if at all.
__________________
  #27  
Old November 20th, 2011, 08:22 PM
jdd58 jdd58 is offline
Frequent Poster
 
Join Date: Jan 2008
Location: Iowa
Posts: 415
Default Re: ScriptNo: Discussion

The latest experimental version is working very well now. No more "aw snap" browser crashes on certain sites.

One thing I like is how all the options are on one page instead of tabs as in NoScript. Maybe the options page could be made wider to fit on a wide screen monitor.
  #28  
Old November 20th, 2011, 09:00 PM
dw426 dw426 is offline
Massive Poster
 
Join Date: Jan 2007
Posts: 5,543
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by guest
rofl.

As long as you don't attack SmartScreen, I agree.

You're not helping with that attitude, lol. Smartscreen isn't God's gift to security or anything magical, it's just software. It can succeed and it can fail, and has failed numerous times.
  #29  
Old November 20th, 2011, 09:30 PM
vasa1 vasa1 is offline
Massive Poster
 
Join Date: May 2010
Posts: 3,988
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by ShirleyUGeste
...
care to comment, Sir or Madam? all ears here.... tnx

ShirleyUGeste sounds very much like Surely You Guessed (who I am) maybe after a couple of pints to get the slurry stuff right. Anyway, it's ironic to see an anonymous poster attack a software dev for not being known.
__________________
One can't be too rich, too thin, or too secure
  #30  
Old November 20th, 2011, 09:36 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: ScriptNo: Discussion

Oh, hm, I thought it was Surely you Jest because their post was hilarious.
__________________
  #31  
Old November 20th, 2011, 09:41 PM
vasa1 vasa1 is offline
Massive Poster
 
Join Date: May 2010
Posts: 3,988
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by Hungry Man
Oh, hm, I thought it was Surely you Jest because their post was hilarious.

I went with the other one because posting with another id has been done on the AdBlock Plus forum in the past. There, they, the ABP guys, pointed it out with details.
__________________
One can't be too rich, too thin, or too secure
  #32  
Old November 21st, 2011, 01:23 AM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: ScriptNo: Discussion

http://forums.informaction.com/viewtopic.php?f=8&t=7475

The creator put hours of work into his responses and we were PMing as well. I think lots of Wilders might be interested in reading our back and forth and I'm sure there will be more tomorrow.
__________________
  #33  
Old November 21st, 2011, 02:19 AM
guest
 
Posts: n/a
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by dw426
It can succeed and it can fail, and has failed numerous times.

And has succeeded more times than failed, arguably.

@Hungry Man

Tom T isn't Noscript's creator. Giorgio Maone is the creator and Tom T is only a moderator/support team member/whatever name you give to a dedicated fanboy that works for free.

And I saw this on your last post: "I read this a lot - my hacker friends and my security researcher friends have very very different ideas about security haha I'm not always sure that this statement is quite right."

Elaborate, please.

Last edited by SirPeterPan : November 21st, 2011 at 02:24 AM.
  #34  
Old November 21st, 2011, 02:21 AM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: ScriptNo: Discussion

Agh, I'm very tired. I definitely know he's not a dev and is just a mod.

Quote:
"I read this a lot - my hacker friends and my security researcher friends have very very different ideas about security haha I'm not always sure that this statement is quite right."

My hacker friends look at a hack very differently than my researcher friends. They have different standards for what's legit and what isn't.

Having the know-how for attacking doesn't mean you're the best man to defend. Having the know-how for defending doesn't mean you're the best man to attack.

They're different games played on the same field.
__________________
  #35  
Old November 21st, 2011, 07:06 AM
guest
 
Posts: n/a
Default Re: ScriptNo: Discussion

And who succeeds more often?
  #36  
Old November 21st, 2011, 10:20 AM
andryou andryou is offline
Infrequent Poster
 
Join Date: Nov 2011
Posts: 20
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by ShirleyUGeste
noscript forum challenged ScriptNo. here's part:

Quote:
Originally Posted by Tom T.
"You’re so mysterious. Who are you?

I’m a recent honors graduate from a business technology program from a university in Toronto, Canada, graduating with over 20 months of full-time work experience due to my co-op terms with world-class organizations such as CIBC and Canada Pension Plan Investment Board.

Whereas Giorgio Maone has 20 years, not months, in developing, and freely gives his real name, e-mail address, company address and telephone number. You would trust an anonymous person to take complete control of your browser? What is he so afraid of?

and more, there were links about the various features listed:

the whole thing is here:
http://forums.informaction.com/viewtopic.php?f=8&t=7475

care to comment, Sir or Madam? all ears here.... tnx

Hi,

In response to the quoted statement, attacking or degrading a developer who invests time and effort into creating and maintaining a project (for free with no guarantee of donations) based on his or her age does not help any cause and in fact lowers the morale of the developer. It is a form of discrimination (ageism), and the skills/qualities/integrity of a developer cannot be judged on age alone. I'm not attacking Giorgio or NoScript by mentioning this (I truly respect the man) but can anyone remember "NoScript's Black Friday", the time where obfuscated code was inserted into a NoScript release in order to disable part of Adblock Plus' filtering capabilities? http://hackademix.net/2009/05/04/dea...lla-community/

I, for one, had forgiven Giorgio right after I had read his apology a couple of years ago and believe he is an excellent developer and that NoScript is a great contribution to the Internet.

I've taken a deep breath and clicked on the link to read more, and here's what immediately follows Tom T.'s little blurb above (I've read through the rest of the topic and was glad that there were no more personal attacks):

Quote:
Originally Posted by Tom T.
(I prefer to keep my privacy because I'm not responsible for the coding or behavior of NoScript, and like the rest of the support team, am an unpaid volunteer. It's Giorgio's name and reputation on the line, and he's willing to put it there for the whole world. Why doesn't this recent college grad do the same? ... just a thought.)

I prefer to keep my privacy because while I am responsible for ScriptNo, I am cognizant of many different possible scenarios if I did put my real name, e-mail address, address and telephone number out there. I can think of one based on some responses and reactions to the ScriptNo project so far => hate messages/mail.

I have put my best into ScriptNo, and I strongly believe in: transparency (hence why I put the entire source code for each new release available for scrutiny on Google Code), communication (timely and detailed), and service (why I created this topic and why I respond to questions via email, forums, or the webstore frequently).

As for the second question, ScriptNo is limited by Chrome's API (as we all know), and as mentioned, some of them are integrated in Chrome itself. I've been in touch with a Chrome developer who is directly involved with the WebRequest and ContentSettings APIs.
  #37  
Old November 21st, 2011, 10:36 AM
vasa1 vasa1 is offline
Massive Poster
 
Join Date: May 2010
Posts: 3,988
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by andryou
Hi,
...
I have put my best into ScriptNo, and I strongly believe in: transparency (hence why I put the entire source code for each new release available for scrutiny on Google Code), communication (timely and detailed), and service (why I created this topic and why I respond to questions via email, forums, or the webstore frequently).
...

Hey, don't worry and don't get discouraged by some anonymous attacks. Your code is open and that's what matters. I don't understand the sharp reaction from these anonymous sources who obviously don't want competition from anyone even if it's for a browser that isn't covered by them.
__________________
One can't be too rich, too thin, or too secure
  #38  
Old November 21st, 2011, 11:21 AM
Daveski17 Daveski17 is offline
Massive Poster
 
Join Date: Nov 2008
Location: Lloegyr
Posts: 5,321
Default Re: ScriptNo: Discussion

@andryou

I think that you are probably wise in not revealing too much about your identity, exactly for the reasons you state.

I would also like to say that I admire your attempt at a NoScript type extension for Chrome. Although my knowledge of computers is a trifle basic, I am also aware of some of the problems of making an exact NoScript equivalent for Chrome.

Unfortunately ScriptNo didn't work for me when I tried it & eventually it crashed & burned Chrome. Because of that, I will admit to being guilty of calling it a few rude names at the time LOL! ...

However, I fully understand that it is in many respects experimental & I think eventually it could be pretty good, I liked the UI & overall look. I think it was an improvement on 'NotScripts' & I would consider trying ScriptNo again in the future after more development.

Good luck for the future.

Dave
__________________
Quis custodiet ipsos custodes?
  #39  
Old November 21st, 2011, 11:30 AM
andryou andryou is offline
Infrequent Poster
 
Join Date: Nov 2011
Posts: 20
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by Daveski17
Unfortunately ScriptNo didn't work for me when I tried it & eventually it crashed & burned Chrome. Because of that, I will admit to being guilty of calling it a few rude names at the time LOL! ...

Thanks vasa1 and Daveski.

@Daveski: ScriptNo not working for someone is the last thing I want to hear! What OS are you using and what symptoms occurred? And no worries.
  #40  
Old November 21st, 2011, 11:52 AM
Daveski17 Daveski17 is offline
Massive Poster
 
Join Date: Nov 2008
Location: Lloegyr
Posts: 5,321
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by andryou
Thanks vasa1 and Daveski.

@Daveski: ScriptNo not working for someone is the last thing I want to hear! What OS are you using and what symptoms occurred? And no worries.

I tried it on my Belnea o.book (Notebook) running Vista (32 bit). ScriptNo just didn't block any scripts, almost as if it was not working. I then uninstalled ScriptNo & re-installed after initiating Experimental Extension APIs in about:flags.

Then Chrome just kept crashing, in fact I had to make a clean install of Chrome. It didn't work on SRWare Iron either.

I had other extensions, if that is significant. ABP, Flashblock, Ghostery, Google Dictionary, IE Tab, Readability, WOT & Trust My Web.

I tried disabling these one by one & there was no effect on ScriptNo not working.

I am at a loss as to why it was such a problem.
__________________
Quis custodiet ipsos custodes?
  #41  
Old November 21st, 2011, 01:40 PM
dw426 dw426 is offline
Massive Poster
 
Join Date: Jan 2007
Posts: 5,543
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by Daveski17
I am at a loss as to why it was such a problem.

I'm not, your computer is always having some sort of issue. Yahoo kept you down a good long while. Your system and mine are probably two of the pickiest systems on this big chunk of rock we call a planet. (Just a note, I'm not having issues with ScriptNo myself, just having a little fun with Dave here.)
  #42  
Old November 21st, 2011, 02:06 PM
Daveski17 Daveski17 is offline
Massive Poster
 
Join Date: Nov 2008
Location: Lloegyr
Posts: 5,321
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by dw426
I'm not, your computer is always having some sort of issue. Yahoo kept you down a good long while

Yeah, but everyone has problems with Yahoo!, that's nothing unusual.

Quote:
Originally Posted by dw426
Your system and mine are probably two of the pickiest systems on this big chunk of rock we call a planet (Just a note, I'm not having issues with ScriptNo myself, just having a little fun with Dave here)

Maybe we're jinxed in some way?
__________________
Quis custodiet ipsos custodes?
  #43  
Old November 21st, 2011, 02:44 PM
EboO EboO is offline
Frequent Poster
 
Join Date: Mar 2011
Posts: 287
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by Hungry Man
I think it is fair to note that:



XSS and CSRF are built into Chrome by default. Thankfully the WebRequest API will take care of HTTPS forced requests and we'll see how clickjacking gets taken care of in the future if at all.

Which extensions offer these possibilities, please?
__________________
Wait and See
  #44  
Old November 21st, 2011, 04:17 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: ScriptNo: Discussion

They're built in. No extensions necessary for XSS and CSRF.
__________________
  #45  
Old November 21st, 2011, 04:22 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by guest
And who succeeds more often?

Most hackers don't become defense guys. Most defense guys don't become hackers.

Quote:
Originally Posted by andryou
I prefer to keep my privacy because while I am responsible for ScriptNo, I am cognizant of many different possible scenarios if I did put my real name, e-mail address, address and telephone number out there. I can think of one based on some responses and reactions to the ScriptNo project so far => hate messages/mail.

And I think your privacy should be respected. That's what I told Tom as well - we can see your code and that's what's important. I don't see accountability as a security necessity, in my experience it doesn't work.

He later elaborated that his issue is that ScriptNo shares a very similar name to NoScript while not providing the full feature set and he thinks users might get confused.
__________________
  #46  
Old November 21st, 2011, 05:48 PM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,454
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by Hungry Man
[...]
He later elaborated that his issue is that ScriptNo shares a very similar name to NoScript while not providing the full feature set and he thinks users might get confused.

Psychiatrists exist for a reason - to help people solve their issues.

That aside, I came to realize that a conversation between web developers can be quite cumbersome.

This would be a possible dialog:

Developer A: Do you think I should use noscript?
Developer B: Why not? It works great.
Developer B: It blocks scripts, Java and a few other stuff. It also forces https.
Developer A:
Developer B:
Developer A: Are you joking with me?
Developer B: No...
Developer A: I think you are...
Developer B: Well, I'm not. Noscript does all that. What's your doubt?
Developer A: I just didn't realize the noscript tag allowed all that.

So, who came up first with the term noscript?
  #47  
Old November 21st, 2011, 06:32 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: ScriptNo: Discussion

I suppose. But when most people see an extension called ScriptNo they don't think "oh it's like those tags" they think "oh it's like that other extension called NoScript." I can see his issue with it.

Still, like I told him the ScriptNo page makes no claims to provide all of the protections available to NoScript and it merely states that it borrows some concepts.
__________________
  #48  
Old November 21st, 2011, 11:49 PM
vasa1 vasa1 is offline
Massive Poster
 
Join Date: May 2010
Posts: 3,988
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by m00nbl00d
...So, who came up first with the term noscript?

Don't know. Don't care. But we've all seen this:
http://www.w3schools.com/html/html_scripts.asp
__________________
One can't be too rich, too thin, or too secure
  #49  
Old November 21st, 2011, 11:50 PM
vasa1 vasa1 is offline
Massive Poster
 
Join Date: May 2010
Posts: 3,988
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by Hungry Man
...
He later elaborated that his issue is that ScriptNo shares a very similar name to NoScript while not providing the full feature set and he thinks users might get confused.

But there wasn't need for the ad hominem stuff.
__________________
One can't be too rich, too thin, or too secure
  #50  
Old November 22nd, 2011, 12:00 AM
vasa1 vasa1 is offline
Massive Poster
 
Join Date: May 2010
Posts: 3,988
Default Re: ScriptNo: Discussion

Quote:
Originally Posted by Daveski17
I tried it on my Belnea o.book (Notebook) running Vista (32 bit). ScriptNo just didn't block any scripts, almost as if it was not working. I then uninstalled ScriptNo & re-installed after initiating Experimental Extension APIs in about:flags.

Then Chrome just kept crashing, in fact I had to make a clean install of Chrome. It didn't work on SRWare Iron either.

I had other extensions, if that is significant. ABP, Flashblock, Ghostery, Google Dictionary, IE Tab, Readability, WOT & Trust My Web.

I tried disabling these one by one & there was no effect on ScriptNo not working.

I am at a loss as to why it was such a problem.

Just to give you company, I've put my beloved Privoxy aside and installed this much-maligned ScriptNo. And ... no crashes, no hangs so far. Though it must be said I have a poor record as far as browser instability goes. Fx and Chrome just can't be bothered troubling me.


Plus there's the stability of Linux (gratuitous plug here). When are you joining us on the dark side, Daveski?
__________________
One can't be too rich, too thin, or too secure
 

All times are GMT -4.