Browser scope security tab

http://www.browserscope.org/?category=security

Compares features, not strength

 

tkx

noscript enabled



noscript disabled

 

Doesn't work without JS? To all NoScript haters: it's still useful even if put into global allow...

 

does work without JS, is just the difference in the security score for FF, whilst Chrome does not have NoScript and scores higher

 

I can't run it with javascript blocked. I press the icon on the security test page, and nothing happens. I guess javascript is needed in order to run the test.

 

Well I tried with firefox and noscript (not whitelisted) and the tests don't work for me at all...

 

me bad - 1st screen noscript enabled (as add-on) and temp allowed that page = score 15/17, 2nd screen noscript disabled (as add-on) = score 12/17

 

Yes, you have to allow js for the site. The 15/17 score applies to the situation where scripts are globally allowed in Noscript. See also http://hackademix.net/2010/11/13/browserscope-update/

 

I am just opposing the nonsense the author tells at his website "Noscript makes the safest browser even more safe"

When you are happy with Noscript, stay happy an keep on using it. No problem, but remember what the author did some time ago http://www.neowin.net/news/war-between-adblock-plus-and-noscript-money-on-the-table when he was using the (now closed backdoor in FF) reason https://bugzilla.mozilla.org/show_bug.cgi?id=519357 and fix https://developer.mozilla.org/en/Migrating_raw_components_to_add-ons explanation http://blog.mozilla.com/security/2009/11/16/component-directory-lockdown-new-in-firefox-3-6/

 

concur. this drive by sample https://www.wilderssecurity.com/showthread.php?t=287120 happens even with NoScript. as long as the basic security concept of FF is not improved, such as sandboxing and thread isolation for tabs/add-ons, there is little NoScript can do. it tells a lot about a browser being in need of such add-on at all

 

That's just a link, has got nothing to do with JavaScript, it'll only prompt for download if you click the link, same happens with Chrome or any other browser.

 

Chrome would download it - true - that after a download confirmation box gets displayed, but in FF it would get executed (as shown in the screen shot there), if no proper countermeasure in place. Bet that a lot of FF users do not know about NoScript, giving up after a short while as too invasive to their browsing habits, trouble to fine grain all the NoScript options. Another point is that any site being white-listed in NoScript can become poisoned with malicious code, in which case NoScript renders useless.

 

The correct quote is "There's a browser safer than Firefox... ...it is Firefox, with NoScript!". I didn't find anything where he was saying Firefox was the safest browser. And even if he did, he'd surely only wrote that before Chrome was released.

I remember but I'm not unforgiving. Everyone screws up eventually. He made a big mistake but admitted it and since then he's continued to earn my and a lot of other user's trust again. Please read his full reply if you haven't:
http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/

This isn't a drive by, it's a Trojan. Executing that means you don't have the least clue of security and deserve everything you get. And exactly the same would happen in every other default browser configuration.
I agree that there's a need to improve the Firefox codebase. I'm pretty unhappy with mozilla's priorities:

However your judgment of what NoScript can do is blatant nonsense. Please check how many exploits (real browser exploits not Torjans) are stopped by NoScript vs how many exploits are there that don't require scripting or plugins. Regarding your last comment: Chrome got NotScripts, so?

 

and that would be the majority of the internet users today

download gets executed in FF without user interaction, it does not in Chrome or Opera. it even commences the download in FF without consent, not so in Chrome or Opera.

how many?

so what? bare Chrome is safer than FF with NoScript. for any white listed site in NoScript become infected NoScript would be useless. NotScript for Chrome might not live very long if the Chrome dev keeping up the pace of fixes and new security measures. And neither would NoScript for FF, if the dev of the latter would focus more on the core security of the browser.

 

No it won't, first it needs JavaScript, second there is a download prompt:

 

what is the point in that? any browser with JS off will not be downloading it.

disable flashget. then you will get a persistent JS box generated by the webpage, which will only go away when clicked ok to download (that is new, before the download would just commence when clicking the image - see also OP in the other thread) - so far all the same in any browser. now any other browser would ask download confirmation, but in FF does too with the exception that the download just commences (without user interaction - not pressed the SAVE FILE button) and it is even tried to open the file instead of saving

 

http://www.mozilla.org/security/known-vulnerabilities/firefox36.html
only counting critical vulns since 3.6.4 we have 29 in total
19 would definitely be blocked by an enforced NoScript. Most likely quite a few more but that would require looking into it in more detail (for example "memory corruption" or "miscellaneous memory safety hazards" which doesn't tell me right away if it depends on plugins/JS).
The only vulns that are definitely not blocked nor mitigated by NoScript are the dll loading issue (thanks MS for sloppy coding^h^h^h backwards compatibility). I consider that one not so critical as it's more of a local/lan attack (remote code execution would need to be staged which minimses its effect, i.e. zip file containing dll and html, then the user needs to be tricked to open that html). Second vuln that caught my eye was a buffer overflow in libpng (=not mozilla's code and not the first of its kind). A sandbox is the best security against these kind of exploits but EMET should take care of it as well.

Opinions. Nothing more unless you give me something more.

Anyway apart from security No(t)Script has it's uses. For devs, malware research, privacy or simple to extend battery life...

 

You said:

It will start downloading in temp folder(that's the way FF works) but it won't open it unless you tell it to.

 

@ KATIO

you are making the point perfectly - if the FF dev would not be so sloppy about the browser security there would be no need for something like NoScript (security features). it is no use in the case described here and may plant a false sense of security or being hip by using FF with NoSrcipt. It is for the browser vendor to implement proper security in the first place.

the thread is about security not about whether No(t)Scripts benefits devs, malware research, privacy or simple to extend battery life...

 

that behavior allows the file to enter the system even prior consented (pressing the SAVE FILE button) by the user

 

IMO, Firefox extensions are the main reason why Mozilla developers won't implement serious security boundaries to Firefox. If users don't complaint, why should they bother?

For example, would it be so damn hard to provide the equivalent to IE Protected Mode?

The same way for Opera. For to long, stuff like it's the most secure really freaked me out. Let it be the main browser from night to day, and we'll all see how secure it really is.

 

I disabled Flashgot and I now get this:

When you press "Cancel", it'll be deleted.

 

until then the file is being delivered to your system

 

Neither should be sandboxing and tabs/extension isolation as in Chrome. But you are right, as long as the FF user believes to use a safe browser there will be no change. perhaps only a decline of the global user base would make them change focus, yet I do not see this going to happen

 

I don't know how you conduct the test but that's how it looks here with a fresh install of 3.6.12, no NoScript, no extensions
http://i55.tinypic.com/2hcgpqe.png
http://i56.tinypic.com/b9byq1.png
http://i54.tinypic.com/rbldu0.png
It won't be executed until you manually open the download folder and double click on the exe.

@vtol
You don't NEED NoScript in order to use Firefox safely.
Those security vulnerabilities offer a possible way to attack Firefox, "memory hazards" for example _may_ result in a buffer overflow but who says it will result in reliable code execution with ASLR, DEP and so on and not just crash the browser?
Do you know if any of said vulns were actually exploited as a 0day and not just privately reported by white hats?
You do know which vulns are the most exploited, right? It's Flash and Java (and of course those long patched IE6 ones). Chrome can't mitigate Java exploits at all and flash sandboxing is only 8 days old http://src.chromium.org/viewvc/chrome?view=rev&revision=66022
which hasn't landed in stable yet.

But the most common so called "drive bys" are Torjans as in our example. For ordinary user an AV will pick them up so they are safe again, sans sandboxing or scripting whitelist.

Do you suggest Firefox is insecure because of all the vulns that are fixed all the time?
Note how I defended Chrome here first: https://www.wilderssecurity.com/showthread.php?t=286831 The same goes for Firefox too, numbers != security.