Food for thought: safe browsing and blocking scripts

I also don't know how SK does it, but I noticed that it will never allow any scripts that are blocked by Ghostery, which is a good sign.

 

I never use script keeper in relaxed mode. I use normal mode which gives me pretty granular control of JS on the fly. I find it easier to use then noscript in this regard but it is pretty much the same. For ebay, I manually add the related domains to make it work after first allowing ebay.com and then seeing the list of what else is blocked.

 

It will extracts the three first characters of the domain name and tries to find a sequence of the three characters in the candidate hostnames. For example, "twe" out of "tweakers.com" will cause all hostnames with "twe" somewhere in their name to be whitelisted.

I believe it's a good approach for users who would otherwise not block scripts.

 

IIRC, uMatrix is default-allow mode by default so I can't understand why it bothers people, especially those Wilders guys.

 

The "Security Tests" of Opera + Scriptkeeper is poor in comparison with:

a) Chrome
b) Firefox + Noscript

http://www.browserscope.org/

 

On 1st-party only. Although I do agree it shouldn't bother anyone how it defaults, because it's very easy to configure to suit one's needs, ranging from very permissive to very strict. The feeling I get is some don't understand the difference between global permissions and per Domain permissions, and how setting these two categories up can make a huge difference in the trade-off between convenience and security.

on browserscope tests...

 

I agree. Every user should actually read the already mentioned old HTTPSB wiki page and the (unfortunately unfinished) "Very bare walkthrough for first time users". The uMatrix documentation is certainly incomplete as gorhill has been understandably very busy with uBlock in the past months. I'll see if I will find the time to add something ...

 

I had to have Scriptkeeper allow javascript for browserscope.org to run the security test. With it enabled it was 12/17. Since I couldn't run the test without bypassing Scriptkeeper, the results are not accurate and the same as having no script blocker. Testing it on www.browserleaks.com gives me great results. There is very little information that can be fished from Opera with Scriptkeepr in normal mode other than IP, OS and browser and Opera Presto allows me to fake that.

 

In relaxed mode, SK will break less sites, so you will have do to less white-listing, it's pretty cool. And let's say it will allow some unwanted script, then there is always Ghostery to block it.

 

Yes, that's what I figured, but it sometimes also allows other scripts which are clearly not related to the name of the website, so I wonder how it does that?

I will give some examples: on the first link it will allow google.com, and googlecode.com, but not api.google.com. On the second site it will allow yimg.com. On the third link it will allow vimg.net. On link 4, it will allow tigcdn.com and api.demandbase.com. On link 5, it will allow rackcdn.com. These sites are not on the standard white list. Can you find anything inside the code that explains this?

http://www.infoworld.com/article/2894522/security/10-security-startups-to-watch-in-2015.html
http://download.cnet.com/8301-2007_4-57621474-12/first-look-vivaldi-browser/
http://hollywoodlife.com/
http://www.vmware.com/nl
http://littlemix.wikia.com/wiki/Jade_Thirlwall

 

So it seems SK is allowing some content unpredictably? That doesn't look to be a good thing, does it Personally, when it comes to script filtering, I like the feeling of certainty. In my case it allows what it should, and it blocks what it should, according to its configuration.

 

I think it only applies to "relaxed mode". In normal mode, it is default deny. What I like about it most it that it has a widget that has the number of scripts blocked. For some sites, the number is frightening. And once you allow the top level domain, you get all the other domains whose scripts are called by the top domain's scripts. The information is as important as the blocking and you quickly know what sort of site you are dealing with.

 

I also don't really get it, but I do think there must be some logic behind it. But that's why I use it together with Ghostery. All trackers that are missed by SK are blocked by Ghostery. But like I said before, this always never happens, it's actually SK that's blocking most of the stuff, it seems to have a faster filter mechanism.

 

whatever SK allowed from those 5 links you posted, uMatrix blocked as expected because of the way it's configured. BTW, I globally block cookies, scripts, XHR, frames and Other on all domains, except on 1st-Party I allow cookies, Scripts, XHR. Most of the hosts filters are enabled. I have chromium's phishing and malware protection disabled, as well as the other Privacy options. After much experimentation, this is the configuration I've finally settled on that comes closest to offering me the balance of security and convenience I've sought. Also, I'm not suggestion it's better than SK, because I haven't used it, so there's no way I can compare it to anything else. All i know about it is based on your posts.

EDIT

of course I forgot to mention I use it in conjunction with HTTPS Everywhere.

 

Some criticism to your settings wat0114 and my thoughts:

When you now whitelist a 3rd party scope, you will not be whitelisting anything! With all those global block rules you have made it non existing feature to you. Leave them light red is my advice. With global rule: * * * block you will get the same protection but not that bother of needing to go to matrix all the time.

To me the sound idea to use uMatrix is quite the same as any other simpler blocker. If I whitelist a scope, I will allow most with that whitelist. That I still leave cookies and frames blocked is just my choice and an added protection that uMatrix offers over simpler blockers. Now if I whitelist a 3rd party scope I will allow to that domain plugin, script, xhr and other.
Whitelisting a domain is to me the the way to go.

My choice of blocking cookies is that they are seldom needed so that they would brake the site and frames also are not as common. Blocking them globally is to me only an added secondary security/privacy protection without too much bother.

 

To be honest, I haven't got enough knowledge about "first and third party" scripts, so at first I thought that SK was somehow able to recognize if scripts were loaded from the same server. Sounds a bit silly probably.

Yes correct.

 

It isn't about which one is better, uMatrix is probably more advanced, but I find SK easier to understand and to operate. And the reason why I called uMatrix "complex", is because I still don't really get the "scopes" feature. I personally like to make global rules, so if I white-list "apis.google.com", it should then be loaded on any site.

Another thing is, that I couldn't figure out how to make stuff work on certain sites. On the first link, I can't make the YouTube videos work. On the second link I don't get to see the content on the page. Even after white-listing stuff. Of course with SK's relaxed-mode there are no problems, and I don't have to white-list anything. I don't get it.

http://jetsetmagazine.net/jetset,mag/dorra-zarrouk.16.3037.html
http://www.rtlxl.nl/#!/gemist

 

It's working fine for me. I can whitelist whatever I need whether it be globally for 3rd party content required for several 1st party sites, or per domain when I want more granular control. My ruleset is, in fact, now at the point where I'm rarely having to whitelist anything.

 

You can yes make your own rules to the sites you regularly visit with that setting you are using too. And once you have made them, it no longer matters. Because it is a one time job. Your matrix based rules might look a bit more explicit or dirty, but that does not count I think for anything.

Where it matters is when not making permanent padlocked rules. When you need to make temporary rules each time you surf with your browser some unknown sites to make them work and how convenient unblocking them is. Browsing sandboxied you can't make permanent rules, except with maybe some possibly vulnerable special exception I will not make to SBIE. Also I don't think it is such a good idea to make permanent rules to every site you visit. But it is still a better idea than make permanent rules with NoScript, because uMatrix has a scoped rule structure.

Notice your all-button is either not working because of the global rules for each category. You have effectively disabled everything else except the matrix.

The setting tlu gave in the post #132 with the link Very bare walkthrough for first time users gives a much more flexible way to operate uMatrix.

 

This might help, with NoScript, allow.

For the first link: youtube.com, ytimg.com and jetsetmagazine.com.
For the second link: rtl.nl, rtlxl.nl and visualwebsiteoptimizer.com.

Bo

 

]

Any temp rules I create can either be undone with a click of the undo cell or enforced with the padlock cell. I use firejail sandbox which works differently than sbie, in that rules I create are kept when I close the sandboxed browser (Chromium).

Code:

Notice your all-button is either not working because of the global rules for each category. You have effectively disabled everything else except the matrix.

It works. I just chose to allow all scopes other than the hosts file blacklisted ones. Instead I use the content columns to enforce rules.

That could be and probably is the case, and I ran uMatrix it similarly a while back, but then I just settled on my current setup. It's comfortable for me. The beauty about this scrip blocker is one can tailor it for their needs/comfort level.

 

Yes

 

There is a few things I say what to do. And understand that we people using uMatrix are quite security conscious.
These are easy steps to use and not very secure or something we would follow:

After you have installed it with the default settings.
You allow all, there is a "button" for that. Some of the Bo's advices might work too and be enough, then again he is using a simpler blocker with some of his preset allowances in the fox. Whatever you will see in the matrix what is blocked.

Not even then working? There might be some frames blocked, you allow them too.

If not working it is the hosts files blockings. Then you need to uncheck some of them or their blacklisted sites or an easier solution you disable the matrix filtering for that domain you are surfing alltogether and so curious what to see in those pages. Thats it.

If you allowed all that you should see all the media you so much wanted. Even then you have allowed all the crap that site might contain from only that site. You go to another site and settings will be same default restrictive. The crap you allowed might or not do the damage.

Hosts files can be difficult at times. And uMatrix is certainly not for everyone whining this and that.

 

Yes, that is what I figured, but it didn't work, I forgot that uMatrix is also blocking frames and stuff. But guess what, even allowing frames didn't fix it.

The only way I could make stuff work on both pages, was indeed to allow everything, and that is exactly what you DON'T want to do. That's why I think SK's simple approach is better, but it's not for everyone, some people want even more control, and don't mind spending a lot of time having to fine tune stuff.

 

Opera 12.17 + Scriptweeder:



Firefox + Noscript: