Is Firefox Headed Towards A Massive Decline?

I don't think it will go into massive decline, I prefer to use Firefox and I will keep using it

 

Dont care honestly. I've used firefox for years and dont see myself changing anytime soon

 

I can't predict the future, but I hope for a continuous NO.

 

If it comes to browser security it's interesting what Giorgio Maone said about FF vs. Chrome here and here. You might argue that Giorgio is simply promoting Noscript but I think that his arguments are relevant.

 

Even if we ignore the glaring issue that he's the author of NoScript, to regard security from his point of view is incredibly stupid. There are much better ways to deal with such attacks than forcing the user to whitelist every piece of Javascript on the web.

I'll be honest and say outright that while I respect Giorgio for his technical skills, I have none whatsoever for his opinions. All he has said regarding security seems to have one ultimate motive in mind: stir up paranoia among the gullible and uninformed, and present NoScript as the only solution against threats that, though may have been technically described accurately, have also been greatly exaggerated in terms of widespreadness and potential impact, while dismissing other far more practical and viable solutions.

 

Eice, I knew for sure that you would answer that way

But even you should accept that most webattacks are somehow scripting/plugin based and that many (renowned) sites were/are affected by XSS vulnerabilities. Thus, controlling scripts/plugins and filtering XSS on the client side certainly makes sense.

And Giorgio is definitely not alone. If, e.g., somebody like Richard Stallman is critical about JS, security expert Joanna Rutkoska uses Noscript, the CIO of a bank recommends Noscript for online banking and "RSnake" Robert Hansen is also a convinced Noscript user, then these are examples of people who should know what they are talking about. Simply calling them paranoid is definitely too easy.

And as I've said very often, whitelisting your trusted sites once and forever is very easy (and you're still protected against 3rd party scripts and XSS). These are probably the 80% of sites you browse every day anyhow - and Noscript won't ever annoy you again. What's so difficult about that approach?

 

I agree tlu. You and MrBrian talk things I agree! Nice to see because Wilder usually I see bad bad post that I ignore. Why you no post more. And MrBrian too. I use noscript for many year no problem. Very nice. Ok?

 

Not really. It's more of a knee-jerk response. It may make sense for plugins, but Javascript is too ubiquitous to make that a sensible solution.

Richard Stallman is someone who labels Windows 7 and Mac OS X as "malicious". Joanna Rutkowska uses three different virtual machines simply for daily online activities. I don't really think they are good examples; again, while I certainly don't discount their technical savvy, they're even more ridiculous than Giorgio is by far.

Because trusting and whitelisting everything you use is not security.

 

that mean you say user limited with Applocker is not security. Now I go back ignore. tlu wont post again because you just try win argument when you know you wrong. So sad. Ok?

 

Not really. Without JS no XSS. Se here (which is IMHO the same as the Wikipedia article).

Not really. XSS is everywhere. Or see here.

Show me a better way. BTW: I don't whitelist everything I use, certainly not the sites I stumble uipon.

 

You right. It ok. You never win with Eice. It ok.

 

How does that relate to what I was saying?

Giorgio-style propaganda. XSS is here, but it's manageable, and it's nowhere near the pandemic that the NoScripters would have you believe.

That depends on how you define "better". If you define it strictly by security, then obviously nothing beats globally blocking Javascript. If you define it by usability, practicality, and scale it with the actual threat level we're seeing, then IE8 and WebKit present some pretty good solutions, much better than what Giorgio tries to foist people with.

Of the list of "hacked" sites you gave, I tried about 10 before I got bored and gave up. IE8 stopped them all, without the annoyance and intrusiveness of NoScript.

 

Very important for me. I had to whitelist my online banking site to gain full functionality and, despite that, still protected against these type of injections. Main browser (99% of time) is however Opera.

 

annoying to you good for us. In fact good for millions people. And I bored too. Ok? And thanks you for admit we more secure. We happy with more secure and happy browse every thing. noscript also make page load fast since block useless script. Thanks you.

 

Would you mind stepping out of a discussion you're adding not a damned thing to? If you're bored of reading replies and have no interest in hearing out anyone but those who agree with you, then move on. Personally I believe both Eice and Tlu. They both make very good points. Javascript/XSS and those types of attacks have been around for a while, they can be dangerous, and they do need to be watched for. But no, I don't think they are anywhere near "epidemic" proportions, and I don't think NoScript is the end all, be all prevention.

Does it work? Hell yes, and I have used it a long time and appreciate the power and control it can give me. Are there simpler ways to avoid these attacks? Yep, and it's basically all about the browser and its settings. Any good browser doesn't need added tools to make it work properly and securely. NoScript really only shows a weakness in Firefox, not a strength of Firefox.

At the end of the day, security tools are nothing but that, tools. Some work, some don't. Some like certain ones, some don't. But, they, like people, all have differences, and positives and negatives. And, I suggest if you ever want to learn anything, you listen to what others have to say, whether you agree with them or not.

 

Eice, if i may, try to be nicer. I think you got it in you!
I never read it being described as pandemic, or epidemic. What i know is that it still is overlooked by many, and concrete problems do emerge with important websites.
I too would prefer some sort of policy for javascript functions, and let those be whitelisted instead of the whole thing. But.. aside from perhaps Controle de Scripts and Prefswitch, i don't see an alternative, and those two don't exactly come with a comprehensive policy built in.
And i never saw them being really discussed or tested, so i'm left with the safest bet.
It's not that hard or intrusive to use really. Just awkward.

 

Not by other people, and for very good reason. It's hard to mistake Giorgio's tone each and every time he comments on web exploits, though, and his treatment for XSS is no different.

"It's silent and deadly, it's all over and out to get you, no one else can stop it, you need NoScript now now NOW!"

Granted, it's not like the threat of XSS is nonexistent, but his subtle exaggerations to hawk an unnecessary solution is distasteful.

 

Same go for many in this thread. we just state opinion. but as many way in life it "how" you say not "what" you say. It is bad to write rude just because you behind monitor and no one know who you are. Very sad. May be he having hard life then that ok. He can let out heat here ok?

If you read wilder enough then you think all is pandemic or epidemic. Many have many program to protect. noscript no even program but just addon. Relax ok?

 

when did this become a discussion thread about noscript's effectiveness?...

 

"If you read wilder enough then you think all is pandemic or epidemic."
If you read Wilder's enough, you learn what the experts pass along to you as knowledge, and you learn to ignore the few fear mongers.

 

Seriously, it took me quite a bit of self-control to not use your quotes of utter pwnage as my sig, and believe me, it's getting even more difficult every time you post.

 

XSS is highly overrated.

Cross site scripting is not a risk on its own. It is the user who is being spoofed/tricked into think he/she is still on the site they trust. The people who fall for XSS will also fall for click jacking, etc. [1]

I think it is illusive security to think you are protected when the biggest security risk, the user, [2] has to make the block/deny decisions in regard of whitelisting scripts on a per script basis(the advantage of Noscript above Chrome's per site implementation).

The average user can't protect himself [2] from himself [1], becasue the user knowledge is allways the same.

Noscript is good but only in the hands of knowledgeable people. For others simpler solutions like PrevX safe online are far more effective, as an organisational behavior law formulates (used in quality management, user interaction design, change management etc, so it is a proven formula).

Effectiveness = Quality x Correct usage

Discussing the merits of Noscript with all its details for general public usage is like discussing whether my mother of 75 will be at home faster driving a Ferrari testarossa than in her Renault Twingo (with 1.0 engine), during traffic jam peak time, come on get real

Liike Firzen said when did this thread become a Noscript effectiveness discussion?

Regards Kees

 

They really are on the right website you see... Did you understand what XSS is?

http://en.wikipedia.org/wiki/Cross_site_scripting
https://www.wilderssecurity.com/showpost.php?p=1002678&postcount=38

 

There are some things I don't like about FF, but as a lot of others have said, the add-ons and flexibility make it better than anything else I've tried. I've gotten so used to it I can't imagine switching anytime soon. One of the others would have to make the deal pretty sweet.

I've tried the other two seemingly popular ones (Chrome & Opera) and to me they're total crap. But this may eventually change.

 

Speaking of Chrome, I run it along with FF and have been watching it progress. I think it will be a good browser in the future. It is getting more and more like FF though. Their themes are minimal compared to FF's Personas and themes. I have been checking out the extensions too, and only a few interest me. But there are some that would interest other folks too. some are a little dumb. That can be said for some of the FF extensions also. But as I mentioned earlier, I'll favor FF as I watch Chrome grow.