No Script

It seems that many safe sites I visit require a couple of clicks to permit their use with No Script. It is a pain, and I am wondering if No Script is really necessary considering I use a good AV and MBAM Pro?

What are your thoughts on this?

Thanks,
Jerry

 

Hi Jerry, I am a huge believer in NoScript. In the little more than five years that I used NoScript, I haven't seen anything that looks tike malware attempting to run while browsing. Thats how good the addon is. And I wouldn't trade it for nothing (except Sandboxie).

Personally, I never felt using the program is a pain like many people say. For the sites that you constantly visit, you can add what you feel is required for the site to work properly to the whitelist, that way you wont have to be bother with them when you visit the site again. Or you can click "Temporarily allow all this page".

In my personal case, I don't use a whitelist and only allow whats really necessary like when I want to download something from a site like Rapidshare or if I like to attach something in a post or add an smiley or upload a file at Virus total. After using the program for a while, all things regarding NoScript start making sense, you just need to be patient a little.

Bo

 

That's the problem with no script, to view some (many) websites properly you need to allow something and if a good site or linked provider of ads is compromised serving adware/spyware/malware then you are done...

Malware developers are targeting good websites to serve malware... this was not happening often in the past but a common reality today.

So whats the point of running noscript if you need to disable it to view websites? Well... I never understood it. LOL
Best to use other means of control via sandbox, hips and the like...

 

Fax, when you allow a site, NoScript is not disabled, you are just allowing that particular site to run but Flash, other plugins, Java (if you use Java) is still blocked if you have chosen to do so. I do. NoScript also protects against clickjacking and cross site scripting. In my previous post I mentioned never seeing anything that looks lie malware attempting to run while using Firefox, that's a pretty powerful statement and its due to NoScript.
http://noscript.net/features

Bo

 

Go to settings and enable Temporarily allow top-level sites by default. Add ajax.googleapis.com, font.googleapis.com, cloudfront.com, google.com and yimg.com to whitelist and 90% of your clicks are gone.

 

NoScript is less painful if you have a following a routine. I frequent a lot of sites regularly, so I know exactly what to allow (bare minimum) to make these sites function properly. Personally, I prefer the inconvenience, because as others have stated, many legitimate sites are being used to distribute malicious agents or are being targeted. Not that I'm under any false illusions that my security couldn't be bypassed. One of my instructors provided an eye opening metaphor for how security is currently practices in the business world. I think is speaks volumes for why the only person responsible for your security and privacy is you.

There were two men walking across the Steppes when they stumbled across a lion that had not fed for some time. For the lion, diner had just come knocking. The two men ran for their lives. The slower of the two noticed that the other man was not running at full speed, but kept one step in front and appeared rather undisturbed by the ordeal of being chased by a hungry lion.

"What are you doing?" he asked his partner.

"I am fast," the other partner said, "but not faster than the lion. Still, I don't need to be faster than the lion, only faster than you, my friend."

The point of the metaphor is that these large corporations are content with doing the bare minimum to stay ahead of threats, while being productive. This erroneous logic presumes that attackers will focus predominately on the easier prey, but this doesn't always play out in the real-world. Sticking with this metaphor, lions will coordinate as a groups to go after more dangerous prey that poses a significant threat to their own well-being, such as hippos. It's no different for attackers in the real-world, as they realize you have to take big risks sometimes to get big rewards. Also, like the lions they are going to target larger crowds to increase the chances of success. Where better than twitter or any number of popular web-services. This is same reason why Windows, Java, Flash, etc. are heavily targeted. The interesting thing is that the hypothetical what-if doesn't always match the real-world experience. I know plenty of folks running far lighter setups without noscript that have managed to do as well as I have. More than likely your security setups address threats that are statically improbable and not likely to happen. You need to ask yourself whether or not its worth being prepared anyways. This isn't paranoia, just prudent planning imho. But best practices would also suggest running as light of a setup as possible, since each plug-in, application, etc. that helps to decrease your attack surface area, also increases it by adding new vulnerabilities that can be exploited, etc. It's really about finding the balance you need.

 

Thanks for the input. Even though it is inconvenient at times the majority opinion is that it is worth it.
Regards,
Jerry

 

I think the point is, you're potentially reducing your exposure to malicious scripts. Even if you enable top-level domains, you're still cutting down on the number of scripts being called and ran. You end up enabling only what you need to use each site. And even if sometimes you have to "give up" and temporarily enable all to get content to show, if you only do that for 1 out of 10 pages you're still running far fewer scripts.

 

I'm convinced NS is well worth whatever hassle it may cause.

I can't count the number of times I've went to a new site and saw it needed scripting. Thanks to NS, I was able to pass on executing any unknown code, say thanks but no thanks and no harm came to my PC.

It's not for everyone (as the subject of this thread is questioning) but its ability to protect a user is quite powerful.

 

I agree with bo elam. I trust No Script like nothing else. The first security measure I take after a re-install of Windows, reformatting Windows is installing NS in FF.

Same here.

 

RequestPolicy further increases one's ability to control scripts beyond NoScript by itself because RequestPolicy can control requests per site. I use RequestPolicy 1.0.0b3 in default-allow mode.

 

Actually I'm Using Firefox because of NoScript

 

Thanks, again. I am now convinced.
Regards,
Jerry

 

NoScript won't help you if a domain you trust is is serving you malicious scripts. Further the burden is on you to determine which scripts to trust and which not. You can't know if something is malicious unless you allow it in the first place. That's the downside of it all.

Aside from that you still profit from the XSS filter and other protection features of NoScript, even if you allow scripts. In addition to that I have experienced that many things still work without scripts, which is particularly important if you want to take a first look, or you are just looking for something specific. For example, if I use Google's picture search and navigate to the pages of the results, very often I don't have to allow anything on those websites in order to download the pictures.

The most important thing you have to consider though is the security of your browser and your system. Firefox does not use a multi process sandbox architecture like Chrome. If an attacker compromises the browser through javascript, he own's the entire browser and thus a process on your system which runs at medium integrity level. With Firefox it's a lot easier to compromise both the browser and the system. In Chrome the attacker would just own a tab, which runs at untrusted integrity level and has a lot of additional restrictions on it.

I wouldn't run Firefox because of NoScript. I'd rather say I would certainly refrain from using Firefox, if it weren't for NoScript (and RequestPolicy, Sandboxie etc.), because this browser definitely needs it.

 

To me it's not about security, but all about speed.

I thought that buying a new and fast PC would solve the problem of slow loading webpages, but boy was I wrong. Javascript trackers are truly horrible.

I'm using ScriptKeeper in Opera v12, it really makes quite a difference when it comes to speed.

Actually I'm using two different versions of Opera, one only with Ghostery (doesn't break sites) and the other with Ghostery combined with ScriptKeeper. If I sometimes don't want to deal with broken sites, I use only Ghostery.

 

I'm with Rasheed on this one. I use NoScript with Firefox and if you're surfing the web/researching a topic, you can tab open a lot of websites that are stripped of their scripts and all the other junk that websites carry these days and your computer functions a lot faster than if each of those tabbed websites had included the scripts and had downloaded all those other websites.

Plus, with a lot of webpages that you encounter when you're surfing/researching, all they require is for you to allow or temporarily allow javascript in order for those pages to display their content properly.

But like the OP said, it's only those few sites that you visit regularly that you have to click 'Temporarily allow all this page' several times. Plus, if you're not sandboxed, you could click 'Allow all this page' or 'allow' each item that makes the website function, and that would permanently allow that website to function.

Addtionally, if you're sandboxed and inadvertently allow an adware or maleware site to download, after you empty the sandbox, it will all be wiped away.

 

Actually, the OP(original poster) said many sites. My bad. Although with me, it's only a few sites.

 

Noscript (TH Giorgio) save from Drive-by-Download in 2 steps:

 

From its FAQ:

 

What's the reason for this option not being enabled by default?
Does it weaken your protection in any way by enabling this?

 

I think in general malwares on good sites (still a rare occurrence) are often served from within an iframe, and NoScript has a solution for this, were iframe can be blocked unconditionally, waiting from a click from the user to be unblocked.

It has been a while since I used NoScript... Doesn't support the import of 3rd-parties blacklists, so that even when a user allow all on a page, it will still block whatever is not trusted, i.w. in a blacklist?

 

With malicious and undesirable content being placed in the ads on pages, sites themselves being compromised, malicious or compromised DNS settings in compromised routers, modems, etc, there is no such thing as a site that can be totally trusted. Some form of control over scripts, content, plugins, etc is necessary, either as a browser extension like NoScript or a free-standing application such as Proxomitron. I haven't used NoScript in ages. I don't know how fine grained its whitelisting abilities are or whether individual items like iframes can be allowed once or whitelisted for a specific site or domain without allowing other potentially undesired content. With Java, Flash, iframes, etc, the simplest approach is to block them by default, allow when necessary. On my setup, Proxomitron converts iframes to links. The iframes aren't displayed until I click on them. It's the same with Flash and Java. Neither runs until I click on them.

If you're concerned with being tracked and datamined, those settings will allow 90% of it.

 

In my personal case, I have "ajax.googleapis.com" blacklisted, the only time that I have to allow it is when I upload a file at Virus total. In the case of "google.com", I don't blacklist it but I rarely have to allow it. I allow it when I am searching for something like in YouTube and I want to have suggestions being displayed as I search. For "yimg.com", pages from Yahoo requires it for pictures to be displayed.

Bo

 

Yes, I was shocked to see that some sites still load a bit sluggish even on a new PC.

But this also means that browsers still have difficulty processing lots of script at the same time. On my old PC I would get 100% of CPU usage on certain sites, now I only get 10% usage, still the browser freezes.

So it´s not only about a faster processor, more RAM and a fast HDD/SSD, it´s also about browser design. But don´t get me wrong, I´m not blaming it on the browser, I´m blaming it on webdesigers who are complete idiots.

 

It's far from pretty but you can add your own list by adding it to the Noscript:untrusted parameter in Firefox 'about:config'.