NoScript silently inserts ad whitelists into Adblock Plus

Discussion in 'other security issues & news' started by Eice, May 2, 2009.

Thread Status:
Not open for further replies.
  1. kriebly

    kriebly Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    41
    Location:
    Northern California
    Turning on auto-updating in your browser and in Adobe Flash Player are the most important things to do, but the Flash player checks a maximum of once every 7 days (and configuring that is annoying). There have been Flash-based trojans (or are they considered viruses...?), so I would think a few days is too long to wait.

    Using AdblockPlus + Flashblock is what I generally recommend to Firefox users to reduce their risks, with NoScript in place of Flashblock (or use Flashblock and turn off flash-control in NoScript) for those who don't mind regularly tweaking stuff while they surf.

    Regarding the inappropriate meddling by NoScript, the author did apologize, which carries a lot of weight with me. That combined with my prior years of use of the plugin make me willing to give the author another chance.
     
  2. Dogbiscuit

    Dogbiscuit Guest

    Yes, NoScript can protect a browser or browser plug-in from being compromised by malware exploiting a zero-day or even a publicly unknown vulnerability. (But against known bugs you have patched, there is nothing for NoScript to do.)

    Some people think disabling scripts and plug-ins by default is not worth the extra security against the zero-day and publicly unknown exploits that NoScript provides, since, for most home users who use a little bit of caution and regularly patch, the window of opportunity for encountering malware that exploits a zero-day or even publicly unknown 'drive-by' flaw in the browser or a browser plug-in is probably very narrow (i.e., if you don't open unsafe email attachments, you need to deliberately go to the malware through your browser to get infected).

    Scenario A
    1) a legitimate site can be hacked (for how many hours or days?) with a
    2) zero-day 'drive-by' flaw in a browser or browser plug-in that is not yet fixed (for days or even weeks),
    3) both happening on the same day(s) on the same site

    The greater someone sees the chance of all three of the above occurring simultaneously (and the length of time it can happen), the greater they will see the need for disabling scripts and plug-ins for their security, IMO.

    Scenario B
    You want the option of visiting an unfamiliar site and leaving without enabling scripts and plug-ins because you suspect something could be amiss and accessing the information isn't that important to you in the first place.
    How often does someone visit a site, that exploits a (relatively rare) zero-day or publicly unknown drive-by vulnerability in a browser or browser plug-in, but not want to view the content if you need javascript or some plug-in enabled? To the extent you think that happens and you do this, is the extent to which you will find NoScript useful I think.


    Scenario C
    You don't need all the scripts or plug-ins on the site enabled in order to access the content.
    NoScript can protect you in this scenario, I agree. To me though, requiring the malicious script or vulnerable plug-in in order to access the content would be the thing to do if you really wanted to lure someone to a site and attack their system through a zero-day or publicly unknown bug, and for that NoScript can't help much.


    Giorgio and Vladimir have not been shy about their differences of opinion on the usefulness of NoScript for security, in addition to some of Giorgio's mercenary tendencies.
     
    Last edited by a moderator: May 6, 2009
  3. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    By itself, NoScript is a flawed implementation of security at best. In the context of the Firefox browser as a whole, however, there is unfortunately some justification for NoScript's existence, i.e. the non-stop security holes that NoScript claims to be able to plug, and the lack of a proper security mechanism such as Chrome's sandbox or IE's Protected Mode.

    Until Mozilla can get its act together with regard to security, NoScript is likely to continue to be a necessary evil for many.
     
  4. Steven Avery

    Steven Avery Registered Member

    Joined:
    Nov 13, 2007
    Posts:
    112
    Hi Folks,

    Nice explanation, Dogbiscuit. I use NoScript for B and C. If it is a marginal site (e.g. something from a google search that is only mediocre on my smell test .. say a gaming site that has a utility software referenced on Major Geeks) whether I can see it well or not, NoScript then seems to be very good .. I simply do not allow any of the scripts. If I miss a lot of the site, then I catch what I can .. and say goodbye. Also, those little extensions with preview pics can be of some help as well to get a feel for a site ahead of time, right now I don't have any loaded though.

    Granted, as you point out, all this does not help on zero-day exploits on trusted sites, for that you have good tools like disk imaging and XP reinstall :) . And sandboxes and rollbacks and such for those who like that stuff.

    Similarly with WebOfTrust I have to go through some hoops to get to the button to allow, and sometimes they red-code sites I feel are safe for my purposes. So I have a few seconds of contemplation while I try to work the override. (The button ends up under some toolbar so I end up going F11.) So personal tweaking of NoScript or Web of Trust usage is par for the course.

    Overall, I think that Vladimir, on this topic of comparative security, was only looking for the negatives, and was reluctant to allow that NoScript is, even today, serving certain functions well.

    However, Giorgio had so many far superior attempts. Private discussions about his EasyList problems, a public webpage describing his frustrations with EasyList and by extension AdBlock. And then an opt-in to override Ad-block for his sites. (I am still unclear as to whether it is right to say that AdBlock's code was overwritten, or its Easylist-sourced blocklist. There is a distinction.) Giorgio's model of ad-revenue always puts him in an awkward spot and he took some of the worst paths.

    One irony in all this is the lack of discussion about the ads in general, which was my emphasis with Giorgio. Can you do something about the junque scam-ads ? And he was generally quite helpful and responsive (I would feed him a bunch of urls and he would try the google-block and even send me back the current list and wait for any more.) Thus I tend to be sympathetic some, as I know Giorgio cares, with action, about ad quality more than most who have ads. So I tend to take a wait-and-see on all this.

    (Giorgio was also level-headed helpful when I raised the issue at Mozillazine, when some others were going haywire, since Mozillazine already had a block implementation. One or two gave me flak, Giorgio was simply helpful, and then I wrote him about the google-ads on his site. And Mozillazine mods then encouraged the actions more properly.)

    Oh, another purpose of NoScript is you see who is ad-stat-whatever-script-crazy. It is interesting to see one site with just one script and then the next site has scripts from eight different kludges.

    Shalom,
    Steven Avery
     
    Last edited: May 5, 2009
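The distinction Steven Avery raises above, between Adblock Plus's code being changed and the user's filter set being changed, can be checked from the filter side. What follows is an added example in JavaScript, not code from this thread, from NoScript or from Adblock Plus: a small audit of an ABP-style filter set that flags exception rules (the "@@" rules) that no subscribed list accounts for, and says whether each one whitelists a whole page or cancels a domain block a subscribed list contains. Every rule, list name and host below is constructed for illustration.

```javascript
// Added example, not code from the thread, from NoScript or from Adblock Plus:
// audit an Adblock Plus-style filter set for exception ("whitelist") rules
// that no subscribed filter list accounts for, i.e. rules some other
// component injected into the user's filters.
// ABP syntax used here: "||host^" blocks a domain, a leading "@@" makes a
// rule an exception, and "$document" whitelists a whole page on that host.
// Every rule and list name below is constructed for illustration.

const SUBSCRIBED = new Map([
  ["sample-list (constructed)", [
    "! comment line, ignored",
    "||ads.example-network.invalid^",
    "||tracker.example-stats.invalid^$third-party",
    "@@||cdn.example-good.invalid^$script",
  ]],
]);

// What the profile actually contains after some add-on has touched it.
const EFFECTIVE_FILTERS = [
  "||ads.example-network.invalid^",
  "||tracker.example-stats.invalid^$third-party",
  "@@||cdn.example-good.invalid^$script",
  "@@||ads.example-network.invalid^$document",     // injected (constructed)
  "@@||some-addon-homepage.invalid^$document",     // injected (constructed)
  "||evil.example-malware.invalid^",               // added, but not an exception
];

// Split one filter line into its parts. Regex filters (/.../) are not handled.
function parseFilter(line) {
  const text = line.trim();
  if (!text || text.startsWith("!") || text.startsWith("[")) return null;
  const exception = text.startsWith("@@");
  const body = exception ? text.slice(2) : text;
  const dollar = body.lastIndexOf("$");
  const pattern = dollar === -1 ? body : body.slice(0, dollar);
  const options = dollar === -1 ? [] : body.slice(dollar + 1).split(",").map((o) => o.trim());
  const m = /^\|\|([^/^*]+)\^?/.exec(pattern);
  return { raw: text, exception, pattern, options, domain: m ? m[1].toLowerCase() : null };
}

// Canonical form so that option order does not defeat the comparison.
function normalize(line) {
  const f = parseFilter(line);
  if (!f) return null;
  const opts = [...f.options].sort().join(",");
  return `${f.exception ? "@@" : ""}${f.pattern}${opts ? "$" + opts : ""}`;
}

// Exception rules present in `effective` that no subscribed list contains.
// Each finding notes whether it whitelists a whole page and whether it
// overrides a domain that a subscribed list blocks.
function findForeignExceptions(effective, subscribed) {
  const known = new Set();
  const blockedDomains = new Set();
  for (const rules of subscribed.values()) {
    for (const r of rules) {
      const n = normalize(r);
      if (n === null) continue;
      known.add(n);
      const f = parseFilter(r);
      if (!f.exception && f.domain) blockedDomains.add(f.domain);
    }
  }
  const findings = [];
  for (const line of effective) {
    const f = parseFilter(line);
    if (!f || !f.exception || known.has(normalize(line))) continue;
    findings.push({
      rule: f.raw,
      domain: f.domain,
      wholePage: f.options.includes("document"),
      overridesSubscribedBlock: f.domain !== null && blockedDomains.has(f.domain),
    });
  }
  return findings;
}

function main() {
  for (const f of findForeignExceptions(EFFECTIVE_FILTERS, SUBSCRIBED)) {
    console.log(`${f.rule}  whole-page=${f.wholePage}  overrides-subscribed-block=${f.overridesSubscribedBlock}`);
  }
}
main();
```

Run with node; the two injected rules are reported, the first of them flagged as cancelling a block that the subscribed list supplies. The point of the normalize step is that a rule rewritten with its options in a different order is still the same rule, so it is not reported as foreign.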
  5. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Having read Giorgio's post, I'm satisfied. He knows he did wrong, he explained how he got there, and said it won't happen again. We're all human.

    I'm not removing one or the other, and keep using them as always. In ABP's case, I've never subscribed to any lists, so whatever.
     
  6. tlu

    tlu Guest

    Sigh. Another example of your unsubstantiated statements about FF.

    1. Protected mode is only available in Vista and above. If you want it for FF it can be easily implemented. There are numerous how-tos available.
    2. Since I'm using LUA/SRP (which is still the best method to make Windows secure) I don't care if FF has Protected Mode or not.

    And regarding Noscript: It's a matter of fact that most security issues in all browsers have been related to Javascript/Jscript/ActiveX but also to leaks in various plugins (Java, Flash etc.). That's why it makes very much sense to block them by default. Whitelisting your trusted sites is a breeze - it will be remembered by Noscript till eternity.
     
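An added example in JavaScript, not NoScript's own code, of the default-deny script policy with a remembered whitelist that tlu describes. The hosts and script URLs are assumed for illustration. It shows the matching rule a whitelist has to get right: an entry for example.com should cover that host and its subdomains but not a host that merely ends in the same characters, and scripts a trusted page pulls from a third-party origin still need an entry of their own.

```javascript
// Added example, not NoScript's own code: a default-deny script policy with a
// whitelist of trusted sites. Hosts and URLs below are assumed for illustration.

// Whitelist entries are hostnames; an entry covers that host and its subdomains.
const TRUSTED = new Set(["example.com", "static.example-cdn.invalid"]);

// Correct matcher: exact host, or a subdomain of the entry.
function hostMatches(host, entry) {
  const h = host.toLowerCase();
  const e = entry.toLowerCase();
  return h === e || h.endsWith("." + e);
}

// The classic mistake: a plain suffix test. "notexample.com" ends with
// "example.com", so an attacker-controlled host would be whitelisted.
function naiveHostMatches(host, entry) {
  return host.toLowerCase().endsWith(entry.toLowerCase());
}

// Default deny: a script runs only if its source host matches a whitelist entry.
// Anything without a real host (data:, javascript:, unparsable) is denied.
function isAllowed(scriptUrl, whitelist, matcher = hostMatches) {
  let host;
  try {
    host = new URL(scriptUrl).hostname;
  } catch {
    return false;
  }
  if (!host) return false;
  for (const entry of whitelist) {
    if (matcher(host, entry)) return true;
  }
  return false;
}

// Evaluate every script a page wants to load. Trusting the page's own site does
// not trust the third-party origins it embeds; each needs its own entry.
function evaluatePage(scriptUrls, whitelist, matcher = hostMatches) {
  const allowed = [];
  const blocked = [];
  for (const url of scriptUrls) {
    (isAllowed(url, whitelist, matcher) ? allowed : blocked).push(url);
  }
  return { allowed, blocked };
}

// The whitelist is remembered: serialise to JSON, reload into a Set.
function saveWhitelist(whitelist) {
  return JSON.stringify([...whitelist].sort());
}
function loadWhitelist(json) {
  return new Set(JSON.parse(json).map((h) => String(h).toLowerCase()));
}

// Constructed sample: a page on www.example.com pulling scripts from several sources.
const SAMPLE_SCRIPTS = [
  "https://www.example.com/site.js",
  "https://static.example-cdn.invalid/lib.js",
  "https://stats.example-tracker.invalid/t.js",
  "https://notexample.com/evil.js",
  "data:text/javascript,alert(1)",
];

function main() {
  const result = evaluatePage(SAMPLE_SCRIPTS, TRUSTED);
  console.log("allowed:", result.allowed);
  console.log("blocked:", result.blocked);
  const restored = loadWhitelist(saveWhitelist(TRUSTED));
  console.log("restored whitelist:", [...restored]);
}
main();
```

With the correct matcher the page's own script and the trusted CDN load, while the tracker, the look-alike host and the data: URL are blocked; swapping in naiveHostMatches lets notexample.com through, which is the bug the dot-prefixed comparison exists to prevent.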
  7. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Nothing unsubstantiated about it. I was simply talking about the situation at present that continues to lead users to consider NoScript as necessary. The constant security holes and lack of general awareness of Vista's ACL function allow NoScript's scare tactic campaign to continue.

    That is, until you consider that Chrome and IE8 have found much more user-friendly ways of implementing security than to blacklist the entire Internet by default. But I suppose NoScript is the "best" option Firefox users will get for the time being...
     
  8. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    I was so focussed on what Giorgio was doing/had done I missed this little tidbit:
    from the Reg:
    http://www.theregister.co.uk/2009/05/04/firefox_extension_wars/

    Not sure who started it, but impressed with GM's apologies and his quick, excellent rejig of NoScript.
    I think he is well aware of how he has damaged the cloak of integrity @mozilla and alienated many users.
     
  9. tlu

    tlu Guest

    I agree. Giorgio's very long and detailed post where he apologizes again can be found here.
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
  11. tlu

    tlu Guest

  12. DOSawaits

    DOSawaits Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    469
    Location:
    Belgium
    I think we should offer Giorgio some gold medal for being so euhm, open.
     
  13. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Somewhat abrasive and slightly unkind viewpoint re ..hhmm..many many issues:
    Pocket protectors at 20 paces, gentlemen.
    Wait till you see the whites of their eyes..FIRE.
    Stereotype city..
    http://www.theregister.co.uk/2009/05/11/dziuba_firefox_extensions/

    If I had written some utility that had 50 mill dls: I'd prolly be quite pleased and wish for 1$ per ;)
    The author of that article lives here:
    http://milo.com/
    NoScript and AdBlock "interfere" with general biz of that page. LOL.
     
    Last edited: May 12, 2009