What is your security setup these days?

Let me add something about NoScript, Safeguy. I have been using both programs, NoScript and SBIE for the same amount of time. One came before the other, a few days or a couple of weeks, something like that. Ever since I have been using both programs, I have never seen anything with an strange name attempting to run while running a sandboxed Firefox. In other words, NoScript is blocking the hell out of all the bad potential stuff in all the sites that I visit. That credit belongs to NoScript, not SBIE.

Bo

 

....and quietly.

Bo

 

Really nice image of Giorgio Maone by the way. So that is where he pictures himself.

Your evidence dating back from 2008 is so impressive. I am afraid I am not going to win this discussion with you, so no use arguing any further on this topic either.

 

Oh crap. I wasn't expecting such a tone in a reply, least from you WS. I wasn't even arguing...merely pointing out something that I thought you might have missed. Does it matter if it's from 2008 or 2014? What about facts that are established in historical context years back...should we just dismiss them thanks to the number of years? I didn't know evidence can be "outdated" if that was what you were trying to imply.

For goodness sake, does discussion have to be about who can win over another? Damn it...I got reminded of why I haven't post in such a long time. You win.

 

Good Evening! Re-installed newest version of G-Data I.S.2015... 25.0.2.2...released in August...much lighter than previous version...So far Super Sicherheit! In tandem with AppGuard and MBAM Premium...super solid Trio! Sincerely...Securon

 

Well, apologize for that, I did not want to start a discussion how JIT compilers sanatize javascript. Since the Nozzle studies of Microsoft every javascript engine sanatizes codes. Even Firefox has some of those mechanisms now. Read this https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-stock.pdf let me quote something to make this clear.

And yes you will find post of PoC's bypassing Chrome's XSS Auditor, here is one to get the NoScript fan's going: http://blog.elevenpaths.com/2014/01/how-to-bypass-antixss-filter-in-chrome.html

Since mainstream browsers copied NoScript ideas way back, does an XSS auditor bypass prove that NoScript would have passed that? I dare to doubt that. For those not convinced there is uMatrix on Chrome, even the easier uBlock (from the same author) offers an easy non intrusive way to block third party iframes and scripts.

 

Well, now we are discussing.

I agree that browsers have kept up but their implementation will always priotitize usability for the masses. With NoScript, Maone is able to put security before usability and thus update its working methods to fix known bypasses earlier.

Even if we disregard or disagree on that, you cannot deny NoScript itself goes beyond anti-XSS protection.

https://noscript.net/features

What if I wish to control which scripts are allowed to run while I am using Firefox? I can't achieve that with Sandboxie alone. That is not disputable.

Same goes for Chrome. You won't say Chrome's sandbox (or it's anti-XSS) diminishes the value of add-ons by gorhill. Do everyone need them? Hardly. But is there value to NoScript and uMatrix? U bet....sandbox or no sandbox.

 

This is something that I feel good doing, like here. Out of 12 sites, only three load scripts, the ones to the right with the "Forbid", the nine sites to the left, don't load scripts and are not needed to watch the game.

Bo

 

Added Sandboxie to the mix. So now it's NVT.exe - SRP - W7 FW - Sandboxie - Private Tunnel VPN.
Browser Addons - AdGuard - uBlock
Everything for OD Scans.

 

Nines to the left featuring ad127m http://www.fixyourbrowser.com/removal-instructions/remove-s-ad127m-com-pop-removal-instruction/ but then you had SBIE when allowing this.

 

You don't understand NoScript, the nine sites to the left are blocked from loading scripts. The ones with "Allow" next to them, are sites that not only are blocked from loading scripts, they are sites that I added to my untrusted list. The only way ad127m will load scripts is if I click to temporarily allow it or to allow it.

Bo

 

Well, for members who are scared by BO's "thou shall block all scripts" wondering whether they should add some scripting protection, there is an easy to use adblocker like uBlock which also stops XSS examples at http://www.google.com/about/appsecurity/learning/xss/ without the hassle of enabling individual websites or scripts, see pic

 

Hassle, What hassle? Blacklisting sites with NoScript is done quickly and its easy to do. I enjoy setting up sites like the one in the picture. You do it once and forget about it. It feels good after doing it.

One good things about using NoScript along Sandboxie is that if you discover a new site that runs scripts from, for example, 20 sites, you can practice setting up the site while running sandboxed. After figuring out the sites that have to be allowed for you to be able to do what you want to do in the new site, then either you set the site up unsandboxed or in a sandbox where you allow NoScript to save settings out of the sandbox (I do the latter).

Kees, if you were a Firefox user, you would know that setting up sites with NoScript is easy. All the complains that we read about it makes me smile because all things related to NoScript make sense. People that complain about NoScript is because they want to know everything about the program in one day. In my personal case, NoScript was easy from day one and I am convinced that was so because I took a no nonsense approach to it. Doing it that way, after a while, all things related to using the program started making sense.

Bo

 

I dont block all scripts, I allow any and all scripts that are required for me to do what I want to do in any site. I only block whats not necessary.

Bo

 

Blocking all third-party scripts is not much of a useful feature. There are so many websites which need third-party scripts to function properly. On the other hand it's exactly those sites, which pack a ton of useless and potentially harmful third-party scripts as well, hence allowing all third-party scripts doesn't make much sense either. That's why you need more granular script control, IF you want to use script control at all. Either do it like bo elam or not at all.

 

The feature being talked here about uBlock is called Dynamic Filtering.
Quote pulled from uBlock Wiki -

I think this situation can easily be overcome, by white-listing 3rd party cell of that particular website. And the unwanted 3rd party resources will still be blocked by its pattern filtering engine. (aka ABP like rules. It supports ABP lists + host based files)
See this extension as ABP + Overly simplified noScript/uMatrix.

And for people wanting more granualar control on what to allow and what not to allow. Gorhill created uMatrix. See this as more like NoScript + Request Policy from firefox.

With these two extensions, i finally made a switch from hardcore Firefox user(ABP+noScript) to Chrome (uBlock+uMatrix) user. , which i thought it would never happen.

FYI, Here is a quick screenshot of wccftech site and how the requests can be viewed on both uMatrix Vs noScript

 

harsha_mic, your screenshot reveals some of the things why I have found uMatrix being a far superior blocker to NoScript. There is a 1st-party rule you have made to wcccftech.com domain. You are still able to block flexibly what you want in that rule. And you can add 3rd party subrules to that domain.You could have added a domain like ajax.googleapis.com instead that script and the effect would have been the same, in this case.

NoScript can do those things only with temporary permissions. All scopes in NS are global, there are no 1st-party and subrules for 3rd-party. In uMatrix you can safely allow all the 3rd parties, like say facebook.com, twitter.com, google.com and those allowances are still only valid for this site wccftech.com only. Of course global rules can be made same as with NS too if one wants to do so.

uMatrix has also blocklists. And many more things that NS don't have are of course hidden from that picture.

So, thank you for posting that screenshot for spreading the knowledge you and me already know.

Edit:
I don't have those *. prefixes on my matrix view, so I have no idea what they mean. I am using rule making on domain scopes, not global or www scopes. So what I saied applies to my uMatrix setup.

 

Jarmo P, You are welcome.
Yes, the screen shot does not show the features such as UA Spoofing/Refferer Spoofing/Referrer Control (which resides in 3 dots menu), helps in privacy front. Ofcourse, which you already know

 

So what are you doing with the time you saved other wise used for micro managing Noscript?

 

Well my lack of NO probably results in a nonsense approach using scripts, it is a small consolation that the majority of internet users do the same.

 

haha
I had skipped micro managing the things my making Noscript auto trust TLD. I think have selected 3rd option for that, not remember the exact option on top of my mind. This way i had to whitelist only few depandancies. However they are whitelisted globally

 

DefenseWall + Shadow Defender + Macrium Reflect
Simple - Solid - Secure

 

Router & Windows 7 firewall
Chrome Safe Browsing, uBlock, uMatrix and PrivacyChoice Opt Out for tracking prevention
AVG Linkscanner, javascript whitelisted for .com, .org, .edu, .net, travel and co.uk
Voodoo Shield
AppGuard
WinPatrol Plus
MBAE (beta)
Zemana Anti-Logger (free)
EEK, Herd Protect, Norton Power Eraser, SAS, Kaspersky TDSSKiller, ADWCleaner, Detekt - on demand scanners
Virustotal Uploader

I'm looking to add WinPrivacy to try anyway soon.

 

G Data Internet Security...2015...

 

uBlock with uMatrix, NVT Exe Radar pro and Hitman pro Alert with AX64 time machine regular backups with Image for Windows Monthly backups.

This combination i believe is lightest and most secure setup i have used. Best of all, easy to use once rules in uMatrix and ERP are setup, with NO dependency on signature updates or realtime AV. Occasional scans with Hitman pro and Mbam on demand but they never find anything. Not even a cookie thanks to uMatrix. Sandboxie and Appguard are also my most recommended security applications.

regards.