No Script

Discussion in 'other security issues & news' started by JerryM, Mar 5, 2014.

Thread Status:
Not open for further replies.
  1. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    Ok, I have to confess that I actually do :shifty:
     
  2. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Why is it when installing NoScript it says (author not verified)
    but when I install Adblock Plus it states the author?

    Both installed at addons.mozilla.org
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Hi Compu KTed, I goggled a little about this after reading your post. It seems most Firefox addons don't verify the author. The main reason for not doing it being the cost. It seems NoScripi has been this way since around the middle of last year.

    Bo
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    There''s a lot of factors involved that matter as much or more than the PC specs, browser, and internet speed.

    Web pages are assembled from multiple sources. Even if you don't count the ads, the page layout or structure can come from one server and the content from another. Images and other page content can come from yet another server. One part uses a script to fetch another. That next part might use a script to fetch more content. Depending on the page setup, content can end up being fetched in specific sequences with server loads and network delays for the individual components adding together. Scripts can stall waiting for a response or the receipt of one component before fetching the next. Add in the ads, trackers, etc doing the same things, with the same issues. A single website can end up making over 50 connections. Delayed or failed responses to any of them can slow or stop a page from loading properly. On top of this, there's whatever anti-tracking or ad blocking measures on the users machine and the methods each part uses.
    Example using a webpage with a link to Google:
    If I block connections to "google.com" with a hosts file entry, the browser returns page unavailable for that link almost immediately and the rest of the page loads fast. If the link is removed by a filtering proxy, the page loads even faster. If I block Google's IP range with a firewall entry, the browser will wait for a response on that link until it times out and the page takes a long time to finish.

    More often than not, the problem isn't the speed that the content is rendered. It's the speed that the content is fetched and total amount of time the browser is waiting for all of the content.
     
  5. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Thanks Bo. I don't know if Mozilla's rapid release cycle or NoScript being updated
    more frequently than other addons has anything to do with (author not verified). You mentioned cost. The last time I used Request Policy the author was verified.
    Adblock Plus which is a popular addon was also verified.
     
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    I looked around in Giorgio's forum but couldn't find anything about this. I had never noticed this thing but after reading your post, I installed NoScript in a different Firefox profile and saw "Author not verified". Its how it is. Don't worry about it.

    Bo
     
  7. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Update on Request Policy. Just went to see what would happen if I try to install
    Request Policy. Also tried NoScript with Pale Moon browser. Same results on both addons.

    Not to concerned because I run a virtualized system and sandboxed browser. Empty sandbox
    on close of browser session.
    Request Policy.jpg
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks for the insight, however the slowdown that I´m talking about is clearly caused by scripts being too "heavy", you can clearly see that browsers need quite a lot of CPU time, while loading all these scripts. Examples: Facebook, Twitter, Dell.com, to me they are all crappy designed websites. :gack:
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I visit a few sites that load extremely slow and use 100% of the processor while they do. I don't think it's caused by scripts running in the browser. Proxomitron blocks those scripts. The main TorStatus page is like that for me. As far as I can tell, the problem is waiting for content. Does TorStatus show the same behavior on yours as the sites you mentioned? I don't use Facebook or Twitter. Their IP ranges, along with those of Google are blocked at the firewall for everything but Tor. Unless I disable the blocking rules, I can't visit any of them without going through Tor. I'll definitely agree with you regarding crappy websites. It seems that they're more concerned with appearing "modern" and using effects than they are with delivering the content in decent time.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes exactly, my motto is: keep it simple stupid. :)

    Just to clarify, I´m not saying that scripts are the ONLY reason that browsers sometimes use the CPU extensively. I know lots of websites that are slow to load while scripting is disabled. And if a browser is just waiting for content, it shouldn´t even use the CPU, because there´s nothing to process, I suppose. ;)

    Also, I´m not an expert in website design, but I noticed that for example a site like VKontakte (Russia´s Facebook) is loading a lot smoother and quicker than Facebook and Twitter. So it´s clearly designed differently, perhaps less (or more optimized) scripts, or something like that.

    An example (Selena Gomez):

    vk.com/id112985556
     
  11. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    I think it is more a difference in philosophy versus style. Europe seems much more committed to respecting peoples privacy.

    Here in the USA in my opinion advertisers and sites are uniting to make it extremely difficult to use the web without allowing a lot of things that one used to be able disable.

    Here is the sad reality for me. I always install No Script, and then I find that almost no page I visit will run.

    In the good old days I would just say 'Allow this Site', or 'Trust this site' whatever the wording was, for the usual sites that I visited. They were not all even effected by having no script running. It actually made browsing faster because a lot of glitzy, annoying, and time consuming stuff did not load.

    Today, as usual, I have it deactivated. There are virtually no sites that will run with No Script installed. Between that, and the necessity for JAVA, and ActiveX, requirements for cookies, I feel like you simply can't have safe settings anymore, and still be able to use the web.

    I am not aware of having any malware installed as a result. On the other hand sites and advertisers don't have to install malware because they force me to allow their bad behavior by seemingly locking out people that don't permit bad behavior.

    My vote: It used to be my very favorite plugin. Now I have given up on it.

    -HandsOff
     
  12. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    556
    Location:
    USA
    It's the nature of the internet these days. It used to be that most sites were isolated, and if you wanted to see content you had to visit a site directly. Now, more and more content is set up to be embedded and aggregated into other sites. More scripts need to run from more domains; it's often not enough to allow the site's chief domain. Even images can get their own domains.

    I don't think they're uniting with the advertisers; it's that content is increasingly being treated like ads, separated in the page structure.
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Between Proxomitron and Request Policy, I see very little unwanted content. That said, on many sites I have to whitelist specific individual scripts, objects, content, etc and allow certain connections to other servers via Request Policy. On the sites I frequent it's not a problem. On new sites, I frequently have to decide what needs to be allowed to get the page displayed properly. Most of the time it's fairly obvious but not always. Sometimes I have to go through the page a couple times, but in the end I don't have to see any Like or Tweet buttons, no Google content, almost no ads, and no iFrames or flash content except those I specifically click on. I don't know how my setup compares to NoScript in regards to fine grained control over whitelisting individual scripts and other items. With desired content and ads being treated in a very similar manner, you pretty much need fine grained control if you want to see clean pages and still kill the trackers. I suspect that one of the biggest problems people have with NoScript, Proxomitron, Request Policy, and similar tools is the user interaction needed to get the pages right.
     
  14. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California

    I see what you are saying, but it seems but I don't see why so many of the links have to be so cryptic. It would be nice to know what job a script is handling. Also, sometimes a site won't run if I have No Script installed, even if it is deactivated. I have to actually remove it before a page will run. Sort of makes you wonder if we are just being pushed away from a good security tool.
     
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Hi HandOff, I don't feel like that at all. I can do most of the things that I want to do in most sites without having to allow scripts. If we take Wilders as an example, the only time that I allow scripts here is if I want to add a smiley or an attachment in a post. If I am making a post and I am not doing any of that, I don't allow scripts here. On this site you could also allow scripts when you login, that saves you one step but I am so used to login into sites without allowing scripts, that I just don't do it.

    Bo
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You can click your middle mouse button when the mouse pointer is over a given domain to get more info on it. Or you can search for it at http://website.informer.com.
     
  17. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Thanks for the last to comments-

    I actually feel bad about relating my experience because I really liked using No Script in the past. But lately even if I tell it to allow everything on the page, or even deactivate the plugin and then restart the browser sometimes a page just won't work until I actually remove the plugin. Am I the only one that has had that experience?
     
  18. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    I've encountered that issue myself with certain parts of SUSE Studio. It doesn't seem very widespread though.
     
  19. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    When you click a few times to Temporarily allow a webpage and you still can not accomplish successfully certain function in a site, it could be because you need to allow scripts that you have "Untrusted". The solution is to Allow for good or to Allow temporarily scripts from that site.

    Bo
     
  20. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    That hasn't worked for me. Is it impossible that a site could detect that you have No Script, and block you for that reason? It sounds extreme, but if the derive benefit from tracking you, or recording what ever info, then they may have incentive to want users to stop using No Script.

    I never had to delve deeply into no script works, but in the past it was by far the most effective way to block really irritating behavior of sites. And I do know when you deactivate No Script you have the option to leave certain protections in place. This makes me wonder if when I deactivate it, it leaves some protections in place regardless of intent. Nothing short of removal allows me access to some sites. There is something bad about that. I'm glad I am not the only one who has dealt with this. Since I stopped using it I can't supply specific examples, but I hope someone can explain what is going on.

    Still puzzled, I am trying to compare this to messages from sites that say they have detected that I don't have a necessary plugin required by a site. Now, No Script is listed as an add-on, but still there are add ons like Grease Monkey that presumably are detected by pages that use them. Perhaps by making a call to the add on to handle a script. This is total speculation from someone that knows nothing about the way web pages work, so try not to flame me for making a wild guess, but could a page make a call for an add on supposedly to handle a script or to check its version number for the sole purpose of seeing if the computer accessing the site possesses and add on?

    What exactly can a site determine about the O/S, Browser, and Plugin/add ons/extensions. Will a browser explicitly supply version information? Sorry about having to ask such an ignorant question.



    -HandsOff
     
    Last edited: Apr 5, 2014
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  22. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Mr. Brian-

    I hate when my worst case scenarios are open secrets!

    Doesn't Firefox think that it might compromise your user experience, much less you security if a web page is able to determine what plugins you are using? My anti-virus has a plugin for its web content protection. If I understand it, a webpage can identify my antivirus that way?

    Now I will say that the information was a bit old and maybe Firefox has addressed this issue. There was a statement on Jeremiah Grossman's page (at the top of it, actually) saying: "I know what plugins you have" Originally, so he says, a list of all your plugins would be displayed on the right. It says further down that the script was removed because it messed up IE. First of all, who cares if it messes up IE. Secondly, IE should not be effected, I would think because the script would either return negative results, or a gatekeeper could easily be put in place to detect if IE was the brower, and then skip all the Firefox protections. Thirdly, he could have put a link to run the detection and clearly state do not use if you run IE. Anyway, what's the worst that could happen? You have to restart your browser?

    I'd really like to know if what he said in 2006 was true, and is true today.

    If anyone happens to know of a site that does this detection and displays the results please let me know!
    (Oh, wait, further down in the comments to the blog someone says:

    MTec89 said...

    this doesn't work any more. JS Error Console marks all references to chrome:// as security risk and is disabled.

    Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) Gecko/2009060308 Ubuntu/9.04 (jaunty) Firefox/3.0.11
    June 30, 2009 at 3:49 PM )

    So I'm back to just suspecting it can be done. I see no other explanation for a page not loading unless No Script is actually completely removed! Unless some undetected maleware has been installed.


    BTW your link linked to this, but to make it easier for others here is the URL: http://jeremiahgrossman.blogspot.com/2006/08/i-know-what-youve-got-firefox.html

    -HandsOff
     
    Last edited: Apr 5, 2014
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  25. HandsOff

    HandsOff Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    1,946
    Location:
    Bay Area, California
    Thanks for the info. I am checking it out now!

    Is the difference easy to define?

    ===========

    https://panopticlick
    Was considered an unsafe site by my AV

    https://wiki.mozilla.org/Fingerprinting
    It appears that this has only been (mostly) fixed since FF v28 (the current version of Firefox) I say mostly because they excepted Quicktime, Flash, and a couple others that websites have a reason to check for.

    ===========

    I decided to re-install No Script and give it another try. Perhaps it will work better now!

    -HandsOff
     
    Last edited: Apr 5, 2014
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.