Top 10 Firefox extensions to avoid

The message regarding Adblock and Noscript seems to be to get rid of them, the poor litlle dot com boys can't get their crap in, very lame stuff indeed.

And always using that stupid argument; 'without advertising there would not be an internet'

Lamehand

 

At least they're clear about whose interests determined that recommendation.

 

I read this last night before it got posted here by Ron, and almost had to check my calender t see if it was April 1st. Lamehand points out their pathetic and predictable comments over Adblock. But it's their remarks on Noscript I find a worry, particularly this bit of advice.

Change it just a little to see how silly that sounds.
Does locking your car make it safer? Sure. Is it worth the hassle? No. For some reason, paranoia seems to be cool among BMW drivers, but for the most part, it is totally unwarranted unless you own an expensive car.

The only trouble is we know, or at least in Oz, that it's the old family car that is targeted much more than the expensive ones.

[ok, ok, cut me a little poetic license on this one, I'm trying to ram the point home ]

 

I looked it over, along with their list of 20 recommended extensions. Save for one item, not much piqued my interest. And that item is the NoScript opinion.

NoScript makes a somewhat safer browser much safer. I cannot disagree one bit that it takes some time to get NoScript configured (so that websites work correctly.) But to imply it makes minimal impact on safety is, IMO, factually wrong...

 

First they say about NoScript.

(Is it worth the hassle? No. For some reason, paranoia seems to be cool among Web geeks, but for the most part, it is totally unwarranted unless you're sending and receiving sensitive data)

Then this about Greasemonkey.

(It can potentially get you in trouble because it allows JavaScripts written by other people to run in Firefox. If one of those scripts is malicious, your system could be at risk.)

Hello, anybody in lol ?


StevieO

 

I think they are right about Noscript and the paranoia = webgeek. Not in any way what Firefox is about, practically the opposite. That some prefer and feel good about barricading them self is their business, does not belong on a general top xx list that is for sure. Extension ok but have special purpose. When promoted as a must have it is a solution in search of a problem as said here http://adblockplus.org/blog/usability-vs-security

An easy observation to make but they did not check out Adblock Plus very well. Power is on user side with white listing, probably not comforting either - should make most ADMs concentrate on more important things though.

I think there was one Greasemonky script having some security flaws, 2-3 years ago. Was fixed instantly. 1 out of 5000 and nobody should or does care. But as with those who advice to "harden" Firefox they see a scenario where a case can be made. Has nothing to do with reality.

Avoid the buggy ones...

 

Granted, for some people, it still proves valuable. But as a general recommendation for a 'typical user', a good case can be made against using it.

 

I think the question is if it has any relevance at all. It treats javascript/java as a danger we all must protect against. Sooner than later it will go wrong - http://noscript.net/ Has nothing to do with safe surfing - internet and Firefox would be in poor shape if that was the case. I doubt you have gotten malware on computer through Firefox, with or without noscript. You can argue that exploits are being revealed in test labs and occasionally see their way to Secunia, Bugzilla and other places. Sure and there will be more. But not the same as impact on general browsing/security and all must improve on Firefox security or pay the price. Firefox is not IE4! If whatever becomes a problem it will be dealt with by Mozilla and the many people who watch these things. If not project die out very fast.

How to evaluate when scripting is needed?, when it breaks a site? Pain in the butt extension if not used correctly and the way it is being promoted I doubt very much half can manage it. Javascript off as default is more like saying the earth is flat than an extra layer of security - or I stay in bed to avoid being run over by a car.

On that site there is a comment about Firebug being vulnerable and so should not be on top list - better replaced by Noscript or something. Well yes and how many hours went by before it was fixed? Bugs and exploits never go away - Firefox and the better extensions deal with problems.

Anyway, and speaking of where real crap comes from, I find it more interesting Noscript site advertise for SpyFighter - is on Rogue list http://www.spywarewarrior.com/rogue_anti-spyware.htm for delivering Adware among other things...

 

I keep my extensions "Adblock" and "Noscript", I don't listen to everybody's opinion/advice, if I don't see a DECENT explanation.
You are more vulnerable without Noscript than with Noscript. If you don't use Noscript, you better disable Java and JavaScript

 

Hello,

Generally, I loathe these kinds of anti-advice. Instead of explaining the situation to people and leave the choice to them, they hand you a platterful of opinion. Not good.

The proper advice for Noscript should be: can cause problems with certain sites, requires per site handling etc while offering protection against ... Then people can make their own decision whether the tradeoff is worth the sacrifice.

The same applies for all other extensions, save the "spy" ones, which really fall into a different category.

Hell, listening to every piece of advice anyone puts on the net, one should be Anti-Phishing CookieLock Toobar and paying monthly tribute to AOL.

Mrk

 

Erik,

Check out Hyperwords. Decent explanations are available. It is one of the most useful extensions I have ever used, plus the two you also use.

Silver

 

Hopefully you dont mean the old buggy Adblock but the new Adblock Plus.

Well there is enough explanation in the fact you cant show any real life security value coming from Noscript. Not any warranting the claim Im vulnerable because I shake head at your reasoning. You like to feel secure and like to think you have made an extra effort, wants to protect yourself against the unknown - all there is to it. Anyone who does not is in danger - you think people listen when you ignore facts? Your business - just stop the vulnerability for mankind talk, why I dont like the way it is being promoted. Firefox, Opera or IE dont need this, part of paranoia, extreme/nonsense security thinking. Have to give Computerworld that. Normal users have and should not have a clue.

I could go for a little extension I cant remember name of, puts 2 buttons on statusbar. JS and JV I think. Disable/Enable Javascript/Java. No need to expect the worst/unknown.

In case you did not read my link to the blog post go there again. Wize words based on logic and reality. Nobody stops you from building a bunker with a little peek hole of course.

 

Hello,
Noscript is a useful app, if nothing for making the Internet less noisy.
Mrk

 

I rather stay in the bunker,when the ICBM's fly around, no crap on desktop, very nice.

Lamehand

 

I'm still working on my bunker, as long my bunker isn't finished I keep Adblock and Noscript. The security experts told me that FF is safer without Java and JavaScript and Noscript makes it just easier to allow Java(script) or not, depending on the website I'm visiting.
Once my bunker is ready, I might not need Adblock or Noscript anymore.
The only extension I really like is Forecastfox, because it has nothing to do with security.

 

Sorry for the late reply. Yeah I know you are and Im not - but not more vulnerable. Loads of other "hardening" extensions available and tricks to do with Firefox. Just not an extension which should be advertised for like author does him self. Only for bunker builders. Phishing is a real danger and so Opera, IE7 and Firefox now have phishing filters build in. Have to relate risk to real life, Noscript does not.

I think IEs zone policy could be useful in Firefox. Idea is ok, matter of how to implement. Actually it already is in Mozilla/Firefox - look at Policy Manager from 2002 http://piro.sakura.ne.jp/xul/_policymanager.html.en I guess they dumped that because of what is said in blog post, will only be false security/pain for majority. And probably also convinced that Firefox would be safe enough without this, why claim superiority over IE then play copycat when it comes to security? Probably what they have been thinking.

 

I read that several days ago in GRC NewsGroups. I thought it was silly. I only use one of the extensions but it is the reason I use Fx. Without it, I wouldn't bother with Fx. Of course, I am talking about the original extension...the first ....Tabbed Browser Extensions for Fx and Mozilla/Seamonkey. It was TBE that got me hooked on tabbed browsing. But tabbed browsing without TBE is awful. I still use Fx 1.5.0.11 and will not move to 2.0 unless and until Piro finishes writing TBE for 2.0. I have 2.0 on a virtual machine and have TBE working fairly well but not like it works on 1.5. Plus, 2.0 is not to my taste for many reasons. So, I just ignore articles like this usually.

 

Well, TBE as nice and original as it might be, also turns the interest to the real deal with extensions. Avoid those who dont play ball with Firefox. The old Adblock, Forecastfox and even Noscript are all among those which are or have been questionable as being "safe" - safe in the meaning of code flawless coding and interaction with browser. Check out Mozillazine Knowledge base for this. They even keep a list of problematic extensions - sadly it should be more updated and a mile longer. Lots to avoid but then issue is not some made up security weakness but solid browser, no more memory leaks than what is build in etc. etc.

Piro who made TBE also did Policy Manager - nobody else did at the time. If only he had been sucked up by Mozilla team... His early versions of TBE actually did mess up with original code from what I understand and so it got a (very) bad name - distracting the fact extension was ahead of its time and just brilliant. Have you seen the attempts to make Firefox able to have window in window or rather tab in tab? Sorry attempt, try Piros Split browser - now we are talking. He could do wonders with Firefox if he was assimilated! But Tabmix Plus and Firefox itself take care of most needed features today. You have to be very stubborn or look way down the feature list to find something that warrent attitude of not wanting to upgrade. Not upgrading browser is not the most clever move you can make - except compatibility with not supported/broken extensions there are no advantages what so ever with old code.

 

in my experience the opposite is true
as the paranoia neophyte starts to set rules for the commonly visited sites and observes the sheer volume of extraneous javascripts many sites employ that offer them no real utility value, they learn just how much tracking of their habits and client side crapware they are avoiding

it then becomes perfectly acceptable to play the game of how few permissions you need to grant to get the thing to work, they even start to make judgments about temporary and permanent rules.

an educational odyssey with an ever increasing utility value
it becomes an important part of educating the consumer about security decisions and threat vectors
a gateway drug to security

 

This is the key

 

The author of the article seems to agree with Wladimir Palant (developer of Adblock Plus), who has some well-reasoned arguments against a general recommendation for Noscript's use.

Wladimir Palant prefers Firekeeper's approach, rather than Noscript's. (see here)