Do most people on Wilders still use a Script Blocker?

Discussion in 'other anti-malware software' started by gugarci, Oct 1, 2015.

  1. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    NoScript+Disconnect+uBlock+ HTTPS Everywhere+BetterPrivacy+

    and...

    uMatrix+Disconnect+uBlock+ HTTPS Everywhere+BetterPrivacy

    Tried NS with RequestPolicy but found the combo too cumbersome. I've used NS for 1+ years & uMatrix for a few months - i didn't find either one very difficult to pickup - just browse the FAQs first. i have found uMatrix less likely to break a site, but takes longer to fix when it does... NS has XSS, clearclick, etc... For usability i could make an argument either way - for security, i don't know
     
  2. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    The default install settings of uMatrix allow all 1st-party which makes it in general easier than NoScript on an unknown site with scripts. With NS you will have to whitelist more often.

    I agree with your comment too about it taking longer to whitelist in uMatrix 3rd-party than NS. For 2 reasons. One is the blacklisting hosts files. And the other is the scope concept of uMatrix. NS whitelists the domains globally, so often the 3rd party is already whitelisted. It is possible to do also with uMatrix. But more natural to allow 3rd-party to a scope. uBlock Origin is much easier to whitelist globally than with uMatrix UI.

    This as a wishlist feature to gorhill. The 3rd-party domain selectors in uMatrix could be divided into global and local whitelisting, they are wide and that concept could be easy understood. No idea how easy that would be to implement. When newcomers try to make global rules with the top left cell, they can often mess their uMatrix rules quite badly when not remembering to set it back to domain scopes.

    Those are good rules to fall back that Brummelchen has in the post below. Except I would block plugins in Chrome with the 'Let me choose when to run plugin content' browser setting rather than with uMatrix. Easier that way in my opinion to allow what is just needed and no more. The third party plugins will still be blocked by uMatrix.

    EDIT:
    For security when running Firefox I would most likely use NoScript in allow mood to have the extra protection of those things you mentioned together with uMatrix or uBlock Origin in medium mode. However because of the rules restricted to first party scope, uMatrix is by default safer at least with privacy regard than NS. Plus you can block with it also 1st-party cookies.
     
    Last edited: Oct 4, 2015
  3. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,001
    I've never used a script blocker and probably never will. I've never felt the need to use one.
     
  4. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,972
    uBlock contains such control like RequestPolicy, same for Disconnect. and https everywhere i no guarantee for a save site, it only offers an ssl/tls connection if server offers. if you want ssl try https for the website directly no with tricks. most websites which offer ssl for purpose detours from http to https them-self. if you can use https adjust your bookmarks, any other is self-deception. if you want more granular control install uMatrix beside uBlock.
    the major current problem for httpS is the ssl control within antivirus-software versus firefox. the injected cert from av-software is in most cases not valid. this issue is discussed more than once here and nearly all av-software is vulnerable, more vulnerable than firefox. and firefox broke with several free certs since its revised cert policy.

    concerning NoScript/ABE and some other features - maybe effective but to complicated for real usage, far away from click and set.
    ofc it does
    maybe this results in a vs b extension but for true there are differences between those extension which can be measured. the major problem for adblock (plus) is the heavy waste of memory, ublock dont. the basic security from umatrix is much more than noscript whithout spending any click about as Jarmo also mentioned

    @rm22 same advice for you drop Disconnect and get more familiar with the u-series.
    i dont think so, for me it was easier to determine missing elements as with noscript - due the "matrix"
    but for sure you can set defaults within uMatrix in the beginning
    xhr = popups, other = misc content like video/audio in most cases.
    for subdomains you can use "inherit"
    (the block events are not really necessary because the general * * * block rule but it helps to understand)
    if you you want to deny popups by default set xhr to block.

    thee is one simple way to determine blocked content which is needed, see picture here
    https://github.com/gorhill/uMatrix/wiki/Very-bare-walkthrough-for-first-time-users
    if number is > 1 then its a needed content, any other is a one-time shot for ads or other crap
    sometimes ajax.googleapis.com or apis.-google-com are needed - for eg drop down menus

    blacklisted domains are found in the internal hosts file (in uMatrix and uBlock, enable in uMatrix, disable in uBlock if both installed)
    https://en.wikipedia.org/wiki/Hosts_(file)

    i had also some problems when using uMatrix the first time - although i knew it from my early chrome steps. meanwhile i am on a deny/allow policy and ofc this makes more work to me.

    uBlock has some really nice new feature since its latest beta - it can block scripts by content - although other scripts are allowed. *awesome*
    read here for infos
    http://forums.mozillazine.org/viewtopic.php?p=14351075#p14351075

    back to topic
    my experience outside forums is complete different, the majority i know use some adblocker but no script blocker. i can understand that. at first it needs attention for some people its waste of time and the rest of their security concept is proper enough to catch failures. they dont care about exploit kits in memory. more extensions makes the browser more slowly, thats another fact.

    but like the thread with installed security software you can read here that people have installed redundant extensions. but its like all security software: more does not protect more.
    you can filter websites to death.

    btw Disconnect and Ghostery are phoning home either you want or not. they collect anonymous data and sell it to 3rd party to optimize their technics and portfolio. this is the price for more "privacy".

    Cheers
     
  5. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,158
    Location:
    Slovakia
    Same here, creating custom rules is just as bothersome as creating rules for a firewall, too much work, too little security in return. Just not worth it.
     
  6. monkeylove

    monkeylove Registered Member

    Joined:
    Dec 10, 2013
    Posts:
    115
    NoScript with top-level sites temporarily allowed, Origin uBlock, Cookie Controller, UA Control.
     
  7. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,972
    if you prefer wrong site creating :p
    au contraire - changing the UA would point you out of the masses
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,895
    Actually uMatrix isn't more difficult. You don't have to whitelist one cell after the other but you can use it similar to Noscript. It's explained on this HTTP Switchboard wiki site and it's still relevant to uMatrix.
     
  9. monkeylove

    monkeylove Registered Member

    Joined:
    Dec 10, 2013
    Posts:
    115
    I use it with the others to decrease the browser fingerprint following Panopticlick.
     
  10. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    9,565
    Location:
    Lloegyr
    OK, thanks. I'll have to experiment. :thumb:
     
  11. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,972
    Panopticlick is futile. most servers dont care about you, but some use other methods to determine who you are.
    its not "i have something/nothing to hide", but UA changer is pretty pointless.

    HTH
     
  12. monkeylove

    monkeylove Registered Member

    Joined:
    Dec 10, 2013
    Posts:
    115
    They don't care but will use other methods. That sounds like a contradiction to me.
     
  13. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,895
    Disconnect is completely superfluous as uBlock Origin also offers the Disconnect filterlists. Alternatively you can also manually add them to uMatrix:
    Code:
    https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
    https://s3.amazonaws.com/lists.disconnect.me/simple_malware.txt
    https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
    https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
     
  14. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    864
    Location:
    Canada
    Read the whole thread and I am surprised at how it appears few use uBlock Origin itself to block scripts -- many report using uBlock Origin, but along NoScript (I have even seen ScriptSafe mentioned elsewhere). There is no need to go full uMatrix to control scripts on a page.

    If someone was asking me an alternative to NoScript, my first recommendation would not be uMatrix but rather uBlock Origin in advanced user mode -- you immediately gain point-and-click per-scope script unblocking layered on top of a generic blocker (EasyList + EasyPrivacy).

    Anyway, that's how I am currently blocking scripts, all 3rd-party scripts (and 3rd-party frame) are blocked by default.
     
  15. gugarci

    gugarci Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    288
    Location:
    Jersey
    Thanks for the reply gorhill. I was playing around with those settings earlier today.
     
  16. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,972
    idd. thats why i recommend umatrix for the more granular filtering - and it makes filtering for me more easy by clicking into the matrix.
    i think its possible to block same granular in ublock, i never did in "my rules"

    would that be possible in uBlock?
    Code:
    www.wilderssecurity.com google.com 3p-script block
    www.wilderssecurity.com bing.com 3p-script allow
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,385
    Location:
    Slovenia
    Yes it is possible to configure it that way.
     
  18. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I just basically mostly use local noop rules using the UI. But this tells different: https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-rule-syntax
    The line:
     
  19. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,385
    Location:
    Slovenia
    Last edited: Oct 6, 2015
  20. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    864
    Location:
    Canada
    No, it would have to be:

    Code:
    www.wilderssecurity.com google.com * block
    www.wilderssecurity.com bing.com * noop
     
  21. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    @Brummelchen I know uBlock Origin has simular functionalities as RequestPolicy, but I can never get used to the way uBlock works. Making it "default deny" is way easier on RP then UB. I tried uMatrix too and no matter what I did, it would always allow scripts and images, and I had to first enter a website so that I could then block what I wanted.

    I use https mainly because of their observatory. The second reason is that it's easier to establish https connections to webistes that provide such.
     
    Last edited: Oct 7, 2015
  22. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,051
    yes.
    I use ublock origin.
     
  23. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    • * * * block
    • * * cookie block
    • * * css allow
    • * * doc allow
    • * * frame block
    • * * image block
    • * * script block
    • * 1st-party * allow
    • * 1st-party frame allow

    The above settings are quite paranoid restrictive. Much of the practical usability of browsing is destroyed. To go that far why not remove also the global 1st-party frame allow rule.

    If you want to allow 1st-party images, add * 1st-party image allow rule. And for scripts * 1st-party script allow.

    For anyone reading this post, you can play with your settings in Sandboxie without messing your real install rules. They will be temporary and gone after the sandbox is deleted.
     
    Last edited: Oct 6, 2015
  24. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    @Jarmo P Again, no matter what I did, it would always allow first (not mattering if it's first party or not) and then I'd have to block everything, piece by piece (having to obviously let uMatrix allow everything first). That's why I use RP nowadays, because it blocks everything by default (as long as you remove the "International" checkmark the first time RP starts).
     
  25. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    With the above rules, you won't see any images or scripts allowed. No avatars for instance in wilders.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.