Firefox NoScript Tutorial

Discussion in 'other anti-malware software' started by TheKid7, Mar 10, 2011.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    Does anyone know of a good Firefox NoScript Tutorial? I have tried NoScript before, but it seems to be frustrating to use. Please share any tips for making surfing the web with Firefox NoScript a Safe and Enjoyable Experience.

    Thanks in Advance.
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    You have to allow scripts per domain, so it's always a hassle to use in the beginning until you've build a decent whitelist. However it is also possible to allow all scripts globally and then you'll still have a more secure browser than without NoScript.
     
  3. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    How would the web browser be more secure if you allow all scripts globally?
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    http://hackademix.net/2010/08/01/al_9x-was-right-my-router-is-safe/
     
  5. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
  6. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    We had a recent discussion with some strategies put forward in this thread: https://www.wilderssecurity.com/showthread.php?t=293545 starting at about post #18...

    This is also worth reading: http://www.dedoimedo.com/computers/noscript-use.html
     
  7. Francis93

    Francis93 Registered Member

    Joined:
    Feb 1, 2011
    Posts:
    311
    It would be dangerous if you allow scripts globally. I would set "Allow all this page" to my trusted websites, and forbid all other websites by default.
     
  8. sweater

    sweater Registered Member

    Joined:
    Jun 24, 2005
    Posts:
    1,674
    Location:
    Philippines, the Political Dynasty Capital of the
    I just manually allow trusted sites. :cool:
     
  9. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    my tips would be to uninstall the bloody nuisance.
    you can thank me later. ;)
     
  10. tlu

    tlu Guest

    If you can tell what is wrong with what I wrote here, I will accept your statement. If you can't, your remark is simply irrelevant.
     
  11. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    there is nothing wrong with what you wrote.

    it's your opinion, i have mine.

    that's all.
     
  12. tlu

    tlu Guest

    Fair enough. But a bit contextual supplementation would be nice ;)
     
  13. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    247
    --Nice read there. Thanks. I too am contemplating to allow scripts globally (though am jittery here...) because sometimes (sometimes when in a hurry...)to allow it manually is annoying. I experimented turning NoScript off and just use Avast's Script shield in the meantime. Loads faster and smoother (in SBIE) but still observing. Will also try with Avast's own sandbox later this week.
     
  14. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    Allowing scripts globally is OK, if you consider the main risks coming from embedded objects (Flash/Java/Other plugins etc.) and XSS/Clickjacking/CRSF/MITM deception type attacks rather than delivered through Javascript.

    As you're running SBIE, using NoScript for controlling Javascript and embedded objects is probably a moot point anyway! I use SBIE as well and run NoScript more for its awareness of deception/spoofing techniques (XSS/Clickjacking/CRSF etc.) and the blocking of third-party scripting which is mostly advertising and tracking.

    As an cheap hardening technique, if you're wanting to allow scripts globally, you could implement an anti-executable with SRP/Applocker. This will stop virtually all Javascript delivered malware (that normally tries to download and run a file on your system) even if SBIE fails...
     
  15. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    there is no need for Java or JavaScript and other scripting to run for every site out there. Matter of principle
     
  16. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Here's my tutorial:
    If you sandbox your browser and/or whitelist your system, remove unless sensitive about privacy and/or has old hardware that can't support scripts efficiently.
     
  17. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,716
    I support this statement. Do yourself a favor and begin with building the white-list for sites that you frequent. Just open up in tabs those sites as you often go to (try to think of them right now) and if need be, even those that you visit once in a while. It won't be easy and might take you a few days...or even weeks. Go easy and browse along like you normally do...patience is the keyword here. Make sure to white-list only those specific individual domains that the sites need to work. You might even want to blacklist a few certain domains. (e.g. ad/tracker domains usually). Backup your config. This is very important...otherwise, you end up losing your time and manual work for nothing.

    When things seem to go wrong and you can't figure out which domains to white-list on a particular site, choose to "Allow all this page". Again, keep a backup of your new config (and don't delete the older one).

    When you're finding NoScript a nuisance, a pain in the neck, bothersome, etc etc, then try going with the setting "Temporarily allow top-level sites by default" checked. This is a compromise but with far fewer manual input (having to white-list each and every single domain can be tiring if you're not the type who have a strict browsing "pattern" and keep on venturing/stumbling onto new sites) IMO, this is a fair setting especially for those who practice safe surfing in general (let's not get into the "no sites are safe" argument/debate here) but don't have the willingness to build a white-list.

    If things reach to the point where you feel tired/sick of NoScript, to the point of uninstalling it, then choose to just "Allow all Scripts Globally". Forget those statements that advises you against the idea. It's natural for NoScript users to tell you that because either they're not comfortable with the notion or think that it's counter-productive/self-defeating. While they're right in their own ways, I think a bit of flexibility is needed. The thing is you need time to regain patience and motivation to work things out at such moments and having to restrain yourself listening to advices by those hardcore NoScript users won't do you any good. To the contrary, you might end up hating NoScript to the max and swear that you'll never ever use it again. Or spread word around as to how idiotic NoScript is. That's not the objective here, isn't it? :p

    Whichever option you go with, you can't possibly end up with anything worse than a vanilla Firefox without NoScript. Just keep remembering that and you'll see no fuss.
     
Thread Status:
Not open for further replies.