How many Firefox addons do you use? Which ones?

Discussion in 'polls' started by accessgranted, May 20, 2015.

How many Firefox addons do you use? Which ones?

  1. No addon: 3 vote(s), 2.5%
  2. 1-5 addons: 54 vote(s), 44.6%
  3. 5-10 addons: 35 vote(s), 28.9%
  4. 10+ addons: 29 vote(s), 24.0%

  1. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    @bo elam
    you seem to forget something. a very simple & obvious fact. that, not everyone, not even the geeks and/or tech savvy people like wilders users, got the time to try to figure what to allow among tens of domains to try to unbreak a website just to watch a simple video or login to a website or view/download a document, or to shop online, etc. an average person (including wilders users) browse tens or even hundreds of websites on an ordinary (work) day, most of which you'll never land on again.
    that's way too tiresome, bothersome, time consuming & inefficient. you don't always get to have the time to use common sense during your daily browsing session with so many things to think about and so little time, not in this age.
     
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Hi Davesky, I discovered Sandboxie and NoScript right at about the same time and started using both programs at the same time. Ever since, it is like malware doesn't exist for me. That is despite not using any kind of scanners.

    Before, I used to get infected once or twice a year, every year. And I am not a saint. Even now, I still go to the same sites as when I used to get infected and do the same type of searches that I did before. I can safely say that my browsing habits are probably less safe now than they were 7 years ago.

    Seven years ago I did not stream basketball, baseball live every day or every other day. This is something that I do almost every day now. Last night I watched the Atlanta Hawks beat the Utah Jazz and tomorrow I am looking forward to the Hawks game in Toronto. For an Atlanta fan like me, that's a great game to watch. And I can do it safely and without any kind of worries because I am using NoScript, Adblock Plus and Sandboxie.

    The sites that I use for watching these games are very dangerous when you don't block scripts, use Adblock Plus or browse with Sandboxie. If you go to the site below every other day using Firefox without NoScript and Sandboxie, it's likely that in a matter of a few weeks, you'll get infected. Guaranteed. These sites are loaded with dangerous scripts. In my opinion, these sites are more dangerous than porno.

    http://goatd.net/

    A year or so ago, while showing a friend of mine on his computer how to use one of these sites for watching Barca games, immediately after clicking the link for a game, bang, a fake scanner jumped right in the middle of the screen. His AV didn't cry anything. He is using Sandboxie so there was no problem, but if he had been using NoScript, the fake scanner would not have appeared in the middle of the screen. It's likely NoScript or ABP would have blocked it silently.

    Bo
     
    Last edited: Mar 9, 2016
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Today, you are going to spend more time updating your antivirus and rebooting the PC if necessary than what I'll spend caring for NoScript during the next two months. Believe it or not, that is the truth.

    Bo
     
    Last edited: Mar 9, 2016
  4. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I understand where you're coming from Bo, and I admire your approach. I do use uBlock on Firefox and have WOT and Flagfox. My Firefox is synched though and I tend to use it mostly in Ubuntu. In Windows my default browser is K-Meleon. I believe that there have been unofficial extensions of NoScript for KM. I do also have SpywareBlaster. My ultimate back-up is a Macrium image though. I think I'll be OK without NoScript.
     
  5. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    FWIW, I think HTTPS Everywhere is a "force HTTPS where its developers have found a way to do that without [significant] breakage" approach, and NoScript's feature is a "force HTTPS where I tell you regardless of breakage" approach. I don't think NoScript is the only extension which implements the latter approach, and said approach can be advantageous. You don't have to monitor someone else's set of rules and you decide when it is better to break something than risk running without HTTPS.

    I've used several approaches to force HTTPS over the years. Including NoScript with a force HTTPS list containing hundreds of sites. I'm quite certain that forcing HTTPS has never caused an IP ban. I think the issue you ran into is a rare one.

    Using a self-maintained force HTTPS list is normally rather easy. You can get an initial feel for whether a site will tolerate a force simply by entering via an HTTPS URL. Is there an HTTPS server? Does it redirect to HTTP or fail certificate checks? Are links to other pages at the site showing HTTPS? Do you see any secondary requests at the site that are HTTP? If you want to give it a try, set up a force and then test more carefully. If there is intolerable breakage, just back out the site(s) you added or add an exception.

    That is "too complicated" for some, and if a user is truly stuck on an ISP account that prohibits IP address changes they might want to think twice. Most shouldn't be scared away though.

    Edit: BTW, if a FF user wants to look for prospects, note the sites in the SiteSecurityServiceState.txt file in your profile.
     
    Last edited: Mar 9, 2016
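The checks TheWindBringeth lists above (a redirect back to HTTP, links still pointing at HTTP, secondary HTTP requests) can be run over a saved copy of a page before a site goes on a force-HTTPS list. This is an added example, not part of any post in the thread; the host names, sample HTML and the redirect-chain format are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute causes a secondary request when the page loads.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class _Collector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.subresources, self.links = base_url, [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(urljoin(self.base_url, attrs["href"]))
        elif tag in SUBRESOURCE_ATTRS and attrs.get(SUBRESOURCE_ATTRS[tag]):
            self.subresources.append(urljoin(self.base_url, attrs[SUBRESOURCE_ATTRS[tag]]))

def audit_page(base_url, html):
    """Return (HTTP subresources, same-host HTTP links) found in the page."""
    c = _Collector(base_url)
    c.feed(html)
    host = urlsplit(base_url).hostname
    sub = [u for u in c.subresources if urlsplit(u).scheme == "http"]
    links = [u for u in c.links
             if urlsplit(u).scheme == "http" and urlsplit(u).hostname == host]
    return sub, links

def downgrades(redirect_chain):
    """redirect_chain is [(url, Location header or None), ...]; list https -> http hops."""
    return [(src, dst) for src, dst in redirect_chain
            if dst and urlsplit(src).scheme == "https"
            and urlsplit(urljoin(src, dst)).scheme == "http"]

def verdict(base_url, html, redirect_chain):
    sub, links = audit_page(base_url, html)
    if downgrades(redirect_chain):
        return "back out: server redirects HTTPS to HTTP"
    if sub or links:
        return "test carefully: HTTP references remain"
    return "good candidate for the force list"

# Constructed sample: a page fetched over HTTPS that still references HTTP.
SAMPLE_HTML = """<html><head><script src="/app.js"></script>
<link rel="stylesheet" href="//static.example/x.css"></head><body>
<img src="http://cdn.example/logo.png">
<a href="/login">Login</a> <a href="http://shop.example/cart">Cart</a>
<a href="http://other.example/">Partner</a></body></html>"""
# Constructed redirect chain in which the server bounces back to HTTP.
SAMPLE_CHAIN = [("https://shop.example/", "/home"),
                ("https://shop.example/home", "http://shop.example/home"),
                ("http://shop.example/home", None)]

if __name__ == "__main__":
    print(audit_page("https://shop.example/", SAMPLE_HTML))
    print(verdict("https://shop.example/", SAMPLE_HTML, SAMPLE_CHAIN))
```

Links to other hosts are ignored on purpose, since a force rule for one site does not apply to them.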
  6. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I only tried to force HTTPS with NoScript on two sites as an experiment. The second one broke the Internet lol! Luckily the company in question have good customer policies and I got an email at 11pm (GMT) from them informing me they'd fixed the problem and unbanned my IP. It's the last time I'll use NoScript for anything. I've uninstalled it and I feel liberated for it. ;)
     
  7. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    181
    Location:
    Metropolis
    Thanks @bo elam that was very helpful!
    What was the site's purpose for the other URLs you don't need? Will other parts of Tinypic.com which are not related to uploading pics be missing?
    So even though this site is dangerous and loads 7 bad scripts it's still a legitimate trustworthy site?
    Who would be responsible for hypothetically infecting me from this site? The website itself or simply another site user who can hack? Would you say uBlock Origin is comparable to ABP?

    Lastly, when I visit a site for the 1st time w/ NoScript, all scripts are blocked by default, correct? So if a site works or is able to do whatever it is I'm intending it to do while all the scripts are blocked can I simply leave it as is?
     
    Last edited: Mar 9, 2016
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I am glad it was, Brosephine. :)
    I read post 107 when you first wrote it, then later you edited it to add what I am quoting above. This part of your post clearly shows NoScript is starting to make sense in your head.

    And you are correct, all scripts are blocked by default. And yes, if all you need to do in a site can be done without allowing scripts, you can leave it like that. That's exactly what I do. And for sites that I visit regularly, I only allow the scripts that are required for me to do what I do on these sites. Nothing more, nothing less.
    In tiny pic, trackers and ad servers.

    Q2. If the sole purpose for me going to tiny pic is to upload pictures, then the only scripts I'll allow there are the ones that are required for me to be able to do that. As far as I am concerned, I am not missing anything by not allowing any scripts that are not required for uploading pictures.
    For me the site is not dangerous, I am using NoScript. NoScript tames the site. Go back to the picture of the streaming site, the seven sites listed on the left side of the NoScript menu with the "Allow" next to the name are domains that I black listed. They are in my Untrusted list. By adding these domains to my Untrusted list, they are forbidden from loading scripts anywhere, even when I click to Temporarily allow a site they are not going to run. Black listing nasty domains, trackers, ad servers is important.

    Thanks to NoScript, only the three domains that are required to watch games run when I use the site. But if I visited the site without NoScript, nothing gets blocked. All scripts run and this is a dangerous site. Also the site can be annoying and confusing. NoScript cleans the garbage, ads and confusing messages, messages that suggest you install applications (malware) for watching games, content. These applications are unnecessary and they probably are malware.

    Let's take a look at a few of the domains that I black list, and did not run when I streamed the game. If you middle click a domain listed in the NoScript menu, you'll get a page like the one below. These information pages can give you a rough idea about how bad or good a domain is.
    https://noscript.net/about/tradeadexchange.com;tradeadexchange.com

    I am not a WOT fan, but this is what WOT says about these 4 domains that were in my black list when I streamed the game.
    https://www.mywot.com/en/scorecard/tradeadexchange.com
    https://www.mywot.com/en/scorecard/oclaserver.com
    https://www.mywot.com/en/scorecard/directrev.com
    https://www.mywot.com/en/scorecard/popads.net

    Bo
     
  9. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Bo, thanks for checking! But please go into Help > troubleshooting (or about:support) and look at the section titled "extensions". Do you not see "Firefox Hello Beta" there with "true" under "Enabled"?
     
  10. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    WOT is a bit useless, especially because Firefox already uses a Disconnect filter list + Google's list, which makes (except for some cookie-related things) WOT and Ghostery pretty useless. WOT also confuses more people than it helps, and the Disconnect list simply blocks stuff instead of notifying (sure, there is also the red banner), but I guess reputation-wise it's more helpful for beginners. I think most people disable it on problematic pages because it possibly ends up causing problems, and this should not be the goal of using such addons.

    About HTTPS/NoScript: forcing HTTPS has also been possible for I don't know how many years within Firefox's about:config, but then you have to work with a whitelist, which is then a little bit easier to handle via HTTPS-E or NoScript.

    Most addons/extensions are not really 'necessary' privacy-wise, and people often re-spell that you 'need' them even though FF has handled it for years, but I do agree, as mentioned, that the GUI is a little bit easier than the about:config mess.
     
  11. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    So, you are saying we can handle it (forcing https) via about:config. If so, please share it. I am very much interested..
     
  12. quatbox

    quatbox Registered Member

    Joined:
    Mar 10, 2016
    Posts:
    2
    New member here. I came here for the "Sandboxie VS VirtualBox" thread but this thread really piqued my interest, especially regarding NoScript.

    My understanding is that NoScript will have several hurdles to cross with Firefox's decision to replace the XPCOM API with its WebExtensions replacement in the forthcoming Electrolysis project (http://arstechnica.com/information-...refox-add-ons-move-to-chrome-like-extensions/). Does anyone know how/if NoScript will adapt to this change? It sounds like there will be workarounds until 18 months or so after the stable release of Electrolysis, which will be included in Firefox 46 next month (https://wiki.mozilla.org/Electrolysis#Schedule).

    Now, back to the topic of NoScript usage. I used it for several years, taking a very conservative approach. I kept almost everything except my most commonly-visited high-level domains blacklisted. Only domains like google.com, amazon.com, etc. would make it to my whitelist. When I visited a lesser-used site that I needed to whitelist, I would do so temporarily. I did this with an abundance of caution, knowing that any site could unknowingly serve up malicious scripts, even from its own domain. This made normal browsing quite a hassle. My initial approach was to whitelist each domain one at a time (picking the most obvious ones first), check if I could view the desired content, and then re-blacklist that domain when the desired content didn't load. For many sites (like the aforementioned huffingtonpost.com), whitelisting a single domain would reveal several others that remained blacklisted. Oftentimes my initial "one at a time" approach didn't work because it was necessary to complete a multi-step whitelisting process to allow the multiple domains that were necessary to view a single video.

    Eventually I got fed up with Firefox/NoScript and switched to Chrome with uBlock Origin. I know this doesn't have any script-blocking per se, but I haven't had any malware issues.

    Which brings me to the topic of security in general. I've never had a virus or serious malware infection, based on scanning via MBAM and highly rated security software (currently ESET). Which makes me wonder if suffering through NoScript's constant temporary whitelisting was worth it.

    Which then brings me to the question of whether or not my system might have been compromised without me even knowing it. This kind of circular thinking keeps me up at night. (kidding)

    And what are people's opinions about NoScript vs uMatrix? I used uMatrix for a while in Chrome and find it unbelievably confusing. I think I need to become a web developer to understand everything it offers.

    Anyway, thanks to everyone who has contributed to this thread so far (especially bo elam, imdb, and Daveski17). I look forward to reading more. I have a lot to learn.
     
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Vasa, the Hello icon is nowhere to be found and if I click to Start a conversation in Tools, nothing happens but Hello is listed in my about:support under Extensions.

    Bo
     
  15. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Okay, then we're on the same page. My point is that I can't get the Hello extension to be "false" under "Enabled" in the about:support page. I wasn't concerned about the icon. I got rid of that (and Pocket) a long time ago.
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Yes, we are. Good eye, Vasa :cool:. I toggled a few preferences in about:config but nothing changes.

    Bo
     
  18. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Okay. You got me. But that is only because of a RAM leak that affects my system at the moment so rebooting can be needed :D though updates are done automatically :p
     
  19. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    I see the same as both of you. And Hello Beta is not listed among the other add-ons in the normal add-ons list. Wonder if it really is enabled or if it just says "enabled / true" in about:support. Couldn't they have implemented it properly in a normal visible way so users can understand whether it is enabled or disabled, and not sneak it in like this.
     
  20. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Very possible it is a placeholder for now, but it still says "enabled / true" in about:support, and enabled or not - doing it like this is a great way to confuse users at least.
     
  21. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    @vasa1 @bo elam I was thinking and wanted to try something despite what Brummelchen talked about here about not screwing around with this function in CCleaner: https://www.wilderssecurity.com/threads/ccleaner-v5.370654/page-8#post-2562203

    Before I opened CCleaner I was totally sure that CCleaner probably wasn't going to pick it up and display "Firefox Hello Beta" at all in the list, but.....

    [Attached image: a2.JPG]

    So I disabled it in CCleaner. Then started up Firefox and went straight into about:support to check.....

    [Attached image: b.JPG]

    What a surprise. It now says "false" at least, but whether it actually is totally disabled now and/or recommended to do it via CCleaner is another question.
     
    Last edited: Mar 11, 2016
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    :thumb: Great find! I don't want Firefox Hello anything in my browser.
     
  23. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    @SweX, thanks for taking a look. I'm on Linux and so no CCleaner for me. The pesky Hello xpi file itself is here: /path/to/firefox/browser/features/loop@mozilla.org.xpi. Someone who filed a bug about how Hello couldn't be removed, not just disabled, warns against deleting this file because then all updates will be full rather than differential: https://bugzilla.mozilla.org/show_bug.cgi?id=1251846#c0
     
  24. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    did you guys try to set "loop.enabled" to false in about:config?
     
  25. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Yes, that one as well as loop.textChat.enabled;false
     