No Script

Discussion in 'other security issues & news' started by JerryM, Mar 5, 2014.

Thread Status:
Not open for further replies.
  1. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    It seems that many safe sites I visit require a couple of clicks to permit their use with No Script. It is a pain, and I am wondering if No Script is really necessary considering I use a good AV and MBAM Pro?

    What are your thoughts on this?

    Thanks,
    Jerry o_O
     
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Hi Jerry, I am a huge believer in NoScript. In the little more than five years that I used NoScript, I haven't seen anything that looks like malware attempting to run while browsing. That's how good the addon is. And I wouldn't trade it for nothing (except Sandboxie).

    Personally, I never felt using the program is a pain like many people say. For the sites that you constantly visit, you can add what you feel is required for the site to work properly to the whitelist, that way you won't have to be bothered with them when you visit the site again. Or you can click "Temporarily allow all this page".

    In my personal case, I don't use a whitelist and only allow what's really necessary like when I want to download something from a site like Rapidshare or if I like to attach something in a post or add a smiley or upload a file at Virus total. After using the program for a while, all things regarding NoScript start making sense, you just need to be patient a little.

    Bo
     
  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,729
    Location:
    localhost
    That's the problem with no script, to view some (many) websites properly you need to allow something and if a good site or linked provider of ads is compromised serving adware/spyware/malware then you are done... ;)

    Malware developers are targeting good websites to serve malware... this was not happening often in the past but a common reality today.

    So what's the point of running noscript if you need to disable it to view websites? Well... I never understood it. LOL
    Best to use other means of control via sandbox, hips and the like...
     
  4. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Fax, when you allow a site, NoScript is not disabled, you are just allowing that particular site to run but Flash, other plugins, Java (if you use Java) are still blocked if you have chosen to do so. I do. NoScript also protects against clickjacking and cross site scripting. In my previous post I mentioned never seeing anything that looks like malware attempting to run while using Firefox, that's a pretty powerful statement and it's due to NoScript.
    http://noscript.net/features

    Bo
     
  5. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    Go to settings and enable Temporarily allow top-level sites by default. Add ajax.googleapis.com, font.googleapis.com, cloudfront.com, google.com and yimg.com to whitelist and 90% of your clicks are gone.
     
  6. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    539
    Location:
    United States
    NoScript is less painful if you are following a routine. I frequent a lot of sites regularly, so I know exactly what to allow (bare minimum) to make these sites function properly. Personally, I prefer the inconvenience, because as others have stated, many legitimate sites are being used to distribute malicious agents or are being targeted. Not that I'm under any false illusions that my security couldn't be bypassed. One of my instructors provided an eye-opening metaphor for how security is currently practiced in the business world. I think it speaks volumes for why the only person responsible for your security and privacy is you.

    There were two men walking across the Steppes when they stumbled across a lion that had not fed for some time. For the lion, dinner had just come knocking. The two men ran for their lives. The slower of the two noticed that the other man was not running at full speed, but kept one step in front and appeared rather undisturbed by the ordeal of being chased by a hungry lion.

    "What are you doing?" he asked his partner.

    "I am fast," the other partner said, "but not faster than the lion. Still, I don't need to be faster than the lion, only faster than you, my friend."


    The point of the metaphor is that these large corporations are content with doing the bare minimum to stay ahead of threats, while being productive. This erroneous logic presumes that attackers will focus predominately on the easier prey, but this doesn't always play out in the real-world. Sticking with this metaphor, lions will coordinate as a group to go after more dangerous prey that poses a significant threat to their own well-being, such as hippos. It's no different for attackers in the real-world, as they realize you have to take big risks sometimes to get big rewards. Also, like the lions they are going to target larger crowds to increase the chances of success. Where better than Twitter or any number of popular web-services. This is the same reason why Windows, Java, Flash, etc. are heavily targeted. The interesting thing is that the hypothetical what-if doesn't always match the real-world experience. I know plenty of folks running far lighter setups without noscript that have managed to do as well as I have. More than likely your security setups address threats that are statistically improbable and not likely to happen. You need to ask yourself whether or not it's worth being prepared anyways. This isn't paranoia, just prudent planning imho. But best practices would also suggest running as light of a setup as possible, since each plug-in, application, etc. that helps to decrease your attack surface area, also increases it by adding new vulnerabilities that can be exploited, etc. It's really about finding the balance you need.
     
  7. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Thanks for the input. Even though it is inconvenient at times the majority opinion is that it is worth it.
    Regards,
    Jerry
     
  8. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    545
    Location:
    USA
    I think the point is, you're potentially reducing your exposure to malicious scripts. Even if you enable top-level domains, you're still cutting down on the number of scripts being called and run. You end up enabling only what you need to use each site. And even if sometimes you have to "give up" and temporarily enable all to get content to show, if you only do that for 1 out of 10 pages you're still running far fewer scripts.
     
  9. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    I'm convinced NS is well worth whatever hassle it may cause.

    I can't count the number of times I've gone to a new site and seen it needed scripting. Thanks to NS, I was able to pass on executing any unknown code, say thanks but no thanks and no harm came to my PC.

    It's not for everyone (as the subject of this thread is questioning) but its ability to protect a user is quite powerful.
     
  10. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    I agree with bo elam. I trust No Script like nothing else. The first security measure I take after a re-install of Windows, reformatting Windows is installing NS in FF.

    Same here.:thumb:
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    RequestPolicy further increases one's ability to control scripts beyond NoScript by itself because RequestPolicy can control requests per site. I use RequestPolicy 1.0.0b3 in default-allow mode.
     
  12. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
    :thumb:
    Actually I'm Using Firefox because of NoScript :)
     
  13. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    Thanks, again. I am now convinced.
    Regards,
    Jerry
     
  14. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    NoScript won't help you if a domain you trust is serving you malicious scripts. Further, the burden is on you to determine which scripts to trust and which not. You can't know if something is malicious unless you allow it in the first place. That's the downside of it all.

    Aside from that you still profit from the XSS filter and other protection features of NoScript, even if you allow scripts. In addition to that I have experienced that many things still work without scripts, which is particularly important if you want to take a first look, or you are just looking for something specific. For example, if I use Google's picture search and navigate to the pages of the results, very often I don't have to allow anything on those websites in order to download the pictures.

    The most important thing you have to consider though is the security of your browser and your system. Firefox does not use a multi process sandbox architecture like Chrome. If an attacker compromises the browser through JavaScript, he owns the entire browser and thus a process on your system which runs at medium integrity level. With Firefox it's a lot easier to compromise both the browser and the system. In Chrome the attacker would just own a tab, which runs at untrusted integrity level and has a lot of additional restrictions on it.

    I wouldn't run Firefox because of NoScript. I'd rather say I would certainly refrain from using Firefox, if it weren't for NoScript (and RequestPolicy, Sandboxie etc.), because this browser definitely needs it.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    To me it's not about security, but all about speed. :)

    I thought that buying a new and fast PC would solve the problem of slow loading webpages, but boy was I wrong. Javascript trackers are truly horrible. o_O

    I'm using ScriptKeeper in Opera v12, it really makes quite a difference when it comes to speed.

    Actually I'm using two different versions of Opera, one only with Ghostery (doesn't break sites) and the other with Ghostery combined with ScriptKeeper. If I sometimes don't want to deal with broken sites, I use only Ghostery.
     
  16. RCGuy

    RCGuy Registered Member

    Joined:
    Aug 7, 2005
    Posts:
    541
    I'm with Rasheed on this one. I use NoScript with Firefox and if you're surfing the web/researching a topic, you can tab open a lot of websites that are stripped of their scripts and all the other junk that websites carry these days and your computer functions a lot faster than if each of those tabbed websites had included the scripts and had downloaded all those other websites.

    Plus, with a lot of webpages that you encounter when you're surfing/researching, all they require is for you to allow or temporarily allow javascript in order for those pages to display their content properly.

    But like the OP said, it's only those few sites that you visit regularly that you have to click 'Temporarily allow all this page' several times. Plus, if you're not sandboxed, you could click 'Allow all this page' or 'allow' each item that makes the website function, and that would permanently allow that website to function.

    Additionally, if you're sandboxed and inadvertently allow an adware or malware site to download, after you empty the sandbox, it will all be wiped away.
     
  17. RCGuy

    RCGuy Registered Member

    Joined:
    Aug 7, 2005
    Posts:
    541
    Actually, the OP (original poster) said many sites. My bad. Although with me, it's only a few sites.
     
    Last edited: Mar 8, 2014
  18. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    658
    Location:
    Italy
    Noscript (TH Giorgio) saves from Drive-by-Download in 2 steps:

    Noscript.JPG

    Noscript1.JPG
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From its FAQ:
     
  20. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    795
    What's the reason for this option not being enabled by default?
    Does it weaken your protection in any way by enabling this?
     
  21. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    747
    Location:
    Canada
    I think in general malware on good sites (still a rare occurrence) is often served from within an iframe, and NoScript has a solution for this, where iframes can be blocked unconditionally, waiting for a click from the user to be unblocked.

    It has been a while since I used NoScript... Doesn't it support the import of 3rd-party blacklists, so that even when a user allows all on a page, it will still block whatever is not trusted, i.e. in a blacklist?
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    With malicious and undesirable content being placed in the ads on pages, sites themselves being compromised, malicious or compromised DNS settings in compromised routers, modems, etc, there is no such thing as a site that can be totally trusted. Some form of control over scripts, content, plugins, etc is necessary, either as a browser extension like NoScript or a free-standing application such as Proxomitron. I haven't used NoScript in ages. I don't know how fine grained its whitelisting abilities are or whether individual items like iframes can be allowed once or whitelisted for a specific site or domain without allowing other potentially undesired content. With Java, Flash, iframes, etc, the simplest approach is to block them by default, allow when necessary. On my setup, Proxomitron converts iframes to links. The iframes aren't displayed until I click on them. It's the same with Flash and Java. Neither runs until I click on them.
    If you're concerned with being tracked and datamined, those settings will allow 90% of it.
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    In my personal case, I have "ajax.googleapis.com" blacklisted, the only time that I have to allow it is when I upload a file at Virus total. In the case of "google.com", I don't blacklist it but I rarely have to allow it. I allow it when I am searching for something like in YouTube and I want to have suggestions being displayed as I search. For "yimg.com", pages from Yahoo require it for pictures to be displayed.

    Bo
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Yes, I was shocked to see that some sites still load a bit sluggish even on a new PC. o_O

    But this also means that browsers still have difficulty processing lots of script at the same time. On my old PC I would get 100% of CPU usage on certain sites, now I only get 10% usage, still the browser freezes.

    So it's not only about a faster processor, more RAM and a fast HDD/SSD, it's also about browser design. But don't get me wrong, I'm not blaming it on the browser, I'm blaming it on web designers who are complete idiots. o_O
     
  25. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    It's far from pretty but you can add your own list by adding it to the Noscript:untrusted parameter in Firefox 'about:config'.
     