NoScript Plugin

Discussion in 'other anti-malware software' started by TomAZ, Sep 3, 2012.

Thread Status:
Not open for further replies.
  1. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,002
    Location:
    USA
    Is the anyway to use NoScript "comfortably" and effectively (in Firefox) without it being so terribly annoying?
     
  2. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,124
    Location:
    Pennsylvania.
    Yup have a good white list :)
     
  3. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
    Education :p
     
  4. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    221
    I globally allow scripts and kill scripts on pages I often visit. Speeds pages up. Pretty much everything else is enforced. Clickjack, XSS, ABE etc.

    For banking...whitelist.


    You could run allow .com and block everything else.
     
  5. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    Most of the time you only have to whitelist the first domain on the list. How can that be annoying? You can also set useless tracking crap scripts on untrusted to make your life easier when you need to whitelist domains.
     
  6. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,965
    Location:
    Parallel Universe
    Exactly.
     
  7. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,002
    Location:
    USA
    Thanks to all for the input and comments. I guess the "annoying" part comes particularly for a new user -- it's a little confusing. When you get the "Forbidden Scripts and Objects" notice at the bottom of your screen, do you need to take action or is that just sort of an FYI? If action is required, how do you know which option to choose? And, if you don't take some sort of action, will the functionality of that site be impaired?


    Also, for online banking, is it best to simply to Whitelist the site (as mention by Sordid)?
     
    Last edited: Sep 3, 2012
  8. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    In my opinion, liking NoScript develops with time, the longer you use it, the more you ll understand it and like it. In a way, I am lucky because I liked NoScript from day one even though I did not understand it well.

    You ask, " how do you know which option to choose? And, if you don't take some sort of action, will the functionality of that site be impaired?". If you go to a site that doesn't require you to allow anything more than whats already allowed by default, then don't allow nothing but if you go to a site that needs Flash, for example, then click on allow temporarily so Flash gets allowed on that site.

    Trial and error is the key with this wonderful program. Personally, I love NoScript, its the main reason why I use Firefox. If you take your time to learn it, you ll like it too when things begin to make sense.

    Bo
     
  10. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    one of our member here (tlu) has made a 'blacklist' (Untrusted) that is very useful to cut down on the numbers of items shown.
    here:
    https://www.wilderssecurity.com/showpost.php?p=2083653&postcount=125

    i like to add manually to this list by checking the reputations of site with NoScript.

    pretty good things to do since i've seen sites with up to 30 third party scripts trying to load.
    when you have too much stuff showing it's hard to tell what is what. ;)

    i like to keep my whitelist to a minimum and allow temporarily instead.
    but everyone has their own method.

    for beginners:
    make sure that you check all the boxes in the "Additional restrictions" in the Embeddings tab.
    also check the "Forbid WebGL" which is not checked by default.

    pretty soon, you will know what needs to be allowed and what deserves to end up on your blacklist.

    i'm one of those who hated NoScript for years until one day i gave it a proper try.
     
  11. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    221
    NoScript blocks JS. The notification is telling you it has made a block. This is often as overwhelming amounts of sites use JS.

    I assume NS has global block on, so just turn the annoying notifications OFF.

    Pages will often break...why I globally allow scripts and blacklist. Much higher risk but great usage.

    But for banking, I go the inverse and an isolated portable browser. Only allowing scripts from my bank. So my bank would need to get jacked and embed malware. Most banks have 100% guarantee cash back, and it would be clearly their fault. Low risk, high usage IMO. Somewhat redundant since the browser is already isolated. Only tab open is banking.

    If you are looking for secure banking, consider using a clean image virtual machine along with RSA or rather two-point verification. You can also create a guest account with some banks. This is a lower admin account access. So even if your password is discovered, less damage can occur.
     
  12. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,002
    Location:
    USA
    A lot of good info from everyone.

    Being new to all of this, I am a little curious about this Untrusted "blacklist" - so a couple questions:

    1) What exactly is it supposed to do?

    2) After opening the link and reading it, I still wasn't exactly sure how to "install" it. Any additional help would be appreciated.

    3) If I were to use it and decided I no longer wanted it, how do you get rid of it?
     
  13. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    it help unclutter the list of scripts shown.
    like i said, some site can have lots 3rd party scripts that wants to load.
    blacklisting the cr*p cuts down the list to something manageable.

    in Noscript go to Options. there is an Import button at the bottom.

    Export you current settings (before you Import as in step 2 above).
    then you can reload it if you want.

    you could also manually Allow back in the stuff that is Untrusted.
    but it was 'blacklisted' for a reason. ;)
     
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    Nice description of what the Blacklist does.

    http://noscript.net/features#blacklist

    Before you install Tlus blacklist, go to NoScript and save a copy of your settings by clicking Export. Save a copy of the text file. Afterward, copy and paste Tlus blacklist over yours and click import.

    Bo
     
  15. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,002
    Location:
    USA
    Thanks Bo, for the additional Blacklist info. Does this list in any way cut down of the functionality of sites?

    Do you all use this Blacklist -- or do you create your own as you go?
     
    Last edited: Sep 3, 2012
  16. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    No,

    it keeps privacy trackers away.

    anyway, you don't have to use the blacklist at first if you don't want to.
    you can create you own as you go by marking them as Untrusted.

    get your feet wet a little and experiment.
     
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    In my opinion, none.

    Bo
     
  18. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,002
    Location:
    USA
    Just wondering if you, Bo and Sordid use the Blacklist?

    Also, does the Reset button in Embeddings reset the Default Embeddings settings?
     
    Last edited: Sep 3, 2012
  19. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i do, but i've added stuff as i go along and i keep adding stuff once in awhile.
     
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    I am using the blacklist but is not something that is required for NoScript to do its job. Google some of the names on that list and you ll see why is benefitial to use it.

    By the way, in my opinion, Sordid gave you good advice when he suggested to disable notifications. I have been doing that since about day one. If you like to do it, go to options and under notifications, tick off "Show messages about blocked scripts".

    Bo
     
  21. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,002
    Location:
    USA
    One other observation. . .

    I run Firefox sandboxed (Sandboxie). The load time is already slower than using FF unsandboxed. However, I've noticed that since adding NoScript, the load time seems to be even slower. Would that be normal?
     
  22. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    All addons affect the loading of the browser, NoScript might be making Firefox take and extra second to open.

    Bo
     
  23. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    221
    NoScript blocks JS--the notification is telling you it has made a block. This is often overwhelming since large amounts of sites use JS.

    I assume your NS has global block on (default), so just turn the annoying notifications OFF via controls. Assume NS is blocking some scripts. NS creates a circular problem here with usage and security, but still is of use.

    Pages will often break...why I globally allow scripts and blacklist despite the shortcomings. Much higher risk but great usage.

    But for banking, I go the inverse and an isolated portable browser. Only allowing scripts from my bank. So my bank would need to get jacked and embed malware via JS. Most banks have 100% guarantee cash back, and it would be clearly their fault. Low risk, but high usage, IMO. Somewhat redundant since the browser is already isolated. Only tab open is banking.

    But remember, using extensions for sec is far from bulletproof.

    If you are looking for secure banking, consider using a clean image virtual machine along with RSA or rather two-point verification. You can also create a guest account with some banks. This is a lower bank account admin account access per your site's policy. So even if your password is discovered, less damage can occur. Gmail has this option too, BTW.

    I use the blacklist style namely for speed. I hate laggy pages. But this does offer some cosmetic security using NS addition protections. I also generally use Chrome with Moons blocks. Block all JS but allow .com .edu .org .co.uk.

    You use sandboxie, and NS is a very good addition--quite secure.

    Good luck, guys.
     
  24. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,002
    Location:
    USA
    What exactly are you referring to here?
     
  25. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    it means you don't Allow Scripts Globally.
    hover your mouse over the little NoScript icon and you'll see.
     
    Last edited: Sep 4, 2012
Thread Status:
Not open for further replies.