Noscript

Discussion in 'other software & services' started by max2, Nov 2, 2015.

  1. max2

    max2 Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    339
    Does anyone else use it ? Is it necessary ?

    I hate when going to some websites not knowing what scripts to allow. It sucks. Especially when there is like 20 + scripts.

    Any way to make this easier ?
     
  2. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    Yes, and IMO yes.

    AFAIK, no.
     
  3. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,282
    http://www.ghacks.net/2014/11/29/how-to-use-noscript-efficiently/
    I maintain a limited whitelist and over time it gets easier to judge which scripts I'll temp allow on trusted sites.
    I even block scripts by default on trusted financial sites.
    So, I see how the site loads before I allow site function.
    There's an option to allow bookmarked sites.
    NoScript can be a annoying at first... but, I'd feel naked wo.
    Remember, to Export your preferred setup.
     
    Last edited: Nov 2, 2015
  4. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731
    If you use UBlock/UMatrix, then you can afford to relax a bit with NoScript. Otherwise, run NoScript full-throttle and accept the learning curve that follows. The good side of either approach is, once your regular browsing sites have been set up... it's a done deal; no more tinkering required.

    The same applies for software packages, whether hobby-based or security-based; if you cbf learning how to use it, then don't bother using it.
     
  5. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    Depends. Malware could download to desktop or to Temp folders by itself and then run, so it all comes down, how secure your computer is.

    If you uninstall powershell and disable WSH, you increase your security better than with noscript.
    Powershell can be turn off via Windows Features and to disable WSH just run this in CMD as admin:
    reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d 0 /f
     
  6. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    Not the only thing a script could do, there are a lot of scripts that can do damage without downloading an executable, a lot of phishing scripts for example. Blocking javascript also eliminates a lot of annoying behavior from websites. A modern browser is a high level interpreter that can run some pretty complicated code. The plugins like noscript are themselves coded in JS.
     
  7. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,278
    I had never used NoScript, but recently a script began causing problems in a website I open frequently ["Script does not respond" warning]. NoScript has solved this. Also, some sites like Huffpost work much better.
     
    Last edited: Nov 3, 2015
  8. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    Like bjm was saying, after a while, just by looking at the names in the NoScript menu is easy to tell what you need to allow and what not. For me, one extra benefit of running sandboxed all the time is that if I have a site that I want to work on, I can trial and error under SBIE and after I figured out what to white list and black list, I open Firefox in another sandbox were I allow changes in NoScript out of the sandbox and apply them. Figuring out any site shouldn't take more a minute.

    I think black listing is as important as white listing sites. If you black list, then when you open a new site that runs scripts from many domains, perhaps a few of them would already be in your Untrusted list making it easier to figure out the rest. I spend very little time making changes in NoScript.

    I think the benefits of using NoScript are many, for me personally, getting rid of annoyances is the most important. The way I see it, NoScript cleans the internet, doesn't break it. And for sure, makes me more secure. I used NoScript for a little over 6 years, in all this time, I never seem anything that looks like malware while browsing. Not even once. I never seen anything like a fake scanner or Cryptolocker. That kind of malware is not gonna get close to you if you use NoScript.

    Bo
     
  9. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    579
    Use ublock/umatrix (says a former longtime noscript user). And use Sandboxie.
     
  10. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    I think, changing a few default settings gives a better feeling about using NoScript. In NoScript Options>Embeddings, Untick Show placeholder icons and Tick Collapse blocked objects. Also, in Appearance, Untick Show status bar label. Making those changes make pages look clean and gives me a better feeling about using NoScript since nothing looks broken, out of place or annoying (Status bar label).

    Bo
     
  11. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr

    Actually, that's a good idea, NoScript does need a tiny bit of customising in that respect.

    noscriptoptions.jpg

    At the end of the day though, the only way to deal with NoScript is to learn how to use it. I think that it is indispensable on Firefox or *SeaMonkey and I even use it on Linux.

    https://noscript.net/faq

    *Admittedly I don't use it on SeaMonkey nowadays as 'a' I rarely use SeaMonkey (except for a few certain sites) and 'b' I have WOT and uBlock on it. But if it became highly used again I would almost certainly reinstall NoScript.

    I've been running NoScript for close on seven years and it still confuses me lol.
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    Yes, I also get rid of that setting too (I Untick, Show messages about blocked scripts). :)

    Bo
     
  13. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    I let it flash up for a second then disappear, it's about the same lol. NS can be hard work sometimes, but I think its benefits outweigh its detriments.
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,867
    Location:
    Australia
    Me too!
     
  15. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,282
    +1
     
  16. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    301
    Location:
    Swiss
    I tried to make it a bit easier for some people.

    https://github.com/CHEF-KOCH/NoScript-Whitelist

    Of course it's depending on your usages. I'm not a 'fan' of browser sandboxing because this never prevent the infection, so NoScript act more like a webbased firewall because it prevent stuff instead of wiping them after all is done like the sandbox. Of course NoScript is much underrated it can clean hsts and such things but it need a bit user interaction.
     
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    I agree with that. I credit NoScript for not seeing malware while doing browsing but you get a good feeling when you team NoScript with Sandboxie. By using SBIE, you know malware is not going to make changes to your system unless you let it out of the sandbox and run it unsandboxed. And its rare to see any malware while browsing when using NoScript, I never see any. I feel confident browsing with nothing but NoScript but by having NoScript doing the blocking and Sandboxie containing, the chances of getting infected are very very low and both programs get along so well, its the perfect team (for me).:)

    Bo
     
  18. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    If you are letting it flash for a second, you ought to get rid of it completely. You ll probably enjoy NoScript more if you do so. In my opinion, that message from NoScript is not only meaningless but is as annoying as the jumping ads and garbage that we get rid of with NoScript itself.:)

    Bo
     
  19. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    301
    Location:
    Swiss
    The problem today isn't malware anymore, I not care, it takes me 10-15 minutes to re-install the OS or to install the backup. Today it's more to steal your data via XSS attacks on banking pages and such and because of this I not see much arguments for sandboxing everything, because it not prevent data theft. So the malware argument is from the 90's. In the 21h nobody need anymore to worry that much about it (that much as the AV industry always telling), it's more data theft as said or just C&C which acts in the background. The problem what we really have is that there not exists a tool for the OS, I mean it's good to have that for the browser but since e.g. WIn 10 is bundled with pre-installed flash I'm worried about hacks which directly attacks the OS level. So the sandbox is based on Software, if that is already infected because the OS is infected (you can't sandbox all sectors btw) the change is very high you get anyway infected or the sandbox will be manipulated that you think it works but it may not works anymore. Don't get me wrong I will not start a sandbox discussion but I highly doubt that this prevent anything. Especially I saw a lot of hacks which detects sandbox that easy by searching for the driver and gets only activated after it's inactive/shutdown. So, the malware designer are not that stupid and they learn a lot since the 90's.

    What I like about NoScript that this project is constantly under development and very well documented.

    The problem what I see with every security solution and also with NoScript is the compromise, you can choose to block everything and make exceptions or you have the philosophy to allow everything and clean it after you shutdown the page/browser. The problem is the security + effort aspect because as said it needs a lot of user interaction if you want to work with the whitelist because it may break several aspects like the login field, additional stuff which requires javascript, flash or html5. And the real problem about this is, even if you know what to trust and what stuff not there is still no guarantee that legit pages will be infected/attacked. As I already gave the example, legit online banking pages can be infected by XSS attacks but if you enable such a protection within NoScript you still not know if it's save to deal with it, if your exception isn't really that good or what to do. Even for professionals this is a problem and the time you need to control a lot of pages would be huge (without the aspect to break functions).

    So I never saw any addon/software or such which handle such a case, even no AV because it's user trust we talking about.
     
  20. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    Yeah, I agree. I think it goes back a few years when I was trying to get my head around NoScript and was still in a learning phase with it.
     
  21. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    Many do their online banking with Linux particularly because of security problems with Windows.
     
  22. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    720
    I'm using Noscript with all scripts allowed in combination with uMatrix. uMatrix is much more powerful and has several important advantages over Noscript:

    1. It comes with several huge hosts files which explicitly blacklist most adservers, trackers and malware sites. Thus, it's hardly possible that you allow such a site by accident.
    2. With uMatrix you can control much more than only scripts and plugins but also, e.g. cookies and images (-> webbugs!).
    3. Its biggest advantage is the usage of scopes (a short introduction is available on the wiki of its predecessor HTTP Switchboard). If you're using the domain-level scope (which you definitely should do by default!) and load, say, the site abc.com where you have to allow the third-party site xyz.com, this only applies to abc.com. In other words: xyz.com is still blocked on all other sites - if it's malicious only abc.com would be affected.

    On the other hand, Noscript has some goodies like a sophisticated XSS filter. However, they work even if scripts are generally allowed in Noscript. Hence, using both extensions together is the perfect combo. They do not get in each other's way.
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,768
    Location:
    Nicaragua
    That is why using the sandboxed Firefox with NoScript has worked so well for me. Even though I have to trust scripts sometimes in order to get things done, because I run my browser under Sandboxie, my browsing sessions always runs untrusted. None of vwhat happens while browsing is going to have an effect in the system, in other programs or registry.

    And if you are worried about keeping sensitive files and folders safe, there are settings in Sandboxie that can be used to block sandboxed programs from having access to this files. For banking, Sandboxie is not an anti keylogger but if you run a fresh browsing session using Firefox with no other addon but NoScript, go to your banking site, and immediately after you finish doing banking, you delete the sandbox before resuming regular browsing, you are well cover. CHEFKOC, this is a bit off topic so I ll stop now talking about SBIE but I think you are not aware of all you can do with it.

    Bo
     
  24. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    NoScript Script Surrogates explained - gHacks Tech News
     
  25. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,063
    Location:
    Netherlands
    A minute only? Here is a challenge: set this website to allow video's: www.nu.nl

    I will make it easier, lets reduce the challenge to one (1) video, any of the video's on the right will do

    When Bo-san accomplishes this I will make a deep bow, take my hat off and change my avitar to silenced Straw-man

    upload_2015-11-25_13-9-53.png
     
    Last edited: Nov 25, 2015