ScriptNo Efficiency Questions

I am debating again whether to use ScriptNo again. I have 3 questions regarding it:

1. Does it block all scripts at first on a page, or only after selecting block or whatever and reloading the page? I believe it does block on the first time because some pages that worked before adding it didn't work after installing it.

2. The goal of it is to block malicious scripts. Do most or all malicious scripts show up as separate scripts, or are they injected into existing scripts on the page? For example, say I wanted Facebook to work properly, so I selected to always allow Facebook's main script. Would that be safe, or if Facebook was compromised with a malicious script, would it be the main Facebook script compromised so it would then be allowed? Sorry if that's hard to understand what I'm asking.

3. Are most drive-by downloads caused by malicious scripts running when you go to an infected page? Would using ScriptNo end almost all malware infections not caused by downloading and running malware?

Thank you

 

Possibly - not reliably. This is due to the Chromium APIs being asynchronous ie: they can't say "stop page load until I'm done" they can only try to be the first to load.

Depends. Oftentimes scripts are loaded in an iframe that comes from a separate site, so no it wouldn't be mixed into the same domain. It can be though.

Sort of. You need Javascript to load most things. So if the page has a Flash exploit or Java exploit you probably need Javascript to load it up.

 

It would seem, to me, a reliably functioning ScriptNo extension would make Chrome as close to perfectly secure as one could hope for However, even without this extension, Chrome's rendering processes running at at an impressive "Untrusted" integrity level and enabling only its ppapi flash has compelled me to settle on Chrome (with AdBlock) as my browser of choice over Firefox with NoScript. I have also examined while testing, that Chrome uses fewer cpu cycles than FF when playing back Flash content.

 

Chrome has plenty of room for improvement without anything like ScriptNo but implementing a 'NoScript' XSS auditor as well as ClearClick would be nice.

 

Huh, that's annoying. Hopefully they change this in the future.

Well I don't have Java installed on my PC, so I would be safe from these anyway?

 

you have Flash, don't you?

 

Just Chrome's built-in Flash

 

that's pretty good.
getting rid of Java is always a good idea if you don't need it.

last time i checked, ScriptNo hadn't been updated since February this year.


when i tried ScriptNo, it seemed erratic in it's blocking behaviour.
certainly no replacement for NoScript, imo.

 

exactly.

 

I wonder if I should remove it from my site, if it can't guarantee it will block scripts before they load.

 

i would.

i just checked the Chrome App store; ScriptNo still has not been updated since February 18 this year.

 

Done. Think I'll add BD Trafficlight when they release the HTTPS update. Can you think of any other good user-friendly add-ons for Chrome other than AdBlock and WOT?

 

Do Not Track I would add that.

 

Doesn't AdBlock with EasyPrivacy and FanBoy's privacy whatever lists do about the same thing?

 

nobody has mentioned Ghostery?

 

If Chrome could get this to function as well as NoScript does for Firefox, it would be hard to justify using another browser. Other than of course the: "I just don't trust Google" defense, which myself use.

But I'll tell you what, if Sandboxie doesn't play well with 64-bit Win7 by the time I'm ready to upgrade... I may just get over that paranoia real quick. Because I need a sandbox for my browser, period. And I will be using the 64-bit variety of Win7.

Hopefully both Sandboxie will play nicely with my OS, and ScriptNo will be fully functional by then, so that I'll have a decision to make. Not be forced into one.

 

You could use AppGuard

Also, why is it bad that BitDefender TrafficLight uses HTTP right now, not HTTPS? What is the privacy issue?

 

It means it's unincrypted, so anyone can see where your surfing the web. with HTTPS it's encrypted so no one can eavsdrop on you. there are tools out there like SSL strip that can break SSL too.