Slashdot Mirror

My problem with this, and the reason why I'm willing to accept the policy as it stands is that I'm constantly surprised by the new features in NoScript. However this is in a good way. I find it solving problems I had never even realised I had and that, once I know about them I realise I wanted them solved. Adding features is a good thing.

Agreed. Seems like this upgrade was also solving problems you might know you had, though?

The easiest way is to make sure that those that might have a privacy implication or similar have to be turned off by default.

Which they were in this TACO upgrade...

My problem with this, and the reason why I'm willing to accept the policy as it stands is that I'm constantly surprised by the new features in NoScript. However this is in a good way. I find it solving problems I had never even realised I had and that, once I know about them I realise I wanted them solved. Adding features is a good thing. It's very difficult to write a policy which says which features should be allowed and which not. The easiest way is to make sure that those that might have a privacy implication or similar have to be turned off by default. The real problem which remains is that the people chose the software believing that it's license would protect them. They could always tell what software they had and fix it if something bad did happen. Instead a license change took away that right. That's what Mozilla should be protecting against.

I’m going to have to call bullshit on that. Citation needed.

http://noscript.net/features

Show me which of those features requires frequent updates to NoScript’s actual engine.

Our code is partially based on the STS implementation from the groundbreaking NoScript project.

Q: I don't like NoScript redirecting the browser on its release notes page every time I upgrade it. Is there any way to prevent this?
If you feel you don't need such heads up, you can disable this feature by clicking the NoScript icon, selecting Options and unchecking "Display the release notes on update" in the "Notifications" tab.

He's intentionally driving traffic to his page, but you can disable it easily (it used to require about:config, but it was a boolean that was fairly easy to find).

Preferences for enhancing HTTPS behavior and cookies:
Force the following sites to use secure (HTTPS) connections - a space-separated list of site patterns

Then again, if you don't trust the NoSript author after the controversy, this might be a good alternative. I figure NoScript is under more scrutiny than any other extension and the author learned his lesson.

Better yet, use NoScript's ABE facility to block any non-Facebook web page from loading a Facebook page or API. From http://noscript.net/abe/ :

# This one allows Facebook scripts and objects to be included only
# from Facebook pages
Site .facebook.com .fbcdn.net
Accept from .facebook .fbcdn.net
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

http://noscript.net/ for every site you don't explicitly trust

From TFA:

"There are some effective countermeasures, however. A uniquely identifiable IDG News Service Windows XP computer running Firefox could not be identified with the NoScript safe browsing extension turned on. Adding the Tor Internet anonymization software also works, Eckersley said."

Doesn't NoScript allow element specific blocking?

http://noscript.net/

Oh, how I wish the network were still missing that "essential ingredient".

Wish no longer!

Feed me a pop up or pop under and I instantly block.

If the page takes ages to load because it's waiting for the ad server. I block.

Feed me more content than crap, and I disable ad block on that site.

ps: I usually use "no script" because 99.99% of what I care about doesn't need JavaScript and 99.99% of what pisses me off does!

I find NoScript pretty effective for what you describe. Ad servers are usually on a specific domain, even those hosted by the content providers themselves, thus making them easy to block. It requires some tweaking at the start, including personalizing a lot of settings and teaching NoScript exactly what to block, but once you've been running it for a while you won't even remember that it ever existed, you won't have third party WSRP slowing your browser down, you will never have to run untrusted Flash content again, and your regular websites will continue to work as they always did.

Covered in the Q&A on NoScript's page: http://noscript.net/faq#qa2_6.

The answer Maone gives is detailed, and contains a few "fixes" for your on-your-tit-getting.

You are a moron. Google Search logging the queries is not the problem. Google Analytics is. If I query Google it really isn't that surprising that they know what I am searching for. But they really shouldn't know every single time I visit Slashdot, without even using Google to get there.

And here again the problem is not that I can't protect me against that. I can. The problem is that the vast majority of web users doesn't even know about it.

Yes, exactly. I use noscript firefox extension and it's astounding how many sites have installed a google-analytics script in return for higher page rankings, even ones who are supposedly concerned about privacy.

Considering that many people use other browsers and that most firefox users probably don't even know about noscript or why they need it, the compromising of privacy by google-analytics is on a huge scale.

BTW, on the other end, try to use a private search engine such as the ixquick meta search engine, which doesn't store your IP.

There's an app for that...

NoScript

Ad Block Plus

NoScript allows per site javascript blocking. And flash blocking. And XSS protection. In combination with adblock+ my web surfing is much safer and faster. http://noscript.net/ Personally I usually set it to allow javascript from the site itself (top-level), but block external javascript. That makes most pages work. Also disable the annoying pop-up telling you it blocked something.

From a user perspective, a user that uses https://addons.mozilla.org/en-US/firefox/addon/2497 cookiemanager and for web sites that suck, no cookies for you. I don't really see a problem with requiring permission from the user to store a file on their computer for your use, after all I go through that process every time I browse the net and visit a web site for the first time added to that I also use http://noscript.net/ and no cookies definitely no scripts.

So should you be required to gain permission to run a script something which if often entails far greater risk than a simple limited size text file cookie. So web more web sites that didn't use script or cookies would certainly simplify my browsing time.

I installed NoScript recently along with Request Policy. One protects from any request to a foreign domain and one blocks scripts until I allow them.

Have I reduced my exposure enough?

What I want to see is a community mediated system whereby the whitelists and blacklists are distributed amongst the community. A bit like ThreatNet, SpyNet, PrevX and all the other proprietary security systems. How the decision of whether or not to allow or disallow a request will be made but it needs to be made by a massive community. I generally experiment whitelisting a website until it works. If this information was made subscribable, people could browse with a bare minimum of exposure?

Sam

Here, let me fix that for you.

http://noscript.net/

http://hasthelhcdestroyedtheearthyet.com/

        <script type="text/javascript">
            try {
                document.write("NO");
            } catch(err) {
                document.write("YES");
            }
        </script>
        <noscript><p>NO</p></noscript>

This just in: Noscript saves the world!

"FireFox have like serious issues when dealing with JavaScript. I use it in Windows and Linux, just awful for some stuff i use. For example, try kangi If you try to sort by the first column for example (#), in Firefox it just stops responding and CPU is at 100%. This happens in Windows and Linux"

I just tried it in FF under Ubuntu running off a USB device and - not a problem - it sorted in just over a second. Where Java is problematical, it's usually a slow or buggy site, where everything is stuck waiting on a javascript to finish. That's why I use noscript.

I think Adblock may do more harm than good. With all the major browsers moving towards HTML 5, advertisers will have many more opportunities to inject intrusive advertising into web content with simple CSS commands.

NoScript already blocks the HTML5 audio and video tags. Also, it isn't as if Adblock Plus can't incorporate the same functionality in a future version.

FlashBlock can be easily circumvented by any attacker.
The only reliable flash-blocking whitelist is NoScript.

NoScript actually mitigates this vulnerability. The ABE feature, in particular:
http://noscript.net/abe/

So although I added the firewall mitigation in dd-wrt, I was pleased to find that NoScript blocked the CSRF request before it even got to the router.

Noscript 1.9.5 causes a slowdown when opening multiple tabs. You can test this by trying the development build http://noscript.net/getit#devel

Careful.

The official NoScript site is http://noscript.net/.

To anyone who doesn't already know: NoScript prevents Javascript scripts from running unless they are chosen from a menu. That even protects against vulnerabilities that haven't been discovered yet.

I had heard about this earlier in the week and decided to give the demo exploit (which executes calc.exe) a run. As soon as I tried to save the HTML to a file Microsoft's Forefront A/V popped up with an alert detecting the shellcode within the sample code. Not bad, MS.

But if you really want to be safe you should be running noscript. It'll save you from running malicious code on sites you don't trust.

Cuz yeah, Flash locking up the entire browser wasn't a pressing need until IE8 and Chrome. Riiiight.

Not when there's already an easy solution. I don't remember the last time my browser crashed.

Supplemental: http://noscript.net/ and http://www.sandboxie.com/

From TFA. Specifically the responses at the bottom: "Brian, wouldn't an add-on like Giorgio Maone's NoScript stop the processes necessary for this kind of fraud to succeed on Firefox ?". Which gets this as an answer: "@mhenriday - I suppose it's possible, but I doubt it."

Next he refers to the Security labs article for more information. Notice the "payload" section and the marked sections. See how this is all javascript code? Now check the NoScript website, see how its primary use is a "Javascript/Java/Flash" blocker?

So why would the author have any doubts if this NoScript plugin can actually stop the execution of this javascript code block? Does he somehow think this block of code is very different from other javascript snippets or could it be that he doesn't like (or understand) this free, easy and most of all safe kind of protection ?

Maybe I'm too cynical here but I wonder.. Double agenda perhaps?

Okay, I'll bite. Why is Firefox better for watching porn?

Addons, my man, addons.

AdBlock Plus - block ads, other random stuff if you want (like Slashdot's CSS)
NoScript - blocks nasty javascript unless you enable it so you don't get owned
DownThemAll! - download all linked videos/images from a page

Oops... I'm very sorry about the inaccuracy above. Of course what I fiddled with was not AdBlockPlus but NoScript.

It seems like it's been fixed.

NoScript.

I just had a Slashdot page load wait 9 seconds for "bs.serving-sys.com".

NoScript (FireFox extension: http://noscript.net/)

I don't run AdBlock, just NoScript, and the only reason I know that /. has ads now is that people not running NoScript talk about it.

v 1.9.2.3

+ A "NoScript development support filterset" gets added to AdBlock
Plus, whitelisting the noscript.net, flashgot.net, informaction.com
and hackademix.net web sites recently broken by an aggressive
EasyList campaign against sites sponsoring NoScript development.
ABP users are informed both on the install and on the release notes
pages, so they can easily disable the filterset if they whish to.

v 1.9.2.5

+ One-time startup prompt to ask users *beforehand* if they want to
install/keep or permanently delete the AdBlock Plus "NoScript
Development Support Filterset" deployed with NoScript 1.9.2.3
and above

v 1.9.2.6

+ NoScript now automatically removes the controversial "NoScript
Development Support Filterset" deployed with NoScript 1.9.2.3 and
above on startup, permanently and with no questions asked.

This is aside from the fact that I only see a couple tiny squares of ads on the page - nothing flashy or obtrusive. And I may be wrong, but I believe you can adjust in the settings somewhere so the noscript page does not even come up with each update... never tried because I like reading what was changed.

Cheers.

Firefox with noscript plugin certainly does.

Important update for Adblock Plus users: Version 1.9.2.6 automatically and permanently removes the cotroversial NoScript Development Support Filterset deployed with NoScript 1.9.2.4. I sincerely apologize with ABP users. Even though information about its presence and how to remove it in two clicks was given on the AMO install page, on this site's install page, on the release notes landing page and in the FAQ, not including a prompt asking for explicit permission beforehand from the start has been a very bad omission, and I want all the ABP users who felt betrayed to know how much I'm sorry for that. As a sign of good will and repent, current NoScript 1.9.2.6 completely removes the ABP filterset on startup with no questions asked. Thanks for your patience.

-- Giorgio

Update: More apologies and background facts on author's blog Hackademix.net.

Giorgio released version 1.9.2.6 which disables the filter. I quote from http://noscript.net/?ver=1.9.2.6&prev=1.9.2.5

Why such a tight release schedule? Version 1.9.2.6 automatically and permanently removes the cotroversial NoScript Development Support Filterset deployed with NoScript 1.9.2.4. I sincerely apologize with those ABP users who missed the information about it given on the AMO install page, on this site's install page, on this very release note page and in the FAQ. Not including a prompt asking for permission beforehand from the start has been a very bad omission, and I want all the ABP users who felt betrayed to know how much I'm sorry for that. As a sign of good will, current NoScript 1.9.2.6 completely removes the filterset itself, if found there, on startup with no questions asked. Thanks for your patience. -- Giorgio

It seems that he eventually got it right.

It seems that he eventually got caught.

Giorgio released version 1.9.2.6 which disables the filter. I quote from http://noscript.net/?ver=1.9.2.6&prev=1.9.2.5

Why such a tight release schedule? Version 1.9.2.6 automatically and permanently removes the cotroversial NoScript Development Support Filterset deployed with NoScript 1.9.2.4. I sincerely apologize with those ABP users who missed the information about it given on the AMO install page, on this site's install page, on this very release note page and in the FAQ. Not including a prompt asking for permission beforehand from the start has been a very bad omission, and I want all the ABP users who felt betrayed to know how much I'm sorry for that. As a sign of good will, current NoScript 1.9.2.6 completely removes the filterset itself, if found there, on startup with no questions asked. Thanks for your patience.
-- Giorgio

It seems that he eventually got it right.

http://noscript.net/changelog

Minutes after the suggestion, and it is already in the new version that was just pushed out.

The changelog is here.

Look at the freaking homepage:

http://noscript.net/

It has been mentioned in Forbes and the New York Times. Anybody who wants to mess around dealing with blocking javascript already knows about it, no one else even cares.

That the author is apparently a bit of douche makes it even less interesting.

When the Easylist filter was made for Adblock Plus, it generically blocked ads for many websites, with some specific rules for other sites. Giorgio Maone (creator of NoScript) relies to a certain extent on ad revenue on his websites, without which he may spend less time working on the extension. He made a workaround on the ad blocking, and though the filter could have been updated to counter this, no attempt was made to update it.

When Rick Petnel died, they needed a new maintainer for the filter. Ares2 continued where Rick left off. He decided to fix the workaround made on Giorgio's sites.

What then followed was a game of cat-and-mouse. Giorgio would attempt a new workariound, and Ares2 would attempt to block the ads. It reached the stage where large parts of Giorgio's sites weren't working due to false positives.

Here, it seems clear that Ares2 has gone too far, and a compromise should have been reached. ABP and NoScript are a good pair when working together, though the people behind them have different philosophies. Unfortunately, things start to take a turn for the worse.

In an attempt to defend his site and ad revenue, he makes an update of NoScript to version 1.9.2. This version contains a file called MRD.js, which adds a CSS stylesheet rule to his websites that overrides the filter, by adding -moz-binding: none after the filter has loaded, which the filter depends upon. Furthermore, the file is obfuscated to hide what it does. No warning is given to Firefox users of what the extension has added in this tit-for-tat battle.

When this addition started breaking users ABP installations, version 1.9.2.3 instead adds his websites to the ABP whitelist, calling it a "NoScript development support filterset". The user isn't informed of what this is, and isn't given a choice on whether to accept it.

At present, the filter has removed its false positives, though leaves the ad blocking in place. The NoScript behaviour still remains in the latest version.

Ares2 was overzealous in attempting to block ads, and shouldn't have made Giorgio have to make excessive changes to his site. But the larger concern is that while Easylist is a filterset, which can be removed and updated by the user, NoScript went further and started to modify existing extensions, executing code without user's consent or awareness, and acting in a way that resembled malware, to display ads on his websites.

Extensions can be great for giving people freedom to control how they view the web. But creators of extensions need to be careful in what they do with them, especially with those with a large user-base like Adblock Plus and NoScript. If not handled correctly, Firefox extensions could become the next vector of malware, and that would be a shame for all.

I'd have thought most people who post here would be savvy enough to have NoScript installed. I appreciate that stuff like this is a pain for anyone who has to lock down Windows boxen in a company but that's what web filtering proxies are for, no?

Regular users have no hope but unfortunately that's been the case on so many fronts for so long that one extra Acrobat vulnerability isn't going to make things much worse.

Adblock Plus is the real reason to use Firefox

I've found NoScript to be more compelling. Maybe we should say that extensions are the reasons to use Firefox?

I have a Blackberry and use it to browse the net. It doesn't have Flash. Something like >14 million people have Blackberries, and >8 million people have iPhones. Those devices don't support Flash yet,though a player is in development for the iPhone. Additionally some of the most savvy web users don't run scripts, including Flash, for security reasons. This story sounds like Adobe-flavored Kool Aid.

Check out their website:
http://noscript.net/

Bright colors, exclamation points, crazy logos, claims of a "safer internet" [1]. That sort of stuff screams EVIL to me... I might be the only one, though.

I've never actually scrolled to the bottom of their page, so this is the first time I've seen the citations they've received in real news publications. That does offset the spammy feel of the rest of their site.

[1] Yeah, I know that noscript really does make a safer internet. A lot of evil software makes that same claim, so ya know... :)