Domain: noscript.net
Stories and comments across the archive that link to noscript.net.
Comments · 347
-
Re:WARNING: GNAA
Which is why Man created NoScript (firefox addon)
-
Re:Adblock Plus
I recommend using Adblock Plus and NoScript. You can also add a modified hosts file, though I find between ABP and NoScript, I no longer use the latter.
NoScript requires you to explicitly enable sites to run scripts, either per session or permanently. This turns people off, but security is never easy and it's just two clicks.
-
Re:They also disable text selection
So it sounds like that in addition to AdBlock, you should also use NoScript when reading Snopes.
-
Look for the "https:"
As I understand it, even with this so-called pharming technique, the bad guys still cannot correctly spoof an "https:" page... at least not without compromising the private key used to secure the SSL connection, or compromising the private key of the certificate signing authority.
When I explain to people how to use the Web, I always tell them to look for the security indicators before doing anything involving money.
P.S. I wouldn't be surprised if the bad guys here added Javascript code to their fake bank site, to rewrite the address bar of the web browser to show the "https:". This is why I prefer to do all my online banking with Javascript disabled; thank you, NoScript.
steveha -
Re:I would blame this on...
No, really, these kind of people spend millions of dollars in anti-virus, anti-spyware and other kind of crap that doesn't work when they could use FF and solve 90% of their problems.
Actually, it's not quite as easy as just installing FF and making it the default browser. Firefox on its own in the default configuration will protect your users from a lot of stuff (ActiveX installers come to mind), but I've found that some stuff will still get through.
FF with NoScript installed is a much better option if you don't mind spending a few minutes with your end-users and explaining what Javascript is, why it's abused and only to enable it for trusted websites. Amazingly enough I've found that even most of my computer-illiterate users are able to grasp this concept and I haven't had a single machine using the FF/NoScript combo infected with anything nasty.
-
Re:Here's a picture...
GP's probably running NoScript in FireFox. I had to temporarily allow scripts from gawker.com to see the pictures and video.
-
Re:Rock vs hard place
NoScript currently blocks Silverlight (among others).
-
Re:Buy a Mac.
Yeah sure, but after you install AVG, ZA and Spybot your system performs like an ass. Really, on a Mac you do not need those, so you do not get that performance loss.
When I ordered the MacBook Pro I'm typing this on I also ordered VirusBarrier and if ZoneAlarm had a version of ZA for Macs I would have gotten it too. I have the paid version of ZA on my Windows PC and loved the configuration options it offers. Such as being able to allow some websites to use javascript while javascript from other websites was blocked. Yesterday another
Falcon /.er posted a link for an addon for Firefox, NoScript which does the same for Firefox so I'll try it out. However whereas ZA works with more than one browser NoScript only works with Firefox. -
Re:Riddle me this:
Now that is just plain wrong. What you should have said is the reason you would risk a new merchant is because of the ad, it made you do it, it 'engaged' you, it was entrancing and mesmerised you. You must look at it, you must buy, you must buy it now, even if you don't need it or ever thought you needed it ;).
Google ad words are targeted at sellers not buyers. I got sick of the low end merchants, interstate/overseas merchants that it always seemed to spew up and used http://noscript.net/ to permanently kill the google anal-ytics script (not to forget doubleclick).
-
Google-Analytics tracks you EVERYWHERE.
Quote: "I personally think Google is on thin ice here and would personally not like to see this deal go through."
I agree.
Anyone doubting how much Google has started to become a factor in our lives should run Firefox with the NoScript add-on. NoScript will show you that most web sites deliver all of your browsing history to Google-Analytics.com.
The U.S. government's idea that it can get any information from any U.S. company at any time by threatening to put the executives of the company in jail, and can keep that secret, means that, using Google's information, your entire history online can be tracked by the U.S. government.
Only Firefox with NoScript can prevent this. Since Google has been paying $50,000,000 each year to the Mozilla Foundation, the developers of Firefox, and since Google makes money through advertising, it seems likely that Firefox will eventually not allow add-ons like NoScript and Ad-Block.
When I learned that the founders of Google bought themselves a Boeing 747, I began to worry that they are not people like us any more, but have rich man's sickness. Someone with that sickness will do anything to make more money.
NoScript makes your browsing much more secure, in addition to giving you the option to stop spying. It's amazing how many web sites run Javascript scripts linking the web sites we visit to other servers at other companies.
Deciding what needs to be unblocked is extra work, however. -
I already do something like this
I've got two profiles for Firefox: one for everyday stuff, and one for banking. Originally I'd done this because the banks all seemed to require Javascript, and I simply don't leave that on (I hate dancing baloney on websites, and a lot of the time it's just used to serve ads anyhow). Nowadays I use NoScript to turn on JavaScript when I want to, but I still do all the banking stuff in a separate profile.
I did read an interview with a security researcher recently (sorry, can't dig up the link) who said that he used a separate browser in a separate VM for his banking. I suppose you could be even more safe by using a Knoppix CD and avoiding your usual OS altogether.
-
Re:http://www.openoffice.org/
Blatantly off topic, but my karma's fucked anyway - these posts are one of the best adverts possible for Noscript. All that posting goes to waste if the Javascript won't start.
-
Re:flash is for ads - so I block it
I actually use the NoScript plugin for Firefox. It blocks all javascript (so no datacollecting and cookieplacing nonsense, and no ads, since they all use javascript) and all plugins like Java and Flash by default (so certainly no flashy resourcehogging ads). You can whitelist the sites you like (for example Youtube), so you can have the best of both world: java(script) and Flash when you want it, and only when you want it. I like it a lot.
-
Re:Not really a surprise
Oddly enough using something like http://noscript.net/ and you start to learn exactly how many sites are running the googlites anal-ytic web script, well at least until you disable script notifications of.
As for obscuring your searches try this http://mrl.nyu.edu/~dhowe/TrackMeNot/ it doesn't use much overhead and well, by far the majority of searches originating from my IP address have nothing to do with me at all, sometimes I wonder who google is targeting those ads at.
As far as I know the "do no evil" has already been edited from google's corporate policy with the more marketdroid speak version "6. You can make money without doing evil." http://www.google.com/corporate/tenthings.html. Now WTF is that meant to mean anyhow, of course I simply read it as, but you can temporarily make more money with doing evil, well, at least until you get caught and you marketdroid trolls can't out shout or can't shut down the critics.
-
Next time use a condom
I recommend NoScript brand condoms, the best condom for your cyber-sex needs.
-
Re:I wonder
My experience with the new Yahoo mail beta is limited (tried it, hated it, went back to old way), but I never had any crashes or blips when using it. Full disclosure: I use No-Script and only allow the minimum possible scripts and still function. Also, this is a Ubuntu 6.06 laptop, Firefox 2.0.0.11, so no Windows insight here. Good luck.
-
Re:Akin to leaving your front door unlocked?
It is really annoying when people try to disable right click, some idiot message pops up on the screen, which you have to cancel prior to gaining the right click menu. Under firefox of course Tools, Options, 'Content tab', Enable Java Script (should be on but do use http://noscript.net/), Advanced, Disable or Replace context menus (make sure it is un-ticked). My browser, not your browser, my browser ;).
-
Re:And the solution is...
Noscript is a great plugin for Firefox in this case as well. I too have never used a firewall or anything else except for Firefox & Avast & I've had no problems whatsoever.
Unfortunately a little common sense goes a long way and most people have even less (common sense) than that.
-
Another reason to use NoScript
If this is really a cross-site scripting vulnerability, NoScript might help protect against it (if you're using FireFox).
-
If you run Firefox, install NoScript plugin
According to the article, exploit uses Cross-site scripting, also known as XSS. There is a firefox plugin called NoScript that limits cross site scripts. The article points you to http://noscript.net/features#xss which describes the anti-XSS protection of noscript. The noscript pages suggests that you only load firefox plugins from addons.mozilla.org and sends you to https://addons.mozilla.org/en-US/firefox/addon/722 where you can download noscript.
-
Google: Do evil if it pays?
Google: Do no evil.
is now changed to, "We want to be like the U.S. government."
Google: Do evil if it pays more.
In my opinion, this is the beginning of the end for Google, as the founders lose touch with reality and fly around in their huge corporate jets. If you want responsibility, don't depend on a billionaire to do the work.
Eventually, there will be a new search engine with no Flash ads, and everyone will use that. Eventually, people will say, "Google? What's that?"
The new profit-making Mozilla will probably try to get the U.S. government to ban NoScript and AdBlock Plus and FlashBlock.
The problem with ads is not that I don't like advertising. The problem with ads is that they are nearly always stupid in some way. Some of the ads IBM ran on Slashdot were more than stupid, they were embarrassing.
Mostly, ads are written by people with absolutely NO interest in the product they are selling. I'm guessing that more than 50% of ads include at least some dishonesty. It is the ad makers that have given advertising a bad name.
Larry Page and Sergey Brin, your usefulness to the world is coming to an end. Please find someone to carry on your original vision, and retire. -
Re:Classic Bait & Switch
Yeah, but Virgin's website makes stupid noises
Really? I haven't noticed. Have you heard of http://noscript.net/ ? It's a great way of not noticing these things that annoy you.
-
Re:Shouldn't it have been this way from the start?
NoScript does. It basically blocks javascript and flash for any pages you hadn't whitelisted. Since most security problems are related to javascript, it does make browsing more safe... and less annoying. :)
I wouldn't mind seeing something similar for software now too... as long it's open source. -
RTFA... if you can
Somewhat offtopic, but often Slashdot warns if TFA is pdf or flash. In this case, the article has style="visibility: hidden;" on the text of the article, so that it only appears when you turn javascript on (or turn off CSS). You're all paid-up geeks, so you're all surfing the web with noscript whitelisting... right?
The words obnoxious, useless and stupid spring to mind. -
Boy, do you need NoScript...
http://noscript.net/
Allows you to turn scripting off (including most flash) on a per-domain basis. Kill the ads, keep the content. -
Re:More than one side to this one...
I have to take issue with a few things here:
First, Javascript and Actionscript are both essentially the same core language with different extensions, so it makes no sense to choose one over the other on the basis of which is the best language.
Second, the core language, Ecmascript, is not a mess. In fact, I find it the most elegant and intuitive language I have used (including Ruby, though I'd put that a close second). There are specific problems with its implementations both as a browser scripting language and within Flash. Actionscript suffers from its relationship with the Flash IDE which - to a programmer - is less than intuitive, though the larger your flash app the more you get away from this. Javascript's burden is differences in implementation of a few features, which unfortunately are key ones. The solution to this is to use a framework. I use jQuery, which does such a good job of hiding these differences I'd have to rack my brains to remember what they are and how to work around them in regular js.
Thirdly, I agree that animated nav bars can enhance a site but they can also detract, especially if the user has a slow PC. This is a matter of good taste and judgement, but I'd suggest thinking at least three times before doing a site's navigation in flash. As you point out, it can be built to degrade in such a way that the NoScript user (and we're on the increase) doesn't even know they're missing something. CSS can accomplish an enormous amount in making a well marked up nav look the business.
Fourthly, if you really must have them, you'd be surprised what kind of animation effects can be achieved quite easily using a framework like jQuery. -
Re:Storm is still a trojan, not a worm
Which is why all us geeks should be telling every non-tech we know to download noscript+adblock plus. I have already sent emails weeks ago pointing out the threat and providing the links. Added bonus is you can tell them you won't help with any computer problems if they don't have those two programs installed.
I switched my non-tech friends to Firefox or Seamonkey ages ago (depending on whether they still use regular email or webmail) and with the noscript+adblock plus I've found the rate of "computer is acting funny" calls have dropped way down. Hats off to the noscript and adblock plus guys. Keep up the good work!
And here are the links so you can simply copy/paste: Noscript - http://noscript.net/ Adblock plus - http://adblockplus.org/en/
-
Re:Article is very misleading - JS benchmark only
Well, they didn't test it against WebKit/Safari/Konq, which blazes through Javascript tests.
Testing javascript with Safari is like testing javascript with NoScript -- of course it's going to be faster since it doesn't really work. -
Use No-Script
No-Script does a great job solving this problem.
-
Re:News?
When you hover over your example link, it shows where you are really going.
When you use Evil JavaScript(tm) you can REALLY fuck with the user, who will have NO idea where the link goes, which is why tools like NoScript are so important. Don't surf naked - use NoScript. Don't get me wrong, javascript can be useful, but so many sites use it gratuitously. They use it for things like roll-over highlighting, when CSS does it cleaner with less code. Most sites I visit seem to use javascript now. Less than half actually need it as NoScript has proven. -
Re:Who'd have thought it?
Use NoScript. Turn on JavaScript or Java for the site(s) in question, leave it off for everything else. Problem solved. It's what I do for all the university stuff that requires it.
-
NoScript, but they don't work
In the meanwhile, NoScript is your friend
As always, with script-related security flaws, the easiest solution is NoScript, of course.
However, FWIW, I couldn't get either of his demos, the Java or the JavaScript, to work on Firefox 2.0.0.6 on Windows XP, despite the fact that the author says that both work on Firefox. -
Re:Perhaps ran into one of these
Not much you can do about it other than turn off javascript by default. Well, there's NoScript to let you whitelist on the fly.
-
Possible Workaround
FTA:
The latest version of the Firefox extension NoScript also filters URLs that are passed to external handlers. Once installed, at least the demo exploits only open empty windows, while for example normal mailto:-URLs still work.
Looks like http://noscript.net/ will cover you if you're looking for a temporary fix. -
NoScript
NoScript
Repeat ad nauseam.
-
Clarification
Users could also disable JavaScript or use add-ons such as NoScript to set up rules to provide additional protection. In the age of Web 2.0 this would, however, mean that many pages would cease to function.
That's very misleading. Allow me to clarify:
Users could also disable JavaScript, which in the age of Web2.0 would cause many pages to display incorrectly. A better alternative is NoScript!, an add-on that allows users to selectively white-list pages, servers, or domains to use JavaScript. -
NoScript blocks Flash
Once again NoScript helps out here since it can block Flash. I don't run Flash on any pages that don't absolutely require it, and I find few that do. Flashblock is another option for Firefox users that only want to block Flash and nothing else. Browse safely everyone.
-
Re:Tech Review Site
And I would visit your review site provided you don't use those god awful double underlined ads...
I only ever see those on other people's computers. Between Adblock Plus and NoScript, they don't show up here.
-
Re:Demonstration
That's the difference between NoScript's script management and the ordinary enable/disable JavaScript controls.
NoScript lets you allow JavaScript on the sites you trust (and those only), either temporarily or permanently, with a click.
Furthermore, it gives you the same trust-based control over other potentially dangerous and exploitable technologies, like Java or Flash, and protects your trusted sites against XSS attacks.
-
Re:Demonstration
That's funny, I thought it was on the 21nd.
The 1nd version of this protection was released on the 20rd, and the 22th one was actually the 3st, as testified by the changelog ;) -
Re:Wait a minute it doesn't seem to work
You're either using NoScript or an O.S. different from Windows.
-
Re:Demonstration
Firefox users with the NoScript extension installed have been already protected both from MacManus/Larholm remote code execution and from Rios "Universal XSS" since June, the 22th, see NoScript changelog.
More in general, they're protected from chrome privilege escalation gained by opening non-chrome URLs in top-level chrome windows (Larholm's PoC) and from javascript: URLs being loaded in externally opened browser shells (Rios' PoC), no matter if attempted through the firefoxurl: handler (like in this specific case) or by other yet unknown means, thus these features are meant to stay in place even after Firefox 2.0.0.5 with its commandline-specific fix is released.
-
Workaround
Apparently, the NoScript firefox plugin solves this problem (or so they claim at the website: http://noscript.net/).
So this will serve as a workaround for those who wanted one. -
Re:POST vsn GET
While it's true that it's much better to follow the RFC here, just switching to POST doesn't solve the CSRF problem. An attacker could set up a malicious Web page which has a form with all the necessary parameters and a JavaScript to automatically submit it, hence meeting the POST requirement. Similarly, if the client has an older version of Flash or a buggy version which does not obey same-source security principles, the attacker could embed a malicious SWF which creates the entire HTTP request from scratch, even forging the Referer header if you were checking that as a security measure.
This is another good reason for using Firefox extensions such as Flashblock and Noscript. As a client, you can protect yourself pretty easily from a lot of these attacks. Noscript also has some nice features which help filter out the more common brands of XSS attacks. -
They're already working on this
Content restriction is hot topic, especially after MySpace debacles:
- Brendan Eich, the father of JavaScript, proposes a <JAIL> tag to block scripting (PDF slides warning)
- RSnake's take on content restrictions proposals.
:) -
Re:Go old NoScript
You do realize he's talking about the NoScript Firefox Extension, right?
-
Re:Go old NoScript
It is an excellent solution. Your post leaves me with the impression that you don't know what NoScript is. NoScript is a Firefox extension that allows a user to selectively enable JavaScript for web sites.
If we continue down that line of thought we end up at the point where we just go back to static pages with no scripting.
I already do that. I only have JavaScript enabled for about 20 web sites. I've found out that I'm not missing anything as most web sites function perfectly without JavaScript enabled. If there's a site that just has to have JavaScript to work then I can click a button in the status bar to temporarily allow it for that domain for that browsing session.
I've also learned that many times the only reason that JavaScript is enabled is for some useless effect like fading in and out.