NoScript Awarded $10,000
An anonymous reader noted an interesting bit of information about a tool a ton of Slashdot users make use of every day: "NoScript has been chosen as the recipient of the DRG Security Innovation Grant. This is a great honor and a spur to keep making the Web a safer place. I feel the urge to thank the committee for recognizing NoScript as a pioneering force in browser security, and the community of contributors, researchers, translators, beta testers, and loyal users who keep this project alive day after day. The grant will fund the effort to merge the current two development lines, i.e. 'traditional' NoScript for desktop environment."
The fact that this ever had to be an *add-on* is just shameful. The fact that IE and Safari still don't have it (or something very similar) is close to criminal. Okay, Chrome has NotScripts, but that apparently requires some weird hacking to use securely.
And, no, the non-default ability to turn *all* scripts on or off isn't even close to the same thing. As the great Jules would say--it's not the same ballpark, not the same league, not even the same sport.
SJW: Someone who has run out of real oppression, and has to fake it.
Did they also get a grant for messing with other addon settings so their ads show up on their homepage?
Does this mean web designers will start making their web sites actually work when users without javascript try to use them?
(The list of offenders is too long to name.)
For Safari: Glimmer blocker is both an ad blocker and can deny and/or rewrite scripts on the fly.
That's too bad, because it's awesome. I haven't found anything else that comes close to how flexible and easy to use it is.
As far as trust goes - I trust the developer of NoScript over the entirety of the JavaScript code injected by advertising and tracking agencies out there.
By the way - did you read the NoScript developer's mea culpa?
My Other Computer Is A Data General Nova III.
Even though the author recognized his mistake, backed out the changes, and apologized profusely in a very public manner, you still don't trust him? Harsh man, harsh.
http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/
I'd rather not blacklist somebody over a single incident. However, if you happen to know of other instances where he did something sketchy, please let us know.
Ghostery exists for Firefox/Chrome/IE/Safari, and can be taught to behave as NoScript.
Free unix account: freeshell.org
Well, I love the Neutered web experience because I absolutely hate Flash/Silverlight and iframes because they've been exploited too many times. As to the usability of a website, I feel that any site that absolutely depends upon Flash/Silverlight to be usable is one I don't need to visit again. For those business sites like Asus or HP, I've begun filing ADA (American Disabilities Act) complaints that the websites are not accessible to disabled users (Flash doesn't support screen readers - nor does it work worth a damn for those who have even a mild vision impairment).
Hopefully, we'll start seeing companies getting it right by sticking with Standards compliant HTML for their main pages with proper links to the various departments. There is absolutely no reason for a website to depend on anything except HTML for functionality, as it is the lowest common denominator.
Mod me up/Mod me down: I won't frown as I've no crown
Fool me once, fool me twice...
No, no, no.... it's
"Fool me once, shame on... shame on you. Fool me... you can't get fooled again!" -- GW Bush
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
For many of them (e.g. Clickjacking or cross-zone CSRF with DNS rebinding) NoScript features specific countermeasures which go far beyond script blocking.
Furthermore NoScript blocks plugins, XSLT, HTML5 media and web fonts on untrusted sites, which reduces the attack surface to HTML/CSS parsing or image decoding vulnerabilities, relatively rare nowadays. And even those, usually, still require scripting to be exploitable on modern systems (e.g. for heap spray preparation).
This, exactly. I would rather back up my machine properly and practice safe browsing habits than put up with NoScript's bullshit. I've read for years people extolling its virtues, but I personally cannot stand the neutered web it presents.
The whole point of NoScript is to allow you to control whether scripts run on a finer level than the "off/on" that browsers support natively, and it does that easily, with one click per domain.
If you use NoScript to deny scripts globally, then you are using it wrong. Instead, you enable each domain (just once, as NoScript remembers the setting) that you deem safe. This makes browsing much more secure, although you can still be caught if a trusted domain starts serving malware scripts, but it's better than being open to attack from every domain.
I've tried to use it four or five times through the years, and I always end up removing it almost immediately. I find the UI to be confusing (and just plain bad) to the point of uselessness.
What, exactly, is confusing about clicking one time on a menu item that reads "Allow slashdot.org" (for example)?
The only time I find there to be a problem is when a domain loads scripts from 5-10 other domains. That does make it difficult to figure out which scripts are required to make the site functional, but that's not a problem with NoScript...that's a problem with the site. And, it's exactly this "code from random sites" that makes NoScript important for browser security.
NoScript helped in stemming the amount of infected PCs I received. I'd install it on my customers' PCs and show them how it worked and that they should turn it off only when doing stuff like online banking, otherwise leave it on.
It was of tremendous help and a lot of repeat customers stopped coming back with the same infection.
Previewing comments are for sissies!
I'm not a big fan of Flash on the web, but it is absolutely untrue that Flash doesn't support screen readers. http://www.adobe.com/accessibility/products/flash/best_practices.html
What is true is that it is possible to build websites in either HTML or Flash that don't support screen readers.
There are plenty of vulnerabilities found that do not need scripts, let's not make NoScript out to be more than what it is.
I'm sorry, I've got to call BS. That's like saying "There are plenty of illnesses out there that aren't virus-based or bacterial, so let's not make washing our hands out to be more important than it is."
Fact is, NoScript is an invaluable resource, with a clear, easy-to-use interface, and even the less-than-tech-savvy user can use it to vastly reduce their chance of 'catching' something. Yes, it does not provide perfect protection from everything, but I'm afraid the only way you can achieve that is to pull the plug on teh interwebs and live in your own virtual 'bubble'.
I for one applaud this award as well-deserved. Good on them!
"I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
PrefBar restores this functionality. Single-click control of images (for those not-necessarily-SFW threads), colors (for that asshat on FailSpace who thought that red on a green background was a good idea), and of course, Javashit, Java, Flash, cookies, referrer-sending, and so on.
Not having JS loading makes all pages load incredibly fast. Use it like a turbo button. That combined with Ghostery and Better Privacy make for a pretty good browsing experience (and shows you what each page is attempting to do). If you are looking for perfection, there is nothing stopping you from writing your own browser. NoScript is the biggest reason I stick with FF. Love it!
I use both. It makes the list of scripts that I should consider considerably shorter and also blocks confusing scripts I may otherwise allow in the process of trying to get a webpage to work. They all make life easier and more secure. Or at least I feel secure knowing so many things that used to happen now are blocked and I still have a usable web browsing experience.
The author deserves this. I reported a small problem on Amazon and he had a release candidate ready for testing about six hours later.
The UI isn't confusing, what is confusing is the tendency of sites to use a large number of largely anonymous servers to give even basic functionality. What NoScript really needs is a way of blacklisting domains manually so that I have to manually enable them if I decide I want them. For things like Facebook which are inexplicably everywhere even though they aren't necessary on any site that I routinely go to.
I tried to use it for a couple months, but more than half of the web-forms on the internet require javascript to submit properly. So I would spend all this time filling out these forms, get to the end, and either nothing happens when you click submit or you get an error. So I disable NoScript for the site, only to have the browser (or the website) clear everything that I just entered into the form, and I have to start over again.
Other sites wouldn't have working menus, others didn't have working links at all. All of this is the fault of bad developers, but regardless of who is to blame, I still have to live with it. JavaScript is too tangled up into the design of most sites to be able to disable it and not have half the web break. It isn't like plugins like flash, where you get a nice segregated box that is disabled, and everything else works like normal.
The only way I could stand to use NoScript was to Allow All, but keep the cross-site scripting protection on.
What NoScript really needs is a way of blacklisting domains manually so that I have to manually enable them if I decide I want them.
You mean like 'mark as untrusted'?
I'd like to see domain-based functionality, so for example I can allow Facebook JavaScript when I'm actually using Facebook, but block it when I'm at any other site.
Ah, I still remember the early days of Javascript when we were telling people what a horrible insecure pile of crap it would be and they were assuring us that nothing could possibly go wrong.
I haven't found anything else that comes close to how flexible and easy to use it is.
Have you checked out Request Policy?
I don't suggest it out of NoScript hate[0] -- I still run NoScript on some machines -- but because it's fantastically easy to use to do things you need to mess with ABE to do on NoScript (if even then. I haven't had the time to mess much with ABE). My favorite is being able to block everything Google, and then only allow it, if needed, permanently and only on the sites that need it (mostly on sites using reCAPTCHA).
It's pretty nice and one of the four extensions that keeps me shackled to Firefox, much to my continued misery (The other four being ABP, PasswordMaker, and Lazarus).
[0]Though its insistence on opening up the homepage twice a week lately on minor updates is becoming a pet peeve.
Government. Is there anything it can do that does not hurt the economy? If it can, I haven't found one example yet so far.
+5 ironic for writing that on the internet.
When information is power, privacy is freedom.
Safari still has menu items to turn images, JavaScript, and CSS on and off for the current web page. The point of NoScript is to give you a greater level of granularity (i.e. allow just these scripts on this site, but not those) and to make these persist across browsing sessions.
I am TheRaven on Soylent News
One feature I would love is if it supported whole lists. That is whole white and black lists from different people that are assigned at different priority levels.
This morning I was awoken by my alarm clock powered by electricity generated by the public power monopoly regulated by the US Department of Energy. I then took a shower in the clean water provided by the municipal water utility. After that, I turned on the TV to one of the FCC regulated channels to see what the National Weather Service of the National Oceanographic and Atmospheric Administration determined the weather was going to be like using satellites designed, built, and launched by the National Aeronautics and Space Administration. I watched this while eating my breakfast of US Department of Agriculture inspected food and taking the drugs which have been determined as safe by the Food and Drug Administration. At the appropriate time as regulated by the US Congress and kept accurate by the National Institute of Standards and Technology and the US Naval Observatory, I get into my National Highway Traffic Safety Administration approved automobile and set out to work on the roads built by the local, state, and federal Departments of Transportation, possibly stopping to purchase additional fuel of a quality level determined by the Environmental Protection Agency, using legal tender issued by the Federal Reserve Bank. On the way out the door I deposit any mail I have to be sent out via the US Postal Service and drop the kids off at the public school. Then, after spending another day not being maimed or killed at work thanks to the workplace regulations imposed by the Department of Labor and the Occupational Safety and Health Administration, I drive back to my house which has not burned down in my absence because of the state and local building codes and the fire marshal's inspection, and which has not been plundered of all its valuables thanks to the local police department. I then log onto the Internet which was developed by the Defense Advanced Research Projects Administration and post on Slashdot how the government can't do anything right.
"But this one goes to 11!"
I so agree! I've always wanted to print my own currency, but that darn gubermint just stops me all the time! :)
Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)