ScriptNo; NoScript Clone?

General discussion about the NoScript extension for Firefox

Re: ScriptNo; NoScript Clone?

Postby GµårÐïåñ » Fri Apr 13, 2012 2:43 am

They rely on superficial and insecure methodologies to perform what they claim echoing a false sense of function and security. There is no API or core browser functionality that they are leveraging to perform the task. While NoScript rightly waited until something resembling a worthwhile API was created to POSSIBLY accommodate its awesome power. Hence why currently in Alpha/POC phase to see if the newly created API are sufficiently powerful and granular enough to give a NoScript port for Chrome the same bang as the original. Doubtful that will ever be true on Chrome, but its a start and being worked on by Giorgio. We'll see how it turns out.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
[ Major's Blog ] .:. [ Security Pack ] .:. [ Productivity ]
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.140 Safari/535.19 Comodo_Dragon/18.0.3.0
User avatar
GµårÐïåñ
Lieutenant Colonel
 
Posts: 2918
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: ScriptNo; NoScript Clone?

Postby Tom T. » Fri Apr 13, 2012 7:23 am

NoScript has been many times recommended by US-CERT, the operational arm of the National Cyber Security Division (NCSD) at the United States Department of Homeland Security (DHS).

For fun, go to http://www.us-cert.gov/
and search for NoScript. Here is the first page of 151 results.

US-CERT Vulnerability Note VU#441529 - Mozilla Firefox JavaScript ...
... Use NoScript Using the Mozilla Firefox NoScript extension to whitelist web sites
that can run scripts and access installed plugins will mitigate this ...
www.kb.cert.org/vuls/id/441529 - 13k

US-CERT Vulnerability Note VU#758769 - Adobe Flash Player ...
... Consider using the NoScript extension to whitelist web sites that can run Flash
in Mozilla browsers such as Firefox. See the NoScript FAQ for more information. ...
www.kb.cert.org/vuls/id/758769 - 16k
[ More results from www.kb.cert.org/vuls/id ]

US-CERT Vulnerability Note VU#395473 - Adobe Flash player code ...
... Workarounds for users running Mozilla-based browsers: Using the Mozilla Firefox
NoScript extension to whitelist websites that can run scripts and access ...
www.kb.cert.org/CERT_WEB/services/vul-n ... enDocument - 18k

US-CERT Vulnerability Note VU#751808 - Apple QuickTime remote ...
... Using the NoScript Firefox extension to whitelist web sites that can run scripts
and access installed plugins will mitigate this vulnerability. ...
www.kb.cert.org/CERT_WEB/services/vul-n ... enDocument - 17k

US-CERT Alert TA08-087A -Mozilla Updates for Multiple ...
... 9. Disable JavaScript. Some of these vulnerabilities can be mitigated by
disabling JavaScript or by using the NoScript extension. ...
www.us-cert.gov/cas/techalerts/TA08-087A.html - 12k

US-CERT Alert TA07-199A -Mozilla Updates for Multiple ...
... page. Disable JavaScript. Some of these vulnerabilities can be mitigated
by disabling JavaScript or using the NoScript extension. ...
www.us-cert.gov/cas/techalerts/TA07-199A.html - 12k
[ More results from www.us-cert.gov/cas/techalerts ]

US-CERT Vulnerability Note VU#159523 - Adobe Flash Player integer ...
... Consider using the NoScript extension to whitelist web sites that can run Flash
in Mozilla browsers such as Firefox. See the NoScript FAQ for more information. ...
www.kb.cert.org/CERT_WEB/services/vul-n ... enDocument - 14k

US-CERT Vulnerability Note VU#443060 - Mozilla Firefox 3.5 ...
... Use NoScript Using the Mozilla Firefox NoScript extension to whitelist web sites
that can run scripts will help to mitigate this vulnerability. ...
www.kb.cert.org/CERT_WEB/services/vul-n ... enDocument - 15k

US-CERT Vulnerability Note VU#466433 - Web sites may transmit ...
... The NoScript Firefox extension may mitigate these types of vulnerabilities by forcing
specified websites to use HTTPs
and by setting the secure attribute on ...
www.kb.cert.org/CERT_WEB/services/vul-n ... enDocument - 20k

US-CERT Current Actvity Archive
... Users should consider disabling JavaScript and using the NoScript Add-on as
workarounds until a fix is released by the vendor
. Additional ...
www.us-cert.gov/current/archive/2010/10/27/archive.html - 28k


Enjoy browsing the rest of the recommendations by the US Government's cybersecurity agency. :)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ScriptNo; NoScript Clone?

Postby Giorgio Maone » Fri Apr 13, 2012 8:32 am

esheesle wrote:Think you missed my spelling, I was saying scriptno vs notscripts. I was in no way saying either was remotely comparable to noscript. I love noscript for firefox and would love to see it in chrome, and still hope the chrome security team opens up the necessary hooks for you. You mentioned earlier in this thread that scriptno was less secure than notscript (both of which are worse than noscript).


Sorry for my misplaced rant, I actually misread "Notscripts" for "NoScript" (and this makes me wonder how many people gets confused, something I probably underestimated so far).

However, in my reply I wrote
Giorgio Maone wrote:I did look both at the NotScripts and at the ScriptNo code, and while the latter is slightly better than the former (which is outright broken)

In facts, recent ScriptNo versions take advantage of latest Chrome APIs to block inline scripts, while last time I checked NotScripts was unable to perform this very basic task for a script blocker, so while I can't recommend any of them, I surely advice more strongly against NotScripts.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
User avatar
Giorgio Maone
Site Admin
 
Posts: 7325
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: ScriptNo; NoScript Clone?

Postby Tom T. » Fri Apr 13, 2012 8:43 am

Giorgio Maone wrote:Sorry for my misplaced rant, I actually misread "Notscripts" for "NoScript" (and this makes me wonder how many people gets confused, something I probably underestimated so far).

Exactly.

Which is why, earlier in this thread, I wrote:
Tom T. wrote:I don't know the law in the EU, or whether it's worth your trouble. But the NS site has at the bottom, "Copyright © 2004-2011 InformAction - All rights reserved".

So under US law, you have a trademark right to the name "NoScript", and I think any reasonable Court would find that "ScriptNo" could easily be confusing to the public, and an illegitimate attempt to capitalize on your reputation, user base, and goodwill. They would then issue an injunction prohibiting the use of the name "ScriptNo", probably award you court costs, attorney fees, etc. It would be more difficult to prove monetary damages, since the product is free and donation-supported, unless there were a sudden drop-off in donations that correlates to the release of ScriptNo. But at least they'd have to come up with a more original name, like maybe "ScriptBlock" or something else not so close to NoScript.

Again, not sure it's worth the trouble of hiring a US attorney, and don't know EU law, but just mentioning that it's a pretty solid case. Same goes for "NotScript" -- too close to yours.

Perhaps MZ would help a little there, by requiring other alleged script-blocking add-ons to choose names less similar to NoScript?
Have you asked?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ScriptNo; NoScript Clone?

Postby esheesle » Fri Apr 13, 2012 11:09 am

Thanks for the explanation and sorry for the confusion. Cant wait for a true noscript for chrome(and dolphin mobile hopefully)
Mozilla/5.0 (Linux; U; Android 2.3.4; en-us; ADR6425LVW Build/GRJ22) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
esheesle
 
Posts: 4
Joined: Fri Aug 20, 2010 3:44 pm

Re: ScriptNo; NoScript Clone?

Postby lipsin » Mon Apr 16, 2012 1:48 am

Current Scriptno got 1 strangest (maybe serious) bugs.

On a fresh chrome + fresh scriptno.
Code: Select all
http://www.isjavascriptenabled.com/

Paste into URL bar
Image
Reload
Image
Observe this behaviour on quite a number of site.

2nd if temporaly allowed top level domain, sometimes some 3rd party script also pull in simultaneously.

Noscript obviously does not have this problem.

Chrome + NOTscript also does not have this behaviour.

Latest Scriptno with webrequest api got this behaviour.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20100101 Firefox/12.0
lipsin
 
Posts: 2
Joined: Mon Apr 16, 2012 1:15 am

Re: ScriptNo; NoScript Clone?

Postby Tom T. » Mon Apr 16, 2012 2:29 am

lipsin wrote:Current Scriptno got 1 strangest (maybe serious) bugs.

On a fresh chrome + fresh scriptno.
Code: Select all
http://www.isjavascriptenabled.com/

Paste into URL bar

Reload

Observe this behaviour on quite a number of site.

That's terrible. It sounds as if reloading the page is allowing the script. That's not a bug, it's a broken product.

2nd if temporaly allowed top level domain, sometimes some 3rd party script also pull in simultaneously.

The same. Useless.
Noscript obviously does not have this problem.

Chrome + NOTscript also does not have this behaviour.

Latest Scriptno with webrequest api got this behaviour.

I wish that other products were forbidden to use confusing names that sound like NoScript.

"A false sense of security is worse than no security at all."

Perhaps you could post your results in a review of ScriptNo, and at Chrome sites? Users should know how flawed the product is.

Thanks for the information.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ScriptNo; NoScript Clone?

Postby Giorgio Maone » Mon Apr 16, 2012 7:53 am

lipsin wrote:Current Scriptno got 1 strangest (maybe serious) bugs.

On a fresh chrome + fresh scriptno.
Code: Select all
http://www.isjavascriptenabled.com/

Paste into URL bar
Image
[...]
2nd if temporaly allowed top level domain, sometimes some 3rd party script also pull in simultaneously.

Noscript obviously does not have this problem.

Chrome + NOTscript also does not have this behaviour.

Latest Scriptno with webrequest api got this behaviour.


It sounds really bad: ScriptNo for Chrome can't protect you when you really need it most, i.e. when visiting an unknown website for the first time.

Regarding NotScripts, while it's not affected by the same bug, it's useless as well: try to visit this page, which exposes NotScripts for Chrome's inability to block inline scripts.

Yet another proof that the current "NoScript-like" extensions for Chrome offer their users a very dangerous false sense of security.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
User avatar
Giorgio Maone
Site Admin
 
Posts: 7325
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: ScriptNo; NoScript Clone?

Postby lipsin » Mon Apr 16, 2012 9:28 am

Approach the developer on twitter quite a while ago.

Reply "Will look into it soon."

Maybe should send another mail with detail now.

My reaction is the same like you guy. Total deal breaker, no way the version can be use at all if this is true.

***

NOTscript got their own set of trouble.

1) Like Giorgio said, it doesn't block inline script. (Developer did admit that limitation)

2) Won't work correctly with 3rd party cookies blocked.

3) Abandonware (Developer maybe moveon to opera, but that also seem abandon)

4) As usual bugs here and there. (since basically developer abandon it)

5) Can't match noscript robustness even in core feature "Block Script"

***

The only things keep me on Firefox is a true "NOSCRIPT".

Chrome missing piece.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20100101 Firefox/12.0
lipsin
 
Posts: 2
Joined: Mon Apr 16, 2012 1:15 am

Re: ScriptNo; NoScript Clone?

Postby GµårÐïåñ » Tue Apr 17, 2012 4:19 am

Giorgio Maone wrote:Sorry for my misplaced rant, I actually misread "Notscripts" for "NoScript" (and this makes me wonder how many people gets confused, something I probably underestimated so far).

If you recall Giorgio, this was EXACTLY why I was upset and urged to nip it in the bud when we first discovered it but everyone, including you thought people can tell the difference, similarities are disallowed in branding for this reason. Everyone thought I was overreacting, but I saw this coming.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
[ Major's Blog ] .:. [ Security Pack ] .:. [ Productivity ]
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.152 Safari/535.19 Comodo_Dragon/18.1.2.0
User avatar
GµårÐïåñ
Lieutenant Colonel
 
Posts: 2918
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: ScriptNo; NoScript Clone?

Postby GµårÐïåñ » Tue Apr 17, 2012 4:23 am

lipsin wrote:Current Scriptno got 1 strangest (maybe serious) bugs.

Observe this behaviour on quite a number of site.

2nd if temporaly allowed top level domain, sometimes some 3rd party script also pull in simultaneously.

Noscript obviously does not have this problem.

Chrome + NOTscript also does not have this behaviour.

Latest Scriptno with webrequest api got this behaviour.

I go back to my initial and long ago objection to these tools that provide false sense of security which is as my friend has also said, worse than no security. They are not properly initializing the hook or the API so they are catching after the fact, which is often when the damage is already done. I wear the vest BEFORE I get shot, not after I get shot and put it over the gaping hole.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
[ Major's Blog ] .:. [ Security Pack ] .:. [ Productivity ]
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.152 Safari/535.19 Comodo_Dragon/18.1.2.0
User avatar
GµårÐïåñ
Lieutenant Colonel
 
Posts: 2918
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: ScriptNo; NoScript Clone?

Postby Tom T. » Tue Apr 17, 2012 8:27 am

Giorgio Maone wrote:...Regarding NotScripts, while it's not affected by the same bug, it's useless as well: try to visit this page, which exposes NotScripts for Chrome's inability to block inline scripts....

@ Giorgio:

Sorry, I don't understand the point of the demo. With noscript.net whitelisted, the page shows blank, as does the page source code, on both Fx. 3.6.28 and Fx 11.0.

If there is some script trying to run that NotScripts *should* block, but doesn't, shouldn't allowing the domain let your demo run?

RequestPolicy shows no attempted requests elsewhere, on either version of Fx, so apparently there's no third-party script or plug-in content being called?


GµårÐïåñ wrote:
Giorgio Maone wrote:Sorry for my misplaced rant, I actually misread "Notscripts" for "NoScript" (and this makes me wonder how many people gets confused, something I probably underestimated so far).

If you recall Giorgio, this was EXACTLY why I was upset and urged to nip it in the bud when we first discovered it but everyone, including you thought people can tell the difference, similarities are disallowed in branding for this reason. Everyone thought I was overreacting, but I saw this coming.

(cough)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ScriptNo; NoScript Clone?

Postby Giorgio Maone » Tue Apr 17, 2012 8:43 am

Tom T. wrote:Sorry, I don't understand the point of the demo. With noscript.net whitelisted, the page shows blank, as does the page source code, on both Fx. 3.6.28 and Fx 11.0.

Sorry, I forgot the "t" and "s" in "notscripts.html" (confusion, again), should have been http://noscript.net/misc/notscripts.html
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
User avatar
Giorgio Maone
Site Admin
 
Posts: 7325
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: ScriptNo; NoScript Clone?

Postby Tom T. » Tue Apr 17, 2012 9:31 am

Giorgio Maone wrote:
Tom T. wrote:Sorry, I don't understand the point of the demo. With noscript.net whitelisted, the page shows blank, as does the page source code, on both Fx. 3.6.28 and Fx 11.0.

Sorry, I forgot the "t" and "s" in "notscripts.html" (confusion, again), should have been http://noscript.net/misc/notscripts.html

Thanks, I see the demo now. Very effective!

Can you find a way to publish this where Chrome users would see it?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ScriptNo; NoScript Clone?

Postby Thrawn » Thu May 03, 2012 1:11 pm

I really think that Giorgio should take up the trademark issue here. Maybe taking out the fakes would spur Google to enable the real thing. Cease and desist letter?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (Linux; U; Android 2.2.1; en-gb; GT-S5570 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
User avatar
Thrawn
Senior Member
 
Posts: 1718
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

PreviousNext

Return to NoScript General

Who is online

Users browsing this forum: No registered users and 0 guests