seleko wrote:It copies MSIE concept of security zones... Not using much CAPS concept that already Mozilla has. It would be right to give user opportunity to configure WHAT site can or can't instead of creating whitelist or blacklist.
It is generally agreed that disabling unneeded software features reduces the attack surface, so the more features that are disabled, the less attack surface there is. Of course, reducing the attack surface is a good thing, even for trusted sites.
In terms of NoScript, I want to be able to minimize my attack surface, even for trusted sites. In other words, I would like some method assign different options on different websites.
One way to accomplish this would be to allow the user to define and name multiple sets of NoScript trust options, then allow the user to assign websites to one of those named option sets. This would allow him to pick a level of trust from a manageable number of choices.
NoScript could come with some example option sets, perhaps three options sets:
1. Unknown: Everything disabled (Unknown sites assigned to this set of options, by default)
2. Known: Many features disabled. (Many web sites should work, but with reduced risk)
3. Trusted: Most features enabled. (Only very trusted sites should be assigned to level)
The user could modify or delete these sets of options. Or he could create more.
From a practical viewpoint, trust is not simply black or white. There are many levels of trust. My trust in someone is based on more than whether they are easily identifiable and reachable and on more than whether or not I could sue them. The same goes for a web site. Some web sites should clearly not be trusted,
and should be on everyone’s black list.
Some sites can be totally trusted and can be put on your white list.
However, most sites are somewhere in between.
Grumpy Old Lady wrote:...Certainly plugin whitelisting is not as finely controllable. I would say that many particular site requirements for plugin whitelisting could be met by a user creating a profile for this kind of whitelisting.
donwms wrote:Grumpy Old Lady wrote:...Certainly plugin whitelisting is not as finely controllable. I would say that many particular site requirements for plugin whitelisting could be met by a user creating a profile for this kind of whitelisting.
Sorry, I rambled on and on in my previous post. I should have simply said that it would be very nice to have a site list which could be used to select a trust profile.
I agree that by using temporary trust and context menus you could approximate my suggestion. However, frequently I close applications that I not using, otherwise I get too many applications going at the same time and my system bogs down or I bog down trying to keep track of them. So my temporary trust assignments would disappear many times a day.
P.S. As you add more and more options to any program, it becomes easier for others to find a bug that they can exploit. Adding more options to a security program like NoScript increases its attack surface; therefore one has to carefully weigh the benefits of the new options against the potential threats.
donwms wrote:On the PC platform, I do not have an equivalent environment available. How do you avoid the temptation to use TA on the cool new website that your best buddy found yesterday?
donwms wrote:While prevention is good, I would like notification as well.
Sandboxie protects your system's integrity from malware without having to evaluate it
Users browsing this forum: No registered users and 4 guests