by Tom T. » Tue Oct 06, 2009 7:11 am
roparr2 wrote:
What do these mean:
Clearclick
http://noscript.net/faq#faqsec7 explains, but if it's too much detail, here's the short version:
Bad person puts a button on their site that does something evil (loads spyware in your machine, etc.). "Covers" it with a photo or other graphic, especially a "click here" button that looks reasonable. You click the button you see, but you're really clicking the evil one underneath. NoScript protects you against this without any action on your part. Just leave the default checked (Options > Plugins > ClearClick protection) for both Trusted and Untrusted, since it's possible that a trusted site could have been hacked by Mr. Bad Guy. If you ever get an alert of a Clickjack attempt (ClearClick warning), let us know. Gross over-simplification, but simple enough?
roparr2 wrote:
ABE
Something else you don't have to mess with. Prevents sites and programs on the Web from crossing over their own boundaries into other sites or programs, preventing attacks called Cross-Site Request Forgeries, and also Web sites trying to sneak into your home network and do bad stuff. Advanced users can make their own rules for fine-tuning protections, but this is something else that works silently for you without you having to do anything. If you get an ABE alert, let us know. Again, way over-simplified, but good enough?
roparr2 wrote:
Base 2nd level domains? Full addresses and Full domains. Isn't the same address implied even if I don't type in http:// and www?
Actually, not. noscript.net is the same as http://noscript.net, because your browser automatically adds http://. However, if you type in http://www.noscript.net, you'll find that the address in the browser changes to http://noscript.net. The address of noscript.net does *not* have www in it, but the owner of that site has arranged it so that anyone who types in www. will be "redirected" to the correct address, without the www. This indeed happens automatically.
I can't think of an immediate example, but of the many sites on the web that do NOT have www in their address, it's possible that http://www.example.com would take you to a different place than example.com, especially if an evil person registered the site the opposite way, before the legitimate owner could register both, as noscript.net did with http://www.noscript.net.
BUT
Yahoo.com
mail.yahoo.com
finance.yahoo.com
news.yahoo.com etc.
If you have Base 2nd level domain allowed, you might allow all of yahoo.com. But what if you wish to allow mail.yahoo.com, but not news.yahoo.com?
The full domain address is important because http://www.bankofamerica.com is VERY CRUCIALLY different from https://www.bankofamerica.com. I believe they've fixed this issue now, due to substantial adverse publicity (including from NoScript and its users), but the "s" after http indicates "secure" -- a site whose connection between you and them is encrypted, or encoded, so as to be unreadable to the eyes along the Internet, of which there are many (your Internet Service Provider, the people who work at the "backbone structure" of the Net, etc.). If you entered your login credentials at the http site instead of the https site, you might as well shout them out the window.
Personally, I consider this such a non-issue choice that I just check them all on the Appearance tab. Might as well see all that there is to see about who is trying to do what on my computer. The only time it matters is if you're checking "Temporarily allow top-level sites by default", and this user hates allowing anything by default except that which he's placed in his whitelist, which we've already discussed.
roparr2 wrote:
Yes, I've read the introductory guide and FAQ, but a good deal of the programming terms are strange to me.
You have my sympathy. It isn't always easy explaining complex issues in simple terms, whether it's nuclear power plant management, rocketry, or computing. We try to reach a balance, but we also get complaints from advanced users of being "too condescending". Please feel free to ask about anything else puzzling you, although searching the Web, Wikipedia, and other resources will often help you educate yourself. Computers and the Internet are complicated things; the threats are complicated, and so the defenses are a little complex. Let us know if we can help any more. Cheers!
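The three whitelist granularities discussed in the post above (base 2nd level domain, full domain, full address), as an added example that is not part of the original post and is not NoScript's own code. The function names, the `{ kind, value }` entry format and the short multi-label suffix list are assumptions for illustration; real base-domain detection relies on the Public Suffix List.

```javascript
// Added illustration, not NoScript's code: the three whitelist granularities.
// Assumption: the base domain is the last two labels of the host, or the last
// three when the host ends in one of these constructed multi-label suffixes.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

function granularities(address) {
  const url = new URL(address);
  const host = url.hostname.toLowerCase();
  const labels = host.split(".");
  const keep = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return {
    fullAddress: `${url.protocol}//${host}`,   // scheme + host: http vs https differ
    fullDomain: host,                          // exact host, e.g. mail.yahoo.com
    baseDomain: labels.slice(-keep).join("."), // e.g. yahoo.com, covers all subdomains
  };
}

// Hypothetical entry format: { kind, value }, where kind names one granularity.
function isAllowed(whitelist, address) {
  const g = granularities(address);
  return whitelist.some(({ kind, value }) => g[kind] === value);
}

// Constructed whitelists mirroring the post's examples.
const broad = [{ kind: "baseDomain", value: "yahoo.com" }];
const narrow = [
  { kind: "fullDomain", value: "mail.yahoo.com" },
  { kind: "fullAddress", value: "https://www.bankofamerica.com" },
];

function demo() {
  const pages = [
    "http://mail.yahoo.com/inbox",
    "http://news.yahoo.com/",
    "http://www.bankofamerica.com/login",
    "https://www.bankofamerica.com/login",
  ];
  return pages.map((p) => ({
    page: p,
    broad: isAllowed(broad, p),
    narrow: isAllowed(narrow, p),
  }));
}

console.table(demo());
```

The broad entry admits both Yahoo subdomains, while the narrow list admits only mail.yahoo.com and only the https address of the bank site.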