After updating noscript from an older to the current version 2.9.0.11, access to the whitelisted URL fails, since the browser forces a connect to the SSL port via https which is not requested and not possible with several URL targets (e. g. device administration interfaces). Non-SSL connects to these whitelisted URLs is not possible any more. As soon as the affected URL is deleted from the whitelist, access to that URL without SSL is possible again. Only workaround seems to be to disable the whitelist.
As I do not see a relation between the scripting-oriented whitelisting of domains and the SSL access to these domains, nor an option to toggle this, I assume it a bug and kindly ask for a fix. Thanks
Noscript breaks access to whitelist entries by forcing SSL
Noscript breaks access to whitelist entries by forcing SSL
Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0 SeaMonkey/2.40
Re: Noscript breaks access to whitelist entries by forcing S
about:config > set noscript.httpsDefWhitelist to false
enjoy the insecure connections
(ok yeah, i run with that disabled all the time...)
You are not the only user reporting such breakage. Can you please post which URLs you're visiting that are broken by httpsDefWhitelist?
enjoy the insecure connections
(ok yeah, i run with that disabled all the time...)
You are not the only user reporting such breakage. Can you please post which URLs you're visiting that are broken by httpsDefWhitelist?
*Always* check the changelogs BEFORE updating that important software!
-
Re: Noscript breaks access to whitelist entries by forcing S
This thread is a little "dead" but I feel that some enlightenment is required.
until I had a run-in with not being able to connect to a site. Though, once I became aware
I am amazed at how great a tool NoScript really is.
Onto the subject of SSL. When connecting through HTTPS two things are occurring,
one is verifying the identity of who your talking to and the second is encrypting the
communication. The important bit for NoScript is verifying the identity. Let's look
at an example.
Alice wants to talk to Bob, so she sends out a request to talk and ask for encryption.
Bob accepts and sends back his information. Alice verifies the identity information
Bob sent back and if it matches Bob's they start talking.
Now, again, without identification, Alice wants to talk to Bob, so she sends out a
request to talk and asks for encryption. Evil-Man sees this request and sends out
a response claiming to be Bob. Without any identity verification Alice will think
she's talking to Bob, but Evil-Man is actually receiving the data. This makes having
encryption pretty useless.
How does this apply to NoScript? Well, when you whitelist a script you're, presumably,
saying that "Script-A.js from example.com is safe and I want to run it" (doing all the
safety checks and whatnot). Without HTTPS / SSL then Evil-Man can send his own
version of Script-A.js claiming to be from example.com. From your end it looks like
Script-A.js was received from example.com and therefore NoScript will allow it to
run. You are now running Evil-Man's code.
--
Now, one thing I can think of to help mitigate this issue is to store a checksum for
each allowed script. That way if the received Script-A.js is different from the one
that was allowed the user can be notified and asked to reallow.
I don't know if NoScript implements checksumming. Although, it's key to remember
that checksums are not free, it'd introduce overhead.
Whitelisting and SSL have a very important relationship. I wasn't aware of this featurebugzillus wrote:As I do not see a relation between the scripting-oriented whitelisting of domains and the SSL access to these domains, nor an option to toggle this, I assume it a bug and kindly ask for a fix. Thanks
until I had a run-in with not being able to connect to a site. Though, once I became aware
I am amazed at how great a tool NoScript really is.
Onto the subject of SSL. When connecting through HTTPS two things are occurring,
one is verifying the identity of who your talking to and the second is encrypting the
communication. The important bit for NoScript is verifying the identity. Let's look
at an example.
Alice wants to talk to Bob, so she sends out a request to talk and ask for encryption.
Bob accepts and sends back his information. Alice verifies the identity information
Bob sent back and if it matches Bob's they start talking.
Now, again, without identification, Alice wants to talk to Bob, so she sends out a
request to talk and asks for encryption. Evil-Man sees this request and sends out
a response claiming to be Bob. Without any identity verification Alice will think
she's talking to Bob, but Evil-Man is actually receiving the data. This makes having
encryption pretty useless.
How does this apply to NoScript? Well, when you whitelist a script you're, presumably,
saying that "Script-A.js from example.com is safe and I want to run it" (doing all the
safety checks and whatnot). Without HTTPS / SSL then Evil-Man can send his own
version of Script-A.js claiming to be from example.com. From your end it looks like
Script-A.js was received from example.com and therefore NoScript will allow it to
run. You are now running Evil-Man's code.
--
Now, one thing I can think of to help mitigate this issue is to store a checksum for
each allowed script. That way if the received Script-A.js is different from the one
that was allowed the user can be notified and asked to reallow.
I don't know if NoScript implements checksumming. Although, it's key to remember
that checksums are not free, it'd introduce overhead.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Re: Noscript breaks access to whitelist entries by forcing S
NoScript doesn't do checksumming, the reasons has been discussed before:SxDerp wrote:Now, one thing I can think of to help mitigate this issue is to store a checksum for
each allowed script. That way if the received Script-A.js is different from the one
that was allowed the user can be notified and asked to reallow.
I don't know if NoScript implements checksumming. Although, it's key to remember
that checksums are not free, it'd introduce overhead.
viewtopic.php?f=8&t=17045
viewtopic.php?f=10&t=17874
*Always* check the changelogs BEFORE updating that important software!
-
Re: Noscript breaks access to whitelist entries by forcing S
In NS 2.9.0.14 in Fx 49 Win (Firefox, not TBB), this seems to recently started breaking sites .
My circumstances are a bit different than OP's.
When OP said, "access to whitelisted sites," I assume some sites that failed were user added?
For me, NS seems to force https for all sites not supporting https, as soon as I click "temporarily allow" the base domain.
It reloads the page & switches to https - which fails.
The sites are not in my whitelist (Options / Whitelist) & scripts are blocked globally.
In Firefox, setting "noscript.httpsDefWhitelist" pref to false solved the problem (for now).
Note: In Tor Browser, "noscript.httpsDefWhitelist" is True, and it doesn't force https on non whitelisted sites (they work OK).
If the bug was fixed, this pref shouldn't affect sites not in whitelist(s) - correct? But it is affecting non-whitelisted sites.
I uninstalled & reinstalled NS - no change yet. I didn't try a new profile, yet - as this just started.
I disabled all other addons - to test, but sometimes that's not sufficient to fix a problem.
My circumstances are a bit different than OP's.
When OP said, "access to whitelisted sites," I assume some sites that failed were user added?
For me, NS seems to force https for all sites not supporting https, as soon as I click "temporarily allow" the base domain.
It reloads the page & switches to https - which fails.
The sites are not in my whitelist (Options / Whitelist) & scripts are blocked globally.
In Firefox, setting "noscript.httpsDefWhitelist" pref to false solved the problem (for now).
Note: In Tor Browser, "noscript.httpsDefWhitelist" is True, and it doesn't force https on non whitelisted sites (they work OK).
If the bug was fixed, this pref shouldn't affect sites not in whitelist(s) - correct? But it is affecting non-whitelisted sites.
I uninstalled & reinstalled NS - no change yet. I didn't try a new profile, yet - as this just started.
I disabled all other addons - to test, but sometimes that's not sufficient to fix a problem.
-
Re: Noscript breaks access to whitelist entries by forcing S
Have anything in NoScript Options | Advanced | HTTPS -> Behavior?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 SeaMonkey/2.40