Alan Baxter wrote:
Tom T. wrote:
Also, if you use the Hosts file from http://www.mvps.org/winhelp2002/hosts.htm, you'll be automatically blocked from visiting badscriptingsite.com, which is a pretty good clue not to allow it.
But not being in that hosts file is no evidence that the site is safe. Enumerating Badness is "Dumb Idea" #2. Or maybe I don't know what you're getting at. Surely most users aren't using Sandboxie while deciding what scripts to allow.
Sorry, it's getting late and my reply was rushed.
1) Defense in depth. Not being in Hosts is no proof of benignity (now there's a cool word!), but if it *is* there, end of story.
2) Defense in depth. I guess I'm not most users. Actually, I'm not most people. (I might not be people at all.) But I recently raised my percentage of browsing sandboxed from 80-90% to 100%, when I ran out of reasons not to. (Just finished tweaking Sandboxie.ini to allow NS allow/deny permission changes to penetrate through to prefs.js. The actual site scripts still stay in the sandbox, of course.)
3) Defense in depth. Recently I saw that a certain sw developer had added several new scripts to his site, and while I'm familiar with most of the Net ad agencies, this one was new to me. I wanted to visit and see what their model was, what their sales pitch to site owners was, etc. So I opened a new sandboxed browser and visited, not that I was going to allow it anyway.
4) Finally: defense in depth. Why count on one wall when you can have two, in case there's a crack in one? Several times at the old forum I suggested Sandboxie (pretty much got ignored; hey, I don't get anything if you use it, so no sweat here). Have suggested to MA1 that he look into SB and verify or refute the developer's claims; if true, it seems the NS/SB combination is a virtually bulletproof way to browse. No offense intended to Maone 1.0, or that NS isn't the greatest browse tool in the world. It is, and I would never be without it. But to my surprise, once or twice a year there's a Flash video at YouTube that I actually want to watch, and I don't trust either Flash or YouTube farther than I could throw Hillary Clinton sitting on Rush Limbaugh's shoulders. So after allowing YouTube and ytimg, just click the NS block logo *for only the video I want to watch*, keeping all others disallowed. But in case that one video happens to be evil or have been injected, I still have it in the sandbox.
And *one* of these days, maybe RSnake or Sirdarckat is going to succeed in XSSing one of Giorgio's sites. Sirdarckat tells us that he's hacked NS several times over the years, but always reported privately to Giorgio, and praised Giorgio's prompt response, to wit: "'hours' (or minutes in some cases)". I'd just like a backup for those few minutes, amazing though Giorgio be (I mean that truly, and he knows it).
Yes, I wear two condoms when I have sex, even with myself. I don't know where that hand's been.
G'night!
Edit: (AB:) "Sometimes I'm paranoid about the social engineering danger associated with NoScript Support. How do I know that someone's post of "Please check out this site. I can't get it to work with NoScript" isn't an attempt to get me to load a malicious web page with NoScript disabled."
Perfect time to use Sandboxie.
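The hosts-file point made in the exchange above (a hit in the list means "blocked", a miss means nothing at all), as an added example that is not part of the forum post, of NoScript, or of the MVPS project: a small Python parser for hosts-format block lists whose verdict is deliberately two-valued, "blocked" or "not listed", never "safe". The sample hosts lines and the `.example` names are constructed; the set of sinkhole addresses is an assumption about how such lists are written (0.0.0.0 or 127.0.0.1 pointing known-bad names at nothing), and the loopback-name exclusion is likewise an assumption so that the ordinary `localhost` entry is not mistaken for a block.

```python
"""Parse a hosts-style block list and classify a hostname.

Added example, not code from the forum thread or from the MVPS hosts project.
It demonstrates the asymmetry discussed in the thread: an entry in the hosts
file is a reliable "blocked", while absence from it is only "not listed" and
carries no information about whether the site is safe.
"""
from __future__ import annotations

# Assumption: block lists point bad names at one of these sinkhole addresses.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Assumption: these loopback names are normal mappings, not blocks, even though
# they point at 127.0.0.1.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "local"}

# Constructed sample in hosts format: '#' comments (full-line and inline), one
# address followed by one or more hostnames, blank lines, and one ordinary
# non-blocking mapping. Not the real MVPS data.
SAMPLE_HOSTS = """\
# Constructed sample block list (not the real MVPS file)
127.0.0.1  localhost

0.0.0.0  badscriptingsite.example  www.badscriptingsite.example  # inline comment
0.0.0.0  tracker.adnet.example
192.0.2.10  intranet.example          # a real mapping, not a block
"""


def parse_hosts(text: str) -> dict[str, str]:
    """Return {hostname: address} for every hostname in hosts-format text."""
    mapping: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, including inline ones
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # malformed line: address without a name
        addr, names = fields[0], fields[1:]
        for name in names:                     # one line may list several names
            mapping[name.lower().rstrip(".")] = addr
    return mapping


def blocked_hosts(mapping: dict[str, str]) -> set[str]:
    """Hostnames whose entry points at a sinkhole address (i.e. real blocks)."""
    return {
        host for host, addr in mapping.items()
        if addr in SINKHOLE_ADDRS and host not in LOOPBACK_NAMES
    }


def classify(hostname: str, blocked: set[str]) -> str:
    """'blocked' if the exact name is sinkholed, otherwise 'not listed'.

    Two caveats a practitioner should keep in mind:
    - hosts files match exact names only, so a listed parent domain does not
      cover its subdomains (cdn.badscriptingsite.example stays unlisted even
      though badscriptingsite.example is blocked);
    - 'not listed' is not 'safe': the file enumerates known-bad names, so a
      miss says nothing about the site.
    """
    host = hostname.lower().rstrip(".")
    return "blocked" if host in blocked else "not listed"


if __name__ == "__main__":
    blocked = blocked_hosts(parse_hosts(SAMPLE_HOSTS))
    for name in ("badscriptingsite.example", "cdn.badscriptingsite.example",
                 "intranet.example", "unknown.example"):
        print(f"{name:32} {classify(name, blocked)}")
```

Running the file prints the verdict for each sample name; the two "not listed" results for `cdn.badscriptingsite.example` and `unknown.example` are the point of the example, since neither outcome tells you anything about the site, which is exactly why a second layer such as a sandbox is still worth having.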