unknown domains - can you tell user if it's 'safe'-ish??

[ljmonk]

Hi. I just started using NoScript. It's very nice.

I searched the forums, etc and can't find much on this...

First let me describe the dilemma: One thing that is annoying is that just about every site I go to has a list of anywhere from 1-10+ different domains seeking access. So, if I 'know' (or feel confident) about a certain site, by default I 'allow' the top domain. I also usually allow those that 'seem' legit. Now, I suppose I could just allow ALL domains that are seeking access (since I feel ok about the main domain). However, there are probably many reasons NOT to do that. For example, if I just want to save resources and speed up page loads I might not allow those domains which 'seem' useless.

So, the question is: Is there a feature (or one in devel) that will give some sort of rating next to the domain name in the NoScript taskbar. I know people might argue that each person has to decide for themselves since it's different for everyone. But, if it's generally known that a certain domain is fairly safe or whatever, why should a user have to either 1) do research to figure that out or 2) just randomly allow it or not? I mean, how is someone to know whether to allow a domain like 'eea112_good'?

For now, I decided to search for each domain on the siteadvisor site (hope that one is safe!! )

What's the story glory??

[Giorgio Maone]

For now you can use WOT.
However a "Show info about these sites" command is under development.

[ljmonk]

Thanks for the quick response!

So, you recommend WOT over siteadvisor ? Is it more trustworthy?

Thanks again! J

[Giorgio Maone]

So, you recommend WOT over siteadvisor ? Is it more trustworthy?

Yes, the rating process is more transparent and the Firefox extension better written and compatible.

[Jim Too]

Following up on the use of WOT. Let me use The New York Times web site as an example
In Noscript I have allowed NYTIMES dot COM.
Noscript is blocking several other sites/domains (e.g. DOUBLECLICK dot NET)

On the Noscript popup menu where I can choose to allow these other sites/domains there is no WOT guidance.
So how do I use WOT to decide if I should allow these other sites/domains (I know I can go to the WOT web site and ?
Would it be possible for Noscript to query WOT for these sites/domains and provide WOT information to the user to help them decide what risk is associated with allowing scripts from a particular site/domain.

[Alan Baxter]

I don't want to sidetrack your discussion with Giorgio, the NoScript developer. Your questions and suggestions are good ones, and he will consider them when he has time to develop a NoScript release which includes them. http://forums.informaction.com/viewtopi ... 4722#p4722

Noscript is blocking several other sites/domains (e.g. DOUBLECLICK dot NET)

If I recall correctly, the only site I've needed to Allow for the NY Times site to work correctly is brightcove.com. I've added that to my whitelist. The rest of them are advertisement and tracking scripts. You can safely ignore them.

[GµårÐïåñ]

WOT has its own overlay notification for each site you access and doesn't need to be integrated into NS for it to show you. When you have WOT installed and you go to a site that has a bad reputation, it will cover your whole screen with an overlay complaining about it and giving you a choice to say YOU trust it and go on or temporarily dismiss the screen and let me access the site. Unfortunately since its community based rating, there are ALOT of false positives that get annoying but you can override the false positive with your own rating which will always supersede the community rating.

[ljmonk]

Thanks for all the info everyone. One more thing comes to mind.. Is there a way to control when the notification pops up at the bottom of the browser? I assume it is either turned on or turned off (I also see that I can control how long it stays there).

I guess what I'm getting at is probably not currently implemented, but would be nice - I would like to be able to have the notification pop up only if a domain deemed 'basically essential for basic content/use' is being blocked.

Because, as it is now, the thing pops up on about every page I go to. I don't want to turn it off however, because there is usually at least one domain that I need to unblock when I go to a new site...

Here's an idea-- is there a way to define a list of top-level domains which, when accessed, would not cause the notification to pop up (regardless of whether other domains are being blocked). This way, I could choose (for a given top-level domain) which domains to block and it would no longer pop up every time. This might be the most elegant solution.

Thanks!!
J

[Alan Baxter]

Because, as it is now, the thing pops up on about every page I go to. I don't want to turn it off however, because there is usually at least one domain that I need to unblock when I go to a new site...

Turn it off. That's what most of the rest of us do. The appearance of the status bar icon tells us whether anything is being blocked. A right-click on the status bar icon will give you more detailed information when desired.
http://noscript.net/features#basics

[AlphaCentauri]

If you're visiting a trusted domain like New York Times, it's not a question of safety so much as privacy and annoyance. I want animated news videos but not animated ads. You will tend to learn from experience which domains are required for the content and which are only needed for the ads. You'll also recognize things like akamai often hosts real content and doubleclick is usually only for ads.

It's safe on a site like NYT to give each one a temporary okay and see which ones actually are useful, and you can eventually give a permanent okay to some. It's easy enough to toggle on and off in Noscript.

In general, if there's a video to see or a form to fill out, you're probably going to have to allow javascripts for something.

[Alan Baxter]

It's safe on a site like NYT to give each one a temporary okay and see which ones actually are useful

Not if the site has been hacked. Don't assume a 3rd party script from an unknown site is benign. Check it out in WOT or Site Advisor first.

[AlphaCentauri]

It's safe on a site like NYT to give each one a temporary okay and see which ones actually are useful

Not if the site has been hacked. Don't assume a 3rd party script from an unknown site is benign. Check it out in WOT or Site Advisor first.

Very true, I was just assuming a site as heavily used as NYT wouldn't stay hacked long without being reported, so it's safer than most.

[GµårÐïåñ]

You'd be amazed how often that logic is wrong. Dell was hacked for 3 weeks and they didn't know it and when they found out, they didn't know how to fix it. The only thing they ended up doing was to restore their server to an old copy. My cousin who works in engineering (out of Canada) told me that they are running around like chickens with their head cut off and clueless, so they are going to hire an outside company to come and fix it and train their monkeys to run it. Its sad actually and they never even made a public announcement or notify the many people whose accounts were up for grab.

[AlphaCentauri]

You'd be amazed how often that logic is wrong. Dell was hacked for 3 weeks and they didn't know it and when they found out, they didn't know how to fix it.

I heard about Kaspersky, but I didn't hear about Dell. Yeah, it's pretty depressing. And while I've never tried to find a contact link on Dell's website, I'm guessing they're as firewalled from personal contact from people without support accounts as all the other tech companies. So if their website were distributing malware, it would be hard for a volunteer to alert them to the fact.

[GµårÐïåñ]

You'd be amazed how often that logic is wrong. Dell was hacked for 3 weeks and they didn't know it and when they found out, they didn't know how to fix it.

I heard about Kaspersky, but I didn't hear about Dell. Yeah, it's pretty depressing. And while I've never tried to find a contact link on Dell's website, I'm guessing they're as firewalled from personal contact from people without support accounts as all the other tech companies. So if their website were distributing malware, it would be hard for a volunteer to alert them to the fact.

You would be absolutely correct. They are one of the worst in giving people the runaround and avoiding talking to you. Let me give you an example. My wife has a Dell XPS M1330 and her warranty expired 3 weeks ago and suddenly her video card started acting funny and just died. I ran a test on it and found that it was indeed the nVidia chipset that was bad and further found out that for almost 18 months now they have known about an nVidia GPU issue and internally decided that if anyone bitched they would fix it for an additional 1 year to their warranty, because they knew it was defective and yet used it and sold it. But they never told anyone, didn't issue a recall or service order, did NOT automatically extend the units that were affected or notify their users, finally because of pressure they buried it in a blog post on their community page. Now the funny thing is that if you need to get service under warranty for this, because they didn't attach it to your tag, if you are out of regular warranty, you CANNOT even get to talk to someone online, via email or via phone because it forwards you to their pay support service ONLY. I had to pull string through my engineer contacts in Canada to get a ticket opened for it and she got to talk to someone and get a box sent to her to send it in and have it fixed and it got back just two days ago. Almost 9 days for the whole ordeal to resolve and I had connections, imagine what that would mean to the regular joe public with no one to help them. Worst company EVER (add CBG attitude, thank you comic book guy).