What am I not protected against?

Ask for help about NoScript, no registration needed to post
OldGrantonian
Posts: 2
Joined: Mon Jul 27, 2009 10:55 am

What am I not protected against?

Post by OldGrantonian » Mon Jul 27, 2009 11:07 am

I want to try NoScript. There is a very impressive FAQ. I intend to study this carefully over the next few weeks.

Here are two quotes from the NOSCRIPT QUICK START GUIDE FOR BEGINNERS

"No configuration is required."

"this is all you need to do to have NoScript start protecting you now!"

So, I have a single question:

If I install NoScript, and accept all the defaults, what am I NOT PROTECTED AGAINST?

Based on the answer to the question, I can pay more attention to setting the options for those threats.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1

Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: What am I not protected against?

Post by Grumpy Old Lady » Mon Jul 27, 2009 12:29 pm

OldGrantonian wrote:

So, I have a single question:

If I install NoScript, and accept all the defaults, what am I NOT PROTECTED AGAINST?

Based on the answer to the question, I can pay more attention to setting the options for those threats.


Well, I'll bite :-)
Yourself is the greatest threat.
The answer depends on what you yourself consider to be a threat. I'm not being flippant here.
This recent thread has a few real-life examples from a respected long-time NS user who likes a fair amount of control of his web experience and who is ready to exchange usability for security if it comes down to that.
viewtopic.php?f=7&t=2110

My own answer would be around the same, except that I've found that the one thing that NS will never protect a user against is FMS syndrome: where a user who is afraid they may miss some content on a page (Fear of Missing Something) hits "Allow" before putting any research into a domain.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1

User avatar
Giorgio Maone
Site Admin
Posts: 9000
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: What am I not protected against?

Post by Giorgio Maone » Mon Jul 27, 2009 12:32 pm

OldGrantonian wrote:If I install NoScript, and accept all the defaults, what am I NOT PROTECTED AGAINST?

What NoScript can't protect you against in its default configuration is basically your own stupidity or carelessness, i.e. marking as trusted a script source which is serving a self-contained browser exploit.

Fortunately, this is quite difficult, unless you use the not recommended "Allow scripts globally (dangerous!)" feature.
Even if a site you trust and you whitelisted gets compromised, you're usually still protected because almost surely (actually in every single case of mass-infection we observed so far) the actual exploit is served by a 3rd party untrusted source, which is much more convenient and easy for the attacker.

Limited attacks to your privacy, such as cookie-based tracking and CSS-based history sniffing, are still possible notwithstanding NoScript. The former is easily handled by any cookie-controlling tool (e.g. CS Lite, the one I use), and the latter can be prevented by setting the layout.css.visited_links_enabled about:config preference to false.

Aside this, there's practically no web-based attack NoScript can't protect you against.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: What am I not protected against?

Post by Tom T. » Mon Jul 27, 2009 12:44 pm

NoScript blocks *all* scripting, all plugins listed on the Options > Plugins tab, (Java, Flash, Silverlight, and others,) and has default protection against clickjacking and cross-site scripting. So you are protected against all of those, at the best present state of the art, until and unless YOU decide to allow any of them, either temporarily at a given site, permanently at a given (trusted) site, or blanket permission (not recommended). For example, on the Plugins tab, if you uncheck "Forbid Flash", then Flash will be allowed *everywhere*. It's better, in my opinion, to allow it only at sites you trust or only on a per-use basis. For example, if I visit YouTube, rather than allow the entire site to run Flash, I click the red NoScript block-logo, or "placeholder", for the particular video I want to watch. Then I'm only exposing myself to one video instead of millions.

On the Advanced/Untrusted tab, I prefer to check everything except "Hide NOSCRIPT elements". There is no need to change anything else in the Advanced, at least until you become very comfortable with NoScript and want to try, e. g., the forced HTTPS for forcing secure sites (banks, etc.) to use secure cookies (and secure logins, for the ones that are very poorly coded).

More information can be found in the FAQ on such advanced features. In the meantime, just use your bank's (credit card company, etc.) secure login page, rather than their home page, to login. For example, instead of logging in from http://www.wachovia.com, bookmark their secure login page, https://onlineservices.wachovia.com/aut ... returnHome. Fortunately, many of these poorly-coded sites have corrected their mistakes due to the negative publicity from the existence of tools like NoScript's Force HTTPS. For example, http://www.wachovia.com is now also secure - you are automatically redirected to https://www.wachovia.com/. This is a good trend.

Please remember that NoScript is *not* an anti-virus program, although it blocks many viruses that are delivered by scripting or plugins. You still need a good AV program and a good firewall. Anti-phishing protection is available through Firefox itself. Safe practices such as not opening spam e-mail, and especially not opening attachments from unknown sources, are still a necessity. And of course, you must only download and install software from sources that you trust. I still scan it with my anti-virus before installing it anyway, in case the site has been compromised.

As the primary author of the Guide, it was my hope to make clear that NoScript "out of the box" provides immediate and complete blocking and protection, and that the user must configure it to do less than that if s/he wishes, rather than having to configure it to protect you. It's already configured that way. If you have any suggestions as to wording, as to how I could make that point more clear, of course I'd appreciate hearing them. And if you have any questions that the FAQ don't answer, and a search of the forum doesn't answer, please feel free to post them. We'll be happy to help.

Thanks for installing NoScript, and welcome to the community of safer browsing!

Edit: I was still composing this lengthy message while Giorgio was posting his. Hopefully, it never hurts to hear from two different sources. ;)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

OldGrantonian
Posts: 2
Joined: Mon Jul 27, 2009 10:55 am

Re: What am I not protected against?

Post by OldGrantonian » Mon Jul 27, 2009 5:30 pm

Thanks to Grumpy Old Lady, Giorgio Maone, and Tom T. for a very thorough list of recommendations :)

I've extracted the quotes I need to get me up and running. The fine tuning can wait till later.

Grumpy Old Lady wrote:Yourself is the greatest threat.


Giorgio Maone wrote:What NoScript can't protect you against in its default configuration is basically your own stupidity or carelessness, i.e. marking as trusted a script source which is serving a self-contained browser exploit.

Fortunately, this is quite difficult, unless you use the not recommended "Allow scripts globally (dangerous!)" feature.


Giorgio Maone wrote:Limited attacks to your privacy, such as cookie-based tracking and CSS-based history sniffing, are still possible
Aside this, there's practically no web-based attack NoScript can't protect you against.


Tom T. wrote:NoScript blocks *all* scripting, all plugins listed on the Options > Plugins tab, (Java, Flash, Silverlight, and others,) and has default protection against clickjacking and cross-site scripting.


Tom T. wrote:just use your bank's (credit card company, etc.) secure login page, rather than their home page, to login.


Tom T. wrote:You still need a good AV program and a good firewall. Anti-phishing protection is available through Firefox itself.


Tom T. wrote:NoScript "out of the box" provides immediate and complete blocking and protection, and that the user must configure it to do less than that if s/he wishes


Once again, thanks for all the help :)
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1

Post Reply