How to decide: safe or unsafe?

roparr2

How to decide: safe or unsafe?

Post by roparr2 » Mon Oct 05, 2009 1:39 am

Win XP Pro SP3
FF 3.5.3
Noscript 1.9.9.0.1
=====================

Just downloaded NS last night. I know nothing about programming, but I'm aware of the possible misuse of Javascript. In between the really safe sites, like the NY Times, and obviously sleazy sites, I don't really know how to decide if a site is safe. Also, all the options in the right-click menu are confusing.

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: How to decide: safe or unsafe?

Post by Alan Baxter » Mon Oct 05, 2009 2:05 am

roparr2 wrote: In between the really safe sites, like the NY Times, and obviously sleazy sites, I don't really know how to decide if a site is safe.

It's not a trivial decision. Since potentially any site can be hacked, there's always a risk associated with allowing javascript or other active content, even on "really safe sites". That said, I only allow JavaScript when it's necessary to get a site to display properly or access any of its features that I need. And then only for mainstream sites that I've navigated to myself. I don't allow JavaScript or any other active content for unfamiliar sites unless I'm running Firefox in Sandboxie. I also make sure Windows and Firefox are always up-to-date with the most current security patches.

Be sure to read NOSCRIPT QUICK START GUIDE FOR BEGINNERS.

roparr2 wrote: Also, all the options in the right-click menu are confusing.

You may find answers to some of your questions on http://noscript.net/. Pay particular attention to the "what is it?", features, and faq pages. Feel free to post back here whenever you have more specific questions. Hope this helps.

Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: How to decide: safe or unsafe?

Post by Grumpy Old Lady » Mon Oct 05, 2009 8:59 am

For a more optimistic view, be aware that even if you don't block Javascript or any plugin content on any web page, NoScript keeps protecting your Firefox from most of the current Javascript exploits without your having to change anything - and, more importantly, NoScript is pre-arming Firefox to protect you from those that haven't been set loose on the web yet.

Alan's advice is good, but even in a sandbox, your browsing session can be compromised with Javascript exploits.
For a quick fix, the "Temporarily Allow All this Page" on sites that you have a fair guess are OK enough is useful, but before allowing Javascript on them, carefully look up what Javascript and plugin "exploits" (good search term) might be targeting sites where you have to enter credentials that you don't want others to use. Examples of this kind of site range from social networking ones like Facebook and Twitter through ecommerce sites like Amazon and ebay to financial management sites like ------- Your Bank.

You may also be interested in what ways Javascript is used by advertisers and web service providers on web sites to collect information that you consider to be privacy compromising and consequently "unsafe". That's where your search skills, using the domains listed on a site's NoScript menu can help you to decide which domains, other than the main one, you want to allow to run scripts. Or even if you want to give the main domain any of your browsing details :-)
Nobody in here can be the ultimate authority about what domains are safe or unsafe; NoScript gives you the tools to act after you've made those decisions yourself.
If you're interested in deepening your security understanding a little, there are some interesting threads in the NoScript Security forum here that could be a springboard for your research.
viewforum.php?f=19

roparr2

Re: How to decide: safe or unsafe?

Post by roparr2 » Mon Oct 05, 2009 11:24 pm

Thanks. It looks like a lot of it is done by the program itself.

Interestingly, when I open the 2 ads at the top of the developer's page, I get blocked scripts.
http://noscript.net/faq.
Isn't that an oxymoron?

Why are so few sites in the default whitelist, with so many millions on the web?

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: How to decide: safe or unsafe?

Post by Alan Baxter » Tue Oct 06, 2009 3:43 am

roparr2 wrote: Interestingly, when I open the 2 ads at the top of the developer's page, I get blocked scripts.
http://noscript.net/faq.
Isn't that an oxymoron?

You clicked on the ads! :shock: Never click on ads unless you're sure where they go. Better yet, never click on ads, period. (Obviously the developer doesn't share my sentiment.)

roparr2 wrote: Why are so few sites in the default whitelist, with so many millions on the web?

It limits the attack surface to sites the user chooses to trust.

roparr2

Re: How to decide: safe or unsafe?

Post by roparr2 » Tue Oct 06, 2009 5:06 am

"You clicked on ads." :roll:

I have Clipmate. I can right-click a link and see where it points first. :o

So the developer trusts only about 12 or 15 sites on the entire web, including his own 2, yet he has ads on his own site with scripts that have to be stopped? Uhhh...

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: How to decide: safe or unsafe?

Post by Tom T. » Tue Oct 06, 2009 5:52 am

The idea is for you to build your own whitelist. I personally delete some of the ones the developer puts in. :twisted:

For this user and support team member, it's on a "need" basis: If the function you need at a site does not require scripting, then there is no need to allow it or whitelist it, even if you trust it completely. I like to keep the whitelist as small as possible.

You can also "temporarily allow" sites you don't intend to visit frequently.

My whitelist has about 40 entries, mostly banks and financial companies, my e-mail provider, and certain government sites and services that I use regularly.

It's not the developer's place to decide which of all of those millions of sites is trustworthy, even if he had time. What he did was provide you the tools so that after you made that decision, you could enforce it. The only reason some of those sites were placed there by default was to prevent 20 million Yahoo mail users from posting problems with their mail, etc.

The material you were pointed to should help make those decisions. If you have any other questions, or questions about specific sites, of course we'll try to help.
Cheers.

roparr2

Re: How to decide: safe or unsafe?

Post by roparr2 » Tue Oct 06, 2009 5:57 am

Maybe we'd better go on to the program itself. :mrgreen: I can take up the other problem with Mr. Maone at one of his own trusted sites.

What do these mean:
Clearclick
ABE
Base 2nd level domains? Full addresses and Full domains
Isn't the same address implied even if I don't type in http:// and www?

Yes, I've read the introductory guide and FAQ, but a good deal of the programming terms are strange to me.

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: How to decide: safe or unsafe?

Post by Tom T. » Tue Oct 06, 2009 7:11 am

roparr2 wrote: What do these mean:
Clearclick

http://noscript.net/faq#faqsec7 explains, but if it's too much detail, here's the short version:
Bad person puts a button on their site that does something evil (loads spyware in your machine, etc.). "Covers" it with a photo or other graphic, especially a "click here" button that looks reasonable. You click the button you see, but you're really clicking the evil one underneath. NoScript protects you against this without any action on your part. Just leave the default checked (Options > Plugins > ClearClick protection) for both Trusted and Untrusted, since it's possible that a trusted site could have been hacked by Mr. Bad Guy. If you ever get an alert of a Clickjack attempt (ClearClick warning), let us know. Gross over-simplification, but simple enough?

roparr2 wrote: ABE

Something else you don't have to mess with. Prevents sites and programs on the Web from crossing over their own boundaries into other sites or programs, preventing attacks called Cross-Site Request Forgeries, and also Web sites trying to sneak into your home network and do bad stuff. Advanced users can make their own rules for fine-tuning protections, but this is something else that works silently for you without you having to do anything. If you get an ABE alert, let us know. Again, way over-simplified, but good enough?

roparr2 wrote: Base 2nd level domains? Full addresses and Full domains. Isn't the same address implied even if I don't type in http:// and www?

Actually, not. noscript.net is the same as http://noscript.net, because your browser automatically adds http://. However, if you type in http://www.noscript.net, you'll find that the address in the browser changes to http://noscript.net. The address of noscript.net does *not* have www in it, but the owner of that site has arranged it so that anyone who types in www. will be "redirected" to the correct address, without the www. This indeed happens automatically.
I can't think of an immediate example, but of the many sites on the web that do NOT have www in their address, it's possible that http://www.example.com would take you to a different place than example.com, especially if an evil person registered the site the opposite way, before the legitimate owner could register both, as noscript.net did with http://www.noscript.net.

BUT
Yahoo.com
mail.yahoo.com
finance.yahoo.com
news.yahoo.com etc.

If you have Base 2nd level domain allowed, you might allow all of yahoo.com. But what if you wish to allow mail.yahoo.com, but not news.yahoo.com?

The full domain address is important because http://www.bankofamerica.com is VERY CRUCIALLY different from https://www.bankofamerica.com. I believe they've fixed this issue now, due to substantial adverse publicity (including from NoScript and its users), but the "s" after http indicates "secure" -- a site whose connection between you and them is encrypted, or encoded, so as to be unreadable to the eyes along the Internet, of which there are many (your Internet Service Provider, the people who work at the "backbone structure" of the Net, etc.). If you entered your login credentials at the http site instead of the https site, you might as well shout them out the window.

Personally, I consider this such a non-issue choice that I just check them all on the Appearance tab. Might as well see all that there is to see about who is trying to do what on my computer. The only time it matters is if you're checking "Temporarily allow top-level sites by default", and this user hates allowing anything by default except that which he's placed in his whitelist, which we've already discussed.

roparr2 wrote: Yes, I've read the introductory guide and FAQ, but a good deal of the programming terms are strange to me.

You have my sympathy. It isn't always easy explaining complex issues in simple terms, whether it's nuclear power plant management, rocketry, or computing. We try to reach a balance, but we also get complaints from advanced users of being "too condescending". Please feel free to ask about anything else puzzling you, although searching the Web, Wikipedia, and other resources will often help you educate yourself. Computers and the Internet are complicated things; the threats are complicated, and so the defenses are a little complex. Let us know if we can help any more. Cheers!
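
Added example (not part of the thread and not NoScript's own code): a simplified model of the three granularities discussed in the post above, showing why a "base 2nd level domain" entry covers more than a "full domain" entry, and why a "full address" entry separates http from https. The function names, the tiny suffix set and the matching rule for bare-domain entries are assumptions made for illustration; real base-domain detection needs the Public Suffix List.

```javascript
// Simplified model of whitelist granularity (illustration only).
// Constructed sample of two-label public suffixes; a real implementation
// would consult the full Public Suffix List instead.
const TWO_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// Break a URL into the three forms a per-site permission menu can offer.
function granularities(url) {
  const u = new URL(url);
  const labels = u.hostname.split(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = TWO_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return {
    fullAddress: `${u.protocol}//${u.hostname}`, // scheme + host
    fullDomain: u.hostname,                      // host only, any scheme
    baseDomain: labels.slice(-keep).join("."),   // e.g. yahoo.com
  };
}

// Model assumption: an entry with a scheme matches only that exact
// scheme and host; a bare-domain entry matches that host and anything
// beneath it, over any scheme.
function isAllowed(url, whitelist) {
  const g = granularities(url);
  return whitelist.some((entry) => {
    if (entry.includes("://")) return entry === g.fullAddress;
    return g.fullDomain === entry || g.fullDomain.endsWith("." + entry);
  });
}

// Constructed sample URLs taken from the hosts named in the thread.
function demo() {
  return {
    // Base domain entry: every yahoo.com host is covered.
    newsViaBase: isAllowed("http://news.yahoo.com/", ["yahoo.com"]),
    // Full domain entry: mail is covered, news is not.
    mailViaFull: isAllowed("http://mail.yahoo.com/", ["mail.yahoo.com"]),
    newsViaFull: isAllowed("http://news.yahoo.com/", ["mail.yahoo.com"]),
    // Full address entry: only the https origin is covered.
    bankHttps: isAllowed("https://www.bankofamerica.com/login",
                         ["https://www.bankofamerica.com"]),
    bankHttp: isAllowed("http://www.bankofamerica.com/login",
                        ["https://www.bankofamerica.com"]),
  };
}

console.log(granularities("https://mail.yahoo.com/inbox"), demo());
```
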

roparr2
Posts: 6
Joined: Tue Oct 06, 2009 6:01 am

Re: How to decide: safe or unsafe?

Post by roparr2 » Wed Oct 07, 2009 5:19 pm

Tom T. wrote:
The only reason some of those sites were placed there by default was to prevent 20 million Yahoo mail users from posting problems with their mail, etc.

20 mill users already have problems by choosing Yahell mail and Hotmail. I've removed them from my whitelist!

I don't need sympathy. :lol: I've been computing 15 years, build my own, and have a consulting service. I've used FF since its inception, Netscape before that. But programming is not my area. :mrgreen: We all need analogies to understand complex concepts.

Why am I getting red messages about scripts in mozillazine.org? They don't take ads, and there's no one trying to take over my computer there.

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: How to decide: safe or unsafe?

Post by Tom T. » Thu Oct 08, 2009 1:28 am

roparr2 wrote: ....Why am I getting red messages about scripts in mozillazine.org? They don't take ads, and there's no one trying to take over my computer there.

Well, you don't know that for a *fact* :twisted:

Assuming that by "red messages" you mean the NS logo turning red, indicating scripts being blocked? NoScript notifies you, by popup and/or audible warning if you so configure it, but *always* by color change of the logo, whenever *any* site that is not in your whitelist tries to run scripts. This alerts you and gives you the option to allow, if you so desire.

Again, NoScript does not decide for you which sites are safe. The truth is that any site can be hacked, and every major one -- Google, Yahoo, Facebook, MySpace, Twitter, etc. -- has been, usually more than once. Therefore, NoScript alerts you of all scripting or other plugins or code objects attempting to run at all but your trusted sites.

I hope that answers your question. Did you mean anything else by "red messages"?

P. S. No offense to my beloved boss, but I wouldn't even allow scripting here if it weren't for the convenience of the top reply panel (bold, italic, quote, URL, etc.) You can even do the smileys without scripting. ;)

MENSA

Re: How to decide: safe or unsafe?

Post by MENSA » Fri Jan 15, 2010 2:20 pm

Once I have given my credit card details on some merchants' websites, they take me to a security site run by my bank. I am asked to put in my password (or part of it) to authorise the transaction. If I start to do so, a 'possible clickjacking attempt' warning screen appears. At the foot of a clickjacking alert screen I see a URL address. This appears to be the address of the security site. Why does NoScript show this address? What is the effect of clicking it? Does it take you past the problem and connect you directly to the security site? Unfortunately, NoScript is silent on this matter, even in its basic guidance. Thanks

Giorgio Maone
Site Admin
Posts: 8833
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: How to decide: safe or unsafe?

Post by Giorgio Maone » Fri Jan 15, 2010 2:25 pm

@MENSA
Could you use the "Report" button in the ClearClick dialog and tell me the assigned ID?

mensa

Re: How to decide: safe or unsafe?

Post by mensa » Fri Jan 15, 2010 3:42 pm

Sorry, I do not know what you mean by 'assigned ID'. That's why I am called mensa. Sadly I need non technical answers. Also I would need to wait until the problem happened again for me to use your report button. Meanwhile I would still like to know why this address appears under the window. What is it for? Where is it generated from? Should I click it to bypass the problem or not? Thanks
(PS when I reported the problem to my bank fraud officer he said 'personally I just turn off NoScript'. He says the bank would see all of this as a 'third party' problem and would not investigate or sort it!)

Giorgio Maone
Site Admin
Posts: 8833
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: How to decide: safe or unsafe?

Post by Giorgio Maone » Fri Jan 15, 2010 8:10 pm

mensa wrote: why this address appears under the window. What is it for? Where is it generated from?

That's the address of the embedded page where the element you're interacting with lives. It's always different from the main address you can see in the location bar, and since some elements of the embedded page are hidden you may not be aware of what you're doing exactly. That's why ClearClick issues you a warning and shows you a wider screenshot and the address, so you can better check.

mensa wrote: Should I click it to bypass the problem or not?

You can click it to better understand what's going on, or even to complete the action on a stand-alone (not embedded) page.
If you're sure of what you're doing, you can uncheck the "Keep blocked" checkbox and retry.