Using NoScript with '' Temporarily Allow Top-Level Domain''

[Tar_Ni]

Hi,

I find NoScript to be too much of a pain in the a** to set up on a site by site basis, the only way I can use this addon is by temporarily allowing top-level domain. In this way, it's much easier to handle and saves me a lot of time, since the majority of websites out there require top level javascript to function properly anyway. Occasionally I need allowing a second or third level but not often.

So I guess my question is, can using NoScript this way still protects me against threats like Drive-by downloads? In your experience, does this kind of thing usually happens on top-levels or by usually the result malicious third-party scripts?

Secondly, would a standard Adblocker (like ADP or uBlock) offer the same layer of protecton as NoScript (with top-level allowed) against drive-by downloads or scareware?

Thanks

[Thrawn]

So I guess my question is, can using NoScript this way still protects me against threats like Drive-by downloads?

It depends. Are you concerned about drive-by downloads from unknown, malicious sites (eg poisoned search results), or malvertising on legitimate sites? In general, malvertising will be blocked, but as soon as you actually visit a malicious domain, all bets are off.

In your experience, does this kind of thing usually happens on top-levels or by usually the result malicious third-party scripts?

Can't say that I have much experience of getting compromised, since I always block JavaScript . However, automatically allowing top-level sites is a risky business. Note that if you get redirected to a site and then redirected back, it may be invisible to you, but it will trigger the whitelisting.

Secondly, would a standard Adblocker (like ADP or uBlock) offer the same layer of protecton as NoScript (with top-level allowed) against drive-by downloads or scareware?

Definitely not Adblock Plus, which is no longer reliable for any security purpose. uBlock I'm not sure about. Is it tolerable to use both?

[barbaz]

Secondly, would a standard Adblocker (like ADP or uBlock) offer the same layer of protecton as NoScript (with top-level allowed) against drive-by downloads or scareware?

No. You probably want a tool like Policeman or µMatrix for that.
(Note that those tools only block based on domain. If you need reliable, secure blocking based on path, just use NoScript's own ABE.)

[Tar_Ni]

Thanks for your replies.

At this point I will stick with NoScript's ''Temporarily Allow Top-Level Domain'' on. Maybe I am looing in security but then the web is a very dull place without the top-level javascripts enabled these days... What difference would it made if I enable them one by one anyway? How would I know which ones are malicious or not? The second and third-party scripts I can manage easily and it's less time-consumming. From the research I made on this recently, it seems that most drive-by download and scareware threats comes from malicious iframes and third-party scripts, which I've got covered.

I don't want to use 2 or 3 browser addons, I prefer to use one which is multi-purpose, it is easier on ressources. NoScript is great because by blocking scripts you also block ads and trackers, which means I don't need to also add an Adblocker on top of my Firefox install.

[barbaz]

Maybe I am looing in security but then the web is a very dull place without the top-level javascripts enabled these days...

I have not noticed that.. guess you browse a very different set of sites from me...

What difference would it made if I enable them one by one anyway?

You are more sure what you'll Temp-Allow that way. As said above, if you are redirected through another site, it'll get Temp-Allowed if you automatically temporarily allow top-level site. And you won't know it until you check what's Temporarily Allowed.

How would I know which ones are malicious or not?

It's not always possible to be sure. See viewtopic.php?p=75314#p75314 for one method that might help.
(You just have to compare against the lists. No need to actually install ABP for that method if you don't want to, you can just save the list somewhere on your computer and search it with your favorite text editor. In your case, you would download the Malware Domains ABP subscription.)

I don't want to use 2 or 3 browser addons, I prefer to use one which is multi-purpose, it is easier on ressources.

It's not necessarily easier on resources to use one multi-purpose addon vs multiple addons. It depends what the addon(s) are optimized for and what you want to do.

NoScript is great because by blocking scripts you also block ads and trackers,

NoScript blocks ads only incidentally... although largely the ads NoScript does end up blocking are the invasive ones, while letting the "nicer" ads through.
Also you are not blocking trackers by using NoScript. They just use a scriptless alternative (usually a 1x1 GIF image).

[Tar_Ni]

I have not noticed that.. guess you browse a very different set of sites from me...

Blocking top-level javascripts by default breaks nearly every sites I visit. I understand that's the whole point of NoScript but since Top-Level Domain is a must for my web activities - that I will allow them in every case anyway - than I am better off automatically Temp allowing them all. It saves quite a lot of time. I occasionally have to allow a second level (akamaihd.net on Facebook for instance) or a third-party to enable a missing functionality on a webpage.

That's often a trial and error in this case. But at this point, I've become mostly aware of which scripts are ads, trackers and widgets so those can safely be avoided. I Temp Allow a script which I suspect to be the culprit and see if it works then whitelist it if that's a website I'll come back to.

NoScript blocks ads only incidentally... although largely the ads NoScript does end up blocking are the invasive ones, while letting the "nicer" ads through.Also you are not blocking trackers by using NoScript. They just use a scriptless alternative (usually a 1x1 GIF image).

Of course, NoScript is as the name says, a Script blocker that is meant as a security tool but it so happens that the vast majority of ads (and trackers like Google-analytics for instance) are served through third-party scripts and iframes in some cases.

There are in-page elements (DOM element objects) on some top-level domains which happens to be ads but those I really don't mind.

[barbaz]

(You might want to look into NoRedirect configured to block all redirects. It may cut down on the number of "surprise" sites that are Temp-Allowed. It's not a perfect solution, since it doesn't cover JS redirects, but it gets the rest, so it's far better than nothing.)

There are in-page elements (DOM element objects) on some top-level domains which happens to be ads but those I really don't mind.

Also my opinion of Internet ads
I actually go out of my way to whitelist such ads, but that's another story.