Hi,
I find NoScript to be too much of a pain in the a** to set up on a site by site basis, the only way I can use this addon is by temporarily allowing top-level domain. In this way, it's much easier to handle and saves me a lot of time, since the majority of websites out there require top level javascript to function properly anyway. Occasionally I need to allow a second or third level but not often.
So I guess my question is, can using NoScript this way still protect me against threats like Drive-by downloads? In your experience, does this kind of thing usually happen on top-levels, or is it usually the result of malicious third-party scripts?
Secondly, would a standard Adblocker (like ADP or uBlock) offer the same layer of protection as NoScript (with top-level allowed) against drive-by downloads or scareware?
Thanks
Using NoScript with '' Temporarily Allow Top-Level Domain''
Re: Using NoScript with '' Temporarily Allow Top-Level Domai
Tar_Ni wrote: So I guess my question is, can using NoScript this way still protect me against threats like Drive-by downloads?
It depends. Are you concerned about drive-by downloads from unknown, malicious sites (e.g. poisoned search results), or malvertising on legitimate sites? In general, malvertising will be blocked, but as soon as you actually visit a malicious domain, all bets are off.
Tar_Ni wrote: In your experience, does this kind of thing usually happen on top-levels, or is it usually the result of malicious third-party scripts?
Can't say that I have much experience of getting compromised, since I always block JavaScript. However, automatically allowing top-level sites is a risky business. Note that if you get redirected to a site and then redirected back, it may be invisible to you, but it will trigger the whitelisting.
Tar_Ni wrote: Secondly, would a standard Adblocker (like ADP or uBlock) offer the same layer of protection as NoScript (with top-level allowed) against drive-by downloads or scareware?
Definitely not Adblock Plus, which is no longer reliable for any security purpose. uBlock I'm not sure about. Is it tolerable to use both?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Re: Using NoScript with '' Temporarily Allow Top-Level Domai
Tar_Ni wrote: Secondly, would a standard Adblocker (like ADP or uBlock) offer the same layer of protection as NoScript (with top-level allowed) against drive-by downloads or scareware?
No. You probably want a tool like Policeman or µMatrix for that.
(Note that those tools only block based on domain. If you need reliable, secure blocking based on path, just use NoScript's own ABE.)
*Always* check the changelogs BEFORE updating that important software!
-
Re: Using NoScript with '' Temporarily Allow Top-Level Domai
Thanks for your replies.
At this point I will stick with NoScript's ''Temporarily Allow Top-Level Domain'' on. Maybe I am losing in security but then the web is a very dull place without the top-level javascripts enabled these days... What difference would it make if I enable them one by one anyway? How would I know which ones are malicious or not? The second and third-party scripts I can manage easily and it's less time-consuming. From the research I made on this recently, it seems that most drive-by download and scareware threats come from malicious iframes and third-party scripts, which I've got covered.
I don't want to use 2 or 3 browser addons, I prefer to use one which is multi-purpose, it is easier on resources. NoScript is great because by blocking scripts you also block ads and trackers, which means I don't need to also add an Adblocker on top of my Firefox install.
Re: Using NoScript with '' Temporarily Allow Top-Level Domai
Tar_Ni wrote: Maybe I am losing in security but then the web is a very dull place without the top-level javascripts enabled these days...
I have not noticed that.. guess you browse a very different set of sites from me...
Tar_Ni wrote: What difference would it make if I enable them one by one anyway?
You are more sure what you'll Temp-Allow that way. As said above, if you are redirected through another site, it'll get Temp-Allowed if you automatically temporarily allow top-level site. And you won't know it until you check what's Temporarily Allowed.
Tar_Ni wrote: How would I know which ones are malicious or not?
It's not always possible to be sure. See viewtopic.php?p=75314#p75314 for one method that might help.
(You just have to compare against the lists. No need to actually install ABP for that method if you don't want to, you can just save the list somewhere on your computer and search it with your favorite text editor. In your case, you would download the Malware Domains ABP subscription.)
Tar_Ni wrote: I don't want to use 2 or 3 browser addons, I prefer to use one which is multi-purpose, it is easier on resources.
It's not necessarily easier on resources to use one multi-purpose addon vs multiple addons. It depends what the addon(s) are optimized for and what you want to do.
Tar_Ni wrote: NoScript is great because by blocking scripts you also block ads and trackers,
NoScript blocks ads only incidentally... although largely the ads NoScript does end up blocking are the invasive ones, while letting the "nicer" ads through.
Also you are not blocking trackers by using NoScript. They just use a scriptless alternative (usually a 1x1 GIF image).
*Always* check the changelogs BEFORE updating that important software!
-
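The list comparison suggested in the post above (save an Adblock Plus-format subscription and search it for a domain), as an added example that is not part of the original thread. It assumes the common `||domain^` rule syntax; the list contents and hostnames are constructed placeholders, and the hosts stand in for entries copied from NoScript's temporarily allowed sites, which is where a silently whitelisted redirect hop would show up.

```python
"""Check hostnames against an Adblock Plus-format domain blocklist (added example)."""

# Constructed sample in ABP filter syntax; a real subscription would be a
# file saved to disk. All domains here are made-up placeholders.
SAMPLE_LIST = """\
[Adblock Plus 2.0]
! Title: constructed sample list
||bad-redirector.example^
||malware-cdn.example^$third-party
@@||allowed.example^
/banner/ads/*
"""

def parse_blocked_domains(text):
    """Return the set of domains named by plain '||domain^' blocking rules."""
    blocked = set()
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments, the header, and exception (@@) rules.
        if not line or line[0] in "![" or line.startswith("@@"):
            continue
        if not line.startswith("||"):
            continue  # path or element rules carry no bare domain
        rule = line[2:].split("$", 1)[0]      # drop filter options
        domain, sep, rest = rule.partition("^")
        if sep and not rest and "/" not in domain and "*" not in domain:
            blocked.add(domain.lower().rstrip("."))
    return blocked

def listed_match(host, blocked):
    """Return the listed domain covering host (itself or a parent), else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None

def audit(hosts, blocked):
    """Map each host that is on the list to the rule domain that matched."""
    return {h: m for h in hosts if (m := listed_match(h, blocked))}

if __name__ == "__main__":
    # Constructed: hosts as they might appear among temporarily allowed sites.
    temp_allowed = ["news.example", "js.bad-redirector.example", "allowed.example"]
    print(audit(temp_allowed, parse_blocked_domains(SAMPLE_LIST)))
```

Matching walks up the parent domains because a `||domain^` rule also covers subdomains; a host that is absent from the list is only unlisted, not known to be safe.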
Re: Using NoScript with '' Temporarily Allow Top-Level Domai
barbaz wrote: I have not noticed that.. guess you browse a very different set of sites from me...
Blocking top-level javascripts by default breaks nearly every site I visit. I understand that's the whole point of NoScript but since Top-Level Domain is a must for my web activities - that I will allow them in every case anyway - then I am better off automatically Temp allowing them all. It saves quite a lot of time. I occasionally have to allow a second level (akamaihd.net on Facebook for instance) or a third-party to enable a missing functionality on a webpage.
That's often a trial and error in this case. But at this point, I've become mostly aware of which scripts are ads, trackers and widgets so those can safely be avoided. I Temp Allow a script which I suspect to be the culprit and see if it works then whitelist it if that's a website I'll come back to.
barbaz wrote: NoScript blocks ads only incidentally... although largely the ads NoScript does end up blocking are the invasive ones, while letting the "nicer" ads through. Also you are not blocking trackers by using NoScript. They just use a scriptless alternative (usually a 1x1 GIF image).
Of course, NoScript is as the name says, a Script blocker that is meant as a security tool but it so happens that the vast majority of ads (and trackers like Google-analytics for instance) are served through third-party scripts and iframes in some cases.
There are in-page elements (DOM element objects) on some top-level domains which happen to be ads but those I really don't mind.
Re: Using NoScript with '' Temporarily Allow Top-Level Domai
(You might want to look into NoRedirect configured to block all redirects. It may cut down on the number of "surprise" sites that are Temp-Allowed. It's not a perfect solution, since it doesn't cover JS redirects, but it gets the rest, so it's far better than nothing.)
Tar_Ni wrote: There are in-page elements (DOM element objects) on some top-level domains which happen to be ads but those I really don't mind.
Also my opinion of Internet ads
I actually go out of my way to whitelist such ads, but that's another story.
*Always* check the changelogs BEFORE updating that important software!
-