Hi guys,
I have been a very satisfied user of NoScript for years, I'm pretty sure it saved me from some actual damage on a couple occasions, and I would love to keep it that way, but I feel I'm slowly losing it.
I guess it was known for long that it would get increasingly complicated to micromanage whitelists with the advent of CDNs and other multi domain usage, but I just feel we're getting there fast, and more than often I just end up giving up and temporarily allowing a page after having unsuccessfully tried to figure out what essential domains I was missing.
It just feels it's becoming more of a task that could successfully be handled collectively.
Now I understand the argument that it should remain an individual task, that many would not like to trust more than a handful of essential domains.
But I don't consider myself computer illiterate and I'm usually more patient with reloading a page a couple times to get it right, than the occasional people watching my screen are willing to understand.
Then if I find myself giving up more often than I would like to, I imagine a lot of people probably feel the same, which kind of defeats the initial intent.
Now I'm sure some users are still very happy the way it is, and they probably have a whitelist that I would gladly import to keep myself current, provided that's something public that can be scrutinized by expert eyes in this forum for instance.
I suppose if anybody's unhappy with any domain included for any reason, then there's no need to argue endlessly, and I'm fine having to deal with it individually in my turn, but I'm also convinced a lot of domains would still make an easy consensus and save the hassle for many.
What do you guys think about it?
Have you thought about a way to propose larger community-approved whitelists?
What about community whitelists?
Re: What about community whitelists?
NoScript does contain the needed functionality to support "subscriptions", however I've never seen an actual publicly available service providing this and no one here wants or is able to take on the responsibility of maintaining a whitelist/blacklist. Thing is, NoScript is designed to give control to the user, and different people have completely different ideas of what is trustworthy, so even if someone could maintain such a list there's no way to guarantee that the list will suit everyone who wants to use such a list.
OTOH, as for determining what sites you shouldn't allow, there is a method to help reduce that problem: viewtopic.php?p=75314#p75314
*Always* check the changelogs BEFORE updating that important software!
-
Re: What about community whitelists?
Thanks for your quick answer.
Again I understand that ultimately it is everyone's responsibility to manage what's in their whitelist, and I understand that the default whitelist should fit everyone's needs, and be resilient to future threats.
Now, if in the end that makes the tool too hard for me to keep using, as well I believe as for an increasing number of people (again, that's just a natural trend and no one's fault, really), then I think it's sad no one would step out with a "use at your own risk" solution that we'd be willing to try, rather than ending up not having any.
Yet, I find it hard to believe no one would be willing to share at least some one time exports. Now hosting a subscription list with guarantees would be quite a responsibility indeed, but are there really a lot of users who regularly spend some time to review their own whitelist? I wouldn't know really where to start, so again, it seems to me as yet another case of Nirvana fallacy.
Have you thought of something like a dedicated community forum section with the appropriate warnings?
Now in the long run, and I'm sure it won't get any better, some dedicated process might help sharing the responsibility. Without going as far as a sophisticated blockchain, maybe a simpler publish and merge+vote mechanism could possibly save the day.
Re: What about community whitelists?
Jessynoo wrote: Yet, I find it hard to believe no one would be willing to share at least some one time exports.
Because the URLs in the NoScript whitelist (+ Untrusted) export give an indication of both A) what sorts of sites user browses and B) what sorts of sites user considers trustworthy/untrustworthy, it can be considered private information.
Jessynoo wrote: are there really a lot of users who regularly spend some time to review their own whitelist?
Well, I for one review my whitelist irregularly...
Jessynoo wrote: Have you thought of something like a dedicated community forum section with the appropriate warnings?
That'd be just asking for flame wars. Seriously, that's how different people's opinion of sites are and why the concept of "trusted" cannot be reasonably delegated to any third party, period.
Jessynoo wrote: Now in the long run, and I'm sure it won't get any better, some dedicated process might help sharing the responsibility. Without going as far as a sophisticated blockchain, maybe a simpler publish and merge+vote mechanism could possibly save the day.
Crowd-sourcing system can be more easily gamed so it just makes the problems worse. NoScript is a security tool and given that it'd be pretty much impossible to sufficiently vet the people participating, there's no security or integrity in a "whitelist" generated by such means.
Maybe you might like using NoScript in Cascading Permissions mode? NS Options > Advanced > Trusted, check "Cascade top-document's permissions..."
This way you only have to decide whether you want JS or not, no need to go sifting through to see which domain(s) are needed & which not - plus you can still Mark as Untrusted any domains you really don't want executing scripts.
-
Re: What about community whitelists?
barbaz wrote: Because the URLs in the NoScript whitelist (+ Untrusted) export give an indication of both A) what sorts of sites user browses and B) what sorts of sites user considers trustworthy/untrustworthy, it can be considered private information.
Yes I get the privacy issue with raw individual exports. I would think of something prepared, maybe through collaborative pads or wikis to make it easier, safer and more consensual.
barbaz wrote: Well, I for one review my whitelist irregularly...
Do you have suggestions on how to properly do that? What do you check your list against?
barbaz wrote: That'd be just asking for flame wars. Seriously, that's how different people's opinion of sites are and why the concept of "trusted" cannot be reasonably delegated to any third party, period.
I get that some people have heated opinions about security, but that does not mean some people cannot share some opinions, provided there is a place for those willing to try. Furthermore there is quite some space between blindly following a third party, and trying to build some trust, transparently and collectively.
There's no shortage of innovations these days about delegating trust, but this is even missing the point since I'm not talking about a solution that would work for everybody, just for those who don't know better. Again this is not about forcing a single whitelist and lowering everyone's security. Those who cannot maintain a good whitelist like myself will end up having bad security anyway. Those who want to control everything themselves would not be affected. This is only about making the situation a little better. Now I understand that flame wars could be a moderation issue, and if that's the case then fine, but even pretty consensual bootstrapping lists, ones that include major libs and domains cdns, would be a real progress.
Honestly, although my personal list is probably shit by many's standard, starting over from scratch when I once lost my environment was a real pain.
barbaz wrote: Crowd-sourcing system can be more easily gamed so it just makes the problems worse. NoScript is a security tool and given that it'd be pretty much impossible to sufficiently vet the people participating, there's no security or integrity in a "whitelist" generated by such means.
I understand that any official whitelist is an invitation to compromise the listed domains, so it has to be taken seriously, that's why I'm rather thinking of something not officially sanctioned unless there is a good mechanism to get enough scrutiny.
barbaz wrote: Maybe you might like using NoScript in Cascading Permissions mode? NS Options > Advanced > Trusted, check "Cascade top-document's permissions..." This way you only have to decide whether you want JS or not, no need to go sifting through to see which domain(s) are needed & which not - plus you can still Mark as Untrusted any domains you really don't want executing scripts.
Thanks for the advice, I will look into that, although as I understand this amounts more or less to what I have been doing lately, and I feel it kind of defeats the original purpose.
Thanks anyway for having that discussion yet once again I suppose, and sorry for being annoying with my insistence. It just feels too familiar of a situation, where doing nothing seems worse than seeking a compromise.
Re: What about community whitelists?
barbaz wrote: Well, I for one review my whitelist irregularly...
Jessynoo wrote: Do you have suggestions on how to properly do that? What do you check your list against?
I check it against the set of sites I'm currently browsing frequently. If I browse a site like all the time it (plus its dependencies) stays on the whitelist.
Any "trusted" JS-requiring sites I don't browse frequently, but browse somewhat regularly, will generally get partially de-listed, meaning that it's either not allowed to run scripts by default or totally broken by default, but with one or two obvious clicks on "Temporarily allow somesi.te" entries, it'll be back working. (All the other needed permissions, if any, stay on the permanent whitelist.)
Any sites I don't browse regularly, or that I don't remember what they're for, just get removed (if it turned out to be important... well, I'll find out sooner or later. I also keep irregular backups from which I can restore.)
That's just more or less how I personally work it, hope it helps.
Jessynoo wrote: Those who cannot maintain a good whitelist like myself will end up having bad security anyway.
Not so much, if you use a content blocker such as uBlock Origin with security-related blacklists. Won't be perfect but blacklist-based (uBlock Origin subscriptions + your NoScript Untrusted list) is still a HUGE step up from nothing.
Jessynoo wrote: Thanks for the advice, I will look into that, although as I understand this amounts more or less to what I have been doing lately,
Well it's fewer clicks, so you won't get impatient...
Jessynoo wrote: I feel it kind of defeats the original purpose.
Unfortunately figuring out the required permissions for a site is just trial-and-error to some extent, that can't be avoided. The best that can be done is reduce the amount of trial-and-error involved using blacklists and dumping definitely-unwanted sites in Untrusted.
If you're really stuck with some specific site feel free to ask for help in NoScript Support section of this forum.
-
Re: What about community whitelists?
"Trustworthy" aside, I could see where a list of "PITA" sites might be beneficial.
Someone who wanted to take the time to host somewhere, a list of particular sites & the particular domains needed to get it working.
Maybe just a very basic PITALIST.com
Here is a list of PITA websites & what might be needed to get them working:
pain.in.the.butt.worthless.news.site.com
> site.com
> who.would.have.guess.i.need.this.com
> addserver.com
www.moviesite.com
> moviesite.com
> clickaction.com
> obscuredomain.com
> googleapis.com
www.bankofamerica.com
> bankofamerica.com
That said, sites update often.
Users use different settings, overall, have different ways of going about things...
Last edited by barbaz on Mon May 23, 2016 4:04 pm, edited 1 time in total.
Reason: kill board-generated links
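The periodic whitelist review barbaz describes, driven by a PITA-list-style map of sites to the domains they need, as an added example that is not part of any post in this thread. The data layout, function names and visit thresholds are assumptions, and all sample data is constructed.

```python
from collections import Counter

# Constructed sample data; names, layout and thresholds are assumptions.
WHITELIST = ["moviesite.com", "clickaction.com", "googleapis.com",
             "bankofamerica.com", "site.com", "addserver.com", "oldforum.example"]
# PITA-list style map: site -> extra domains it needs in order to work.
DEPENDENCIES = {"moviesite.com": ["clickaction.com", "googleapis.com"],
                "site.com": ["addserver.com"],
                "bankofamerica.com": []}
# Top-level hosts visited during the review period (e.g. taken from history).
VISITS = (["www.moviesite.com"] * 40 + ["www.bankofamerica.com"] * 5
          + ["pain.in.the.butt.worthless.news.site.com"])
FREQUENT, REGULAR = 20, 3  # visits per review period (assumed cut-offs)


def covering_entry(host, whitelist):
    """Return the whitelist entry equal to host or to one of its parent domains.

    Matching is on whole labels, so "evilsite.com" is not covered by "site.com".
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in whitelist:
            return candidate
    return None


def review(whitelist, dependencies, visits):
    """Classify each entry as 'keep', 'temp-allow' or 'remove'."""
    entries = set(whitelist)
    counts = Counter(e for e in (covering_entry(h, entries) for h in visits) if e)
    verdict = {}
    for entry in whitelist:
        if counts[entry] >= FREQUENT:
            verdict[entry] = "keep"
        elif counts[entry] >= REGULAR:
            verdict[entry] = "temp-allow"  # de-listed, one click restores it
        else:
            verdict[entry] = "remove"
    # Dependencies of sites that are still in use stay on the permanent list.
    for site, needed in dependencies.items():
        if verdict.get(site) in ("keep", "temp-allow"):
            for dep in needed:
                if dep in verdict:
                    verdict[dep] = "keep"
    return verdict


if __name__ == "__main__":
    for entry, action in review(WHITELIST, DEPENDENCIES, VISITS).items():
        print(f"{action:10} {entry}")
```

Entries that end up as "remove" are the ones to delete or move to Untrusted; a dependency is kept only while at least one site that needs it is still in use.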