What about community whitelists?

General discussion about the NoScript extension for Firefox
Jessynoo
Posts: 3
Joined: Sun May 22, 2016 6:52 pm

What about community whitelists?

Post by Jessynoo »

Hi guys,

I have been a very satisfied user of NoScript for years, I'm pretty sure it saved me from some actual damage on a couple occasions, and I would love to keep it that way, but I feel I'm slowly losing it.

I guess it was known for long that it would get increasingly complicated to micromanage whitelists with the advent of CDNs and other multi domain usage, but I just feel we're getting there fast, and more often than not I just end up giving up and temporarily allowing a page after having unsuccessfully tried to figure out what essential domains I was missing.

It just feels it's becoming more of a task that could successfully be handled collectively.
Now I understand the argument that it should remain an individual task, that many would not like to trust more than a handful of essential domains.
But I don't consider myself computer illiterate and I'm usually more patient with reloading a page a couple times to get it right, than the occasional people watching my screen are willing to understand.
Then if I find myself giving up more often than I would like to, I imagine a lot of people probably feel the same, which kind of defeats the initial intent.

Now I'm sure some users are still very happy the way it is, and they probably have a whitelist that I would gladly import to keep myself current, provided that's something public that can be scrutinized by expert eyes in this forum for instance.
I suppose if anybody's unhappy with any domain included for any reason, then there's no need to argue endlessly, and I'm fine having to deal with it individually in my turn, but I'm also convinced a lot of domains would still make an easy consensus and save the hassle for many.

What do you guys think about it?
Have you thought about a way to propose larger community-approved whitelists?
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: What about community whitelists?

Post by barbaz »

NoScript does contain the needed functionality to support "subscriptions", however I've never seen an actual publicly available service providing this and no one here wants or is able to take on the responsibility of maintaining a whitelist/blacklist. Thing is, NoScript is designed to give control to the user, and different people have completely different ideas of what is trustworthy, so even if someone could maintain such a list there's no way to guarantee that the list will suit everyone who wants to use such a list.

OTOH, as for determining what sites you shouldn't allow, there is a method to help reduce that problem: viewtopic.php?p=75314#p75314
*Always* check the changelogs BEFORE updating that important software!
-
Jessynoo
Posts: 3
Joined: Sun May 22, 2016 6:52 pm

Re: What about community whitelists?

Post by Jessynoo »

Thanks for your quick answer.
Again I understand that ultimately it is everyone's responsibility to manage what's in their whitelist, and I understand that the default whitelist should fit everyone's needs, and be resilient to future threats.

Now, if in the end that makes the tool too hard for me to keep using, as well I believe as for an increasing number of people (again, that's just a natural trend and no one's fault, really), then I think it's sad no one would step out with a "use at your own risk" solution that we'd be willing to try, rather than ending up not having any.

Yet, I find it hard to believe no one would be willing to share at least some one time exports. Now hosting a subscription list with guarantees would be quite a responsibility indeed, but are there really a lot of users who regularly spend some time to review their own whitelist? I wouldn't know really where to start, so again, it seems to me as yet another case of Nirvana fallacy.

Have you thought of something like a dedicated community forum section with the appropriate warnings?
Now in the long run, and I'm sure it won't get any better, some dedicated process might help sharing the responsibility. Without going as far as a sophisticated blockchain, maybe a simpler publish and merge+vote mechanism could possibly save the day.
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: What about community whitelists?

Post by barbaz »

Jessynoo wrote:Yet, I find it hard to believe no one would be willing to share at least some one time exports.
Because the URLs in the NoScript whitelist (+ Untrusted) export give an indication of both A) what sorts of sites user browses and B) what sorts of sites user considers trustworthy/untrustworthy, it can be considered private information.
Jessynoo wrote: are there really a lot of users who regularly spend some time to review their own whitelist?
Well, I for one review my whitelist irregularly... ;)
Jessynoo wrote:Have you thought of something like a dedicated community forum section with the appropriate warnings?
That'd be just asking for flame wars. Seriously, that's how different people's opinion of sites are and why the concept of "trusted" cannot be reasonably delegated to any third party, period.
Jessynoo wrote:Now in the long run, and I'm sure it won't get any better, some dedicated process might help sharing the responsibility. Without going as far as a sophisticated blockchain, maybe a simpler publish and merge+vote mechanism could possibly save the day.
Crowd-sourcing system can be more easily gamed so it just makes the problems worse. NoScript is a security tool and given that it'd be pretty much impossible to sufficiently vet the people participating, there's no security or integrity in a "whitelist" generated by such means.


Maybe you might like using NoScript in Cascading Permissions mode? NS Options > Advanced > Trusted, check "Cascade top-document's permissions..."
This way you only have to decide whether you want JS or not, no need to go sifting through to see which domain(s) are needed & which not - plus you can still Mark as Untrusted any domains you really don't want executing scripts.
-
Jessynoo
Posts: 3
Joined: Sun May 22, 2016 6:52 pm

Re: What about community whitelists?

Post by Jessynoo »

barbaz wrote: Because the URLs in the NoScript whitelist (+ Untrusted) export give an indication of both A) what sorts of sites user browses and B) what sorts of sites user considers trustworthy/untrustworthy, it can be considered private information.
Yes I get the privacy issue with raw individual exports. I would think of something prepared, maybe through collaborative pads or wikis to make it easier, safer and more consensual.
barbaz wrote: Well, I for one review my whitelist irregularly... ;)
Do you have suggestions on how to properly do that? What do you check your list against?
barbaz wrote: That'd be just asking for flame wars. Seriously, that's how different people's opinion of sites are and why the concept of "trusted" cannot be reasonably delegated to any third party, period.
I get that some people have heated opinions about security, but that does not mean some people cannot share some opinions, provided there is a place for those willing to try. Furthermore there is quite some space between blindly following a third party, and trying to build some trust, transparently and collectively.

There's no shortage of innovations these days about delegating trust, but this is even missing the point since I'm not talking about a solution that would work for everybody, just for those who don't know better. Again this is not about forcing a single whitelist and lowering everyone's security. Those who cannot maintain a good whitelist like myself will end up having bad security anyway. Those who want to control everything themselves would not be affected. This is only about making the situation a little better. Now I understand that flame wars could be a moderation issue, and if that's the case then fine, but even pretty consensual bootstrapping lists, ones that include major libs and domains cdns, would be a real progress.
Honestly, although my personal list is probably shit by many's standard, starting over from scratch when I once lost my environment was a real pain.
barbaz wrote: Crowd-sourcing system can be more easily gamed so it just makes the problems worse. NoScript is a security tool and given that it'd be pretty much impossible to sufficiently vet the people participating, there's no security or integrity in a "whitelist" generated by such means.
I understand that any official whitelist is an invitation to compromise the listed domains, so it has to be taken seriously, that's why I'm rather thinking of something not officially sanctioned unless there is a good mechanism to get enough scrutiny.

barbaz wrote: Maybe you might like using NoScript in Cascading Permissions mode? NS Options > Advanced > Trusted, check "Cascade top-document's permissions..."
This way you only have to decide whether you want JS or not, no need to go sifting through to see which domain(s) are needed & which not - plus you can still Mark as Untrusted any domains you really don't want executing scripts.
Thanks for the advice, I will look into that, although as I understand this amounts more or less to what I have been doing lately, and I feel it kind of defeats the original purpose.
Thanks anyway for having that discussion yet once again I suppose, and sorry for being annoying with my insistence. It just feels too familiar of a situation, where doing nothing seems worse than seeking a compromise.
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: What about community whitelists?

Post by barbaz »

Jessynoo wrote:
barbaz wrote: Well, I for one review my whitelist irregularly... ;)
Do you have suggestions on how to properly do that? What do you check your list against?
I check it against the set of sites I'm currently browsing frequently. If I browse a site like all the time it (plus its dependencies) stays on the whitelist.
Any "trusted" JS-requiring sites I don't browse frequently, but browse somewhat regularly, will generally get partially de-listed, meaning that it's either not allowed to run scripts by default or totally broken by default, but with one or two obvious clicks on "Temporarily allow somesi.te" entries, it'll be back working. (All the other needed permissions, if any, stay on the permanent whitelist.)
Any sites I don't browse regularly, or that I don't remember what they're for, just get removed (if it turned out to be important... well, I'll find out sooner or later ;) I also keep irregular backups from which I can restore.)

That's just more or less how I personally work it, hope it helps.
Jessynoo wrote:Those who cannot maintain a good whitelist like myself will end up having bad security anyway.
Not so much, if you use a content blocker such as uBlock Origin with security-related blacklists. Won't be perfect but blacklist-based (uBlock Origin subscriptions + your NoScript Untrusted list) is still a HUGE step up from nothing.
Jessynoo wrote:Thanks for the advice, I will look into that, although as I understand this amounts more or less to what I have been doing lately,
Well it's fewer clicks, so you won't get impatient...
Jessynoo wrote: I feel it kind of defeats the original purpose.
Unfortunately figuring out the required permissions for a site is just trial-and-error to some extent, that can't be avoided. The best that can be done is reduce the amount of trial-and-error involved using blacklists and dumping definitely-unwanted sites in Untrusted. :|

If you're really stuck with some specific site feel free to ask for help in NoScript Support section of this forum.
-
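The review routine barbaz describes in the post above (frequent sites stay with their dependencies, regularly visited sites are partially de-listed, everything else is removed), as an added example that is not part of the thread and not NoScript code. The thresholds, the `.example` domains, the visit counts and the per-site dependency notes are constructed assumptions; NoScript does not record which site needed which domain, so that mapping stands in for the user's own notes.

```python
# Added illustration: thresholds, domains and visit counts are constructed assumptions.
FREQUENT = 20  # visits per review window treated as "all the time"
REGULAR = 3    # visits treated as "somewhat regularly"


def review_whitelist(whitelist, site_deps, visits):
    """Split a permanent whitelist into (keep, delisted, removed) sets.

    whitelist: set of permanently allowed domains
    site_deps: {site: set of extra domains that site needs}, from the user's notes
    visits:    {site: visit count in the review window}
    """
    keep, delisted = set(), set()
    for site, deps in site_deps.items():
        count = visits.get(site, 0)
        if count >= FREQUENT:
            keep |= {site} | deps   # the site and its dependencies stay
        elif count >= REGULAR:
            delisted.add(site)      # back via "Temporarily allow" when needed
            keep |= deps            # its other needed permissions stay
    keep &= whitelist                          # only entries actually listed
    delisted = (delisted & whitelist) - keep   # a dependency of a kept site wins
    removed = whitelist - keep - delisted      # rare or unexplained entries
    return keep, delisted, removed


# Constructed sample data using reserved .example names.
WHITELIST = {
    "mail.example", "cdn-a.example", "forum.example", "static-b.example",
    "shop.example", "pay.example", "old.example", "mystery.example",
}
SITE_DEPS = {
    "mail.example": {"cdn-a.example"},
    "forum.example": {"static-b.example"},
    "shop.example": {"pay.example", "cdn-a.example"},
    "old.example": set(),
}
VISITS = {"mail.example": 40, "forum.example": 5, "shop.example": 1}

if __name__ == "__main__":
    keep, delisted, removed = review_whitelist(WHITELIST, SITE_DEPS, VISITS)
    for label, group in (("keep", keep), ("temporarily allow", delisted),
                         ("remove", removed)):
        print(f"{label}: {', '.join(sorted(group))}")
```

In the sample, `cdn-a.example` survives even though `shop.example` is dropped, because a frequently used site still depends on it, and `mystery.example` is removed because no note explains what it was for.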
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: What about community whitelists?

Post by therube »

"Trustworthy" aside, I could see where a list of "PITA" sites might be beneficial.

Someone who wanted to take the time to host somewhere, a list of particular sites & the particular domains needed to get it working.

Maybe just a very basic PITALIST.com

Here is a list of PITA websites & what might be needed to get them working:


pain.in.the.butt.worthless.news.site.com
    > site.com
    > who.would.have.guess.i.need.this.com
    > addserver.com
While you might not want addserver, it is necessary

www.moviesite.com
    > moviesite.com
    > clickaction.com
    > obscuredomain.com
    > googleapis.com
Note: Flash must be set to Always, Click-to-play won't work.

www.bankofamerica.com
    > bankofamerica.com
Note: blacklist screw.your.tracking.server.bankofamerica.com


That said, sites update often.
Users use different settings, overall, have different ways of going about things...
Last edited by barbaz on Mon May 23, 2016 4:04 pm, edited 1 time in total.
Reason: kill board-generated links