NoScript and Decentraleyes

Posted: Sat Jan 27, 2018 5:17 pm
by beerconnctn_enabled
Hello, I've been using NoScript "intensively" for close to 3 years now, and I'm still learning the ropes (I've donated!). Actually, the more secure I try to get, the less I seem to understand.

Lately, I've been trying to figure out HTTP headers and their relationship to privacy/tracking, the new DOM entries I see everywhere, which seem to be making a lot of people a little creeped out, and now, yet another thing I've never thought about, CDN services used as trackers and fingerprint services. One semi-popular plugin for Firefox called Decentraleyes claims to address the latter.
• Protects privacy by evading large delivery networks that claim to offer free services.
• Complements regular blockers such as uBlock Origin (recommended), Adblock Plus, et al.
• Works directly out of the box; absolutely no prior configuration required.

I went to the Decentraleyes test URL with NoScript installed. Obviously, it blocks the test. Out of curiosity, I ran the test with permissions enabled.
https://decentraleyes.org/test/

I failed, I was "unprotected." After reading this FAQ:
https://github.com/Synzvato/decentraley ... -Questions
I am now uncertain if I should be going through the trouble of learning how to juggle yet another plugin. Does NoScript or uBlock Origin address this dev's claims? How much of an issue is this? The plugin claims to "work with" NS and many others, but it requires a lot more fiddling with settings, and I spend lots of time doing this already.

Also, I wanted to thank Giorgio and all the other people who work on this project for all that you've done. After I was very terribly hacked, there were few places that felt like "lighthouses" where I could regain some confidence and help.

Re: NoScript and Decentraleyes

Posted: Sat Jan 27, 2018 6:19 pm
by barbaz
beerconnctn_enabled wrote: Does NoScript or uBlock Origin address this dev's claims,
Which specific claims are you referring to?
beerconnctn_enabled wrote: The plugin claims to "work with" NS and many others, but it requires a lot more fiddling with settings, and I spend lots of time doing this already.
Last I heard, it only requires allowing file:// in NoScript - https://forums.informaction.com/viewtop ... =7&t=23481

Is this no longer the case?

Re: NoScript and Decentraleyes

Posted: Mon Jan 29, 2018 8:03 pm
by beerconnctn_enabled
barbaz wrote:
beerconnctn_enabled wrote: Does NoScript or uBlock Origin address this dev's claims,
Which specific claims are you referring to?
As the FAQ makes no specific reference to NoScript except at the end, where dev states the plugin "complements NoScript" and others, I think I'm referring to this broad answer:
Most content blockers do not block delivery networks by default, as doing so breaks pages. This extension works out of the box, unless it's asked to operate under strict blocking rules. Any policies set by other extensions are respected. As such, blocked resources will not be served locally.
I apologize in advance, I learn all I can by myself, but I'm still pretty low level in my understanding of scripting and exploring the secrets of the debug tool. The dev goes on to discuss uBlock Origin/Matrix; basically saying that if you don't mess with any settings in these plugins, Decentraleyes will "complement" the plugin. I guess I am wondering 1) How "serious" is the need for something like this plugin, in controlling CDNs through a 3rd party (NoScript used to come with amazaws and maxbootstrp and other CDNs whitelisted, so, isn't that bad?)
Decentraleyes offers improved protection by stripping optional headers from intercepted CDN-requests. This keeps specific data, such as what page you are on, from reaching delivery networks.
2) Does NoScript solve the problems the plugin's author claims to make or can it? If I use NoScript to block a CDN, I break pages, which means I need this plugin? As NoScript does a whole lot of stuff beyond just killing .js, can I get NS to do this stuff?
beerconnctn_enabled wrote: The plugin claims to "work with" NS and many others, but it requires a lot more fiddling with settings, and I spend lots of time doing this already.
Last I heard, it only requires allowing file:// in NoScript - https://forums.informaction.com/viewtop ... =7&t=23481

Is this no longer the case?
I actually don't know, but thank you for that link. For now, I've removed Decentraleyes, because I don't quite understand what I should be tweaking or what I should be doing. I've gotten used to customizing NoScript, and don't want to install something that doesn't work because of something or other. Per your instructions, adding allow-all permissions on file:// seems safe unless I open a cached HTML file that happens to have malicious script on it by accident or something, right? I am interested to know what the thoughts are on the necessity of something like Decentraleyes. Thank you!

Re: NoScript and Decentraleyes

Posted: Mon Jan 29, 2018 9:05 pm
by barbaz
beerconnctn_enabled wrote: I guess I am wondering 1) How "serious" is the need for something like this plugin, in controlling CDNs through a 3rd party
There is no single authoritative answer to this question. Different people have different views on this. No one can decide your view for you. So ask yourself how serious do YOU consider it?
beerconnctn_enabled wrote: 2) Does NoScript solve the problems the plugin's author claims to make or can it?
NoScript Classic can perform the function of Decentraleyes, but it requires a lot of fiddling in about:config. The instructions are in the thread I linked.

NoScript 10 doesn't have this feature yet.
beerconnctn_enabled wrote: Per your instructions, adding allow-all permissions on file:// seems safe unless I open a cached HTML file that happens to have malicious script on it by accident or something, right?
Even that wouldn't be a security problem with allowing file:// . You would pretty much have to deliberately download a malicious webpage.

Re: NoScript and Decentraleyes

Posted: Mon Jan 29, 2018 9:27 pm
by Pansa
Installed it out of curiosity.
Seems to work as intended.

It only seems to do its magic once you allow the CDN script request on the page in question, because logically if your browser doesn't want to run a script, there is no request to intercept and reroute.

Or to put it differently, DCE does its thing AFTER NoScript.

Not much to configure. It basically does the same thing as written in the other thread (not connecting to the web for a JS package but to your drive instead, but automated)
Didn't need to configure anything; to be precise, turning on "block request for missing resources" obviously breaks pages even if you allowed them in NS ^^.

So if a page yells at you that it needs jquery.com, you allow it in NS, and DCE then reroutes the request to your drive instead of connecting to jQuery.

So the only "issue" I can see that might be confusing is the order.
One might have wished that DCE would come first, so that you don't need to enable something in NS first, not knowing whether it will then reroute, but I guess that can't be helped.
Your browser needs to first try to get the JS delivered before DCE can intercept the call.

If you go to the test page and set both domains NS calls out to temp trusted, DCE will then reroute the call from Google to your hard drive, using THAT version of jQuery.
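
The ordering described in the post above, combined with the FAQ statements quoted earlier in the thread (blocked resources are not served locally; optional headers are stripped from intercepted CDN requests), as an added example that is not part of any post and is not NoScript or Decentraleyes code. The host table, bundled versions, local paths and the list of stripped headers are assumptions made for this simplified model.

```javascript
// Constructed model of the request ordering discussed in this thread.
// Hosts, versions and local paths are sample values, not the extension's data.
const BUNDLED = new Map([
  ["ajax.googleapis.com", {
    pattern: /^\/ajax\/libs\/jquery\/(\d+\.\d+\.\d+)\/jquery(?:\.min)?\.js$/,
    versions: new Set(["1.12.4", "2.2.4"]),
    local: (v) => `resources/jquery/${v}/jquery.min.js`,
  }],
]);
const OPTIONAL_HEADERS = ["referer", "origin"]; // assumed set of stripped headers

function localCopy(url) {
  const entry = BUNDLED.get(url.hostname);
  const m = entry && entry.pattern.exec(url.pathname);
  return m && entry.versions.has(m[1]) ? entry.local(m[1]) : null;
}

function stripOptional(headers) {
  return Object.fromEntries(Object.entries(headers)
    .filter(([name]) => !OPTIONAL_HEADERS.includes(name.toLowerCase())));
}

// settings.allowedHosts: hosts the script blocker allows to load scripts
// settings.blockMissing: models "block requests for missing resources"
function handleScriptRequest(request, settings) {
  const url = new URL(request.url);
  // 1. The script blocker decides first. A blocked script is never requested,
  //    so the interceptor has nothing to reroute.
  if (!settings.allowedHosts.has(url.hostname)) {
    return { action: "blocked-by-script-blocker", contacted: null };
  }
  // 2. Hosts the interceptor does not know pass through untouched.
  if (!BUNDLED.has(url.hostname)) {
    return { action: "forwarded", contacted: url.hostname, headers: request.headers };
  }
  // 3. Known CDN host: serve the bundled copy, no network contact.
  const resource = localCopy(url);
  if (resource) return { action: "served-locally", contacted: null, resource };
  // 4. No bundled copy: block it, or forward without the optional headers.
  if (settings.blockMissing) return { action: "blocked-missing", contacted: null };
  return { action: "forwarded-stripped", contacted: url.hostname,
           headers: stripOptional(request.headers) };
}
```

The `contacted` field of each result shows which cases still reach a third-party host: only an allowed request with no bundled copy, and then without the Referer that would reveal the page being visited.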