ScriptNo; NoScript Clone?

General discussion about the NoScript extension for Firefox

ScriptNo; NoScript Clone?

Postby redwolfe_98 » Fri Aug 12, 2011 6:39 am

hello.. i saw "scriptno", an addon for google's "chrome" browser, mentioned in another forum.. in reading the details about the addon, i thought it might be a clone, a rippoff, of "noscript", so i wanted to bring it to giorgio's attention..

https://chrome.google.com/webstore/detail/oiigbmnaadbkfbmpbfijlflahbdbdgdf

http://www.dslreports.com/forum/r26193101-ScriptNo-qNoScriptq-like-Chrome-Extension
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18
redwolfe_98
Senior Member
 
Posts: 55
Joined: Wed Apr 22, 2009 6:27 am
Location: South Carolina, USA

Re: ScriptNo; NoScript Clone?

Postby Giorgio Maone » Fri Aug 12, 2011 11:21 am

My only concern is that it is even less reliable than NotScripts, so its user will likely suffer of a false sense of security.
Other than that, it's not a ripoff nor a clone (its name is quite different too), but obviously is something I cannot recommend.
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
User avatar
Giorgio Maone
Site Admin
 
Posts: 8625
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: ScriptNo; NoScript Clone?

Postby Tom T. » Sun Aug 14, 2011 7:29 am

Giorgio Maone wrote:My only concern is that it is even less reliable than NotScripts, so its user will likely suffer of a false sense of security.
Other than that, it's not a ripoff nor a clone (its name is quite different too), but obviously is something I cannot recommend.

I don't know the law in the EU, or whether it's worth your trouble. But the NS site has at the bottom, "Copyright © 2004-2011 InformAction - All rights reserved"
So under US law, you have a trademark right to the name "NoScript", and I think any reasonable Court would find that "ScriptNo" could easily be confusing to the public, and an illegitimate attempt to capitalize on your reputation, user base, and goodwill. They would then issue an injunction prohibiting the use of the name "ScriptNo", probably award you court costs, attorney fees, etc. It would be more difficult to prove monetary damages, since the product is free and donation-supported, unless there were a sudden drop-off in donations that correlates to the release of ScriptNo. But at least they'd have to come up with a more original name, like maybe "ScriptBlock" or something else not so close to NoScript.

Again, not sure it's worth the trouble of hiring a US attorney, and don't know EU law, but just mentioning that it's a pretty solid case. Same goes for "NotScript" -- too close to yours.

Fun fact: When the giant Standard Oil was broken up under US Anti-trust law, one of the companies formed from it was called "Esso", a phonetic pronunciation of the initials of Standard Oil, "S.O." But there was a small manufacturer of vacuum cleaners that had trademarked the name "Esso" for one of their products, and the Court upheld the small company versus the oil giant. So the oil company asked a computer to come up with thousands of two-syllable pronounceable combinations. Which ended up being "Exxon".
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.18
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ScriptNo; NoScript Clone?

Postby dhouwn » Sun Aug 14, 2011 9:43 am

Tom T. wrote:I don't know the law in the EU, or whether it's worth your trouble. But the NS site has at the bottom, "Copyright © 2004-2011 InformAction - All rights reserved"
So under US law, you have a trademark right to the name "NoScript"
Huh? Since when you get a trademark implicitly? AFAIK, even under US law you first need to apply for one.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
dhouwn
Bug Buster
 
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: ScriptNo; NoScript Clone?

Postby Tom T. » Sun Aug 14, 2011 9:55 pm

dhouwn wrote:
Tom T. wrote:I don't know the law in the EU, or whether it's worth your trouble. But the NS site has at the bottom, "Copyright © 2004-2011 InformAction - All rights reserved"
So under US law, you have a trademark right to the name "NoScript"
Huh? Since when you get a trademark implicitly? AFAIK, even under US law you first need to apply for one.

You have to apply for a patent.

You don't even need to claim copyright, at least in the US: You have an automatic copyright on any original composition the minute you set it on paper or disk. The copyright notice simply serves to alert people to the fact that this is your original writing. But it is not required. If your adversary, who copied it without credit, can't show that the same composition appeared elsewhere before you wrote it, you have copyright infringement and/or plagiarism.

The entire page is copyrighted, and "NoScript" was a word that did not exist in the language of the copyrighted page (English), or in any other language on Earth AFAIK, so it's the original composition of Giorgio Maone.

http://en.wikipedia.org/wiki/Trademark
"The owner of a registered trademark may commence legal proceedings for trademark infringement to prevent unauthorized use of that trademark. However, registration is not required. The owner of a common law trademark may also file suit, but an unregistered mark may be protectable only within the geographical area within which it has been used or in geographical areas into which it may be reasonably expected to expand." (the boldface was mine).

The "geographical area" of NS is certainly global; is there a country in which no one uses it?
Last edited by Tom T. on Sun Aug 14, 2011 9:58 pm, edited 1 time in total.
Reason: clarity
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.18
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ScriptNo; NoScript Clone?

Postby dhouwn » Mon Aug 15, 2011 12:04 pm

Ah OK, seems you already get some trademark protection without registration. Didn't know that.
Note, that it's still pretty different from (basic) copyright protection which protects creative works for a limited time. I doubt the word alone would reach the threshold of originality.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
dhouwn
Bug Buster
 
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: ScriptNo; NoScript Clone?

Postby Tom T. » Tue Aug 16, 2011 5:03 am

dhouwn wrote:Ah OK, seems you already get some trademark protection without registration. Didn't know that.
Note, that it's still pretty different from (basic) copyright protection which protects creative works for a limited time.

NS is open-source sw, copyrighted/licensed under GNU "copyleft", as per the link to GNU on the home page. Anyone can copy, distribute, and/or modify the code, though per the license, they too must license it with at least the same rights. This choice was voluntary on the part of the developer.

However, if you create a vastly different product, you can't call it by the same name, because the reputation of the original could be harmed if the second one proved to be faulty. If you create your own fork of Firefox or Seamonkey, don't you have to call it something else? -- and something not so close to the original that a reasonable person might confuse the two. (N0Script? No. ;) )

dhouwn wrote:I doubt the word alone would reach the threshold of originality.

I would stand by my previous statement that the word did not exist before Giorgio Maone invented it. That's as original as you can get.

Note that makers of very popular products have often had to defend their trademark name from becoming a generic term, which is a different issue. For example, the brand name Kleenex™ became synonymous in the US with "facial tissue", as in "Hand me a kleenex, please". The company would write letters to those who used it that way in writing, reminding them to capitalize it, being a proper noun (name of a particular brand). However, the trademark was registered in 1924, and with common usage and passage of time, it is acceptable to some dictionaries as a generic term, and AFAIK, the company doesn't fight it much anymore.

Hormel Foods Corporation has specifically stated that they do not object to the use of "spam", in all lower-case letters, to refer to unsolicited, bulk commercial e-mail, provided that people use only SPAM, in all caps, to refer to their brand of canned meat.

"Kleenex" and "SPAM" were words invented by their respective producers. (IIUC, "SPAM" was a part-contraction, part-acronym of "shoulder pork and ham").

Did the word "NoScript", especially in camel-case, exist before this product existed? ... In any event, the original point was that the names of the other products were too similar to the original, and might cause confusion, including harming the reputation of the original.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.18
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ScriptNo; NoScript Clone?

Postby GµårÐïåñ » Wed Aug 24, 2011 2:10 am

Not arguing one side or another, but you could also make the same argument about Xerox as well. Some might argue that NOSCRIPT as part of the HTML tag list would supercede the right of the creator that camel cased it. Just saying ;)
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/6.9 (Windows NT 6.9; rv:6.9) Gecko/69696969 Firefox/6.9
User avatar
GµårÐïåñ
Lieutenant Colonel
 
Posts: 3299
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: ScriptNo; NoScript Clone?

Postby Tom T. » Thu Aug 25, 2011 9:08 am

GµårÐïåñ wrote:Not arguing one side or another, but you could also make the same argument about Xerox as well. Some might argue that NOSCRIPT as part of the HTML tag list would supercede the right of the creator that camel cased it. Just saying ;)

Yes, I've seen very dramatic ads by Xerox trying to protect their trademark from becoming generic.

Good point about the noscript HTML tag. But NoScript is a powerful product, not a single tag, and the imitators aren't imitating the tag, they're imitating the name of the product. Also, as a tag, it can be all lower case, whereas proper nouns (names of products, etc.) are customarily capitalized on the first letter, camel-case or not.

Example: mustang or pinto = type of horse. Mustang and Pinto = vehicle brand names that are registered trademarks of Ford Motor Company. No one would dispute that as a model of automobile, they have a right to trademark it. They just can't trademark the horse itself, lol,
corvette - type of sailing ship. You know where this is headed. ;)

And it's good to see you again!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/3.6.18
Tom T.
Field Marshal
 
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: ScriptNo; NoScript Clone?

Postby GµårÐïåñ » Thu Aug 25, 2011 5:22 pm

Yeah I know where you are going with it and its good to see you too. I have been meaning to sit down and write a proper response to the emails you sent me, I just have not had the chance or the right state of mind to do it. Sorry about that.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/6.9 (Windows NT 6.9; rv:6.9) Gecko/69696969 Firefox/6.9
User avatar
GµårÐïåñ
Lieutenant Colonel
 
Posts: 3299
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: ScriptNo; NoScript Clone?

Postby Giorgio Maone » Sun Aug 28, 2011 8:32 pm

Jason wrote:I use Chrome too, is there any perticular reason that u may not recommend the scriptno for chrome?

Yes. Chrome/Chromium misses many key hooks and infrastructures which are indispensable to deliver the security features provided by NoScript with an acceptable degree of completeness and reliability.
If/when they're there, I'm gonna port the proper NoScript to Chrome.
Until then, any "NoScript clone" for Chrome can't be compared to the original, because it's just a different (and inferior) thing.
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0
User avatar
Giorgio Maone
Site Admin
 
Posts: 8625
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: ScriptNo; NoScript Clone?

Postby GµårÐïåñ » Mon Aug 29, 2011 9:00 pm

Giorgio Maone wrote:Until then, any "NoScript clone" for Chrome can't be compared to the original, because it's just a different (and inferior) thing.

I agree completely. I have extensively tested and evaluated the two extensions that claim to deliver NoScript function.

One is called NotScripts, descent interface mimicker of NoScript but functionally quite limited and very slow, causes many scripting hangs and page timeouts. It also doesn't expose what its blocking and what it is not, as it is all defaulted into the code. Configurations is manual and in my opinion begging for a direct access exploit, effectively allow any page to whitelist itself by detecting the extension, its hash and then writing to its temp file. It does however give a very convincing perception of full script control, which is dangerous in giving the user a false sense of security.

Second one is called ScriptNo and although it has a much more elaborate and configurable interface, it is quite superficial and unproven. The individual page controls are elaborate but could potentially be very confusing and offer very little in the way of appeal. It seems decent in many of the Ghostery and Adblock Plus type features it embeds and implements but I think that's window dressing for the fact that in actuality the function is no better than smoke and mirror gimmickry of function and not actual core level reliability. I would posit that it could be defeated by any injected code via Chrome's built-in script interpreter designed to allow function to bookmarklets and widgets.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/6.9 (Windows NT 6.9; rv:6.9) Gecko/69696969 Firefox/6.9
User avatar
GµårÐïåñ
Lieutenant Colonel
 
Posts: 3299
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: ScriptNo; NoScript Clone?

Postby esheesle » Thu Apr 12, 2012 7:22 pm

Giorgio Maone wrote:My only concern is that it is even less reliable than NotScripts, so its user will likely suffer of a false sense of security.
Other than that, it's not a ripoff nor a clone (its name is quite different too), but obviously is something I cannot recommend.


Can you elaborate on why it is even less secure? Just curious as it seems to have more capability than the original Notscripts did.
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
esheesle
 
Posts: 4
Joined: Fri Aug 20, 2010 3:44 pm

Re: ScriptNo; NoScript Clone?

Postby Giorgio Maone » Thu Apr 12, 2012 8:58 pm

esheesle wrote:Can you elaborate on why it is even less secure? Just curious as it seems to have more capability than the original Notscripts did.

More capability? Could you please elaborate?

These are just a few of the many features which NoScript has and ScriptNo (or any other browser extension, for the matter) has not:

  1. Injection Checker Anti-XSS filter. Without it, a script blocker can be easily circumvented by injecting a malicious script in a whitelisted where it will be executed. Before you say Chrome has a built-in one, let me add that Chrome's XSS Auditor, which has been developed years after NoScript pioneered this kind of technology (which at that time was considered non viable) is a joke, being by far the easiest to circumvent, followed by Microsoft's, while NoScript's Injection Checker is still the gold standard in reflective and DOM (type 1 and type 2) XSS protection, as any security researcher with XSS expertize can confirm.
  2. ClearClick Anti-Clickjacking protection. There's nothing like that, in any other browser. As Google itself admits in its Browser Security Handbook,
    Google's Browser Security Handbook wrote:the only freely available product that offers a reasonable degree of protection against the possibility [of Clickjacking] is NoScript
  3. ABE anti-CSRF protection, which by default prevents any attack from the internet to your intranet devices and web applications.
  4. HTTPS enhancements (whose code is reused in the EFF's HTTPS Everywhere extension)

Side notes:

  • The technological foundations which NoScript leverages have been proved and improved in 7 years, and NoScript is the browser security tool of choice of practically all the web security researchers out there, which means a lot of qualified testing. On the other hand, both ScriptNo and the Chromium technologies it leverages are very young and likely buggy: the Web Request and Content Settings APIs, which provide the basic NoScript functionality, just exited their beta stage.
  • I did look both at the NotScripts and at the ScriptNo code, and while the latter is slightly better than the former (which is outright broken), I'd never use either for daily browsing because -- bugs and reliability aside -- they appear to be written with no attention and/or understanding for runtime performance, hence are likely to slow down the browser.
  • Developing NoScript is my main occupation, and I breath web browser security all the day. I'm a member of the Mozilla Security group and an invited expert in the Web Application Security Working Group. Hell, I even won hacking contests involving the best XSS hackers in the world :)
    I'm sure these "clones" have quite bad ass developers as well, but just saying...
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
User avatar
Giorgio Maone
Site Admin
 
Posts: 8625
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: ScriptNo; NoScript Clone?

Postby esheesle » Fri Apr 13, 2012 12:05 am

Think you missed my spelling, I was saying scriptno vs notscripts. I was in no way saying either was remotely comparable to noscript. I love noscript for firefox and would love to see it in chrome, and still hope the chrome security team opens up the necessary hooks for you. You mentioned earlier in this thread that scriptno was less secure than notscript (both of which are worse than noscript).
Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.151 Safari/535.19
esheesle
 
Posts: 4
Joined: Fri Aug 20, 2010 3:44 pm

Next

Return to NoScript General

Who is online

Users browsing this forum: No registered users and 1 guest