What protection with scripts globally allowed?

[Aspirant]

First, I would thank the NoScript creator and support team for the advanced and innovative protection it provides for users.

I have NS 1.9.8.86 installed on my PC with Fx 3.5.3, and I am learning, tuning and testing it before installing it on my spouse's PC. My spouse is very non-technical and doesn't want to spend time learning about PC security. When I installed a HIPS on my spouse's PC, which created lots of pop-ups while it trained on applications, she learned to just allow everything. In her hands, the HIPS provides no security. I learned from this that I must find security solutions that are 99% transparent for normal activities so that she will not learn to automatically allow everything.

My experience with testing legitimate web sites is that a significant percentage of them are unusable without JavaScript. If I use the default settings of NS, I am sure my spouse will learn to allow all new sites that don't work completely. Therefore, I decided that I must allow scripts globally with NS and find more surgical methods to block security and privacy problems. I don't want to go into much detail here, but my successful surgical security measures include normal PC usage on a limited user account, software restriction policy, software firewall and HIPS that silently block anything I didn't install, and Fx extensions: ABP, BetterPrivacy, MediaPlayerConnectivity and Roboform. In this topic, I would rather not debate about whether or not to allow scripts globally.

In addition to allowing scripts globally, I presently have the boxes "Apply these restrictions to trusted sites too" and "Forbid <IFRAME>" checked in the Plugins tab. I have already seen how NS protects against automatically running Java apps with this configuration, and I am quite pleased. I read (http://noscript.net/faq#qa7_3) that ClearClick works with scripts globally allowed. My first question is, besides ClearClick and blocking automatic execution of plugins, what other protection does NS provide with this configuration? Specifically about XSS, JAR, HTTPS and ABE.

My spouse has successfully implemented many security strategies that involve a rule/behavior applied 100% of the time. Given that I allow scripts globally, my second question is what behavior can I do to prevent XSS problems with sites I log into (especially financial sites)? Perhaps close Fx, open Fx, log into the site, don't open tabs for other sites, close Fx (which deletes regular and super cookies). I am hoping someone suggests a more convenient procedure with full XSS security.

Thanks in advance for help from the support team.

[Aspirant]

I found the FAQ confirming that JAR blocking works with scripts globally allowed: http://noscript.net/faq#jar

Since I checked "Apply these restrictions to trusted sites too", there is no benefit to putting sites in the whitelist for many of the NS protections. I am especially unclear about whether XSS and HTTPS protections work with my settings, even if I add to the whitelist sites where I log in.

[Giorgio Maone]

I am especially unclear about whether XSS and HTTPS protections work with my settings, even if I add to the whitelist sites where I log in.

Yes, XSS and HTTPS protections are independent of your whitelist permissions.
So are ClearClick (anti-Clickjacking) and ABE (anti-CSRF): they all work with "Scripts Globally Allowed" as well.

[Aspirant]

Thanks for the quick and helpful reply Giorgio.

My spouse has successfully implemented many security strategies that involve a rule/behavior applied 100% of the time. Given that I allow scripts globally, my second question is what behavior can I do to prevent XSS problems with sites I log into (especially financial sites)? Perhaps close Fx, open Fx, log into the site, don't open tabs for other sites, close Fx (which deletes regular and super cookies). I am hoping someone suggests a more convenient procedure with full XSS security.

Here are some questions to help me understand better how to guide the user behavior with scripts globally allowed:
1. If I display a malicious site, then log into a financial site on the same tab, can the scripts of the malicious site cause problems for me with the financial site?
2. If I am logged into a financial site, then display a malicious site on the same tab, can the scripts of the malicious site cause problems for me with the financial site?
3. Do scripts from a web page terminate if I navigate to another domain on the same tab?

[Giorgio Maone]

1. If I display a malicious site, then log into a financial site on the same tab, can the scripts of the malicious site cause problems for me with the financial site?

Usually not, if you reached the financial site through a bookmark or manually typing its address. If you reached it by navigating from a link on the malicious site, you're probably in troubles.

2. If I am logged into a financial site, then display a malicious site on the same tab, can the scripts of the malicious site cause problems for me with the financial site?

Yes it can, while you're still logged in.

3. Do scripts from a web page terminate if I navigate to another domain on the same tab?

Usually yes, unless a vulnerability like this affects your browser.

[Aspirant]

Thanks again for the quick and helpful reply Giorgio. Thanks also for the info on the mysterious ghost scenario. Good that I have IFRAME protection enabled in NS.

Is there better security/privacy for a financial site by opening it in a second Fx window instead of a second Fx tab?

Does the following procedure provide at least equal financial protection compared to scripts globally disabled?
1. Close Fx (if open)
2. Open Fx
3. Navigate to the financial site using a bookmark or typing in the address
4. Log out from the financial site
5. Navigate to any site in Fx

[Giorgio Maone]

Does the following procedure provide at least equal financial protection compared to scripts globally disabled?
1. Close Fx (if open)
2. Open Fx
3. Navigate to the financial site using a bookmark or typing in the address
4. Log out from the financial site
5. Navigate to any site in Fx

Yes, this is a good setup. However it's still vulnerable to session hijacking, especially in hostile network environments.
NoScript's HTTPS enhancements (to be manually configured) and the new Strict Transport Security support (transparent, as soon as web sites will implement it consistently) help against it.

[Aspirant]

I am glad to learn about the vulnerabilities with my procedure. I use static addresses for DNS (OpenDNS) and, so far, I have not tried an anonymizing proxy. I guess there is still a chance of session hijacking on my cable internet. I am looking forward to the next NS version supporting Strict Transport Security since I use PayPal.

It is painful to use the NS's HTTPS enahancements. If I set it to "Always" require HTTPS for active content, then a lot of sites break. I put sites that I log into in my whitelist to get NS's XSS protection. I could put most of them in the HTTPS force list, but it would be really tedious to synchronize these two lists (and then synchronize two computers and preserve the lists across NS updates). It would be great if NS provided an option to force HTTPS for sites in the whitelist, with exceptions in the Never list (a small list for me).

[Arpirant]

Maybe my suggestion about the new HTTPS option is not practical. Instead of putting most of my whitelist sites into the HTTPS force list, I decided to just put sites from which a hacker could steal money (using a money mule). This list consists of credit card and banking sites, which is a small and stable list. Thus, the current NS HTTPS interface works well for this.

[Agent99]

4. Log out from the financial site
5. Navigate to any site in Fx

Apologies for the hijack.
I replace step 5 with Close Fx session| restart Fx session. in case the site's server stuffs up the logout response page. ...or the user forgets to logout and navigates away from the site forgetfully.
Additionally, since there is a lot of complementary security functionality under the Fx, not just the NS, hood, could I point at the the Fx hidden preference:
browser.identity.ssl_domain_display;2 The default value for Fx3.x is 1, but with 2, the URL bar is given as eyecatching a full, blue confirmation of the certificate details as the Extended Validation green bar display.

This is text, is highlighted, has value for careful readers, and has complementary value to all the other security measures discussed in this thread.
Some non-technical users I've dealt with are very comfortable with the concept of using it and report feeling more confidence in text than in padlock icons; they are either confused by icon styles or by icon positions.

[Aspirant]

My thanks to Giorgio and Agent99 for help. I am still interested in the answer to this:

Is there better security/privacy for a financial site by opening it in a second Fx window instead of a second Fx tab?

[Giorgio Maone]

Is there better security/privacy for a financial site by opening it in a second Fx window instead of a second Fx tab?

No.