Jojo999 wrote: If I DON'T allow a script to run, then in many cases I don't see any content on the page. So I am going to allow the script to run; otherwise I would be staring at little or nothing.
That's when you need to either use a sandbox and try it and see, or better yet, add RequestPolicy to the mix and a nifty ABE rule that will keep you isolated and safe in case something makes it past you. There is no magic bullet here, and any product that promises you one you should truly be suspicious of, because it's snake oil. The fact is that NoScript goes as far as possible using code logic, human-adapted logic and a dedicated person like Giorgio who busts his ass to keep it as up to date as possible and nab anything in the works, however minor, to make it as safe as possible. Hell, several times while the world was caught with their pants down, the NS users were just fine, because Giorgio had already implemented it when he was made aware of it and didn't wait for the rest of the world to fix it.
What is needed (was hoped for) is for NS to recognize when a script like this is bad and whether certain parts or all of it should not be allowed. If this is not technically possible, then so be it. But then there is nothing that can be done about this type of attack other than for the user to pay attention to the Address line.
How do you propose that NoScript make that very human and very subjective diagnosis for you? Think about it: have you ever seen TWO programmers writing their crap the same way, let alone the entire web? How is a program supposed to evaluate code for being "bad"? There is nothing more than code logic (logic AI), and what you are asking requires more than that. What you are asking for at this time is pure fiction. 20+ years on the internet (before it was even the shiny crap it is today) and I have NEVER EVER been pwned, or phished, or hacked, or anything; it's ridiculous how complacent and incapable most of the user base really is. The reason I have not been affected is because I never "set it and forget it" as most of the solutions out there advertise, and people buy into it hook, line and sinker until they are screwed, then they whine. I do intrusion and malware testing for a living and I do all that on my OWN computer, on the SAME profile I use for the rest of my web access, even my banking and all that, and not once have I had an issue. I mean, does it kill anyone to check? I went to the link, and even when I did allow it and it showed up with the fake Gmail page, nothing, and I mean NOTHING, showed up, because my RequestPolicy nailed the cross-domain reference that was allowed to slip through because the script was allowed. Now, is it a pain in the ass to browse the web? Hell yeah, but consider the alternative and decide what's more important to you, form or function? NoScript is as close to BOTH as you are going to get, so if you find a better solution, please, by all means, enlighten us.
Same issue with the CSS mod. When I see one of those, I nearly always click allow unless I am on what I think is a safe site. Most users have no way of knowing if these things are safe or not. This is also why so many users get in trouble with firewalls. Most don't understand what they should or should not allow, so they just click yes to everything.
Well, those who take the time and learn do well, and those who sit back and say it's too hard to understand and difficult this and that are the ones who get pwned; what's new? I say take a day, a week, a month and put your system through rigorous, step-by-step processing, and THEN what you do normally will be fine, and what suddenly jumps out at you, you know to take a second look at. There is no magic here, people; it's called being vigilant.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
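An added illustration, not part of the post above or of NoScript's shipped rule set: the kind of ABE (Application Boundaries Enforcer) rule the reply refers to when it talks about staying "isolated". The domain `.bank.example` is a placeholder. The rule tells NoScript to accept requests to the bank's pages only when they originate from the bank itself, and to deny them from any other origin, so a script on a look-alike page that the user did allow to run still cannot make the browser issue cross-site requests against the real bank session.

```text
# ABE user rule (illustrative; .bank.example is a placeholder domain)
# Apply this policy to every request whose destination is the bank site
Site .bank.example

# Requests that the bank's own pages make to themselves are fine
Accept from SELF
Accept from .bank.example

# Anything else (a request started from some other site, e.g. a page
# that merely looks like the bank) is refused
Deny
```

Rules are read top to bottom and the first match wins, so the two `Accept` lines must come before the catch-all `Deny`; the reverse order would block the bank's own page loads. This complements, rather than replaces, checking the address bar: ABE decides where a request may come from, not whether the page you are looking at is genuine.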