Fine-tuning Akamai permissions via ABE

Bug reports and enhancement requests
ori999
Posts: 6
Joined: Wed Jan 11, 2012 11:10 pm

Fine-tuning Akamai permissions via ABE

Post by ori999 »

(Split from the large thread, "Discussion: Site Specific Permissions Policy", as this particular discussion focused solely on Akamai.
Intent is to make it more visible to users with Akamai-related questions; more easily found by Search; and to serve users who understandably don't want to wade through the 12+ page main thread -- Tom T. )


Hi, and thank you for the great tool.

I'm a bit confused about the current status of this feature request. I found this when researching the akamai.net problem.

It seems like currently, creating an ABE rule is the only solution? If that's the case, can you please add instructions on how to do this to the FAQ? As I understand it, FAQ #5.4 is wrong anyway (akamai.net doesn't structure its resources like that any more, and hasn't for at least a couple years), so it would seem prudent to update the FAQ in any case, no?

I don't have the time to dig through 11 pages of this discussion to find the information on how to set up an ABE rule to obtain this feature, so it'd be great if that information was somewhere easier to find.

I see reference above to version 3.0 solving this feature in a different way (?), but the link to the announcement of 3.0 talks about a mobile version..... which is really confusing -- I'm just wondering about my desktop's Firefox NoScript addon.

I'd appreciate clarification of where this is at.

Thanks again.
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Discussion: Site Specific Permissions Policy

Post by Tom T. »

ori999 wrote:It seems like currently, creating an ABE rule is the only solution?
Correct, presently.
ori999 wrote:If that's the case, can you please add instructions on how to do this to the FAQ?
ABE FAQ, esp. FAQ 8.10. It provides a template that you can use anywhere. Substitute the script source (URL) for which you want to define permissions, then specify at what domain(s) it will be allowed. Finally, end with "Deny", which is short for "Deny everywhere else except for the site(s) I just allowed in the preceding line".

If you have any trouble, provide the site and the scripts, what you want to do, and we'll help you write it.
ori999 wrote: As I understand it, FAQ #5.4 is wrong anyway (akamai.net doesn't structure its resources like that any more, and hasn't for at least a couple years), so it would seem prudent to update the FAQ in any case, no?
Probably. Akamai used to serve content at Yahoo Mail, which I use, and you're right, it disappeared from the menu some time ago, as it's no longer in my whitelist.

Can you provide a site that still uses Akamai, so I can see how they're doing it now? Then we can do something.
ori999 wrote:I don't have the time to dig through 11 pages of this discussion to find the information on how to set up an ABE rule to obtain this feature, so it'd be great if that information was somewhere easier to find.
ABE FAQ... oops, already said that. ;)

Don't blame you for not wanting to dig through this discussion, but the NoScript FAQ are searchable with Edit > Find (search term). Also, the Forum Rules, which are at the top of this forum and the other NoScript forums, highlighted in a box with "Please read this first" (hey, we asked nicely. ;) ) , has as its very first rule,
1) Please search the FAQ for NoScript or Flashgot, as appropriate, and also search this Forum, *before posting*, to see if your post has already been answered...
Considering the thousands of hours donated by Giorgio Maone to create, maintain, and enhance this *free* tool, and the thousands of hours *donated* by the support team to help users, is it really too much to ask users to take fifteen minutes or less to do that? ... not picking on you personally; many questions at this forum (and most other forums, actually) are answered in the FAQ. It's *faster for the user*, as well as letting the developer and support staff concentrate on things that aren't covered there. 8-)

Admittedly, the FAQ has not evolved as fast as NoScript has. The priorities are: Deal with emerging web threats, often even before they're revealed (or in some cases, even discovered); fix genuine bugs in function; provide enhancements that add genuine user value, often suggested by users; then -- everything else.

<not quite totally facetious> NoScript has several million users worldwide. If each of them were to donate *one* euro, Pound, or dollar, I bet Giorgio could afford to hire someone full-time to edit, update, and improve the FAQ. </not quite totally facetious>

The Support Team consists of four unpaid volunteers, who have to make a living in the Real World, and have some kind of life, we hope ;) , plus donate whatever time we can here.
ori999 wrote:I see reference above to version 3.0 solving this feature in a different way (?), but the link to the announcement of 3.0 talks about a mobile version..... which is really confusing -- I'm just wondering about my desktop's Firefox NoScript addon.
If you read the linked article, NoScript 3.x for the desktop, you'll see that the intent was to port the mobile version to the desktop, hopefully in late 2011.
Unfortunately, these pesky evildoers keep coming up with new threats, to which Giorgio often responds almost immediately:
It's important to say that Giorgio fixes stuff in "hours" (or minutes in some cases), and he has done some crazy stuff just so NoScript users can be safe, so if you don't use it, go get it.
That's from Giorgio's friend and fellow white-hat hacker, sirdarckcat.

Also, the new HTML5 standard went into effect recently, and Firefox has followed the crowd with the "rapid release cycle" of new full version bumps every month or two, some of which may require compatibility updates from NoScript and other add-ons.
ori999 wrote:I'd appreciate clarification of where this is at. Thanks again.
I hope this does the trick. And you're quite welcome. :)
Last edited by Tom T. on Thu Jan 12, 2012 8:47 am, edited 1 time in total.
Reason: typo
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Discussion: Site Specific Permissions Policy

Post by Tom T. »

@ ori999:

Not to belabor the point, but just saw that NS 2.2.6 latest development build includes this entry:
v 2.2.6rc1
===========================================================
x [XSS] Protection against new kind of response splitting + XSS combo
attack responsibly disclosed by Mike Brooks
That wasn't there 24 hours ago. :)

Just another example of "rapid response", and priorities. Would still like to see Akamai in action, if you have a site, and I'll recommend the appropriate FAQ edits.
Thanks.
ori999
Posts: 6
Joined: Wed Jan 11, 2012 11:10 pm

Re: Discussion: Site Specific Permissions Policy

Post by ori999 »

Tom T. wrote:
ori999 wrote:It seems like currently, creating an ABE rule is the only solution?
Correct, presently.
ori999 wrote:If that's the case, can you please add instructions on how to do this to the FAQ?
ABE FAQ, esp. FAQ 8.10. It provides a template that you can use anywhere. Substitute the script source (URL) for which you want to define permissions, then specify at what domain(s) it will be allowed. Finally, end with "Deny", which is short for "Deny everywhere else except for the site(s) I just allowed in the preceding line".

If you have any trouble, provide the site and the scripts, what you want to do, and we'll help you write it.
Thank you for the detailed response. This looks workable once I find the time to put it together. Just for the record, I had had ABE actually disabled entirely as it was causing me grief with some sites at random (browser reboot always fixed it, so it didn't seem to be rule-based but rather a bug). But it's been a while, so I'll turn it back on and see how we go.
Tom T. wrote:
ori999 wrote: As I understand it, FAQ #5.4 is wrong anyway (akamai.net doesn't structure its resources like that any more, and hasn't for at least a couple years), so it would seem prudent to update the FAQ in any case, no?
Probably. Akamai used to serve content at Yahoo Mail, which I use, and you're right, it disappeared from the menu some time ago, as it's no longer in my whitelist.

Can you provide a site that still uses Akamai, so I can see how they're doing it now? Then we can do something.
Today I ran into github.com requiring it. I also read on a slightly older noscript thread somewhere today that etrade.com and newegg.com amongst some others are using it.
Tom T. wrote:
ori999 wrote:I don't have the time to dig through 11 pages of this discussion to find the information on how to set up an ABE rule to obtain this feature, so it'd be great if that information was somewhere easier to find.
ABE FAQ... oops, already said that. ;)

Don't blame you for not wanting to dig through this discussion, but the NoScript FAQ are searchable with Edit > Find (search term). Also, the Forum Rules, which are at the top of this forum and the other NoScript forums, highlighted in a box with "Please read this first" (hey, we asked nicely. ;) ) , has as its very first rule,
1) Please search the FAQ for NoScript or Flashgot, as appropriate, and also search this Forum, *before posting*, to see if your post has already been answered...
I appreciate the nice manner in which you've said all this and I certainly do want to express my appreciation for such a great tool, ESPECIALLY in this world that's gotten us used to being tracked without thinking anything of it.

The thing about the FAQ is that if you read #5.4, you get wrong information. And you have no idea that you can get what you need from ABE/FAQ #8.10. I did a bunch of searching before I got here today - posting here was definitely not what I did first - probably took 30 minutes of reading and searching before I did. Just a quick fix in the FAQ #5.4 would make things pretty good I'd say. (And if there is a better fix than creating ABE rules coming in a new version, it might be helpful to note that, too, because writing ABE rules isn't going to be everyone's cup of tea.)

Thanks again.
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Discussion: Site Specific Permissions Policy

Post by Tom T. »

Investigating Akamai, thanks.

btw, if you have *only* the default SYSTEM rule for ABE, it shouldn't break anything, except for the sites listed in the, uh, pardon my saying this, :)
ABE FAQ. See 8.3 -- 8.9 and 8.11. Probably others will crop up from time to time, since more and more websites seem to consider the user's machine as the site's property :evil: , and use 127.0.0.1, the "local host" or "loopback address" of a machine calling to itself, for Web purposes, for which it really wasn't intended.

(I wouldn't use such a site, but that's just MHO. YMMV.)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Discussion: Site Specific Permissions Policy

Post by Tom T. »

ori999 wrote:As I understand it, FAQ #5.4 is wrong anyway (akamai.net doesn't structure its resources like that any more...

Today I ran into github.com requiring it. I also read on a slightly older noscript thread somewhere today that etrade.com and newegg.com amongst some others are using it.
Newegg and etrade don't seem to use it any more. Some sites are creating their own Content Delivery Networks, e. g., Facebook.com and fbcdn.net (Facebook Content Delivery Network). An article in a business-oriented (as opposed to tech-oriented) news space said that 800-lb-gorilla Amazon's entry into the edge-server business, cloudfront.net, was crushing profit margins in that sector, and that Akamai was struggling as a result.

Github indeed uses Akamai. But the Aka scripts do, in fact, have prefixes. At Github, I saw a248.e.akamai.net.

Check NS Options > Appearance. If you have only "Base 2nd level Domains" checked (the default, IIRC), then also check Full Domains and/or Full Addresses. This will expose the prefix before akamai.net, or any other subdomain on the planet. It's optional whether to keep Base 2nd Level. The menu can get very cluttered, although you can always toggle any of these with a few clicks on the NS GUI. I presume that Giorgio wanted to keep the GUI, script menu, etc., as simple as possible for novice users, while allowing the more tech-savvy, or more willing, to fine-tune -- as said in, uh, FAQ 5.4. :D

However, it was a surprise that Github had *exactly* the same Akamai subdomain as in the FAQ, especially since the FAQ was written (AFAIK) before Github existed. The answer comes from using the JSView add-on, which gives us the entire URL of the Akamai scripts running at GH:

https://a248.e.akamai.net/assets.github.com/javascripts/bundles/jquery-2bdf48207f435863de9c5786265d27d992c7f6c0.js
https://a248.e.akamai.net/assets.github.com/javascripts/bundles/github-826c6f1fd72f47fab15f6fc2a01e5fb90daa9d56.js
That's an awfully long ABE rule :lol: , and the random-looking strings at the end probably change.
But what *should* be enough to identify Akamai/Github, unless I miss my guess, is
Actually, if the a248.e is common, rather than unique, we may not even need it.

Let's try akamai.net/assets.github.com, which *should* uniquely identify all github assets served via Akamai.

ABE USER box:

#Github Akamai rule
Site akamai.net/assets.github.com *.akamai.net/assets.github.com
Accept from github.com *.github.com
Deny
If you encounter Akamai at more than one site, and want to make one rule instead of many, we can probably take advantage of that unique appendage, assets.github.com. ("Probably", because as said, I haven't seen much of Akamai lately.)

#Akamai rule
Site akamai.net *.akamai.net
Accept from github.com *.github.com somesite.com *.somesite.com othersite.com *.othersite.com
Deny
*Presumably*, akamai will run only the appropriate script, e. g.,
akamai.net/assets.somesite.com there, and
akamai.net/assets.othersite.com there.

You can check this for yourself with JSView, a must-have for power-users, but there's no need to be bashful if that's a bit above your tech level, of which of course I'm not aware. Just point us to the multiple sites where akamai occurs, and I or someone else will verify that only the proper scripts are running at each.

Also, if you run into a prefix other than a248.e., then you can create a separate rule for it, including each site at which you see it.

Try this, and please post back on the results.

I may eventually split this off into a separate topic, "Fine-tuning Akamai with ABE", or something like that, as Akamai certainly still has a presence, and a lot of users no doubt have the same question.

For the moment, though, I don't believe that FAQ 5.4 requires editing at this time. Let us see how ubiquitous a248.e is. Agree?
ori999 wrote:I appreciate the nice manner in which you've said all this and I certainly do want to express my appreciation for such a great tool, ESPECIALLY in this world that's gotten us used to being tracked without thinking anything of it.
And I appreciate your taking a positive attitude, and the whole team, especially Giorgio (sole developer and coder of NoScript), appreciates your kind words. :)
ori999 wrote:The thing about the FAQ is that if you read #5.4, you get wrong information. And you have no idea that you can get what you need from ABE/FAQ #8.10.
After our previous exchange, I took a break, and it occurred to me that what was needed was a new post at the top of each forum, locked, stating in only a few sentences what one can do, and pointing to the FAQ. And came back and found your support for that idea. GMTA :ugeek: (great minds think alike).

I'll do that, and ask Giorgio to make them sticky if he approves. It should save hundreds or thousands of posts, and save users like yourself a lot of time and frustration.
ori999 wrote: (And if there is a better fix than creating ABE rules coming in a new version, it might be helpful to note that, too, because writing ABE rules isn't going to be everyone's cup of tea.)
Great idea. Will include that, too.
ori999 wrote: Thanks again.
And thank you for testing the above, for your feedback on the results, and for the ideas. :)
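To make the FAQ 8.10 template and the two rules above concrete, here is a small evaluator (added for illustration; it is not NoScript's own code and only approximates ABE's matching) that decides sample requests against them. It models the rule logic alone, not the NoScript whitelist; the somesite.com/othersite.com origins and the second script URL are constructed from the thread's placeholder names.

```javascript
// Added example, not NoScript's own code: an approximation of how an ABE
// "Site / Accept from / Deny" rule set decides a request. It models only the
// rule logic; NoScript's script whitelist (akamai.net must be allowed there
// for ABE to matter) is outside its scope.

// The two rules from the thread. somesite.com / othersite.com are the
// thread's own placeholder names.
const GITHUB_RULE = `
#Github Akamai rule
Site akamai.net/assets.github.com *.akamai.net/assets.github.com
Accept from github.com *.github.com
Deny
`;

const MULTI_SITE_RULE = `
#Akamai rule
Site akamai.net *.akamai.net
Accept from github.com *.github.com somesite.com *.somesite.com othersite.com *.othersite.com
Deny
`;

// Parse rule text into blocks: each "Site" line opens a block listing the
// destinations it covers, followed by the actions tried in order.
function parseAbe(text) {
  const blocks = [];
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue; // blank line or comment
    const [keyword, ...rest] = line.split(/\s+/);
    if (keyword === 'Site') {
      current = { sites: rest, actions: [] };
      blocks.push(current);
    } else if (current && (keyword === 'Accept' || keyword === 'Deny')) {
      // "Accept from a b ..." limits the action to those origins; a bare
      // "Deny" applies to every origin not accepted by an earlier line.
      const from = rest[0] === 'from' ? rest.slice(1) : null;
      current.actions.push({ action: keyword, from });
    } else {
      throw new Error(`unsupported ABE line: ${line}`);
    }
  }
  return blocks;
}

// "akamai.net" matches exactly that host; "*.akamai.net" matches any
// subdomain of it (a248.e.akamai.net) but not the bare domain.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

// "host/path" patterns also require the URL path to sit under the given
// prefix, which is what keeps akamai.net/assets.github.com from covering
// other customers' assets served from the same Akamai host.
function siteMatches(pattern, dest) {
  const slash = pattern.indexOf('/');
  const hostPat = slash === -1 ? pattern : pattern.slice(0, slash);
  const pathPat = slash === -1 ? '' : pattern.slice(slash);
  if (!hostMatches(hostPat, dest.hostname)) return false;
  return pathPat === '' || dest.pathname === pathPat ||
    dest.pathname.startsWith(pathPat + '/');
}

// Decide one request: originHost is the page making the request, destUrl the
// script being loaded. Returns 'Accept' or 'Deny'. When no Site line covers
// the destination, this rule set says nothing and the request falls through.
function decide(ruleText, originHost, destUrl) {
  const dest = new URL(destUrl);
  for (const block of parseAbe(ruleText)) {
    if (!block.sites.some((p) => siteMatches(p, dest))) continue;
    for (const { action, from } of block.actions) {
      if (from === null || from.some((p) => hostMatches(p, originHost))) {
        return action;
      }
    }
  }
  return 'Accept'; // not covered by this rule set
}

// Sample requests: the GitHub script URL is the one quoted in the thread;
// the somesite.com URL is constructed.
const GITHUB_JQUERY =
  'https://a248.e.akamai.net/assets.github.com/javascripts/bundles/jquery-2bdf48207f435863de9c5786265d27d992c7f6c0.js';
const SOMESITE_APP = 'https://a248.e.akamai.net/assets.somesite.com/app.js';

console.log('github.com  -> github asset :', decide(GITHUB_RULE, 'github.com', GITHUB_JQUERY));
console.log('somesite.com -> github asset:', decide(GITHUB_RULE, 'somesite.com', GITHUB_JQUERY));
console.log('unlisted     -> any akamai  :', decide(MULTI_SITE_RULE, 'unlisted.example', SOMESITE_APP));
```

Note that with the narrow Github-only rule a request for assets.somesite.com is not covered at all, so it is left to the NoScript whitelist; the broader multi-site rule is what denies it from unlisted origins.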
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Discussion: Site Specific Permissions Policy

Post by Tom T. »

Tom T. wrote:
ori999 wrote:The thing about the FAQ is that if you read #5.4, you get wrong information. And you have no idea that you can get what you need from ABE/FAQ #8.10.
After our previous exchange, I took a break, and it occurred to me that what was needed was a new post at the top of each forum, locked, stating in only a few sentences what one can do, and pointing to the FAQ. ...
Tom T. wrote:
ori999 wrote: (And if there is a better fix than creating ABE rules coming in a new version, it might be helpful to note that, too, because writing ABE rules isn't going to be everyone's cup of tea.)
Great idea. Will include that, too.
Done. Check these out (they're all the same):

NS Support
NS Development
NS General

Of course, they need to be discussed among the rest of the team, and it's Giorgio's call as to whether to retain them.

But in any event, thanks for what I thought was a very good suggestion.

Cheers!
ori999
Posts: 6
Joined: Wed Jan 11, 2012 11:10 pm

Re: Discussion: Site Specific Permissions Policy

Post by ori999 »

Tom, WOW, you've really gone far beyond the call in providing such detailed responses here. I just lament the fact that it will be lost in the noise of 12 pages of discussion and others will miss it.

I also regret I'm not going to be able to give the response it deserves, but I do have a couple things I can offer:
Tom T. wrote:
ori999 wrote:As I understand it, FAQ #5.4 is wrong anyway (akamai.net doesn't structure its resources like that any more...

Today I ran into github.com requiring it. I also read on a slightly older noscript thread somewhere today that etrade.com and newegg.com amongst some others are using it.
Newegg and etrade don't seem to use it any more. Some sites are creating their own Content Delivery Networks, e. g., Facebook.com and fbcdn.net (Facebook Content Delivery Network). An article in a business-oriented (as opposed to tech-oriented) news space said that 800-lb-gorilla Amazon's entry into the edge-server business, cloudfront.net, was crushing profit margins in that sector, and that Akamai was struggling as a result.
A-ha. Well, this is important news for me, as I'd had it whitelisted from a long time ago, but you've made me go look and see that in fact I don't need to whitelist it any more! Problem solved. But let me add a few things:
Tom T. wrote:Github indeed uses Akamai. But the Aka scripts do, in fact, have prefixes. At Github, I saw a248.e.akamai.net.

Check NS Options > Appearance. If you have only "Base 2nd level Domains" checked (the default, IIRC), then also check Full Domains and/or Full Addresses. This will expose the prefix before akamai.net, or any other subdomain on the planet. It's optional whether to keep Base 2nd Level. The menu can get very cluttered, although you can always toggle any of these with a few clicks on the NS GUI. I presume that Giorgio wanted to keep the GUI, script menu, etc., as simple as possible for novice users, while allowing the more tech-savvy, or more willing, to fine-tune -- as said in, uh, FAQ 5.4. :D

However, it was a surprise that Github had *exactly* the same Akamai subdomain as in the FAQ, especially since the FAQ was written (AFAIK) before Github existed.
That's why I still believe FAQ #5.4 should be changed. While perhaps we can all celebrate the demise of Akamai and less people will need that FAQ, those who do are misled into whitelisting a domain that may serve other content than they intended to whitelist, and that's really not a good thing. For some (most?) people, I think the actual NoScript FAQ is going to be the first port of call when diagnosing issues.

Here is the post I read yesterday that included more info about this (although you have shown it is dated):

http://forums.informaction.com/viewtopi ... t=60#p3089

As for the ABE rules you've SO VERY KINDLY suggested for me, it ends up I don't need to run them thanks to Akamai's downfall, but I did want to acknowledge your time and effort and say that for me, it looked pretty straightforward (but I am a technical person). The rules *looked* like they'd do what you'd want them to do. I guess the only other important thing to note is that, as I believe from reading the FAQ, you need to whitelist the akamai.net domain in the main NoScript settings for those rules to take effect.
Tom T. wrote:
ori999 wrote:The thing about the FAQ is that if you read #5.4, you get wrong information. And you have no idea that you can get what you need from ABE/FAQ #8.10.
After our previous exchange, I took a break, and it occurred to me that what was needed was a new post at the top of each forum, locked, stating in only a few sentences what one can do, and pointing to the FAQ. And came back and found your support for that idea. GMTA :ugeek: (great minds think alike).

I'll do that, and ask Giorgio to make them sticky if he approves. It should save hundreds or thousands of posts, and save users like yourself a lot of time and frustration.
ori999 wrote: (And if there is a better fix than creating ABE rules coming in a new version, it might be helpful to note that, too, because writing ABE rules isn't going to be everyone's cup of tea.)
Great idea. Will include that, too.
ori999 wrote:
Well, I was making suggestions for the FAQ itself, but I read your sticky thread/post and it is very informative and well written. Maybe the only thing I'd suggest is putting an actual link to the FAQ in there. If anyone finds these posts like I did - through a search engine - then it's less than clear how to find the FAQ, especially since these forums aren't on the same domain as the main NoScript site.

Again, THANK YOU for going beyond the call!
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Discussion: Site Specific Permissions Policy

Post by Tom T. »

ori999 wrote:Tom, WOW, you've really gone far beyond the call in providing such detailed responses here. I just lament the fact that it will be lost in the noise of 12 pages of discussion and others will miss it.
Which supports the earlier idea of splitting this off into a new topic, "Fine-tuning Akamai permissions via ABE".

I agree that the SSP thread has become far too bulky to be useful. It was (quite correctly) created quite a while back by merging many posts on the same topic, but those questions still continue to arrive in new topics created by users. One can hardly blame them (or you) for not wanting to dig into all 160+ posts in the existing thread.

It's hoped that if the proposed stickies stay, it will greatly reduce the need for same, and would then limit such queries only to specific instances or problems (and to those who won't read a sticky that's posted at the top of all three main NS forums ;) ).
ori999 wrote:As I understand it, FAQ #5.4 is wrong anyway (akamai.net doesn't structure its resources like that any more...

Today I ran into github.com requiring it. I also read on a slightly older noscript thread somewhere today that etrade.com and newegg.com amongst some others are using it.
"Slightly" older? Almost three years old. Computer years are like dog years -- that's almost 21 years old. IOW, totally obsolete. :mrgreen:
ori999 wrote:
Tom T. wrote:Github indeed uses Akamai. But the Aka scripts do, in fact, have prefixes. At Github, I saw a248.e.akamai.net.
However, it was a surprise that Github had *exactly* the same Akamai subdomain as in the FAQ, especially since the FAQ was written (AFAIK) before Github existed.
That's why I still believe FAQ #5.4 should be changed. While perhaps we can all celebrate the demise of Akamai and less people will need that FAQ, those who do are misled into whitelisting a domain that may serve other content than they intended to whitelist, and that's really not a good thing. For some (most?) people, I think the actual NoScript FAQ is going to be the first port of call when diagnosing issues.
I'm still not completely sold. The missing info is a large sampling of the (diminishing number of) sites that use Akamai, to see whether unique identifiers are still used as sub-domains. Perhaps Aka lost the contract with the previous owner of a248.e, and, after some reasonable period of time, reused that ID for a new customer -- much as a telephone company or ISP might do. It would be a coincidence that you stumbled on the exact recipient, Github, but if Aka has so few customers any more....

Posting a number of sites with identical prefixes supports your suggestion.
If they can't be found, and/or a number of sites with differentiating prefixes are posted, then the FAQ is still valid, it seems. And ABE is not required in that case.
ori999 wrote:As for the ABE rules you've SO VERY KINDLY suggested for me, I guess the only other important thing to note is that, as I believe from reading the FAQ, you need to whitelist the akamai.net domain in the main NoScript settings for those rules to take effect.
Correct.
ori999 wrote:Well, I was making suggestions for the FAQ itself, but I read your sticky thread/post and it is very informative and well written. Maybe the only thing I'd suggest is putting an actual link to the FAQ in there.
:shock:
Third line of all three contains the link to the general ABE FAQ, and to the specific per-site-permission subsection, at least on my screen. Do they not on yours?
ori999 wrote:Again, THANK YOU for going beyond the call!
You're very welcome. And thank you for motivating the needed investigation/update of Aka's current status.

SSP is an important issue that is growing in popularity.
If the stickies work out, it's an epic win for both users and support team. :)
ori999
Posts: 6
Joined: Wed Jan 11, 2012 11:10 pm

Re: Discussion: Site Specific Permissions Policy

Post by ori999 »

Tom T. wrote:
ori999 wrote:As I understand it, FAQ #5.4 is wrong anyway (akamai.net doesn't structure its resources like that any more...

Today I ran into github.com requiring it. I also read on a slightly older noscript thread somewhere today that etrade.com and newegg.com amongst some others are using it.
"Slightly" older? Almost three years old. Computer years are like dog years -- that's almost 21 years old. IOW, totally obsolete. :mrgreen:
ori999 wrote:
Tom T. wrote:Github indeed uses Akamai. But the Aka scripts do, in fact, have prefixes. At Github, I saw a248.e.akamai.net.
However, it was a surprise that Github had *exactly* the same Akamai subdomain as in the FAQ, especially since the FAQ was written (AFAIK) before Github existed.
That's why I still believe FAQ #5.4 should be changed. While perhaps we can all celebrate the demise of Akamai and less people will need that FAQ, those who do are misled into whitelisting a domain that may serve other content than they intended to whitelist, and that's really not a good thing. For some (most?) people, I think the actual NoScript FAQ is going to be the first port of call when diagnosing issues.
I'm still not completely sold. The missing info is a large sampling of the (diminishing number of) sites that use Akamai, to see whether unique identifiers are still used as sub-domains. Perhaps Aka lost the contract with the previous owner of a248.e, and, after some reasonable period of time, reused that ID for a new customer -- much as a telephone company or ISP might do. It would be a coincidence that you stumbled on the exact recipient, Github, but if Aka has so few customers any more....
I'm going to have to STRONGLY disagree with your logic here. Privacy concerns like this should always be handled more pro-actively than you suggest. As far as we know, the last known methodology Akamai had for its content hosting was to use the same host for more than one customer. You reason that because some sites appear to have stopped using Akamai that they MAY have changed their hosting methodology? That's a GUESS, and our privacy should not be based on guesses - bad ones at that --> I think if Akamai is losing market share, they probably have fewer resources to invest in changing systems that are already functioning fine. Moreover, we now see that a much newer site just happens to be using the same hostname - as you admit, that's an interesting coincidence at least. Seeing that, I'd say the BEST GUESS we can make is that in fact Akamai has not changed their system and is still putting multiple customers on the same host. And short of making guesses, we should stick with the last known information. Being more CAREFUL about privacy issues means FAQ #5.4 really should be re-written. At a minimum, a note should be added letting people know that whitelisting Akamai may risk whitelisting other content.

Additionally, changing the FAQ in this manner preempts the possibility that Akamai could revert to putting multiple customers on one host even if they're not doing that now, and it DOES NOT HURT users' NoScript settings if they whitelist Akamai only for a certain site, whereas a blanket whitelist of Akamai DOES carry risk that your guesses are wrong (as honestly, I'd say they are).

Sorry for the rant, but I think privacy protection deserves more rigorous thought. :-)
Tom T. wrote:Posting a number of sites with identical prefixes supports your suggestion.

If they can't be found, and/or a number of sites with differentiating prefixes are posted, then the FAQ is still valid, it seems. And ABE is not required in that case.
Looks like this site uses the same host for hosting mostly images (but maybe not scripts):

http://www.crutchfield.com
http://www.crutchfield.com/S-t0fEunxevLq/

And as already noted:

http://github.com
Tom T. wrote:
ori999 wrote:Well, I was making suggestions for the FAQ itself, but I read your sticky thread/post and it is very informative and well written. Maybe the only thing I'd suggest is putting an actual link to the FAQ in there.
:shock:
Third line of all three contains the link to the general ABE FAQ, and to the specific per-site-permission subsection, at least on my screen. Do they not on yours?
Oops! Sorry, I got too busy reading the rest to notice. Yes the links are there!
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Discussion: Site Specific Permissions Policy

Post by Tom T. »

ori999 wrote:
Tom T. wrote:Posting a number of sites with identical prefixes supports your suggestion.
Looks like this site uses the same host for hosting mostly images (but maybe not scripts):

http://www.crutchfield.com
That single example of a second same prefix proves the need for updating the FAQ -- and also renders the long rant moot. ;)

Now, wasn't it easier to prove the need than to argue the principle that the FAQ shouldn't be changed until it was known for certain that it should be?
The one case proved nothing. The second case proved everything. :) And your research probably took less time than composing the argument. :mrgreen:

But for the heck of it:
As far as we know, the last known methodology Akamai had for its content hosting was to use the same host for more than one customer.
We knew nothing of the sort. We knew that Github used the prefix listed in the FAQ.

And as said before, Idk for certain when, where, or how Giorgio chose that example. I "guessed" (that's the real meaning of "AFAIK", lol), but I could have been mistaken. He could have taken it from Github at some later date. I'd ask him, but as he's been on hiatus for a while, finding a second site was faster. :)

I'll recommend the FAQ edits. Since only Giorgio can edit the FAQ, Idk when that will happen. Especially since the entire FAQ will have to be revamped when NS 3.x comes to the desktop. Still, FAQ should be accurate at any given stage.
(Um, you haven't by any chance donated towards that full-time paid staff yet, have you? -- KIDDING!)

Thanks again for the investigation and suggestion.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
ori999
Posts: 6
Joined: Wed Jan 11, 2012 11:10 pm

Re: Discussion: Site Specific Permissions Policy

Post by ori999 »

Tom T. wrote:
ori999 wrote:
Tom T. wrote:Posting a number of sites with identical prefixes supports your suggestion.
Looks like this site uses the same host for hosting mostly images (but maybe not scripts):

http://www.crutchfield.com
That single example of a second same prefix proves the need for updating the FAQ -- and also renders the long rant moot. ;)

Now, wasn't it easier to prove the need than to argue the principle that the FAQ shouldn't be changed until it was known for certain that it should be?
The one case proved nothing. The second case proved everything. :) And your research probably took less time than composing the argument. :mrgreen:
No, the rant was important. The principle shouldn't be overlooked just because a mundane proof was found. The principle is really important I think.
Tom T. wrote:But for the heck of it:
As far as we know, the last known methodology Akamai had for its content hosting was to use the same host for more than one customer.
We knew nothing of the sort. We knew that Github used the prefix listed in the FAQ.
Not true. I showed you a post that's over 2.5 years old that showed something like five sites that were using the same Akamai domain. It seems like *you* hadn't heard of Akamai before, so you might have missed this, and that's fine, I'm not calling you out. But I do believe my logic is correct. In my searching around, I think I may have read another thread or two that pointed out the same problem, but I don't feel like it's important to get too pedantic.
Tom T. wrote:And as said before, Idk for certain when, where, or how Giorgio chose that example. I "guessed" (that's the real meaning of "AFAIK", lol), but I could have been mistaken. He could have taken it from Github at some later date. I'd ask him, but as he's been on hiatus for a while, finding a second site was faster. :)
Your guess was appropriate. He wrote that FAQ a long time ago, probably before Github was on the scene. Your logic stands to reason, and when user privacy is in the balance, following that logic is the safer choice - the RIGHT choice. Instead, you started advocating not to make the safe choice just because you didn't know for sure if your guess was right. I'm a little perplexed that someone involved in a community supporting a tool that has privacy as one of its primary uses would do that. If it was because the FAQ is off limits for you to edit yourself - and the hassle involved might have factored into your wanting to just leave it as is (and please excuse my projecting), well, then it seems like maybe NoScript or at least its supporting tools should be more *open* (to its support team) in the true spirit of FOSS.

Again, don't get me wrong - I still really appreciate the way you've gone out of your way to respond to me and offer such detailed, excellent help. I'm NOT calling you out, but I do think it's important to make safer choices when the result of making the other decision has the potential of compromising user privacy.
Tom T. wrote:I'll recommend the FAQ edits. Since only Giorgio can edit the FAQ, Idk when that will happen. Especially since the entire FAQ will have to be revamped when NS 3.x comes to the desktop. Still, FAQ should be accurate at any given stage.
(Um, you haven't by any chance donated towards that full-time paid staff yet, have you? -- KIDDING!)

Thanks again for the investigation and suggestion.
And thanks for all YOUR help!!
Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Fine-tuning Akamai permissions via ABE

Post by Tom T. »

I really don't want to get in an argument, especially an O/T one, or get too pedantic, so just a couple of quick notes on specifics. Our philosophies are more in line than you might think.

Of course I've heard of Akamai. In an earlier post, I said that it used to be part of Yahoo Mail, which is my daily provider for non-sensitive (non-encrypted) e-mail. And that Aka disappeared from Ymail some time back. But of course I was aware of it.

As for the 2009 post, .... my bad. :oops:
You had named two sites that used to use Akamai, newegg and etrade, based on a "slightly older" post. I checked, and they didn't.
So when you posted the specific link, I checked the age of the post, and replied as you saw -- obsolete. But didn't read the whole thing; specifically, the *five* domains that shared the a248.e. prefix. Which, uh, you never mentioned. ;)
Today I ran into github.com requiring it. I also read on a slightly older noscript thread somewhere today that etrade.com and newegg.com amongst some others are using it.
Nope, they weren't any more.
(later post):
Here is the post I read yesterday that included more info about this (although you have shown it is dated):

viewtopic.php?f=10&t=415&start=60#p3089
Still no heads-up about the five identical sub-d's, so given that it was dated.... I throw myself on the mercy of the Court, figuring that my posts were long enough already :mrgreen: , and time-consuming enough, for each of us. Maybe a teensy bit of omission on your part not to alert to The Five, esp. after it was plain that I'd checked newegg and etrade, without comment on others?

Or we could quit playing the blame game altogether, be glad that an ongoing situation is being addressed, and thank each other for the mutual effort to achieve the goal. I vote for that. Do I hear a second?

As for the FAQ, it's no hassle at all. I PM Giorgio. If he agrees, he does it when he can do it. That is his *own* site, at his expense, and he'd prefer to be responsible for every word on it, just as he is responsible for every line of code in NS. Do you blame him?
Discussing things here, and editing them, even among Moderators, is fine. The FAQ isn't a discussion place or a place for Mods to make edits.

Unfortunately, Giorgio's relative hiatus is running a bit longer than expected. This is one of the downsides of BusFactor=1 projects. The upside is very fast emergency response, a single point of authority and responsibility, etc. The flip side is "too many cooks spoil the broth", and other proverbs. The more people involved, the more the final project is likely to be bloated, and probably more insecure. Microsoft and Adobe are prime examples, and alas, Mozilla is headed in that direction rapidly.

Would you want NoScript to be designed by Wikipedia? And have a Wiki for the FAQ, Features, and other documentation? (rhetorical question :lol: )

I hope that addresses, and to some degree explains, the differences, when in retrospect all these words were needless.
If I could edit the FAQ, I would. I can't. I've done what I can. Anything else within my power, like the ABE rules, don't hesitate to ask.

Are we cool?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25
ori999
Posts: 6
Joined: Wed Jan 11, 2012 11:10 pm

Re: Fine-tuning Akamai permissions via ABE

Post by ori999 »

Tom T. wrote:be glad that an ongoing situation is being addressed, and thank each other for the mutual effort to achieve the goal. I vote for that. Do I hear a second?
Sure, of course! I do appreciate your help very much!
Tom T. wrote:As for the FAQ, it's no hassle at all. I PM Giorgio. If he agrees, he does it when he can do it. That is his *own* site, at his expense, and he'd prefer to be responsible for every word on it, just as he is responsible for every line of code in NS. Do you blame him?
Discussing things here, and editing them, even among Moderators, is fine. The FAQ isn't a discussion place or a place for Mods to make edits.

Unfortunately, Giorgio's relative hiatus is running a bit longer than expected. This is one of the downsides of BusFactor=1 projects. The upside is very fast emergency response, a single point of authority and responsibility, etc. The flip side is "too many cooks spoil the broth", and other proverbs. The more people involved, the more the final project is likely to be bloated, and probably more insecure. Microsoft and Adobe are prime examples, and alas, Mozilla is headed in that direction rapidly.

Would you want NoScript to be designed by Wikipedia? And have a Wiki for the FAQ, Features, and other documentation? (rhetorical question :lol: )
There can be big problems for "BusFactor=1" projects. I wouldn't be so quick to throw the Bazaar model under the bus (pun intended!).

https://en.wikipedia.org/wiki/The_Cathe ... the_Bazaar

But we digress.
Tom T. wrote:If I could edit the FAQ, I would. I can't. I've done what I can. Anything else within my power, like the ABE rules, don't hesitate to ask.

Are we cool?
Absolutely. Again, THANK YOU!
Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Fine-tuning Akamai permissions via ABE

Post by Tom T. »

ori999 wrote:There can be big problems for "BusFactor=1" projects. I wouldn't be so quick to throw the Bazaar model under the bus (pun intended!).

https://en.wikipedia.org/wiki/The_Cathe ... the_Bazaar
I don't see why the Bazaar model necessarily applies only to projects with many developers. One dev can use the model.

NoScript's latest development build is available to everyone. Anyone can open the .jar and other files to look at the code. Feedback from users has led to many, many enhancements and fixes in NS. Giorgio is one of the most receptive people I know in this regard, and not just in sw.

btw, IMHO, I disagree strongly with the "Release early. Release often" philosophy, which too often amounts to doing beta testing on (non-tech-savvy) consumers. The list of examples is endless. The approach with NS is to make the dev builds available ASAP to those willing to try them, but to have a high confidence level before issuing a new stable release. This, on a product that runs around 2 MB. Do the "early, often" stable release with Windows, Adobe, or, for that matter, Firefox -- meh. YMMV.

There was a thread requesting an open repository of working code. One concern is that someone could create their own fork, perhaps with a flaw or two thousand, and it would end up reflecting negatively on Giorgio. Another is that while this is not "proprietary sw" by any means, it has become pretty much a full-time (if not more) project for Giorgio, and donations and the ads at the home page (not here, and not in the product -- no splash screens, nag screens, etc.) are the only way he is compensated for being taken away from his real job, while still being able to support his wife and family.

I have privately expressed concern about the Bus Factor. In the dreaded event that Giorgio is unable to continue for any reason, I'd hope he has a backup plan in mind, perhaps his good friend Eduardo Vela or a few others. I think the subset of devs that are capable of this is fairly small, else there would be genuine competition, as opposed to pathetic wanna-bes. (ScriptNo, etc.)
Again, THANK YOU!
And you.
And again, cheers.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.25) Gecko/20111212 Firefox/3.6.25