Add a subscription for white/black-lists
Re: Add a subscription for white/black-lists
any news?
Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.3a5pre) Gecko/20100427 Minefield/3.7a5pre YB/3.5.1
Re: Add a subscription for white/black-lists
this idea was forgotten?
Mozilla/5.0 (Windows NT 5.1; rv:2.0b4pre) Gecko/20100805 Minefield/3.7a5pre YB/3.5.1
Re: Add a subscription for white/black-lists
hope it wasn't forgotten. still hoping to see it implemented.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Re: Add a subscription for white/black-lists
A year has passed. Nothing changed.
Giorgio, why?
Giorgio, why?
Mozilla/5.0 (Windows NT 6.1; rv:2.0b13pre) Gecko/20110223 Firefox/4.0b13pre
Re: Add a subscription for white/black-lists
It is true that convenience is antagonistic to security. Certainly, subscribing to someone else's analysis of what is and isn't safe is a security compromise.
So, what have we learnt from this thread?
1) Blacklisting becomes unwieldly
2) Whitelisting by subscribing to someone else's list is a risk. But also it is subscribing to their preferences - they might have different needs to you; i.e. they might be browsing in a chroot environment like VMWares Browser appliance.
However,
the problem is still there. That is:
- the workload of reading javascript manually for every site is too high.
For many people who don't bother much with security (perhaps interested in noscript for saving bandwidth), they might just remove noscript and fall back to image and flashblocking.
- The work in determining what is and isn't safe is being duplicated.
I know that when I'm browsing on Facebook thousands of other noscript users have already sifted through the Javascript.
Wouldn't it be nice to share that knowledge?
There are dangers in sharing this knowledge if there is a single source of failure such as a subscription list. So how do we mitigate for that? -through democratic controls in a p2p (aka Hive way). A Firefox extension called PropertyBee does this in a simple, non democratic way. Could this be extended? Sure, there could be disagreement over what is and isn't safe, could we err on the side of caution and still have a few sites everyone agrees are safe?
Right now though, why not post your whitelist rules here for all to comment on?
So, what have we learnt from this thread?
1) Blacklisting becomes unwieldly
2) Whitelisting by subscribing to someone else's list is a risk. But also it is subscribing to their preferences - they might have different needs to you; i.e. they might be browsing in a chroot environment like VMWares Browser appliance.
However,
the problem is still there. That is:
- the workload of reading javascript manually for every site is too high.
For many people who don't bother much with security (perhaps interested in noscript for saving bandwidth), they might just remove noscript and fall back to image and flashblocking.
- The work in determining what is and isn't safe is being duplicated.
I know that when I'm browsing on Facebook thousands of other noscript users have already sifted through the Javascript.
Wouldn't it be nice to share that knowledge?
There are dangers in sharing this knowledge if there is a single source of failure such as a subscription list. So how do we mitigate for that? -through democratic controls in a p2p (aka Hive way). A Firefox extension called PropertyBee does this in a simple, non democratic way. Could this be extended? Sure, there could be disagreement over what is and isn't safe, could we err on the side of caution and still have a few sites everyone agrees are safe?
Right now though, why not post your whitelist rules here for all to comment on?
Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20110508 Firefox/4.0.6 PaleMoon/4.0.6
Re: Add a subscription for white/black-lists
I really would like to see this feature too. Most of the time I spend whitelisting domains which allows me to access the basic functionality of a website. As stated in this post the source code is available in the .xpi file (unzip -> chrome/noscript.jar), so we could add it. For the time being, I think we have to come up with a whitelist creation process anyway => create by single users, democratic, technocratic etc.
Giorgio, thanks for the add-on btw!
Giorgio, thanks for the add-on btw!
Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0
Re: Add a subscription for white/black-lists
Any news?Giorgio Maone wrote:It is, but I've got higher priorities too.iDrugoy wrote:@al_9xSo I just wonder isn't it in his priority list?
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:13.0a1) Gecko/20120210 Firefox/13.0a1
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Add a subscription for white/black-lists
Not yet: current top priorities are 1) Android native UI compatibilit 2) investigation on new Clickjacking techniques and countermeasures 3) Chrome portingiDrugoy wrote:Any news?Giorgio Maone wrote:It is, but I've got higher priorities too.iDrugoy wrote:@al_9xSo I just wonder isn't it in his priority list?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 Firefox/10.0
Re: Add a subscription for white/black-lists
Too bad.Giorgio Maone wrote:Not yet: current top priorities are 1) Android native UI compatibilit 2) investigation on new Clickjacking techniques and countermeasures 3) Chrome porting
When you reach these 3 goals - there will appear more platforms/browsers to port to
Last edited by iDrugoy on Sun Feb 12, 2012 7:40 pm, edited 1 time in total.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:13.0a1) Gecko/20120211 Firefox/13.0a1
Re: Add a subscription for white/black-lists
Giorgio, I wonder why you didn't include Noscript 3 desktop version. Is it postponedGiorgio Maone wrote: Not yet: current top priorities are 1) Android native UI compatibilit 2) investigation on new Clickjacking techniques and countermeasures 3) Chrome porting
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Add a subscription for white/black-lists
All the changes and upgrades to NS will ultimately culminate to what is designated as NS 3.x and given the impracticality of global whitelist/blacklists, it shouldn't be and I would be very surprised for this product if it ever is on a high priority list. It is at best a nice to have feature that is not critical and given such variety of online practices and user behavior, the list based system will undoubtedly be slow, introduce unnecessary issues, ineffective for the masses (payoff v. work that goes into implementing it) and be simply a reason for users to get complacent and lazy. How about we let NS do what its good at and that is to protect us against REAL threats rather than cater to the set-it-and-forget-it style of security.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Add a subscription for white/black-lists
Yes it is, as a consequence of the forced changes which NSA is undergoing because of the sudden move of Mozilla to drop Electrolysis in favour of the Java-native Android shell.tlu wrote:Giorgio, I wonder why you didn't include Noscript 3 desktop version. Is it postponedGiorgio Maone wrote: Not yet: current top priorities are 1) Android native UI compatibilit 2) investigation on new Clickjacking techniques and countermeasures 3) Chrome porting
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
Re: Add a subscription for white/black-lists
Thanks. I had read before that E10 was put on hold - a decision which I regret. I had already suspected that that decision might cause problems for you. Does that mean that you have to completely rewrite NS 3 (or, at least, large parts of it)?Giorgio Maone wrote:Yes it is, as a consequence of the forced changes which NSA is undergoing because of the sudden move of Mozilla to drop Electrolysis in favour of the Java-native Android shell.tlu wrote:[
Giorgio, I wonder why you didn't include Noscript 3 desktop version. Is it postponed
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
Re: Add a subscription for white/black-lists
Hi Giorgio,
thanks so far for implementing this feature. I'm like to use it with our corporate client PCs, in order to deploy our domains and those of our customers to be trusted as part of our business. The subscription will be created by our support system every day.
Is there any way to reject domains, which were trusted before? This would be necessary e.g. if a customer quits.
As far as I can see, the contents of the subscription list is being merged with "capability.policy.maonoscript.sites" resulting in a mix of subscripted and own declared trusts. Wouldn't it be better to devide those lists?
The solution could be to leave the own declarations in "capability.policy.maonoscript.sites", import the subscription to a new variable (which will be overwritten on each import) and add the variable to "capability.policy.maonoscript.sites".
I'm not sure if this is possible at all. Please regard this as a suggestion.
Thanks in advance and have a happy Easter weekend!
thanks so far for implementing this feature. I'm like to use it with our corporate client PCs, in order to deploy our domains and those of our customers to be trusted as part of our business. The subscription will be created by our support system every day.
Is there any way to reject domains, which were trusted before? This would be necessary e.g. if a customer quits.
As far as I can see, the contents of the subscription list is being merged with "capability.policy.maonoscript.sites" resulting in a mix of subscripted and own declared trusts. Wouldn't it be better to devide those lists?
The solution could be to leave the own declarations in "capability.policy.maonoscript.sites", import the subscription to a new variable (which will be overwritten on each import) and add the variable to "capability.policy.maonoscript.sites".
I'm not sure if this is possible at all. Please regard this as a suggestion.
Thanks in advance and have a happy Easter weekend!
Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0 Iceweasel/19.0