Embedded Object Allowances

[Identities Infinite]

That makes total sense. It is coincidental you mention Justin Samuel's RequestPolicy because I have used that for probably about 6 months now and like it just about as much as NoScript. It allows me to not allow externally hosted graphics to load which might slow the time the page takes to load. Not to mention they do me no good so to me they are useless. I also use Ghostery, TrackerBlock, Adblock Plus and RefControl [the latter has no effect on making pages load faster by blocking content].

I was wondering why Giorgio's blog was not on the whitelist. I would hope he deletes malicious code if it happens to find its way on there. Lesson learnt: not to allow any font embedding ever.

[Tom T.]

I also use RefControl [the latter has no effect on making pages load faster by blocking content].

Yes, RefControl is for privacy only, by not letting sites know what site you just left, or which site had a link that you clicked to get there, and many other ways that sites can gather your browsing history.

I was wondering why Giorgio's blog was not on the whitelist. I would hope he deletes malicious code if it happens to find its way on there.

Of course he would, but one of the purposes of that blog is exactly to explore new vulnerabilities, potential methods of attack or trying to bypass NoScript, etc. So exploit code may be deliberately hosted, although it should be benign. Please understand that no one person can constantly monitor every post on this forum and his blog, while also running a business, developing and enhancing NoScript and Flashgot, having a life and a family, etc. So the script at the blog is not default white-listed. The blog is mostly for power-users, who would examine the code first, or take proper precautions like sandbox or virtual machine before running it.

This is true of other so-called "white-hat hacker" sites -- those that try to find and fix security issues before bad people find them.

Lesson learnt: not to allow any font embedding ever.

Better lesson learnt: Not to allow anything, ever, that isn't absolutely necessary for the function you need on that page.

Wikipedia has a good introductory article on Principle of Least Privilege, a time-honored concept that seems to have been forgotten by many these days.
This is becoming a duplicate of my discussion with another user about FRAME and IFRAME, so if you have time, you might want to look at that thread.
Click the following link: http://forums.informaction.com/viewtopi ... 373#p35373

On the Java issue, it occurred to me during my break that if you set Java to check for updates on its own, won't it automatically determine whether you have the latest version, and if not, download it for you? Or does NoScript block that process?

You are correct that the Java Virtual Machine is a program that is installed on your hard drive like any other. In XP, it is in C:\Program Files. I don't use Vista or Win 7, but wherever other programs are stored on those systems, there will be a Java folder. This program is updated occasionally, just as you might update your anti-virus, office suite, etc.

Firefox launches the Java Virtual Machine on demand, if you allow it in NoScript of course. You can see the Java plug-in by typing about:plugins in the Address Bar. There, you will find listed the Mozilla Default Plug-in, probably Shockwave Flash if you have it, and the Java Platform, including the version number.

Please advise if automatic updates of Java isn't working for you. I haven't heard of this problem before, but that doesn't mean that is hasn't happened.

There is probably a Java logo in your Windows Control Panel, which is usually accessible through the Start menu. Double-click the Java logo in Control Panel,
then click the Update tab, and check the box labeled "Check for updates automatically". You then have a dropdown window to select whether to notify you before installing, or before the download itself. You might want to pick an install time when the computer is not too busy doing other things. If you have a fast connection, the download itself may not slow you very much; else, don't OK the download until you have free time. I personally don't let *anything* connect to the Internet, even my anti-virus updater, while I'm doing online banking or other very sensitive things. Perhaps I am overly cautious, but better safe than sorry.

Don't forget to click "OK" after making any changes in the Java Control Panel.

I hope this is helpful. By the way, may I ask for some site locations where Java is required?
Cheers,
- Tom

[Identities Infinite]

Can you link to the article? I would not mind giving it a close read.

Oh man, that Java control panel? Let me get my migraine capsules out for this one. Ever since the beginning of time that thing has never been accessible for me. When I used XP before June 2011 I installed something called Java Access Bridge. At that time it was version 2.0.1 and it worked almost perfectly. They updated it to version 2.0.2 and idiotically they did not compile an executable but rather a simple ZIP file. Every time I copy the exact files to their exact locations outlined by the instructions it does not work. If it did that control panel would be fully or almost fully accessible. I do not know if I would benefit from using version 2.0.2 over 2.0.1 now that I use Windows 7 Ultimate Service Pack 1 32-bit but I am tempted to seek 2.0.1 just to have some control over that Java control panel. I wish somebody would compile an executable for 32-bit operating systems. I have a 50 MiBs down 20 MiBs up connection so I would not notice it.

In regards to sites that use Java, I think the Google site now does. I recently noticed when I press the Search button the page does not reload which caught me offguard initially. When I click on something the page no longer switches to another one; something appears somewhere. Since I block the referrer and switch my IP addresses on every site using AnonymoX I feel more confident using it. It is a shame the Scroogle Scraper site has not worked for quite some time but I hope it comes back. If Google does not make use of it, I can not think of any Java-intensive sites. That is my biggest hang-up about Google: they could use HTML for a lot of their functions but they decided to use that and I never liked it really.

[GµårÐïåñ]

I have NoScript set up to show only base-level domains. This makes it much more easy for me to manage the whitelist and creative.com is on the whitelist. There is a font object still blocked when one of the Flash objects are allowed [not the one with 2 domains like creative.com and http://creative.com I think it is]. The font box is checked and the box to extend untrusted site restrictions to whitelisted sites is also checked. It says something like ‘temporarily allow font at themes.googleusercontent.com’.

I'd say that its an unwise choice to only make decisions on the top level. I would highly recommend that you also have NS show the second one, the third one my opinion is too much and can be mitigated in other ways. But keep in mind that when you have something like bad.domain.com or ads.domain.com, using the first level only give you domain.com and allowing that will allow the other two. But if you were to allow at least the second level too, you could mark the bad.domain.com and ads.domain.com as untrusted and still allow the domain.com and not be opening yourself up to EVERYTHING the site might serve you. Just something to consider.

[Identities Infinite]

I never thought about marking the base-level domain as untrusted whilst allowing a sub-domain. I never have and never will utilise social networking of any kind, do online banquing or purchase online so I should be secure with respect to financial situations. As far as everything else is concerned, I should start to consider sub-domains instead of being too inclusive.

[Tom T.]

Can you link to the article? I would not mind giving it a close read.

If you are referring to the Wikipedia article on Principle of Least Privilege, click here.

It sees that you're quite able to use this forum. Is Wikipedia not easy for you to use? -- just curious. And I did look up the JAWS program there -- very impressive! I had no idea that screen-to-voice readers dated back to the days of MS-DOS.

I was not aware of any use of Java at Google.

I intend to post elsewhere about Scroogle, and suggesting a good alternate: https://duckduckgo.com. Same type of privacy as Scroogle, and *no* scripting or code objects of any kind are required. So you can keep your NoScript lockdown there. And now, maybe the entire Java issue is moot?

I never thought about marking the base-level domain as untrusted whilst allowing a sub-domain.

Actually, I use "full addresses", which includes the protocol, such as http versus https.

This fine-tuning of permissions can solve many issues without having to create ABE rules, as when I couldn't reproduce your font-embedding object at first.
I've been recommending this for a long time, even before ABE.

[Identities Infinite]

I can make good use of forums that use the phpBB software but my personal opinion about it is it uses far too many list tags – when I navigate inside a board there are just too many lists to which I can jump both forwards and backwards. The sighted usually do not navigate by HTML attributes such as visited/unvisited link, list, frames, form fields [which encompass buttons, edit fields, buttons of several kinds, selection boxes etc.] so I notice all the coding in detail. I only read articles on WikiPedia so it is quite easy to navigate with respect to articles. The conception of JAWS goes way back so it was one of the most original inventions that could have hailed from that time period as far as computer technology is concerned.

Does that mean I have no reason to allow DuckDuckGo or any of its domain variants on the whitelist? It does not seem like there is reason to if I do not need to. If you or somebody can confirm there really is no need for the Java plug-ins or the Java program I will remove it completely.

[Tom T.]

I can make good use of forums that use the phpBB software but my personal opinion about it is it uses far too many list tags – when I navigate inside a board there are just too many lists to which I can jump both forwards and backwards.

I tent to avoid list tags, and just list things. If you wish, please try this post, which lists more than 100 sites that are advertising agencies, to help users decide whether to allow their scripting. There is a hash mark or pound sign or number sign, whichever you call it, before each entry, but no actual list tag. Is this readable for you?

The sighted usually do not navigate by HTML attributes such as visited/unvisited link, list, frames, form fields [which encompass buttons, edit fields, buttons of several kinds, selection boxes etc.] so I notice all the coding in detail. I only read articles on WikiPedia so it is quite easy to navigate with respect to articles.

I didn't know whether you could type the article title, "Principle of Least Privilege" into the Wikipedia search box, as you asked for a direct link to it.

Does that mean I have no reason to allow DuckDuckGo or any of its domain variants on the whitelist?

Yes.

It does not seem like there is reason to if I do not need to.

Correct -- everywhere, not just there. The best sites use the least code to accomplish their purpose. Some programmers get paid per line of code, so the more they write, the more they make. And the more useless or dangerous "features" they invent, the longer their employment continues.

Third-pary web site designers will sell the client on lots of bells and whistles so they can try to justify a higher fee.

If you or somebody can confirm there really is no need for the Java plug-ins or the Java program I will remove it completely.

You never know when you might need it for the future, so as long as it's default-blocked in NoScript, there's very little harm in having it.

I use it at one site only, hushmail.com, which offers encrypted e-mail service without the user needing to install an e-mail encryption program on their computer. They serve a Java applet that does the encryption before your message is sent outside of your computer, then the encrypted message is sent over a typical SSL/TLS encrypted connection for even greater safety. I clearly have to trust them, or the encryption is useless, so I trust their Java applet. Because it's the only one that I run, I'm not quite so concerned about having the latest version, as it would be difficult for an outsider to corrupt this. Of course, best practice is still to have the latest updates of all things. Personal opinion only.

[Identities Infinite]

I must admit laziness was the only reason I enquired for a link. I have never searched for anything on the site from the site because I always knew for what I was looking.

I was wondering about that post, thanks for reminding me. I read the list of companies but they are not links and they have that symbol preceding them. I initially thought he must be taking me back to the .ini days referencing comment lines being denoted by the same symbol. I then asked myself what benefit that is if they are not linked [I was actually going to mark every one as untrusted so I would never encounter the ‘zapp’ sound for the ad companies]. Are the names solely for reference?

Is HushMail better than Gmail? Somebody set me up with Gmail in I think 2007 before they changed the layout of all their services for the utmost worst and I just retained my account without thinking. By encryption do you speak of PGP encryption? I used Enigmail for a minute then became irritated when too many people said they could not open the attachment containing my importable RSA 2048 key so I removed it from Thunderbird.

[Tom T.]

I was wondering about that post, thanks for reminding me. I read the list of companies but they are not links and they have that symbol preceding them. I initially thought he must be taking me back to the .ini days referencing comment lines being denoted by the same symbol. I then asked myself what benefit that is if they are not linked [I was actually going to mark every one as untrusted so I would never encounter the ‘zapp’ sound for the ad companies]. Are the names solely for reference?

Yes. Here is the reason that they are not links: Visiting the site of an ad agency is not necessarily a bad thing. On the contrary, they want to attract as many new customers as possible to their advertising service. It's the script that the agency tries to run at the websites that we visit that may be privacy-invasive. They probably don't run their ad script at their own web site, (laugh a bit), so going there will not enable you to blacklist the site. Also, since most ads are served by scripting and other code objects instead of plain text, blocking these domains often results in blocking the ads, even though NoScript is not meant to be an ad-blocker per se. This saves annoyance and distraction to the sighted, and certainly makes page navigation easier for you, wouldn't it? The hash tags are there because the list was copied directly from Yahoo's Privacy Policy, and they were in that list. I used a plain-text copy to get rid of the embedded line breaks, but was too lazy to remove all the hash marks. Also, for the sighted, long lists are often less intimidating to read when there is some kind of marker at the beginning of each entry. There have been requests for an easy way for all users to import blacklists, and this may happen in some future version. Right now, the best I can suggest is to use the Export function mentioned earlier. In the File Name field, enter anything you like. Perhaps just the letters N S. Then "Enter", or click "Save", whichever is easier for you. Then go to your default save location, usually My Documents or Desktop, and open the N S dot T X T file. The third line reads as follows: quote untrusted quote dot. Then a set of quote marks to indicate the beginning of the untrusted list. You can copy from that post, in any order, but must be sure that there is exactly one space between each entry. No space after that opening quote mark, though. The string also closes with a quote mark, with no space between the last entry and the closing quote. Insert a comma immediately after the closing quote, and you are done. Save the changes as usual and close the file. Then open the GUI, click Import, navigate to your modified export, click OK, and you are done. One very long Untrusted list that will save you a lot of annoyance. By the way, after reading your previous comments about using only arrow keys, I have eliminated most of the line breaks and paragraph breaks in my posts. Is this easier for you? Sighted readers find the so-called "wall of text" look daunting, and usually prefer paragraphs that aren't very long, and a blank line in between paragraphs. Let me know if this is better for you.

Is HushMail better than Gmail?

From a privacy point of view, almost anything is better than almost any Google product.

By encryption do you speak of PGP encryption?

Yes, exactly.

I used Enigmail for a minute then became irritated when too many people said they could not open the attachment containing my importable RSA 2048 key so I removed it from Thunderbird.

If they do not have PGP capability installed, then they can't make use of your public key, although mine comes out as a simple dot A S C file, similar to T X T and also opens with Notepad. Encrypt/decrypt is a very specific capability. Hushmail offers the best of both worlds, though at the cost of your having to navigate a few more checkboxes and fields. By default, messages are encrypted. But in the "Message Options" field, you can unclick "Encrypt message", which applies to that message only, and therefore send ordinary mail to ordinary users. Or you can give a challenge/response question that only the recipient would know. For example, let's say that I did not have encrypted mail, but only my Yahoo mail, and we were close friends. You could encrypt the message, set the challenge question as "What is the last restaurant we ate at?", and specify the answer. I must answer that question correctly, then Hushmail will decrypt it for me even through my Yahoo account. As for the GUI, they just recently introduced a new version, which I haven't yet tried. So you could try both, and see which is more convenient for you. They let you have a free account, limited to 25 megabytes of storage, but you must log in once every three weeks, or the account is permanently closed and all saved messages are deleted. They also offer paid service, which does not require you to log in, only to pay the bill. (smile) It also has larger storage capability. I have used the free one for years, and only once did I lose the account. If it becomes your only account, this wouldn't be a problem, but I use Yahoo mainly. One reason is that the log in is a little more cumbersome at Hush. You enter username on the first page, then a new page loads with a password field. This page also has the option to enable the Java encryption applet, which takes about 15 seconds to load on my connection, which is 10 Mbps down and 1 Mbps up. I believe that you can set it to always force the Java encryption applet, but since I don't store permanent cookies on my machines, I need to click the "Enable Java" link each time. We could very easily write you an ABE rule that would allow the Java applet from Hushmail, so that NoScript would not block it. I use Yahoo for non-sensitive mail because of the unlimited storage capacity, and because the standard user-password page can be filled in automatically by my Password Safe tool. (That's with a space between "Password" and "Safe". I think there's another product by the same name, but without the space, in so-called camelcase. I prefer the one with the space.) In Hushmail, I can copy the username from Password Safe, with a U icon, and paste it into the name field, then copy the password by double-clicking on the Hushmail entry, or by using the P icon. then paste into the password field once the Java applet has finished loading. Of course, if you're not going to send encrypted mail during that session, you can skip the Java step. You still get an encrypted connection between you and the Hushmail server. And you can send to those who have their own PGP but do not have a Hushmail account. For example, Giorgio sent me his public key. I uploaded it to Hush, along with his associated email address. They quite properly sent him a confirmation, "Is this you, and do you want your public key stored on our server?". Once he clicks Yes, then we can trade encrypted mail. Of course, I sent him my public key, which Hush will let you download and save easily, and he imported that into his email program. I hope that helps.

[Identities Infinite]

It matters not if a blank line is inserted because JAWS reads a line till I press Down Arrow and continues where it stopped. Right and Left Arrow reads by character and links have 'link' or 'visited link' spoken before the word [e.g. link FAQ or visited link Features]. If there is more than a single subject and a reply for instance contains contrasting pieces it would probably be wise to include a blank line in order to separate.

Since I use Ghostery [block EVERYTHING], TrackerBlock [block EVERYTHING] and RequestPolicy I think I am much more safe than the average Firefox user. I also use Adblock Plus and the complementary Adblock Plus Pop-Up Addon that aids Firefox's native pop-up blocker as well. All that [plus more that escapes me at the moment] backed by NoScript I think I am OK till I encounter another site that belongs in the untrusted list. Speaking of that, I think there should really be a GUI list for those. A quick scenario: one visits a web site, accidentally marks it as untrusted but does not have the list of previously blocked sites option checked, now does not know how to reverse the action. Your instructions would accomplish that but it would be more easy for that novice if the Whitelist tab was renamed Permissions then contained sub-tabs Trusted and Untrusted or Whitelist and Untrusted. It makes more sense to me for something of that nature to be implemented. People will agree and disagree what should and should not be added to a blacklist. There is simply too much debate to use one in my opinion.

I made a mistake. It was RSA 4096 not RSA 2048 [although not important I had to correct myself]. Can HushMail be configured to use the IMAP protocol in conjunction with Thunderbird? I do not use Gmail's interface at all any more and when I did it was the Basic HTML version. The other one is extremely and so disappointingly messy it is horrible. I am sure Adblock Plus does its job there. I wonder if they give free accounts to blind/visually impaired users due to an undisclosed policy. Now defunct, MegaUpload did and they spoilt me with it so it is worth a try.

[Tom T.]

Thank you for clarifying about line and paragraph breaks. I agree that different topics should have their own paragraph if it is not an obstacle. I commented at your other post regarding the possibility of a GUI list for Untrusted being included in the next generation of NoScript. May I use the standard NoScript abbreviation, NS, from now on? I am not the world's best typist.

A quick scenario: one visits a web site, accidentally marks it as untrusted but does not have the list of previously blocked sites option checked, now does not know how to reverse the action.

Recently blocked sites is totally unrelated to Untrusted. If you can navigate the NoScript menu, it is easy to reverse a mistaken Untrusted listing. On the appearance tab, there is a general caption at the top that says "Show..." I don't know if this is read to you, but you seem to know already that checking the boxes causes the item to show in the NoScript menu. Check "Untrusted", keeping in mind that everything on this particular tab is prefixed by "Show". Then, if you accidentally mark a site as Untrusted, and you are still at the same site, open the menu and point to Untrusted. A sub-menu opens, listing the Untrusted scripts that tried to run at that particular site. Click to allow or temporarily alllow them, as you please. Either will remove it from the Untrusted list.

If the menu is difficult or impossible to navigate, it might be easiest just to open prefs.js when Firefox is not running, search for user_pref("noscript.untrusted", then search for the next instance of the site name. Is it possible to delete that site and exactly one trailing space? This would maintain the correct syntax between the surrounding items.

There have been requests for some standard blacklist, but any user is free to create one and offer it. I have always responded as you have, that there is too much debate to create a one-size-fits-all blacklist. Each user should create their own, although my post about some sites you might not want to allow was intended to be a head start on the most commonly-seen unnecessary scripts.

Please keep in mind that there is no need to mark a script Untrusted, as far as sheer permission goes. If it isn't whitelisted, either by default or because you allowed or temp-allowed it, it won't run. I understand that leaving them in this fashion causes you the annoying audible warning, whereas many sighted users, self included, disable that audible warning, so that we have to contend only with a menu full of annoyances, and the visual changes made to the NoScript logo by color-coding. Some elect to have a message show in a bar for some number of seconds, which is user-configurable. It doesn't sound convenient for you, especially if there are multiple script sources being blocked, as is usually the case. So I appreciate the desire to minimize the number of audible warnings by marking them Untrusted.

I made a mistake. It was RSA 4096 not RSA 2048 [although not important I had to correct myself].

Hushmail, like all other PGP-compatible products, uses the standard PGP, GPG, or GnuPG key. Since PGP combines hashing, symmetric encryption, and public-key encryption (asymmetrical encryption), the keys come out longer. Mine is about 1600 alphanumeric characters (not just hex characters). If each character is eight bits, then we have about 12,800 bits in the key. Perhaps this is why your RSA-only key did not work for others?

Can HushMail be configured to use the IMAP protocol in conjunction with Thunderbird?

Only in the Premium Plus version, which is USD $49.98 per year. I use the free version directly from the Web, right through Firefox. But that upgrade also raises the storage limit to ten gigabytes.

I wonder if they give free accounts to blind/visually impaired users due to an undisclosed policy.

If so, it must be undisclosed, as their site doesn't mention it, and a search turned up nothing. It wouldn't hurt to ask. In fact, I just sent them that very request on your behalf. They promise replies within 24 hours, and I need to log off for a long time anyway. I'll let you know when they respond, although we may be conversing before that anyway.

[Identities Infinite]

NS works; I am usually not accustomed to abbreviations but that is OK. What is the difference between recently blocked sites and untrusted? Is the former sites that have been automatically blocked per the default deny mechanism or specifically taken off the whitelist? The menu is easy to navigate, it always has been. I do mark many sites as Untrusted to minimise the audible warnings but do it especially for ad-serving and ad-affiliated domains. I can delete to the exact syntax if I had to but the GUI is obviously more straightforward.

Great minds think alike. I sent them a message earlier so hopefully they grant me something. It is a very steep price and Google offers over 75% of that space for free but with a huge cost of course – it is Google.

[Tom T.]

What is the difference between recently blocked sites and untrusted? Is the former sites that have been automatically blocked per the default deny mechanism

Yes, from previous pages (possibly within that same domain). The ones that are *currently* blocked by default-deny show up in the menu with the choice to Allow or Temp-Allow. So if you hear a script in the menu prefaced by those choices, it means that it tried to run, but it was default-blocked. Scripts that you have removed from the whitelist, but not marked as Untrusted, are placed in the general default-deny category along with the rest of the scripting universe. Those marked as Untrusted, as per other thread, are moved to a sub-menu reached by pointing to Untrusted in the menu, then sliding left or right, as the case may be. (Depends on where your icon is.)

By the way, since you said that JAWS attaches no significance to bold type (short for boldface), I tried another convention used for emphasis in plain-text messages: I put asterisks before and after "currently" in the previous paragraph. Does JAWS read the asterisks? Or is there another way that I can create emphasis on key terms?

Great minds think alike.

Indeed. Do you know the chat abbreviation, L O L ? And do I need to separate those characters? If I write LOL with no spaces, does it try to read it as "lull", or perhaps as something that rhymes with "doll"? Does JAWS attach any significance to a term that is in all-upper-case?

Google offers over 75% of that space for free but with a huge cost of course – it is Google.

Also, Google does not actually encrypt your mail, which is different from merely having an encrypted connection. The latter is better than nothing, of course, but if Google offers a PGP option, I was not aware of it. At Hush, you are getting automatic PGP encryption, whether in the free or paid version, unless you choose to send an unencrypted e-mail to users who don't have encrypted-mail capability.

[Identities Infinite]

JAWS says an asterisk as 'star' but now I understand why you did that. In case of upper case letters there is no difference unless I read by character and that is when the pitch is higher [to denote upper case]. Abbreviations for the most part should be expanded alongside acronyms but I guess that is an imformal and unrecognised one so the synthesiser says 'lole'.

Google never has and never will offer that. Not many people with whom I have ever communicated use it so it would not be too beneficial to me. People just do not understand waht it is and its purpose from a security standpoint. I told people the .asc file is just a textfile not meant to be opened unless you use this system but that just became too annoying.