ScriptNo; NoScript Clone?
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: ScriptNo; NoScript Clone?
They rely on superficial and insecure methodologies to perform what they claim, echoing a false sense of function and security. There is no API or core browser functionality that they are leveraging to perform the task. While NoScript rightly waited until something resembling a worthwhile API was created to POSSIBLY accommodate its awesome power. Hence why currently in Alpha/POC phase to see if the newly created APIs are sufficiently powerful and granular enough to give a NoScript port for Chrome the same bang as the original. Doubtful that will ever be true on Chrome, but it's a start and being worked on by Giorgio. We'll see how it turns out.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.140 Safari/535.19 Comodo_Dragon/18.0.3.0
Re: ScriptNo; NoScript Clone?
NoScript has been many times recommended by US-CERT, the operational arm of the National Cyber Security Division (NCSD) at the United States Department of Homeland Security (DHS).
For fun, go to http://www.us-cert.gov/
and search for NoScript. Here is the first page of 151 results.
Enjoy browsing the rest of the recommendations by the US Government's cybersecurity agency.
US-CERT Vulnerability Note VU#441529 - Mozilla Firefox JavaScript ...
... Use NoScript Using the Mozilla Firefox NoScript extension to whitelist web sites
that can run scripts and access installed plugins will mitigate this ...
www.kb.cert.org/vuls/id/441529 - 13k
US-CERT Vulnerability Note VU#758769 - Adobe Flash Player ...
... Consider using the NoScript extension to whitelist web sites that can run Flash
in Mozilla browsers such as Firefox. See the NoScript FAQ for more information. ...
www.kb.cert.org/vuls/id/758769 - 16k
[ More results from www.kb.cert.org/vuls/id ]
US-CERT Vulnerability Note VU#395473 - Adobe Flash player code ...
... Workarounds for users running Mozilla-based browsers: Using the Mozilla Firefox
NoScript extension to whitelist websites that can run scripts and access ...
www.kb.cert.org/CERT_WEB/services/vul-n ... enDocument - 18k
US-CERT Vulnerability Note VU#751808 - Apple QuickTime remote ...
... Using the NoScript Firefox extension to whitelist web sites that can run scripts
and access installed plugins will mitigate this vulnerability. ...
www.kb.cert.org/CERT_WEB/services/vul-n ... enDocument - 17k
US-CERT Alert TA08-087A -Mozilla Updates for Multiple ...
... 9. Disable JavaScript. Some of these vulnerabilities can be mitigated by
disabling JavaScript or by using the NoScript extension. ...
www.us-cert.gov/cas/techalerts/TA08-087A.html - 12k
US-CERT Alert TA07-199A -Mozilla Updates for Multiple ...
... page. Disable JavaScript. Some of these vulnerabilities can be mitigated
by disabling JavaScript or using the NoScript extension. ...
www.us-cert.gov/cas/techalerts/TA07-199A.html - 12k
[ More results from www.us-cert.gov/cas/techalerts ]
US-CERT Vulnerability Note VU#159523 - Adobe Flash Player integer ...
... Consider using the NoScript extension to whitelist web sites that can run Flash
in Mozilla browsers such as Firefox. See the NoScript FAQ for more information. ...
www.kb.cert.org/CERT_WEB/services/vul-n ... enDocument - 14k
US-CERT Vulnerability Note VU#443060 - Mozilla Firefox 3.5 ...
... Use NoScript Using the Mozilla Firefox NoScript extension to whitelist web sites
that can run scripts will help to mitigate this vulnerability. ...
www.kb.cert.org/CERT_WEB/services/vul-n ... enDocument - 15k
US-CERT Vulnerability Note VU#466433 - Web sites may transmit ...
... The NoScript Firefox extension may mitigate these types of vulnerabilities by forcing
specified websites to use HTTPs and by setting the secure attribute on ...
www.kb.cert.org/CERT_WEB/services/vul-n ... enDocument - 20k
US-CERT Current Actvity Archive
... Users should consider disabling JavaScript and using the NoScript Add-on as
workarounds until a fix is released by the vendor. Additional ...
www.us-cert.gov/current/archive/2010/10/27/archive.html - 28k
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: ScriptNo; NoScript Clone?
esheesle wrote:
> Think you missed my spelling, I was saying scriptno vs notscripts. I was in no way saying either was remotely comparable to noscript. I love noscript for firefox and would love to see it in chrome, and still hope the chrome security team opens up the necessary hooks for you. You mentioned earlier in this thread that scriptno was less secure than notscript (both of which are worse than noscript).
Sorry for my misplaced rant, I actually misread "Notscripts" for "NoScript" (and this makes me wonder how many people get confused, something I probably underestimated so far).
However, in my reply I wrote
Giorgio Maone wrote:
> I did look both at the NotScripts and at the ScriptNo code, and while the latter is slightly better than the former (which is outright broken)
In fact, recent ScriptNo versions take advantage of the latest Chrome APIs to block inline scripts, while last time I checked NotScripts was unable to perform this very basic task for a script blocker, so while I can't recommend any of them, I surely advise more strongly against NotScripts.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Re: ScriptNo; NoScript Clone?
Giorgio Maone wrote:
> Sorry for my misplaced rant, I actually misread "Notscripts" for "NoScript" (and this makes me wonder how many people get confused, something I probably underestimated so far).
Exactly.
Which is why, earlier in this thread, I wrote:
Tom T. wrote:
> I don't know the law in the EU, or whether it's worth your trouble. But the NS site has at the bottom, "Copyright © 2004-2011 InformAction - All rights reserved".
> So under US law, you have a trademark right to the name "NoScript", and I think any reasonable Court would find that "ScriptNo" could easily be confusing to the public, and an illegitimate attempt to capitalize on your reputation, user base, and goodwill. They would then issue an injunction prohibiting the use of the name "ScriptNo", probably award you court costs, attorney fees, etc. It would be more difficult to prove monetary damages, since the product is free and donation-supported, unless there were a sudden drop-off in donations that correlates to the release of ScriptNo. But at least they'd have to come up with a more original name, like maybe "ScriptBlock" or something else not so close to NoScript.
> Again, not sure it's worth the trouble of hiring a US attorney, and don't know EU law, but just mentioning that it's a pretty solid case. Same goes for "NotScript" -- too close to yours.
Perhaps MZ would help a little there, by requiring other alleged script-blocking add-ons to choose names less similar to NoScript?
Have you asked?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Re: ScriptNo; NoScript Clone?
Thanks for the explanation and sorry for the confusion. Can't wait for a true noscript for chrome (and dolphin mobile hopefully)
Mozilla/5.0 (Linux; U; Android 2.3.4; en-us; ADR6425LVW Build/GRJ22) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Re: ScriptNo; NoScript Clone?
Current Scriptno got 1 strangest (maybe serious) bugs.
On a fresh chrome + fresh scriptno.
Paste into URL bar
Code: http://www.isjavascriptenabled.com/
Reload
Observe this behaviour on quite a number of site.
2nd if temporarily allowed top level domain, sometimes some 3rd party script also pull in simultaneously.
Noscript obviously does not have this problem.
Chrome + NOTscript also does not have this behaviour.
Latest Scriptno with webrequest api got this behaviour.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20100101 Firefox/12.0
Re: ScriptNo; NoScript Clone?
lipsin wrote:
> Current Scriptno got 1 strangest (maybe serious) bugs.
> On a fresh chrome + fresh scriptno.
> Paste into URL bar
> Code: http://www.isjavascriptenabled.com/
> Reload
> Observe this behaviour on quite a number of site.
That's terrible. It sounds as if reloading the page is allowing the script. That's not a bug, it's a broken product.
> 2nd if temporarily allowed top level domain, sometimes some 3rd party script also pull in simultaneously.
The same. Useless.
> Noscript obviously does not have this problem.
> Chrome + NOTscript also does not have this behaviour.
> Latest Scriptno with webrequest api got this behaviour.
I wish that other products were forbidden to use confusing names that sound like NoScript.
"A false sense of security is worse than no security at all."
Perhaps you could post your results in a review of ScriptNo, and at Chrome sites? Users should know how flawed the product is.
Thanks for the information.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: ScriptNo; NoScript Clone?
lipsin wrote:
> Current Scriptno got 1 strangest (maybe serious) bugs.
> On a fresh chrome + fresh scriptno.
> Paste into URL bar
> Code: http://www.isjavascriptenabled.com/
> [...]
> 2nd if temporarily allowed top level domain, sometimes some 3rd party script also pull in simultaneously.
> Noscript obviously does not have this problem.
> Chrome + NOTscript also does not have this behaviour.
> Latest Scriptno with webrequest api got this behaviour.
It sounds really bad: ScriptNo for Chrome can't protect you when you really need it most, i.e. when visiting an unknown website for the first time.
Regarding NotScripts, while it's not affected by the same bug, it's useless as well: try to visit this page, which exposes NotScripts for Chrome's inability to block inline scripts.
Yet another proof that the current "NoScript-like" extensions for Chrome offer their users a very dangerous false sense of security.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
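Added example, not part of the thread and not code from NoScript, ScriptNo or NotScripts: one way a blocker can make the decision before any script runs is to attach a Content-Security-Policy response header that depends only on the page URL and the allow-list, so a first visit, a reload, inline scripts and third-party scripts all get the same fail-closed treatment. Every function name, the sample allow-list and the Manifest V2 wiring at the end are assumptions made for illustration.

```javascript
// Added example; every name below is hypothetical, not taken from any extension.
// Constructed sample allow-list of origins the user has explicitly permitted.
const ALLOWED = new Set(["https://example.org", "https://cdn.example.net"]);

// Origin of a URL, or null when it cannot be parsed or has an opaque origin.
function originOf(url) {
  try {
    const o = new URL(url).origin;
    return o === "null" ? null : o;
  } catch (e) {
    return null;
  }
}

// CSP value for one document. The answer depends only on the URL and the
// allow-list, so a first visit and a reload are treated identically.
function buildScriptPolicy(documentUrl, allowed) {
  const origin = originOf(documentUrl);
  // Unknown or unparsable origin: fail closed. 'none' blocks external AND
  // inline scripts, because 'unsafe-inline' is absent.
  if (origin === null || !allowed.has(origin)) return "script-src 'none'";
  // Allowed page: its inline scripts may run, but external scripts load only
  // from origins that are themselves on the list, so allowing the top-level
  // site does not pull in arbitrary third parties.
  return "script-src 'unsafe-inline' " + [...allowed].sort().join(" ");
}

// Append the policy to a response header list shaped like [{name, value}].
// Appending is safe: when several CSP headers are present the browser
// enforces all of them, so this can only tighten the site's own policy.
function applyToHeaders(responseHeaders, documentUrl, allowed) {
  return responseHeaders.concat([
    { name: "Content-Security-Policy", value: buildScriptPolicy(documentUrl, allowed) },
  ]);
}

// Assumed wiring for a Manifest V2 Chrome extension; skipped outside a browser.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    (d) => ({ responseHeaders: applyToHeaders(d.responseHeaders || [], d.url, ALLOWED) }),
    { urls: ["<all_urls>"], types: ["main_frame", "sub_frame"] },
    ["blocking", "responseHeaders"]
  );
}
```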
Re: ScriptNo; NoScript Clone?
Approached the developer on Twitter quite a while ago.
Reply: "Will look into it soon."
Maybe I should send another mail with details now.
My reaction is the same as you guys'. Total deal breaker, no way the version can be used at all if this is true.
***
NOTscript got their own set of troubles.
1) Like Giorgio said, it doesn't block inline script. (Developer did admit that limitation)
2) Won't work correctly with 3rd party cookies blocked.
3) Abandonware (Developer maybe moved on to Opera, but that also seems abandoned)
4) As usual bugs here and there. (since basically developer abandoned it)
5) Can't match noscript robustness even in core feature "Block Script"
***
The only thing keeping me on Firefox is a true "NOSCRIPT".
Chrome missing piece.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20100101 Firefox/12.0
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: ScriptNo; NoScript Clone?
Giorgio Maone wrote:
> Sorry for my misplaced rant, I actually misread "Notscripts" for "NoScript" (and this makes me wonder how many people get confused, something I probably underestimated so far).
If you recall Giorgio, this was EXACTLY why I was upset and urged to nip it in the bud when we first discovered it but everyone, including you thought people can tell the difference, similarities are disallowed in branding for this reason. Everyone thought I was overreacting, but I saw this coming.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.152 Safari/535.19 Comodo_Dragon/18.1.2.0
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: ScriptNo; NoScript Clone?
lipsin wrote:
> Current Scriptno got 1 strangest (maybe serious) bugs.
> Observe this behaviour on quite a number of site.
> 2nd if temporarily allowed top level domain, sometimes some 3rd party script also pull in simultaneously.
> Noscript obviously does not have this problem.
> Chrome + NOTscript also does not have this behaviour.
> Latest Scriptno with webrequest api got this behaviour.
I go back to my initial and long ago objection to these tools that provide a false sense of security, which is, as my friend has also said, worse than no security. They are not properly initializing the hook or the API so they are catching after the fact, which is often when the damage is already done. I wear the vest BEFORE I get shot, not after I get shot and put it over the gaping hole.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.152 Safari/535.19 Comodo_Dragon/18.1.2.0
Re: ScriptNo; NoScript Clone?
@ Giorgio:
Giorgio Maone wrote:
> ...Regarding NotScripts, while it's not affected by the same bug, it's useless as well: try to visit this page, which exposes NotScripts for Chrome's inability to block inline scripts....
Sorry, I don't understand the point of the demo. With noscript.net whitelisted, the page shows blank, as does the page source code, on both Fx. 3.6.28 and Fx 11.0.
If there is some script trying to run that NotScripts *should* block, but doesn't, shouldn't allowing the domain let your demo run?
RequestPolicy shows no attempted requests elsewhere, on either version of Fx, so apparently there's no third-party script or plug-in content being called?
GµårÐïåñ wrote:
> Giorgio Maone wrote:
> > Sorry for my misplaced rant, I actually misread "Notscripts" for "NoScript" (and this makes me wonder how many people get confused, something I probably underestimated so far).
> If you recall Giorgio, this was EXACTLY why I was upset and urged to nip it in the bud when we first discovered it but everyone, including you thought people can tell the difference, similarities are disallowed in branding for this reason. Everyone thought I was overreacting, but I saw this coming.
(cough)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: ScriptNo; NoScript Clone?
Tom T. wrote:
> Sorry, I don't understand the point of the demo. With noscript.net whitelisted, the page shows blank, as does the page source code, on both Fx. 3.6.28 and Fx 11.0.
Sorry, I forgot the "t" and "s" in "notscripts.html" (confusion, again), should have been http://noscript.net/misc/notscripts.html
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Re: ScriptNo; NoScript Clone?
Giorgio Maone wrote:
> Tom T. wrote:
> > Sorry, I don't understand the point of the demo. With noscript.net whitelisted, the page shows blank, as does the page source code, on both Fx. 3.6.28 and Fx 11.0.
> Sorry, I forgot the "t" and "s" in "notscripts.html" (confusion, again), should have been http://noscript.net/misc/notscripts.html
Thanks, I see the demo now. Very effective!
Can you find a way to publish this where Chrome users would see it?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Re: ScriptNo; NoScript Clone?
I really think that Giorgio should take up the trademark issue here. Maybe taking out the fakes would spur Google to enable the real thing. Cease and desist letter?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (Linux; U; Android 2.2.1; en-gb; GT-S5570 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1