NoScript Sightings

[Giorgio Maone]

@ Giorgio:
Did you break the lnk deliberately?

No, I did it accidentally. Fixed, thanks.

[therube]

(I don't know why you only got a Page 3 billing )

6 Ways to Defend Against Drive-by Downloads

3. Install NoScript on your Firefox browser. NoScript is a free, open source add-on that allows only trusted websites that you choose to run JavaScript, Java and Flash. Brandt says running Firefox with NoScript prevents "a lot" of drive-by downloads. "As far as I can tell, it's the only surefire method of preventing an accidental infection of a Windows PC by exploit-kitted web pages," he wrote on Solera Networks' blog last December.

[GµårÐïåñ]

http://donttrack.us/

Lists NoScript as a tool to be used for privacy.

[therube]

Post mortem report on the sinowal/nu.nl incident « Fox-IT International blog

did the drive-by download also succeed when ff was used with NoScript ?

The drive-by would not have succeeded, as the g.js or gs.js javascript on nu.nl might have worked, because users of nu.nl might have whitelisted the site, but the exploit kit also requires javascript and the loading of a java applet or PDF file, which all requires interaction when using NoScript.

http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/

[GµårÐïåñ]

Comment on the popularity of NoScript and the ongoing MemShrink project for Firefox;
http://blog.mozilla.com/nnethercote/2012/01/11/memshrink-progress-week-30/

[dhouwn]

What security problems does sandboxing not solve?

We focus on certain aspects on protection - to avoid someone else than you to manipulate software that you use, to control in ways you do not want.
There are no such thing as a catch-all security solution, so, to be very clear -

• it is not a replacement for noscript + friends. A nasty javascript that does something INSIDE your browser might still be able to hurt you. The objectives of IronSuite is to restrict what an application can do to the surrounding environment, other applications and data. Cross-origin data thefts can still work, so thats why you need things like noscript
• […]

[DJ-Leith]

With the demise of Firefox 3.6.xx we will all soon be using a browser with HTML5.

In November 2011 Trend Micro published three linked blog posts on
HTML5: The Good, The Bad and The Ugly

I recommend that you read them in order but I can't post the URLs.

Code: Select all

http: //blog.trendmicro .com/html5-thegood
http: //blog.trendmicro .com/html5-the-bad
http: //blog.trendmicro .com/html5-the-ugly

At the end of the third post, HTML5 – The Ugly, Robert McArdle says:

... there are two free tools which can offer very good protection:
1. NoScript: The NoScript browser plugin is already well known in security circles. This excellent tool restricts how JavaScript and other plugins run on untrusted sites. ...

I transitioned from Fx 3.6.28 to Fx 11 on 20-April-2012.

DJ-Leith

[Tom T.]

...I recommend that you read them in order but I can't post the URLs....

I'm curious: Why not? You're an established member here, and the site is hardly spam; it's good tech info.
Did you get blocked when you tried to post them?

At the end of the third post, HTML5 – The Ugly, Robert McArdle says:

... there are two free tools which can offer very good protection:
1. NoScript: The NoScript browser plugin is already well known in security circles. This excellent tool restricts how JavaScript and other plugins run on untrusted sites. ...

The second post talks about Clickjacking and XSS, and mentions only some server-side protections against Clickjacking.
It omits that NoScript offers the best and most effective *user* protections available against Clickjacking and XSS, regardless of what the site does or doesn't do.

Did you not find it odd that the series lists Geolocation as both good and bad?
I don't see the good. If I need a site to know where I am (directions to some place), I'll enter it myself, thank you. The other 99.9% of the time, it's just another privacy invasion.

They cite "Web Notifications" as being good, but also an easy tool for phishers, etc.

I can foresee "Drag and drop" being another huge vector for malware installation. I'd like my browser to be like the current advertising campaign (in the US) for holidays to Las Vegas, Nevada: "What happens in Vegas stays in Vegas".
Moi: "What happens in the browser stays in the browser".

You can already move stuff out of your Temp or Temporary Internet Files folders, but that's a very deliberate process. Make it too easy, and I can see a lot of users being misled...

MHO. YMMV.

I guess this is my last day on 3.6.28....

Good post, thanks.

[DJ-Leith]

...I recommend that you read them in order but I can't post the URLs....

I'm curious: Why not? You're an established member here, and the site is hardly spam; it's good tech info.
Did you get blocked when you tried to post them?

Yes, the anti spam blocked the post. Nearly all my posts have links (and I've struggled with the anti spam before).
However, on reviewing my posts it is usually the URLs that are NOT forums.informaction .com or mozilla that trigger the anti spam. I'm very happy that you (the Moderators) try and 'keep the spam links down'.
I'm also happy to use the 'Code brackets'.
However, in this case - even the 'Code brackets' failed: I had to break the links.

Back to the main Topic, Tom T., I agree with all your points.
My intention was to let Robert McArdle speak for himself.
Your comments will, I hope, encourage more folk to read about HTML5.
His three posts are well written for an audience that is not too technical. You, I and many readers here, are well
aware that NoScript protects us.
Some of our 'friends and family' may need an introduction to some of these issues.
The reason I posted this now (as opposed to 2011) was to coincide with the end of Fx 3.6.xx.

Good post, thanks.

You are most welcome, thanks for your endorsement.

[Tom T.]

(The URL-posting issue was split to Metaforum, "Unable to post URLs in [Code] tags" -- Tom T.)

....
Your comments will, I hope, encourage more folk to read about HTML5.
His three posts are well written for an audience that is not too technical....
Some of our 'friends and family' may need an introduction to some of these issues.

Agree wholeheartedly. Do please pass on those links, and this thread, to all who are willing to read.

The reason I posted this now (as opposed to 2011) was to coincide with the end of Fx 3.6.xx.

Another good point. Most non-tech users have no idea that the basic language of the Web, HTML, is different for post-F3 versions of Firefox.

Most will update (some won't), so yes, very timely to post now. Thanks again.

[GµårÐïåñ]

This author tries in vane to give advise on beating NoScript, not knowing his suggestions are USELESS.
http://www.makeuseof.com/tag/3-tactics-dealing-adblock-users-site/

Not to mention attempts to bundle us as villains.

[Tom T.]

This author tries in vane to give advise on beating NoScript, not knowing his suggestions are USELESS.
http://www.makeuseof.com/tag/3-tactics-dealing-adblock-users-site/

Not to mention attempts to bundle us as villains.

See this very fine post by an enthusiastic NS supporter.
(And accept your fair share of the praise, my friend. )

[dhouwn]

Austrian science and technology show (on a public channel) had a segment on surveillance and privacy and NoScript is mentioned around the 22. minute for blocking stuff like Google Analytics scripts: http://tvthek.orf.at/programs/1306-Newton

[Thrawn]

GHacks 'Firefox Security Guide' article recommends NoScript to "give you the maximum security and privacy possible."

Several people may be interested/amused by the fact that the author suggests it as a replacement for Adblock Plus.

There's some other security advice there worth noting, too, including a few about:config tweaks.

[Tom T.]

(At this point, there was a discussion of a recent article about how to defeat ad-blockers and NoScript, and comments thereon. Split as O/T, to Forum Extras > Web Tech, here.)