Guest wrote: Thanks for the tip on RefControl, installed and working great.
Glad you like it. For another leap in more finely-grained control, look at RequestPolicy. It dovetails beautifully with NoScript, because NS is not an image-blocker or content-blocker per se, but is targeted to *executable* content. RP shows
all requests to other sites, which can eliminate "web bugs" and other privacy invasions. The developers of each wholeheartedly endorse using both. A bit more to mess with in menus, but a small price for the huge increase in control.
I've changed the NS Force HTTPS entry to *.google.* per your advice. Thanks for that too.
Add all of your online banks and other financial institutions (credit card company, etc.), *including on the Cookie tab*, in case one of them is lazy. In fact, this feature was prompted by the revelation that certain banks (coughbofacough) were serving an *insecure* login page, with a big black padlock by the user/pass fields (but none in the browser). You *sent* your creds over a secure connection, but the insecure portal is massively easier for phishers to duplicate, intercept, etc.
Very few financial sites commit this error any more. We like to think that the publicity created by the discussion and implementation of the Force HTTPS feature had something to do with that.
I never really went near NS's advanced settings before, and only found out about the Force HTTPS setting while researching another Addon.
My own personal suggestions for Advanced tab:
on Untrusted, checking all except "Hide <NOSCRIPT> elements".
Trusted: Uncheck all except "Show the <NOSCRIPT> element etc."
XSS: Remove all exceptions, but save them somewhere (in a text doc) in case they ever apply to you.
Over the years, the XSS checker has been refined more and more, reducing both false positives and necessities for exceptions.
If you do get an XSS warning, it is better to report it. Giorgio often has made further tweaks based on such reports.
I'm going to take a look next at the ABE sub-forum to see what I can pick up.
The ABE FAQ is the best place to start, and once comfortable with that, the ABE Rules .pdf has a slightly more technical discussion, still reasonably accessible. This should save a lot of forum-reading.
I came across this rule over at Wilders, but want to learn a little more first, before I mess with ABE.
-ABE (Application Boundaries Enforcer) A simple rule like:
Site http://
Deny INC from https://
will make it so that unencrypted third party objects will not be loaded.
Here's a rule suggested by Giorgio to defeat a particular type of Web attack called "NAT pinning".
The tech details are interesting but unimportant, and it shouldn't cause any harm (you'll get an ABE message if it blocks something):
# NAT Pinning blockage (blocks outbound HTTP traffic to unlikely ports)
Site ^https?://[^/]+:[0-35-7]
Deny
Add this to the top of the USER ruleset.
Thanks again, Tom, and hope you have a great weekend,
RD.
You're welcome, and back atcha.
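As an added example (not part of this thread or of NoScript itself), here is a small Python checker that applies the NAT-pinning Site rule quoted above to constructed request URLs and shows which ports it actually denies. It assumes, as a simplification of ABE's matching, that a Site pattern beginning with ^ is a regular expression tested against the full URL and any other pattern is a plain URL prefix.

```python
import re

# The rule from the thread, as a (Site pattern, action) pair.
NAT_PINNING_RULE = ("^https?://[^/]+:[0-35-7]", "Deny")


def site_matches(pattern: str, url: str) -> bool:
    """Assumption: a pattern starting with '^' is a regex on the full URL,
    anything else is a prefix (ABE's own matcher is richer than this)."""
    if pattern.startswith("^"):
        return re.match(pattern, url) is not None
    return url.startswith(pattern)


def denied_by_rule(rule: tuple, url: str) -> bool:
    """True when the rule's Site pattern applies and its action is Deny."""
    pattern, action = rule
    return action == "Deny" and site_matches(pattern, url)


def classify(urls, rule=NAT_PINNING_RULE) -> dict:
    """Map each request URL to 'Deny' or 'Allow' under the rule."""
    return {u: ("Deny" if denied_by_rule(rule, u) else "Allow") for u in urls}


# Constructed sample requests. The pattern keys on the FIRST digit of the
# port, so 80, 8080 and 443 pass while 21, 3000 and 6667 are blocked.
SAMPLE_URLS = [
    "http://example.test/",          # no explicit port -> Allow
    "http://example.test:8080/",     # 8... -> Allow
    "https://example.test:443/",     # 4... -> Allow
    "http://example.test:21/",       # 2... -> Deny
    "http://example.test:3000/",     # 3... -> Deny (local dev servers too)
    "http://example.test:6667/",     # 6... -> Deny (IRC-style port)
    # Caveat: "[^/]+" also spans userinfo, so a URL carrying "user:1pass@"
    # is denied even though no unusual port is involved.
    "http://user:1secret@example.test/",
]

if __name__ == "__main__":
    for url, verdict in classify(SAMPLE_URLS).items():
        print(f"{verdict:5}  {url}")
```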
