Discussion: User Level Configuration Wizard

[GµårÐïåñ]

Giorgio, I know that you said you have made NS a last to enforce extension so that it allows Adblock and so on to catch stuff first and not interfere; however, I wanted to know that if someone (SAY ME) wants to make NS assert itself FIRST and FOREMOST which would be tremendously more beneficial to me than the current model, how would I make that change? Can we provide this option either via UI or even as a hidden setting to be modified through :config to set the order via integer or boolean (last/first)?

Additionally, can you setup and initial wizard with 3 bubbles (or buttons) labeled user levels 1. Beginner (least interference), 2. Moderate (some control), 3. Advanced (full control, most restrictive) and then depending on what they choose, set their initial level to the configurations matching those defaults. If I may propose the following model:

1. Beginner
*Allow sites opened through bookmarks (checked)
*Temporarily allow top-level sites by default (checked)
*Whitlist: the most common large resources that if broken would totally freak the new user out (.mandatory AND .defaults)
*Plugins: disable only the most incidious and dredful types
*Appearance: provide the most prominent type of link styles as to no confuse them
*Notification: show message bar on top for say 10 seconds and then go away and let META redirections go through, enable audio feedback
*Advanced:
untrusted: just check the webbugs and ping,
trusted: check allow local links, allow ping
XSS: add all the commonly encountered patters in the forum for common stuff

2. Moderate
*disable the temporarily allow top-level
*whitelist: just the ones relating to informaction stuff and maybe google/msn/yahoo/live (.defaults but NO mandatory)
*plugins: disable more of the active content stuff but leave some super common ones alone
*appearance: allow a couple of more levels that might be more useful
*notification: put it in on bottom for say 30 seconds and then go away and forbid meta redirections
*advanced:
untrusted: also forbid meta, fix links, forbid ping
trusted: same with no local links
xss: add only the large and prevalant service providers (so less than before)

3. Advanced (coincidentally my own configuration)
*No temporary top-level, no left clicking, auto reload, no site through bookmark, backup in bookmark, no globally (duh)
*whitelist: NOTHING, no defaults, no mandatory
*plugins: everything checked EXCEPT apply to trusted
*appearance: everything checked EXCEPT status bar label
*notification: no show message, no place, no hide, check xss, check fobid meta, no audio feedback, check clearclick
*advanced:
untrusted: check all EXCEPT hide <noscript> elements
trusted: check only show the <noscript> element
xss: check both and include only what is there now
jar: check, no exceptions
https: behavior: when using proxy, cookies: enable

This way you make all the beginners happier with more friendly settings that will hopefully increase their retention to the point where they will become more experienced and can change to more advanced options over time, giving them a learning curve. It will make the more advanced users happy by NOT shoving anything towards them which makes them think they are being treated like newbies and have more control.

Further consideration: If they pick advanced, give them the GUI tab for Untrusted menu? AND show the changelog page but otherwise keep the untrusted hidden and do not send them to changelog page after updating. This will so get many people off your ass its not even funny. I await your feedback.

[therube]

(Just a general comment & not a comment on your proposal. Though I would ask, why not post this in the general forums where all may comment?)

IMO if someone is going to use a tool, they need to invest a bit of time to learn how it works in order to gain the most benefit from it.

Take Comodo (firewall). They hear it is "the best". Download, install, then they'll have absolutely no idea what the HIPS is or how it works or how it should work or what to expect. So they say they get all these popups. Someone posts, well, just disable HIPS. They say, cool, that did it, no more popups nagging me . And they're happy.

Now who is the wiser one ?

[GµårÐïåñ]

You are always the most wise, oh great rube. The reason I put it here was to avoid the any comments from hit and run posts and have some mature thoughtful discussions about it and evaluate its worth and capacity for success before opening it up to the public. I absolutely agree with you on the need to invest time to learn and I have said this many times in the past and been accused of being elitist or suggesting novice users don't deserve security, which is something I have NEVER said. The fact remains that the biggest complaints are usually oh I wish it would be a bit easier and I figure why not provide the multi mode that shows up on torrent clients, even firewall/antivirus protections have various modes, and so on to accommodate a larger user base. That's all. Personally I am happy as it is because I know how to modify it to meet my needs and as soon as Giorgio tells me how to bring it to the front of the line for interceptions (instead of last) I am a happy camper. The rest was just to make the tool better, more useful to more people and maybe beef up its public image as an extension that tries to be novice user friendly and not something to be scared of as too restrictive or complicated.

[Giorgio Maone]

@GµårÐïåñ:
Currently priority can be only influenced by noscript.cp.last which forces, if true, NoScript's policy runs last.
Even if you set it to false, there's no assurance that NoScript do not runs last because there's no "order" in content policies (an overlooking in Geck design, I guess), therefore the above is obtained using a "dirty hack" which wouldn't be applicable to a more general "priority throttling".

Regarding a "configuration wizard" for newbies, this is already in my TODO list, thanks for the suggestion.

[GµårÐïåñ]

Ok, understood. Thanks for the explanation, I appreciate it very much. As for the suggestions, you are welcome, I figured as much but I wanted to offer some thoughts, if for nothing more than to make myself feel better Any help or need for testing, just point the way and you got it.

[Tom T.]

Additionally, can you setup and initial wizard with 3 bubbles (or buttons) labeled user levels 1. Beginner (least interference), 2. Moderate (some control), 3. Advanced (full control, most restrictive) and then depending on what they choose, set their initial level to the configurations matching those defaults.

G, I know your intentions are the best, as they always are, but IMHO, must respectfully disagree. This defeats the purpose of NS in two ways: 1) Giving the user control of the machine, not a third party (hmm, where have I heard that recently?) (2) Providing maximum possible safety, while the Beginner provides very little. False sense of security. Better to focus our efforts on making the tool as easy to use and understand as possible.

Some specifics:

1. Beginner
*Allow sites opened through bookmarks (checked) No. I go almost everywhere with bookmarks and most of them stay locked unless/until needed otherwise.

*Temporarily allow top-level sites by default (checked) No. Same as above. Just cuz I go to eBay or Yahoo or Google or whatever doesn't mean I automatically trust everything in them. What is the point of NS if everywhere you go is TA'd?

*Whitlist: the most common large resources that if broken would totally freak the new user out (.mandatory AND .defaults) The FAQ covers these. Wouldn't enlarge the list.

*Plugins: disable only the most incidious and dredful types And just what would those be? They're all in the list because all of them can be abused insidiously and dreadfully as well as used legitimately. We tell everyone (or at least, the NS Home Page and Beginner's Guide do) that the planet is blocked by default, and NS is (the BD's words) 'Whitelist-based, preemptive blocking". This suggestion undoes that completely and violates the fundamental, underlying principle. Keep everything blocked by default and keep working on our tutorials, FAQ, first-run guides, simplified UIs, whatever, but don't weaken the OOB tool.

*Appearance: provide the most prominent type of link styles as to no confuse them OK

*Notification: show message bar on top for say 10 seconds and then go away and let META redirections go through, enable audio feedback OK except why let META go through? This too can be used for evil, go to site you think is okay and get redirected to ... ?

*Advanced:
untrusted: just check the webbugs and ping, and META

trusted: check allow local links, allow ping WHY? How does it serve *me* to let the sites invade my privacy? What harm is there if a user who doesn't know what this is leaves it blocked?

XSS: add all the commonly encountered patters in the forum for common stuff My list has been blank, zero, null, void for ages (so has the JAR list). Never had a problem. I don't go everywhere, of course, but if someone is getting false positives, that's a Forum issue.

Enough comment for one post. Won't address the rest.

And now, before I embarrass myself in public with my ignorance, can anyone explain in plain dummy English what is a local link, and what is a bookmarklet? I've had them blocked, too, and never had a problem, so they must not be that necessary. Thanks.