Hello All,
Good Morning! My First Post here!!
I used to be a NoScript/ABP user a long time ago. I switched to uBlock Origin (Medium Blocking Mode + popup/remotefonts disabled), with Firefox configured (to block 3P cookies + click to play plugin content).
I switched for one single reason, which is that I can do script/frame blocking + Content Filtering with one extension. However, I have one lingering question in mind, on which I am not completely satisfied with the answers over the web. Henceforth, I am asking your input/advice on what I would lose in terms of security by not having NSS. Anything I can configure natively in Firefox itself?
There is one I know, which is if I have a site whitelisted in uBO, and if that site is compromised by XSS, I might be vulnerable there. Anything else?
Thanks in Advance. I am looking for your input from a technical standpoint, meaning I would be happy/satisfied if you people can give real use cases. I just want to understand the things better and probably a little deeper. So, I can better gauge myself.
Thanks, Harsha.
NoScript usage on top of uBlock Origin
Re: NoScript usage on top of uBlock Origin
harsha_mic wrote: Good Morning! My First Post here!!
Good evening (er, night) Welcome to the InformAction forums.
harsha_mic wrote: I am looking for your input from a technical standpoint, meaning I would be happy/satisfied if you people can give real use cases. I just want to understand the things better and probably a little deeper
I use NoScript + uBlock Origin + µMatrix concurrently, and here's why I don't think any one of those addons is enough on its own:
- While NoScript's main point is script blocking, it has many "extra" security features (some hidden), such as XSS filter, ABE, ClearClick, inclusion type checking, etc. These things simply do not exist in vanilla Firefox, and I know from personal experience that this stuff is important. Saved me several times.
- µMatrix is useful for easy (IMO) per-site permissions as well as some generic content-type filtering (the latter being partially defense-in-depth with NoScript). For example I use it to restrict which sites can load content from "generic" CDNs such as cloudfront.net. However µMatrix does not have fine-grained blocking (it is an "Internet firewall" acting only on domains).
- uBlock Origin is useful largely for privacy protection & the like (µMatrix is cumbersome for that, and NoScript is a security tool not a privacy tool). It's also the best way to really fine-tune the other add-ons' permissions.
Anyway, hope this helps.
*Always* check the changelogs BEFORE updating that important software!
Re: NoScript usage on top of uBlock Origin
I second the view that uMatrix makes per-site permissions easy. The interface was initially confusing, with so many places to click (top and bottom of rows, columns, cells, plus scope changes), and the different shades of red and green, but eventually I realised that it's simple, elegant, and very powerful. And the ability to manually edit rules via the dashboard ices the cake. For me, it makes uBlock Origin redundant.
What barbaz said about the behind-the-scenes protections is true, although if you're quite strict about cross-site permissions with uMatrix, then you'll find that you're much less vulnerable to attacks like XSS and clickjacking (uBO won't help you there). Still, NoScript has the edge in being able to specify protocols; you can choose to whitelist only the HTTPS version of a site, for example. And don't forget surrogate scripts, which can help to un-break sites whose scripts are blocked.
uBO Medium mode doesn't give you any protection against first-party scripts, by the way. If you inadvertently browse onto an attack site of some kind (eg if it was in search results), then it will get a shot at you. uBO is designed for privacy first, security second; NoScript is the other way around.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Re: NoScript usage on top of uBlock Origin
Thrawn wrote: The interface was initially confusing, with so many places to click (top and bottom of rows, columns, cells, plus scope changes), and the different shades of red and green, but eventually I realised that it's simple, elegant, and very powerful. And the ability to manually edit rules via the dashboard ices the cake.
@harsha_mic: On this subject, viewtopic.php?f=18&t=20815 might help you?
Thrawn wrote: And don't forget surrogate scripts, which can help to un-break sites whose scripts are blocked.
True, but uBlock Origin does have a similar feature: its $redirect filter option. While surrogate is more flexible and more customizable (for security reasons, custom $redirect target in uBlock Origin requires building a custom XPI).
Likely, a "normal" user who doesn't care about custom JS and wants sites to "just work", won't really notice the difference between the two implementations.
*Always* check the changelogs BEFORE updating that important software!
Re: NoScript usage on top of uBlock Origin
So...
- uBO alone doesn't protect against first-party attacks or special attacks like XSS/CSRF (maybe clickjacking to some extent, by blocking frames; not comprehensive)
- NoScript alone doesn't give privacy-oriented control such as site-specific permissions (unless you want to spend a lot of time with ABE)
- uMatrix alone doesn't provide surrogates (or similar), or protocol-specific whitelisting (ie HTTPS only), nor can it block scripts in some special cases like data: URIs, and it will miss some special attacks like tabnapping.
- NoScript + uBO could cover everything, but the interface for third-party requests in uBO is less advanced than uMatrix.
- uBO + uMatrix covers most things, just not some special cases.
- NoScript + uMatrix is comprehensive, but will have a lot of double-handling unless you use something like cascading permissions.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Re: NoScript usage on top of uBlock Origin
Thrawn, can you compare your "tests" with RequestPolicy Continued, please?
Re: NoScript usage on top of uBlock Origin
No, because a) these weren't tests, just theoretical assessments, and b) RP is a subset of what uMatrix does.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Re: NoScript usage on top of uBlock Origin
Thrawn wrote: uBO Medium mode doesn't give you any protection against first-party scripts, by the way. If you inadvertently browse onto an attack site of some kind (eg if it was in search results), then it will get a shot at you. uBO is designed for privacy first, security second; NoScript is the other way around.
It is worth noticing IMHO that uBO in advanced mode behaves more like uMatrix, and it will indeed blanket-block scripts as well as third-party stuff if you wish so: in fact, I think that people who can handle NoScript and/or uMatrix should only use uBlock in advanced mode, it is so much better and not that hard to figure out.
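
Added example (not written by anyone in this thread, and not uBlock Origin's code): a simplified JavaScript model of uBO's dynamic-filtering rules, comparing the two medium-mode rules with a ruleset that also blocks first-party and inline scripts. The hosts, the sample requests, the rule precedence and the two-label first-party test are assumptions made for the illustration.

```javascript
// Simplified model of uBlock Origin dynamic filtering ("source destination type action").
// Not uBO's code. Assumption: first party = same last two host labels (uBO uses the
// Public Suffix List). 'noop' here means no dynamic block; static lists still apply.
const MEDIUM_MODE = ['* * 3p-script block', '* * 3p-frame block'];
const ALL_SCRIPTS_BLOCKED = [...MEDIUM_MODE, '* * 1p-script block', '* * inline-script block'];

const baseDomain = (host) => host.split('.').slice(-2).join('.');

// Rule types a request can match, given the page it was made from.
function requestTypes(pageHost, req) {
  if (req.kind === 'inline-script') return ['inline-script'];
  const party = baseDomain(req.host) === baseDomain(pageHost) ? '1p' : '3p';
  const types = party === '3p' ? ['3p'] : [];
  if (req.kind === 'script') types.push(`${party}-script`);
  if (req.kind === 'frame' && party === '3p') types.push('3p-frame');
  return types;
}

// Most specific matching rule wins: a page-scoped source beats '*', then a named destination.
function decide(rules, pageHost, req) {
  const types = requestTypes(pageHost, req);
  let best = { score: -1, action: 'noop' };
  for (const line of rules) {
    const [src, dest, type, action] = line.trim().split(/\s+/);
    if (src !== '*' && src !== pageHost) continue;
    if (dest !== '*' && dest !== req.host) continue;
    if (type !== '*' && !types.includes(type)) continue;
    const score = (src !== '*' ? 2 : 0) + (dest !== '*' ? 1 : 0);
    if (score > best.score) best = { score, action };
  }
  return best.action;
}

// Constructed requests made by a hypothetical hostile page, attack.example.
const SAMPLE = [
  { kind: 'script', host: 'attack.example' },         // first-party script
  { kind: 'script', host: 'static.attack.example' },  // same site, other subdomain
  { kind: 'inline-script', host: 'attack.example' },  // <script> in the page itself
  { kind: 'script', host: 'cdn.tracker.example' },    // third-party script
  { kind: 'frame', host: 'ads.tracker.example' },     // third-party frame
  { kind: 'image', host: 'img.tracker.example' },     // third-party image
];

const evaluate = (rules, pageHost, reqs = SAMPLE) => reqs.map((r) => decide(rules, pageHost, r));

console.log('medium:', evaluate(MEDIUM_MODE, 'attack.example').join(' '));
console.log('strict:', evaluate(ALL_SCRIPTS_BLOCKED, 'attack.example').join(' '));
```

In this model a page-scoped `noop` rule such as `news.example cdn.tracker.example * noop` outranks the global block, so any script later served from that host runs on that page.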