Suggestion - Integrate WOT technology into NoScript

[jeffg]

The largest problem I see with Noscript is the filtering. It's either blocking everything and you selectively enable, or you allow scripts globally. I can't install this on my wife's or mother's computer without enabling global scripting. Heck I know many security professionals that enable scripts globally as it can become a pain.

The Solution:
I think Noscript should incorporate the WOT system for script filtering (http://www.mywot.com/).

The WOT system can tell you the Trustworthiness, Vendor reliability, and Privacy ratings for a site. Allow Noscript to filter based on these ratings. For example, allow scripts if the site is green, but disable if it is yellow, or red. This would provide some base level of protection for those that would otherwise run with global scripting on or (god forbid) without Noscript.

[Tom T.]

Various third-party sources have been proposed to provide such information. One cannot be sure of the reliability of each, or whether they would cover every site visited. The idea of NS is to keep that control yourself. For non-tech aware users such as your wife or mother, you might consider synchronizing their settings with your own, as per this sticky thread. Also, I hope to post sometime this evening, the Beginner's Quick Start Guide To NoScript, in an attempt to make NoScript more accessible to low-tech users. See this FAQ for more information on 'What is a Trusted Site?". This may be of use to your family. I hope that the above Guides (the second to be posted soon) will be of help.

It's difficult to picture a "security professional" who cannot work with NS, or who would knowingly sacrifice safety for a slight convenience.

[GµårÐïåñ]

Even though I personally evaluate WOT and find the concept great, there are ALOT of false positives and its based on an algorithm of reporting and grading from every day users. This is inherently unreliable as it could lead to false increases toward conservative marking or liberal marking based on the user base from which the data is collected and aggregated. So as much as the concept is great, to base the reputation of a solution almost entirely based on another that is yet to prove itself as a true time tested and without flaw would be a developmental mistake in my opinion. There are solutions similar to this that Giorgio is already working on and trying to implement that may or may not address your specific concern but we'll have to wait and see.

[Tom T.]

Of course, your family is free to use WOT, SiteAdvisor, or other similar services, to get information about whether to allow in NoScript, even though automatic integration of the two presents issues as described above.

[Vordreller]

The largest problem I see with Noscript is the filtering. It's either blocking everything and you selectively enable, or you allow scripts globally. I can't install this on my wife's or mother's computer without enabling global scripting. Heck I know many security professionals that enable scripts globally as it can become a pain.

I install and then allow all domains manually... seriously, if you're not willing to make 2 clicks, then that's being lazy.

2 clicks dammit, how hard is that?

And I do believe NoScript is a Web 2.0 tool, meaning that the people who understand how to use it efficiently are usually thoose who know how to use the internet efficiently.
Why are you installing this on your mother's computer? Does she visit that many sites which host bad javascript?

[GµårÐïåñ]

I agree, come on, its a simple enough procedure. Its an easy process.

[Steven Avery]

Hi Folks,

What might be helpful is an option to put "Allow all this page" closest to the Options button. Or second closest after "Allow domain". Often this is the real 2-click option and it can be here or up there -- requiring some searching and potentially making it more difficult, especially for the newbie.

It took me awhile to realize that was what I wanted when I wanted to say OK to two, three, four or a gazillion new widgets or what-nots. And the wording "Allow all this page" sounds like it is limited to a page in a domain rather than allowing those widgets and gadgets anywhere. I realize you don't want a long explanation, but that may take some reconsideration.

Shalom,
Steven Avery

[Tom T.]

Hi Folks,
What might be helpful is an option to put "Allow all this page" closest to the Options button.
Shalom,
Steven Avery

Hi Steven,
Not sure if I'm misunderstanding you, but if you click this thumbnail, it shows that my status bar menu does indeed have "Allow all this page" next to "Options".

Peace,
Tom T.

[Steven Avery]

Hi,

The reference is to the bottom "Options" button that you click. The best if is the the main allow clicks are right next to that button, in the same proportional place, as the main pair "Allow" and "Temporarily allow" are (but not the special all "allow all this page"). There are some complications on the sites with a dozen or so items where they go up and down but that rare case can be addresssed separately.

Shalom,
Steven

[GµårÐïåñ]

Mr. Avery, this has been discussed, answered and WOT, although a great idea, is extremely inaccurate and subjective at the moment. To allow it to make decisions for people who may not share the same behavior is irresponsible and against the philosophy based on which NoScript was created. The fact is that if we trusted others to make decisions for us, we wouldn't need to block their scripts now would we? So this is a personal choice to go through and decide what they trust and what they don't. Would you allow your landlord to decide who to let into your house when you are not around or is that something you choose for yourself? It may be a pain but nothing worth doing is usually any less. You ask 5 members of a family regarding how they feel about the same website and you will get 5 different answers, you think either one would be happy to have the position of a 6th person supercede them? Especially if they don't agree? What to do, where to go and so on, is a personal choice and it should remain that way.

[wizodd]

I agree that a major and growing problem is the sheer number of additional sites "required" by websites, and the mystery as to what each does when listed in the NS listing.

I also agree that WOT & etc. are, at this point, not good options to assist the resolution of this issue.

I'd like to see an option, which would permit you to open a separate window by site, which would search for references and ownership information, possibly configurable to check WOT & other rating sites.

This would solve many of the issues associated with using external rating sites:

1) It's would be an option to choose what site(s) and information to search.
2) It doesn't automatically perform any actions, thus not slowing down the system, and when it does perform actions, it does so site by site, allowing you to choose which ones to check.

I use the "untrusted" marking a LOT to avoid accessing websites, not because they are untrusted, but because they are eating my bandwidth to display advertising, monitor site access statistics and other actions which however much the webmaster might like the data, I am unwilling to slow my system down so that the site can collect statistics, so things like googleanalytics are tagged "untrusted" on my machines even though trust is not the issue.

[computerfreaker]

As a former WOT user, I can testify to its near-complete unreliability.
Torrent sites would come up with great ratings, while my school's site would come up gray or, in some categories, even yellow.
I was happy to note that Mozilla sites got extremely high ratings, but other perfectly legit sites frequently got yellowed or worse.

As result, I've installed WOT and quickly uninstalled it; I hate making hasty judgments, so I tried installing it a second time with the same inaccurate results. As a result, WOT no longer has a place in my browser and will not have a place in my browser.

Just my 2¢ worth; YMMV.

[Tom T.]

I read a recent article somewhere about people with a grudge against a web site making bad reports at WOT, or getting their friends to do so also -- "ballot-box stuffing" -- even though the site was as safe as any site can be and had done nothing wrong. Apparently, it takes very few bad comments to get a site marked as unsafe by WOT, and they obviously can't triage every site or comment themselves.

Good rule: If you don't need it, don't allow it.

Subscribe to a Hosts file service, like (for example, one of many) http://www.mvps.org/winhelp2002/hosts.htm. IIUC, the reports are submitted by volunteers, but *are* verified by the webmasters before being added, or they will add ones from known "trusted" contributors. This blocks the connection to an evil site anyway, but if you want to find out whether somesite.com is blacklisted in the Hosts file, it's easy and safe. In Windows, open your Windows folder > system32 > drivers > "etc". Right-click the Hosts file and open with Wordpad or Notepad. (Depending on your default settings, you might be able to just double-click the file to open it.) Use the "find" command to try to find the site in question. If it's in there, I'd certainly not allow their scripting. Of course, not being in there is no guarantee of goodness.

Close everything up. So long as you don't actually change anything, this operation is safe for low-tech users.

There just isn't any substitute for user investigation and judgment, IMHO. Every time someone suggests taking humans out of the loop, I always think of the 1983 movie, "WarGames". Food for thought.

[noscuser]

Please make it easier for people to look up information about sites that they are unfamiliar with (as has been suggested in this thread).

Currently it is needlessly complicated to find out about sites that are serving scripts at you.
You have to bring up the noScript menu and read the site name, then type the name into the search box or into another tool, and open another window/tab to investigate the site. And repeat for each of the sites in the noScripts menu. The business of reading and copying the web address should be automated.

It would be nice to integrate with something like Flagfox - which has several sources to gather information about unknown sites.

The focus of this tool shouldn't necessarily be on gathering information about scripting sites, or even on knowing where to look to investigate such sites, but it would be nice if it had a clean way of handing off a web site to other tools that are focused on researching what a site is (anything from a general search engine, to a whois, to the various rating sites (WOT, Site Adviser, Safe Web, etc.), possibly create a new forum/rating system for scripting sites (to indicate what scripting site does and will the using site work without the third party scripting site).

First steps in that direction would be a way to copy site information from NoScript, so one could paste it into search bar or into another tool.

A second step in this direction might be to allow NoScript to send the site address in question to a pre-configured search engine.

Even better - give a way to send it to the tool of the users chosing (possibly opening in a new tab or new window).

Making it easier for people to research the sources of scripts might also improve security, since people might be less likely to just accept it in order to get something to work (too much bother to make an informed choice).