Re: JavaScript CDNs to add to whitelist

Posted: Mon Jun 29, 2015 12:33 am
by giancarlos
Giorgio Maone wrote: Sorry for the difference with the beta channel, but AMO's signing process is still quite buggy and among other bugs there's one which makes pushing betas for automatic updates way more difficult than doing this for stable versions (quite the opposite of what should be).
Anyway, latest development build with the whitelist-related changes is on noscript.net, and I've asked AMO admins to manually push it for automatic update, but since many are traveling from their Whistler work-week I'm not sure it's gonna happen immediately.
Thanks for your patience.
You may want to consider verifying whether a domain / subdomain on the said list is valid per:

https://news.ycombinator.com/item?id=9795103

They're referencing this topic:
http://thehackerblog.com/the-noscript-m ... ndcdn-net/

It seems someone was trying to check out the security of noscript and their timing was perfect. They found this thread, but they failed to realize that the URL on this thread and the URL now on NoScript is indeed a typo, as someone else on HN noticed. The actual domain / subdomain that should have been whitelisted: vjs.zencdn.net. What was whitelisted: vjs.zenDcdn.net.

I highly recommend verifying domains and subdomains actually exist before adding them, because if I can just buy a domain on the whitelist then all of a sudden I can target multiple attacks towards noscript users.

Edit:

Realized someone else reported the typo at least. Sorry for missing that post. :) But I still think it should be considered to check domains before they're added, considering how big of a flop it would be if the wrong person got a domain based on a typo.
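A check of the kind giancarlos suggests above, written here as an added example that is not from this thread or from NoScript: each candidate host is compared against the already-vetted entries for one-character near-misses (the zencdn / zenDcdn case) and then looked up in DNS; the known-host list, the edit-distance threshold and the injectable resolver are assumptions for the example.

```python
import socket

# Constructed sample of hosts that are assumed to be already vetted.
KNOWN_CDN_HOSTS = {"vjs.zencdn.net", "ajax.googleapis.com", "cdnjs.cloudflare.com"}


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def resolves(host):
    """Live DNS lookup: True if the host has at least one address record."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def vet_whitelist_candidate(host, known=KNOWN_CDN_HOSTS, resolver=resolves, max_edits=1):
    """Return a list of findings for a proposed whitelist entry.

    An empty list means no objection. A finding is raised when the host is
    within max_edits of an already-vetted host (likely typo) or when it does
    not resolve at all (an unregistered name anyone could later register).
    """
    findings = []
    host = host.strip().lower()
    if host in known:
        return findings  # exact match with a vetted entry
    close = sorted(k for k in known if 0 < levenshtein(host, k) <= max_edits)
    if close:
        findings.append("possible typo of " + ", ".join(close))
    if not resolver(host):
        findings.append("does not resolve in DNS (unregistered or mistyped)")
    return findings
```

The resolver parameter exists so the check can be run against a recorded or stubbed lookup; with the default it performs a live query.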

Re: JavaScript CDNs to add to whitelist

Posted: Mon Jun 29, 2015 1:24 am
by barbaz
giancarlos wrote: It seems someone was trying to check out the security of noscript and their timing was perfect. They found this thread, but they failed to realize that the URL on this thread and the URL now on NoScript is indeed a typo as someone else on HN noticed.
Whose timing? This issue had been there for a long time.
We (NoScript users) are lucky it was caught at all...

Re: JavaScript CDNs to add to whitelist

Posted: Thu Jul 02, 2015 12:20 am
by therube
I still have vjs.zend.net in my whitelist, NoScript 2.6.9.30rc1 ?

Re: JavaScript CDNs to add to whitelist

Posted: Thu Jul 02, 2015 12:33 am
by barbaz
therube wrote: I still have vjs.zend.net in my whitelist, NoScript 2.6.9.30rc1 ?
Because the removed domain is "vjs.zendcdn.net" ;)

(Did you accidentally type the wrong domain in your post? If so, note that it would not be removed if you whitelisted it after the upgrade to 2.6.9.27/2.6.9.28rc1 or later.)

Re: JavaScript CDNs to add to whitelist

Posted: Thu Jul 02, 2015 1:00 am
by therube
I'm going wacko!

Not sure if I typo'd in my post above or not?
And now I'm not seeing any "zen" except for noscript.filterXExceptions.zendesk;true, which I also saw before?

... unless ...

He caches in memory, doesn't he?
So maybe when I looked... prefs.js hadn't been written yet... but then what would about:config show? Cached, or what was written to disk in prefs.js? Eh, still confused...


(Oh & I have no *googleapis* at all. Didn't have it before I fired up, & don't have ajax.googleapis.com [added in] either?)

Re: JavaScript CDNs to add to whitelist

Posted: Sat Jul 04, 2015 4:20 pm
by barbaz
https://noscript.net/getit#devel wrote: v 2.6.9.30rc2
=============================================================
[...]
x Default whitelist maintenance: removed prototypejs.org,
cdnjs.cloudflare.com;
??
And they're getting retroactively removed from users' whitelists too...

I'm confused - I had thought cdnjs.cloudflare.com was a relatively "safe" site... unless it got removed because it's now one of those Cloudflare-enabled domains that bundles scripts from *everywhere* (including other domains) as one script, and serves it from its own origin? Or is it also dead now?
EDIT oh, it seems to have moved here. But why not replace it in people's whitelists, why remove it outright in this case?

Re: JavaScript CDNs to add to whitelist

Posted: Sat Jul 04, 2015 7:47 pm
by Giorgio Maone
barbaz wrote: But why not replace it in people's whitelists, why remove it outright in this case?
Because the process used to add and update libraries is community based and doesn't seem very abuse-proof.

Re: JavaScript CDNs to add to whitelist

Posted: Sat Jul 04, 2015 8:26 pm
by barbaz
Giorgio Maone wrote:
barbaz wrote: But why not replace it in people's whitelists, why remove it outright in this case?
Because the process used to add and update libraries is community based and doesn't seem very abuse-proof.
Thanks for that explanation (I'd assume it's something similar for prototypejs.org which still seems to be there as it was). :)

Re: JavaScript CDNs to add to whitelist

Posted: Sun Jul 05, 2015 11:17 pm
by Thrawn
Giorgio Maone wrote: the process used to add and update libraries is community based and doesn't seem very abuse-proof.
https://github.com/cdnjs/cdnjs wrote: cdnjs will host any production version of any JavaScript/CSS library, subject to license permissions.
Eep!

Re: JavaScript CDNs to add to whitelist

Posted: Sun May 22, 2016 2:01 am
by nimd4
giancarlos wrote: I highly recommend [..]
Yeah, you'd be able to affect two (2) people's computers - in total. xD