Jim Too wrote:
tlu wrote:
Agreed. But let's face it: We - the NS users - are only a small minority. Most FF users don't know anything about NS. The question remains why its security features have not been implemented in the browser itself. That's good for you, of course, but not for the bog standard user. Perhaps this is what RSnake was referring to.
One of the reasons that NS is so effective "out of the box" is that it operates in default deny, but default deny is a two-edged sword. It takes a while to "train" NS so that it allows scripts from the sites you normally visit. The "bog standard" user might get frustrated with the research and training that is necessary and either allow scripts globally or allow all scripts on the current page without looking.
Or, as many do, just uninstall it. Things which I believe are still on the "to-do" list are a first-run splash screen with the Beginner's Guide and a link to FAQ, and a compiled Help file so that NS will have a built-in online Help button (and/or F1) as many other apps do. These might increase both the adoption and retention rates, as per this thread from a new user. It might also help convince Mozilla to include NS as part of a default install of Fx, a topic that's come up more than once before. Even if it were installed disabled by default, but with a splash screen advising of its capabilities and where to get the needed information, it would be an improvement. I'd prefer that it be enabled by default, again with the splash screen, and an "out" that users can "temporarily" disable it until they've had a chance to learn about its use, features, and necessity.
The Internet is an unsafe place. No one gets in a car for the first time and drives off. You need to spend some time learning how to use this powerful tool first, or else endanger yourself and everyone else on the road. But people take a computer OOB, turn it on, and expect to drive the Internet Autobahn without care or fear. This is the *big* picture: If you want the convenience of a car or the Web, you must learn a little first. You don't need the high-tech stuff. You don't need to know how your car's engine works, only how to turn the key and start it. You don't need to know how the transmission works ....
You don't need to know all of the details of *how* NS does what it does, but you need to know what buttons to push when, just as in driving a car -- and what *not* to do.
The easier we can make this task for novices, the better the chance it will become a standard for Fx (and others in the industry -- Google is considering it). But the Internet is not a zero-knowledge tool, and users need to be educated to that fact. This is what RSnake and Jeremiah knew -- browsing in general isn't safe (this Web 2.0 stuff was a huge step backwards in that regard, IMHO, and it's getting worse, with "desktop applications" -- no, thank you) -- and it doesn't matter which browser, if the user is uneducated. The educated users, like, say, RSnake, use Firefox with NoScript and ABE, either of which defeat the exploit that was the subject of this part of the thread.
Even for sites that I do trust, I don't allow scripts to run from all the sites that a trusted site links to. An online whitelist might help in this regard and would also provide a mechanism for globally disallowing a compromised site. ....
How is the whitelist to be maintained, and by whom? Who will know when the site is compromised? Who will know when it's been repaired?
What if your standards of privacy or acceptable risk are different from mine?
NoScript's fundamental concept is taking your browser out of the hands of the Web 2.0 "architects" and giving control back to you. Keep your whitelist as small as possible, and only for sites you visit frequently and trust completely. Use "temporarily allow", on a case-by-case and script-by-script basis, *only* when the function you need won't work otherwise (else why allow it, no matter how trusted? -- one more way of avoiding a possibly-compromised site and malicious script). Only *then* do you ask yourself, "Do I trust this site?" and, if so, TA only that which is needed.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard