block script in http sites

Posted: Fri Dec 02, 2016 1:58 pm
by jeffz
Man in the middle attacks against http sites are easy and so is the execution of malicious scripts on the systems of everyone visiting http sites.

Having a policy or option to prevent the execution of scripts on http sites in general and not whitelisting any http sites by default would close this attack vector.
It could also help to have the option to allow script for https sites only.
This would have the side effect of blocking unwanted scripts since most popular sites use https for interactive features while advertisement sites and tracker usually do not.

Therefore please consider including such an option/policy.

Re: block script in http sites

Posted: Fri Dec 02, 2016 2:41 pm
by barbaz
Have you looked at everything under NoScript Options > Advanced > HTTPS?

Re: block script in http sites

Posted: Sat Dec 03, 2016 11:11 am
by jeffz
The default is off, so the proposal would be to block http script execution by default and provide extra option in the context menu.

Re: block script in http sites

Posted: Sat Dec 03, 2016 2:08 pm
by barbaz
jeffz wrote: The default is off, so the proposal would be to block http script execution by default
jeffz, how often do you get MITM'd and what do they do?

NoScript already has a pretty steep learning curve for new users. And many people NEED to use sites that they can only access by plain http. When a new user can't get such a site working fast enough, they'll just disable NoScript instead. Not spend all day reading about HTTPS and going through settings.

And NoScript is supposed to be as newbie-friendly as possible.

This option is useful for people on proxies, Tor, some types of public access point, underhanded ISPs injecting malware ads, etc. Beyond that, do recall that most people are not Jason Bourne and do not actually need this feature. So why force it on everyone who doesn't change settings?

If MITM'ing is really so much of a problem for you, that you think NoScript needs to block plain http scripts by default... seriously, you have a much bigger problem than NoScript can handle.

Re: block script in http sites

Posted: Mon Dec 05, 2016 1:22 pm
by jeffz
barbaz wrote:
jeffz wrote: The default is off, so the proposal would be to block http script execution by default
jeffz, how often do you get MITM'd and what do they do?
Sorry, but that's a really pointless argument. This is not about how often I or you experience MITM attacks. It still is a growing concern that affects an increasing number of people.

But I agree that NoScript should be easy to use and new users should not be presented with too much complexity.

But that does not prevent an additional option that can be enabled in some "expert" mode.
And the option to disable scripts for all http sites is rather useless. What I had in mind was an optional button that allows scripts for https sites, and another one that allows them for http sites with a red warning or something.

That way, when a login site does not work because it needs JavaScript, I can activate all scripts for https sites without enabling the insecure http connections, which are usually used for advertisement.


I believe this to be a useful feature and one that many would like. My intention was to mention this idea. If you don't agree, that's fine. I still wanted to contribute this idea though.

Re: block script in http sites

Posted: Mon Dec 05, 2016 2:50 pm
by barbaz
jeffz wrote:
barbaz wrote:
jeffz wrote: The default is off, so the proposal would be to block http script execution by default
jeffz, how often do you get MITM'd and what do they do?
Sorry, but that's a really pointless argument. This is not about how often I or you experience MITM attacks.
Says the guy who wrote this in the opening post -
jeffz wrote: Man in the middle attacks against http sites are easy and so is the execution of malicious scripts on the systems of everyone visiting http sites.

Having a policy or option to prevent the execution of scripts on http sites in general and not whitelisting any http sites by default would close this attack vector.
[...]
Therefore please consider including such an option/policy.
NoScript deals with real-world attack scenarios, not some theoretical mumbo-jumbo. And the people for whom MITM attacks are a significant real-world problem have the options they need in order to deal with it. The types of NoScript users I mentioned above are not average computer users, this lot will find the settings.

So, how often do you get MITM'd and what do they do? Not a hard question for someone who knows about this stuff.
jeffz wrote: And the option to disable scripts for all http sites is rather useless. What I had in mind was an optional button that allows scripts for https sites, and another one that allows them for http sites with a red warning or something.

That way, when a login site does not work because it needs JavaScript, I can activate all scripts for https sites without enabling the insecure http connections,
You didn't look at all the options, did you?

If you did, you would have seen NoScript Options > Advanced > HTTPS > Permissions, "Allow HTTPS scripts globally on HTTPS documents", wouldn't you?

Contributing ideas is fine, but even Giorgio's ideas don't get a free pass around here.

Re: block script in http sites

Posted: Mon Dec 05, 2016 11:00 pm
by Thrawn
Also make sure that you go to Options-Appearance, where you can control the granularity of your whitelist. You can indeed choose to allow only the HTTPS version of a (specific) site.

Re: block script in http sites

Posted: Fri Dec 09, 2016 11:54 am
by jeffz
barbaz wrote:
jeffz wrote: Man in the middle attacks against http sites are easy and so is the execution of malicious scripts on the systems of everyone visiting http sites.

Having a policy or option to prevent the execution of scripts on http sites in general and not whitelisting any http sites by default would close this attack vector.
[...]
Therefore please consider including such an option/policy.
NoScript deals with real-world attack scenarios, not some theoretical mumbo-jumbo. And the people for whom MITM attacks are a significant real-world problem have the options they need in order to deal with it. The types of NoScript users I mentioned above are not average computer users, this lot will find the settings.

So, how often do you get MITM'd and what do they do? Not a hard question for someone who knows about this stuff.
If you consider MITM attacks to be mumbo jumbo, then I seem to have mistaken you for someone who has any idea about security.
barbaz wrote:
jeffz wrote: And the option to disable scripts for all http sites is rather useless. What I had in mind was an optional button that allows scripts for https sites, and another one that allows them for http sites with a red warning or something.

That way, when a login site does not work because it needs JavaScript, I can activate all scripts for https sites without enabling the insecure http connections,
You didn't look at all the options, did you?

If you did, you would have seen NoScript Options > Advanced > HTTPS > Permissions, "Allow HTTPS scripts globally on HTTPS documents", wouldn't you?

Contributing ideas is fine, but even Giorgio's ideas don't get a free pass around here.
The options provided do not allow what I have in mind.
Thrawn wrote: Also make sure that you go to Options-Appearance, where you can control the granularity of your whitelist. You can indeed choose to allow only the HTTPS version of a (specific) site.
Thank you for the hint. The options I discovered so far did not quite do what I intended.

One of the main use cases is sites that need JavaScript for login. Those sites usually use https while advertisers and trackers do not.

That means that while at the moment many users would just (temporarily) allow all scripts, they would benefit greatly if there was an option (maybe to be activated via the menu) to allow only https sites on that specific page.
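As an added illustration of the policy being debated here (this is not NoScript's code or anything from the thread), the function below resolves every script source on a page against the document URL and labels it http, https, inline or other, then shows which sources an "https scripts only" rule would keep. The sample page and all hostnames are constructed; the point it makes is that relative and protocol-relative sources inherit the document's scheme, so on a plain-http page such a rule also blocks the site's own first-party scripts, which is the practical cost behind barbaz's objection.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute (None for inline) of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.srcs.append(dict(attrs).get("src"))


def classify_scripts(document_url, html):
    """Resolve each script source against the document URL and label it
    'inline', 'https', 'http' or 'other' (data:, blob:, ...).
    Relative and protocol-relative (//host/...) sources inherit the
    document's scheme, so on a plain-http page the site's own scripts
    are http too: an https-only script rule blocks them, not just ads.
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    labelled = []
    for src in parser.srcs:
        if src is None:
            labelled.append(("inline", None))
            continue
        absolute = urljoin(document_url, src.strip())
        scheme = urlsplit(absolute).scheme.lower()
        labelled.append((scheme if scheme in ("http", "https") else "other", absolute))
    return labelled


def allowed_by_https_only(document_url, html):
    """Script URLs that an 'allow https sources only' rule would keep."""
    return [u for label, u in classify_scripts(document_url, html) if label == "https"]


# Constructed sample page (hypothetical hosts, not real sites).
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="//cdn.example/lib.js"></script>
<script src="https://login.example/sso.js"></script>
<script src="http://ads.example/track.js"></script>
<script>console.log('inline');</script>
</head></html>"""
```

Run `classify_scripts("http://site.example/page", SAMPLE_HTML)` and then the same call with an `https://` document URL to see the first two entries flip from http to https purely because the document scheme changed.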

Re: block script in http sites

Posted: Fri Dec 09, 2016 3:13 pm
by barbaz
jeffz wrote: If you consider MITM attacks to be mumbo jumbo, then I seem to have mistaken you for someone who has any idea about security.
Trolling or skim reading? -
barbaz wrote: NoScript deals with real-world attack scenarios, not some theoretical mumbo-jumbo. And the people for whom MITM attacks are a significant real-world problem have the options they need in order to deal with it. The types of NoScript users I mentioned above are not average computer users, this lot will find the settings.
jeffz wrote: The options provided do not allow what I have in mind.
Er, how are we to understand what you have in mind then? You have vacillated on whether this is about MITM countermeasures or ad blocking. You have made RFEs that accurately describe existing features, then gone on to say the existing features are inadequate. And you have refused to answer questions about how much of a real-world security problem this is for you.

How can anyone help you or even understand you in the face of that?

Continue like that and this thread will be locked.