
Changing Red Lock to Green Lock Is Not Accepted

Posted: Tue Jan 09, 2018 7:28 pm
by Skeezix
I'm using 10.1.6.3rc5 and FF 57.0.4.

When I visit a website and click the NS icon, I get a list of websites and they all have a Default status. I pick one of the sites and click Trusted, and then change the red lock to a green one, and then click the Reload icon. I am expecting to see that my change has been accepted, but NS still displays the Default status. If I do NOT change the red lock to a green lock, the change is accepted. Is this peculiar to the site that I picked?

The site I picked to change is http://www.toyotanation.com.

Re: Changing Red Lock to Green Lock Is Not Accepted

Posted: Tue Jan 09, 2018 7:41 pm
by bo elam
Changing the lock to green is not accepted because the connection is http. The red color of toyotanation in the NoScript menu tells you also that if you trust the domain, it'll have to be a red lock.

Bo

Re: Changing Red Lock to Green Lock Is Not Accepted

Posted: Tue Jan 09, 2018 7:55 pm
by Skeezix
bo elam wrote: Changing the lock to green is not accepted because the connection is http. The red color of toyotanation in the NoScript menu tells you also that if you trust the domain, it'll have to be a red lock.

Bo

Now I'm thoroughly confused. I thought that if I trusted a domain, it should have a green lock so it could run scripts. And if I didn't completely trust a domain, I should change the lock to red so that it couldn't run scripts.

Going farther, I then navigated to www.toyota.com. NS shows that site (...toyota.com) as Default, so I clicked the Trusted icon. Then NS showed it with a green lock.

I don't understand why NS gives a green lock to some http sites when I select Trusted, but doesn't allow the green lock on other http sites.

Re: Changing Red Lock to Green Lock Is Not Accepted

Posted: Tue Jan 09, 2018 8:48 pm
by FranL
Skeezix wrote:
bo elam wrote: Changing the lock to green is not accepted because the connection is http. The red color of toyotanation in the NoScript menu tells you also that if you trust the domain, it'll have to be a red lock.
Now I'm thoroughly confused. I thought that if I trusted a domain, it should have a green lock so it could run scripts. And if I didn't completely trust a domain, I should change the lock to red so that it couldn't run scripts.

See Giorgio's documentation at https://hackademix.net/2017/12/04/noscr ... utshell-2/ where he writes:
What about the "Match HTTPS only" green/red lock toggle? If green (locked), the toggle makes base domain entries (e.g. "..google.com") match themselves and all their subdomains, but only if their protocol is HTTPS (and therefore the traffic encrypted and not easily tampered with). Otherwise, if red and unlocked, both HTTP and HTTPS match: this has bad security implications especially on "hostile" networks where injecting malicious scripts directly in the unencrypted traffic is relatively easy, but is unfortunately needed for some sites to work. NoScript tries to give you the "smartest" default for each site, i.e. green if the page is already served on HTTPS, red otherwise.

Re: Changing Red Lock to Green Lock Is Not Accepted

Posted: Tue Jan 09, 2018 9:24 pm
by bo elam
Skeezix wrote: Going farther, I then navigated to www.toyota.com. NS shows that site (...toyota.com) as Default, so I clicked the Trusted icon. Then NS showed it with a green lock.

I don't understand why NS gives a green lock to some http sites when I select Trusted, but doesn't allow the green lock on other http sites.

Hi Skeezix. toyota.com is https, you can see it is in the NoScript menu. That's why, when you allow it, it goes green and stays green.

Bo

Re: Changing Red Lock to Green Lock Is Not Accepted

Posted: Tue Jan 09, 2018 9:31 pm
by Skeezix
I'm sorry to be such a thick-head, please bear with me so I can better understand.

>>bo elam wrote:
Changing the lock to green is not accepted because the connection is http. The red color of toyotanation in the NoScript menu tells you also that if you trust the domain, it'll have to be a red lock.<<

But the red lock means: "Otherwise, if red and unlocked, both HTTP and HTTPS match: this has bad security implications especially on "hostile" networks where injecting malicious scripts directly in the unencrypted traffic is relatively easy..."

Also, it sure seems like I could change a green lock (more secure) to a red lock (less secure) (and vice versa) at will on some sites. So if a red lock on a trusted site cannot be changed to a green lock, then why does NS let you do so for some sites, only to change it back to a red lock?

The more I get into this red lock - green lock business, the more I don't understand. I guess I'll just have to futz around with each site until I stumble upon a configuration that works for me, and if that requires a red lock (less secure) to make the site usable, then I'll have to decide if it's worth it to me to have the red lock for the site I'm currently dealing with.

Re: Changing Red Lock to Green Lock Is Not Accepted

Posted: Wed Jan 10, 2018 1:58 am
by Pansa
Skeezix wrote: I'm sorry to be such a thick-head, please bear with me so I can better understand.

>>bo elam wrote:
Changing the lock to green is not accepted because the connection is http. The red color of toyotanation in the NoScript menu tells you also that if you trust the domain, it'll have to be a red lock.<<

But the red lock means: "Otherwise, if red and unlocked, both HTTP and HTTPS match: this has bad security implications especially on "hostile" networks where injecting malicious scripts directly in the unencrypted traffic is relatively easy..."

Also, it sure seems like I could change a green lock (more secure) to a red lock (less secure) (and vice versa) at will on some sites. So if a red lock on a trusted site cannot be changed to a green lock, then why does NS let you do so for some sites, only to change it back to a red lock?

The more I get into this red lock - green lock business, the more I don't understand. I guess I'll just have to futz around with each site until I stumble upon a configuration that works for me, and if that requires a red lock (less secure) to make the site usable, then I'll have to decide if it's worth it to me to have the red lock for the site I'm currently dealing with.

There are two major protocols on the web: HTTP and HTTPS. Traffic to and from https sites is encrypted, traffic to and from http sites is not.
Some websites send information over both.

If you want to visit a site that only serves an http website, changing the rule to a green lock creates a rule, but not for the content you wanted. It is a rule that applies to the https variant of that site, regardless of whether it exists or not.
Which is why on reload, it looks like no rule was created, because you are still visiting the http site, for which you did not make a rule.

This is a topic to read about outside of NoScript, too.
Any website you visit that starts with https is encrypted (and Firefox shows this with a green lock in the address bar), which means that "normally" nobody between you and the site can "look inside your exchange".
Over http basically everyone between you and them can read what you send and receive, and even catch it and send something different on.

The function of NoScript is to block scripts, which it does by default (although some active content is allowed), and you unblock it by changing a site from "default" to trusted or custom.
The colour of the lock is "proposed" automatically, depending on where the script is coming from. If it comes from an HTTP source it will show red (meaning you will allow this http traffic, and https also); if the source is an https source, it will by default only allow that https source.

The lock is basically a toggle that helps you to not fall for a spoof site or accidentally run scripts when you visit the http copy of a website when you didn't want to. (like your bank).
The lock is not the basic "allows script" button.

Re: Changing Red Lock to Green Lock Is Not Accepted

Posted: Fri Jan 12, 2018 2:29 am
by Skeezix
Pansa wrote: If you want to visit a site that only serves an http website, changing the rule to a green lock creates a rule, but not for the content you wanted. It is a rule that applies to the https variant of that site, regardless of whether it exists or not.
Which is why on reload, it looks like no rule was created, because you are still visiting the http site, for which you did not make a rule.

It sounds to me, when I read it, that when I change a red lock to a green lock, I am making a rule. But according to your last sentence, I did NOT make a rule??

I'll have to chew on this for awhile...

Re: Changing Red Lock to Green Lock Is Not Accepted

Posted: Fri Jan 12, 2018 2:37 am
by barbaz
Skeezix wrote: It sounds to me, when I read it, that when I change a red lock to a green lock, I am making a rule.
Yes, you are making a rule that says "Only trust this when it's served over HTTPS".
Skeezix wrote: But according to your last sentence, I did NOT make a rule...
... for the plain HTTP site. i.e. it's NOT served over HTTPS, so your rule does not apply to it.

Make sense now? :)

Re: Changing Red Lock to Green Lock Is Not Accepted

Posted: Fri Jan 12, 2018 4:13 am
by Pansa
Skeezix wrote:
Pansa wrote: If you want to visit a site that only serves an http website, changing the rule to a green lock creates a rule, but not for the content you wanted. It is a rule that applies to the https variant of that site, regardless of whether it exists or not.
Which is why on reload, it looks like no rule was created, because you are still visiting the http site, for which you did not make a rule.
It sounds to me, when I read it, that when I change a red lock to a green lock, I am making a rule. But according to your last sentence, I did NOT make a rule??

I'll have to chew on this for awhile...

You made A rule, but not THE rule you wanted.

When you click temp trusted, trusted or custom, you already make the rule.
It is the rule that applies to whatever the lock is set to at that point.
You don't need to click the lock at all to make a rule.

If you click the lock, it changes the rule, and what it applies to. If you clicked on trusted, and it made a red lock rule (because it is an http site), that is a rule that applies to http and https.
If you then click the lock to change it to green, it means that rule only applies to that website when it uses https.
On reloading the http site, NoScript again checks if there is a rule for it.
And since you changed the rule to only apply to https (green lock), there is no rule for the http version anymore. That is what you did by changing it to the green lock. You said "I don't want this rule for http", and thus there isn't one when NoScript checks.
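
The rule lookup described in this thread, as an added example that is not part of any post and is not NoScript's own code: a simplified JavaScript model of a trust rule carrying a "match HTTPS only" flag. The `Policy` class, its `trust` and `lookup` methods and `replayThread` are hypothetical names; the hostnames come from the thread, plus one constructed hostname (`nottoyota.com`) to show that only real subdomains match.

```javascript
// Simplified model of the lock toggle discussed in this thread.
// Not NoScript's code: Policy, trust() and lookup() are hypothetical names.
class Policy {
  constructor() {
    this.rules = []; // each rule: { domain, httpsOnly, preset }
  }

  // Create or replace the rule for a base domain.
  // httpsOnly = true models the green lock, false the red lock.
  trust(domain, httpsOnly, preset = "TRUSTED") {
    this.rules = this.rules.filter(r => r.domain !== domain);
    this.rules.push({ domain, httpsOnly, preset });
  }

  // Return the preset that applies to a URL, or "DEFAULT" if no rule matches.
  lookup(url) {
    const { protocol, hostname } = new URL(url);
    for (const r of this.rules) {
      // A base-domain entry matches itself and its subdomains only.
      const hostMatches =
        hostname === r.domain || hostname.endsWith("." + r.domain);
      const schemeMatches = r.httpsOnly
        ? protocol === "https:"
        : protocol === "http:" || protocol === "https:";
      if (hostMatches && schemeMatches) return r.preset;
    }
    return "DEFAULT";
  }
}

// Replays the steps from the thread and records what each reload would show.
function replayThread() {
  const p = new Policy();
  const out = {};
  p.trust("toyotanation.com", false); // Trusted, lock left red
  out.redHttp = p.lookup("http://www.toyotanation.com/");
  out.redHttps = p.lookup("https://www.toyotanation.com/");
  p.trust("toyotanation.com", true); // lock toggled to green
  out.greenHttp = p.lookup("http://www.toyotanation.com/");
  out.greenHttps = p.lookup("https://www.toyotanation.com/");
  p.trust("toyota.com", true); // HTTPS page, green proposed by default
  out.toyotaHttps = p.lookup("https://www.toyota.com/");
  out.toyotaHttp = p.lookup("http://www.toyota.com/");
  out.lookalike = p.lookup("https://nottoyota.com/"); // constructed hostname
  return out;
}

console.log(replayThread());
```

The `greenHttp` result is the "change not accepted" symptom from the first post: the rule exists, but the plain-HTTP page falls outside it and is reported as Default.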