InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

Whitelist Entry Comments

https://forums.informaction.com/viewtopic.php?t=2480

Page 1 of 1

Whitelist Entry Comments

Posted: Sat Aug 29, 2009 10:20 pm
by Foam Head
The longer I use NoScript, the bigger my Whitelist seems to grow. Unfortunately, as I look back at some of the older entries in the Whitelist, I can't remember why I added them. I hope we can all agree that stale entries you no longer visit could lead to bad things (the site could have been abandoned and then compromised, the site could have upgraded to newer technologies that you no longer trust, etc). NoScript supports comments to explain things in ABE rule sets, but I have to manually track this info for Whitelist entries -- which just seems silly.

En lieu of a full blown site/policy group model (like I proposed here), I'd like to see NoScript add a comment for every Whitelist entry. You can add a site to the Whitelist via several different mechanisms, but only one needs to support comments: the NoScript Options | Whitelist panel. Just add a way for me to see and modify a text comment for every entry.

To help illustrate why this would be useful, here's a sample with some comments I'd use:

Code: Select all

Address         | Comment
----------------+-------------------------------------------------------
10.0.0.1        | My router
10.0.0.25       | My media server
192.168.100.1   | My NVIDIA chipset configuration
216.12.34.56    | Yahoo mail attachments (IP address may change)
hotmail.com     | Microsoft mail
passport.com    | Microsoft mail login server
yahoo.com       | Yahoo mail
yahooapis.com   | Yahoo mail
yimg.com        | Yahoo mail images
youtube.com     | YouTube
ytimg.com       | YouTube images
With comments like this, if I stop using Yahoo mail or change media servers I can easily find and remove those entries.

Thanks,
-Foam

Re: Whitelist Entry Comments

Posted: Sat Aug 29, 2009 11:37 pm
by Alan Baxter
I'd find that feature useful too. Thank you for suggesting it.

Re: Whitelist Entry Comments

Posted: Sun Aug 30, 2009 6:26 pm
by luntrus
Hi Foam Head,

Also agree with Alan Baxter that this could be a useful feature, but use caution on whitelisting - keep it absolutely minimal in this sense for those sites that you cannot do without. I see you have adopted a very sensible policy.
Where you have sites whitelisted that could come under attack there we have to use caution as to what is whitelisted because of the altering malcode landscape, and the grand scale in which trusted and reputable sites are being infected.
I would like to keep it minimal and do it on an ad-hoc basis, the way I work NS usually, what about these extra clicks for security sake, it is not much trouble for added security. At the explosive rate of random infections of trusted and reputable sites, I would welcome the additional security of RequestPolicy where I can allow or disallow what could redirect once again. So with me everything is blacklisted until further notice - this not only for security reasons but also as a privacy measure (well as far as I can evade this). I only have my webmail site whitelisted in a specific browser, but with youtube I cleanse with the following extension: YouTube History Bleach - https://addons.mozilla.org/en-US/.../addon/5136
Furthermore after every computer session I cleanse temporal files with ATF-Cleaner and ClearProg,

luntrus

Re: Whitelist Entry Comments

Posted: Sun Aug 30, 2009 10:36 pm
by Foam Head
@luntrus: FWIW, I don't have YouTube in my Whitelist because I don't particularly trust it. It was just an example to illustrate that some services require multiple servers whose names are often unclear. In YouTube's case, ytimg.com may be discernible, but I don't expect anyone to remember a random 216.xx.yy.zz address is for Yahoo Mail or which local IPs correspond to which local devices/services.

-Foam
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited