Mozilla caring for popular Fx extensions?

General discussion about the NoScript extension for Firefox
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Mozilla caring for popular Fx extensions?

Post by dhouwn »

https://wiki.mozilla.org/Platform/2010-06-15 wrote:
Adblock+ is something like a Firebug, in that people evaluate "the browser that run adblock+".
Well, in this case I am running "the browser that run NoScript". :)
Recent perf blog by Wladimir helped a bunch, but people don't mind that much who's at fault. Can we expose better APIs for him?
Hopefully NoScript will also benefit.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.3a6pre) Gecko/20100623 Minefield/3.7a6pre
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Mozilla caring for popular Fx extensions?

Post by Giorgio Maone »

This was about Adblock Plus (at least when a filter subscription is enabled, which is the commonest case) imposing a noticeable and above-average performance penalty (in the seconds magnitude) on Firefox startup.
NoScript has never suffered from this problem, and FlashGot underwent some drastic and very effective optimizations months ago to reduce its penalty to the hundredths-of-a-second range.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Mozilla caring for popular Fx extensions?

Post by luntrus »

Hi forum friends,

Mozilla is caring, I am caring, all our forum users are caring about NoScript security. But sometimes I am getting desperate, my dear forum friends: what can a malware fighter like I am do to further the general use of NoScript as a never-to-be-beaten protection? At the risk of being off-topic, I have to get this off my heart...
But in general it is all about speed. And you will find so many young, naive, uneducated or careless users that want to take IE9 as their browser of choice, while maybe they are fully aware it will never have NS/RP extension protection, because it will not go with the general IE browser policy. Even on a security forum, see this thread here: http://forum.avast.com/index.php?topic=61084.0 I feel much like the proverbial prophet shouting out into the desert at the top of his lungs, singing all out about the benefits of script blocking, but it all falls on deaf ears almost everywhere. Here in this case I have some more success: http://forum.avast.com/index.php?topic= ... #msg513158 so there will be a lot of Chinese users to install NoScript inside their browsers. Are we really finding ourselves in a small in-browser-security niche, and when is the use of NS getting some real momentum, or do we think it will never reach the awareness of the masses? I will keep on trying.....

luntrus
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.16) Gecko/2010010414 Firefox/3.0.16 Flock/2.5.6
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Mozilla caring for popular Fx extensions?

Post by Tom T. »

Giorgio Maone wrote:
This was about Adblock Plus (at least when a filter subscription is enabled, which is the commonest case) imposing a noticeable and above-average performance penalty (in the seconds magnitude) on Firefox startup.
NoScript has never suffered from this problem, and FlashGot underwent some drastic and very effective optimizations months ago to reduce its penalty to the hundredths-of-a-second range.
The original AdBlock, which was updated by computerfreaker to be F3+ compatible as a personal favor to me, and now intended for public release when he is ready to stake his reputation on it, imposes no penalty at all, no more than the Fx Options menu config settings do. They're just there, and they work silently. I look forward to it as a viable alternative, with no resource penalty. (Meanwhile, I still use F2 with Adblock Original. :mrgreen: )

@ luntrus: We have an old proverb in the US: "You can lead a horse to water, but you can't make him drink". NS has received plenty of excellent and positive publicity in the tech press and elsewhere; see some listings on NS' home pages and on the "NoScript Sightings" thread. But fighting the publicity that M$ dollars can buy is indeed difficult. Most users just don't have a clue of what really goes on, what the dangers are, and how to prevent them. The jobs of prophet and reformer have always been the most difficult in any society; all we can do is our best. :)

Edit: Meant to mention that at one time, there was serious talk of including NS in Fx by default, even if it was off by default, perhaps with a first-run splash screen giving a brief description and inviting the user, "Turn it on", "Tell me more" (links to NS home pages, FAQ, NoScript Quick Start Guide, etc.) "No thanks, maybe later". Haven't heard anything about that in a long time. Perhaps that idea could be revived, in which case Fx *indisputably* becomes the safest browser on the market OOB, at least, if NS is turned on or on by default. Such overwhelming superiority, already supported by the US Dept. of Homeland Security's Computer Emergency Readiness Team, would be a *huge* selling point to the increasingly-scared public.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Mozilla caring for popular Fx extensions?

Post by luntrus »

Hi TomT,

I took that motto of yours about the horse led to the water and see what reactions we get, and why there is a big barrier between those that have come to an insight why to use NS and those that lack that insight partially or completely: http://forum.avast.com/index.php?topic= ... #msg516062
We keep blowing the NS horn and welcome everyone that has awoken to its call,

luntrus
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.16) Gecko/2010010414 Firefox/3.0.16 Flock/2.5.6
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Mozilla caring for popular Fx extensions?

Post by Tom T. »

Hi luntrus/polonus,

Very fine thread, and flattering that you used the proverb.
It was interesting to see the differences among:

1) Those already running NS;
2) Those who have become converted to it, no doubt due to your untiring efforts; and
3) Those who refuse to see the truth. (Other proverb: "There is none so blind as him who will not see" -- meaning, the blindest person is not the one with no eyesight, but the one who has sight and mind, but refuses to see the truth when it is right in front of them.)

"Convenience" -- a short learning curve, build a whitelist, and sometimes TA some sites or objects. Yes, that takes a few more seconds than just browsing away without doing a thing. But do the "inconvenience" crowd have any idea of how inconvenient it is to have your machine infected, your bank account drained, your credit card numbers stolen and the maximum spent on them, and trying to get your life and your credit rating back after your identity is stolen? It is *much* more inconvenient than a few extra clicks. But some people can't see past the immediate moment ....

Good proselytizing. By the way, of course you are free not only to link to any post here, but as for me, to quote my posts, either in whole or in part (so long as the meaning and context are clear on a partial quote), though of course it's common courtesy to attribute the source, e.g. "from Tom T., moderator at the NoScript Forum" ... and maybe links to our Forum, to encourage your readers to read ours also. Keep up the good fight.

Tom T.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Mozilla caring for popular Fx extensions?

Post by luntrus »

Hi Tom T.

But also see what controversy the use of NS can bring about: http://forum.avast.com/index.php?topic= ... #msg516385
I am even accused in the above avast forum thread of being a security-oriented "terrorist" just for simply propagating the use of NS inside a Mozilla browser.
How far has that "dollar-driven" brainwashing gone? And more so, what did it do with some users and the way in which they react?
They cannot discuss simple facts anymore, just take a position and feel attacked,

luntrus aka polonus
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.16) Gecko/2010010414 Firefox/3.0.16 Flock/2.5.6
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Mozilla caring for popular Fx extensions?

Post by Tom T. »

Luntrus, it's well known that MS employees, or people acting for them, regularly edit Wikipedia articles to be more favorable to MS, or less critical of MS products. I think you have an MS agent in your forum. It's hard to see how any one person, who is apparently somewhat technical-minded, could be that wrong about that many things in one post.

One example only: MS updates regularly include ActiveX "kill bits" when a vuln is discovered in one, either their own or a third party's, so that IE cannot instantiate that object. When I took IE off the machine, I thought I might as well clean up the Registry of all of those kill bits. There were between 13,000 and 14,000 entries! (no, I didn't count each one.) What does *that* say about this technology?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Mozilla caring for popular Fx extensions?

Post by therube »

What does *that* say about this technology?
Only that their method of controlling it is ass backwards. They are using a blacklist approach.

(I have no idea how many ActiveX items MS blacklists, I have seen MS (monthly) updates come through with them, but my impression is that they are only a handful? SpywareBlaster & Spybot Search & Destroy do have extensive ActiveX related blacklists.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a6pre) Gecko/20100626 SeaMonkey/2.1a3pre
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Mozilla caring for popular Fx extensions?

Post by Tom T. »

therube wrote:
What does *that* say about this technology?
Only that their method of controlling it is ass backwards. They are using a blacklist approach.
Exactly. It should be default-deny, like NS. You can set that in IE, but then the user gets a zillion prompts, and "how are they to decide" -- since the prompt does not tell you what domain is trying to d/l the AX object. (Based on 6. Might have changed in 7-8-9.)
And even if a trusted domain, the issue is that the technology is unusually prone to buffer overruns, so you could be pwned by a malformed AX control from a trusted site. And AX has 100% privilege on the entire machine.

We see users harmed by allowing malicious scripts, but only very rarely by a script from a trusted source that was just poorly written. And while JS can certainly do damage, a lot of that is in the browser itself. If it tries to alter system files, etc., AV or firewall might catch it.
(I have no idea how many ActiveX items MS blacklists, I have seen MS (monthly) updates come through with them, but my impression is that they are only a handful?
I must have very large hands! :D .... If you add up the monthly number over the past -- what, 10-12 years or more that it's been out there -- well, it was about 6-800 k of registry entries @ about 200 bytes per entry, plus the headers and stuff involved in the backup I made before deleting this key, so that estimate was on the low side.
SpywareBlaster & Spybot Search & Destroy do have extensive ActiveX related blacklists.)
Fx has the best of all -- no native support. Just don't add it, and poof - no problem. I've rarely missed it, as more and more sites are getting away from it, or at least, writing the site so that the significant market share who runs Fx can use the site. One of my local govt. agencies introduced an AX-based feature on their web site. I wrote a blistering letter, first to the head of the agency, which was ignored. Then to the Commissioners, which also received no reply. But a year later, they unveiled their new site design, with a big, starred headline "No longer requires Active X!" :ugeek:

As for the dozen or two that were part of the Win OS, I was able to get rid of all but one, as in this thread. Cheers.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
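
The kill-bit count and the blacklist versus default-deny point discussed in the posts above, as an added example that is not part of any poster's message. It assumes the text of a .reg backup of Microsoft's documented ActiveX Compatibility key, already decoded to a string; the CLSIDs, the sample export and the function names are constructed for illustration.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE instantiating the control
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
    r"\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

# Constructed sample export; the CLSIDs are placeholders, not real controls.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000a}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000B}]
"Compatibility Flags"=dword:00020400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000C}]
"Compatibility Flags"=dword:00000000
"""

def kill_bitted_clsids(reg_text):
    """Split the CLSIDs in a decoded .reg export into (killed, not_killed)."""
    flags, clsid = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            clsid = key.group(1).upper()
            flags.setdefault(clsid, 0)   # key without a flags value: not killed
        elif line.startswith("["):
            clsid = None                 # unrelated key, ignore its values
        elif clsid and (val := FLAGS_RE.match(line)):
            flags[clsid] = int(val.group(1), 16)
    killed = sorted(c for c, f in flags.items() if f & KILL_BIT)
    return killed, sorted(c for c, f in flags.items() if not f & KILL_BIT)

def may_instantiate(clsid, killed, allowlist=None):
    """allowlist=None models the blacklist approach; a set models default-deny."""
    clsid = clsid.upper()
    if clsid in killed:
        return False
    return True if allowlist is None else clsid in allowlist

if __name__ == "__main__":
    killed, rest = kill_bitted_clsids(SAMPLE)
    unknown = "{00000000-0000-0000-0000-0000000000FF}"  # never seen by the list
    print(len(killed), "kill-bitted;", "blacklist lets unknown run:",
          may_instantiate(unknown, killed), "default-deny:",
          may_instantiate(unknown, killed, allowlist=set()))
```

A control the blacklist has never heard of is allowed under the kill-bit model and refused under default-deny, which is the difference the posters are pointing at.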
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Mozilla caring for popular Fx extensions?

Post by luntrus »

Hi Tom T.,

Just see where the thread on the avast general forum is going: http://forum.avast.com/index.php?topic= ... #msg517702
Well singing here to the choir is an easy enough task, but in accepting the use of NS there also is an emotional component at play!
People believe the lie that is told over and over again that the Internet is a relatively safe and secure place and going online with a browser out of the box is just a fun thing to do.
They haven't grasped yet that the Internet is "broken" for quite some time now and security threats may lurk everywhere like sharks in the ocean...
Just freeing users of that mistaken conception is such a hard task, my good forum friend, especially when they were untaught to think for themselves,

your NoScript using friend,

luntrus
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.16) Gecko/2010010414 Firefox/3.0.16 Flock/2.5.6