InformAction Forums

So, I'm a Ghostery user. I got to thinking: isn't this a duplication of effort?

Could NoScript be extended to accommodate blacklist import, export, subscriptions, or all of the above? In addition to not wanting to be tracked, I don't want some bizarre, 3rd-party JS--which the site owner may have zero control over, much less real understanding of--weakening my browser security posture. I especially hate when tracking scripts get injected into "secure" web pages, such as most major e-banking sites (in my experience).

I'm not especially trusting of a "subscription whitelist" idea, although I wouldn't argue against it, so long as I could elect not to use one. But a blacklist? I'd love to be able to take advantage of one. Any JS (or other content) that is *known* to not be needed to render / display / use a page or site sounds like a good thing to drop on the floor before it can tell someone what buttons I'm clicking in my "secure" Internet banking session.

At present, I'm checking Ghostery's "list of trackers detected on this page", which lists the URLs of the offending content, and then going and marking the serving hosts as untrusted in NoScript. Having that automated for me would be wonderful.

(Being able to block at the levels of domain, host, and URL sub-string would be great, too.)

Thanks for all the great work on NoScript!

This has come up before, many times. One problem is that you may *want* to allow an advertising script at myfavoritesite.com, to help support their free site with ad revenue, while still not wanting to run anywhere else.

I share your disgust at online financial sites loading outside scripts. One was doing it under their own domain name, in https. I hollered long enough and loudly enough that eventually it got through to their IT department, and they stopped that.

Some users choose to use the HOSTS file to block all contact with many known malware, spyware, data-mining, or advertising sites. One such free service is at
http://www.mvps.org/winhelp2002/hosts.htm

Please note that we can't endorse or offer support for others' products, or accept liability for your use of them. But speaking personally only, I find this very helpful in doing what you said, and the outgoing request is blocked before leaving the machine. Even if you try to reach these sites, you can't. If badsite.com is blocked. and you type it in the address bar, you'll get a "Unable to connect" message.

Food for thought.

Tom T. wrote:This has come up before, many times. One problem is that you may *want* to allow an advertising script at myfavoritesite.com, to help support their free site with ad revenue, while still not wanting to run anywhere else.

Took me some time to cogitate on that. Here's my new request, which would probably enable this one.

Just to point out, there is nothing to stop a user or group of users from coming together & "making a list" & using it themselves & offering it to others to use.

So if it is not done "officially", & you want something like that, Just do it (as Nike would say).

therube wrote:Just to point out, there is nothing to stop a user or group of users from coming together & "making a list" & using it themselves & offering it to others to use.

So if it is not done "officially", & you want something like that, Just do it (as Nike would say).

The missing piece is some minor(?) automation to check one or more user-specified servers and see if one or more lists has been updated. If so, download. (git would be ideal, bandwidth-wise--I think. And it could be hosted on github!)

I'm tempted to try to learn enough XUL to make something like that, but I have a fair idea how many platform--Is that right, or should I say Gecko?--bugs Giorgio's exposed, worked around, filed bugs against, etc. The idea of trying to bolt something onto NoScript, with zero prior extension-making experience, isn't an ideal prospect. I can "code" a mean userstyle, and I can wield bash like no one's business, but that's as close as I get to real coding, these days.

Anyway. Without the above, it doesn't look/sound very appealing. What I *might* do is see if I can stick my fangs into Ghostery's client-local DB and extract a useful list of Evul domains to mistrust. ...not that that helps when, as above, even supposedly PCI-compliant (HA!) banks are injecting Omniture and what have you into their own "secure" sites. But it would turn the red widget a friendlier blue/white/grey.

aloishammer wrote:The missing piece is some minor(?) automation to check one or more user-specified servers and see if one or more lists has been updated. If so, download. (git would be ideal, bandwidth-wise--I think. And it could be hosted on github!)...<snip>
What I *might* do is see if I can stick my fangs into Ghostery's client-local DB and extract a useful list of Evul domains to mistrust. ...not that that helps when, as above, even supposedly PCI-compliant (HA!) banks are injecting Omniture and what have you into their own "secure" sites. But it would turn the red widget a friendlier blue/white/grey.

"useful list of Evil domains" is a perfect description of the HOSTS file service that I mentioned. Updated about monthly; you may find other services that update more often. (in the interim, deny or investigate an unknown new source.) You can open it in text form to search for an evil site, but on its own, it blocks about 16,000 (ATM) known malware, spyware, adware, and generally-annoying or privacy-invading sites.

If evil.com is listed in a blocking HOSTS file, your browser cannot connect to it, even if you type evil.com in the address bar.

If you find bank.com running evil.com scripting, just add evil.com to the HOSTS file, mapping it to 0.0.0.0 or 255.255.255.0. Problem solved.

Does this not accomplish what you are trying to do?

Please note that this is not a NoScript issue, so this is a personal opinion only, and not endorsement by this forum, its Admin/Developer, or anyone else. Choose your own service carefully, as we cannot provide support or be responsible for your use of it.

aloishammer wrote:I'm tempted to try to learn enough XUL to make something like that,

With "something like that" you mean an extension that manages NoScript's whitelist by extending it with entries from an external location? You could try to realise everything without an UI first, so no need for XUL. Have a look at the add-on sdk, bookmark the appropriate documentation pages, forums and IRC channels, and start hacking.
Please let us (or at least me) know once your project takes shape.

dhouwn wrote:

aloishammer wrote:I'm tempted to try to learn enough XUL to make something like that,

With "something like that" you mean an extension that manages NoScript's whitelist by extending it with entries from an external location? You could try to realise everything without an UI first, so no need for XUL. Have a look at the add-on sdk, bookmark the appropriate documentation pages, forums and IRC channels, and start hacking.
Please let us (or at least me) know once your project takes shape.

Whoa, there. I am *so* not a developer. I don't know if I can find the time, esp. with me trying to learn Python, which is probably a much more marketable skill than XUL. I'm a sysadm/syseng by trade. Code is something people hand off to me to load onto a server. --unless it's shellcode, in which case I'm either automating something, or hacking around the developers' code.

The only reason I mention XUL is that I Iove Firefox for its intense customisability, and sometimes there's this little need I'd like to fill, that there's no extension or userscript for; and I can't handle it with CSS or keyconfig or whatever.

I guess my microphone isn't working... oh well.

Tom T. wrote:I guess my microphone isn't working... oh well.

I heard you:

aloishammer wrote: ...not that that helps when, as above, even supposedly PCI-compliant (HA!) banks are injecting Omniture and what have you into their own "secure" sites.

That was intended to be both a direct reference and, actually, an unspoken reference to my own experience with Citibank. Their massive card breach earlier this year was actually down to a horrifying if-you-have-a-valid-account-you-can-view-any-account site coding misfeature, but injecting foreign-vendor behaviour-tracking into a "secure" site doesn't give me warm fuzzies, either.

I'll look into it, but first I'm going to see if anyone's providing a fast, trustworthy DNS service of some kind that I can make use of. BIND and/or Unbound--I'm working on replacing the former with the latter--is considerably more useful, more elegant, and potentially faster than hosts file implementations.

Under "elegant", it would also be considerably more manageable. I already have custom hosts files for several reasons on multiple machines across two or--technically?--three OSes, and that's just at home. I'd rather not resort to shellcode and that to periodically regenerate /etc/hosts .

Tom T. wrote:I guess my microphone isn't working... oh well.

Incidentally, now that I've gone to look: wow, that's a darn big file. As of right now, Ghostery's list is reporting 681 "bugs", which I suspect translates to a roughly equivalent number of domains. From a year of using it, and periodically double-checking its accuracy, I would have said it was extremely comprehensive. Is this hosts file thing including "known malware" domains and that?

aloishammer wrote:Incidentally, now that I've gone to look: wow, that's a darn big file. As of right now, Ghostery's list is reporting 681 "bugs", which I suspect translates to a roughly equivalent number of domains. From a year of using it, and periodically double-checking its accuracy, I would have said it was extremely comprehensive. Is this hosts file thing including "known malware" domains and that?

I'm glad I didn't reply before your second post. My current HOSTS file has 16,346 lines, a few of which are overhead, so 16,000+ unique web sites.

Since you were kind enough to look at the file, perhaps look at the page?

MVPS HOSTS now includes most major parasites, hijackers and unwanted Adware/Spyware programs!

Editors Note: As time has progressed the focus of this project has changed from just blocking ads/banners to protecting the user from the many parasites that now exist on the Internet. It doesn't serve much purpose if you block the ad banner from displaying as most other HOSTS files do, but get hijacked by a parasite from an evil exploit or download contained on the web site.

Please note that that is their claim, not mine.
And that no list can *possibly* be all-inclusive; if you published one this minute, more evil sites would spring up in the next few minutes, surely.

However, that certainly is a lot more than your Ghostery file. I'd suggest downloading this or another HOSTS blocking-file of your choice, but saving to the desktop rather than using the built-in installer that puts it in \etc\. Then choose some random entries in Ghostery file, and do a search for them in Hosts. If Hosts contains most or all of Ghostery plus 15,000 more, wouldn't that be an epic win?

Also, browse randomly through it. You could also do a DOS file compare between the two, etc.

I used to use a freeware tool called SpywareBlaster, until I realized it was essentially a Hosts file wrapped in a pretty GUI (nothing wrong with that, of course.)

Banks: I had a similar experience, as said previously, with another financial institution running third-party data-mining scripting, something like media6degrees.com. (Isn't it terrible that of all web sites, banks seem to have the worst security?) In addition to complaining loudly, I added it to my Hosts file -- many flavors of it are now included in the current release. The only way the bank could circumvent that would be to change the source to their own domain name, or to break the page if you don't allow it. Either one sounds like a good reason to change banks and complain to the regulatory authorities.

Also, many of the data-miners have Surrogate Script that run by default when you block the original, or leave it default-denied. These surrogates make the page happy, but return no useful data to the miners. To see the current list of sources for which surrogates are provided, open about:config, type in the Filter bar
surr
which is enough to auto-complete. The list will populate.

And Giorgio has been very willing to write new surrogates when someone finds new evil.

I hope you find it a useful source, even as a text list vs. an actual functioning Hosts. And again, shop around -- there are a number of such services.