InformAction Forums

I'm not a computer tech so will describe this as best I can. Since installing Firefox 7, my NoScript add on isn't cooperating very well and I am wondering if this is widespread or just with me.

When I select to temporarily allow all this site, I can see that it releases more of the site, but I might have to make that selection 2, 3 and occasionally even 4 times before the entire page is active and I can get to what I need to. Before all it ever took was one click. Can someone advise me on this?

What you are seeing is normal & expected.
See, why doesn't "temporarily allow" do that?

Ok, I got it, but wonder why it never worked that way before.

If it's new and improved, it sure can take a lot of work and messing around to get a page to display correctly. I'm all for safety, but sure seems like something could be improved here.

Still don't understand why it never worked this way before.

Thanks for your time.

Nikilet wrote:Ok, I got it, but wonder why it never worked that way before.

If it's new and improved, it sure can take a lot of work and messing around to get a page to display correctly. I'm all for safety, but sure seems like something could be improved here.

Still don't understand why it never worked this way before.

Thanks for your time.

It's been that way for a long time, in my experience, still using Firefox 3.6. I don't think it's related to browser version, but to an ugly (IMHO) trend on the web.
May I try to explain it a little more?

You visit goodsite.com and allow it. You find that it needs to temp-allow siteA.com, siteB, and siteC. You temp-allow them.
The page reloads, and once the scripts from siteA.com are allowed to run, they call scripts from siteX.com, siteY.com, and siteZ.com.
This is what I call "cascading scripts" - probably not official terminology. (Hey, it should be. )

The reason NoScript doesn't automatically allow that third tier of scripts to run is that you presumably made a decision that A, B, and C were trustworthy. But you didn't know that X, Y, and Z would follow. Maybe you don't trust them. At least, you should have a chance to decide for yourself, look them up in mywot, check here, check other sources, etc.

Unfortunately, there's nothing to stop X or Y or Z from calling additional scripts, maybe from evil.com (It's happened, and a user got infected.) You would have to vet them or TA them, too. It's annoying, but NoScript is giving you full control, protecting your safety at the price of a bit of inconvenience. Blame the annoyance on sites that use this type of garbage, rather than on the tool that protects you from it. In other words, don't shoot the messenger.

If you truly want all scripts coming to that site to be enabled, you can go to NS menu > General and check "Scripts Globally Allowed (dangerous)". Then don't forget to uncheck it before going elsewhere. Personally, I'd rather run as few scripts as possible, so rather than temp-allow every generation of these cascading scripts, I'd just TA one at a time until I find what the page really *needs* to run. Then you'll know for the future.

Most of the later scripts are data-miners, ad agencies, marketers, connections to Facebook and other social sites that you might not want running at the moment, etc. I share your dismay at the inconvenience, but this is the way the Web is going, and it's vital to have NoScript to prevent these resource-hogging, privacy-invasive, and possibly malicious scripts from running.

If you have an example of a site that you think has changed since your use of Fx 7, post it, and I'll see what is the minimum to allow.

Thank you for the explanation. It actually makes perfect sense to me. No need to go further with it.

Wish you could help and explain that darned IE9. That thing is terrible! Sometimes when you select to turn off ActiveX filtering, it doesn't turn it off and I know of nothing further one can do to accomplish that. There are other things too that are just nuts.

Anyway, thanks again!

Nikilet wrote:Thank you for the explanation. It actually makes perfect sense to me. No need to go further with it.

You're very welcome. I should have added that when you don't allow these data-miners and some others, there are Surrogate Script set to run by default, to keep the page happy while protecting your privacy. So you should be able to mark them Untrusted, which means they'll never show up in the menu again. Makes for a much shorter menu list. If you ever actually need the real script (rare), you can still point to Untrusted in NS menu and temp-allow.

To see the list of script sources that have NoScript surrogates, open about:config and type surrogate in the Filter bar.

Wish you could help and explain that darned IE9.

No one can explain IE. Not even MS.

That thing is terrible! Sometimes when you select to turn off ActiveX filtering, it doesn't turn it off and I know of nothing further one can do to accomplish that.

Are you saying, when you want to *allow* AX, or *forbid* it? FWIW, most sites are adapting to non-AX versions, as Firefox and other browsers surpass IE in market share. I haven't found a single site that suffers from the lack of AX, except for MS Update, and you can even get those with Firefox, if you're willing to do a bit of vetting. (I like to vet the MS Updates anyway, as not all have been, uh, "necessary".) Here's the info, and it prevents MS's AX tool from sniffing around in your machine.
http://forums.informaction.com/viewtopi ... 753#p31753

There are other things too that are just nuts.

So why use it at all?

Anyway, thanks again!

Again, you're welcome, and if you have a particular site or two in mind that is too contorted, the offer to vet it for minimal scripts is still good, subject to time constraints. (We're all volunteers, donating whatever time we can.)

I'd like to explain myself. One of the main reasons I am using IE at all is because of the HP Smart Print, which I can not use in Firefox. I was using HP Smart Web Printing before this version 7, but it's no longer compatible. Also, I have RoboForm and Firefox has not done what is necessary to make RoboForm compatible with the newest version. I know there are many, many out there who have bought and paid for RoboForm and can't imagine why Firefox isn't taking that into consideration.

However, these things aside I am really tired of messing with all the kinks in IE and have made Firefox my default browser. I have also installed LastPass on it, altho in view of their recent security breech, this leaves me with a bit of worry.

What you referred me to about Surrogate Scripts ... Well, the truth is I just didn't really understand it. I got the concept behind it but after reading the page, I still wouldn't know what I need to do.

Once again, I thank you for all the time you've spent clarifying things for me.

Nikilet wrote:[...] RoboForm and Firefox has not done what is necessary to make RoboForm compatible with the newest version. I know there are many, many out there who have bought and paid for RoboForm and can't imagine why Firefox isn't taking that into consideration.[..]

You are a bit misinformed it seems and confused as to what's involved. RoboForm (I am a user myself and I have the latest version of both that AND Fx) works just fine. The compatibility and adaptability of RF functionality in Fx is due to the adapter that RF adds, nothing to do with Fx. Although in theory RF should be able to communicate and attach to the browser even with the adapter not there, but works better if it has that surrogate chrome hook. As much as I am disappointed in Fx and would love to lay the blame at their door, this is not their job to make a third party software compatible, its the developers of that app that need to keep up, specially that you are paying for it and you need to get that support maintenance. If you have any more questions or concerns on RoboForm aspect of it, talk to me, I will help you with it, as I am a LONG time user myself and contributor to the project and I can resolve most of the user end issues and should a feature or function be limited, I can push the fix or at least the request to the dev team a bit easier. Although using their support channel would get you the same effect, just would require you stick with it.

Which version of RF are you using? Your adapter version? 7.5.3 which is what I am using right now, is the version for both the app and also the adapter and the compatibility was added quickly and as of now set to go through any Fx release ending with 8.0 so it should remain compatible for a while. They also stay on top of beta or alpha development of the next trunk and usually have a patch ready to go as soon as its pushed out finally after finalization.

I agree with what you said about it being RoboForm's responsibility to keep their product updated to work with the latest browsers, etc. Maybe mine isn't working with FX because I am not using the latest version of RoboForm. I feel they were dishonest with their customers when they charged for the v7 update. When I purchased the program it was supposed to be a one-time charge, and frankly, I'm really not interested in hearing any excuses because it is what it is. My version is 6.10.2.0.

To be honest, I was trying to decide what I was going to do because I am one who does not like to be running outdated versions of programs. I was pretty close to going with the paid version of LastPass, and then they had that security issue so it kind of stopped me. Now that I've downloaded the free version and have been using it, I think it has some nice features that my version of RF does not have. Perhaps the newer version of RF also has those features.

What is your feeling on this? I see my security program, Avast, also offers a password manager now.

I know, I was upset with that as well. Many customers who contacted them via support and expressed that got a free license upgrade, you might want to check into that and talk to them about it, especially that you are having compatibility issues. But at the very least, you can download the stand alone adapter for Rf from the site, and that should make the middle man connection a bit smoother and hopefully resolve your issue. Look into that by contacting support and they should be able to send you the link or the xpi for that.

Nikilet wrote:To be honest, I was trying to decide what I was going to do because I am one who does not like to be running outdated versions of programs. I was pretty close to going with the paid version of LastPass, and then they had that security issue so it kind of stopped me. Now that I've downloaded the free version and have been using it, I think it has some nice features that my version of RF does not have. Perhaps the newer version of RF also has those features.

IMHO, for something as important as a password manager (considering that this is the only way to access your password) I would be less inclined to use proprietary software for a number of reasons, one of them being that you are probably dependent on the goodwill of the developers to easily access and use what is important to you.

What about KeePass? I personally have no experience with it (I prefer generating my passwords through hashing of a master password combined with the page domain OTF) but there seems to be at least one extension working with the latest Firefox version for it: https://addons.mozilla.org/firefox/search/?q=keepass

The free and open-source Password Safe is strictly self-contained, and can even be put on a USB flash drive, which can then be used on any Windows machine anywhere, without leaving any clues on the host machine about your passwords, etc. About 1.5 MB. You can back up all your passwords by simply copying the always-encrypted password file to a flash drive or whatever.

Cryptography by world-class cryptographer Bruce Schneier. And no need to contact any third-party web site.
I've been using it for years, and have found no need to use proprietary software, and it's safer not to depend on third parties or their servers. IMHO. YMMV.

Gave kind of a rushed response before; wanted to elaborate.

Password Safe uses just a single small file to store your user/pass, plus a place to store "security question" answers, PINs, etc. This file is presently a mere 16 kb for me, and that's with 63 u/p entries. That one file is *all* that you ever need to back up. If your hard drive dies or whatever, just do a reinstall of that tiny program, and replace the default file with your backup file. All of your data will be available, and you're "back up" (sorry!) and running.

It will auto-browse to the selected site for you with one click, and will auto-enter user/pass and submit with another single click. It also has a built-in crypto-strength password generator, which can be set to whatever yours and the site's policies are. E. g., number of characters, only alphanumerics if that's all the site will allow, minimum # of upper case or lower case characters, minimum # of numerals, keyboard characters if allowed, minimum # of those to use. Or hex only, if required. Or only easy-to-read characters, e. g. not lower case "L" and numeral "1", because they are too easy to confuse.

Many more options and configurations to your taste. But the point is, you are not dependent on any company, including the PWS developers. Once you set it up, you never need to visit their site. If they go out of business tomorrow, you're good for the rest of your life (barring some monstrous change in access to Fx login boxes, of course). Currently supports Windows 2000 through 7, in both 32 and 64 bits. And since I last looked, has been ported to Linux.

No need to worry about database breaches like LastPass, because they don't have your creds. YOU, and you alone, have them, in this small file that is always encrypted, and can live on your own hard drive, Flash drive, whatever. You need to remember only a single master password to open the "safe". Write it down or otherwise store it, in a *very* safe place -- not near your computer, please! -- in case you ever forget it. With a proper, strong master PW, no one else can ever open it. I doubt NSA could (at least, *mathematically* ). I'll send mine to anyone who wants to try.

According to Steve Gibosn's brute-force analyzer, the total number of possibilities for my own master pw is
4.93 x 10^27.

Time Required to Exhaustively Search this Password's Space:
Online Attack Scenario:
(Assuming one thousand guesses per second) 1.57 thousand trillion centuries

Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 15.67 million centuries

Massive Cracking Array Scenario: (NSA or other Gov? - Tom T.)
(Assuming one hundred trillion guesses per second) 15.67 thousand centuries

I have used this for several years, wouldn't live without it, and wouldn't consider anything else.

DISCLAIMER: The above is my own personal opinion, based on my own experience and research, and does not represent the views of, or endorsement by, this forum, its Admin/Developer, or any other person but myself. I have no personal or financial connection to Password Safe, and it's freeware, anyway. However, because I cannot control the product itself, nor how you use it, I cannot accept any responsibility or liability for your use of it, nor for any consequences of your use of it. IF YOU DO NOT ACCEPT THESE TERMS, DO NOT CONSIDER, HEED, OR USE THIS OPINION.

Nikilet wrote:What you referred me to about Surrogate Scripts ... Well, the truth is I just didn't really understand it. I got the concept behind it but after reading the page, I still wouldn't know what I need to do.

Nothing. That's the beauty of it. Just leave all unwanted scripts blocked by default, as the entire universe is when you first install NS. Mark the pesky, frequent ones as Untrusted, to shorten the length of the menu considerably, and not be bothered by ever seeing them again. NS will automatically run the surrogate for you, making the page happy while sending no actual information to the data-miners and ad agencies.

The only time you would need to do something is if for some reason you want to allow one of the real scripts to run at some site. You do just as before: click Temp-Allow in the menu, or if it's in Untrusted, point to Untrusted, then click the one(s) you want to TA. But why? -- when the page is happy?

I just wanted to add one thing before I stop watching this topic. I went with the free version of LastPass and you couldn't drag me back to RoboForm. There are one or two small areas in RF where it might be a bit better, but I am really enjoying LastPass and highly recommend it.

Thanks to everyone who took time to post to my concerns.

Nikilet wrote:I just wanted to add one thing before I stop watching this topic. I went with the free version of LastPass and you couldn't drag me back to RoboForm. There are one or two small areas in RF where it might be a bit better, but I am really enjoying LastPass and highly recommend it.

Even though they had one security breach before, and could again? ... It takes only a minute to dowloand Password Safe, and a couple of minutes to set up and to enter your data. You could try this out *without* giving up LastPass, since they don't conflict. (PWS doesn't contact the Internet at all, since it's all stored on your machine or flash drive.) But if you're happy, we're happy.

Nikilet wrote:Thanks to everyone who took time to post to my concerns.

You're quite welcome.