View Full Version : FF NoScript ext.


davidh
February 11th, 2007, 11:09 PM
I am running FF 2.0 on Win 98 500Mhz K6

Seems like it's better to allow scripts temporarily on sites unless I intend to visit them often. Otherwise, the actual enabling of scripts eventually becomes very slow. I assume this is because the management of the list of enabled sites by the NoScript extension might be implemented in some kind of interpreted script language instead of compiled fast machine code.

DH

ndebord
February 14th, 2007, 10:33 PM
I am running FF 2.0 on Win 98 500Mhz K6

Seems like it's better to allow scripts temporarily on sites unless I intend to visit them often. Otherwise, the actual enabling of scripts eventually becomes very slow. I assume this is because the management of the list of enabled sites by the NoScript extension might be implemented in some kind of interpreted script language instead of compiled fast machine code.

DH

David,

The NoScript thing, now in use as a toggle in some versions of K-Meleon and available as extensions in SeaMonkey and FireFox, is a chancy thing. When it works, it works well, the rest of the time it is frustration city imo.

davidh
February 15th, 2007, 10:34 AM
The NoScript thing, now in use as a toggle in some versions of K-Meleon and available as extensions in SeaMonkey and FireFox, is a chancy thing. When it works, it works well, the rest of the time it is frustration city imo.

Seems to me that there's enough zero-day exploits in the wild that it's probably worth running NoScript. There's no way that I can see that I would never click, either by accident or intentionally, on a site that doesn't use a script to spread an exploit. Resident virus scanner and spy-ware blocker could well be useless against a zero-day exploit.

After deleting all my permitted sites and starting over by enabling scripts only on sites that I intend to visit regularly, it seems to run faster.

There's more than a few sites that require javascript and/or flash to view anything at all, otherwise they appear blank or nearly blank. Rather stupid design IMO, but to be expected, more or less.

The earlier versions of NoScript seemed to give me trouble on the earlier (before 2.0) versions of FF on Win 98 on some sites such as Yahoo mail, but it's now ok. I use the old Yahoo mail, not the new beta (requires XP).

DH

P.S.
It seems that this forum software does NOT require scripts enabled in browser to post msgs in non-enhanced mode.

davidh
February 15th, 2007, 10:36 AM
But apparently javascript must be enabled to get thread view here.

DH

ndebord
February 15th, 2007, 11:40 AM
David,

DH>> Seems to me that there's enough zero-day exploits in the wild that it's probably worth running NoScript. There's no way that I can see that I would never click, either by accident or intentionally, on a site that doesn't use a script to spread an exploit. Resident virus scanner and spy-ware blocker could well be useless against a zero-day exploit.

Could you explain this possible exploit? I've not followed the debate closely in the past.

Tks,

davidh
February 15th, 2007, 08:36 PM
David,

DH>> Seems to me that there's enough zero-day exploits in the wild that it's probably worth running NoScript. There's no way that I can see that I would never click, either by accident or intentionally, on a site that doesn't use a script to spread an exploit. Resident virus scanner and spy-ware blocker could well be useless against a zero-day exploit.

Could you explain this possible exploit? I've not followed the debate closely in the past.

Tks,

I think that zero-day is a general term. Basically meaning that
1. your virus scanner or maybe everybody's virus scanners do not have a "signature" to detect it.
2. heuristic scanning can't detect it
3. a patch has not been released yet for the software in which the hole exists

It seems to be a trend that Microsoft is not patching some holes for one or more months, even though exploits are in the wild (running loose on the net).

Therefore it's probably wise to use additional protection, beyond virus killers and spyware killers and firewalls, such as:
1. NoScript in FF (or set security high in MS IE and put frequently used sites in "trusted zone")
2. Use SiteHound or McAfee SiteAdvisor
3. FlashBlock
4. disable auto viewing of images in email
etc.

Of course, even the suggested multiple levels of protection mentioned will still not protect your system 100% in the case where you download (by email or web) a zero-day file that is not yet detectable by signature or heuristics.

However, at least the disabling of javascript (or ActiveX - security high in IE) will put a significant barrier against exploits that can attack your PC instantaneously with no user intervention more than merely viewing a URL or an email.

DH

P.S.
There is no safe haven. Even text-only network clients (web, email, telnet, etc.) in LINUX/UNIX are somewhat vulnerable to exploits unless your UNIX system is fully patched.

I read the RSS feeds from Internet Storm Center almost daily.

ndebord
February 15th, 2007, 11:09 PM
David,

I have NoScript and AdBlock in KM, but don't use either. Found some sites where the stuff I added (or perhaps the defaults) made the sites semi-unworkable. I prefer to use the toggle icon in KM to turn javascript off and on. I also have a kill flash icon that I use, but that is not the same as a toggle for flash.

I'll have to look at this much more closely.

Tks,

Gary Maltzen
February 15th, 2007, 11:43 PM
With the increasing adoption of AJAX - the "J" meaning "Javascript" - the problem is that you really do not want JS turned off generally, but a JS that is securely sandboxed.

vBulletin (here, DTP) and IkonBoard (Snarkish) make substantial use of JS to improve the user experience by transferring functionality down to the client.

davidh
February 16th, 2007, 09:09 AM
David,

I have NoScript and AdBlock in KM, but don't use either. Found some sites where the stuff I added (or perhaps the defaults) made the sites semi-unworkable. I prefer to use the toggle icon in KM to turn javascript off and on. I also have a kill flash icon that I use, but that is not the same as a toggle for flash.

I'll have to look at this much more closely.

Tks,
To me, it's annoying to have to tell NoScript to enable js on a site. And the chances of getting hit on any given day are low. But then I think of how many hours of work it would take if my system got clobbered by the bad guys.

As Gary pointed out elsewhere in this thread the annoyance will probably increase in future because of AJAX, but I'll probably keep putting up with it.

DH

davidh
February 19th, 2007, 04:56 PM
BTW FYI NoScript would probably protect against this javascript attack on router DNS:

http://www.tapcis.com/forums/showthread.php?t=4476

provided that one's FF trusted sites themselves did not get infected/hacked.

I suppose some ISPs might NOT want you to change the factory default router password, so that they could do remote support? (Don't really know about that, no experience.)

DH

Mike
February 20th, 2007, 12:56 AM
I suppose some ISPs might NOT want you to change the factory default router password, so that they could do remote support? (Don't really know about that, no experience.)
That would also require that one turn on that ability, and every router that I've seen has that feature turned off by default.