Firefox Add-on: NoScript
https://addons.mozilla.org/en-US/firefox/addon/722
Who here uses NoScript for Firefox? I haven't mentioned it in my security setup/approach, but I have been using NoScript for several years. It almost feels wrong to surf the internet without NoScript.
demoneye was just chatting to me about scripted keyloggers ( http://www.sandboxie.com/index.php?DetectingKeyLoggers#script ) that could steal information that you type in etc. I'm realising now that NoScript will most likely block all these out. And we're not talking about just keyloggers either - we're talking about web-sites contaminated by screenloggers, clipboard loggers etc etc. In my opinion, NoScript is very powerful indeed.
Also, it suits my security setup/approach perfectly - as I implied, I use Firefox as my main browser, and it is forced sandboxed with Sandboxie. NoScript alone would protect me from script keyloggers. I then use IE 8 as my browser for sensitive browsing - anything I do is completely removed once I close IE 8, since I have configured Sandboxie to automatically delete when IE 8 closes. This means that any script keyloggers (or any malware for that matter) I may have picked up with IE 8 are completely deleted.
To conclude, against script keyloggers, my Firefox browser is protected by NoScript, while my IE browser is protected by the "security approach" of always deleting the sandbox on exiting.
Re: Firefox Add-on: NoScript
I'm using NoScript - a must have addon for Firefox.
Ruhe- Valued Member
- Posts : 261
Join date : 2010-04-16
Location : Germany
Re: Firefox Add-on: NoScript
Indeed. I think Firefox with NoScript makes it the safest browser of them all.
Furthermore, I don't see the need for Chrome's sandboxing technology, given I always use Sandboxie.
Guess who is coming ......
SSJ,
Please have a look at this Wilders thread. http://www.wilderssecurity.com/showthread.php?t=272374 This puts claims of Firefox being the safest browser in perspective.
Extract
Until recently Firefox was way behind the competition, they really made up ground recently
- cross site scripting = implemented in 3.6
- prevent installing add-ons in installation directory directly = component lockdown feature in 3.6
- mime enforcing = planned somewhere in 3.6.?
- out of process execution of plug-in/add-ons = planned in 3.6.4 (electrolysis first steps)
Sandboxing (like chrome) not planned in FF V4
Regards Kees
Guest- Guest
Re: Firefox Add-on: NoScript
Thanks Kees. I don't think people were generally saying Firefox was the safest browser, but that it was safer than IE 6. With NoScript (something that I have become so used to using and don't feel right browsing without it), as well as numerous other optional security add-ons, Firefox can become a very secure browser.
Regardless, I always sandbox both my browsers (Firefox 3.6 and IE 8) whenever I use them - in fact, Sandboxie forces them to open sandboxed.
Oh and finally, I was a long time Opera user (used Opera versions 6 through 8), then got sick of the incorrect rendering that never seemed to get fixed. Eventually moved to Firefox 3.0 and I've never looked back.
Re: Firefox Add-on: NoScript
Well,
To be honest I was surprised at how much ground FF had made up. Anyway, when using Sandboxie, SafeSpace, BufferZone, GeSWall, or DefenseWall it really is a non-issue which browser you are using. Even IE6 will be safe with that kind of protection.
Regards
Guest- Guest
Re: Firefox Add-on: NoScript
In my case NoScript is the reason why Firefox is the browser that I use
for everything except Windows update. I feel like you ssj100, that I don't
feel right browsing without it. To me NoScript and Sbxie are a must for all
browsing and I feel at ease only if I am using them.
Bo
bo.elam- Member
- Posts : 18
Join date : 2010-06-04
Re: Firefox Add-on: NoScript
bo.elam wrote:In my case NoScript is the reason why Firefox is the browser that I use
for everything except Windows update. I feel like you ssj100, that I don't
feel right browsing without it. To me NoScript and Sbxie are a must for all
browsing and I feel at ease only if I am using them.
Bo
Welcome to the world of software security addiction/dependence!
Re: Firefox Add-on: NoScript
Well,
IMO you either use strict policy management of the OS and use group policy to harden your setup (e.g. protecting IE8, disabling autorun, etc) or use a policy management software (DefenseWall or GeSWall) or use application sandboxing (SBIE or BufferZone). So no discussion on your SBIE choice.
But let's get real:
Difference between FF + NoScript and Chrome is that you can set it on a per script basis (Chrome allows script blocking per site).
When scripts can not be blocked by Anti Virus companies (webfiltering is code examination with IP and executable blacklisting), most advanced feature is realtime script analysis: how in the world can anyone determine on a SCRIPT basis what is good or wrong?
You would need Sandbuster analysis features on SCRIPTS to determine this by yourself or run every script with AE2 and afterwards allow it.
Considering the usability implication I can't believe anyone being so paranoid. Maybe professional malware fighters will do this selectively (doing their job analysing the code flow of events).
So why use FF + NoScript instead of Chrome (or Chromium without id tracking) out of the box?
Regards Kees
Guest- Guest
Re: Firefox Add-on: NoScript
Kees1958 wrote:Well,
IMO you either use strict policy management of the OS and use group policy to harden your setup (e.g. protecting IE8, disabling autorun, etc) or use a policy management software (DefenseWall or GeSWall) or use application sandboxing (SBIE or BufferZone). So no discussion on your SBIE choice.
But let's get real:
Difference between FF + NoScript and Chrome is that you can set it on a per script basis (Chrome allows script blocking per site).
When scripts can not be blocked by Anti Virus companies (webfiltering is code examination with IP and executable blacklisting), most advanced feature is realtime script analysis: how in the world can anyone determine on a SCRIPT basis what is good or wrong?
You would need Sandbuster analysis features on SCRIPTS to determine this by yourself or run every script with AE2 and afterwards allow it.
Considering the usability implication I can't believe anyone being so paranoid. Maybe professional malware fighters will do this selectively (doing their job analysing the code flow of events).
So why use FF + NoScript instead of Chrome (or Chromium without id tracking) out of the box?
Regards Kees
I find NoScript fun also because it reduces the page loading time! Haha. Seriously though, why load extra scripts when all you want to do is read the text on a web-site.
Oh and also Chrome doesn't have a Firefox add-on supplied by my ISP which tells me how much data I've used so far per month (yes, the country I live in either charges you a lot for "unlimited" internet usage, or gives you a data cap per month).
Also, there are many other reasons people like using Firefox including usability and flexibility.
Also:
bellgamin wrote:Google Chrome is not something I will use or ever again install. Here are just a few of many reasons why Chrome is a no-way for me...
1- It gives you NO choice as to which folder you want to install it in.
2- Instead of installing it in C:\Program Files like most every other program, Google puts Chrome, without notification or asking permission, into C:\Documents and Settings.
3- It updates directly to its own folder, instead of allowing you to download the update file so that you can scan it, save it for back-up, etc.
4- When you uninstall Chrome, it leaves behind Google's updater. My firewall notified me that the bugger was trying to call home.
5- There is no way within Chrome's user-interface to set the cache size or location.
6- It silently auto-updates Flash-Player
OTOH, I dearly looove Chrome+. It has NONE of Chrome's bad habits and ALL of Chrome's benefits.
Re: Firefox Add-on: NoScript
The reasons for using FF are fair.
I am just reacting to the lack of script blocking, because Chrome has the ability to block on website level.
When you install Chrome from the Google pack, it installs in the Program Files directory, which makes it possible to apply policy management on ALL files.
Chrome installing through website request installs in C:\Documents and Settings, which requires you to allow dll's in your SRP policy. Now that is a BIG reason not to choose for Chrome IMO.
Guest- Guest
Re: Firefox Add-on: NoScript
http://www.raymond.cc/blog/archives/2010/10/16/noscript-protects-and-speeds-up-web-browsing/
Raymond (finally) discovers the power of Firefox NoScript!
Re: Firefox Add-on: NoScript
Although I use NoScript myself (no exceptions configured at all, default whitelist removed) I would be very, very careful, looking at NoScript as a security tool. It's just a content filter, nothing more, and it can be used only against bad guys who
1) have never heard about it (very unlikely) and
2) are too lazy to code around it.
I don't even trust it to block plugins - I just REMOVED all plugins from Firefox, which is an idiot-proof measure.
There are some potential risks I'd like to point out:
1) You should keep in mind that, as a rule, behavior blockers, anti-executables, SRP, Parental Controls, etc. don't block extensions (.xpi files). They just don't regard them as executables.
2) Extensions are mainly written by non-professionals.
3) All extensions have the same rights within the browser. Even worse: they have the same rights as the browser itself. I hope the potential consequences are clear. One extension may disable or hamper the others. You've probably heard about the browser crashing because of incompatible extensions.
4) As soon as you whitelist a site in NoScript (even temporarily), you are potentially in trouble. It helps to use full addresses and not the default 2nd domain settings. But on a subdomain there might be one good script and a bad one, which will be both allowed.
That's where Default Deny (default block filter = *) in Adblock Plus comes in: you can even block separate scripts on one and the same subdomain and allow only the elements you really need.
Elements blocked by Adblock Plus:
* script
* image
* background
* stylesheet
* object
* xbl bindings
* ping
* xmlhttprequest
* object-subrequest
* dtd
* subdocument (e.g. frames)
* document (=the page itself)
* miscellaneous types of requests
More info about the potential risks with extensions here: Abusing Firefox Extensions (PDF document; 1.82MB)
Paul
p2u- Valued Member
- Posts : 211
Join date : 2010-12-14
Re: Firefox Add-on: NoScript
Hi p2u, thanks for yet another informative post.
As I've said before, I mainly use NoScript to block out "junk" content so web-sites can potentially load faster etc. Also, I feel that it could potentially block malicious logging (keylogging, clipboard logging etc) in the form of a malicious script while I browse with my sandboxed "ordinary" browser. I mean, even though I call it "ordinary" browsing, I'm still having to input usernames and passwords for eg. e-mail accounts etc.
For online banking etc, I use a separate browser that is forced sandboxed, and this sandbox always automatically empties when the browser closes.
Of course, in general, the use of Sandboxie makes a mockery of discussions like this - if you use it with a good security approach, NoScript (and everything else for that matter) is essentially useless from a security point of view. With Sandboxie, the user stops caring about what file extensions could run etc - not only will malicious processes struggle to run in a tightly configured sandbox, but deleting the sandbox flushes everything away anyway.
But for argument's sake, let's take Sandboxie out of the picture here (after all, not everyone uses it). I have a few questions regarding NoScript and Adblock Plus (some questions will probably have over-lapping answers, and also you've probably mostly answered them in your previous post, but bear with me please!):
1. What exactly are the differences with these two from a security perspective?
2. Why would you use both (you have implied in your previous post that you use both)?
3. If you had to choose only one, which would be better from a security perspective?
4. What exactly are the differences between Adblock and Adblock Plus (from a security perspective)?
To be honest, I always felt that NoScript was generally more powerful than Adblock (security-wise) - I've never actually played around much with Adblock, but I may do so in the near future (depending on your answers to the above questions).
Thanks!
Re: Firefox Add-on: NoScript
ssj100 wrote:1. What exactly are the differences with these two from a security perspective?
My main concern is that filtering content could be unbeatable security, but it should actually be done on driver (=system) level. If you are talking about real security, then they are both equal: they may or may not prevent straightforward damage to the browser. You can also use them to prevent device fingerprinting and tracking. BUT: one browser crash and all your Adblock Plus rules may be gone (I had that happen to me once).
On the content filtering level, you should understand that not all exploits need javascript to work and not all attacks are aimed against plugins. You can do really bad stuff with stylesheets, for example. Adblock Plus is able to block separate stylesheets on one and the same subdomain (which NoScript just can't do) and in general, it just allows for more precise settings (=blocking).
ssj100 wrote:2. Why would you use both (you have implied in your previous post that you use both)?
See above.
ssj100 wrote:3. If you had to choose only one, which would be better from a security perspective?
I would probably choose NoScript. Adblock Plus with the default deny filter * is very powerful, BUT as I said before, I once had a browser crash and all my Adblock Plus rules were gone (the end of my so-called 'security'), while NoScript was still there.
Paul
p2u- Valued Member
- Posts : 211
Join date : 2010-12-14
Re: Firefox Add-on: NoScript
ssj100 wrote:So there's no way to export Adblock Plus rules?
There is (Open Adblock Plus. 'Filters' - 'Export custom filters'). You can save the filter list as a text document and import the filters anytime you want. I just wanted to point out how fragile everything is. Good security implies at least some degree of self-protection in the defending application.
Paul
p2u- Valued Member
- Posts : 211
Join date : 2010-12-14
Re: Firefox Add-on: NoScript
Thanks p2u. It sounds to me that if one could only choose between Adblock Plus and NoScript, one should go for Adblock Plus. This is unless you can reliably reproduce that crashing the browser will always render Adblock Plus useless, while NoScript is preserved. What do you think?
So to clarify, if Adblock Plus crashed exactly as often (or as infrequently) as NoScript, it would be useless having both add-ons installed from a security perspective?
Re: Firefox Add-on: NoScript
ssj100 wrote:Thanks p2u. It sounds to me that if one could only choose between Adblock Plus and NoScript, one should go for Adblock Plus.
Adblock Plus with the default deny filter * (allows only text) and configured rules only for needed domains is certainly stronger than NoScript. The trouble with the crash I had is probably the huge number of powercuts we have to face here in some regions around Moscow.
Paul
p2u- Valued Member
- Posts : 211
Join date : 2010-12-14
Re: Firefox Add-on: NoScript
Using the default deny filter * makes for a very limited internet experience!
Also, I like how with NoScript, you are able to very conveniently temporarily allow scripts without having to remember to disable them after (it resets back once you quit your browser).
However, Adblock Plus certainly has significant advantages, and I would probably switch to it (or use it in addition to NoScript) if I didn't have the luxury of Sandboxie. I like to keep things simple and have as few extensions as possible.
Re: Firefox Add-on: NoScript
ssj100 wrote:Using the default deny filter * makes for a very limited internet experience!
Depends on what you want. On most sites, setting
- Code:
@@|http://example.com/$stylesheet,background,image
There are places where part of the 'interface' spreads through different domains. For example:
For this forum my whitelist rules are:
- Code:
@@|http://ssj100.forumotion.com/$stylesheet
@@|http://illiweb.com/$image
- Code:
@@|http://*.imgfast.net/$image
p2u- Valued Member
- Posts : 211
Join date : 2010-12-14
Re: Firefox Add-on: NoScript
Wow, that looks impressive, but it's probably a bit too much configuring for me (and probably 99.99% of everyone out there). I'm sticking with NoScript (and Sandboxie) for now.
However, if you ever get time, perhaps you could give us a tutorial on how exactly to manually implement those specific filters (probably best to pretend that you're explaining it to a 90 year old Grandmother who's never seen a PC before haha). For example, I have no idea what "@@" and "$" means...
Re: Firefox Add-on: NoScript
ssj100 wrote:However, if you ever get time, perhaps you could give us a tutorial on how exactly to manually implement those specific filters
OK, I will do that really soon. It looks much more complicated than it really is.
"@@|http://" is automatically created when you work through the 'open blockable elements' interface; you don't need to write that. When you've decided where most of the interface elements come from, after the slash of that domain you delete the exact location of the element and you write '$', (which means 'exception') and then you set the type(s) of element(s). 'OK' and you're done.
P.S.: I forgot to point out another huge advantage: the phishing industry is out of business with such an approach. Suppose someone creates a fake site for this forum and sends me a fake e-mail notification in your name. When I act really stupidly and click on the link (something you should NEVER do in your e-mail client and/or messenger), the end result will be a blank page with only text. I'll know for sure that I've been had and won't try to log in, right? Since I also default-deny cookies from anywhere with Cookie Button, its icon will be a red cross, and not a green check-sign.
Paul
p2u- Valued Member
- Posts : 211
Join date : 2010-12-14
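The default-deny setup p2u describes in the two posts above (block filter `*` plus `@@` exceptions per domain and element type), as an added JavaScript sketch that is not part of the thread and not Adblock Plus's own code. It models only the subset of filter syntax used in these posts (in Adblock Plus syntax, `@@` marks an exception rule, a leading `|` anchors the match at the start of the address, and `$` introduces the option list); the request URLs, including the `forum-login.example` host, are constructed.

```javascript
// Simplified model of the Adblock Plus rules quoted in this thread:
//   "@@" prefix -> exception (whitelist) rule
//   leading "|" -> pattern must match from the start of the address
//   "*"         -> wildcard
//   "$a,b"      -> options; only content types are modelled here
function parseFilter(line) {
  let text = line.trim();
  const exception = text.startsWith("@@");
  if (exception) text = text.slice(2);

  // Split off the option list after the last "$".
  let types = null; // null = rule applies to every content type
  const dollar = text.lastIndexOf("$");
  if (dollar !== -1) {
    types = new Set(text.slice(dollar + 1).split(",").map(t => t.trim()).filter(Boolean));
    text = text.slice(0, dollar);
  }

  const anchored = text.startsWith("|");
  if (anchored) text = text.slice(1);

  // Escape regex metacharacters, then turn the filter wildcard "*" into ".*".
  const body = text.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return { raw: line, exception, types, regex: new RegExp((anchored ? "^" : "") + body) };
}

// An exception rule that matches always wins over a blocking rule.
function decide(filters, request) {
  const hits = filters.filter(f =>
    (f.types === null || f.types.has(request.type)) && f.regex.test(request.url));
  const allow = hits.find(f => f.exception);
  if (allow) return { action: "allow", rule: allow.raw };
  const block = hits.find(f => !f.exception);
  return block ? { action: "block", rule: block.raw } : { action: "allow", rule: null };
}

// Default deny plus the whitelist rules p2u posted for this forum.
const THREAD_FILTERS = [
  "*",
  "@@|http://ssj100.forumotion.com/$stylesheet",
  "@@|http://illiweb.com/$image",
  "@@|http://*.imgfast.net/$image",
];

// Constructed sample requests (paths and the lookalike host are made up).
const SAMPLE_REQUESTS = [
  { url: "http://ssj100.forumotion.com/style.css", type: "stylesheet" },
  { url: "http://ssj100.forumotion.com/forum.js", type: "script" },
  { url: "http://illiweb.com/fa/logo.png", type: "image" },
  { url: "http://pic.imgfast.net/avatar.png", type: "image" },
  // Fake copy of the forum: nothing is whitelisted for its host, so only text renders.
  { url: "http://forum-login.example/style.css", type: "stylesheet" },
  // Whitelisted address appears later in the URL; the "|" anchor keeps it from matching.
  { url: "http://forum-login.example/i?src=http://illiweb.com/logo.png", type: "image" },
];

function evaluateSamples() {
  const filters = THREAD_FILTERS.map(parseFilter);
  return SAMPLE_REQUESTS.map(r => ({ ...r, ...decide(filters, r) }));
}

for (const r of evaluateSamples()) {
  console.log(`${r.action.padEnd(5)} ${r.type.padEnd(10)} ${r.url}  [${r.rule}]`);
}
```
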