Comments on: NoScript

By: Douglas Crockford, No Script, and IT Policy — nateirwin.net

Douglas Crockford, No Script, and IT Policy — nateirwin.net — Tue, 26 Apr 2011 23:48:59 +0000

[...] by the way, it looks like Jon Udell asked himself a similar question when he read Douglas’ [...]

By: nateirwin.net » Blog Archive » Douglas Crockford, No Script, and IT Policy

Sun, 02 Nov 2008 19:01:21 +0000

[...] by the way, it looks like Jon Udell asked himself a similar question when he read Douglas’ [...]

By: Luther von Ruckerson

Luther von Ruckerson — Wed, 21 Nov 2007 13:47:55 +0000

I’m a complete idiot and I’ve been using noscript for years. All I know is that it blocks crap I don’t need to see. When I want to see crap I just switch the thingy. Done and done.

By: Luther von Ruckerson

Luther von Ruckerson — Wed, 21 Nov 2007 13:46:49 +0000

I’m a complete idiot and I’ve been using noscript for years. All I know is that it blocks crap I don’t need to see. When I want to see crap I just switch the thingy. Done and done.

By: Mark

Mark — Fri, 09 Nov 2007 13:35:41 +0000

@Shital: this is nothing like “OMG cookies are malicious”. This is like “there’s a bug in QuickTime that allows remote sites to execute arbitrary applications on MY machine with no warning… unless you’re running NoScript.” (NoScript users were protected even on whitelisted sites.) Details here: http://www.gnucitizen.org/blog/0day-quicktime-pwns-firefox (The bug has since been corrected. Make sure you’re up to date on everything.)

By: Tim Chase

Tim Chase — Thu, 08 Nov 2007 12:15:21 +0000

“Would you say that strategy is equivalent to whitelisting those 30 sites in IE by placing them in the trusted zone?”

Certainly not. For one thing, anything in an IE Trusted Zone has very liberal access to what can be installed on your machine. Especially neferious ActiveX controls.

Additionally, it’s very easy to use NoScript to temporarily permit a site, but the next time you start your browser, it’s banned again. This is good for single-use instances but you don’t want to give carte blanch access for the site. On the other hand, adding a site to the Trusted Zone requires explicit revocation of those permissions, even if you only wanted to hit a one-off page.

Also, to also address the issue of “with so much AJAX out there, how can you survive without JS?”, it’s not all that hard. Good web developers plan for graceful degredation. The bad ones tend to make sites that are dysfunctional without it. Bad sites aren’t usually worth visiting. The small intersection wherein lie “good sites that are break without JS” are the handful that are in my whitelist. These include annoying bits of work-related sites, banking, Gmail, etc. where I’ve evaluated the risk and decided that it’s worth giving this site permission to run arbitrary JS code on my machine.

By: Simon Willison

Simon Willison — Thu, 08 Nov 2007 10:43:13 +0000

engtech / Shital Shah: the most important thing you are protecting yourself against is security bugs in the web applications that you use. A huge number of applications have either XSS or CSRF holes in them (definitions on Wikipedia) and such sites are open to a wide range of malicious attacks. Using NoScript means that even if a site you use has a security hole attackers will find it much harder to use it to exploit your acconut.

By: Shital Shah

Shital Shah — Thu, 08 Nov 2007 07:11:51 +0000

Good. Now developers and support people have to worry about one more variant. Since when JavaScript became malicious? If you could elaborate please… Yeah, page can get annoying and would automatically drive out visitors… but malicious? That’s different. If you are reffering to “malicious” as in “cooikies are malicious” then you are just firing off wrong alarms and adding lot of cost to lot of development shops and support people and waste of time on part of consumers.

By: Jon Udell

Jon Udell — Wed, 07 Nov 2007 23:04:25 +0000

“What’s the sell? What am I protecting myself from?”

Intrusive behaviors ranging from the merely annoying to the downright malicious.

By: Jon Udell

Jon Udell — Wed, 07 Nov 2007 23:01:55 +0000

“I never notice the lack of JavaScript, nor Java, nor Silverlight on websites when using my slimmed-down browser.”

Really? I guess it’s been a while since I tried that experiment. The latter two are low-percentage, but JavaScript? With all the AJAXy stuff going on these days? That’s interesting.

Also interesting: You’re in a position to notice the difference if something JavaScript-based went missing. Most civilians wouldn’t.

By: Jon Udell

Jon Udell — Wed, 07 Nov 2007 22:59:27 +0000

“There’s a notification about blocked scripts, but there’s also an option to turn it off which I did early in the game”

Would you say that strategy is equivalent to whitelisting those 30 sites in IE by placing them in the trusted zone?

By: engtech

engtech — Wed, 07 Nov 2007 21:27:50 +0000

Interesting idea… but I’ve never had a problem with javascript/java enabled web sites, so why bother? (especially from a civilian point of view). What’s the sell? What am I protecting myself from?

By: Scott Reynen

Scott Reynen — Wed, 07 Nov 2007 21:16:39 +0000

However, having just installed it, I find it to be a Java/Silverlight blocker and a Flash allower…Just curious: Why?

I suspect Flash has become too common as a content-delivery mechanism to turn off by default. I run one browser with none of the above, and another with all of it on. I never notice the lack of JavaScript, nor Java, nor Silverlight on websites when using my slimmed-down browser. But I often notice the lack of Flash and have to open things my other browser. No one’s really using Java much anymore, nor Silverlight yet, and JavaScript generally degrades gracefully, being used mostly for interface enhancement rather than content delivery. But if you want to watch a video on many sites (notably YouTube), Flash is the only option.

By: Mark

Mark — Wed, 07 Nov 2007 20:08:58 +0000

I have also used NoScript since its early days, but for me the best recommendation came from reading Planet Web Security. (You *are* reading Planet Web Security, aren’t you? http://planet-websecurity.org/ .) The hackers on PWS are the kind of people who find the bugs that result in new point releases of Firefox (and other browsers). They recommend NoScript, and in fact the NoScript author works with some of them to ensure that you are as protected as possible, even in the face of browser bugs. Running NoScript can sometimes protect you from security holes in the browser itself. It’s much more than just site-specific whitelisting.

By: Tim Chase

Tim Chase — Wed, 07 Nov 2007 19:41:15 +0000

I’ve used NoScript for years…I must be missing the prompts you’re talking about. There’s a notification about blocked scripts, but there’s also an option to turn it off which I did early in the game. I have about 30 sites or so (mostly work-related) that are white-listed, and every other site is prevented from using JavaScript. Most of the time it’s not a problem, and if I need JS temporarily, enabling it is just a click away. Almost all of the common browser vulnerabilities out there require JS which brings my exposure to a much more manageable level.