Firefox Add-on: NoScript


Post by ssj100 on 19/4/2010, 13:58

https://addons.mozilla.org/en-US/firefox/addon/722

Who here uses NoScript for Firefox? I haven't mentioned it in my security setup/approach, but I have been using NoScript for several years. It almost feels wrong to surf the internet without NoScript.

demoneye was just chatting to me about scripted keyloggers ( http://www.sandboxie.com/index.php?DetectingKeyLoggers#script ) that could steal information that you type in etc. I'm realising now that NoScript will most likely block all these out. And we're not talking about just keyloggers either - we're talking about web-sites contaminated by screenloggers, clipboard loggers etc etc. In my opinion, NoScript is very powerful indeed.

Also, it suits my security setup/approach perfectly - as I implied, I use Firefox as my main browser, and it is forced sandboxed with Sandboxie. NoScript alone would protect me from script keyloggers. I then use IE 8 as my browser for sensitive browsing - anything I do is completely removed once I close IE 8, since I have configured Sandboxie to automatically delete when IE 8 closes. This means that any script keyloggers (or any malware for that matter) I may have picked up with IE 8 are completely deleted.

To conclude, against script keyloggers, my Firefox browser is protected by NoScript, while my IE browser is protected by the "security approach" of always deleting the sandbox on exiting.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Firefox Add-on: NoScript

Post by Ruhe on 19/4/2010, 14:33

I'm using NoScript - a must have addon for Firefox.

Re: Firefox Add-on: NoScript

Post by ssj100 on 23/4/2010, 12:10

Indeed. I think Firefox with NoScript makes it the safest browser of them all.

Furthermore, I don't see the need for Chrome's sandboxing technology, given I always use Sandboxie.


Guess who is coming ......

Post by Guest on 18/5/2010, 03:04

SSJ,

Please have a look at this Wilders thread: http://www.wilderssecurity.com/showthread.php?t=272374 This puts claims of Firefox being the safest browser in perspective.

Extract

Until recently Firefox was way behind the competition, they really made up ground recently
- cross site scripting = implemented in 3.6
- prevent installing add-ons in installation directory directly = component lockdown feature in 3.6
- mime enforcing = planned somewhere in 3.6.?
- out of process execution of plug-in/add-ons = planned in 3.6.4 (electrolysis first steps)

Sandboxing (like chrome) not planned in FF V4

Regards Kees


Re: Firefox Add-on: NoScript

Post by ssj100 on 18/5/2010, 09:30

Thanks Kees. I don't think people were generally saying Firefox was the safest browser, but that it was safer than IE 6. With NoScript (something that I have become so used to using and don't feel right browsing without it), as well as numerous other optional security add-ons, Firefox can become a very secure browser.

Regardless, I always sandbox both my browsers (Firefox 3.6 and IE 8) whenever I use them - in fact, Sandboxie forces them to open sandboxed.

Oh and finally, I was a long time Opera user (used Opera versions 6 through 8), then got sick of the incorrect rendering that never seemed to get fixed. Eventually moved to Firefox 3.0 and I've never looked back.


Re: Firefox Add-on: NoScript

Post by Guest on 18/5/2010, 12:30

Well,

To be honest I was surprised on how much ground FF had made up. Anyway when using Sandboxie, SafeSpace, BufferZone, GeSWall, or DefenseWall it really is a non-issue which browser you are using. Even IE6 will be safe with that kind of protection.

Regards


Re: Firefox Add-on: NoScript

Post by bo.elam on 5/6/2010, 08:02

In my case NoScript is the reason why Firefox is the browser that I use for everything except Windows update. I feel like you ssj100, that I don't feel right browsing without it. To me NoScript and Sbxie are a must for all browsing and I feel at ease only if I am using them.
Bo


Re: Firefox Add-on: NoScript

Post by ssj100 on 5/6/2010, 08:48

bo.elam wrote: In my case NoScript is the reason why Firefox is the browser that I use for everything except Windows update. I feel like you ssj100, that I don't feel right browsing without it. To me NoScript and Sbxie are a must for all browsing and I feel at ease only if I am using them.
Bo

Welcome to the world of software security addiction/dependence!


Re: Firefox Add-on: NoScript

Post by Guest on 5/6/2010, 13:25

Well,

IMO you either use strict policy management of the OS and use group policy to harden your setup (e.g. protecting IE8, disabling autorun, etc) or use a policy management software (DefenseWall or GeSWall) or use application sandboxing (SBIE or BufferZone). So no discussion on your SBIE choice.


But let's get real:
Difference between FF + NoScript and Chrome is that you can set it on a per script basis (Chrome allows script blocking per site).

When scripts can not be blocked by Anti Virus companies (webfiltering is code examination with IP and executable blacklisting), most advanced feature is realtime script analysis: how in the world can anyone determine on a SCRIPT basis what is good or wrong?

You would need Sandbuster analysis features on SCRIPTS to determine this by yourself or run every script with AE2 and afterwards allow it.

Considering the usability implication I can't believe anyone being so paranoid. Maybe professional malware fighters will do this selectively (doing their job analysing the code flow of events).

So why use FF + NoScript instead of Chrome (or Chromium without id tracking) out of the box?

Regards Kees


Re: Firefox Add-on: NoScript

Post by ssj100 on 5/6/2010, 13:46

Kees1958 wrote:Well,

IMO you either use strict policy management of the OS and use group policy to harden your setup (e.g. protecting IE8, disabling autorun, etc) or use a policy management software (DefenseWall or GeSWall) or use application sandboxing (SBIE or BufferZone). So no discussion on your SBIE choice.


But let's get real:
Difference between FF + NoScript and Chrome is that you can set it on a per script basis (Chrome allows script blocking per site).

When scripts can not be blocked by Anti Virus companies (webfiltering is code examination with IP and executable blacklisting), most advanced feature is realtime script analysis: how in the world can anyone determine on a SCRIPT basis what is good or wrong?

You would need Sandbuster analysis features on SCRIPTS to determine this by yourself or run every script with AE2 and afterwards allow it.

Considering the usability implication I can't believe anyone being so paranoid. Maybe professional malware fighters will do this selectively (doing their job analysing the code flow of events).

So why use FF + NoScript instead of Chrome (or Chromium without id tracking) out of the box?

Regards Kees

I find NoScript fun also because it reduces the page loading time! Haha. Seriously though, why load extra scripts when all you want to do is read the text on a web-site.

Oh and also Chrome doesn't have a Firefox add-on supplied by my ISP which tells me how much data I've used so far per month (yes, the country I live in either charges you a lot for "unlimited" internet usage, or gives you a data cap per month).

Also, there are many other reasons people like using Firefox including usability and flexibility.

Also:

bellgamin wrote:Google Chrome is not something I will use or ever again install. Here are just a few of many reasons why Chrome is a no-way for me...

1- It gives you NO choice as to which folder you want to install it in.

2- Instead of installing it in C:\Program Files like most every other program, Google puts Chrome, without notification or asking permission, into C:\Documents and Settings.

3- It updates directly to its own folder, instead of allowing you to download the update file so that you can scan it, save it for back-up, etc.

4- When you uninstall Chrome, it leaves behind Google's updater. My firewall notified me that the bugger was trying to call home.

5- There is no way within Chrome's user-interface to set the cache size or location.

6- It silently auto-updates Flash-Player

OTOH, I dearly looove Chrome+. It has NONE of Chrome's bad habits and ALL of Chrome's benefits.


Re: Firefox Add-on: NoScript

Post by Guest on 6/6/2010, 11:39

The reasons for using FF are fair.

I am just reacting to the lack of script blocking, because Chrome has the ability to block on website level.

When you install Chrome from the Google pack, it installs in the Program Files directory, which makes it possible to apply policy management on ALL files.

Chrome installing through website request installs in C:\Documents and Settings, which requires you to allow dll's in your SRP policy. Now that is a BIG reason not to choose for Chrome IMO.


Re: Firefox Add-on: NoScript

Post by p2u on 19/12/2010, 14:21

Although I use NoScript myself (no exceptions configured at all, default whitelist removed) I would be very, very careful looking at NoScript as a security tool. It's just a content filter, nothing more, and it can be used only against bad guys who
1) have never heard about it (very unlikely) and
2) are too lazy to code around it.
I don't even trust it to block plugins - I just REMOVED all plugins from Firefox, which is an idiot-proof measure.

There are some potential risks I'd like to point out:
1) You should keep in mind that, as a rule, behavior blockers, anti-executables, SRP, Parental Controls, etc. don't block extensions (.xpi files). They just don't regard them as executables.
2) Extensions are mainly written by non-professionals.
3) All extensions have the same rights within the browser. Even worse: they have the same rights as the browser itself. I hope the potential consequences are clear. One extension may disable or hamper the others. You've probably heard about the browser crashing because of incompatible extensions.
4) As soon as you whitelist a site in NoScript (even temporarily), you are potentially in trouble. It helps to use full addresses and not the default 2nd domain settings. But on a subdomain there might be one good script and a bad one, which will be both allowed.

That's where Default Deny (default block filter = *) in Adblock Plus comes in: you can even block separate scripts on one and the same subdomain and allow only the elements you really need.
Elements blocked by Adblock Plus:
* script
* image
* background
* stylesheet
* object
* xbl bindings
* ping
* xmlhttprequest
* object-subrequest
* dtd
* subdocument (e.g. frames)
* document (=the page itself)
* miscellaneous types of requests

More info about the potential risks with extensions here: Abusing Firefox Extensions (PDF document; 1.82MB)

Paul


Re: Firefox Add-on: NoScript

Post by ssj100 on 19/12/2010, 15:43

Hi p2u, thanks for yet another informative post.

As I've said before, I mainly use NoScript to block out "junk" content so web-sites can potentially load faster etc. Also, I feel that it could potentially block malicious logging (keylogging, clipboard logging etc) in the form of a malicious script while I browse with my sandboxed "ordinary" browser. I mean, even though I call it "ordinary" browsing, I'm still having to input usernames and passwords for eg. e-mail accounts etc.

For online banking etc, I use a separate browser that is forced sandboxed, and this sandbox always automatically empties when the browser closes.

Of course, in general, the use of Sandboxie makes a mockery of discussions like this - if you use it with a good security approach, NoScript (and everything else for that matter) is essentially useless from a security point of view. With Sandboxie, the user stops caring about what file extensions could run etc - not only will malicious processes struggle to run in a tightly configured sandbox, but deleting the sandbox flushes everything away anyway.

But for argument's sake, let's take Sandboxie out of the picture here (after all, not everyone uses it). I have a few questions regarding NoScript and Adblock Plus (some questions will probably have over-lapping answers, and also you've probably mostly answered them in your previous post, but bear with me please!):

1. What exactly are the differences with these two from a security perspective?
2. Why would you use both (you have implied in your previous post that you use both)?
3. If you had to choose only one, which would be better from a security perspective?
4. What exactly are the differences between Adblock and Adblock Plus (from a security perspective)?

To be honest, I always felt that NoScript was generally more powerful than Adblock (security-wise) - I've never actually played around much with Adblock, but I may do so in the near future (depending on your answers to the above questions).

Thanks!


Re: Firefox Add-on: NoScript

Post by p2u on 19/12/2010, 16:40

ssj100 wrote:1. What exactly are the differences with these two from a security perspective?
My main concern is that filtering content could be unbeatable security, but it should actually be done on driver (=system) level. If you are talking about real security, then they are both equal: they may or may not prevent straightforward damage to the browser. You can also use them to prevent device fingerprinting and tracking. BUT: one browser crash and all your Adblock Plus rules may be gone (I had that happen to me once).

On the content filtering level, you should understand that not all exploits need javascript to work and not all attacks are aimed against plugins. You can do really bad stuff with stylesheets, for example. Adblock Plus is able to block separate stylesheets on one and the same subdomain (which NoScript just can't do) and in general, it just allows for more precise settings (=blocking).

ssj100 wrote:2. Why would you use both (you have implied in your previous post that you use both)?
See above.

ssj100 wrote:3. If you had to choose only one, which would be better from a security perspective?
I would probably choose NoScript. Adblock Plus with the default deny filter * is very powerful, BUT as I said before, I once had a browser crash and all my Adblock Plus rules were gone (the end of my so-called 'security'), while NoScript was still there.

Paul


Re: Firefox Add-on: NoScript

Post by ssj100 on 19/12/2010, 16:58

So there's no way to export Adblock Plus rules?


Re: Firefox Add-on: NoScript

Post by p2u on 19/12/2010, 17:27

ssj100 wrote:So there's no way to export Adblock Plus rules?
There is (Open Adblock Plus. 'Filters' - 'Export custom filters'). You can save the filter list as a text document and import the filters anytime you want. I just wanted to point out how fragile everything is. Good security implies at least some degree of self-protection in the defending application. ;)

Paul


Re: Firefox Add-on: NoScript

Post by ssj100 on 20/12/2010, 01:09

Thanks p2u. It sounds to me that if one could only choose between Adblock Plus and NoScript, one should go for Adblock Plus. This is unless you can reliably reproduce that crashing the browser will always render Adblock Plus useless, while NoScript is preserved. What do you think?

So to clarify, if Adblock Plus crashed exactly as often (or as infrequently) as NoScript, it would be useless having both add-ons installed from a security perspective?


Re: Firefox Add-on: NoScript

Post by p2u on 20/12/2010, 01:24

ssj100 wrote:Thanks p2u. It sounds to me that if one could only choose between Adblock Plus and NoScript, one should go for Adblock Plus.
Adblock Plus with the default deny filter * (allows only text) and configured rules only for needed domains is certainly stronger than NoScript. The trouble with the crash I had is probably the huge number of powercuts we have to face here in some regions around Moscow. :(

Paul


Re: Firefox Add-on: NoScript

Post by ssj100 on 20/12/2010, 05:24

Using the default deny filter * makes for a very limited internet experience!

Also, I like how with NoScript, you are able to very conveniently temporarily allow scripts without having to remember to disable them after (it resets back once you quit your browser).

However, Adblock Plus certainly has significant advantages, and I would probably switch to it (or use it in addition to NoScript) if I didn't have the luxury of Sandboxie. I like to keep things simple and have as few extensions as possible.


Re: Firefox Add-on: NoScript

Post by p2u on 20/12/2010, 10:44

ssj100 wrote:Using the default deny filter * makes for a very limited internet experience!
Depends on what you want. On most sites, setting
Code:
@@|http://example.com/$stylesheet,background,image
for the main domain is enough to see the site as it was probably intended. Even if the site gets hacked, no harm will be done to your computer and certainly no dll and/or binary planting will take place. ;)
There are places where part of the 'interface' spreads through different domains. For example:
For this forum my whitelist rules are:
Code:
@@|http://ssj100.fullsubject.com/$stylesheet
@@|http://illiweb.com/$image
and if I really really want to see users' avatars, then I would need to add
Code:
@@|http://*.imgfast.net/$image
Paul


Re: Firefox Add-on: NoScript

Post by ssj100 on 20/12/2010, 11:25

Wow, that looks impressive, but it's probably a bit too much configuring for me (and probably 99.99% of everyone out there). I'm sticking with NoScript (and Sandboxie) for now.

However, if you ever get time, perhaps you could give us a tutorial on how exactly to manually implement those specific filters (probably best to pretend that you're explaining it to a 90 year old Grandmother who's never seen a PC before haha). For example, I have no idea what "@@" and "$" means...


Re: Firefox Add-on: NoScript

Post by p2u on 20/12/2010, 11:31

ssj100 wrote:However, if you ever get time, perhaps you could give us a tutorial on how exactly to manually implement those specific filters
OK, I will do that really soon. It looks much more complicated than it really is. ;)
"@@|http://" is automatically created when you work through the 'open blockable elements' interface; you don't need to write that. When you've decided where most of the interface elements come from, after the slash of that domain you delete the exact location of the element and you write '$', (which means 'exception') and then you set the type(s) of element(s). 'OK' and you're done.

P.S.: I forgot to point out another huge advantage: the phishing industry is out of business with such an approach. Suppose someone creates a fake site for this forum and sends me a fake e-mail notification in your name. When I act really stupidly and click on the link (something you should NEVER do in your e-mail client and/or messenger), the end result will be a blank page with only text. I'll know for sure that I've been had and won't try to log in, right? Since I also default-deny cookies from anywhere with Cookie Button, its icon will be a red cross, and not a green check-sign. ;)

Paul
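
The whitelist rules from p2u's two posts above, evaluated against the default-deny filter `*`, as an added example that is not part of the thread and not Adblock Plus's own code. It models only the syntax quoted here; the function names, request paths and the look-alike host are constructed for illustration.

```javascript
// Added example: evaluates the Adblock Plus filter subset quoted in this thread.
// "@@" starts an exception (allow) rule, a leading "|" anchors the pattern to
// the start of the address, "*" is a wildcard, and "$" introduces a
// comma-separated list of content types the rule is limited to.
function parseFilter(line) {
  let text = line.trim();
  const exception = text.startsWith("@@");
  if (exception) text = text.slice(2);
  let types = null; // null means the rule applies to every content type
  const dollar = text.lastIndexOf("$");
  if (dollar !== -1) {
    types = new Set(text.slice(dollar + 1).split(",").map((t) => t.trim().toLowerCase()));
    text = text.slice(0, dollar);
  }
  const anchored = text.startsWith("|");
  if (anchored) text = text.slice(1);
  // Escape regex metacharacters, then expand the filter wildcard "*" to ".*".
  const body = text.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return { source: line, exception, types, regex: new RegExp((anchored ? "^" : "") + body) };
}

// A request is allowed if any matching exception rule covers its type;
// otherwise it is blocked if any blocking rule matches.
function decide(filters, url, type) {
  const hits = filters.filter((f) => f.regex.test(url) && (f.types === null || f.types.has(type)));
  if (hits.some((f) => f.exception)) return "allow";
  return hits.length > 0 ? "block" : "allow";
}

// Default deny plus the two forum rules from the thread.
const forumRules = [
  "*",
  "@@|http://ssj100.fullsubject.com/$stylesheet",
  "@@|http://illiweb.com/$image",
].map(parseFilter);
// The optional avatar rule from the thread, added on top.
const withAvatars = forumRules.concat(parseFilter("@@|http://*.imgfast.net/$image"));

// Constructed requests: [url, content type].
const requests = [
  ["http://ssj100.fullsubject.com/theme.css", "stylesheet"],
  ["http://ssj100.fullsubject.com/widget.js", "script"],
  ["http://illiweb.com/logo.png", "image"],
  ["http://i12.imgfast.net/avatar.png", "image"],
  // Look-alike host: the anchored rule ends in "/", so it does not match here.
  ["http://ssj100.fullsubject.com.example.net/theme.css", "stylesheet"],
];

function evaluate(filters) {
  return requests.map(([url, type]) => decide(filters, url, type));
}

console.log(evaluate(forumRules));
console.log(evaluate(withAvatars));
```

The stylesheet exception does not extend to scripts or images from the same host, and the look-alike host stays fully blocked, which is the text-only page described in the P.S. above.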
