Firefox Add-on: NoScript
Page 1 of 2
https://addons.mozilla.org/en-US/firefox/addon/722
Who here uses NoScript for Firefox? I haven't mentioned it in my security setup/approach, but I have been using NoScript for several years. It almost feels wrong to surf the internet without NoScript.
demoneye was just chatting to me about scripted keyloggers ( http://www.sandboxie.com/index.php?DetectingKeyLoggers#script ) that could steal information that you type in etc. I'm realising now that NoScript will most likely block all these out. And we're not talking about just keyloggers either - we're talking about web-sites contaminated by screenloggers, clipboard loggers etc etc. In my opinion, NoScript is very powerful indeed.
Also, it suits my security setup/approach perfectly - as I implied, I use Firefox as my main browser, and it is forced sandboxed with Sandboxie. NoScript alone would protect me from script keyloggers. I then use IE 8 as my browser for sensitive browsing - anything I do is completely removed once I close IE 8, since I have configured Sandboxie to automatically delete when IE 8 closes. This means that any script keyloggers (or any malware for that matter) I may have picked up with IE 8 are completely deleted.
To conclude, against script keyloggers, my Firefox browser is protected by NoScript, while my IE browser is protected by the "security approach" of always deleting the sandbox on exiting.
_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

ssj100- Administrator

- Posts: 1320
Join date: 2010-04-14

Re: Firefox Add-on: NoScript
I'm using NoScript - a must have addon for Firefox.

Ruhe- Valued Member

- Posts: 261
Join date: 2010-04-16
Location: Germany
Re: Firefox Add-on: NoScript
Indeed. I think Firefox with NoScript makes it the safest browser of them all.
Furthermore, I don't see the need for Chrome's sandboxing technology, given I always use Sandboxie.

ssj100- Administrator

- Posts: 1320
Join date: 2010-04-14

Guess who is coming ......
SSJ,
Please have a look at this Wilders thread: http://www.wilderssecurity.com/showthread.php?t=272374
This puts claims of Firefox being the safest browser in perspective.
Extract:
Until recently Firefox was way behind the competition; they really made up ground recently.
- cross site scripting = implemented in 3.6
- prevent installing add-ons in installation directory directly = component lockdown feature in 3.6
- mime enforcing = planned somewhere in 3.6.?
- out of process execution of plug-in/add-ons = planned in 3.6.4 (Electrolysis first steps)
Sandboxing (like Chrome) not planned in FF V4
Regards Kees
Kees1958- Member

- Posts: 37
Join date: 2010-05-01
Re: Firefox Add-on: NoScript
Thanks Kees. I don't think people were generally saying Firefox was the safest browser, but that it was safer than IE 6. With NoScript (something that I have become so used to using and don't feel right browsing without it), as well as numerous other optional security add-ons, Firefox can become a very secure browser.
Regardless, I always sandbox both my browsers (Firefox 3.6 and IE 8) whenever I use them - in fact, Sandboxie forces them to open sandboxed.
Oh and finally, I was a long time Opera user (used Opera versions 6 through 8), then got sick of the incorrect rendering that never seemed to get fixed. Eventually moved to Firefox 3.0 and I've never looked back.

ssj100- Administrator

- Posts: 1320
Join date: 2010-04-14

Re: Firefox Add-on: NoScript
Well,
To be honest I was surprised at how much ground FF had made up. Anyway, when using Sandboxie, SafeSpace, BufferZone, GeSWall, or DefenseWall it really is a non-issue which browser you are using. Even IE6 will be safe with that kind of protection.
Regards
Kees1958- Member

- Posts: 37
Join date: 2010-05-01
Re: Firefox Add-on: NoScript
In my case NoScript is the reason why Firefox is the browser that I use for everything except Windows Update. I feel like you ssj100, that I don't feel right browsing without it. To me NoScript and Sbxie are a must for all browsing and I feel at ease only if I am using them.
Bo
bo.elam- Member

- Posts: 18
Join date: 2010-06-04
Re: Firefox Add-on: NoScript
bo.elam wrote: In my case NoScript is the reason why Firefox is the browser that I use for everything except Windows Update. I feel like you ssj100, that I don't feel right browsing without it. To me NoScript and Sbxie are a must for all browsing and I feel at ease only if I am using them.
Bo
Welcome to the world of software security addiction/dependence!

ssj100- Administrator

- Posts: 1320
Join date: 2010-04-14

Re: Firefox Add-on: NoScript
Well,
IMO you either use strict policy management of the OS and use group policy to harden your setup (e.g. protecting IE8, disabling autorun, etc) or use a policy management software (DefenseWall or GeSWall) or use application sandboxing (SBIE or BufferZone). So no discussion on your SBIE choice.
But let's get real:
Difference between FF + NoScript and Chrome is that you can set it on a per script basis (Chrome allows script blocking per site).
When scripts can not be blocked by Anti Virus companies (webfiltering is code examination with IP and executable blacklisting), most advanced feature is realtime script analysis: how in the world can anyone determine on a SCRIPT basis what is good or wrong?
You would need Sandbuster analysis features on SCRIPTS to determine this by yourself or run every script with AE2 and afterwards allow it.
Considering the usability implication I can't believe anyone being so paranoid. Maybe professional malware fighters will do this selectively (doing their job analysing the code flow of events).
So why use FF + NoScript instead of Chrome (or Chromium without id tracking) out of the box?
Regards Kees
Kees1958- Member

- Posts: 37
Join date: 2010-05-01
Re: Firefox Add-on: NoScript
Kees1958 wrote:Well,
IMO you either use strict policy management of the OS and use group policy to harden your setup (e.g. protecting IE8, disabling autorun, etc) or use a policy management software (DefenseWall or GeSWall) or use application sandboxing (SBIE or BufferZone). So no discussion on your SBIE choice.
But let's get real:
Difference between FF + NoScript and Chrome is that you can set it on a per script basis (Chrome allows script blocking per site).
When scripts can not be blocked by Anti Virus companies (webfiltering is code examination with IP and executable blacklisting), most advanced feature is realtime script analysis: how in the world can anyone determine on a SCRIPT basis what is good or wrong?
You would need Sandbuster analysis features on SCRIPTS to determine this by yourself or run every script with AE2 and afterwards allow it.
Considering the usability implication I can't believe anyone being so paranoid. Maybe professional malware fighters will do this selectively (doing their job analysing the code flow of events).
So why use FF + NoScript instead of Chrome (or Chromium without id tracking) out of the box?
Regards Kees
I find NoScript fun also because it reduces the page loading time! Haha. Seriously though, why load extra scripts when all you want to do is read the text on a web-site.
Oh and also Chrome doesn't have a Firefox add-on supplied by my ISP which tells me how much data I've used so far per month (yes, the country I live in either charges you a lot for "unlimited" internet usage, or gives you a data cap per month).
Also, there are many other reasons people like using Firefox including usability and flexibility.
Also:
bellgamin wrote:Google Chrome is not something I will use or ever again install. Here are just a few of many reasons why Chrome is a no-way for me...
1- It gives you NO choice as to which folder you want to install it in.
2- Instead of installing it in C:\Program Files like most every other program, Google puts Chrome, without notification or asking permission, into C:\Documents and Settings.
3- It updates directly to its own folder, instead of allowing you to download the update file so that you can scan it, save it for back-up, etc.
4- When you uninstall Chrome, it leaves behind Google's updater. My firewall notified me that the bugger was trying to call home.
5- There is no way within Chrome's user-interface to set the cache size or location.
6- It silently auto-updates Flash-Player
OTOH, I dearly looove Chrome+. It has NONE of Chrome's bad habits and ALL of Chrome's benefits.

ssj100- Administrator

- Posts: 1320
Join date: 2010-04-14

Re: Firefox Add-on: NoScript
The reasons for using FF are fair.
I am just reacting to the lack of script blocking, because Chrome has the ability to block on website level.
When you install Chrome from the Google pack, it installs in the Program Files directory, which makes it possible to apply policy management on ALL files.
Chrome installing through website request installs in C:\Documents and Settings, which requires you to allow DLLs in your SRP policy. Now that is a BIG reason not to choose Chrome IMO.
Kees1958- Member

- Posts: 37
Join date: 2010-05-01
Re: Firefox Add-on: NoScript
http://www.raymond.cc/blog/archives/2010/10/16/noscript-protects-and-speeds-up-web-browsing/
Raymond (finally) discovers the power of Firefox NoScript!

ssj100- Administrator

- Posts: 1320
Join date: 2010-04-14

Re: Firefox Add-on: NoScript
Although I use NoScript myself (no exceptions configured at all, default whitelist removed) I would be very, very careful looking at NoScript as a security tool. It's just a content filter, nothing more, and it can be used only against bad guys who
1) have never heard about it (very unlikely) and
2) are too lazy to code around it.
I don't even trust it to block plugins - I just REMOVED all plugins from Firefox, which is an idiot-proof measure.
There are some potential risks I'd like to point out:
1) You should keep in mind that, as a rule, behavior blockers, anti-executables, SRP, Parental Controls, etc. don't block extensions (.xpi files). They just don't regard them as executables.
2) Extensions are mainly written by non-professionals.
3) All extensions have the same rights within the browser. Even worse: they have the same rights as the browser itself. I hope the potential consequences are clear. One extension may disable or hamper the others. You've probably heard about the browser crashing because of incompatible extensions.
4) As soon as you whitelist a site in NoScript (even temporarily), you are potentially in trouble. It helps to use full addresses and not the default 2nd domain settings. But on a subdomain there might be one good script and a bad one, which will be both allowed.
That's where Default Deny (default block filter = *) in Adblock Plus comes in: you can even block separate scripts on one and the same subdomain and allow only the elements you really need.
Elements blocked by Adblock Plus:
* script
* image
* background
* stylesheet
* object
* xbl bindings
* ping
* xmlhttprequest
* object-subrequest
* dtd
* subdocument (e.g. frames)
* document (=the page itself)
* miscellaneous types of requests
More info about the potential risks with extensions here: Abusing Firefox Extensions (PDF document; 1.82MB)
Paul
p2u- Valued Member

- Posts: 211
Join date: 2010-12-15
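
The granularity point in p2u's post above (allowing by second-level domain, by full address, or per script under default deny), as an added example that is not part of the thread and is not NoScript's or Adblock Plus's own matching code. The hosts, paths and policy names are constructed, and the base-domain helper is a simplification.

```javascript
// Added illustration: how allow-list granularity changes what gets to run.
// All hosts, paths and policy names below are constructed for this example.

// Simplified base domain: the last two labels of the host name.
// A real implementation needs the Public Suffix List (e.g. "example.co.uk").
function baseDomain(host) {
  return host.split('.').slice(-2).join('.');
}

const policies = {
  // Allow every script served from anywhere under an allow-listed base domain.
  baseDomain: (url, allow) => allow.has(baseDomain(url.hostname)),
  // Allow every script served from an allow-listed scheme + host.
  fullAddress: (url, allow) => allow.has(url.origin),
  // Default deny: allow only exact script URLs listed as exceptions
  // (query strings are ignored in this sketch).
  perScript: (url, allow) => allow.has(url.origin + url.pathname),
};

// Split the requested script URLs into allowed and blocked under one policy.
function evaluate(policyName, allowList, scriptUrls) {
  const allow = new Set(allowList);
  const decide = policies[policyName];
  const result = { allowed: [], blocked: [] };
  for (const raw of scriptUrls) {
    const url = new URL(raw);
    (decide(url, allow) ? result.allowed : result.blocked).push(raw);
  }
  return result;
}

// Constructed sample: scripts a page on www.shop.example might request.
const requested = [
  'https://www.shop.example/js/checkout.js', // the one script the user needs
  'https://www.shop.example/js/injected.js', // unwanted, same host
  'https://ads.shop.example/track.js',       // unwanted, sibling subdomain
  'https://cdn.other.example/lib.js',        // unrelated third party
];

// The same user intent ("let checkout work") expressed at each granularity.
function compare(scriptUrls) {
  return {
    baseDomain: evaluate('baseDomain', ['shop.example'], scriptUrls),
    fullAddress: evaluate('fullAddress', ['https://www.shop.example'], scriptUrls),
    perScript: evaluate(
      'perScript', ['https://www.shop.example/js/checkout.js'], scriptUrls),
  };
}

for (const [name, r] of Object.entries(compare(requested))) {
  console.log(`${name}: allows ${r.allowed.length} of ${requested.length}`, r.allowed);
}
```

Only the per-script policy separates the two scripts that share a host, which is the case the post describes for a whitelisted subdomain.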
Re: Firefox Add-on: NoScript
Hi p2u, thanks for yet another informative post.
As I've said before, I mainly use NoScript to block out "junk" content so web-sites can potentially load faster etc. Also, I feel that it could potentially block malicious logging (keylogging, clipboard logging etc) in the form of a malicious script while I browse with my sandboxed "ordinary" browser. I mean, even though I call it "ordinary" browsing, I'm still having to input usernames and passwords for eg. e-mail accounts etc.
For online banking etc, I use a separate browser that is forced sandboxed, and this sandbox always automatically empties when the browser closes.
Of course, in general, the use of Sandboxie makes a mockery of discussions like this - if you use it with a good security approach, NoScript (and everything else for that matter) is essentially useless from a security point of view. With Sandboxie, the user stops caring about what file extensions could run etc - not only will malicious processes struggle to run in a tightly configured sandbox, but deleting the sandbox flushes everything away anyway.
But for argument's sake, let's take Sandboxie out of the picture here (after all, not everyone uses it). I have a few questions regarding NoScript and Adblock Plus (some questions will probably have over-lapping answers, and also you've probably mostly answered them in your previous post, but bear with me please!):
1. What exactly are the differences with these two from a security perspective?
2. Why would you use both (you have implied in your previous post that you use both)?
3. If you had to choose only one, which would be better from a security perspective?
4. What exactly are the differences between Adblock and Adblock Plus (from a security perspective)?
To be honest, I always felt that NoScript was generally more powerful than Adblock (security-wise) - I've never actually played around much with Adblock, but I may do so in the near future (depending on your answers to the above questions).
Thanks!

ssj100- Administrator

- Posts: 1320
Join date: 2010-04-14

Re: Firefox Add-on: NoScript
ssj100 wrote:1. What exactly are the differences with these two from a security perspective?
My main concern is that filtering content could be unbeatable security, but it should actually be done on driver (=system) level. If you are talking about real security, then they are both equal: they may or may not prevent straightforward damage to the browser. You can also use them to prevent device fingerprinting and tracking. BUT: one browser crash and all your Adblock Plus rules may be gone (I had that happen to me once).
On the content filtering level, you should understand that not all exploits need javascript to work and not all attacks are aimed against plugins. You can do really bad stuff with stylesheets, for example. Adblock Plus is able to block separate stylesheets on one and the same subdomain (which NoScript just can't do) and in general, it just allows for more precise settings (=blocking).
ssj100 wrote:2. Why would you use both (you have implied in your previous post that you use both)?
See above.
ssj100 wrote:3. If you had to choose only one, which would be better from a security perspective?
I would probably choose NoScript. Adblock Plus with the default deny filter * is very powerful, BUT as I said before, I once had a browser crash and all my Adblock Plus rules were gone (the end of my so-called 'security'), while NoScript was still there.
Paul
p2u- Valued Member

- Posts: 211
Join date: 2010-12-15