Page 2 of 2 FirstFirst 12
Results 11 to 17 of 17

Thread: Noscript is not enough!

  1. #11
    Join Date
    Nov 2005
    Location
    Oz
    Beans
    4,408

    Re: Noscript is not enough!

    In the past I have read on the TOR site, their recommendations for people not to use NoScript. As they considered it too complex, & in their view, most people would be doing themselves more harm than good by using NoScript.

    That was some time ago, perhaps NoScript has developed beyond that complexity & become easier for people to set up correctly? I don't know.

    I just use Privoxy on IPCop & manually accept or reject every cookie I'm offered; all with java/javaScript turned on. I also use Scroogle to search the web, which I believe protects my personally identifiable data from Google's monstrous & ever growing database.

  2. #12
    Join Date
    Dec 2007
    Location
    /us/florida
    Beans
    357

    Re: Noscript is not enough!

    Quote Originally Posted by handy View Post
    In the past I have read on the TOR site, their recommendations for people not to use NoScript. As they considered it too complex, & in their view, most people would be doing themselves more harm than good by using NoScript.

    That was some time ago, perhaps NoScript has developed beyond that complexity & become easier for people to set up correctly? I don't know.

    I just use Privoxy on IPCop & manually accept or reject every cookie I'm offered; all with java/javaScript turned on. I also use Scroogle to search the web, which I believe protects my personally identifiable data from Google's monstrous & ever growing database.
    You use privoxy all the time? How does that affect your browsing speed?

    I use NoScript and manually accept/reject cookies and also use scroogle.

  3. #13
    Join Date
    Nov 2005
    Location
    Oz
    Beans
    4,408

    Re: Noscript is not enough!

    Quote Originally Posted by Pogeymanz View Post
    You use privoxy all the time? How does that affect your browsing speed?

    I use NoScript and manually accept/reject cookies and also use scroogle.
    I had used Privoxy on various desktops in the past, & there was a quite noticeable speed penalty.

    I have been using Privoxy via the Copfilter, IPCop add-on, which brings brilliant Privoxy configuration scripts & (most importantly) because it is running on the headless IPCop firewall/router, it does not slow our internet down. I don't really understand why there is no speed penalty running Privoxy this way, but that is how it is, & yes Privoxy is doing its job, very well.

    If you are interested have a look at the IPCop website? It is really quite quick & easy to set up, (depending on your background knowledge) & an old PII with 256MB RAM & 8GB HDD is all you need. I'm using a PIII Dell Optiplex from the local tip, it cost me $5-.

    Once installed you do other configuration & observation via a browser from a client.

    [Edit:] Here is a link or two that should quickly expand your understanding of IPCop:

    http://ubuntuforums.org/showpost.php...4&postcount=29

    This page has the story & useful links in it:

    http://ubuntuforums.org/showthread.php?t=1005192
    Last edited by handy; September 29th, 2009 at 02:24 AM.

  4. #14
    Join Date
    May 2005
    Location
    US
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Noscript is not enough!

    Do you define enough as making your computer invincible? If so, then obviously nothing is "enough."

    But if enough means protection against 99.9% of browser exploits (present and future), then NoScript is enough... probably more than enough.

    There is no such thing as invincibility or absolute security. There are, however, best practices and good balances between usability and security.

  5. #15
    Join Date
    Dec 2006
    Beans
    217

    Re: Noscript is not enough!

    Quote Originally Posted by aysiu View Post
    But if enough means protection against 99.9% of browser exploits (present and future), then NoScript is enough... probably more than enough.
    Actual My point is it provides very little actual security because its very hard to judge if a website is safe or not. Malicious sites do not give you a warning and non-malicious sites often get exploited! It's much better to allow a safe subset of JS to operate on most sites than 0 or 100% depending on if you trust the domain.

  6. #16
    Join Date
    May 2005
    Location
    US
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Noscript is not enough!

    Quote Originally Posted by Xbehave View Post
    Actual My point is it provides very little actual security because its very hard to judge if a website is safe or not.
    It gives you a choice to decide after you've visited the site. No pop-up is going to surprise me before I even realize it.

    Someone who just whitelists everything is obviously going to get no protection from it. It's a tool, and the tool has to be used properly. But for those of us who do use it properly, it allows you to enable JavaScript functionality only when it is needed.

    There are plenty of sites I "trust" that I visit often... that are also still not whitelisted on NoScript. Why? Because I had no need to whitelist them. JavaScript (or Flash, or whatever else) is unnecessary to those sites' functionalities.

    And many sites contain other websites' embedded stuff (Flash animation ads). So even if ad.doubleclick.net gets compromised, at least you only whitelisted abc.com. If abc.com gets compromised, well, then you're screwed, of course. But that doesn't mean NoScript has no use.

    If you assume that even trusted websites will get compromised, then the only safe thing to do is not visit any websites.

  7. #17
    Join Date
    Dec 2006
    Beans
    217

    Re: Noscript is not enough!

    It is a PITA to go round whitelisting ever site before you use it (even if its just temp) and how on can you tell if a site is trust worthy without manually inspecting every site you go to's code?

    Quote Originally Posted by aysiu View Post
    If you assume that even trusted websites will get compromised, then the only safe thing to do is not visit any websites.
    No my point is that for sites that only use simple JS, e.g ubuntuforums, reddit, etc (i suspect 90% of sites use at most simple JS) you can allow just a subset of JS that is safe, so when they get exploited they can't do any damage or exploit any holes in your browser!

    Think of it like only giving a user rbash because its enough for their work while protecting you from potential holes in bash or the kernel settings to execute only safe untrusted bytecode. The practice of using safe subsets when you can is well established and much more effective in real world use than yes/no choices.

Page 2 of 2 FirstFirst 12

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •