Hi, I got really tired of the manual tuning needed to run noscript / scriptsafe so I uninstalled them but I was wondering is it safe to browse the web without noscript / scriptsafe ?

I use uBlock Origin and Ghostery. I found noscript required too much manual intervention. I'll sometimes have to whitelist sites using Ghostery, especially commercial sites with video players.

Ublock Origin and adblock plus were already installed. Just installed Ghostery.

I also tried noscript but soon removed it as it was just too much trouble.

I do, however, use uBlock-Origin, which in my opinion is much better and needs fewer resources than adblock, and always take great care where I go on the web

Hi, I got really tired of the manual tuning needed to run noscript
Did you try running NoScript with Scripts Globally Allowed or cascading permissions mode (https://forums.informaction.com/viewtopic.php?p=76550#p76550)?

Either mode is safer than not using NoScript at all - https://forums.informaction.com/viewtopic.php?p=84755#p84755

Did you try running NoScript with Scripts Globally Allowed or cascading permissions mode (https://forums.informaction.com/viewtopic.php?p=76550#p76550)?

Either mode is safer than not using NoScript at all - https://forums.informaction.com/viewtopic.php?p=84755#p84755

Lately I have started using Chromium much more than Firefox. Is there an equivalent setting for ScriptSafe ?

Script Safe: https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf?hl=en-US

ScriptBlock: https://chrome.google.com/webstore/detail/scriptblock/hcdjknjpbnhdoabbngpmfekaecnpajba?hl=en

Extension
uMatrix: https://chrome.google.com/webstore/detail/umatrix/ogfcmafjalglgifnmanfmnieipoejdcf
I prefer uMatrix...suits my needs

uBlock Origin: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm

Lately I have started using Chromium much more than Firefox. Is there an equivalent setting for ScriptSafe ?
For Chromium I would recommend using uMatrix, as suggested by 1fallen, instead of using Script Safe.

People make it seem like running "naked" is a sure way to get compromised. It's not.

IMO it's more important to vet the sites you visit. Stay off of questionable sites and think about security. At that point it's no different browsing on Linux or on a mac.

If you want to browse porn or download tons of crap from questionable file sharing sites or talk to the friendly guys trying to give you money from Nigeria, then you probably need something extra. I don't do that stuff.

I do devote a lot of attention to things like tripwire, and I have an outgoing firewall and I occasionally look at the sites in my dns cache. I block some of the more irritating ad sites.

I am surely more at risk than someone running one of these NoScript equivalents, but the point of having Internet access is to be able to use the Internet.

People make it seem like running "naked" is a sure way to get compromised. It's not.

IMO it's more important to vet the sites you visit. Stay off of questionable sites and think about security.
So how do you vet all the sites you visit - before ever visiting them - such that, even if you were to disable all this stuff...

I do devote a lot of attention to things like tripwire, and I have an outgoing firewall and I occasionally look at the sites in my dns cache. I block some of the more irritating ad sites.
... you know for sure you will not be compromised?

So how do you vet all the sites you visit - before ever visiting them - such that, even if you were to disable all this stuff...


You've heard of search engines? Surely there is at least one you trust? Really I have a limited number of places I visit. Most of them are "frequent flier" sites. If there's a new site I want to visit, I'll research it first.



... you know for sure you will not be compromised?

That's the point. You never know, no matter how careful you are. You could choose to never connect to the Internet, but the software on your system may already have malware. The only way you know for sure is to not use anything with a cpu. No computer, no cell phone, no smart watch, no microwave oven, no TV, no modern automobile. nothing.

All people concerned with safe browsing need to decide what level of security they consider to be rational. Hopefully that decision is made through informed research and rational thought. It surely requires that a person decide what they think is important enough for them to look at on the Internet.

Edit: For me, this rational level allows use of Javascript and similar things that people on this forum panic about, with the caveat that I avoid what I consider to be risky or disreputable sites.

You've heard of search engines? Surely there is at least one you trust?
Yep, I've heard of search engines, and there are a few I trust. But I haven't used them to vet websites for "safeness", so I'm not quite sure how that would work reliably.

(When I think vetting sites without visiting them, I tend to think along the lines of third-party services, e.g. what WOT used to be. They're usually decent, but...definitely not as reliable as I like for security.)

How do you use your favorite search engine to vet sites? What do you look for in the results?


That's the point. You never know, no matter how careful you are.
...
All people concerned with safe browsing need to decide what level of security they consider to be rational. Hopefully that decision is made through informed research and rational thought.
Agreed 100%. But when finding that level of security, the sorts of sites you visit matters surprisingly little.

Time and again, friends of mine have used unprotected browsers on the Internet. They aren't visiting dodgy sites - they only visit a few sites they know. Like, official sites of various organisations.

Those friends kept getting malware. Because every so often, their known, regular sites would load something that delivered malware.

So I learned from their mistake and hardened my own browser, even though I wasn't sure how necessary it was for the sites I visit. And I haven't had a malware infection, and I'm sure that's not just luck.

Now, different people will have different experiences. And being stricter about sites you consider risky or disreputable is certainly helpful for security (see TheFu's post here (https://ubuntuforums.org/showthread.php?t=2332044&p=13523897&viewfull=1#post13523897)). But my friends' experiences showed me there's no way to always know in advance when extra security will be needed - so, I thought, it's better to have as much browser security as feasible, even if you think you can trust the sites you're visiting.


In the end, the best browser security, IMO, is when you have applied every hardening measure you feel you can reasonably handle.

For Chromium I would recommend using uMatrix, as suggested by 1fallen, instead of using Script Safe.

I'm interested in why you recommend this extension, it looks like the Switchboard (?) extension that I used to use but don't recollect why I stopped using it, if indeed it is the same extension. I currently use ScriptSafe but don't completely like it.

Time and again, friends of mine have used unprotected browsers on the Internet. They aren't visiting dodgy sites - they only visit a few sites they know. Like, official sites of various organisations.

Yes, one has to remember that the ads on legit-looking sites (say, newspapers or blogs) are not controlled by the site owners but by independent agencies. This gives the black hats a prime vector of attack, because people visiting these sites are less aware of the risk.

I recommend trying the old-school browser Links2. There is no need for script blocking using a plug-in (which can be malware in itself) because the browser does not interpret javascript and other kinds of scripting. Links2 is much less capable than Chromium and Firefox but it's an interesting supplement.

According to the developer (https://github.com/gorhill/uMatrix/wiki/Changes-from-HTTP-Switchboard), uMatrix is the successor to HTTP-Switchboard:
uMatrix and uBlock are both spin-off of HTTP Switchboard ("HTTPSB"). They both improve significantly on HTTPSB. Essentially, HTTPSB is the fancy prototype, proof of concept to test many ideas. uMatrix and uBlock are the final products.

uMatrix inherited the task of matrix-based filtering, while uBlock inherited the task of pattern-based filtering.

Yep, I've heard of search engines, and there are a few I trust. But I haven't used them to vet websites for "safeness", so I'm not quite sure how that would work reliably.

(When I think vetting sites without visiting them, I tend to think along the lines of third-party services, e.g. what WOT used to be. They're usually decent, but...definitely not as reliable as I like for security.)

How do you use your favorite search engine to vet sites? What do you look for in the results?


I start with example.com malware and then trade malware for virus, reputation, whatever I can think of. The 'malware' keyword seems to work more reliably than others. I hate to say it but Google tends to pick this up better than the engines I like.

This is hardly a reliable technique but it does get the scarier sites out of my face.

I found this article that's interesting. http://www.makeuseof.com/tag/websites-likely-infect-malware/ although they focus on the type of site rather than specific site names. Not what I expected.



Agreed 100%. But when finding that level of security, the sorts of sites you visit matters surprisingly little.

Time and again, friends of mine have used unprotected browsers on the Internet. They aren't visiting dodgy sites - they only visit a few sites they know. Like, official sites of various organisations.

Those friends kept getting malware. Because every so often, their known, regular sites would load something that delivered malware.

So I learned from their mistake and hardened my own browser, even though I wasn't sure how necessary it was for the sites I visit. And I haven't had a malware infection, and I'm sure that's not just luck.

Now, different people will have different experiences. And being stricter about sites you consider risky or disreputable is certainly helpful for security (see TheFu's post here (https://ubuntuforums.org/showthread.php?t=2332044&p=13523897&viewfull=1#post13523897)). But my friends' experiences showed me there's no way to always know in advance when extra security will be needed - so, I thought, it's better to have as much browser security as feasible, even if you think you can trust the sites you're visiting.


In the end, the best browser security, IMO, is when you have applied every hardening measure you feel you can reasonably handle.

Not sure where you're getting your information about it not mattering what sort of website you visit, there's a ton of evidence to the contrary. And sometimes your senses can tell you in the same way you can detect a snake oil salesman. If you're going to click on a link in Facebook for example, you can instead copy the link location, paste it into some text editor and look at the domain name. If it says "abcnews.co" or similar, posing as a mainstream news site but with a different country code domain, then you can be pretty sure they're either trying to infect your computer with malware or trying to infect your brain with misinformation.

My wife is one of those people you're talking about who get lots of viruses. When we met she would get a virus on her Windows laptop almost every time she used it. I would boot off an anti-malware cd and let that go for a few hours, then give her a supposedly clean box back. 3 days later it's too slow to use again, in spite of antivirus software running all the time. She would run games on facebook. As I used facebook on my Linux box concurrently with her experiences I can only suggest that her using these games or clicking on ads (another thing I never do) is how she got exposed so badly.

My job is developing custom web applications for accounting. I don't block scripts because my applications use scripts to do what they have to do. There is a certain level of functionality you can reach without browser-side scripts, but you can't rapid-key data in a manner akin to what's used in Excel without some sort of browser-side code. I literally can't turn off scripts, can't run noscript, or I can't do my job.

I have done things from time to time to harden my browser without affecting my ability to run scripts, such as ad blockers. I have and still do run a private dns server so I can block the really obnoxious ad sites. I do not use parental filters because there's no real need to, but it would be nice to be able to hook into that mechanism if I had a server for the information on my network.

Frankly though, with as little as I do in terms of blocking things on web pages, I rarely get a problem. I monitor inbound and outbound traffic on my network, and see nothing suspicious, and I haven't had in-your-face malware problems (slowness, dos attack, that sort of thing) and if there's anything in the background it's not sending emails or using websites I don't use myself.

I'm interested in why you recommend this extension, it looks like the Switchboard (?) extension that I used to use but don't recollect why I stopped using it, if indeed it is the same extension. I currently use ScriptSafe but don't completely like it.
I've had good success running uMatrix in SeaMonkey and Chromium. It's reliable and the interface isn't that hard to understand. And it's quite flexible - you can choose how strict you want it to be. You can even fine-tune permissions for different sites. If you've used its predecessor, you probably already know all this.

In contrast, Script Safe is not intuitive at all, nor can I even understand all the options. (I am a fairly serious NoScript user.)
Fortunately the documentation is pretty good. But I wouldn't have figured it out without that documentation.
Even with the documentation, I don't see a way to fine-tune permissions like in uMatrix.

The extra options that Script Safe offers over uMatrix look more privacy-oriented than security-oriented. Some of them, like the WebRTC blocking and "Antisocial", are included in uBlock Origin, which we all recommend anyway, and/or its companion extension uBlock Origin Extra.

So if security is the main issue, I would recommend going for better flexibility and more ease of use.


I start with example.com malware and then trade malware for virus, reputation, whatever I can think of. The 'malware' keyword seems to work more reliably than others. I hate to say it but Google tends to pick this up better than the engines I like.

This is hardly a reliable technique but it does get the scarier sites out of my face.

I found this article that's interesting. http://www.makeuseof.com/tag/websites-likely-infect-malware/ although they focus on the type of site rather than specific site names. Not what I expected.
Thanks for the info! :KS


Not sure where you're getting your information about it not mattering what sort of website you visit,
Mostly experience. I've seen malware infections loaded from just about every type of site I've seen. Not the most scientific way to go about it, I know.

Then again, I don't know how much of that was malvertising. Judging by the article you linked, I would guess probably most of it is, but likely not all.

All I've ever used is Adblock Plus and now ublock origin (advanced mode). I'm unaware of being affected by malware. My bank account and my portfolio hasn't seen any unusual activity and that is all I'm bothered about ;)

All I've ever used is Adblock Plus and now ublock origin (advanced mode). I'm unaware of being affected by malware. My bank account and my portfolio hasn't seen any unusual activity and that is all I'm bothered about ;)

Similar situation. I am using ublock, adblock plus and ghostery.

Marking this thread as solved.

All I've ever used is Adblock Plus and now ublock origin
Same here.
I'm currently using uBlock Origin and it is an impressive piece, you'll need nothing else in terms of security/ad-blocking.
Keep in mind that it has a learning curve, but the Wiki is exhaustive (https://github.com/gorhill/uBlock/wiki).

I can't praise this program highly enough.

All I've ever used is Adblock Plus and now ublock origin (advanced mode). I'm unaware of being affected by malware. My bank account and my portfolio hasn't seen any unusual activity and that is all I'm bothered about ;)

+1 here. I recently got a full credit report, it shows nothing suspicious.

...
I prefer uMatrix...suits my needs
...
I tried that yesterday but I found it quite difficult to understand. I guess people who have used HTTP Switchboard will find it easier. But I hadn't used that either. So it's ublock origin for me with global blocking and exceptions as needed. All the supplied filters are in use as well.

Plus ublock origin has an element blocker/hider built-in which is quite convenient.

The first image is of my settings for this forum and the second is of the default. As an aside, the default setting blocks auto-play HTML5 videos which is useful if you want just the written word without having to install a third-party extension (https://chrome.google.com/webstore/detail/disable-html5-autoplay/efdhoaajjjgckpbkoglidkeendpkolai). Flash is set on "Ask first".

@vasa1

Those default settings would be overkill for me :)
Medium blocking mode (https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode) and default filters is a balanced compromise.

By the way, there's something called uBO-Extra. I came across it in this Wilders Security post (https://www.wilderssecurity.com/threads/ublock-a-lean-and-fast-blocker.365273/page-106#post-2667290). It linked to the developer's page: https://github.com/gorhill/uBO-Extra

A companion extension to uBlock Origin: to gain ability to foil early anti-user mechanisms working around content blockers or even a browser privacy settings.

The extension is useful only for Chromium-based browsers. There is no need for such an extension so far on Firefox, and thus there is no version for Firefox.

I am getting this ublock related error. Dont know what is means.

274536

The text is too small to read :(

Okay, looks like a conflict with Ghostery.

The text is too small to read :(

Okay, looks like a conflict with Ghostery.

274537

Not so much an error as a warning informing that another extension dealt with something that Ublock Origin wanted to deal with :)

I think which extension displays the warning depends on the order in which you install them, so had you installed them the other way round it would have been Ghostery that would be complaining about Ublock Origin. This is one of the reasons I limit my blocking extensions pretty much to one that I deem to be best in class.

I think you can prevent that error if you want, and keep both extensions. In uBlock Origin options > Settings, check "I am an advanced user". There will appear a gears icon to the right of that checkbox. Click that.

Then in the page that comes up, try setting ignoreRedirectFilters to true

Does it work?


Keep in mind this change will probably affect uBlock Origin's ability to unbreak sites that would be broken by the blocking.

@linuxyogi, both Adblock and ublock origin have more recent versions than what is seen in your image.

Not so much an error as a warning informing that another extension dealt with something that Ublock Origin wanted to deal with :) This is one of the reasons I limit my blocking extensions pretty much to one that I deem to be best in class.

I am uninstalling ghostery.


@linuxyogi, both Adblock and ublock origin have more recent versions than what is seen in your image.

I installed them by going to Settings>Extensions>Get more extensions. How do I update them to the latest version ?

...
I installed them by going to Settings>Extensions>Get more extensions. How do I update them to the latest version ?
Good question!

There doesn't seem to be an option that I could see. Have you, by any chance, locked your profile folder or changed permissions?

As far as ublock origin goes, it was updated to the current version just on the 13th of this month.

Edit
I googled "how to update google chrome extensions" and got this:
To manually update your add-ons, just head to chrome://extensions in your address bar and click the Developer Mode button on the right side of the header. From there, you should see the "Update Extensions Now" button pop right up.May 25, 2011Even though it's from 2011, it still is applicable. Just checked!

To manually update your add-ons, just head to chrome://extensions in your address bar and click the Developer Mode button on the right side of the header. From there, you should see the "Update Extensions Now" button pop right up.May 25, 2011

When I did ^^ that only adblock got updated.

274548

When I did ^^ that only adblock got updated.
...
Disable all extensions except ublock origin and try again. It could be that one of your extensions is blocking the update process.

Which is why I don't like the more, the merrier as far as extensions go.

Edit: it may just be that I'm seeing a newer ublock origin because I'm on Chrome 59. I doubt that's the reason but thought I'd mention it.

Disable all extensions except ublock origin and try again. It could be that one of your extensions is blocking the update process.

Tried that same thing Ublock wont update.





Which is why I don't like the more, the merrier as far as extensions go.

Since I am using Ublock do you think its okay to uninstall Adblock Plus ?




Edit: it may just be that I'm seeing a newer ublock origin because I'm on Chrome 59. I doubt that's the reason but thought I'd mention it.

I am using Version 57.0.2987.98 Built on Ubuntu , running on Ubuntu 17.04 (64-bit). How/from where did you install ver. 59 ? I want to upgrade too.

Tried that same thing Ublock wont update.
...
Since I am using Ublock do you think its okay to uninstall Adblock Plus ?
...
I am using Version 57.0.2987.98 Built on Ubuntu , running on Ubuntu 17.04 (64-bit). How/from where did you install ver. 59 ? I want to upgrade too.
I use only ublock origin. Nothing else.

I normally use google-chrome-stable but there are a couple of fixes available in the dev version that are important to me. I'm also participating in the relevant bug threads. I wouldn't suggest changing to the dev version unless one is willing to accept some "breakage":
From http://www.chromium.org/getting-involved/dev-channel:
Dev channel: Want to see what's happening quickly, then you want the Dev channel. The Dev channel gets updated once or twice weekly, and it shows what we're working on right now. There's no lag between major versions, whatever code we've got, you will get. While this build does get tested, it is still subject to bugs, as we want people to see what's new as soon as possible.
I'll probably revert to stable once the fixes reach the stable version.

I'll probably revert to stable once the fixes reach the stable version.

No need to revert.
You can install and run all three branches as separate entities.
As long as you have the chrome repos you can install stable beta or unstable.
Each uses it's own profile located at ~/.config.

No need to revert.
You can install and run all three branches as separate entities.
As long as you have the chrome repos you can install stable beta or unstable.
Each uses it's own profile located at ~/.config.Actually, I have google-chrome-stable as well. While it's true that the dev version creates it's own folder, ~/.config/google-chrome-unstable, there's also ~/.config/google-chrome. I took the precaution of renaming the original ~/.config/google-chrome to something else so that my google-chrome-stable profiles are unaffected.

The new ~/.config/google-chrome has just the one profile, Default. My original has a Default as well as another two profiles (which I have for specific purposes).

Since I am using Ublock do you think its okay to uninstall Adblock Plus ?
uBlock is sufficient on its own, It'll do all others do and more, make sure you read the Wiki (https://github.com/gorhill/uBlock/wiki), the program has a learning curve but it's worth it.
Medium Blocking Mode (https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode) is probably where most users want to be; pay particular attention to how Dynamic Filtering (https://github.com/gorhill/uBlock/wiki/Dynamic-filtering) works.

Late to this party, but I'm curious why more people don't use mörgæs's method—Links2? If you are visiting an unknown or suspect site for the first time, why would you visit with a script-capable browser at all? Using Links2, there's no need to install any third-party script blocker, since the browser is not capable of running scripts. Practically speaking, I've found this far more convenient than dickering around with whitelists and fine-tuning script-blocking settings (though I use those add-ons for FF/Chromium anyway). If the site checks out, you can visit it next time with a more mainline browser.

I go one step further by doing all general browsing in a VM that is completely sandboxed from my host, my LAN and my servers. Host FF & Chromium are strictly reserved for very limited number of sites that I know to be okay, like banking and government. Nothing else. And this, only because I need LAN access for some sites.

I realize that many would roll their eyes at my level of paranoia and the extent I take things for peace of mind, but FWIW, I've never understood the practice of—on the one hand—installing tons of add-ons, blockers, etc on your browser, while—on the other hand—allowing that browser to run on your host with full access to your most sensitive stuff. Seems to me like trying to push and pull at the same time.

I second uBlockOrigin. I heard about it in a forum and deleted AdBlockPlus. It's such a much better program...and it doesn't allow companies to track you by default! My two cents on the issue of browsing is to make sure you have at the very least uBlockOrigin and NoScript. The second program will greatly help to stop the spread of malvertising that's hit even mainstream websites. Read this Wikipedia article to learn more: https://en.wikipedia.org/wiki/Malvertising
So it's not just a matter of going to legitimate websites, because even their ad networks have been compromised. I know it can be pain to get some websites to work correctly, but I'd rather deal with that than get some kind of malware on my computer just because I felt like reading the news. NoScript is great for that because you can selectively block the potentially dangerous ads and allow the active content you want to enable to watch a video or whatever you want to do. But as some have said, it all just depends on what level of inconvenience you're willing to live with to ensure your safety. Personally, I run the aforementioned add-ons, plus Ghostery, HTTPS Everywhere, and Blur, another ad tracking blocker (it used to be called DoNotTrack).