Noscript is not enough!

[handy]

In the past I have read on the TOR site, their recommendations for people not to use NoScript. As they considered it too complex, & in their view, most people would be doing themselves more harm than good by using NoScript.

That was some time ago, perhaps NoScript has developed beyond that complexity & become easier for people to set up correctly? I don't know.

I just use Privoxy on IPCop & manually accept or reject every cookie I'm offered; all with java/javaScript turned on. I also use Scroogle to search the web, which I believe protects my personally identifiable data from Google's monstrous & ever growing database.

[Pogeymanz]

In the past I have read on the TOR site, their recommendations for people not to use NoScript. As they considered it too complex, & in their view, most people would be doing themselves more harm than good by using NoScript.

That was some time ago, perhaps NoScript has developed beyond that complexity & become easier for people to set up correctly? I don't know.

I just use Privoxy on IPCop & manually accept or reject every cookie I'm offered; all with java/javaScript turned on. I also use Scroogle to search the web, which I believe protects my personally identifiable data from Google's monstrous & ever growing database.

You use privoxy all the time? How does that affect your browsing speed?

I use NoScript and manually accept/reject cookies and also use scroogle.

[handy]

You use privoxy all the time? How does that affect your browsing speed?

I use NoScript and manually accept/reject cookies and also use scroogle.

I had used Privoxy on various desktops in the past, & there was a quite noticeable speed penalty.

I have been using Privoxy via the Copfilter, IPCop add-on, which brings brilliant Privoxy configuration scripts & (most importantly) because it is running on the headless IPCop firewall/router, it does not slow our internet down. I don't really understand why there is no speed penalty running Privoxy this way, but that is how it is, & yes Privoxy is doing its job, very well.

If you are interested have a look at the IPCop website? It is really quite quick & easy to set up, (depending on your background knowledge) & an old PII with 256MB RAM & 8GB HDD is all you need. I'm using a PIII Dell Optiplex from the local tip, it cost me $5-.

Once installed you do other configuration & observation via a browser from a client.

[Edit:] Here is a link or two that should quickly expand your understanding of IPCop:

http://ubuntuforums.org/showpost.php...4&postcount=29

This page has the story & useful links in it:

http://ubuntuforums.org/showthread.php?t=1005192

[aysiu]

Do you define enough as making your computer invincible? If so, then obviously nothing is "enough."

But if enough means protection against 99.9% of browser exploits (present and future), then NoScript is enough... probably more than enough.

There is no such thing as invincibility or absolute security. There are, however, best practices and good balances between usability and security.

[Xbehave]

But if enough means protection against 99.9% of browser exploits (present and future), then NoScript is enough... probably more than enough.

Actual My point is it provides very little actual security because its very hard to judge if a website is safe or not. Malicious sites do not give you a warning and non-malicious sites often get exploited! It's much better to allow a safe subset of JS to operate on most sites than 0 or 100% depending on if you trust the domain.

[aysiu]

Actual My point is it provides very little actual security because its very hard to judge if a website is safe or not.

It gives you a choice to decide after you've visited the site. No pop-up is going to surprise me before I even realize it.

Someone who just whitelists everything is obviously going to get no protection from it. It's a tool, and the tool has to be used properly. But for those of us who do use it properly, it allows you to enable JavaScript functionality only when it is needed.

There are plenty of sites I "trust" that I visit often... that are also still not whitelisted on NoScript. Why? Because I had no need to whitelist them. JavaScript (or Flash, or whatever else) is unnecessary to those sites' functionalities.

And many sites contain other websites' embedded stuff (Flash animation ads). So even if ad.doubleclick.net gets compromised, at least you only whitelisted abc.com. If abc.com gets compromised, well, then you're screwed, of course. But that doesn't mean NoScript has no use.

If you assume that even trusted websites will get compromised, then the only safe thing to do is not visit any websites.

[Xbehave]

It is a PITA to go round whitelisting ever site before you use it (even if its just temp) and how on can you tell if a site is trust worthy without manually inspecting every site you go to's code?

If you assume that even trusted websites will get compromised, then the only safe thing to do is not visit any websites.

No my point is that for sites that only use simple JS, e.g ubuntuforums, reddit, etc (i suspect 90% of sites use at most simple JS) you can allow just a subset of JS that is safe, so when they get exploited they can't do any damage or exploit any holes in your browser!

Think of it like only giving a user rbash because its enough for their work while protecting you from potential holes in bash or the kernel settings to execute only safe untrusted bytecode. The practice of using safe subsets when you can is well established and much more effective in real world use than yes/no choices.