13 replies to this topic

[sinnead]

Someone just recommended a product called NoScript to me, since I do all my banking, etc. online. I was wondering if anyone here uses it, and what you think of it. I understand it can be a bit of a pain until you've used it for a while, and all your usual sites are recognized. Here it is: http://noscript.net/

[Abydos]

Hi Sinnead

I use Noscript in my browser, and wouldn't be without it. Besides functioning as a potent popup blocker / Ad blocker (since they
are usually scripted) it also provides a good layer of protection versus driveby attacks.

Yes it can be a pain to learn how to use, but once one gets the hang of it, its a bless. Webpages usually also loads faster, since no load time is spend on ad's and commercials etc.

alittle reading: http://en.wikipedia.org/wiki/Noscript and the official forum: http://forums.inform...ewforum.php?f=3


Regards

[sinnead]

I'm just reading up on it! Thanks for the forum links especially. I just hope I can figure it out when I download it

[Abydos]

Hi Sinnead Otherwise, if your in doubt about anything, you just ask, and I'll try to answer to the best of my knowledge. regards

[John B..]

Abydos, don't you think NoScript is a little too protective? I have tried using it a couple of times but if an add-on blocks things at every webpage, which means I must allow things on every webpage, would that not make me do it even when bad things are listed? I mean that you must allow things so much that maybe I would even allow something when it would be bad just because I always have to. Is it just me or is it something that has to be configured in another way?

[Ztruker]

You're not alone John. I tried it and dumped as being way to intrusive.

[sinnead]

So far, I've not had too much trouble with it. It is intrusive, but since I don't allow everything on every page, I'm actually hoping it will give me another level of protection.

[Abydos]

Abydos, don't you think NoScript is a little too protective?

Hmmm, yes and no. I'll explain that cryptic answer of course.

When you enter a webpage, you can opt to only allow only the parent site. Anything else will be barred.
Say, you enter What The Tech with noscript on. I only allow the parent What The Tech site, which means
any other sites links / listings etc. are blocked. I don't see the Google ad's, nor am I registered by Google
analytics. What The tech still functions normally for me despite that. I don't have to allow anything else than
the parent site(!)

But the main important feature in Noscript that many overlook, is that even if you allow scripting globally
(A setting that allows all normal scripting for any pages) it will still block XSS automatically!!

http://noscript.net/features#xss

So there is a good protection in Noscript, even if you allow global scripting.

On the other hand, yes, the initial allowance period where you are whitelisting your favorite pages, can be
tedious, and many abandon it for this reason. I am so used to it now, that I hardly take notice of the two
seconds I have to spend to allow the parent site, and maybe one more if they are featuring a video of sorts
from another site. In reality, it is two clicks with the mouse to allow a page. If it is a site you trust fully, like WTT,
you'll never see the popup again, unless one remove it from the whitelist.


Regards

Edited by Abydos, 04 April 2009 - 08:26 PM.

[John B..]

Hi,

even if you allow scripting globally

Do you mean Java Script or not? Where can I find this option?

If I allow a website, does it also allow the other things it found (like google-analytics.com)?

I am really willing to give this add-on a fair chance but I still think that people, especially not advanced users, will be scared away by the amount of things it blocks when they first enable it.

Regards,
John.

[Abydos]

Do you mean Java Script or not? Where can I find this option?

Yes. The option will appear among the options you choose from regarding allowance. Its the little S thingy in the
bottom right of the browser. Clicking on it once, will give you a menu. That setting nullifies all script blocking, but
still protects vs. XSS.

If I allow a website, does it also allow the other things it found (like google-analytics.com)?

No. Have a look on this little screenshot taken from Geeks To Go!(My browser is in Danish, but its fairly easy to see what is going on)



Any entries with a blue "S" or "S" with clock, is allow (whitelisting them) or temporarily allow. Temporarily allowance is nullified once you close your browser, these entries are not yet allowed.

Entries with "S" and red bar, is pages I have allowed in whitelisting, by given them allowance always, therefore I only get the option to untrust them. Any status, can be nullified under NoScripts settings.

The top section is where, one have the option to:
1. Allow Scripting Globally (Which enables all Java scripting for all pages, like Noscript isn't there) XSS protection still in function.
2. Allow the whole page. Which will also allow any other pages linking through that site, like Google.Ads.
3. Temporarily allow the whole page. As above, but permission is re-invoked upon closure of the browser.

Hopes this explains it a little further

I am really willing to give this add-on a fair chance but I still think that people, especially not advanced users, will be scared away by the amount of things it blocks when they first enable it.

Agreed. The maker behind NoScript is aware of this, but also says, that if it were to be simplified, it would strip NoScript of its power.
So its a choice between two evils.

Regards

Edited by Abydos, 05 April 2009 - 04:59 AM.

[John B..]

Thanks Abydos! Have been using NoScript today and it seems like one thing that I always forgot to do is after restricting something that you also must go to untrusted and mark it there. Then the bar will disappear.

[Abydos]

Np John

One thing tho, there is no need to mark pages as untrusted. By default any page you haven't
whitelisted, will be untrusted until you change the status. If I get the meaning right about this:

I always forgot to do is after restricting something that you also must go to untrusted and mark it there. Then the bar will disappear

If you with bar, you mean the little popup bar at the bottom, that one can be eliminated in settings if you
don't want it. I have disabled it entirely, only using click on the "S". Under messages I have unchecked /
unticked "Show message about blocked Scripts", this will disable that, for me, little annoying popup


Cheers

[John B..]

This is what I mean:

As you can see I have already forbidden buysellads but when I go to 'onbetrouwbaar' (untrusted) I have to mark 'buysellads als onbetrouwbaar markeren' (mark buysellads as untrusted) to make the bar go away.

[Abydos]

Ahhh, now I get what you mean. If you untrust a page, its basically blacklisting the page. The next time you encounter, say Google Ad's, it will still be untrusted. I usually don't blacklist pages, I just don't allow them But thats also because I have the little popup notification disabled, as mentioned in my last post. Cheers