Avast WEBforum
Other => Non-Avast security products => Topic started by: polonus on November 14, 2017, 05:23:02 PM
-
Sad day for NoScript and Giorgio Maone, firefox now steered away from this beautiful script blocking tool.
Read: https://addons.mozilla.org/nl/firefox/addon/noscript/
The all new Firefox Quantum version does not allow a NoScript installation.
AFAIK there is no alternative that works on the new Firefox engine.
Will you go on using ScriptSafe or uMatrix in the new Firefox browser or leave that browser without NoScript?
Firefox fearing the advertising world there, going to be more and more of a Google Chrome clone now,
using the same extension engine and api engine.
Are you continuing to use the Firefox Quantum or will this be the demise of the browser?
polonus
-
Well I saw this coming before I even heard the term Firefox Quantum.
Firefox has written a long suicide note, a couple of months ago, that they will no longer support Legacy Add-ons. At this point in time I see no move by existing developers to upgrade their Legacy add-ons. Some/many people may look in another direction for their browser.
Virtually all of my add-ons bar one, are Legacy add-ons. My only saving grace is that I have the ESR version of FF on this XP system and that will support them for longer.
-
Hi DavidR,
You will be good on firefox palemoon, all your legacy add-ons continued there.
Palemoon, a browser with somewhat more privacy in mind.
polonus
I had a problem with Malware Script Detector v.1.1 add-on, no longer running on firefox.
I run it now as a separate user script running under Tampermonkey, well under Google chrome.
So you can have an extension running, you only have to run and dance through several more hoops.
Life is not always easy, it is not!
D
-
There will be a big upgrade to NoScript 10 from NoScript 5 for firefox Quantum,
only NoScript will lose certain functions because Webextensions in Firefox won't support these yet.
Interesting to learn what NoScript lost on the firefox with webextensions?
polonus
-
A little better news than there would be no NoScript in Firefox Quantum.
I will be very interested to see what other Add-ons make it to Firefox Quantum as the greatest majority of add-ons are Legacy. I believe the reason why many people are using firefox are the add-ons, lose those and firefox will have lost a lot of users.
The same thing happened when they transitioned to signed add-ons only they kept having to push the date back as there were woefully few signed add-ons as the deadline got closer.
-
Hi guys, see: https://hackademix.net/2017/11/14/double-noscript/
-
A little more good news :)
-
NoScript 10.1.1 Quantum Powerball Finish... and Rebooting
https://hackademix.net/2017/11/21/noscript-1011-quantum-powerball-finish-and-rebooting/
-
Thanks - Just added it now to find my way around it.
-
You're welcome Dave, good luck. (I'll stay on ESR with V5 as long as possible...)
-
Hi Asyn,
Re: https://noscript.net/getit
Why Maone, when he ported it to a webextension version, did not make it available to Google Chrome the same time?
That would have ended the discussion and also would have meant the end of firefox, that I still expect to happen soon.
Firefox will go the way of the flock browser. The new NoScript only extends its death struggle. (In Holland only 6% of the overall userbase on fx now :o ).
polonus
-
When it said Legacy Add-ons would no longer be supported after 56.0, along comes FF 57 Quantum and over 80% of my add-ons no longer work. That Mozilla decision was a long suicide note, akin to when unsigned add-ons wouldn't work (some time ago). That however, was small beer compared to the effort to completely rewrite their Add-on.
I can't see the add-on developers being prepared to put in the required work (for nothing).
Add to that I'm less than impressed with 57.0 Quantum on my win10 system, I don't like the layout and it is nowhere close to being as configurable as previous FF versions. It's meant to be quicker, I can't tell if it is or not, it simply isn't noticeable.
I haven't even checked its resource use as I have 8GB of fast RAM and a relatively quick CPU on an SSD drive.
-
Hi DavidR,
Also read here: https://palant.de/2017/11/11/on-web-extensions-shortcomings-and-their-impact-on-add-on-security
And with Quantum this is the list of issues you have to fix in the settings to make it a tad more secure:
Below you find a list of settings, to get the best privacy settings as possible.
N.B. we have to go under the browser hood, and that means you change these settings at your own risk.
In the address bar give in: about:config and then directly push the Return button.
Read the warning first and then proceed.
This list is a first starter and telemetry does not come included, but one feels more comfy this way.
Privacy Settings Firefox.
1. privacy.firstparty.isolate = true
* A result of the Tor Uplift effort, this preference isolates all browser identifier sources (e.g. cookies) to the first party domain, with the goal of preventing tracking across different domains.
2. privacy.resistFingerprinting = true (personally I would not use this, it resolves to a smaller version of FF)
* A result of the Tor Uplift effort, this preference makes Firefox more resistant to browser fingerprinting.
3. privacy.trackingprotection.enabled = true
* This is Mozilla’s new built in tracking protection. It uses Disconnect.me filter list, which is redundant if you are already using uBlock Origin 3rd party filters, therefore you should set it to false if you are using the add-on functionalities.
4. browser.cache.offline.enable = false
* Disables offline cache.
5. browser.safebrowsing.malware.enabled = false
* Disable Google Safe Browsing malware checks. Security risk, but privacy improvement.
6. browser.safebrowsing.phishing.enabled = false
* Disable Google Safe Browsing and phishing protection. Security risk, but privacy improvement.
7. browser.send_pings = false
* The attribute would be useful for letting websites track visitors’ clicks.
8. browser.sessionstore.max_tabs_undo = 0
* Even with Firefox set to not remember history, your closed tabs are stored temporarily at Menu -> History -> Recently Closed Tabs.
9. browser.urlbar.speculativeConnect.enabled = false
* Disable preloading of autocomplete URLs. Firefox preloads URLs that autocomplete when a user types into the address bar, which is a concern if URLs are suggested that the user does not want to connect to.
10. dom.battery.enabled = false
* Website owners can track the battery status of your device.
11. dom.event.clipboardevents.enabled = false
* Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.
12. geo.enabled = false
* Disables geolocation.
13. media.navigator.enabled = false
* Websites can track the microphone and camera status of your device.
14. network.cookie.cookieBehavior = 1
* Disable cookies
* 0 = Accept all cookies by default
* 1 = Only accept from the originating site (block third party cookies)
* 2 = Block all cookies by default
15. network.cookie.lifetimePolicy = 2
* cookies are deleted at the end of the session
* 0 = Accept cookies normally
* 1 = Prompt for each cookie
* 2 = Accept for current session only
* 3 = Accept for N days
16. network.http.referer.trimmingPolicy = 2
* Send only the scheme, host, and port in the Referer header
* 0 = Send the full URL in the Referer header
* 1 = Send the URL without its query string in the Referer header
* 2 = Send only the scheme, host, and port in the Referer header
17. network.http.referer.XOriginPolicy = 2
* Only send Referer header when the full hostnames match. (Note: if you notice significant breakage, you might try 1 combined with an XOriginTrimmingPolicy tweak below.)
* 0 = Send Referer in all cases
* 1 = Send Referer to same eTLD sites
* 2 = Send Referer only when the full hostnames match
18. network.http.referer.XOriginTrimmingPolicy = 2
* When sending Referer across origins, only send scheme, host, and port in the Referer header of cross-origin requests.
* 0 = Send full url in Referer
* 1 = Send url without query string in Referer
* 2 = Only send scheme, host, and port in Referer
19. webgl.disabled = true
* WebGL is a potential security risk. (source anonymous poster at security dot nl)
And a more official variant here:
https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/
polonus (volunteer website security analyst and website error-hunter)
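
An added example, not part of the original post: a Python check that reads a Firefox profile's `prefs.js` or `user.js` and reports which of the 19 preferences listed above match, differ or are unset, and which of the two Safe Browsing checks (the items the post marks as a security risk) have been switched off. The sample input is constructed and the function names are illustrative assumptions.

```python
import re

# Values exactly as given in the post above (items 1-19).
RECOMMENDED = {
    "privacy.firstparty.isolate": True,
    "privacy.resistFingerprinting": True,
    "privacy.trackingprotection.enabled": True,
    "browser.cache.offline.enable": False,
    "browser.safebrowsing.malware.enabled": False,
    "browser.safebrowsing.phishing.enabled": False,
    "browser.send_pings": False,
    "browser.sessionstore.max_tabs_undo": 0,
    "browser.urlbar.speculativeConnect.enabled": False,
    "dom.battery.enabled": False,
    "dom.event.clipboardevents.enabled": False,
    "geo.enabled": False,
    "media.navigator.enabled": False,
    "network.cookie.cookieBehavior": 1,
    "network.cookie.lifetimePolicy": 2,
    "network.http.referer.trimmingPolicy": 2,
    "network.http.referer.XOriginPolicy": 2,
    "network.http.referer.XOriginTrimmingPolicy": 2,
    "webgl.disabled": True,
}

# Matches active lines only; a commented-out "// user_pref(...)" does not match.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Constructed sample in prefs.js / user.js syntax, not from a real profile.
SAMPLE = """\
user_pref("privacy.firstparty.isolate", true);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("browser.safebrowsing.malware.enabled", false);
// user_pref("webgl.disabled", true);
user_pref("network.http.referer.XOriginPolicy", 2);
user_pref("geo.enabled", true);
user_pref("geo.enabled", false);
"""

def parse_value(raw):
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw.strip('"')

def parse_prefs(text):
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))  # later line overrides
    return prefs

def audit(text):
    prefs = parse_prefs(text)
    report = {"ok": [], "differs": [], "unset": [], "tradeoff": []}
    for name, want in RECOMMENDED.items():
        if name not in prefs:
            report["unset"].append(name)
            continue
        have = prefs[name]
        # Compare the type too: in Python True == 1, but a boolean is not integer 1.
        if type(have) is type(want) and have == want:
            report["ok"].append(name)
        else:
            report["differs"].append((name, have, want))
        # The post marks the Safe Browsing items "Security risk, but privacy improvement".
        if name.startswith("browser.safebrowsing.") and have is False:
            report["tradeoff"].append(name)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The `unset` group matters as much as `differs`: a preference missing from the file is running on whatever default the installed Firefox version ships.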
-
This whole issue is a bloody nightmare, Mozilla not content with having shot themselves in the foot are now looking down the barrel to see if the gun is still loaded.
Users shouldn't have to jump through hoops like this to protect their privacy/security.
-
Hi DavidR,
Completely and utterly agree with you there.
The end-user interwebs infrastructure should be safe by default for all- server side and client side alike.
The problem is we do not live in an ideal world, and that shows from all sides, server side and client side,
what we discuss here in this thread is where the seams of the fabric come apart and insecurity shows most.
But we here, the avast support community, do what we can, educationally, voluntarily and on a support basis.
The road we have to go is long, but it always starts with a first step.
Who never starts out on that road will have to suffer the consequences thereof, and others will soon play tricks on them.
polonus
-
For as long as it may work, use the old add-ons:
Navigate to about:config
Search for the extensions.legacy.enabled pref and change the value to true
New extension via Have I Been Pwned to bring data-breach alerts to Mozilla browsers.
https://github.com/nhnt11/BreachAlerts
polonus
-
@ polonus
That is certainly an option for a time.
I'm finding what add-ons that are available for Quantum are a shadow of their former selves. I have 8 so far, but the one I really want security wise is RequestPolicy (RP). There is requestblock add-on but that isn't a patch on RP and is only temp permissions, but I have found it to be a pain in the backside (currently disabled) as sites aren't displaying correctly even if you give temporary permission to 'all this page'.
NoScript for Quantum is also awkward to use compared to the previous incarnation.
My concern would be if you make the change to FF prefs for legacy add-ons, how that would impact on any quantum add-ons that you do have. I would have thought it would be all or nothing (quantum add-ons or legacy no mix) or there could be possible conflict.
-
Hi DavidR,
I do not think you will meet problems there, as that advice came from GitHub redactors. GitHub is the best known developers environment, where I often look for all my coding ideas and check-ups. If they say so, they certainly know it from the developer in-crowd, the horse's mouth, so to speak. Believe me.
If you feel unhappy with the new NoScript then uMatrix is a good alternative to learn to toggle. Specially crafted as an alternative for Google Chrome when Maone did not know how to bring his add-on to that browser because of the limited access in the lower realms, what limitations it shares now unfortunately with Firefox Quantum.
polonus
-
Whilst it may not directly cause an issue, I have found something that may not have been considered.
I have firefox on three systems and they are synced and FF 57.0 is only on my win10 but will end up on my win7 system when I get around to updating FF on that. I have already seen some crossovers to my XP System with Firefox 52.4.0 ESR.
I saw that having installed requestblock on the win10 FF 57.0 and subsequently disabled it because of the hassles, I then found it (also disabled) on winXP Firefox 52.4.0 ESR. So I had to uninstall it, which removed it from both synced systems.
I also see that my usual gTranslate (Legacy add-on) wasn't Quantum ready, so I had also the Quantum To Google Translate 2.2 add-on, not a patch on the legacy add-on. This is what I'm finding the alternative quantum add-on if it exists isn't as good (read flexible/configurable, etc.) as the legacy add-on.
When you add (excuse the pun) FF 57.0 in itself is nowhere as flexible/configurable, I'm not enjoying this experience at all.
-
Hi DavidR,
Do not forget to rename the browser as FireFixed after you solved all these issues with the newer versions of firefox. ;)
Remember the average n00b won't care anyway, he/she/it will just look at it being fast and looking "licked". :'(
Average people will get the browser they deserve, an all tracking and profiling one with limited access. :D
polonus
-
1. Whilst I'm more than capable of looking after myself, I often ask myself is all this hassle worthwhile. In this case I'm close to saying it isn't worth the time and hassle.
I rather doubt I'm alone in that thought, I see Mozilla Firefox losing a large part of its user base, given most are there because of the availability of add-ons and its flexibility and it has lost a lot of ground in those regards.
2. In all honesty, I don't know where they get this 'being fast'(er), on my win10 system FF 57.0 version I certainly don't see it.
I'm not seeing it using much less memory, but for me there is little point in having memory if you aren't going to use it. This is something I will have to monitor as firefox had the habit of RAM usage creeping steadily upwards. At the moment it is in excess of 1GB with 8 instances of firefox running, not what I would call frugal but I would say it is lower than I have seen it previously.
EDIT: Images added.
EDIT2 This modification of the post timed out twice, don't know what was responsible FF or the forums.
-
Even the more where Mozilla is now copying more of Google Chrome's ways: https://www.thesslstore.com/blog/chrome-data-url-phishing/
Read: https://blog.mozilla.org/security/2017/11/27/blocking-top-level-navigations-data-urls-firefox-58/
At present a lot of power-users use uMatrix instead of now crippled NoScript.
Also blocks unwanted/undesired scripts and a lot more - and after some practice - works in a similar fashion.
A combination of uBlock Origin and uMatrix is a very effective one. Very adjustable at that as well.
Also import some third party filters into uBlock Origin, like for instance: http://cinsscore.com/list/ci-badguys.txt & http://www.networksec.org/grabbho/block.txt & https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset
Against bitcoin mining scripts uMatrix is also an effective blocker.
Only allow that into/onto uMatrix what one needs to have the loaded website function properly
for you inside your browser client of choice, be it firefox or Google chrome etc.
You need no rocket science abilities to do this,
it can be easily achieved with a bit of persistent exercise and good will.
polonus
-
It is looking like I will have to get rid of NoScript (NS) not because of what you mention, but because of my firefox synchronisation on my three installations.
There is duplication between NS and uMatrix, so I'm having to do things twice and even when that is done I'm getting what appears to be weird interaction/s, where the page just doesn't load correctly.
I would however, rather have RequestPolicy as that isn't so complex as uMatrix, far quicker, simpler to use than uMatrix and possibly more effective.
-
More misery to show that Mozilla Quantum browser is on its way to completely going down the drain:
Unsolicited extension installed: https://support.mozilla.org/en-US/kb/lookingglass
https://www.reddit.com/r/firefox/comments/7jh9rv/what_is_looking_glass/dr6fiaz/
This might completely suit the needs of Mr. and Mrs. nitwit-Average and their Main Stream click-go-happy-kids,
but is giving the traditional Firefox power-users, like little old me, the creeps.
I now have the feeling that the Firefox browser has completely and utterly capitulated
to be like all the other main browsers, Google Chrome, Blue-e Edge, etc.,
meaning mass consumption instruments for Big Multinational Corps to thrive,
like everything in this world to-day. >:(
66 very useful legacy type extensions "murdered" in the process.
I hope this will mean the end of Firefox,
and we can switch to another concept like Brave etc.
Gone are the days of flock, or of in browser security.
Quantum a hand-out to the needs of Big Tech trackers and profilers,
and suiting Big Gov's Surveillance better.
Sad days, for the more aware :-[
polonus
-
For now FF ESR still works for me... Cheers
-
I wish you a good Advent, Asyn,
Good users also have Palemoon (fx before version 29) and for the tor browser,
the more traditional firefox flaw will never go away. ;D
Quantum equals Edge and/or Google Chrome.
Damian
-
More misery to show that Mozilla Quantum browser is on its way to completely going down the drain:
Unsolicited extension installed: https://support.mozilla.org/en-US/kb/lookingglass
No such beast on my win10 system with firefox 57.0.2, but then again I wouldn't have expected it. As mentioned in your link "No changes will be made to Firefox unless you have opted in to this Alternate Reality Game." I haven't, so no changes, nor have I received any other unsolicited add-ons.
However, I don't see Firefox Quantum lasting long and it isn't for this, it is for the pathetic number of add-ons that are available for it.
-
I wish you a good Advent, Asyn...
Thanks Damian, same to you and yours. :)
-
It would be great if the ADD-ON DEVELOPERS update their product and not just mozilla fixing the problem on their side.
-
I think you are losing the track here.
Firefox have fixed nothing, they have implemented a policy when FF 57.0 was released that all add-ons would be under a different API/Language (not just a simple update to the existing add-on). That at a stroke made over 80% of add-ons on my win10 firefox 57.0 installation redundant.
The developers would have to devote the time to rewrite these add-ons (which by all accounts isn't straightforward), they also aren't paid for this work unless they get voluntary donations.
-
Hi Evanna456,
As my good forum-friend, DavidR explains to you.
This is not very likely that developers will again develop their extensions/add-ons for another extension-engine, from now once and now left xpi-extension engine to the webextension engine of Google's Chrome. In a lot of cases the access needed to the browser does not exist anymore, because Google does not allow it to that extent (because of their main line of business protection) and firefox followed this pattern. That is why NoScript in Quantum is a miserable 'undressed' version of the once xpi add-on.
So jumping through all the hoops you mentioned is not that easy at all, and sometimes completely impossible. I hope you understand now that so many power users and folks that understand browser code a tad more, so strongly protest(ed).
To jump onto the Google bandwagon of tracking and profiling probably was more profitable to firefox heads of development.
polonus
-
Firefox will get an option to mark all, you read it right, all http sites as insecure!
More security through obscurity coming to firefox on a browser near you:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1310447 -
This is the big green padlock means safe site misconception.
A green padlock does not by definition guarantee a website is safe or secure,
it merely states the connection to it is safe and secure.
Now the public has a completely wrong idea, when clicking their way through the Interwebs.
With a green padlock there, they think they are out of harm's way. Wrong thought,
thanks to those that wanna profile and track you secretly and hidden over https and in the cloud.
You'd better not find what they are up to, isn't it now?
Thanks to the https-everywhere actions led by Google et al. we now have such misconceptions in the world.
polonus (volunteer website security analyst and website error-hunter)
O.K. And still no way to keep your zoom settings in the new Quantum browser. ???
D
-
Yes, if https was safe, why would avast have gone to the trouble of having the web shield scan https content :)
-
I never knew that's the case. Mozilla should fix it then like using another engine(?) I hope. It's not like they can't do it because in the early versions of firefox, addons are running fine. It's not impossible but troublesome considering they are a non-profit organization just like the addon developers, they don't earn much from their work.
So far my addons run good as it should be. Also I don't use noscript in firefox, it breaks some of the pages and it's been a hassle on my part to set it up. I just let avast web shield do the script blocking and that's it.
I do use noscript from another firefox browser, the tor browser.
I use both of the browsers differently, carefree and full browser experience in firefox and stealthy attitude for tor.
I'm not a power user like everyone else but I really hope things will sort themselves out.
-
Hi Evanna456,
You, as a n00b user, could be better off using uBlock Origin in combination with uMatrix add-ons in firefox.
There is less toggling that way to make webpages function allowing blocked functionality (3rd party scripts).
polonus
-
tnx for the suggestion, I'll try that in the near future. :D
-
Another reason not to like new firefox browser: https://arstechnica.com/information-technology/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/
Bad isolation creates the extensions reuse vulnerability!
polonus
-
Hello, I'm still using Firefox 56, was using NoScript + RequestPolicy + uBlock Origin in it.
What do you recommend me doing now? Wait a bit more or try using Quantum with new NoScript? Though there is no RequestPolicy in it :(
-
There is now RequestPolicy Light. But the newer extensions, also NoScript, have been hampered by copying of the Chrome extension model, that leaves developers less access to the browser (apparently here Google's kernel business dictates) and
there is really no alternative, well there is Brave (with inbuilt protection).
polonus
-
Hum, I see, for now will keep using version 56 then
wonder how long should I use this browser though... since it will be outdated/abandoned eventually
so will keep checking the news here and what to do in the future...
-
Actually NoScript already went Legacy on Firefox 56 while 57 is a big security hole >_<
great way to start new year 2018 lol...