Pale Moon NoScript 'crisis'

[polonus]

Read: https://forum.palemoon.org/viewtopic.php?t=17619

Scripts can import all sort of functionality into a browser, but they are also easily abused by malcreants to inject all sorts of malcode into your browser.  This is where the crisis stems from NoScript has now being blacklisted and is being blocked as an extension, while it apparently breaks webpages (in the hands of the uninformed and non-tech-savvy).

This means a victory for the general dumbed down click-sh**ple, facebook's Mr. M.Z. is so fond of, his dumb f-word+s!
We have the following dilemma: Blocking scripts creates disfunctionality, allowing (all) threats and risks.

For the non-tech-savvy the in between is no option. Who looks under the *hood aka in the browser developer's console can see what (s)he/it blocks or not (but it only seems polonus and a few other's are capable of deciding what to block and what not).

This is one part of the story, the other is it conflicts with the demands of Big Silicon Valley Tech firms ad-launching circus and Deep State Surveillance, so root it out, block it, make it no longer available, much of that seen also in the Russian Federation now with encrypted chat-apps being officially blocked. The going gets narrow, Internet freedom and your last vestiges of privacy are at stake.

Is everybody blind to what is happening?  (info credits go to security dot nl's Aha)

polonus

[DavidR]

Well NoScript had previously shot itself in the foot, by adding a great number of sites to load scripts in their default allow list/s and this apparently was more revenue related than not an issue.

At that point many dropped NoScript in favour of uBlock Origin.

With all ad blockers there is an overhead, the user really has to be in control (time and hassle) of what is allowed and what should remain blocked and not just allow all. If they are going to do that, then there is little point in having an ad blocker.

Also, should users go the extra step and control 3rd party site access, Request Policy (of old) and uMatrix.  In combination with ad blockers, these can but a crimp in the bad guys activities.  But it also puts a load on the user in what they allow and as mentioned these ad-ons can break site layout when scripts can't format the layout or import content. 

However, when a browser developer effectively blocks the use of ad blockers just because they could break some site code (by not allowing it to run), this should be (IMHO) an informed choice for the user and not browser developers.

[Asyn]

Hi guys, I only had a quick look at the PM thread, but it seems they just say that they won't provide support for NS issues.
IMO, that's OK, as it's an add-on after all and has its own support forum (https://forums.informaction.com/viewforum.php?f=3).

Well NoScript had previously shot itself in the foot, by adding a great number of sites to load scripts in their default allow list/s and this apparently was more revenue related than not an issue. At that point many dropped NoScript in favour of uBlock Origin.

Hi Dave, are you mixing up NS with ABP..!?

[DavidR]

<snip>

Well NoScript had previously shot itself in the foot, by adding a great number of sites to load scripts in their default allow list/s and this apparently was more revenue related than not an issue. At that point many dropped NoScript in favour of uBlock Origin.

Hi Dave, are you mixing up NS with ABP..!?

That is quite a possibility, as I no longer have NoScript or ABP, which is probably where the confusion reigns.  Mozilla has stopped the Legacy extensions/add-ons in the regular FF release stream, I couldn't see any point in keeping it in the FF ESR builds when I have Synchronise Now in my Firefox browser settings.

[polonus]

As an alternative in Iridium for instance I now run uMatrix  x uBlock origin (with special lists) x new Privacy Possum x Block Referer extensions, on Android I run mask and Brave browser (to cull unwanted ads and scripts) and regularly delete all of the Android browser cache and memory through the general settings.

But the going gets narrower all the time! We have been manipulated into a position where we have to competely fence for ourselves.

(The same as with original av no longer is protecting against all modern hacker attacks (white, grey, black hackers and state sp**ks and state actors). You are constantly in an "after the facts" position and lucky not to trod on a zero-day or non-documented state spyware or being under drag-net surveillance.

What did not help either was the identical browser engines for all major browser's mono-culture and developers going more and more for "single page applications". Also with the smart TV, smartphone, notebook and laptop experience  all becoming more and more identical & similar accross various platforms, it is all being taken out of the hands of the end-user and overseen and steered elsewhere into a certain direction, of which we can easily guess the outcome when you live in to-day's world.   

After doing away with WHOIS and working towards doing away with anything outside the non-public cloud (http, full e2e encryption), what will there  be left of protection of our last vestiges of privacy and individuality?

polonus (volunteer website security analyst and website error-hunter)

[Asyn]

1. The same as with original av no longer is protecting against all modern hacker attacks (white, grey, black hackers and state sp**ks and state actors). You are constantly in an "after the facts" position and lucky not to trod on a zero-day or non-documented state spyware or being under drag-net surveillance.

2. After doing away with WHOIS and working towards doing away with anything outside the non-public cloud (http, full e2e encryption), what will there  be left of protection of our last vestiges of privacy and individuality?

1. Avast does.
2. Well, advanced users will always find ways to protect themselves - the unaware masses were always easy prey for the bad guys.

[polonus]

Hi Asyn,

Agree with you where avast is concerned, I would not be here if that was not so. 

NoScript is unsafe in some respects, not everyone understands the workings of it, so for instance the as default settings in the tor browser is set wrong.

There is also dangerous features, like looking up info with NoScript (Shift+click on host name, and pull up info on trustability from NoScript.net database). But also functionality other script blockers miss:  XSS protection and CSRF protection and clearclick. Things that are not there in uMatrix. Also ABE and SABER firewall like feature.

Also there are no zero-days for NoScript it can even block the script threats from the near and far future, the concept is great.
Alas handling the tool for the non-tech-savvy easily goes awfully wrong, and many leave it to "rot". There it is a two-sided sword really.

polonus (volunteer website security analyst and website error-hunter)

[polonus]

One could still use NoScript by taking off the tag at "disable".

Support for the old add-ons in Firefox ESR 52 ends coming August (2018),
so the amount of Legacy add-ons will certainly deminish round that time.

Also this will disappear: https://addons.mozilla.org/nl/firefox/

polonus

[Asyn]

Also this will disappear: https://addons.mozilla.org/nl/firefox/

Hi, it certainly won't disappear in Firefox - no idea about Pale Moon, though.

[DavidR]

One could still use NoScript by taking off the tag at "disable".

Support for the old add-ons in Firefox ESR 52 ends coming August (2018),
so the amount of Legacy add-ons will certainly deminish round that time.
<snip>

1.  I don't see the point of doing that, when there are other options that cover much of what NoScript does.

2.  Considering we are already on Firefox ESR version 52.8.0 (32-bit), come August 2018, we will have passed ESR version 52.0.  Since many will be on the mainstream version/s of firefox, Legacy add-ons are already dead.  At a very rough guess I would say 80% or possibly more are Legacy add-ons on the Mozilla site.

When Mozilla announced the death of Legacy add-ons outside of the ESR version, I said it was the longest suicide note for a browser I had seen. 

If people can't get the add-ons that they need/want, then what attraction does firefox hold, not much.  I liked the configurability and multitude of add-ons that attracted me to firefox, well than and IE was cr4p and I didn't like Opera.

[Asyn]

1.  I don't see the point of doing that, when there are other options that cover much of what NoScript does.
2.  Considering we are already on Firefox ESR version 52.8.0 (32-bit), come August 2018, we will have passed ESR version 52.0.  Since many will be on the mainstream version/s of firefox, Legacy add-ons are already dead.  At a very rough guess I would say 80% or possibly more are Legacy add-ons on the Mozilla site.
3. When Mozilla announced the death of Legacy add-ons outside of the ESR version, I said it was the longest suicide note for a browser I had seen. 

Hi Dave,

1. I haven't found anything as configurable/powerful as NoScript yet.
2. Agreed, but 80%+ of these add-ons were also (more or less) useless slowdowns...
3. Well, many devs have updated their products meanwhile, so the most important ones are covered.

PS: We're getting slightly OT here, as Pol is referring to Pale Moon in this thread...

[Avast Eagle]

One could still use NoScript by taking off the tag at "disable".

Support for the old add-ons in Firefox ESR 52 ends coming August (2018),
so the amount of Legacy add-ons will certainly deminish round that time.
<snip>

1.  I don't see the point of doing that, when there are other options that cover much of what NoScript does.

2.  Considering we are already on Firefox ESR version 52.8.0 (32-bit), come August 2018, we will have passed ESR version 52.0.  Since many will be on the mainstream version/s of firefox, Legacy add-ons are already dead.  At a very rough guess I would say 80% or possibly more are Legacy add-ons on the Mozilla site.

When Mozilla announced the death of Legacy add-ons outside of the ESR version, I said it was the longest suicide note for a browser I had seen. 

If people can't get the add-ons that they need/want, then what attraction does firefox hold, not much.  I liked the configurability and multitude of add-ons that attracted me to firefox, well than and IE was cr4p and I didn't like Opera.

Been trying to get as much feedback possible to why NoScript would be considered unsafe now.

Can you give me more detail? also what else you keep planning to use along the browser.

[polonus]

The very reason that add-ons (extensions) like NoScript exist, is gaping holes in the browser, and the fact that less and less is to run on the server-side nowadays and more and more is to run inside the client (aka the browser in this case).

Misleading news and titles like: https://www.reddit.com/r/linux/comments/55n860/noscript_is_harmful_and_promotes_malware/

This could pop-up everywhere and is the real reason: the title should be Malware Delivery Networks (aka ADNs) are harmful and distribute malware, not the means to not having to meet them or being confronted with malscript.

Whenever ad-launchers cannot guarantee a malware free ad-experience, I will contiunue to use ad- & script-blockers just for that very reason, and no one from the industry can tell me that is immoral behavior. 

The tenure goes on from javascript developers like: "really, why should we support you if you’re not willing to support us by displaying ads?".  Ok, but self-regulation did not even help here, see the cybercriminal crypto-jacking boom.

Well I do not want mal-script, I want the script that you developed and others acquire retired as soon as it becomes vulnerable or outdated or left code. (example for a jQuery javascript libary here: https://publicwww.com/websites/%22%2Fjquery%2Fjquery-1.8.3.min.js%22/ and the number of webpages that might be affected and therefore should be blocked as unwanted 3rd party code links on potentially over 1700 websites -> example:
https://publicwww.com/websites/%22%2Fjquery%2Fjquery-1.8.3.min.js%22/ ).

Same storylines are being told about adblockers like ABP & Ghostery. I am not going to browse naked, because it better suits Google's or facebook's or whatever's core-business monopoly selling off all of my private data and later comes to micro-target me with tergeted ads based on their algorithms, I haven't asked for that.

The above is why NoScript became integrated for instance inside the tor browser,and the main reason for why it is frowned upon by the "forces that be", because it empowers you as an end-user and that should not be.

polonus

[Avast Eagle]

The very reason that add-ons (extensions) like NoScript exist, is gaping holes in the browser, and the fact that less and less is to run on the server-side nowadays and more and more is to run inside the client (aka the browser in this case).

Misleading news and titles like: https://www.reddit.com/r/linux/comments/55n860/noscript_is_harmful_and_promotes_malware/

This could pop-up everywhere and is the real reason: the title should be Malware Delivery Networks (aka ADNs) are harmful and distribute malware, not the means to not having to meet them or being confronted with malscript.

Whenever ad-launchers cannot guarantee a malware free ad-experience, I will contiunue to use ad- & script-blockers just for that very reason, and no one from the industry can tell me that is immoral behavior. 

The tenure goes on from javascript developers like: "really, why should we support you if you’re not willing to support us by displaying ads?".  Ok, but self-regulation did not even help here, see the cybercriminal crypto-jacking boom.

Well I do not want mal-script, I want the script that you developed and others acquire retired as soon as it becomes vulnerable or outdated or left code. (example for a jQuery javascript libary here: https://publicwww.com/websites/%22%2Fjquery%2Fjquery-1.8.3.min.js%22/ and the number of webpages that might be affected and therefore should be blocked as unwanted 3rd party code links on potentially over 1700 websites -> example:
https://publicwww.com/websites/%22%2Fjquery%2Fjquery-1.8.3.min.js%22/ ).

Same storylines are being told about adblockers like ABP & Ghostery. I am not going to browse naked, because it better suits Google's or facebook's or whatever's core-business monopoly selling off all of my private data and later comes to micro-target me with tergeted ads based on their algorithms, I haven't asked for that.

The above is why NoScript became integrated for instance inside the tor browser,and the main reason for why it is frowned upon by the "forces that be", because it empowers you as an end-user and that should not be.

polonus

Ah ok i missunderstood the first post xD