Topic: You can lead a horse to the water, but you cannot make it use NoScript..

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Hi SafeSurf,

But development of browsers is going in quite another direction, which is most clearly demonstrated by the development of GoogleChrome, and the general trend is to move it out of the hands of the user into that of the developer; also a nice Web2 browser like flock has decided to go on like a GoogleChrome clone rather than further develop the Mozilla variant. Plug-in being there ready installed and maintained by Google: http://blog.chromium.org/2010/06/enabling-adobe-flash-player-support-in.html , why not move on into the direction of HTML5 and let Flash with all the insecurities involved die a silent death?
This is part of GoogleChrome's project "pepper" where all plug-ins will go soon, they just started with Adobe's.

See, what you get is a pre-defined browser, that gets harder and harder to tweak for just those aspects where Google does not want you to take the browser under user control (that is why SRWare's Iron was developed, a Chrome-clone without the privacy issues of the Google one). It went even to such an extent that vital parts of the Chrome code were left out to make NS implementation for instance impossible, and turn the Google browser application in one very fast clicking user-tracking and ad-launching application. It brought some good also because the tabs run under separate processes (look in your task manager), CPU-consuming processes can be halted, so the rest of the browser won't crash (Fx copied these features in their latest test versions) and moreover a benefit is that the sandboxed browser has become very hard to hack.
But that is not what I want to go on about here, I want to tweak a browser to my specific individual security needs. In the browser I want to decide about rendering Google-Analytics and Google Search Engine scripts etc. etc. for instance, to enable obfuscated script by "Bubbleclick" (also acquired by Google), sending all sorts of web bug (hidden, but put your mouse over and you will send an identifiable code to the coders of the web bug) info to profilers and trackers, block iFrames all completely or under certain conditions, run block lists inside the browser extensions, not have to view pop-unders, pop-overs and pop-in-betweens, I want to see bugs reported and errors (well Google has that), but in a nutshell you see the difference between a browser that can be made secure by a user that understands the threats and the click-machine that comes fit for the masses, and where no one has to think anymore, we decided what is good for you (eh for us) and everything is super-secure so click at ease and we will further earn on your browser history and sell your profile.
Yes for some this is a preferred way of things to develop, they stopped thinking for themselves long ago, they take the general opinion as a holy standard of what the world is all about (information and misinformation gently mixed to please their needs), and have left all desire for individuality and self-realization. If you want to be "click-cattle", do expect to be treated that way, you will be browser sheeple always, and that is why I am glad there is NoScript, RequestPolicy, ghostery, and those kind of extensions. And even if I can have such a plug-in in Chrome, I have lost the functionality after every silent download and upgrade or patch of the GoogleChrome browser, because I have to re-install the settings over and over again,

polonus
« Last Edit: July 01, 2010, 05:12:03 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48616
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Damian,
Not all of us (probably most of us) are interested in tearing things apart and "improving" it.
I personally use the software, including the Chrome browser, with a few personal tweaks as it's
delivered to me.
The fact that someone knows which websites I frequent, really means little to me.
For me the built in flash player function means that it will not be tampered with.
I didn't think that was such a bad idea.
Peace, friend.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline polonus

Hi bob3160,

I appreciate that and I can understand that for you these matters do not count, because you apparently feel no need for it. And then there is no issue and let it not hamper the way you live with browsers.
For those that know what the versatility of a browser could be and how to fine-tune its security, it is a sad thing these features do not come with certain browsers and have become for various reasons under fire and under threat. And let us not talk about the why's, etc, because that is less important.
I am not alone in my point of view and you are not alone in yours either.
But does it not take a bit of the fun and adventure out of life, when there is nothing anymore to "tinker" with? We have been made afraid for the wrong reasons, we have lost a lot of freedoms we once had or these freedoms became and become more and more frowned upon by the commercial restricters (resource engineering, testing, etc. and those that wanna have full control over our use of browsers.)

And human beings are willing to learn and while learning are being "tinkerbells" really. And that has brought the world forward, alas the conservative think differently there and also are on the side of vested interests.

If everybody would take your position, bob, browser development would stand still, bug reports weren't written anymore, script injections could not be thwarted any longer. "I don't mind, give me the appz, if I can go on clicking and it pleases me, no further questions. attached".

What I like to do, is make some additional rules for my firekeeper extension, translate them from Snort and apply them in my special blacklist, go and read the developments of NS on my good friend Giorgio Maone's NoScript web forums, ask questions about certain script threats (or go looking for them online), read reports from browser malware experts, check with jsunpack, URLvoid, malware search (also a neat Fx extension - did not see that one for GoogleChrome), see what mischief the adversary script kiddies are into with their ready-made kits (also too lazy to think it out themselves) and find ways to help browser users to find protection and apply protection.
Happy for me, I am not alone in this desire, and I hope that will be for a long, long time to come. NS-users of all lands, unite!

polonus

P.S. There is something going for the pepper project, bob, just look here:
hxtp://www.exploit-db.com/exploits/13787/  (do not try the POC, it would immediately crash the browser)
and this Adobe threat news: http://blog.bkis.com/en/adobe-fix-still-allows-escape-from-pdf/

« Last Edit: July 01, 2010, 06:52:17 PM by polonus »
DukeNukem

  • Guest
Quote
Hi bob3160,

I appreciate that and I can understand that for you these matters do not count, because you apparently feel no need for it. And then there is no issue and let it not hamper the way you live with browsers.

For those that know what the versatility of a browser could be and how to fine-tune its security, it is a sad thing these features do not come with certain browsers and have become for various reasons under fire and under threat.

If everybody would take your position, bob, browser development would stand still, bug reports weren't written anymore, script injections could not be thwarted any longer. "I don't mind, give me the appz, if I can go on clicking and it pleases me, no further questions. attached".

polonus


Polonus, you are free to do what you wish. Use what makes you feel safer, use what works for you.

That applies both ways, I am free to use what I wish, what makes me happy and feel safe and works.

I quoted your post as I do not like the patronising attitude, please lose it.

Remember, you are in no position to assert the measures or security practices you adopt are safer or better than others.

I should not have to point this out!

And your comment towards bob, is completely untrue. The majority of people that do take bob's position are known as the end user.

Offline polonus

Hi DukeNukem,

bob3160 and I are good friends, and good friends may have different visions on in-browser-security measures, and our difference of opinion can only be helping the discussion.
I have nowhere read (from experts and browser security researchers that are in a position to know) that NS is not doing its job as it should and it has been qualified by them as one of the best security extensions ever developed for the Fx browser, and it is a shame it could not be brought in other browser flaws. I haven't heard anyone in this thread say anything to the contrary, they argued on other arguments, because they could not beat this one.

As I stated elsewhere I would welcome it that NoScript would finally get an all-browser-wide adherence. I am not patronizing, I just repeat a general opinion on an extension. I am no party in this.
I also know that the opposition against it comes from a lot of folks that have never used it and talk on a hearsay basis or handling the browser extension features and settings are just beyond their scope. I want to leave that aspect out of the discussion. If you better feel on automation you won't have gears... Fine with me.

I just like what Giorgio Maone has developed and I have seen what it can do. I asked the man on his forums many times "and does NS protect here, and does it protect here?". And on all accounts he stated it always did. I wanted to hand down this experience to our user base here, and if it falls on deaf ears here or people for whatever reason do not want to hear it, that is OK with me, go with the second best in-browser protection there is which is a combination of reputation scanning (not reliable in various cases), block listing (always running after the facts) or the use of a scanning proxy - sort of IDS which is provided by the avast shields (we are so lucky as avast users to have these but it is depending on the fact the recognition of malscript must be excellent, and it misses some out).

I am not talking about browsers, I am not talking about in-browser-security in general, I am just talking about the unique quality of the NoScript plug-in which makes the Mozilla browser the most secure, alas without the NoScript extension it falls back to a third place or even worse and is not the most secure browser there is at all and must let for instance GoogleChrome sandboxed go first, but there one made that NS cannot be implemented.

When flock started years ago I was part of their browser security, and been a Fx test pilot for quite some time, I just wanted to pass on my experience for years now with browsers and browser code,

polonus
« Last Edit: July 03, 2010, 12:29:21 AM by polonus »
Offline bob3160

Quote
bob3160 and I are good friends, and good friends may have different visions on in-browser-security measures
Totally agree Damien. Damien and I and our wives even had the opportunity to meet last year thanks to Avast.  :)
Having said that, I still like Chrome more than Firefox. If however NoScript were available as an add-in for Chrome, I'd gobble it up.
Till that happens, I'll rely on avast! and my good sense and an excellent backup/restore system.  :)