Internet Explorer 9, which Microsoft released earlier this year, is by far the fastest and most advanced version of IE (it rivals Chrome in the speed with which it loads Web pages). IE9 also includes new security features, such as enhanced memory protection and Microsoft’s SmartScreen Application Reputation engine, designed to alert users when they try to download files from locations on the Web with an unknown or dodgy history.
NotScript is a Chrome extension that mimics the functionality of Firefox NoScript. I’ve been using it for a few days and I’m impressed. Like you I’ve always preferred NoScript, but Chrome is just so much faster and cleaner.
I’ve been using NotScripts for a while now on the occasions I use Chrome. It seems to work well, but I’ve been experiencing issues lately (that I think are Chrome-related, though they could be NotScripts) where pages will download, but simply won’t render.
I also migrated to Chrome when NotScript came out. The lack of a NoScript-type extension for Chrome was the only thing that kept me from using it for a while.
NotScript gets the job done, but it does have some limitations when compared to NoScript. For example:
* There’s no option to not automatically reload affected pages when you choose to allow a particular script. For example, if you have 20 tabs open and you allow a script that affects 5 of those tabs then all 5 reload. That can be annoying on slower connections.
* NotScript will not show some scripts until some scripts are allowed. For example, you may go to site example.com that is embedding content from a.com, b.com, and c.com. NotScript does not seem to recognize that a.com, b.com, and c.com exist until example.com is allowed. This results in having to sometimes reload a page 3 or 4 times to see the content that you want.
I suspect the first point is just a feature. I think the second point is probably related to the way that NotScript has to use HTML5 storage caching to work around the way Chrome handles extensions, but I’m not 100% sure of that.
+1 for NotScripts in Chrome. Link for simplicity
NoAds is an extension for Opera browser which has the same functions as NoScript in Firefox.
I would also recommend RequestPolicy addon for Firefox. From its website: “[…] giving you control over when cross-site requests are allowed by webpages you visit.” RequestPolicy operates in the same fashion as NoScript in that it allows you to selectively pick which sites have temporary or permanent permissions for cross site access. I find that the use of NoScript plus RequestPolicy gives me quite a bit of security. Also, I do throw in AdBlock Plus for good measure.
What do you think of the options available in a fresh default Opera installation?
Is this a question of doing what I say rather than what I do?
The incongruity is evident in your own words:
If you are as concerned about privacy and security as I believe you are, your own site should not be an example of how privacy and security can be abused.
My site is abusing your security and threatening your privacy? Really?
This blog includes code that keeps track of how often people visit. Nearly every site on the Internet maintains similar code. I’ve been up front about the fact that my blog is supported in large part by advertising.
I’ve also not spent a lot of time writing about privacy concerns because I find many claims about privacy invasion on the web to be vague and full of FUD. When I do write about privacy issues, it is generally in the context of encouraging people not to give away personal information that they don’t want everyone else to know or find out.
Can you please explain what it is that you feel is so potentially dangerous about reading the content on this site?
I’m not sure what’s wrong with tracking or advertising. Sure, it can be taken too far, but this blog doesn’t do that.
Right now I’m reading this in Chrome with NotScript enabled. I have Krebs, addthis, youtube, wordpress, and google-analytics allowed. Those four 3rd party sites were already enabled for other reasons.
I have topsy, quantserv, and fmpub blocked at the moment. I don’t have any reason to allow them so I’m not going to go out of my way to whitelist them.
That’s the whole purpose of add-ons like NoScript. If you don’t like the third party content then just block it. Blacklist it by default then just allow what you need and you’ll never have to worry about it. I doubt the author has a problem with you doing it on his Web site since he’s the one promoting the add on.
You can’t possibly be really believing what you’re saying… And even if you do… You’re a savvy user and undoubtedly using the very security measures that Krebs is talking about. If so the site will work fine for you with the exception of the Youtube video… Which you could never have seen anyway with your rigid personal security policy. So I don’t see the downside here…
Krebs touts a security mechanism, “yes” that would create a centric in which even the trust relationship with his own site would be subject to scrutiny. And you’d have to say “Allow Scripting from krebsonsecurity.com” but that makes me trust him more not less. If my Bank tells me to check for SSL, “do I trust them less?”, No. Even if they acknowledge there’ve been malicious certs issued lately, and you should check the certs carefully or update your browser. I appreciate every layer to the onion of security and praise to the man who advocates a policy that would inherently break portions of his site; because he trusts you to trust him enough to re-enable scripting for his site… or if not… he doesn’t hinder you from reading his articles.
I much prefer a blocking hosts file that works at the Operating System level instead of an application specific function. To me, noscript is an administrative nightmare and blocks a lot of useful functionality. Well, that and on a personal preference, no other browser matches the functionality of IE 8’s Favorites Center or has a convenient command line function (to use in a batch file) to clear history, cookies, temporary Internet files, etc. Also, I’m a huge keyboard shortcut user and have found no other browser matches keyboard shortcuts as intuitively as IE. I also don’t care for the User Interface of many other browsers, even IE9! But, I digress, getting off topic.
Yes, it’s the better way to stop sites at the front door and not at the 2-3 door.
I’ve used the Verify Redirect add-on for Firefox and like it very much. I’ve been trying out RequestPolicy as a possible replacement for Verify Redirect (at the recommendation of forum participants, here). Its interface and options are similar to NoScript.
I just tried the NotScript add-on for Chrome. This, too, like others above, was keeping me from using Chrome. I like the NotScript interface — cleaner than NoScript. Now, I just need to locate a cross-site blocker for Chrome, similar to Verify Redirect. 🙂
I too, as Brian notes above, have long been frustrated that when I enable Java via NoScript, the page reloads and usually info that I’ve filled in vanishes, forcing me to fill in the forms all over again. I lately installed Lazarus, a form recovery add-on for Firefox, which has worked the few times I’ve used it. It’s in Beta for Chrome and Safari. You can install it via add-ons in Firefox, and read about it here: http://lazarus.interclue.com/
I think the real issue is commercial providers forgetting what their core business is. I can live with advertisement support work like this blog, what I have a hard time with is when the prime business is selling (movie tickets come to mind) and instead of focusing on that core business most of the script and content is focused on cross-selling (including my information) to the highest bidder, no matter how far removed from the core business. When I count more than 10 script providers that have nothing to do with the transaction engine or the brand owner and enabling any of these leeches is a prerequisite of doing business, I am not coming back.
Would having so many cross links be a reason to blacklist these offenders, as having inherent security risks and clearly not the customer in mind? I do think so.
Eventually I gave up and uninstalled it.
I need another option. Something that detects good from bad. Something like AddBlocker’s whitelist.
Could always try a DNS solution, such as OpenDNS with an elevated security setting. They maintain a list, a blacklist, of sites to block. Your browser can’t even resolve the IP for the domain. And you can block DNS you don’t want your users going to. I’d imagine they have an inverse model where you could block everything except what you whitelist. But if you blacklisted doubleclick and a handful of ad companies I’d say you break 90% of JavaScript ad engines which refer to those domains.
Another Flash security warning:
“Adobe Flash Player CVE-2011-0628 Remote Integer Overflow Vulnerability”
I have no objection to them displaying ads that pay for the content I get for free. But some of the flashing ads look like they’re capable of inducing seizures in susceptible people. Thank you, Noscript, for suppressing that crap.
I rarely if ever see ads when using a blocking hosts file (ex. MVPS). =)
Although it blocks ads, its primary function is blocking (blacklisting) known bad sites. I swear it alone has kept malware from getting to my system while browsing the far reaches of the Internet. Also, as I said earlier, it works regardless of what application you use to access the Internet as it works at the OS level.
I agree with you – the MVPS Hosts File is awesome. And to make updating as easy as possible, I now use the HostsMan hosts file manager and have it automatically update MVPS Hosts, Peter Lowe’s Adserver List, and Zeustracker (which I manually added by placing http://www.abuse.ch/zeustracker/blocklist.php?download=domainblocklist into the source list).
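The multi-source hosts file setup described in the comment above, shown as an added example that is not part of the original thread: it merges several downloaded lists into one blocking hosts file and rejects any entry that would point a name at a real IP address instead of a sinkhole. The function names, the assumption that sources arrive either in hosts format or as one domain per line, and the sample data are all constructed for illustration.

```python
import re

# Addresses a blocking hosts file may legitimately point a name at.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# Names that keep their real mapping and are never emitted as block entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost"}
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z]{2,63}$")

def parse_blocklist(text):
    """Parse hosts-format or one-domain-per-line text into (domains, rejected)."""
    domains, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        if len(fields) == 1:
            names = fields                      # plain domain list
        elif fields[0] in SINKHOLES:
            names = fields[1:]                  # hosts format, safe target
        else:
            # A downloaded list must never be able to redirect a name to a real IP.
            rejected.append((lineno, raw.strip(), "non-sinkhole address"))
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES:
                continue
            if HOSTNAME.match(name):
                domains.add(name)
            else:
                rejected.append((lineno, raw.strip(), "invalid hostname"))
    return domains, rejected

def merge_blocklists(sources, allowlist=()):
    """Merge {label: text} sources into deduplicated '0.0.0.0 name' lines."""
    merged, rejected = set(), []
    allowed = {name.lower() for name in allowlist}
    for label, text in sources.items():
        domains, bad = parse_blocklist(text)
        merged |= domains - allowed
        rejected += [(label, *entry) for entry in bad]
    return [f"0.0.0.0 {d}" for d in sorted(merged)], rejected

# Constructed sample input (not real blocklist data).
SAMPLE = {
    "hosts_style": "127.0.0.1 localhost\n0.0.0.0 ads.example.net # tracker\n"
                   "127.0.0.1 Ads.Example.NET\n203.0.113.7 bank.example.com\n",
    "domain_style": "# one domain per line\nc2.example.org\nhttp://c2.example.org/x\n",
}
```

Calling `merge_blocklists(SAMPLE)` returns the merged hosts lines together with the rejected entries, which are worth reviewing before the result replaces the system hosts file.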
-Very- timely Brian – for all of us…
Fake VirusTotal site serves malware
“… the website looks the same way as the original. However, hidden in the source the parameters needed to infect the system through a java applet through which discharge completely silent malware…”
(Screenshot at the URL above.)
Useless report – they don’t provide any information regarding the URL of the fake site, so what good does this do me? I don’t have a way of blocking it.
Brian is showing you how to take control of your browsing. He’s showing you a choice.
For my choice I use a fully tweaked/locked down NoScript and AdBlock Plus with filters in Firefox 4. That is my choice on how I interact with the web.
I’ll chip in.
I use NoScript Firefox 4, with OpenDNS, and a hosts file I just inherited from CCleaner or one of those. Oh, and Flashblock & Certificate Patrol (as recommended on SecurityNow).
David, I might be mistaken, but I believe having Flashblock and NoScript on the same browser is unnecessary. NoScript blocks Flash objects for sites on which you have not allowed scripting. Unless this has changed with FF4, but I know the Noscript and Flashblock authors sometime read this blog, so perhaps one of them can straighten me out.
I was waiting for someone to mention ABP as the perfect complement to NoScript.
I don’t think it can be said enough, but thanks for the heads up anyway. I do use JavaScript but I remain very aware of how folks can exploit it.
While some block it entirely, I simply won’t be scared away because of what MIGHT happen. Still, that being said, be aware of it, which is the gist I get from this post.
I love NoScript. In addition to thwarting all kinds of nasties from ads to malware, it raises awareness about how lazy site administrators use external script sources and thus provide nice data mining opportunities (read: Analytics, scriptaculous etc.).
In Firefox, you’ll be almost always protected if you are using an updated or patched JS. Updating is easy and it’s typically automatic.
My second line of defense is also NoScript. I’ve been using this program for several months now and it works wonders. I also use it to open webpages and websites (with tons of unnecessary flash-based and JS-based ads) to load faster. It’s great if you only want the site’s text to appear – awesome for news, blogs, ezine articles, forums, etc…
I don’t think Firefox auto-updates Java without the user’s consent. I stopped using it in favor of Chrome a while back though so it’s possible it’s a new feature or option that I missed.
One thing I like about Chrome is that it will block any plugins from running if they are out of date. With Chrome you’re prompted to update the plugin every time you try to run it. It’s a great way to nag people into updating. You are still given the option to manually allow it to run on a case by case basis as you browse.
Just FYI, Mac users can have built-in per-site Java Script preferences with the free OmniWeb.
No association, et al
“Linux kernel runs inside web browser
It runs in both Firefox 4 and Chrome 11.