Firefox + NoScript
alien51
Firefox is generally regarded as being safer than IE. Not so much in the vulnerability count but by the fact that they are corrected sooner. A common addition to using this alternative browser is NoScript. It blocks all sites from using JavaScript (and others) by default and only allows sites which are on a whitelist compiled by you.

None of this is news, it's been around for ages. But how good is this combination? Would you venture yourself in dark web territory with these two? For investigating sites which are probably malware infested do they offer enough protecting power?

I don't have the expertise to set up something like VMware but I wanted to have something which was at least sufficient to take a peek.
CelticFerret
...from the This Security is 'Gonna Kill Us All dept....
IMHO they're not good enough, but they are what I use. Another nifty add-on is Stop Autoplay.

Yes, web pages have the equivalent of the Windows "autoinfect" (autoplay), so in order to guard against this we must "break the web." Your anti-malware app may not (is likely not to) have the description or definition of what the crimeware gurus have embedded in that Yahoo! or Bank of America or whatever page.

The caveat seems to be unless scripts are running it doesn't block:
"Due to Bug 236839, you have to enable JavaScript to make Stop Autoplay to work."

So here is the drill: You go to a new website. NoScript blocks scripts. You select from the list in NoScript what sites you want to allow once, or always if you trust the site. Now Stop Autoplay will stop the media on the page from running until you allow it. Or something like that.

I guess five minutes to load a web page beats seven years to get your ID back, if ever.

Stop Autoplay links:
https://addons.mozilla.org/firefox/1765/
http://hemiolapei.free.fr/divers/sap/sap-en.html

NoScript:
http://noscript.net/
http://noscript.net/getit

"Important advisory: You're strongly encouraged to enable the Forbid Flash, Forbid Silverlight and Forbid other plugins settings of the NoScript Options|Plugins panel, in order to prevent attacks based on known and unknown yet plugin vulnerabilities like the QuickTime bug currently exploited in the wild. You will still able to enjoy multimedia content pieces on trusted sites or by enabling them individually, as explained here."

--CF
"My security only has to be good enough to make someone else's system look like a more economical target." (Salvatore Stolfo of Columbia University's Darwinian view of making malware unprofitable; economics key to slowing hackers down.)
Moore
Kim might test it for us in her VM and see how it goes.

I haven't tested it against any live malware sites, haven't done any testing for a while now, but I do like NoScript.

Something else though, if you do go visiting sites without a VM and you just have everything blocked and nothing loads, isn't that just the same as not visiting it at all?

You should never really test live sites on your good system no matter how much protection you have, it might only take one new undiscovered exploit to screw things up for you.

At least on a test system you can nuke it and move on when things get out of hand. Running a VM isn't really that hard and you can use the VM server for free or the free VM appliance thing.

The real fun is visiting a garbage infested site unprotected or with minimal protection for monitoring purposes and seeing it destroy your whole system in a few minutes then try and fix it, or at least go bug hunting and see what you got.

QUOTE
Would you venture yourself in dark web territory with these two? For investigating sites which are probably malware infested do they offer enough protecting power?


If I was using someone else's computer, sure, but on my own system I still wouldn't feel safe without at least something like processguard though.
alien51
Those are all very good points. Thanks.

I see this now as a matter of my own expertise; the more I get it the closer I can get to the source and the less I have it the more space I want to put in between.
Brandis
I've used the combination (+ AdBlock plus) for over a year now and I like it. The fun part is to be able to see "the good stuff" on the web without having to load all of the Flash and Shockwave media that clutters the screen...

Today I'm only able to use my own computer for surfing the web - I just can't stand all that crap blipping and blinking when I surf on my friends' computers.

One thing that scares me is where you end up finding Google and Instadia and all kinds of tracking scripts. Sure don't like that!!

//Brandis
ladfrombrad
As Brandis, I've used ABPlus, along with NoScript, PG2, McAfee SiteAdvisor and FFox for some time now and recommend these to anyone I'm helping out with their PC. Alright, content's reduced, but so are loading times on a lot of pages heavy with Flash etc., and it's easy enough to whitelist the scripts you want to let run.
It's been a long time since I've had any unintentional malware outbreaks on my PC.

I also use Sandboxie too, which means I can let anyone browse the web on my admin account without having to look over their shoulder every 2 mins or log 'em out to a LUA account.
Charles Knerr
NoScript is awesome.
But it does require constantly allowing pages.
It's worse than a firewall when you first install it.

I'd like to see a whitelist manager for it.
Even a few hundred sites like amazon, ebay, major banks, microsoft.com, bluetack.....
This would greatly reduce the time and frustration.

I've done a bunch of searches and read the NoScript FAQ, nothing so far.....
CelticFerret
This security is gonna kill us all...

I've noticed a tendency for users to just click "allow" xyz.com rather than "temporarily allow" xyz.com. And there's that "allow scripts globally" option. And a "temporarily allow all this page" for the really impatient.

Go to one of your users' computers and export their whitelist (NoScript Options -> Whitelist - export) and you may see what I mean.

Maybe funkytoad of ZonedOut fame would be up to such a coding task? (whitelist manager for NoScript)
I'll ask...

Update: He got back to me right away. (He uses Opera.)
Over at the mozillaZine forum it appears there is a "Site Manager" UI in the works (http://forums.mozillazine.org/viewtopic.php?p=3272305)
As some script management is built into Opera this wouldn't be such a big deal for Opera, but such a central management tool might make a great widget for Opera as well.
--CF
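
The whitelist review CelticFerret describes above can be scripted; this is an added example, not code from the thread or from NoScript. It assumes the export is a plain-text file with one entry per line, and that a bare two-label domain covers all its subdomains while a full address covers one scheme and host; the baseline and sample entries are constructed.

```python
# Added example: audit a NoScript whitelist export against an approved baseline.
# Assumption: the export is plain text with one whitelist entry per line.
from urllib.parse import urlsplit

# Constructed sample data, not taken from any real user's export.
BASELINE = {"amazon.com", "ebay.com", "microsoft.com"}
SAMPLE_EXPORT = """\
amazon.com
ebay.com
http://ads.example.net
cdn.example.org
tracker.example
about:blank
"""

def classify(entry):
    """Return (host, scope) for one whitelist entry (scope rules are assumed)."""
    if "://" in entry:
        parts = urlsplit(entry)
        return parts.hostname or entry, "full address (%s only)" % parts.scheme
    if ":" in entry:                       # about:, chrome: and similar
        return entry, "internal URL"
    # Simplification: two labels = base domain; ignores suffixes like co.uk.
    if len(entry.split(".")) <= 2:
        return entry, "base domain (all subdomains, any scheme)"
    return entry, "full host name (any scheme)"

def audit(export_text, baseline):
    """List entries a user allowed permanently beyond the approved baseline."""
    findings = []
    for line in export_text.splitlines():
        entry = line.strip().lower()
        if not entry or entry.startswith("#"):
            continue
        host, scope = classify(entry)
        if scope == "internal URL" or host in baseline or entry in baseline:
            continue
        findings.append((entry, scope))
    return findings

if __name__ == "__main__":
    for entry, scope in audit(SAMPLE_EXPORT, BASELINE):
        print(f"{entry:28} {scope}")
```

Base-domain entries deserve the first look, since under the assumed scope rules one click covers every subdomain of that site.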
Charles Knerr
Sweet, thanks from everyone.
desinet1
One of my friends used to say that you can get better security than "NoScript" by just switching off your MODEM. No connection, no threat.