"The NoScript Misnomer"

[InactiveUser 185]

I consider The NoScript Misnomer to be a very important article.

By "exploiting" an entry on NoScript's whitelist, the author shines light on several pitfalls that not every NoScript user might be fully aware of:

• NoScript comes with a default, enabled whitelist.
• whitelists are inherently flawed, even more so if you don't even maintain them yourself
• if you use a security tool without fully understanding its operation and configuration, you lull yourself into a false sense of security
• blocking all malicious scripts is unrealistic - you will need to think about defense in depth and sandboxing

I personally use NoScript in combination with uBlock Origin in its advanced dynamic filtering mode. I also sandbox applications like Firefox, Thunderbird, Pidgin using Firejail, a small application that provides a convenient interface to built-in Linux kernel features (seccomp, namespaces, caps).

 

Ideally, I would be using Qubes OS for better isolation, but it's not like hypervisors are somehow magically flawless, either.

[OpenSourcerer 1359]

Thank you for the link to the blog. Wasn't aware of the whitelist containing sites that doesn't exist. When I install NoScript, I always delete all (deletable) entries.

[zhang888 1065]

Totally true. This whitelist wasn't there a few years ago when NoScript was small, efficient and not commercial

But as it became popular, with some distros pushing it by default, they started to find ways to make profits.

This is almost the same way Adblock did.

 

That whitelist can be divided in 3 groups:

1) Companies that paid (those CDNs)

2) Users that were too much complaining about sites that were broken (yahoo and friends)

3) Author's personal preferece (like maone.net and others)

[rickjames 106]

The noScript defaults are pretty weak. Its kind of sad people just install it and assume everything's kosher.

 

The JS Switch addon is also really nice. It just adds a little button in the browser that disables js completely.

 

The settings I use:

My whitelist only has a few sites I actually work with. Everything else was deleted.

[OpenSourcerer 1359]

But the JS Switch does not protect against Clickjacking and XSS.

 

(Sent via Tapatalk - this generally means I'm not sitting in front of my PC)

[rickjames 106]

But the JS Switch does not protect against Clickjacking and XSS.

 

 

If the jacking attempt was done via js and js was disabled via JS Switch then one could say it does.

 

Everyone's surfing habits are different, and mine rarely require js. But when its needed I just press js switch then allow whats needed in noScript.

[zhang888 1065]

As a JS security researcher I also have a small disagreement with @giganerd.

With 3d party block of JS, whether using NoScript (meh) or uBlock Origin (good), you have a total control of your

JS Same-Domain-Origin-Policy, or shortly SOP.

Today with modern HTML5 and JS, Browsers slowly gave up those agreed policies with all the fancy compatibility things.

When you are aware of the domain you are currently focused on, in other words, the active tab, and you use uBlock with 3d

party JS disabled, you have zero risk of clickjacking (UI redressing attack) and XSS.

Both above attacks require you to run 3d party scripts that will either send the contents of your current domain cookies or DOM

data to 3d parties. While blocking 3d party domains JS, you break those exploitation attemts.

The only successful way to exploit it in this case, would be planting JS code in the content of the same domain. But in this case,

it gives the attacker much more privileges, rendering client-side attacks less effective.

[rickjames 106]

@sheivoko

Thanks for the uBlock tip. Its impressive as hell. TYVM.

[NbK 4]

ya uBlock is amazing.   ty for posting this thread, had no idea of its existence