Is pluggins like No-Script really needed?

While I can clearly understand the need for something like Adblock Plus, seeing as it totally prevents malicious ad's from coming up. I cant help but wonder if I actually need No-Script. Sure it does prevent scripts, which can be used to install malware on my system, but at the same time it also prevents good scripts that can improve my browsing experiance.

Also unlike Ad-Block, no-script totally lacks predefined self-updating whitelists, meaning its very time consuming to set up to work properly and there is really no way of telling which sites are safe and which ones are not. Meaning if you WANT to see the content, you have to blindly enable scripts on that page... its like literally playing Russian roulette with your system. Furthermore, there is a rumor floating around that no-scripts creator added in a script that modifys ad-block to allow his ad's. Being as smart as they are, surely this would be the first thing hackers would take advantage of in order to get malware on your system.

Finally, if you have a fairly decent antivirus like MSE, is script blocking really that important? Isnt mozilla and most other major web browser developers fairly up to date about patching script exploits? After all, Google Chrome didn't have pluggins like Adblock and no-script for quite a while, and yet I didn't hear about browsing based viral infections being a problem.

That being said... I have been re-evaluating my security set up, and I am wondering if no-script is worth the added resource usage. At this point it just seems to be a digital placebo. If anything no-script is actually a hole in my browser based security, if the rumor is true that is...

I have also been curious about trying out google chrome, it seems to have gotten alot better than it was at release, but as I said, it appears to totally lack things like ad-block and no-script. Would I be at a greater risk using chrome than I am now with firefox + addons? Because in the end, isn't it the antivirus that determines how "safe" your system is? Surely as long as I have MSE running, and do daily scans my system should be just as safe with chrome as it is with firefox now. Right?

In practice, at least in my case, there isn't much ongoing maintenance needed with NoScript. There is an initial period where you need to whitelist domains to get your commonly used websites to work properly. I haven't found it difficult in general to guess which domains need to be whitelisted. You may find that websites load faster when using NoScript, because unnecessary scripts are not being processed.

From the NoScript FAQ:

You may ask, what if site I really trust gets compromised? Will I get infected as well because I've got it in my whitelist, ending to sue as you said?
No, you won't, most probably. When a respectable site gets compromised, 99.9% of the times malicious scripts are still hosted on a different domain which is likely not in your whitelist, and gets just included by the pages you trust. Since NoScript blocks 3rd party scripts which have not been explicitly whitelisted themselves, you're still safe, with the additional benefit of an early warning :)

Anti-malware software is a layer that can filter out some malware, but it's not 100% effective.

Google Chrome has a sandbox built in.

reluttr said:

While I can clearly understand the need for something like Adblock Plus, seeing as it totally prevents malicious ad's from coming up. I cant help but wonder if I actually need No-Script. Sure it does prevent scripts, which can be used to install malware on my system, but at the same time it also prevents good scripts that can improve my browsing experiance.

Also unlike Ad-Block, no-script totally lacks predefined self-updating whitelists, meaning its very time consuming to set up to work properly and there is really no way of telling which sites are safe and which ones are not. Meaning if you WANT to see the content, you have to blindly enable scripts on that page... its like literally playing Russian roulette with your system. Furthermore, there is a rumor floating around that no-scripts creator added in a script that modifys ad-block to allow his ad's. Being as smart as they are, surely this would be the first thing hackers would take advantage of in order to get malware on your system.

Finally, if you have a fairly decent antivirus like MSE, is script blocking really that important? Isnt mozilla and most other major web browser developers fairly up to date about patching script exploits? After all, Google Chrome didn't have pluggins like Adblock and no-script for quite a while, and yet I didn't hear about browsing based viral infections being a problem.

That being said... I have been re-evaluating my security set up, and I am wondering if no-script is worth the added resource usage. At this point it just seems to be a digital placebo. If anything no-script is actually a hole in my browser based security, if the rumor is true that is...

I have also been curious about trying out google chrome, it seems to have gotten alot better than it was at release, but as I said, it appears to totally lack things like ad-block and no-script. Would I be at a greater risk using chrome than I am now with firefox + addons? Because in the end, isn't it the antivirus that determines how "safe" your system is? Surely as long as I have MSE running, and do daily scans my system should be just as safe with chrome as it is with firefox now. Right?

Reluttr Hi and welcome

Is No-Script necessary? Yes

Adblock blocks some scripting (ADS) No-script blocks all of them. Yes it is a PITA., Yes it takes time to get the whitelist set up, but like a clean install it is worth the effort.
Your statement "if you want to see the content you have to blindly..... If you didnt have no script it would already be infected.

No-script isnt perfect, far from it. It is just one more layer of protection, and frankly it has saved my system many times.

Is script blocking all that important ?????? thats almost the only way you get infected


I dont let rumors define my system security for if I did I might believe MS has a backdoor for their data collection.


Question. How is something that stops either ALL or most (if you believe the rumors) worse than nothing at all? Is a poor AV worse than none?

reluttr said:

While I can clearly understand the need for something like Adblock Plus, seeing as it totally prevents malicious ad's from coming up. I cant help but wonder if I actually need No-Script. Sure it does prevent scripts, which can be used to install malware on my system, but at the same time it also prevents good scripts that can improve my browsing experiance.

Also unlike Ad-Block, no-script totally lacks predefined self-updating whitelists, meaning its very time consuming to set up to work properly and there is really no way of telling which sites are safe and which ones are not. Meaning if you WANT to see the content, you have to blindly enable scripts on that page... its like literally playing Russian roulette with your system. Furthermore, there is a rumor floating around that no-scripts creator added in a script that modifys ad-block to allow his ad's. Being as smart as they are, surely this would be the first thing hackers would take advantage of in order to get malware on your system.

Finally, if you have a fairly decent antivirus like MSE, is script blocking really that important? Isnt mozilla and most other major web browser developers fairly up to date about patching script exploits? After all, Google Chrome didn't have pluggins like Adblock and no-script for quite a while, and yet I didn't hear about browsing based viral infections being a problem.

That being said... I have been re-evaluating my security set up, and I am wondering if no-script is worth the added resource usage. At this point it just seems to be a digital placebo. If anything no-script is actually a hole in my browser based security, if the rumor is true that is...

I have also been curious about trying out google chrome, it seems to have gotten alot better than it was at release, but as I said, it appears to totally lack things like ad-block and no-script. Would I be at a greater risk using chrome than I am now with firefox + addons? Because in the end, isn't it the antivirus that determines how "safe" your system is? Surely as long as I have MSE running, and do daily scans my system should be just as safe with chrome as it is with firefox now. Right?

I never used No-Script when I used Firefox and I have never gotten a virus/malware from web browsing. I gave it a try but found it to be too intrusive to browsing the web. I'd have to add practically every website to the white list because most websites use scripts for a more involved experience.

The people that use it are either so scared of the world that they won't even go outside and get some sunlight or are browsing the most dangerous parts of the internet (ie illegal) to warrant such an extreme. If they are that scared then they should honestly switch to Linux.

I find NoScript essential. It is the first extension I add when I put Firefox on a new system. It is mildly inconvenient when I go to new sites, but I usually hang around the same couple thousand sites. When I visit a new site that needs to run scripts from a dozen other domains before it gives me the first hint of what they have worth viewing, I question whether I want to have them count my eyeballs, and they are not revisited. I dont use AdBlock because advertising pays for my web surfing experience, I just leave the scripts turned on for the major advertising companies unless thay get distracting. The irritating ads seem seems avoided by preventing their scripts from running.

I thought it was a little extreme when the NoScript author turned off the AdBlock, but he turned that feature off pretty quickly, and I dont use that extension anyway.

malexous said:

Downloading illegal content can be a sure fire way of obtaining malware but is simply visiting the websites any more dangerous than others?
Malware delivered by Yahoo, Fox, Google ads | InSecurity Complex - CNET News
Trojan attacks now almost solely from legitimate websites - The H Security: News and Features
Incidents - News - page 1 - Softpedia

Oddly enough I have been visiting only legitimate websites and never used No-Script and I don't have any malware.

Not sure if I trust an AV company who would most likely try to spread FUD in order to sell product.