Are plugins like No-Script really needed?

reluttr

New member
While I can clearly understand the need for something like Adblock Plus, seeing as it totally prevents malicious ads from coming up, I can't help but wonder if I actually need No-Script. Sure it does prevent scripts, which can be used to install malware on my system, but at the same time it also prevents good scripts that can improve my browsing experience.

Also unlike Ad-Block, No-Script totally lacks predefined self-updating whitelists, meaning it's very time consuming to set up to work properly and there is really no way of telling which sites are safe and which ones are not. Meaning if you WANT to see the content, you have to blindly enable scripts on that page... it's like literally playing Russian roulette with your system. Furthermore, there is a rumor floating around that No-Script's creator added in a script that modifies Ad-Block to allow his ads. Being as smart as they are, surely this would be the first thing hackers would take advantage of in order to get malware on your system.

Finally, if you have a fairly decent antivirus like MSE, is script blocking really that important? Aren't Mozilla and most other major web browser developers fairly up to date about patching script exploits? After all, Google Chrome didn't have plugins like Adblock and No-Script for quite a while, and yet I didn't hear about browsing based viral infections being a problem.

That being said... I have been re-evaluating my security setup, and I am wondering if No-Script is worth the added resource usage. At this point it just seems to be a digital placebo. If anything No-Script is actually a hole in my browser based security, if the rumor is true that is...

I have also been curious about trying out Google Chrome, it seems to have gotten a lot better than it was at release, but as I said, it appears to totally lack things like Ad-Block and No-Script. Would I be at a greater risk using Chrome than I am now with Firefox + add-ons? Because in the end, isn't it the antivirus that determines how "safe" your system is? Surely as long as I have MSE running, and do daily scans, my system should be just as safe with Chrome as it is with Firefox now. Right?
 

Some scripts are really useful so I don't use the NoScript add-on. However, ads are totally useless, hence I use Adblock Plus.
 

hi...
1) An add-on simply adds convenience to security in a supported browser. So it's more of a layer in your security setup.
2) Scripting attacks/drive-bys/redirects are easily avoided by add-ons like NoScript or disabling JavaScript in a browser like Opera. This is especially good for PCs running an AV which lacks a web scanner.
3) If you run with UAC maxed, web scanner enabled AV, Sandboxie, then you can give up the trouble of clicking allow/block/block temporarily etc. and enjoy the WILD world of the web without speedbreakers like NoScript.
 

In practice, at least in my case, there isn't much ongoing maintenance needed with NoScript. There is an initial period where you need to whitelist domains to get your commonly used websites to work properly. I haven't found it difficult in general to guess which domains need to be whitelisted. You may find that websites load faster when using NoScript, because unnecessary scripts are not being processed.

From the NoScript FAQ:
You may ask, what if site I really trust gets compromised? Will I get infected as well because I've got it in my whitelist, ending to sue as you said?
No, you won't, most probably. When a respectable site gets compromised, 99.9% of the times malicious scripts are still hosted on a different domain which is likely not in your whitelist, and gets just included by the pages you trust. Since NoScript blocks 3rd party scripts which have not been explicitly whitelisted themselves, you're still safe, with the additional benefit of an early warning :)
Anti-malware software is a layer that can filter out some malware, but it's not 100% effective.

Google Chrome has a sandbox built in.
 

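The whitelist behaviour described in the FAQ excerpt above, as an added example that is not part of the original thread and not NoScript's own code: each script is judged by the host it is loaded from, so a script injected into a trusted page from an unlisted host is blocked, while inline or same-host code on that page still runs. All hostnames, the sample page and the matching rule (an entry matches itself and its subdomains) are assumptions made for illustration.

```javascript
// Added example: simplified model of host-based script allowlisting.
// Hostnames and the page below are constructed; the matching rule is an
// assumption, not NoScript's actual implementation.

function hostAllowed(host, allowlist) {
  const h = host.toLowerCase();
  // Require a dot boundary so "evilnews.example" does not match "news.example".
  return allowlist.some((entry) => h === entry || h.endsWith("." + entry));
}

// scripts: array of { src: string | null }; src === null means an inline script.
function evaluatePage(pageUrl, scripts, allowlist) {
  const pageHost = new URL(pageUrl).hostname;
  return scripts.map((s) => {
    if (s.src === null) {
      // Inline code is judged by the page's own host: if the trusted site
      // itself serves the malicious code, the allowlist does not stop it.
      return { host: pageHost, inline: true, allowed: hostAllowed(pageHost, allowlist) };
    }
    // Relative URLs resolve against the page, so they inherit its host.
    const host = new URL(s.src, pageUrl).hostname;
    return { host, inline: false, allowed: hostAllowed(host, allowlist) };
  });
}

// The "early warning" case: blocked script hosts on a page the user trusts.
function earlyWarnings(pageUrl, scripts, allowlist) {
  const pageHost = new URL(pageUrl).hostname;
  if (!hostAllowed(pageHost, allowlist)) return [];
  return evaluatePage(pageUrl, scripts, allowlist)
    .filter((d) => !d.allowed)
    .map((d) => d.host);
}

// Constructed scenario: an allowlisted news site whose page has had one
// extra script tag added that points at a host the user never allowed.
const ALLOWLIST = ["news.example", "cdn-partner.example"];
const PAGE_URL = "https://news.example/article/42";
const PAGE_SCRIPTS = [
  { src: "/js/site.js" },                               // same host
  { src: "https://static.cdn-partner.example/lib.js" }, // allowlisted third party
  { src: "https://injected-host.example/x.js" },        // not allowlisted
  { src: null },                                        // inline script
];

for (const d of evaluatePage(PAGE_URL, PAGE_SCRIPTS, ALLOWLIST)) {
  const label = d.inline ? "(inline on " + d.host + ")" : d.host;
  console.log((d.allowed ? "RUN   " : "BLOCK ") + label);
}
console.log("early warning:", earlyWarnings(PAGE_URL, PAGE_SCRIPTS, ALLOWLIST));
```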

Reluttr Hi and welcome

Is No-Script necessary? Yes

Adblock blocks some scripting (ads). No-Script blocks all of them. Yes, it is a PITA. Yes, it takes time to get the whitelist set up, but like a clean install it is worth the effort.
Your statement "if you want to see the content you have to blindly....." If you didn't have No-Script it would already be infected.

No-Script isn't perfect, far from it. It is just one more layer of protection, and frankly it has saved my system many times.

Is script blocking all that important?????? That's almost the only way you get infected.


I don't let rumors define my system security, for if I did I might believe MS has a backdoor for their data collection.


Question. How is something that stops either ALL or most (if you believe the rumors) worse than nothing at all? Is a poor AV worse than none?
 

When I used NoScript, I didn't find it cumbersome after the initial first week.

It provides a very good layer to your security approach (there are many other layers you can use as well or instead). MSE is very good but like all anti-virus, it doesn't catch everything.

When I used NoScript, I didn't use any adblocking software (which we are not supposed to type about as per the forum rules). NoScript prevented the ads I found intrusive such as pop-ups, flash ads, etc.

During my years of NoScript, it alerted me twice. The first was to a clickjacking attempt and the second was a cross-site scripting attack.

Google Chrome does have adblocking add-ons but they aren't as good because Google Chrome doesn't support them very well (Google's business is based around ads after all). It also protects against clickjacking and cross-site scripting out-of-the-box.

If anything no-script is actually a hole in my browser based security, if the rumor is true that is...
Add-ons in general are (I don't suggest staying away from them entirely: just be careful as always). Add-on security vulnerability announcement « Mozilla Add-ons Blog

I'm thinking about using NoScript again, mainly because "websites load faster".
 

I never used No-Script when I used Firefox and I have never gotten a virus/malware from web browsing. I gave it a try but found it to be too intrusive to browsing the web. I'd have to add practically every website to the white list because most websites use scripts for a more involved experience.

The people that use it are either so scared of the world that they won't even go outside and get some sunlight or are browsing the most dangerous parts of the internet (ie illegal) to warrant such an extreme. If they are that scared then they should honestly switch to Linux.
 

I find NoScript essential. It is the first extension I add when I put Firefox on a new system. It is mildly inconvenient when I go to new sites, but I usually hang around the same couple thousand sites. When I visit a new site that needs to run scripts from a dozen other domains before it gives me the first hint of what they have worth viewing, I question whether I want to have them count my eyeballs, and they are not revisited. I don't use AdBlock because advertising pays for my web surfing experience, I just leave the scripts turned on for the major advertising companies unless they get distracting. The irritating ads seem to be avoided by preventing their scripts from running.

I thought it was a little extreme when the NoScript author turned off the AdBlock, but he turned that feature off pretty quickly, and I don't use that extension anyway.
 


Oddly enough I have been visiting only legitimate websites and never used No-Script and I don't have any malware.

Not sure if I trust an AV company who would most likely try to spread FUD in order to sell product.
 


I never used No-Script when I used Firefox and I have never gotten a virus/malware from web browsing. I gave it a try but found it to be too intrusive to browsing the web. I'd have to add practically every website to the white list because most websites use scripts for a more involved experience.

The people that use it are either so scared of the world that they won't even go outside and get some sunlight or are browsing the most dangerous parts of the internet (ie illegal) to warrant such an extreme. If they are that scared then they should honestly switch to Linux.
You're just a bundle of sunshine in every thread, aren't you? :huh:
 

Oddly enough I have been visiting only legitimate websites and never used No-Script and I don't have any malware.

Not sure if I trust an AV company who would most likely try to spread FUD in order to sell product.
I visit all websites and I don't have any malware.

A lot of the affected domains were legitimate: Over 62,000 New URLs Serving Exploit Cocktail - Vulnerable visitors get infected with backdoors and info stealing trojans - Softpedia

You can find many supposedly legitimate websites listed on host files.
 

You're just a bundle of sunshine in every thread, aren't you? :huh:

It depends on the subject. Sorry, maybe I was harsh on the terminology there. No offense intended. ;)

I visit all websites and I don't have any malware.

A lot of the affected domains were legitimate: Over 62,000 New URLs Serving Exploit Cocktail - Vulnerable visitors get infected with backdoors and info stealing trojans - Softpedia

You can find many supposedly legitimate websites listed on host files.

If I search Google for that string I get a whopping 1,400 (not 62,000) results, most just asking questions.

I wonder what websites were actually affected?
 

If I search for that string without quotes I receive 32,600 results. With quotes 158,000.

The article is nearly a year old.

I found one website still containing the code (I only checked a few). The domain hosting the script is thankfully down.

Edit: According to http://siteanalytics.compete.com one of the legitimate affected websites had 150,000 unique visits during August 2009.
 

Without quotes in Google I get 1,440 hits. With quotes I get 10,200 hits. MOST of these are all people asking about it, not actual websites with the embedded script.


When digging I could only find portal/forum based websites as these are most susceptible, the DotNetNuke portal for example: Script Injection on DNN 4.9.4 - Administration and Configuration - DotNetNuke

Of course people running portals and forums should be protecting themselves against SQL injections anyway but it doesn't seem like any real (or major) websites were affected.
 

I was searching at Google.ie | I get the same results as you at Google.com

The most major affected website was probably feedzilla.com (it's clean now).

Many major websites have been or are vulnerable to different attacks.

Google, Symantec, Ebay, Intel, MPAA, Kaspersky, Avast, ESET, RIAA, U.S. Bank, Bank of America, McAfee, AVG, F-Secure, Avira, Paypal, etc.

Thanks to Team Elite.

Other major websites have been exploited maliciously and non-maliciously. Incidents - News - page 1 - Softpedia

Edit: I remember reading about a news site being attacked. This is probably it: Mass Web attack hits Wall Street Journal, Jerusalem Post
 

Curious...I'm no hacker but I do have experience on websites, primarily using PHP based portals with SQL backends.

How is a SQL injection (adds information into database) going to modify HTML code of a website? HTML (or even PHP) is generally stagnant and permissions are set so that you'd need something like FTP permission to modify them. I have experience with an SQL injection a couple times on a website I ran. It forced me to use NukeSentinel on top of my web portal. After I installed that the SQL attacks stopped (NS can ban IP addresses attempting scripts against your website) so then my website was DDOSed.

Anyway, I'm confused at the articles pointing to SQL injections modifying HTML code.

I guess the debate would be whether you trust the admin of the website you are visiting? Did they go the extra mile to protect their databases?
 

I think it's your choice to have it or not.

But, every little bit of protection helps. If it stops even one bug from getting on your system, then it's been worth it.
 
