
NoScript is harmful and promotes malware - angry-hacker
https://liltinkerer.surge.sh/noscript.html
======
AdmiralAsshat
Alternative: uMatrix

[https://github.com/gorhill/uMatrix](https://github.com/gorhill/uMatrix)

Made by the same developer as uBlock Origin, it allows blocking of JavaScript and
other aspects of the site.

I switched a while back and found it somewhat more usable than NoScript,
insofar as it usually allows JavaScript on the _local_ site by default, while
automatically blocking JS on third-party domains. There are some growing pains
associated with it, as there are with NS. Some of the drawbacks I've noticed:

- It will take about three or four refreshes before you can whitelist
everything necessary to get Youtube working. First youtube, then s.ytimg.com,
then googlevideo.com, THEN you might finally get a video.

- Any page with a Google Captcha on it will take several refreshes to
completely let them through. This is particularly irritating if there's a
captcha on a form.

- Anything which needs to reach out to jquery, ajax, etc. will fail. But you
should be able to whitelist those once then add them to your permanent
whitelist.

- I have yet to find a good tutorial for uMatrix on how to make some
predefined rules for common sites. That would greatly reduce the learning curve.

~~~
pmoriarty
You say uMatrix is _" somewhat more usable than NoScript, insofar as it
usually allows Javascript on the local site by default, while automatically
blocking JS on third-party domains"_

But that's exactly the default I do _not_ want. One of the main reasons I use
NoScript in the first place is to protect against Javascript vulnerabilities.
If the default is to enable Javascript, that defeats that protection.

~~~
copperx
How much of the 2016 Web is usable without JS?

~~~
hackuser
It depends what you do on the web. To use web applications, obviously you need
JavaScript. To read text, you generally don't. Also, even when you do need
JavaScript, you generally need it from the original host and maybe one other
(e.g., googleapis.com); you don't need it from the analytics and advertising
hosts, for example.

Buying things with security add-ons installed sometimes can be tricky: When
you click 'buy', the host site sometimes contacts destinations that were
previously unknown to your browser (payment processors, etc.), meaning you
wouldn't know to enable them. You may hesitate to reconfigure NoScript/uMatrix
and reload because you don't know if you are making multiple payments or
placing multiple orders.

On the positive side, uMatrix and NoScript can remember what you enabled to
get that page working, so you configure them the first time you visit the site
and then forget it. NoScript's configurations are less granular, however,
which may discourage permanently allowing some things:

[https://news.ycombinator.com/item?id=12624628](https://news.ycombinator.com/item?id=12624628)

(But NoScript has many more security features:

[https://news.ycombinator.com/item?id=12624596](https://news.ycombinator.com/item?id=12624596)
)

~~~
pmlnr
> To read text, you generally don't.

This is becoming less and less true unfortunately, thanks to stupidly designed
(e.g. not progressively designed) JS frameworks.

------
Vindicis
Here's the site that ad on noscript.net takes you to:
uniblue.com/cm/deletedcmunits/speedupmypc/spdeletedcmunits/download/?aff=3257&x-at=noscriptt1
After 4-5 clicks, the exe finally downloaded. Seems like a lot of work to
download malware, doesn't it?

So I downloaded the exe and uploaded it to Kaspersky's online scanner
[https://scan.kaspersky.com/Home/Result](https://scan.kaspersky.com/Home/Result)
and it says the file is safe.

It almost seems like he has an axe to grind or something. Maybe I'm just
reading too much into such a terrible article, and it's just that though.

~~~
consto
Upload to virus total, passing one scanner isn't enough.

~~~
Vindicis
I did that, and it seems that although it fails some virus scanners, it would
be what I like to call a false positive.

Just to link a description of what one of them found:
[https://www.symantec.com/security_response/writeup.jsp?docid...](https://www.symantec.com/security_response/writeup.jsp?docid=2014-071815-0057-99&tabid=2)

Basically it could be an unwanted application that "The application reports an
exaggerated number of problems."

Shitty software? Sure. Malware? Not to me. YMMV.

Here's a screen shot of the ones it failed from that total scanner:
[https://i.imgur.com/vwy9sXY.jpg](https://i.imgur.com/vwy9sXY.jpg)

------
user5994461
Summary of the article:

The noscript website is showing ads which are installing malware. (typical
clean your computer [with a trojan] bullshit)

Bonus: The extension goes the extra mile to disable specific adblock filters
during its installation + the website is displayed automatically on every
extension update.

~~~
nine_k
What to use instead? Having scripts disabled by default saves battery life
significantly.

~~~
PeCaN
uMatrix! It's a brilliant addon that lets you control what gets run at a
pretty fine-grained level (per domain, per subdomain, whitelists can be local
to a site, etc) without being at all clunky (easier to use than NoScript in
spite of being more flexible).

------
tunap
Damn! I took the click-bait. For more on the so-called harm, here's a good
summary of giorgio & wlad's pissing contest:

[http://www.dedoimedo.com/computers/adblock-noscript.html](http://www.dedoimedo.com/computers/adblock-noscript.html)

------
jasonkostempski
Maybe Mozilla could take a few days off from Flash and PDF and build in some
good white-listing features. It's the last feature browsers actually need.
After that it's nothing but speed and security.

~~~
TD-Linux
Like this, released last week?
[https://testpilot.firefox.com/experiments/tracking-protection](https://testpilot.firefox.com/experiments/tracking-protection)

~~~
digi_owl
That does not seem to offer the detailed control that noscript does.

~~~
TD-Linux
Nor would I expect it to - that's what extensions are for. This is a one-click
tool.

------
Stratoscope
Another sleazy thing...

The NoScript site calls the code "open source" and "Free Software" (complete
with a link to the FSF), but nowhere on the site can I find the source code.

I searched GitHub and didn't find any source code from the NoScript author
there either.

As far as I can tell, the only way to get the source code is to actually
_install_ the extension and then extract the code from there.

It appears that GitHub user 'avian2' did exactly that:

[https://github.com/avian2/noscript](https://github.com/avian2/noscript)

Thanks avian2! And no thanks to the NoScript author.

~~~
quesera
An XPI is just a zip file. You can download it without installing it.

Not as convenient as a github repo, but equally open source.

~~~
digi_owl
Yeah we should not forget that Firefox extensions became popular because most
of the UI was made out of XML and JS.

------
zerognowl
I prefer to turn JavaScript off in the browser itself. NoScript just increases
the attack surface and also increases browser fingerprintability. There has to
be a small subset of users who disable embeddings in the NoScript config, or
turning off IFRAMEs, and even a smaller subset of people creating custom
whitelists, which can all be checked for.

~~~
necessity
But disabling it on the browser doesn't allow you to whitelist certain
websites, which is the general use case for NoScript. I wish the web didn't
break without JS, but that's just not the reality we live in.

~~~
zerognowl
> I wish the web didn't break without JS, but that's just not the reality we
> live in.

Every time you temporarily enable JavaScript / whitelist a website you are
performing a micro violation of your own privacy. In some cases even
performing a large violation of your own privacy. Sure, there are some cases
where I absolutely must have JavaScript turned on, but those cases are so rare
that having JS permanently turned off is preferable in most cases.

~~~
ordinary
_you are performing a micro violation of your own privacy_

You cannot violate your own privacy. My privacy is mine to control. And give
up, if I so choose.

~~~
zerognowl
Inadvertently violating, or compromising your own privacy then?

------
digi_owl
From a blog with two entries, with an attached twitter that looks more like
bot spam than someone actually using it, and a github account that is all
about messing with adblockers(?). Why does this feel like a schoolyard pissing
match between "1337 haxors"?

------
VertexRed
1. You'd have to actually click and willingly install the software to be
infected.

2. Even though he's able to randomize the banner code the redirect to the
advertiser's site will most likely be caught by ad blockers.

---

Still it's a pretty hypocritical thing to do when you're the creator of a
plugin which aims to increase the user's security.

~~~
wbkang
"1. You'd have to actually click and willingly install the software to be
infected." This is how most Windows malware/unwanted software is installed
today, not via some rare zero-day Chrome exploits.

------
nickphx
PUP != malware. PUP = potentially unwanted software. It's no more aggressive
than the typical scareware tactics anti-virus companies use.

~~~
carterehsmith
So they mention, among others, "Trojan.Win32.Generic!BT"

So I Googled that, and no, not a pup, more like a trojan that hijacks your pc
and joins a botnet.

------
svenfaw
Relevant Tor ticket:
[https://trac.torproject.org/projects/tor/ticket/19280](https://trac.torproject.org/projects/tor/ticket/19280)

------
Svip
So what's the alternative to NoScript? And I don't mean an adblocker, I mean
an extension that allows one to disable/enable JavaScript execution by domain.

~~~
XzetaU8
"uMatrix" [https://addons.mozilla.org/nn-NO/firefox/addon/umatrix/](https://addons.mozilla.org/nn-NO/firefox/addon/umatrix/)

~~~
digi_owl
I get the impression that while noscript operates around a default-deny/whitelist
scheme, umatrix is more default-allow/blacklist.

~~~
bigcheesegs
It all depends on how you configure it. I use it in a 1st party allowed and all
others white-listed approach.

~~~
digi_owl
Yeah, but out of the proverbial box noscript is at first appearance more
secure.

~~~
gorhill
uMatrix is default-deny by default, except 1st-party scripts. It also comes
with an extensive list of hosts files enabled (representing tens of thousands
of hostnames and their subdomains) by default for which scripts won't be allowed
at all, even as 1st-party.

NoScript is default-deny by default, except for its preset list of whitelisted
hostnames for which scripts are allowed to execute.

In both cases, with a few clicks one can reconfigure to their liking, to
further restrict or relax existing rules.

Here is my thinking on this: between blocking everything and allowing
everything, there is a point I consider optimal, which is what I picked for
uMatrix. Not blocking enough out of the box will defeat the primary purpose of
the tool. Blocking too much out of the box will _discourage_ many users from
using the tool at all -- they will uninstall.

My goal is for as many people as possible to protect themselves, and this won't be
accomplished if I set uMatrix's default to cause so much work out of the box
that they uninstall it out of tediousness.

Blocking everything 3rd-party by default except images/css is what I
personally identified as the optimal -- this would correspond to "medium mode"
on the graph at that page: [https://github.com/gorhill/uBlock/wiki/Blocking-mode](https://github.com/gorhill/uBlock/wiki/Blocking-mode)

Again regarding the tediousness factor, another important aspect of a tool
such as uMatrix is how easy it is to set rules to block/allow things,
including on a per-site basis: one can easily change default settings after
install, but how easy/difficult it is to set/remove rules is something which
can't be changed. To dismiss the ease to create rules and other core features
in uMatrix because one personally disagrees with its (easily changed) default
settings out of the box does not make much sense to me.

If the end result is that the aggregate number of stuff blocked by all users
of uMatrix with default settings is higher than the aggregate number of stuff
blocked by all users of uMatrix with hardcore settings, then I reached my
goal.

In any case, as said, the defaults can be changed easily with a few clicks;
there are no "hidden" settings, and what is blocked or not is up front and visible
right after install by just looking at the popup panel matrix.

One thing I would like people to keep in mind: uMatrix is not NoScript or
RequestPolicy, it is its own thing.

------
ryanmccullagh
For what my comment is worth, I ended up removing NoScript and doing a clean
install of Debian after noticing that the NoScript extension would seem to
auto-update often, and then would launch an instance of the noscript.net
website each time I opened firefox. It did sketch me out, and I can't
recommend installing this.

~~~
driverdan
Why would you reinstall your OS for an extension that updates frequently?

~~~
wtallis
More importantly, why would you be distressed by _security software_ updating
frequently?

~~~
ryanmccullagh
I was exaggerating quite a bit, but I did end up installing another OS, but
not really because of NoScript.

------
oridecon
I'll wait for the NoScript origin fork.

uMatrix is too weird for me (I love uBlock though).

~~~
gorhill
What is "weird" about uMatrix, specifically?

The logic of the matrix is completely straightforward: once you get the basic
rule that narrower rules override broader ones, all interactions with the
matrix will become obvious, and it is easy to understand in advance what will happen
when adding/removing a specific rule -- and in any case, the visual feedback
when adding/removing a rule through the popup panel matrix should be obvious
enough to understand what will end up blocked/allowed.
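
gorhill's two comments above describe uMatrix's defaults (default-deny except 1st-party, plus a hosts list whose hostnames are blocked even as 1st-party) and its one rule to learn: narrower rules override broader ones. The JavaScript below is an added example, not uMatrix's own code and not from the thread; it models that precedence with a simplified rule format in which source scope is compared first, then destination, then request type. The hostnames, the sample hosts list, the rule shape and the scoring are assumptions for illustration.

```javascript
// Added example: simplified model of matrix-style rule precedence.
// Not uMatrix's code; rule format, scoring and hostnames are assumptions.
//
// A rule is [source, destination, type, action]:
//   '*' matches any hostname or type; a hostname pattern matches itself and
//   its subdomains; the special destination '1st-party' matches destinations
//   sharing the source's base domain (approximated as the last two labels).
// Narrower rules override broader ones; specificity is compared in order:
// source scope, then destination, then request type.

const DEFAULT_RULES = [
  ['*', '*', '*', 'block'],          // default-deny everything...
  ['*', '*', 'image', 'allow'],      // ...except images and CSS...
  ['*', '*', 'css', 'allow'],
  ['*', '1st-party', '*', 'allow'],  // ...and 1st-party content
];

// Constructed stand-in for a hosts list: each entry becomes a global block
// rule for that hostname and its subdomains, for every request type.
const SAMPLE_HOSTS_LIST = ['tracker.example'];

function labels(host) {
  return host.split('.');
}

function baseDomain(host) {
  return labels(host).slice(-2).join('.');
}

function hostMatches(pattern, host) {
  return pattern === host || host.endsWith('.' + pattern);
}

function buildRules(hostsList, siteRules = []) {
  const hostsRules = hostsList.map((h) => ['*', h, '*', 'block']);
  return [...DEFAULT_RULES, ...hostsRules, ...siteRules];
}

// True if score triple a is lexicographically greater than b.
function moreSpecific(a, b) {
  for (let i = 0; i < a.length; i += 1) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return false;
}

// Decide whether a request of `type` from page `src` to host `dst` is
// allowed or blocked under `rules`: the most specific matching rule wins.
function decide(rules, src, dst, type) {
  let best = null;
  for (const [rSrc, rDst, rType, action] of rules) {
    // Source scope: '*' scores 0, a matching hostname scores its label count.
    let srcScore;
    if (rSrc === '*') srcScore = 0;
    else if (hostMatches(rSrc, src)) srcScore = labels(rSrc).length;
    else continue;

    // Destination: '*' scores 0, '1st-party' 1, a hostname 1 + label count,
    // so an explicit hostname (e.g. a hosts-list entry) beats 1st-party.
    let dstScore;
    if (rDst === '*') dstScore = 0;
    else if (rDst === '1st-party') {
      if (baseDomain(src) !== baseDomain(dst)) continue;
      dstScore = 1;
    } else if (hostMatches(rDst, dst)) dstScore = 1 + labels(rDst).length;
    else continue;

    // Type: '*' scores 0, an exact type scores 1.
    let typeScore;
    if (rType === '*') typeScore = 0;
    else if (rType === type) typeScore = 1;
    else continue;

    const score = [srcScore, dstScore, typeScore];
    if (best === null || moreSpecific(score, best.score)) best = { score, action };
  }
  return best ? best.action : 'block'; // catch-all rule normally guarantees a match
}

// Walkthrough over constructed hostnames.
function demo() {
  const base = buildRules(SAMPLE_HOSTS_LIST);
  const withSiteRule = buildRules(SAMPLE_HOSTS_LIST, [
    // Per-site rule: this CDN's scripts allowed only while on news.example.com.
    ['news.example.com', 'cdn.thirdparty.net', 'script', 'allow'],
  ]);
  return {
    firstPartyScript: decide(base, 'news.example.com', 'news.example.com', 'script'),
    thirdPartyScript: decide(base, 'news.example.com', 'cdn.thirdparty.net', 'script'),
    thirdPartyImage: decide(base, 'news.example.com', 'cdn.thirdparty.net', 'image'),
    listedHostAsFirstParty: decide(base, 'tracker.example', 'tracker.example', 'script'),
    siteRuleOnThatSite: decide(withSiteRule, 'news.example.com', 'cdn.thirdparty.net', 'script'),
    siteRuleElsewhere: decide(withSiteRule, 'blog.example.org', 'cdn.thirdparty.net', 'script'),
  };
}

console.log(demo());
```

The ordering of the comparison is the point: a rule scoped to one site beats any global rule for the same request, and a concrete hostname beats the generic 1st-party allow, which is why a hosts-list entry stays blocked even when it is the site being visited.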

------
SamuelAdams
> Especially to Windows users. Every time NoScript updates itself, the users are
> shown the homepage of the extension.

Options > Notifications > Uncheck "Display the release notes on updates".

I get that this sucks but there is an easy way to mitigate this problem
without changing to another extension.

------
leeoniya
switched to uMatrix + uBlock Origin and never looked back.

------
revanx_
For how long has that malware link been on the update page?

The article mentions the author has a history of doing shady things, can
someone provide more background into this?

~~~
angry-hacker
Disabling adblock filters to whitelist himself. Easy to find on Google.

------
necessity
As I mentioned on /r/netsec it's valid to point out the author does shady
shit, but the title is clickbaity at best - the NoScript website advertises
malware, there is no evidence that NoScript itself is harmful to the user. And
btw you shouldn't let your extensions auto-update on Firefox anyway, especially
if you use Tor, as it's vulnerable to MITM as someone posted here a few days
ago. I might switch to uMatrix, but I don't really have the time right now to
learn it.

~~~
shapov
> there is no evidence that NoScript itself is harmful

The article states that every time the plugin updates, it automatically opens
up a webpage that serves malware. So technically the article is not wrong.
NoScript forces your browser to open a malicious page, therefore it can be
considered itself harmful.

~~~
josefx
> serves malware

It opens a page with an advertisement link for "Speedup My PC", not even the
article claims that it serves malware, just that it "promotes" it. Going by
the description of the detected malware signatures Speedup My PC isn't even
harmful by itself, it just is snake oil with no real use beyond selling its
own license.

Unless you click the link, download the exe, install it, fall for the detected
issues notification and then proceed to buy a license nothing will happen.

~~~
Houshalter
Some users will fall for it though. The author wouldn't do it if they didn't
make money from it. I think it's wrong to support such shady stuff that will
harm some percent of its users.

~~~
Dylan16807
Even "harm" is a bit of an overstatement if josefx is right, because if anyone
pays money they do so on purpose, and they get value back in the form of the
extension.

------
gcb0
response: [https://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/](https://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/)

it wasn't circumventing the filters just to show ads. It was circumventing the
filters because the filters were blocking everything, including the install
extension button.

------
lbstr_ftw
The article never substantiates the claim that "NoScript is harmful". They
talk about NoScript's website serving questionable software, not NoScript
itself.

------
tarancato
An honest thought: the typical user of NoScript won't fall for those ads, I
think.

~~~
JabavuAdams
There's no reason to believe that. How many people install NoScript on
friends' and family's machines?

~~~
serf
Very few, I'm betting; it takes hours to build a usable white-list for
NoScript, and it breaks everything by default.

------
bbcbasic
Clickbaity title

------
Kenji
Phew, for a moment there I thought it was a drive-by installer. I am mortified
by these as it already happened to me while casually browsing the web. Nah,
it's just a plain old exe you download and execute if you're dumb.

~~~
daenney
That people are dumb, for whatever definition of dumb we feel like adhering to
today, does little against the fact that someone promoting their extension as
a security mechanism goes above and beyond to try and get you to install some
malware.

~~~
Kenji
The difference between drive-by viruses and downloadable exe viruses that have
to be manually executed is like the difference between someone who pretends to
be your relative to convince you to give him money and someone who robs you at
gunpoint. You're immune to one thing if you're not gullible and dumb, but
completely powerless against the other, all it takes is unfortunate
circumstances. Now, both are bad, of course, but one is vastly more concerning
and hard to protect oneself against.

------
ladzoppelin
I recently had to go back to NoScript after browsing with uBlock for a month.
I was on a random webpage and all of a sudden the browser would not close, and
some lady was telling me "to call this number my computer is infected". I
seriously doubt the author of NoScript was trying to infect people with
malware. He might have made sure you see ads by disabling filters but the
malware is a problem with ads in general. In other words, browsing without
NoScript is risky.

Edit: It was uBlock Origin. NoScript is the only thing that works but I have no
idea if the guy is shady or not. Keep in mind I install the DEV edition so
this has never happened to me.

~~~
kodr
UBlock or UBlock Origin? They aren't the same.

------
Fiahil
TLDR: NoScript's website displays shady ads.

Something that is only happening because we let ads networks and advertisers
push all the shit they want on our webpages. How long before we actually start
vetting (for nuisance and performance) what is put below users' eyes?

~~~
Klathmon
This ad in particular is hard coded by the author.

This isn't a case of someone using a shitty ad network, the author is
knowingly pushing malware to the users of their application.

~~~
pbhjpbhj
Hmm, not sure really where to go with this - I certainly don't want to support
malware, but what does the "speedupmypc.exe" actually do that's malicious?

I ran it through online tools:

* [https://www.virustotal.com/en/file/3d9e6b1e9f1296e0ce85061e0...](https://www.virustotal.com/en/file/3d9e6b1e9f1296e0ce85061e0a6a0b571a1361565fc2924a22940d27bd2a2ebb/analysis/1475446511/) (17/57)

* [https://www.metadefender.com/#!/results/file/5fd5ceb2e10942d...](https://www.metadefender.com/#!/results/file/5fd5ceb2e10942d4873220572503b173/regular/analysis) (5/42)

* [http://scanthis.net/scan/f74a94435ae047770b0fb26c4752d43b](http://scanthis.net/scan/f74a94435ae047770b0fb26c4752d43b) (result pending)

A lot of the big name antivirus companies don't report this as a malicious
file (according to these tools).

e.g. looking at the first scan results Ad-Aware, Avast, BitDefender, Symantec,
etc., etc., all find no problem with the file.

The obfuscation would be needed to load ads for the market that NoScript is
targeting. To get ad revenue they would need some system to load the ads [as
if] from the local server or they'll get blocked. Indeed isn't this what
people often ask for from adverts that they won't use external providers in
order to improve page-load times. If you look at the source for the page at
noscript.net you see that the section is tagged _as if_ it's included code
from an automated script. So yes, he's clearly gone to trouble to hide the ad,
but that's because it's an ad and not necessarily because it's malicious.

So, it hinges on whether the speedupmypc.exe is truly malicious IMO. Cnet &
Tucows endorse it, not sure that tells us much ... installing the app (on a
vbox) it looks like reasonably useful app after the type of PC-decrapifier or
CC or whatever. I got a freemium app which gave a scan (results looked kosher)
and offered a £20 unlock to fix the issues found.

Not the greatest software but not quite what I'd call malware. Perhaps
oversold-stuff-people-dont-really-need-ware??

Unless, like I said, there's a hidden payload?

~~~
Klathmon
Fair enough. It is classified as "potentially unwanted software" by many, so
calling it malware was probably wrong.

And that was the major issue I had with it (the fact that it was called
malware by the blog post).

If that's not the case, then it's not nearly as large a problem as it
looked.

Thanks for doing the research, you should repost this as a top level comment!

