
I do a lecture at local hackerspaces about basic security for the common person and anonymity is far down on the list.

Much higher on the list are basic protection from dangers on the internet, like browser-based exploits. So NoScript is one major selling point for Firefox, since most browser-based exploits use JavaScript. Even if you whitelist all the sites you visit, you're still more secure with NoScript than without, simply because it blacklists the unknown sites you don't know about: the ones that e-mail links open or that pop-ups force your browser to load through various tricks.

I wonder if there's any demand for a pre-built whitelist for NoScript that includes stuff like Amazon, Google, Apple, banks, and most other popular sites. The admin would err on the side of allowing scripts to run, while the default-block rule would still block unknown and ad/tracker domains. It would obviously be less secure than an intelligent user making all their own decisions, but it would make the barrier to using NoScript much lower.

Edit: While I'm musing on this, I wonder if NoScript could use a UI overhaul. A little icon that says "Something broken? Try activating these domains" with some heuristics e.g. first try allowing the current domain, then stuff on common CDNs, then maybe digging into DNS records or SSL certs for common ownership...

I'm finding uMatrix is useful, and have deployed it with ongoing support for non-technical users.

It's possible to whitelist (and blacklist) specific targets, including local site, and a set of specified third-party targets.

That said, overall, it's a bit of a complexity bunghole, and may not be for the general public. But then, computers in general aren't, in many ways, either.

There is, and I've given that so much thought. I've gone as far as to sync my own NoScript lists. Since Firefox Sync will not sync NoScript whitelists, I have to do that myself. So that's a major feature request from me right now.

Not only to have pre-built lists but also to share your own list between devices.

I used to wonder this as well, but the problem is then you have to trust whoever submitted it set the rules up properly.

We (disclaimer: I'm a co-founder) do exactly this with our Blur product, which includes a "tracker blocker". We crowdsource and test for problems caused by 'improperly implemented' tracking code and blockers, and dynamically allow just those trackers on key sites. More here: https://www.abine.com/suggestions/

I have done a number of "Internet Safety and Security" classes in my position as a public librarian. My focus is not so much on anonymity, as much as understanding the problem of identity. I explain the certificate system and how a hacker might actually target you. Phishing -- probably the biggest security risk I see on a day to day basis -- is a problem of identity, giving money to someone you do not know and cannot verify.

I also cover basics like using better passwords, not reusing them, and ways to keep them safe (KeePass, LastPass, a password memo book, etc.). And I emphasize over and over again to keep your software up to date. Let companies that have experts on staff do the work for you. Update Windows, your web browser and all Internet-connected applications regularly (also applicable to iOS, the App Store and the Play Store).

Finally, I cover basic anonymity tools like ad-blockers and Disconnect.

The final paragraph loses a lot of my clientele, so NoScript is a non-starter for them.

Until my aging mother can use NoScript and still understand why many websites just don't seem to work, it isn't covering the majority use cases.

This comment alludes to a UI/UX goal commonly voiced as an obstacle, that of some 'ware not being market-ready until it's "Grandmother operable". This thread, however, is a discussion of matters of digital defense. Just as with physical defense, it is the pietous responsibility of the more savvy and agile offspring to shield their elders from harm (presuming no malice by the senior party emancipates one from such duty).

Have you explained to her that NoScript intentionally breaks websites, making them not operate as the designer intended, so that the website (and by extension the underlying computer) only does what you want it to do, and not the (potentially nefarious) activities planned by the designer?

When I try explaining this to other people, even other engineers, they usually tangent into a discussion about how paranoia and an inability to trust are unhealthy. And they stand their ground in the face of mounting evidence, insisting the designer is a humble, well-meaning person like themselves, and would have no reason for doing such evil things.

True, and this is also what I always mention: NoScript is really an advanced topic, and every time I've tried to make friends use it they've eventually given up.

But people who come to these lectures or cryptoparties usually have a desire to do something about their personal IT security, so hopefully they can find the motivation.

I do similar talks for regular users* and I try to explain how to prioritize risks, and why they might not be focused on what's really important. Purchasing an anti-virus suite and identity theft protection and worrying about online banking are way overrated.

Strong consumer protections exist in many developed nations which limit your liability; it is the banks who stand to lose. No doubt it can be a hassle if your credit card number is stolen, but that card is the bank's property. You just report any fraudulent transactions and get a new card if necessary. The more important thing to protect is your private data; you can't get that privacy back.

Also, NoScript is awesome and I highly recommend people try it. It can be fiddly to get working at first, but a surprisingly high percentage of websites work better without having to white-list anything. It also helps with privacy by blocking trackers like Google Analytics, especially on sites like Troy's which lack a privacy policy and do not provide any warning at all about third-party trackers to site visitors. Pretty new site redesign, same lack of transparency as before.

* By 'regular users' I mean when I say "Try an ad-blocking extension with your browser, add it from the menu" and they say "What is the menu?" and we build their knowledge up from there. It can be frustrating for all, but I highly recommend it as it keeps you grounded and provides balance for the HN bubble I sometimes find myself in.

I've been installing NoScript, and instructing how to use it, on "regular" users' browsers for years. The sad inevitability is I end up instructing most of them on how to enable the "Allow scripts globally (dangerous)" option to help quell the flood of phone calls concerning their "broken internets". Many just can't be bothered and/or don't care enough to learn. Free will can be such a bitch, sometimes.

The big problem with NoScript, and this has already been mentioned on here, is that it requires a certain level of experience with the web to operate.

You almost have to be an experienced webdev to recognize which domains are necessary and which aren't.

But this is also why I emphasize that you can freely use the global whitelisting option and still be much safer than without NoScript, simply because the sites that will get you are often the sites that open unexpectedly: unknown domains that you did not request.

I'm at the point where I refer people to an ad-blocker and Disconnect. Not perfect, but a whole lot better than nothing.

I've found the Ghostery extension for Safari to require very little fiddling, breaking almost no sites and blocking ads and third-party trackers.

> anonymity is far down on the list

Is that your choice or user demand?

Confidentiality is one of the pillars of security, and beyond a doubt the most common attack on user security is on confidentiality by commercial and government organizations.
