- It will take about three or four refreshes before you can whitelist everything necessary to get Youtube working. First youtube, then s.ytimg.com, then googlevideo.com, THEN you might finally get a video.
- Any page with a Google Captcha on it will take several refreshes to completely let them through. This is particularly irritating if there's a captcha on a form.
- Anything which needs to reach out to jquery, ajax, etc. will fail. But you should be able to whitelist those once then add them to your permanent whitelist.
- I have yet to find a good tutorial for uMatrix on how to make some pre-defined rules for common sites. That would greatly reduce the learning curve.
* Shift+click on host name, and pull up info on trustability from NoScript.net database
* Filters WebGL, XSLT, @font-face
* Sophisticated XSS protection: Look up XSS on these pages:
* CSRF protection
* Clearclick: Detects invisible elements which cover clicked visible elements
* A pretty sophisticated firewall in your browser, Application Boundaries Enforcer (ABE), where you can even write your own policies:
"Living inside the browser, the ABE component can take advantage of its privileged placement for enforcing web application boundaries, because it always knows the real origin of each HTTP request"
"Many of the threats NoScript is currently capable of handling, such as XSS, CSRF or ClickJacking, have one common evil root: lack of proper isolation at the web application level."
"The idea behind the Application Boundaries Enforcer (ABE) module is hardening the web application oriented protections ... by delivering a firewall-like component running inside the browser ... specialized in defining and guarding the boundaries of each sensitive web application"
More here: https://noscript.net/abe/
Also, there's a project to create a GUI for just the ABE component, called SABER
The irony of that is staggering given NoScript being busted for spreading malware in this story.
> Any page with a Google Captcha on it will take several refreshes to completely let them through. This is particularly irritating if there's a captcha on a form.
> Anything which needs to reach out to jquery, ajax, etc. will fail. But you should be able to whitelist those once then add them to your permanent whitelist.
These should all be one time deals though. You can whitelist some or all of this stuff in the global scope so it applies to all web pages (if you want to do this). For example you can whitelist the youtube stuff in the global scope so that any page which has embedded youtube videos will show them. This should be a safe practice as the google domains should generally be trustable.
Or don't do this. And whitelist it on a site by site basis. The choice is yours.
My rationale is that I've chosen to go to a site, and most JS dangers are served from ad networks and trackers. Not typically from the site itself.
Of course, as long as we don't try to force our preferences on each other, we can both browse the web however we like.
uMatrix comes with many hosts files enabled, so even if working in allow-all/block-exceptionally, most trackers/ads and whatnot will still be blocked.
There are no pre-whitelisted (aka "trusted") 3rd-party hostnames in uMatrix; that will be for you to decide.
The default in uMatrix, in full view in the popup panel, can be changed with a few clicks from the main popup panel, and you can also remove all the default whitelisted hostnames in NoScript.
 entries are translated into `* hostname * block`.
Buying things with security add-ons installed sometimes can be tricky: When you click 'buy', the host site sometimes contacts destinations that were previously unknown to your browser (payment processors, etc.), meaning you wouldn't know to enable them. You may hesitate to reconfigure NoScript/uMatrix and reload because you don't know if you are making multiple payments or placing multiple orders.
On the positive side, uMatrix and NoScript can remember what you enabled to get that page working, so you configure them the first time you visit the site and then forget it. NoScript's configurations are less granular, however, which may discourage permanently allowing some things:
(But NoScript has many more security features:
This is becoming less and less true unfortunately, thanks to stupidly designed (e.g. not progressively designed) JS frameworks.
Usually sites work well enough by enabling 1st party JS and sometimes not even all of them. I lose all the code from tracking and monitoring services, which I really don't care about. I gain a much faster browsing experience.
Some news organizations implement their paywalls with JS. It gets rid of a lot of annoying ads and scroll-behavior modifications. It actually makes some sites subjectively better.
Yes but when visiting a website with JS turned off, the site can still be progressively enhanced, similar to how electric stairs still work when the power is switched off. Users of the stairs still get to climb them, but now they have to put in extra effort.
Or combine this with uMatrix, giving yourself a global blocklist with 3rd party granularity on the sites you do clearlist.
All 0 of them?
Code is sandboxed, processes are isolated, OS-level security is used on top of that. The few CVEs that show up are reported quickly via browser bounties or in-house testing. People claim bounties are ineffective, but how many exploits have we really seen emerge from "black markets" or other sources?
I ran without JS for a few years and then realized it was making my online experience more miserable than it needed to be. I can't remember the last time I actually saw a computer "infected" just from visiting a website, and not through social engineering. Can you?
The bottom line is that the margin for being compromised via JS is so small that it might as well not exist. If you disable it because privacy or surveillance or whatever else, that's your prerogative. But the security issue is completely overstated and largely misinformed.
NoScript can do this too BTW. The web is almost unusable without that setting enabled.
The drawbacks you identified are exactly the same on NoScript so they should not be used as a reason to pick one over the other.
It takes a LONG time to get a good list of whitelisted sites, now that mine is more or less usable I don't intend to switch - especially since I disabled the "show webpage with ads" thing on NoScript, so I don't have the problem in the article.
That is, in NoScript you can only filter based on the destination. For example, if you allow one site to run scripts from cloudfront.net, every site can. Effectively the rules are:
DENY * *
ALLOW * cloudfront.net
DENY * *
ALLOW mybank.com cloudfront.net
DENY * *
EDIT: Add, improve examples
You've referred to it as a regression, but let me give you an example like Twitter. Would it make sense to have the server generate the HTML for each and every request, and then send that as a new page whenever you click a link? It's actually much faster to instead have the client send a small AJAX request (give me tweet #3242565), the server respond with that data, and then the client to update the page with it.
In the case of Twitter, you're still dependent on the server for info either way. But this lets you conserve data, reduces server load, and yields a faster client interaction.
As I said, the web isn't static documents anymore. We've moved beyond that and it's actually pretty great. HN's overall position on this subject disappoints me for that reason.
So I downloaded the exe and uploaded it to Kaspersky's online scanner https://scan.kaspersky.com/Home/Result and it says the file is safe.
It almost seems like he has an axe to grind or something. Maybe I'm just reading too much into such a terrible article, and it's just that though.
> Only a few scan engines detected this file as a threat. If you think it might be a false positive, find out how to contact the engine vendor on our blog.
That is one hell of a "definitely". The only specific entry has it as "Riskware/SpeedUpMyPC" which, after a quick google, states it is "unwanted software". Pro tip: if you don't want it, don't install it, NoScript certainly does not force or trick you to install it.
Just to link a description of what one of them found:
Basically it could be an unwanted application that "The application reports an exaggerated number of problems."
Shitty software? Sure. Malware? Not to me. YMMV.
Here's a screenshot of the ones it failed from that total scanner: https://i.imgur.com/vwy9sXY.jpg
The noscript website is showing ads which are installing malware. (typical clean your computer [with a trojan] bullshit)
Bonus: The extension goes the extra mile to disable specific adblock filters during its installation + the website is displayed automatically on every extension update.
This isn't a case of someone using a shady ad network, this is a case of the noscript author knowingly trying to get their users to download and install malware.
Edit: As another user pointed out lower in this submission. The software isn't exactly malware, and does do what it says on the box.
If that's the case, this isn't really an issue to me. It's just an ad for software that I have no need for.
NoScript has a checkbox to disable displaying the page on updates.
Even if this page was never shown during install/updates, it would still be an issue.
Is it really too much to ask that the author of a security/privacy related application not try to push malware?
Really the worst thing you can say about that app is that it's overpriced. It's doing nothing that ccleaner doesn't do for free.
I would regardless ask the question in the punchline of the article: "why would you trust a security suite when they pull tricks like that"? (not verbatim)
What browsers still actually need is a really good way of dealing with certificates. The current mess is a sad joke.
I've tried things like Certificate Patrol, but that has tremendous problems in everyday usage. Browsers do a little bit of pinning, but security for the vast majority of sites is still dependent on the non-malfeasance of each and every one of the hundreds of certificate authorities that are trusted by default.
IMO that is problem #1, and it's been problem #1 for a decade or more. Mozilla takes in about $300 million a year, but I guess certificates are just too difficult a problem to solve properly with such a paltry sum of money.
The Chrome extension also lacks what the old Opera had.
The NoScript site calls the code "open source" and "Free Software" (complete with a link to the FSF), but nowhere on the site can I find the source code.
I searched GitHub and didn't find any source code from the NoScript author there either.
As far as I can tell, the only way to get the source code is to actually install the extension and then extract the code from there.
It appears that GitHub user 'avian2' did exactly that:
Thanks avian2! And no thanks to the NoScript author.
Not as convenient as a github repo, but equally open source.
You cannot violate your own privacy. My privacy is mine to control. And give up, if I so choose.
The same is true every time you access a site, even without JS.
2. Even though he's able to randomize the banner code the redirect to the advertiser's site will most likely be caught by ad blockers.
Still it's a pretty hypocritical thing to do when you're the creator of a plugin which aims to increase the user's security.
So I Googled that, and no, not a pup, more like a trojan that hijacks your pc and joins a botnet.
NoScript is default-deny by default, except for its preset list of whitelisted hostnames for which scripts are allowed to execute.
In both cases, with a few clicks one can reconfigure to their liking, to further restrict or relax existing rules.
Here is my thinking on this: between blocking everything and allowing everything, there is a point I consider optimal, which is what I picked for uMatrix. Not blocking enough out of the box will defeat the primary purpose of the tool. Blocking too much out of the box will discourage many users from using the tool at all -- they will uninstall.
My goal is for as many people to protect themselves, and this won't be accomplished if I set uMatrix's default to cause too much work out of the box that they uninstall it out of tediousness.
Blocking everything 3rd-party by default except images/css is what I personally identified as the optimal -- this would correspond to "medium mode" on the graph at that page: https://github.com/gorhill/uBlock/wiki/Blocking-mode
Again regarding the tediousness factor, another important aspect of a tool such as uMatrix is how easy it is to set rules to block/allow things, including on a per-site basis: one can easily change default settings after install, but how easy/difficult it is to set/remove rules is something which can't be changed. To dismiss the ease to create rules and other core features in uMatrix because one personally disagrees with its (easily changed) default settings out of the box does not make much sense to me.
If the end result is that the aggregate number of stuff blocked by all users of uMatrix with default settings is higher than the aggregate number of stuff blocked by all users of uMatrix with hardcore settings, then I reached my goal.
In any case, as said, the defaults can be changed easily with a few clicks, there are no "hidden" settings, what is blocked or not is up front and visible right after install by just looking at the popup panel matrix.
One thing I would like people to keep in mind: uMatrix is not NoScript or RequestPolicy, it is its own thing.
Next go to about:addons again and "preferences" of NoScript, on the "Notifications" tab uncheck "Display the release notes".
My 2¢ is that it certainly does appear to offer updates more often than one might expect (a bit like browsers themselves) but I have these two settings so I don't really notice. I choose to update manually because I don't like stuff breaking automatically (and am happy to keep on top of security warnings and such).
uMatrix is too weird for me (I love uBlock though).
The logic of the matrix is completely straightforward, once you get the basic rule that narrower rules override broader ones, all interactions with the matrix will become obvious, easy to understand in advance what will happen when adding/removing a specific rule -- and in any case, the visual feedback when adding/removing a rule through the popup panel matrix should be obvious enough to understand what will end up blocked/allowed.
Especially to Windows users. Every time NoScript updates itself, the users are shown the homepage of the extension.
I get that this sucks but there is an easy way to mitigate this problem without changing to another extension.
The article mentions the author has a history of doing shady things, can someone provide more background into this?
The article states that every time the plugin updates, it automatically opens up a webpage that serves malware. So technically the article is not wrong. NoScript forces your browser to open a malicious page, therefore it can be considered itself harmful.
It opens a page with an advertisement link for "Speedup My PC", not even the article claims that it serves malware, just that it "promotes" it. Going by the description of the detected malware signatures Speedup My PC isn't even harmful by itself, it just is snake oil with no real use beyond selling its own license.
Unless you click the link, download the exe, install it, fall for the detected issues notification and then proceed to buy a license nothing will happen.
Now, the question is, do I trust a plugin that serves ads for malware?
BTW any info on when did they start doing that?
If I were to personally inspect every software (and hardware where possible) I use I would barely be up to date on 1995 versions of computing.
I outsource this trust to an aggregation of online communities I believe in. This post dramatically lessens my trust in NoScript.
You have to disconnect from the internet, restart Firefox, let it fail to load the page, then go to the settings menu and uncheck the box.
This was fixed in Tor Browser 6.0.5 and Firefox 49. Worth noting that the attack required a publicly-trusted certificate for addons.mozilla.org, which makes this a bit harder than just a run-of-the-mill MitM attack, though certainly possible for nation-state actors and the likes.
In the most narrow sense. Since I can't in good conscience recommend it to normal people I am considering it harmful.
You can't really recommend it to normal people even without considering the author's advertising practices. NoScript is a tool for power users who understand a few things about how the web works.
uMatrix allows more fine-grained control than NoScript. It's basically based on three contexts (scopes): host, domain and global, but my experience is I only ever use the global and domain scopes. I would recommend starting by globally white-listing the popular CDNs (so scripts on all sites delivered e.g. through Google's CDN are always executed and <script> snippets to integrate Google widgets work).
Then, for a majority of trusted sites it's enough to just white-list the local domain (allow executing scripts from example.com when you are visiting example.com sites). Scripts included on foobar.org from example.com still remain blocked – this is the crucial difference between global and local scopes that NoScript doesn't lend to.
I would recommend always allowing XHR and iframes in the site-local scope. IIRC this is not in the default config but since XHR anyway requires scripting you can then easily control both XHR / scripting by just white-listing the site for scripting. So this is my uMatrix base configuration currently and a good starting point for migrating from NoScript:
* * * block
* * css allow
* * image allow
* 1st-party cookie allow
* 1st-party frame allow
* 1st-party xhr allow
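To make the two points concrete, the destination-only NoScript rules in the earlier comment (allowing cloudfront.net once allows it everywhere, versus a rule scoped to mybank.com) and the base configuration listed just above, here is a small rule evaluator. This is an added example, not uMatrix's or NoScript's own code: it models `source destination type action` rules with a simplified precedence (most specific destination row first, a named type before the "*" column, and for a given cell the narrowest source scope wins), which is the "narrower rules override broader ones" principle in a form you can run. The real extension's algorithm has further subtleties, and hostnames such as randomsite.org, api.example.com and cdn.foo.net are constructed for the demonstration.

```python
"""Constructed model of uMatrix-style `source destination type action` rules.

Added example, not uMatrix's or NoScript's own code. Precedence is a
simplification of the real extension's: destination row (narrowest first),
then type column (named type before "*"), then source scope (narrowest first).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    source: str       # page hostname (scope) or "*" for the global scope
    destination: str  # request hostname, "1st-party", or "*"
    rtype: str        # script, css, image, cookie, frame, xhr, ... or "*"
    action: str       # "allow" or "block"


def parse_rules(text):
    """Parse one rule per line; blank lines and '#' comments are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("allow", "block"):
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(*parts))
    return rules


def hostname_chain(hostname):
    """Most specific to least: a.b.example.com -> [a.b.example.com, b.example.com, example.com]."""
    labels = hostname.split(".")
    if len(labels) < 2:
        return [hostname]
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def registrable_domain(hostname):
    # Naive: last two labels. Real tools consult the public suffix list.
    return hostname_chain(hostname)[-1]


def decide(rules, src, dst, rtype):
    """Return (action, rule_text) for a request of `rtype` from page `src` to host `dst`."""
    index = {(r.source, r.destination, r.rtype): r.action for r in rules}
    first_party = registrable_domain(src) == registrable_domain(dst)
    scopes = hostname_chain(src) + ["*"]
    rows = hostname_chain(dst) + (["1st-party"] if first_party else []) + ["*"]
    for row in rows:                 # narrowest destination row first
        for col in (rtype, "*"):     # named type before the "all" column
            for scope in scopes:     # narrowest source scope first
                action = index.get((scope, row, col))
                if action is not None:
                    return action, f"{scope} {row} {col} {action}"
    return "block", "(no rule matched: default deny)"


# Constructed rule sets for the comparison.
NOSCRIPT_STYLE = parse_rules("""
# Destination-only: allowing cloudfront.net once allows it on every site.
* * * block
* cloudfront.net * allow
""")

UMATRIX_STYLE = parse_rules("""
# The base configuration from the comment above, plus two site-scoped rules.
* * * block
* * css allow
* * image allow
* 1st-party cookie allow
* 1st-party frame allow
* 1st-party xhr allow
mybank.com cloudfront.net * allow
example.com example.com script allow
""")


if __name__ == "__main__":
    requests = (("mybank.com", "cloudfront.net", "script"),
                ("randomsite.org", "cloudfront.net", "script"),
                ("example.com", "example.com", "script"),
                ("foobar.org", "example.com", "script"),
                ("www.example.com", "api.example.com", "xhr"))
    for label, rules in (("NoScript-style", NOSCRIPT_STYLE), ("uMatrix-style", UMATRIX_STYLE)):
        for src, dst, t in requests:
            print(f"{label:15} {src:16} -> {dst:16} {t:7}: {decide(rules, src, dst, t)}")
```

Running it shows the difference the comment describes: with the destination-only rules, cloudfront.net scripts run on randomsite.org as well as on mybank.com; with the scoped rule they run only on mybank.com. The `1st-party` rows let XHR from www.example.com to api.example.com through because both share a registrable domain, while the same XHR to a third-party host stays blocked.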
it wasn't circumventing the filters just to show ads. It was circumventing the filters because the filters were blocking everything, including the install extension button.
Everyone should get CS degree to operate a computer. /s
Edit: It was uBlock Origin. NoScript is the only thing that works but I have no idea if the guy is shady or not. Keep in mind I install the DEV edition so this has never happened to me.
Given the symptoms you describe, it seems you went to a site which launched popups. This is usually addressed by filters in the default block lists (EasyList, etc.), but when there is no filter, unwanted popups may occur. One solution is to report to block lists maintainers, so that they can add a filter. There is also a per-site switch in uBO to unconditionally block all popups for a given site -- so no need to wait for a filter.
uBO works well with NoScript, and many people use it in concert with NoScript, they consider they complement well each others.
Something that is only happening because we let ads networks and advertisers push all the shit they want on our webpages. How long before we actually start vetting (for nuisance and performance) what is put below users' eyes?
This isn't a case of someone using a shitty ad network, the author is knowingly pushing malware to the users of their application.
I ran it through online tools:
* https://www.virustotal.com/en/file/3d9e6b1e9f1296e0ce85061e0... (17/57)
* https://www.metadefender.com/#!/results/file/5fd5ceb2e10942d... (5/42)
* http://scanthis.net/scan/f74a94435ae047770b0fb26c4752d43b (result pending)
a lot of the big name antivirus companies don't report this as a malicious file (according to these tools).
e.g. looking at the first scan results Ad-Aware, Avast, BitDefender, Symantec, etc., etc., all find no problem with the file.
The obfuscation would be needed to load ads for the market that NoScript is targeting. To get ad revenue they would need some system to load the ads [as if] from the local server or they'll get blocked. Indeed isn't this what people often ask for from adverts that they won't use external providers in order to improve page-load times. If you look at the source for the page at noscript.net you see that the section is tagged as if it's included code from an automated script. So yes, he's clearly gone to trouble to hide the ad, but that's because it's an ad and not necessarily because it's malicious.
So, it hinges on whether the speedupmypc.exe is truly malicious IMO. Cnet & Tucows endorse it, not sure that tells us much ... installing the app (on a vbox) it looks like reasonably useful app after the type of PC-decrapifier or CC or whatever. I got a freemium app which gave a scan (results looked kosher) and offered a £20 unlock to fix the issues found.
Not the greatest software but not quite what I'd call malware. Perhaps oversold-stuff-people-dont-really-need-ware??
Unless, like I said, there's a hidden payload?
And that was the major issue I had with it (the fact that it was called malware by the blog post).
If that's not the case, then it's not nearly as large a problem as it looked.
Thanks for doing the research, you should repost this as a top level comment!