Made by the same developer of uBlock Origin, allows blocking of Javascript and other aspects of the site.
I switched awhile back and found it somewhat more usable than NoScript, insofar as it usually allows Javascript on the local site by default, while automatically blocking JS on third-party domains. There are some growing pains associated with it, as there are with NS. Some of the drawbacks I've noticed:
- It will take about three or four refreshes before you can whitelist everything necessary to get Youtube working. First youtube, then s.ytimg.com, then googlevideo.com, THEN you might finally get a video.
- Any page with a Google Captcha on it will take several refreshes to completely let them through. This is particularly irritating if there's a captcha on a form.
- Anything which needs to reach out to jquery, ajax, etc. will fail. But you should be able to whitelist those once then add them to your permanent whitelist.
- I have yet to find a good tutorial for uMatrix on how to make some pre-defined rules for common sites. That would greatly reduce the learning curve.
Another alternative: uBlock Origin with "advanced mode" enabled. You can tell it to globally block "inline scripts", "1st-party scripts", "3rd-party scripts", and "3rd-party frames", and selectively undo that block when needed. See https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-qu... for an explanation with screenshots.
uMatrix provides a more fine grained approach to blocking and has an interface to match this. uBlock's interface can be easier for a more coarse grained approach (see dynamic filtering, medium mode).
I never tried uMatrix. uBlock has the ability to block a particular set of links e.g. abc.com/min/* and whitelist some links within that set e.g. abc.com/min//.png. I think that's a fine grain approach. Can uMatrix do things like this?
Here is a quick tutorial showing what uMatrix can do https://github.com/gorhill/uMatrix/wiki/Very-bare-walkthroug.... As you can see, it gives you an easier way to have fine-grained control of each individual type of resource. It also allows you to configure third-party domain resources globally, or per domain. This allows you to do something like allow youtube embedding (js + xhr) on all websites at once.
* A pretty sophisticated firewall in your browser, Application Boundaries Enforcer (ABE), where you can even write your own policies:
"Living inside the browser, the ABE component can take advantage of its privileged placement for enforcing web application boundaries, because it always knows the real origin of each HTTP request"
"Many of the threats NoScript is currently capable of handling, such as XSS, CSRF or ClickJacking, have one common evil root: lack of proper isolation at the web application level."
"The idea behind the Application Boundaries Enforcer (ABE) module is hardening the web application oriented protections ... by delivering a firewall-like component running inside the browser ... specialized in defining and guarding the boundaries of each sensitive web application"
I do find it ironic that people assume that NoScript's only feature is the one that is the most hassle to use. The more passive always-on protections get overlooked, and people recommend as equivalent alternatives extensions that only provide a better UI for the domain-based script blocking, while not providing the defense in depth that NoScript has.
Not sure if this is considered bad practice, but I have uMatrix installed with noscript. I use uMatrix for script blocking and have noscript set to globally allow scripts, with ABE, XSS, clickjacking, etc protection enabled to cover the weak points of uMatrix.
For us tech-savvy people that might be an option. But for the average user it's not. Too many things don't work. I use Privacy Badger and install it on every system that I maintain. It's simple and clean, and set up by an organisation that doesn't need shady ads on its website.
> It will take about three or four refreshes before you can whitelist everything necessary to get Youtube working. First youtube, then s.ytimg.com, then googlevideo.com, THEN you might finally get a video.
> Any page with a Google Captcha on it will take several refreshes to completely let them through. This is particularly irritating if there's a captcha on a form.
> Anything which needs to reach out to jquery, ajax, etc. will fail. But you should be able to whitelist those once then add them to your permanent whitelist.
These should all be one time deals though. You can whitelist some or all of this stuff in the global scope so it applies to all web pages (if you want to do this). For example you can whitelist the youtube stuff in the global scope so that any page which has embedded youtube videos will show them. This should be a safe practice as the google domains should generally be trustable.
Or don't do this. And whitelist it on a site by site basis. The choice is yours.
You say uMatrix is "somewhat more usable than NoScript, insofar as it usually allows Javascript on the local site by default, while automatically blocking JS on third-party domains"
But that's exactly the default I do not want. One of the main reasons I use NoScript in the first place is to protect against Javascript vulnerabilities. If the default is to enable Javascript, that defeats that protection.
Security is a sliding scale. I could stay home all day and wear big pads with sirens on saying "DONT TOUCH ME", but I choose to drive a car at 70mph, walk along-side busy roads and load 1st party JS from sites.
My rationale is that I've chosen to go to a site, and most JS dangers are served from ad networks and trackers. Not typically from the site itself.
I let JavaScript run, but not by default, so it's like "before getting in someone else's car for the first time, I check the brakes work before going 70mph".
Of course, as long as we don't try to force our preferences on each other, we can both browse the web however we like.
You can change this behavior in both NoScript and uMatrix. In uMatrix all you have to do is disable first party scripts in the global (*) profile. NoScript defaults to the opposite (don't allow any scripts) but the behavior can be changed to allow first party scripts by default.
How do I disable scripts for just one site? I tried to use uMatrix once as it was suggested as the alternative of noscript for chrome. I just wanted to get rid of those annoying anti-adblock popups on wired.com. However every setting I tried on the drop down menu failed to block javascript, or just blocked all content on the domain wired.com. I tried going deeper into the settings but I found the user interface confusing and nothing was labelled. It's definitely not a convenient alternative for noscript/javascript blocking. Even if it may be possible to achieve that with it.
uMatrix comes with many hosts files enabled[1], so even if working in allow-all/block-exceptionally, most trackers/ads and whatnot will still be blocked.
There are no pre-whitelisted (aka "trusted") 3rd-party hostnames in uMatrix, that will be for you to decide.
The default in uMatrix, in full view in the popup panel, can be changed with a few clicks from the main popup panel, and you can also remove all the default whitelisted hostnames in NoScript.
[1] entries are translated into `* hostname * block`.
It depends what you do on the web. To use web applications, obviously you need JavaScript. To read text, you generally don't. Also, even when you do need JavaScript, you generally need it from the original host and maybe one other (e.g., googleapis.com); you don't need it from the analytics and advertising hosts, for example.
Buying things with security add-ons installed sometimes can be tricky: When you click 'buy', the host site sometimes contacts destinations that were previously unknown to your browser (payment processors, etc.), meaning you wouldn't know to enable them. You may hesitate to reconfigure NoScript/uMatrix and reload because you don't know if you are making multiple payments or placing multiple orders.
On the positive side, uMatrix and NoScript can remember what you enabled to get that page working, so you configure them the first time you visit the site and then forget it. NoScript's configurations are less granular, however, which may discourage permanently allowing some things:
I'm using NoScript and I temporarily enable JS on sites.
Usually sites work well enough by enabling 1st party JS and sometimes not even all of them. I lose all the code from tracking and monitoring services, which I really don't care about. I gain a much faster browsing experience.
Then there are sites with CDNs, and I have to enable them to see some content. Or Disqus comments, must enable to read them. Then there are some sites that are like a puzzle and I can't understand what to enable. I either give up (lose-lose) or read them in a browser I use for that kind of sites (I lose, they win). Then there are sites with content embedded in the JavaScript (I really mean in the script, not loaded by the script) or in some invisible element that only JS can make visible. Forbes is one of them and the one I hate most. I did a short script to deobfuscate the content at a Forbes URL and display it in a browser.
By using NoScript I appreciate how useless is JavaScript on some sites: there is no reason not to serve basic content (text and most of the images) directly and use JS only to enhance it. Examples: to add comments, to zoom into images, to load the next article - which has its own URL anyway.
A pretty good amount. For instance, HN is barely degraded at all. Voting causes a full page refresh, but that's about it.
Some news organizations implement their paywalls with JS. It gets rid of a lot of annoying ads and scroll-behavior modifications. It actually makes some sites subjectively better.
Most of the time you just enable the scripts with domain name and "cdn" in them. Sometimes, it's trial and error to find the right combo but I usually get it in first guesses. I've found that the sites that were too much trouble I just skip, momentarily irritated I didn't see the content, and then forget about that site. I can't say I've lost anything major boycotting the worst offenders.
Yes but when visiting a website with JS turned off, the site can still be progressively enhanced similar to how an electric stairs still works when the power is switched off. Users of the stairs still get to climb it, but now they have to put in extra effort.
> Yes but when visiting a website with JS turned off, the site can still be progressively enhanced similar to how an electric stairs still works when the power is switched off.
It can, but sites often don't test that path (if they develop it at all), because it only applies to people who intentionally disable JavaScript.
Once upon a time, screen readers and similar accessibility software didn't work well with JavaScript, so better sites would pay attention to that case for accessibility. However, screen readers work fine with standard browsers and JavaScript now, which makes the "JavaScript disabled" case an incredibly tiny fraction of web users. (In fact, Mozilla found a few years ago that there were far more users with JavaScript accidentally disabled than people who actually wanted it disabled.) So, handling disabled JavaScript by just saying "you seem to have disabled JavaScript; you should fix that" really does seem appropriate for the proportional amount of time worth spending on that tiny subset of users.
That said, know your target audience. If you're building a mainstream consumer product, the proportional amount of time worth spending on running with JavaScript disabled rounds to zero. If you're building a product catering to a smaller subset of users, and you expect people with JavaScript disabled to represent a much larger fraction of your potential users, by all means take the extra development time to make that case work well.
Enabling first-party scripts makes most of it usable, but not all. Disabling first-party scripts means probably about 50% is still useful. The internet seems so much 'quieter' with NoScript installed...
You've received downvotes, but you're not wrong. Javascript security used to be a concern, but that's been effectively eliminated with modern browser design.
Code is sandboxed, processes are isolated, OS-level security is used on top of that. The few CVEs that show up are reported quickly via browser bounties or in-house testing. People claim bounties are ineffective, but how many exploits have we really seen emerge from "black markets" or other sources?
I ran without JS for a few years and then realized it was making my online experience more miserable than it needed to be. I can't remember the last time I actually saw a computer "infected" just from visiting a website, and not through social engineering. Can you?
The bottom line is that the margin for being compromised via JS is so small that it might as well not exist. If you disable it because privacy or surveillance or whatever else, that's your prerogative. But the security issue is completely overstated and largely misinformed.
> insofar as it usually allows Javascript on the local site by default
NoScript can do this too BTW. The web is almost unusable without that setting enabled.
The drawbacks you identified are exactly the same on NoScript so they should not be used as a reason to pick one over the other.
It takes a LONG time to get a good list of whitelisted sites, now that mine is more or less usable I don't intend to switch - especially since I disabled the "show webpage with ads" thing on NoScript, so I don't have the problem in the article.
One advantage of uMatrix: You can filter based on host-destination pairs.
That is, in NoScript you can only filter based on the destination. For example, if you allow one site to run scripts from cloudfront.net, every site can. Effectively the rules are,
DENY * *
ALLOW * cloudfront.net
In uMatrix, you can write rules based on host-destination pairs, permitting scripts from, e.g., cloudfront.net to run on your bank's website but not on any others:
DENY * *
ALLOW mybank.com cloudfront.net
Finally, you can filter by host & destination & function:
Google, Bing, Gmail, Yahoo Mail, Facebook, Twitter, Reddit, HN, Slashdot, and Github all work with Javascript disabled. If a site does not (e.g., Office 365, Slack, Instagram), that tells me something about the competence of the developers they are willing to hire.
It could just post the current chat via plaintext up until that point. Yes, you'd have to manually refresh to see updates, etc, but if you are blocking JS, you should expect reduced functionality of web-apps.
It's the outdated notion that "the web is still a collection of hypertext documents". Yet the reality is that JS webapps have been the standard for some time now, and won't be going away any time soon.
I agree the trend is toward thick Javascript apps, but I call that the death of the web and a wholesale regression to client/server architecture where data is entombed and only usable by a single piece of software that you don't maintain.
That's a pretty harrowing view. I see the movement of logic from the server to the client as liberating, personally, as it gives me more control over it.
Javascript is open source by its very nature. So if I wanted to tweak how Slack works, for instance, I can do so via extensions or writing code myself. In the cases of completely client-side apps, I can even back them up for my own use, such as I've done with a regex testing tool.
You've referred to it as a regression, but let me give you an example like Twitter. Would it make sense to have the server generate the HTML for each and every request, and then send that as a new page whenever you click a link? It's actually much faster to instead have the client send a small AJAX request (give me tweet #3242565), the server respond with that data, and then the client to update the page with it.
Twitter on its face is pretty simple. There's only a few template pages it needs to know ahead of time (timeline, individual tweet). So by moving to a data passing model you actually send far less data. The "javascript payload" being too large can be mitigated by rendering on the server for the first view, as is done in React.
In the case of Twitter, you're still dependent on the server for info either way. But this lets you conserve data, reduces server load, and yields a faster client interaction.
As I said, the web isn't static documents anymore. We've moved beyond that and it's actually pretty great. HN's overall position on this subject disappoints me for that reason.
> The web is almost unusable without that setting enabled.
The web (i.e., the web of hypertext documents linked together) is perfectly usable with JavaScript disabled; what doesn't work are all the single-page apps which hijack the web's infrastructure in order to break it. This is somewhat like a medicine which does not interfere with the operation of human cells but which disrupts the replication of viruses.
Here's the site that ad on noscript.net takes you to:
uniblue.com/cm/deletedcmunits/speedupmypc/spdeletedcmunits/download/?aff=3257&x-at=noscriptt1
After 4-5 clicks, the exe finally downloaded. Seems like a lot of work to download malware doesn't it?
> Only a few scan engines detected this file as a threat. If you think it might be a false positive, find out how to contact the engine vendor on our blog.
That is one hell of a "definitely". The only specific entry has it as "Riskware/SpeedUpMyPC" which, after a quick google, states it is "unwanted software". Pro tip: if you don't want it, don't install it, NoScript certainly does not force or trick you to install it.
This is a disproportionate and unfair response, but whatever it is that our fellow users say, we don't make insulting accusations like “... reeks of misguided fanboyism.” Please don't comment like this here.
The noscript website is showing ads which are installing malware. (typical clean your computer [with a trojan] bullshit)
Bonus: The extension goes the extra mile to disable specific adblock filters during its installation + the website is displayed automatically on every extension update.
Important thing to note, the ad the article is talking about is hardcoded and always shows up to windows users.
This isn't a case of someone using a shady ad network, this is a case of the noscript author knowingly trying to get their users to download and install malware.
Edit: As another user pointed out lower in this submission. The software isn't exactly malware, and does do what it says on the box.
If that's the case, this isn't really an issue to me. It's just an ad for software that I have no need for.
Exactly. I find it bizarre that so many here seem to see this as no big issue. An application touting itself as something to keep you safe on the web uses its website to advertise malware, and the author of this application goes to great lengths to make its ad for this malware as difficult to block as possible - even for users who've gone to trouble of protecting themselves (ie. by installing an adblocker). Why anyone would want to downplay this or continue to use an application from someone who does this is beyond me.
I might be misinterpreting what you're saying. But it almost sounds like you're saying this is not such a bad thing.
I would regardless ask the question in the punchline of the article: "why would you trust a security suite when they pull tricks like that"? (not verbatim)
uMatrix! It's a brilliant addon that lets you control what gets run at a pretty fine-grained level (per domain, per subdomain, whitelists can be local to a site, etc) without being at all clunky (easier to use than NoScript in spite of being more flexible).
Maybe Mozilla could take a few days off from Flash and PDF and build in some good white-listing features. It's the last feature browsers actually need. After that it's nothing but speed and security.
That wasn't really released last week. It's been in Firefox and default-enabled in Private Browsing for probably a year already. This just enables it in normal browsing as well, and they've only published it via Test Pilot for testing, as you could already enable it in normal browsing before by setting "privacy.trackingprotection.enabled" in about:config to true.
What browsers still actually need is a really good way of dealing with certificates. The current mess is a sad joke.
I've tried things like Certificate Patrol, but that has tremendous problems in everyday usage. Browsers do a little bit of pinning, but security for the vast majority of sites is still dependent on the non-malfeasance of each and every one of the hundreds of certificate authorities that are trusted by default.
IMO that is problem #1, and it's been problem #1 for a decade or more. Mozilla takes in about $300 million a year, but I guess certificates are just too difficult a problem to solve properly with such a paltry sum of money.
The NoScript site calls the code "open source" and "Free Software" (complete with a link to the FSF), but nowhere on the site can I find the source code.
I searched GitHub and didn't find any source code from the NoScript author there either.
As far as I can tell, the only way to get the source code is to actually install the extension and then extract the code from there.
It appears that GitHub user 'avian2' did exactly that:
I prefer to turn JavaScript off in the browser itself. NoScript just increases the attack surface and also increases browser fingerprintability. There has to be a small subset of users who disable embeddings in the NoScript config, or turning off IFRAMEs, and even a smaller subset of people creating custom whitelists, which can all be checked for.
But disabling it on the browser doesn't allow you to whitelist certain websites, which is the general use case for NoScript. I wish the web didn't break without JS, but that's just not the reality we live in.
In Chrome, you can in fact white-list certain websites. It's actually quite nice. In Chrome, the advanced settings has an exceptions button that allows you to include websites that can bypass the rule.
How does that work for a site that imports JS from multiple domains, as is usual? Does adding the top domain mean that it can load JS from everywhere, or do you have to manually find out which domains it needs whitelisted to work? Neither solution seems particularly attractive; NoScript allows you to enable JS for that domain and stuff like CDNs without having to allow other stuff.
> I wish the web didn't break without JS, but that's just not the reality we live in.
Every time you temporarily enable JavaScript / whitelist a website you are performing a micro violation of your own privacy. In some cases even performing a large violation of your own privacy. Sure, there are some cases where I absolutely must have JavaScript turned on, but those cases are so rare that having JS permanently turned off is preferable in most cases.
This depends on whether you're using an anonymous proxy. Either a single-hop VPN or a multi-hop one like TOR. Enabling JS can potentially compromise these because various identifying bits of information can be gathered like screen resolution, time zone, etc.
From a blog with two entries, with an attached twitter that looks more like bot spam than someone actually using it, and a github account that is all about messing with adblockers(?). Why does this feel like a schoolyard pissing match between "1337 haxors"?
"1. You'd have to actually click and willingly install the software to be infected."
This is how most Windows malware/unwanted software is installed today, not via some rare zero-day Chrome exploits.
So what's the alternative to NoScript? And I don't mean an adblocker, I mean an extension that allows one to disable/enable JavaScript execution by domain.
uMatrix is default-deny by default, except 1st-party scripts. It also comes with an extensive list of hosts files enabled (representing 10s of thousands hostnames and their subdomains) by default for which scripts won't be allowed at all, even as 1st-party.
NoScript is default-deny by default, except for its preset list of whitelisted hostnames for which scripts are allowed to execute.
In both cases, with a few clicks one can reconfigure to their liking, to further restrict or relax existing rules.
Here is my thinking on this: between blocking everything and allowing everything, there is a point I consider optimal, which is what I picked for uMatrix. Not blocking enough out of the box will defeat the primary purpose of the tool. Blocking too much out of the box will discourage many users from using the tool at all -- they will uninstall.
My goal is for as many people to protect themselves, and this won't be accomplished if I set uMatrix's default to cause too much work out of the box that they uninstall it out of tediousness.
Blocking everything 3rd-party by default except images/css is what I personally identified as the optimal -- this would correspond to "medium mode" on the graph at that page: https://github.com/gorhill/uBlock/wiki/Blocking-mode
Again regarding the tediousness factor, another important aspect of a tool such as uMatrix is how easy it is to set rules to block/allow things, including on a per-site basis: one can easily change default settings after install, but how easy/difficult it is to set/remove rules is something which can't be changed. To dismiss the ease to create rules and other core features in uMatrix because one personally disagrees with its (easily changed) default settings out of the box does not make much sense to me.
If the end result is that the aggregate number of stuff blocked by all users of uMatrix with default settings is higher than the aggregate number of stuff blocked by all users of uMatrix with hardcore settings, then I reached my goal.
In any case, as said, the defaults can be changed easily with a few clicks, there are no "hidden" settings, what is blocked or not is up front and visible right after install by just looking at the popup panel matrix.
One thing I would like people to keep in mind: uMatrix is not NoScript or RequestPolicy, it is its own thing.
For what my comment is worth, I ended up removing NoScript and doing a clean install of Debian after noticing that the NoScript extension would seem to auto-update often, and then would launch an instance of the noscript.net website each time I opened firefox. It did sketch me out, and I can't recommend installing this.
Go to about:addons, click the "more" text at the end of the NoScript description on the right and set auto-update to "off".
Next go to about:addons again and "preferences" of NoScript, on the "Notifications" tab uncheck "Display the release notes".
Done.
My 2¢ is that it certainly does appear to offer updates more often than one might expect (a bit like browsers themselves) but I have these two settings so I don't really notice. I choose to update manually because I don't like stuff breaking automatically (and am happy to keep on top of security warnings and such).
That bothers me about lots of extensions, and not just extensions. For example, the Newtonsoft.Json NuGet package opens up a web page after updating, and it bothers me every time. The higher the quality of the software, the more it bothers me when they stoop to such tactics.
The logic of the matrix is completely straightforward, once you get the basic rule that narrower rules override broader ones, all interactions with the matrix will become obvious, easy to understand in advance what will happen when adding/removing a specific rule -- and in any case, the visual feedback when adding/removing a rule through the popup panel matrix should be obvious enough to understand what will end up blocked/allowed.
As I mentioned on /r/netsec it's valid to point out the author does shady shit, but the title is clickbaity at best - the NoScript website advertises malware, there is no evidence that NoScript itself is harmful to the user. And btw you shouldn't let your extensions auto-update on Firefox anyway, especially if you use Tor, as it's vulnerable to MITM as someone posted here a few days ago. I might switch to uMatrix, but I don't really have the time right now to learn it.
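The precedence described in the comment above (narrower rules override broader ones), combined with the four-field `* hostname * block` rule shape and the per-site cloudfront.net example from earlier in the thread, as an added example that is not part of any comment and is not uMatrix's own code. It is a simplified model: the tie-break order (scope, then destination, then type), the block-on-tie choice and every hostname in the ruleset are assumptions of this example.

```javascript
// Simplified model of uMatrix-style rules: "scope destination type action".
// Assumption of this example: the winning rule has the narrowest scope, then
// the narrowest destination, then a specific type over "*". The real
// extension also handles 1st-party cells and registrable domains.

// Constructed ruleset (hostnames are placeholders chosen for the example).
const SAMPLE_RULES = `
# global defaults
* * * block
* * css allow
* * image allow
* ajax.googleapis.com script allow
# hosts-file style entry: block everything from this host everywhere
* tracker.example * block
# per-site rules
mybank.example mybank.example * allow
mybank.example cloudfront.net script allow
news.example cloudfront.net script block
`;

function parseRules(text) {
  const rules = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const fields = line.split(/\s+/);
    if (fields.length !== 4) throw new Error(`bad rule: "${line}"`);
    const [scope, destination, type, action] = fields.map(f => f.toLowerCase());
    if (action !== 'allow' && action !== 'block') {
      throw new Error(`bad action in rule: "${line}"`);
    }
    rules.push({ scope, destination, type, action, text: line });
  }
  return rules;
}

// How specifically a rule hostname covers a real hostname:
// -1 = does not cover it, 0 = wildcard, n = number of labels matched.
// Matching is on label boundaries, so "cloudfront.net" covers
// "d111.cloudfront.net" but never "evilcloudfront.net".
function hostSpecificity(pattern, hostname) {
  if (pattern === '*') return 0;
  if (hostname === pattern || hostname.endsWith('.' + pattern)) {
    return pattern.split('.').length;
  }
  return -1;
}

function compareRank(a, b) {
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Decide one request: pageHost is the site in the address bar,
// requestHost is where the resource comes from, type is e.g. "script".
function evaluate(rules, pageHost, requestHost, type) {
  const page = pageHost.toLowerCase();
  const dest = requestHost.toLowerCase();
  let best = null;
  for (const rule of rules) {
    const s = hostSpecificity(rule.scope, page);
    const d = hostSpecificity(rule.destination, dest);
    if (s < 0 || d < 0) continue;
    if (rule.type !== '*' && rule.type !== type) continue;
    const rank = [s, d, rule.type === '*' ? 0 : 1];
    const cmp = best === null ? 1 : compareRank(rank, best.rank);
    // On an exact tie, prefer the blocking rule (fail closed).
    if (cmp > 0 || (cmp === 0 && rule.action === 'block')) {
      best = { rule, rank };
    }
  }
  // No rule at all: treat as blocked (default deny).
  if (best === null) return { action: 'block', rule: null };
  return { action: best.rule.action, rule: best.rule.text };
}

// Walk a few constructed requests through the ruleset.
const demoRules = parseRules(SAMPLE_RULES);
for (const [page, dest, type] of [
  ['www.mybank.example', 'd111.cloudfront.net', 'script'],
  ['blog.example', 'd111.cloudfront.net', 'script'],
  ['www.mybank.example', 'evilcloudfront.net', 'script'],
  ['mybank.example', 'cdn.tracker.example', 'image'],
]) {
  const verdict = evaluate(demoRules, page, dest, type);
  console.log(`${page} -> ${dest} [${type}]: ${verdict.action} (${verdict.rule})`);
}
```

The last request shows why ordering matters: the host-specific block on tracker.example outranks the broad "allow images everywhere" rule, so an image from a listed host stays blocked.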
> there is no evidence that NoScript itself is harmful
The article states that every time the plugin updates, it automatically opens up a webpage that serves malware. So technically the article is not wrong. NoScript forces your browser to open a malicious page, therefore it can be considered itself harmful.
It opens a page with an advertisement link for "Speedup My PC", not even the article claims that it serves malware, just that it "promotes" it. Going by the description of the detected malware signatures Speedup My PC isn't even harmful by itself, it just is snake oil with no real use beyond selling its own license.
Unless you click the link, download the exe, install it, fall for the detected issues notification and then proceed to buy a license nothing will happen.
Some users will fall for it though. The author wouldn't do it if they didn't make money from it. I think it's wrong to support such shady stuff that will harm some percent of its users.
Even "harm" is a bit of an overstatement if josefx is right, because if anyone pays money they do so on purpose, and they get value back in the form of the extension.
Absolutely. To the extent it's serviceable. I however don't trust every app on Apple's appstore merely for passing review. I wouldn't be too scared to still use NoScript, but if there are alternatives why would I?
When you first install it, you have to restart Firefox to complete the install and access the config menu. When you restart Firefox, it automatically loads the Noscript website to display.
You have to disconnect from the internet, restart Firefox, let it fail to load the page, then go to the settings menu and uncheck the box.
That's funny. I have never seen the ad, I think, because NoScript blocks it by default, can't imagine this self defeating practice yields any substantial income.
> And btw you shouldn't let your extensions auto-update on Firefox anyway, especially if you use Tor, as it's vulnerable to MITM as someone posted here a few days ago.
This was fixed in Tor Browser 6.0.5[1] and Firefox 49[2]. Worth noting that the attack required a publicly-trusted certificate for addons.mozilla.org, which makes this a bit harder than just a run-of-the-mill MitM attack, though certainly possible for nation-state actors and the likes.
> Since I can't in good conscience recommend it to normal people I am considering it harmful.
You can't really recommend it to normal people even without considering the author's advertising practices. NoScript is a tool for power users who understand a few things about how the web works.
I can second this. Recently migrated from NoScript to uMatrix. I was finally confident enough to put NoScript to "globally allow all" mode this week and use uMatrix alone for controlling scripting permissions. (After reading this disabled NoScript altogether.)
uMatrix allows more fine-grained control than NoScript. It's basically based on three contexts (scopes): host, domain and global, but my experience is I only ever use the global and domain scopes. I would recommend starting by globally white-listing the popular CDNs (so scripts on all sites delivered e.g. through Google's CDN are always executed and <script> snippets to integrate Google widgets work).
Then, for a majority of trusted sites it's enough to just white-list the local domain (allow executing scripts from example.com when you are visiting example.com sites). Scripts included on foobar.org from example.com still remain blocked – this is the crucial difference between global and local scopes that NoScript doesn't lend to.
I would recommend always allowing XHR and iframes in the site-local scope. IIRC this is not in the default config but since XHR anyway requires scripting you can then easily control both XHR / scripting by just white-listing the site for scripting. So this is my uMatrix base configuration currently and a good starting point for migrating from NoScript:
I.e. CSS / images allowed from all sources (except those blocked explicitly). Cookies, frames and XHR allowed from the same site you are currently visiting. Only scripting must be allowed per-site, just like with NoScript.
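The scoping this comment describes, as an added example that is not part of the original thread and not uMatrix's own code: a simplified JavaScript model of global and site-scoped allow/block rules. The rule layout, the function names, the sample hostnames and the "most specific rule wins" ordering are assumptions made for illustration.

```javascript
// Simplified model of scoped matrix rules (an assumption for illustration,
// not uMatrix's real evaluation code). Rule: [scope, destination, type, action].
// The rule set is constructed to mirror the base configuration described above.
const RULES = [
  ['*', '*', '*', 'block'],                          // default deny
  ['*', '*', 'css', 'allow'],                        // CSS from all sources
  ['*', '*', 'image', 'allow'],                      // images from all sources
  ['*', '1st-party', 'cookie', 'allow'],             // same-site cookies
  ['*', '1st-party', 'frame', 'allow'],              // same-site frames
  ['*', '1st-party', 'xhr', 'allow'],                // same-site XHR
  ['*', 'ajax.googleapis.com', 'script', 'allow'],   // global CDN white-list
  ['example.com', 'example.com', 'script', 'allow'], // per-site scripting
];

// Naive "site" = last two labels. Real code needs the Public Suffix List.
function site(host) {
  return host.split('.').slice(-2).join('.');
}

// True when host equals domain or is a subdomain of it.
function within(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Returns 'allow' or 'block' for a request of `type` from pageHost to reqHost.
function decide(pageHost, reqHost, type, rules = RULES) {
  let best = null;
  for (const [scope, dest, rtype, action] of rules) {
    const scopeOk = scope === '*' || within(pageHost, scope);
    const destOk = dest === '*' ||
      (dest === '1st-party' ? site(pageHost) === site(reqHost) : within(reqHost, dest));
    const typeOk = rtype === '*' || rtype === type;
    if (!scopeOk || !destOk || !typeOk) continue;
    // Specificity: site scope beats global scope, a named host beats
    // 1st-party beats '*', and a named type beats '*'.
    const score = (scope === '*' ? 0 : 100) +
      (dest === '*' ? 0 : dest === '1st-party' ? 10 : 20) +
      (rtype === '*' ? 0 : 1);
    // On a tie, block wins.
    if (!best || score > best.score || (score === best.score && action === 'block')) {
      best = { score, action };
    }
  }
  return best ? best.action : 'block';
}
```

In this model a script from example.com runs only on example.com pages, while the CDN rule in the global scope applies on every page.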
It wasn't circumventing the filters just to show ads. It was circumventing the filters because the filters were blocking everything, including the install extension button.
The article never substantiates the claim that "NoScript is harmful". They talk about NoScript's website serving questionable software, not NoScript itself.
Phew, for a moment there I thought it was a drive-by installer. I am mortified of these as it already happened to me while casually browsing the web. Nah, it's just a plain old exe you download and execute if you're dumb.
That people are dumb, for whatever definition of dumb we feel like adhering to today, does little against the fact that someone promoting their extension as a security mechanism goes above and beyond to try and get you to install some malware.
The difference between drive-by viruses and downloadable exe viruses that have to be manually executed is like the difference between someone who pretends to be your relative to convince you to give him money and someone who robs you at gunpoint. You're immune to one thing if you're not gullible and dumb, but completely powerless against the other, all it takes is unfortunate circumstances. Now, both are bad, of course, but one is vastly more concerning and hard to protect oneself against.
I recently had to go back to NoScript after browsing with uBlock for a month. I was on a random webpage and all of a sudden the browser would not close, and some lady was telling me "to call this number my computer is infected". I seriously doubt the author of NoScript was trying to infect people with malware. He might have made sure you see ads by disabling filters, but the malware is a problem with ads in general. In other words, browsing without NoScript is risky.
Edit: It was uBlock Origin. NoScript is the only thing that works but I have no idea if the guy is shady or not. Keep in mind I install the DEV edition so this has never happened to me.
By default, uBlock Origin ("uBO") works with a set of block lists, it does not block javascript -- out of the box you can't compare NoScript to uBO, they are two different things, it's not a case of "which one to use?".
Given the symptoms you describe, it seems you went to a site which launched popups. This is usually addressed by filters in the default block lists (EasyList, etc.), but when there is no filter, unwanted popups may occur. One solution is to report it to the block list maintainers, so that they can add a filter. There is also a per-site switch in uBO to unconditionally block all popups for a given site -- so no need to wait for a filter.
That said, you can block scripts by default with uBO if you want. It also allows blocking specifically all inline script tags on a page without disabling all javascript.
uBO works well with NoScript, and many people use it in concert with NoScript; they consider that the two complement each other well.
Something that is only happening because we let ad networks and advertisers push all the shit they want on our webpages. How long before we actually start vetting (for nuisance and performance) what is put below users' eyes?
A lot of the big name antivirus companies don't report this as a malicious file (according to these tools).
e.g. looking at the first scan results Ad-Aware, Avast, BitDefender, Symantec, etc., etc., all find no problem with the file.
The obfuscation would be needed to load ads for the market that NoScript is targeting. To get ad revenue they would need some system to load the ads [as if] from the local server or they'll get blocked. Indeed, isn't this what people often ask for from adverts: that they won't use external providers, in order to improve page-load times? If you look at the source for the page at noscript.net you see that the section is tagged as if it's included code from an automated script. So yes, he's clearly gone to trouble to hide the ad, but that's because it's an ad and not necessarily because it's malicious.
So, it hinges on whether the speedupmypc.exe is truly malicious IMO. Cnet & Tucows endorse it, not sure that tells us much ... installing the app (on a vbox) it looks like a reasonably useful app after the type of PC-decrapifier or CC or whatever. I got a freemium app which gave a scan (results looked kosher) and offered a £20 unlock to fix the issues found.
Not the greatest software but not quite what I'd call malware. Perhaps oversold-stuff-people-dont-really-need-ware??
https://github.com/gorhill/uMatrix