NoScript is harmful and promotes malware (surge.sh)
397 points by angry-hacker on Oct 2, 2016 | 179 comments

Alternative: uMatrix


Made by the same developer of uBlock Origin, allows blocking of Javascript and other aspects of the site.

I switched awhile back and found it somewhat more usable than NoScript, insofar as it usually allows Javascript on the local site by default, while automatically blocking JS on third-party domains. There are some growing pains associated with it, as there are with NS. Some of the drawbacks I've noticed:

- It will take about three or four refreshes before you can whitelist everything necessary to get Youtube working. First youtube, then s.ytimg.com, then googlevideo.com, THEN you might finally get a video.

- Any page with a Google Captcha on it will take several refreshes to completely let them through. This is particularly irritating if there's a captcha on a form.

- Anything which needs to reach out to jquery, ajax, etc. will fail. But you should be able to whitelist those once then add them to your permanent whitelist.

- I have yet to find a good tutorial for uMatrix yet on how to make some pre-defined rules for common sites. That would greatly reduce the learning curve.

Another alternative: uBlock Origin with "advanced mode" enabled. You can tell it to globally block "inline scripts", "1st-party scripts", "3rd-party scripts", and "3rd-party frames", and selectively undo that block when needed. See https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-qu... for an explanation with screenshots.

uMatrix provides a more fine grained approach to blocking and has an interface to match this. uBlock's interface can be easier for a more coarse grained approach (see dynamic filtering, medium mode).

I never tried uMatrix. uBlock has the ability to block a particular set of links e.g. abc.com/min/* and whitelist some links within that set e.g. abc.com/min//.png. I think that's a fine grain approach. Can uMatrix do things like this?

Here is a quick tutorial showing what uMatrix can do https://github.com/gorhill/uMatrix/wiki/Very-bare-walkthroug.... As you can see, it gives you an easier way to have fine-grained control of each individual type of resource. It also allows you to configure third-party domain resources globally, or per domain. This allows you to do something like allow youtube embedding (js + xhr) on all websites at once.

NoScript provides many features that uMatrix does not:

* Shift+click on host name, and pull up info on trustability from NoScript.net database

* Filters WebGL, XSLT, @font-face

* Sophisticated XSS protection: Look up XSS on these pages:



* CSRF protection

* Clearclick: Detects invisible elements which cover clicked visible elements


* A pretty sophisticated firewall in your browser, Application Boundaries Enforcer (ABE), where you can even write your own policies:

"Living inside the browser, the ABE component can take advantage of its privileged placement for enforcing web application boundaries, because it always knows the real origin of each HTTP request"

"Many of the threats NoScript is currently capable of handling, such as XSS, CSRF or ClickJacking, have one common evil root: lack of proper isolation at the web application level."

"The idea behind the Application Boundaries Enforcer (ABE) module is hardening the web application oriented protections ... by delivering a firewall-like component running inside the browser ... specialized in defining and guarding the boundaries of each sensitive web application"

More here: https://noscript.net/abe/

Also, there's a project to create a GUI for just the ABE component, called SABER.


I do find it ironic that people assume that NoScript's only feature is the one that is the most hassle to use. The more passive always-on protections get overlooked, and people recommend as equivalent alternatives extensions that only provide a better UI for the domain-based script blocking, while not providing the defense in depth that NoScript has.

Not sure if this is considered bad practice, but I have uMatrix installed with noscript. I use uMatrix for script blocking and have noscript set to globally allow scripts, with ABE, XSS, clickjacking, etc protection enabled to cover the weak points of uMatrix.

Why would it be bad practice?

Perhaps bad practice was the wrong word. Unnecessary might have been a better word.

Some of these features can be accomplished simply through blocking javascript.

Which ones are you thinking about?

Sometimes you want to enable JavaScript and still be protected from attacks.

For us tech-savvy people that might be an option. But for the average user it's not. Too many things don't work. I use Privacy Badger and install it on every system that I maintain. It's simple and clean, and set up by an organisation that doesn't need shady ads on its website.

"Shift+click on host name, and pull up info on trustability from NoScript.net database"

The irony of that is staggering given NoScript being busted for spreading malware in this story.

The report includes only links to third-party information, eg.: https://noscript.net/about/news.ycombinator.com;news.ycombin...

> It will take about three or four refreshes before you can whitelist everything necessary to get Youtube working. First youtube, then s.ytimg.com, then googlevideo.com, THEN you might finally get a video.

> Any page with a Google Captcha on it will take several refreshes to completely let them through. This is particularly irritating if there's a captcha on a form.

> Anything which needs to reach out to jquery, ajax, etc. will fail. But you should be able to whitelist those once then add them to your permanent whitelist.

These should all be one time deals though. You can whitelist some or all of this stuff in the global scope so it applies to all web pages (if you want to do this). For example you can whitelist the youtube stuff in the global scope so that any page which has embedded youtube videos will show them. This should be a safe practice as the google domains should generally be trustable.

Or don't do this. And whitelist it on a site by site basis. The choice is yours.

You say uMatrix is "somewhat more usable than NoScript, insofar as it usually allows Javascript on the local site by default, while automatically blocking JS on third-party domains"

But that's exactly the default I do not want. One of the main reasons I use NoScript in the first place is to protect against Javascript vulnerabilities. If the default is to enable Javascript, that defeats that protection.

Security is a sliding scale. I could stay home all day and wear big pads with sirens on saying "DON'T TOUCH ME", but I choose to drive a car at 70mph, walk alongside busy roads and load 1st party JS from sites.

My rationale is that I've chosen to go to a site, and most JS dangers are served from ad networks and trackers. Not typically from the site itself.

I let JavaScript run, but not by default, so it's like "before getting in someone else's car for the first time, I check the brakes work before going 70mph".

Of course, as long as we don't try to force our preferences on each other, we can both browse the web however we like.

You can change this behavior in both NoScript and uMatrix. In uMatrix all you have to do is disable first party scripts in the global (*) profile. NoScript defaults to the opposite (don't allow any scripts) but the behavior can be changed to allow first party scripts by default.

How do I disable scripts for just one site? I tried to use uMatrix once as it was suggested as the alternative of noscript for chrome. I just wanted to get rid of those annoying anti-adblock popups on wired.com. However every setting I tried on the drop down menu failed to block javascript, or just blocked all content on the domain wired.com. I tried going deeper into the settings but I found the user interface confusing and nothing was labelled. It's definitely not a convenient alternative for noscript/javascript blocking. Even if it may be possible to achieve that with it.

Make the script column for the host you want to block red/blue. Then make sure to save if it worked as intended.

Other default settings in uMatrix:

uMatrix comes with many hosts files enabled[1], so even if working in allow-all/block-exceptionally, most trackers/ads and whatnot will still be blocked.

There are no pre-whitelisted (aka "trusted") 3rd-party hostnames in uMatrix; that will be for you to decide.

The default in uMatrix, in full view in the popup panel, can be changed with a few clicks from the main popup panel, and you can also remove all the default whitelisted hostnames in NoScript.

[1] entries are translated into `* hostname * block`.

You can toggle it on both extensions.

How much of the 2016 Web is usable without JS?

It depends what you do on the web. To use web applications, obviously you need JavaScript. To read text, you generally don't. Also, even when you do need JavaScript, you generally need it from the original host and maybe one other (e.g., googleapis.com); you don't need it from the analytics and advertising hosts, for example.

Buying things with security add-ons installed sometimes can be tricky: When you click 'buy', the host site sometimes contacts destinations that were previously unknown to your browser (payment processors, etc.), meaning you wouldn't know to enable them. You may hesitate to reconfigure NoScript/uMatrix and reload because you don't know if you are making multiple payments or placing multiple orders.

On the positive side, uMatrix and NoScript can remember what you enabled to get that page working, so you configure them the first time you visit the site and then forget it. NoScript's configurations are less granular, however, which may discourage permanently allowing some things:


(But NoScript has many more security features:

https://news.ycombinator.com/item?id=12624596 )

> To read text, you generally don't.

This is becoming less and less true unfortunately, thanks to stupidly designed (e.g., not progressively designed) JS frameworks.

I'm using NoScript and I temporarily enable JS on sites.

Usually sites work well enough by enabling 1st party JS and sometimes not even all of them. I lose all the code from tracking and monitoring services, which I really don't care about. I gain a much faster browsing experience.

Then there are sites with CDNs, and I have to enable them to see some content. Or Disqus comments, must enable to read them. Then there are some sites that are like a puzzle and I can't understand what to enable. I either give up (lose-lose) or read them in a browser I use for that kind of sites (I lose, they win). Then there are sites with content embedded in the JavaScript (I really mean in the script, not loaded by the script) or in some invisible element that only JS can make visible. Forbes is one of them and the one I hate most. I did a short script to deobfuscate the content at a Forbes URL and display it in a browser.

By using NoScript I appreciate how useless JavaScript is on some sites: there is no reason not to serve basic content (text and most of the images) directly and use JS only to enhance it. Examples: to add comments, to zoom into images, to load the next article - which has its own URL anyway.

A pretty good amount. For instance, HN is barely degraded at all. Voting causes a full page refresh, but that's about it.

Some news organizations implement their paywalls with JS. It gets rid of a lot of annoying ads and scroll-behavior modifications. It actually makes some sites subjectively better.

> For instance, HN is barely degraded at all.

HN isn't the 2016 web at all. Not that you fundamentally need JavaScript, but HN's HTML hearkens back to the pre-CSS table-driven web.

Most of the time you just enable the scripts with domain name and "cdn" in them. Sometimes, it's trial and error to find the right combo but I usually get it in first guesses. I've found that the sites that were too much trouble I just skip, momentarily irritated I didn't see the content, and then forget about that site. I can't say I've lost anything major boycotting the worst offenders.

> HN isn't the 2016 web at all.

Yes but when visiting a website with JS turned off, the site can still be progressively enhanced similar to how an electric stairs still works when the power is switched off. Users of the stairs still get to climb it, but now they have to put in extra effort.

> Yes but when visiting a website with JS turned off, the site can still be progressively enhanced similar to how an electric stairs still works when the power is switched off.

It can, but sites often don't test that path (if they develop it at all), because it only applies to people who intentionally disable JavaScript.

Once upon a time, screen readers and similar accessibility software didn't work well with JavaScript, so better sites would pay attention to that case for accessibility. However, screen readers work fine with standard browsers and JavaScript now, which makes the "JavaScript disabled" case an incredibly tiny fraction of web users. (In fact, Mozilla found a few years ago that there were far more users with JavaScript accidentally disabled than people who actually wanted it disabled.) So, handling disabled JavaScript by just saying "you seem to have disabled JavaScript; you should fix that" really does seem appropriate for the proportional amount of time worth spending on that tiny subset of users.

That said, know your target audience. If you're building a mainstream consumer product, the proportional amount of time worth spending on running with JavaScript disabled rounds to zero. If you're building a product catering to a smaller subset of users, and you expect people with JavaScript disabled to represent a much larger fraction of your potential users, by all means take the extra development time to make that case work well.

Enabling first-party scripts makes most of it usable, but not all. Disabling first-party scripts means probably about 50% is still useful. The internet seems so much 'quieter' with NoScript installed...

A lot of it is unusable with JS, and progressively getting worse.

A more useful alternative may be disabling JavaScript globally, and maintaining a clearlist of sites allowed to run it.

Or combine this with uMatrix, giving yourself a global blocklist with 3rd party granularity on the sites you do clearlist.

Was this comment really so unhelpful as to merit a downvote?

>One of the main reasons I use NoScript in the first place is to protect against Javascript vulnerabilities

All 0 of them?

You've received downvotes, but you're not wrong. Javascript security used to be a concern, but that's been effectively eliminated with modern browser design.

Code is sandboxed, processes are isolated, OS-level security is used on top of that. The few CVEs that show up are reported quickly via browser bounties or in-house testing. People claim bounties are ineffective, but how many exploits have we really seen emerge from "black markets" or other sources?

I ran without JS for a few years and then realized it was making my online experience more miserable than it needed to be. I can't remember the last time I actually saw a computer "infected" just from visiting a website, and not through social engineering. Can you?

The bottom line is that the margin for being compromised via JS is so small that it might as well not exist. If you disable it because privacy or surveillance or whatever else, that's your prerogative. But the security issue is completely overstated and largely misinformed.

If you use Firefox, you could add https://addons.mozilla.org/de/firefox/addon/decentraleyes/ , it might make the common CDN stuff easier.

Another advantage is uMatrix on Firefox is already multiprocess compatible and NoScript is not.

> insofar as it usually allows Javascript on the local site by default

NoScript can do this too BTW. The web is almost unusable without that setting enabled.

The drawbacks you identified are exactly the same on NoScript so they should not be used as a reason to pick one over the other.

It takes a LONG time to get a good list of whitelisted sites, now that mine is more or less usable I don't intend to switch - especially since I disabled the "show webpage with ads" thing on NoScript, so I don't have the problem in the article.

One advantage of uMatrix: You can filter based on host-destination pairs.

That is, in NoScript you can only filter based on the destination. For example, if you allow one site to run scripts from cloudfront.net, every site can. Effectively, the rules are:

  DENY  * *
  ALLOW * cloudfront.net

In uMatrix, you can write rules based on host-destination pairs, permitting scripts from, e.g., cloudfront.net to run on your bank's website but not on any others:

  DENY  * *
  ALLOW mybank.com cloudfront.net

Finally, you can filter by host & destination & function:

  DENY  * *
  ALLOW mybank.com cloudfront.net JavaScript

... which would not allow plugins, images, CSS or anything else from cloudfront.net, only JavaScript.

EDIT: Add, improve examples
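The host/destination/type rules sketched in the comment above, and the footnote earlier in the thread saying that hosts-file entries are translated into `* hostname * block` rules, both describe the same kind of matching. The following is an added example, not uMatrix's or NoScript's own code: a small evaluator that parses `source destination type action` rules, translates a hosts-file excerpt into block rules, and decides a request by the most specific matching rule. The `1st-party` keyword, the specificity ordering (source, then destination, then type), the "registrable domain equals last two labels" shortcut and the sample rules and tracker hostnames are all assumptions or constructed data; real uMatrix precedence is more nuanced than this.

```python
"""Toy evaluator for source/destination/type request rules (added example).

Assumptions: rules are `source destination type action` lines with `*`
wildcards and a `1st-party` destination keyword; the most specific matching
rule wins (source, then destination, then type). Registrable domain is
approximated by the last two labels (no public-suffix list).
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    source: str   # page hostname, or "*"
    dest: str     # request hostname, "1st-party", or "*"
    rtype: str    # request type such as "script", "image", "css", or "*"
    action: str   # "allow" or "block"


def registrable(host: str) -> str:
    """Approximate registrable domain: last two labels (assumption)."""
    return ".".join(host.split(".")[-2:])


def host_matches(pattern: str, host: str, page: str) -> bool:
    """'*' matches anything; '1st-party' matches hosts in the page's own
    domain; a hostname pattern matches itself and its subdomains."""
    if pattern == "*":
        return True
    if pattern == "1st-party":
        return registrable(host) == registrable(page)
    return host == pattern or host.endswith("." + pattern)


def pattern_rank(pattern: str) -> int:
    """Higher means more specific: '*' < '1st-party' < explicit hostname."""
    if pattern == "*":
        return 0
    if pattern == "1st-party":
        return 1
    return 1 + len(pattern)


def parse_rules(text: str) -> List[Rule]:
    """Parse `source destination type action` lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("allow", "block"):
            raise ValueError(f"bad rule line: {raw!r}")
        rules.append(Rule(*parts))
    return rules


# Names a hosts file maps to loopback that should not become block rules.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "0.0.0.0"}


def hosts_file_to_rules(text: str) -> List[Rule]:
    """Translate hosts-file entries ('0.0.0.0 tracker.example') into
    `* hostname * block` rules, as the footnote in the thread describes."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        for host in parts[1:]:          # parts[0] is the IP address
            if host not in LOCAL_NAMES:
                rules.append(Rule("*", host, "*", "block"))
    return rules


def decide(rules: List[Rule], page: str, dest: str, rtype: str) -> str:
    """Return 'allow' or 'block' for a request of type `rtype` to `dest`
    made by a page at `page`. Default is block when nothing matches."""
    best_key: Tuple[int, int, int] = (-1, -1, -1)
    best_action = "block"
    for r in rules:
        if not (host_matches(r.source, page, page)
                and host_matches(r.dest, dest, page)
                and r.rtype in ("*", rtype)):
            continue
        key = (pattern_rank(r.source), pattern_rank(r.dest),
               0 if r.rtype == "*" else 1)
        if key > best_key:       # a more specific rule overrides a broader one
            best_key, best_action = key, r.action
    return best_action


# Constructed sample rule set: deny all, allow images/CSS everywhere, allow
# 1st-party scripts, and allow cloudfront.net scripts only on the bank's site.
SAMPLE_RULES = parse_rules("""
* * * block
* * image allow
* * css allow
* 1st-party script allow
mybank.com cloudfront.net script allow
""")

# Constructed hosts-file excerpt; the tracker hostnames are made up.
SAMPLE_HOSTS = """
127.0.0.1 localhost
0.0.0.0 tracker.example       # made-up tracker
0.0.0.0 ads.tracker.example
"""
ALL_RULES = SAMPLE_RULES + hosts_file_to_rules(SAMPLE_HOSTS)

if __name__ == "__main__":
    for page, dest, rtype in [("www.mybank.com", "cloudfront.net", "script"),
                              ("news.example", "cloudfront.net", "script"),
                              ("tracker.example", "tracker.example", "script")]:
        print(page, "->", dest, rtype, decide(ALL_RULES, page, dest, rtype))
```

Two things the evaluator makes visible: a destination allowed for one page (`mybank.com cloudfront.net script allow`) stays blocked for every other page, which is the host-destination pairing the comment is about, and a hosts-file block rule outranks the `1st-party` allow, so a listed tracker is blocked even when it is the page you are visiting.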

Google, Bing, Gmail, Yahoo Mail, Facebook, Twitter, Reddit, HN, Slashdot, and Github all work with Javascript disabled. If a site does not (e.g., Office 365, Slack, Instagram), that tells me something about the competence of the developers they are willing to hire.

> If a site does not (e.g., Office 365, Slack, Instagram), that tells me something about the competence of the developers they are willing to hire.

How exactly do you think Slack is supposed to work without JavaScript? It's probably the poster child of why web applications need JS.

It could just post the current chat via plaintext up until that point. Yes, you'd have to manually refresh to see updates, etc, but if you are blocking JS, you should expect reduced functionality of web-apps.

I think Slack can be forgiven for not catering to people who basically don't want a chat application to function as a chat application.

It's the outdated notion that "the web is still a collection of hypertext documents". Yet the reality is that JS webapps have been the standard for some time now, and won't be going away any time soon.

I agree the trend is toward thick Javascript apps, but I call that the death of the web and a wholesale regression to client/server architecture where data is entombed and only usable by a single piece of software that you don't maintain.

That's a pretty harrowing view. I see the movement of logic from the server to the client as liberating, personally, as it gives me more control over it.

Javascript is open source by its very nature. So if I wanted to tweak how Slack works, for instance, I can do so via extensions or writing code myself. In the cases of completely client-side apps, I can even back them up for my own use, such as I've done with a regex testing tool.

You've referred to it as a regression, but let me give you an example like Twitter. Would it make sense to have the server generate the HTML for each and every request, and then send that as a new page whenever you click a link? It's actually much faster to instead have the client send a small AJAX request (give me tweet #3242565), the server respond with that data, and then the client to update the page with it.

Twitter on its face is pretty simple. There's only a few template pages it needs to know ahead of time (timeline, individual tweet). So by moving to a data passing model you actually send far less data. The "javascript payload" being too large can be mitigated by rendering on the server for the first view, as is done in React.

In the case of Twitter, you're still dependent on the server for info either way. But this lets you conserve data, reduces server load, and yields a faster client interaction.

As I said, the web isn't static documents anymore. We've moved beyond that and it's actually pretty great. HN's overall position on this subject disappoints me for that reason.

Does Google Docs work without Javascript?

IIRC you can only view the document, which makes sense.

> The web is almost unusable without that setting enabled.

The web (i.e., the web of hypertext documents linked together) is perfectly usable with JavaScript disabled; what doesn't work are all the single-page apps which hijack the web's infrastructure in order to break it. This is somewhat like a medicine which does not interfere with the operation of human cells but which disrupts the replication of viruses.

Another alternative (for Mozilla-based browsers): LibreJS

https://www.gnu.org/software/librejs/ https://ftp.gnu.org/gnu/librejs/gnu_librejs-6.0.13-fx.xpi

- Blocks non-free Javascript

LibreJS is not a security tool, and the filtering it provides is fairly easy to bypass.

Here's the site that ad on noscript.net takes you to: uniblue.com/cm/deletedcmunits/speedupmypc/spdeletedcmunits/download/?aff=3257&x-at=noscriptt1 After 4-5 clicks, the exe finally downloaded. Seems like a lot of work to download malware doesn't it?

So I downloaded the exe and uploaded it to Kaspersky's online scanner https://scan.kaspersky.com/Home/Result and it says the file is safe.

It almost seems like he has an axe to grind or something. Maybe I'm just reading too much into such a terrible article, and it's just that though.

I tried with the https://www.metadefender.com and it is definitely malware - look at the whole result: https://www.metadefender.com/#!/results/file/e585b55af12e497...

> 3 / 42

> Only a few scan engines detected this file as a threat. If you think it might be a false positive, find out how to contact the engine vendor on our blog.

That is one hell of a "definitely". The only specific entry has it as "Riskware/SpeedUpMyPC" which, after a quick google, states it is "unwanted software". Pro tip: if you don't want it, don't install it, NoScript certainly does not force or trick you to install it.

Upload to virus total, passing one scanner isn't enough.

I did that, and, it seems that although it fails some virus scanners, it would be what I like to call a false positive.

Just to link a description of what one of them found: https://www.symantec.com/security_response/writeup.jsp?docid...

Basically it could be an unwanted application that "The application reports an exaggerated number of problems."

Shitty software? Sure. Malware? Not to me. YMMV.

Here's a screen shot of the ones it failed from that total scanner: https://i.imgur.com/vwy9sXY.jpg

Virus Total is not a one-way stop. It only does some detection, not comparable to actually executing the malware itself. No results do not mean clean!

Summary of the article:

The noscript website is showing ads which are installing malware. (typical clean your computer [with a trojan] bullshit)

Bonus: The extension goes the extra mile to disable specific adblock filters during its installation + the website is displayed automatically on every extension update.

Important thing to note, the ad the article is talking about is hardcoded and always shows up to windows users.

This isn't a case of someone using a shady ad network, this is a case of the noscript author knowingly trying to get their users to download and install malware.

Edit: As another user pointed out lower in this submission. The software isn't exactly malware, and does do what it says on the box.

If that's the case, this isn't really an issue to me. It's just an ad for software that I have no need for.

> the ad the article is talking about is hardcoded and always shows up to windows users

NoScript has a checkbox to disable displaying the page on updates.

That doesn't change the fact that the ad is always displayed to any windows users that visit the website.

Even if this page was never shown during install/updates, it would still be an issue.

Is it really too much to ask that the author of a security/privacy related application not try to push malware?

Exactly. I find it bizarre that so many here seem to see this as no big issue. An application touting itself as something to keep you safe on the web uses its website to advertise malware, and the author of this application goes to great lengths to make its ad for this malware as difficult to block as possible - even for users who've gone to the trouble of protecting themselves (i.e. by installing an adblocker). Why anyone would want to downplay this or continue to use an application from someone who does this is beyond me.

As another user pointed out lower in this submission. The software isn't exactly malware, and does do what it says on the box.

If that's the case, this isn't really an issue to me. It's just an ad for software that I have no need for.

The software reportedly tells you there are problems with your computer when none actually exist. That's shady at best and fraudulent at worst.

Depends on what your definition of a problem is. Even a fresh Windows install is going to have deletable temp files.

Really the worst thing you can say about that app is that it's overpriced. It's doing nothing that ccleaner doesn't do for free.

It's still enabled by default.

I might be misinterpreting what you're saying. But it almost sounds like you're saying this is not such a bad thing.

I would regardless ask the question in the punchline of the article: "why would you trust a security suite when they pull tricks like that"? (not verbatim)

You're misinterpreting. I am simply giving the main points of the article so people can follow the news without reading everything.

In American English this is generally called a summary. Your use of "resume" confused me here as well.


What to use instead? Having scripts disabled by default saves battery life significantly.

uMatrix! It's a brilliant addon that lets you control what gets run at a pretty fine-grained level (per domain, per subdomain, whitelists can be local to a site, etc) without being at all clunky (easier to use than NoScript in spite of being more flexible).

uBlock Origin and uMatrix works great :)


Damn! I took the click-bait. For more on the so-called harm, here's a good summary of giorgio & wlad's pissing contest:


Maybe Mozilla could take a few days off from Flash and PDF and build in some good white-listing features. It's the last feature browsers actually need. After that it's nothing but speed and security.

That wasn't really released last week. It's been in Firefox and default-enabled in Private Browsing for probably a year already. This just enables it in normal browsing as well, and they've only published it via Test Pilot for testing, as you could already enable it in normal browsing before by setting "privacy.trackingprotection.enabled" in about:config to true.

It tells me I need Javascript. Ironic, no?

That does not seem to offer the detailed control that noscript does.

Nor would I expect it to - that's what extensions are for. This is a one-click tool.

It's the last feature browsers actually need.

What browsers still actually need is a really good way of dealing with certificates. The current mess is a sad joke.

I've tried things like Certificate Patrol, but that has tremendous problems in everyday usage. Browsers do a little bit of pinning, but security for the vast majority of sites is still dependent on the non-malfeasance of each and every one of the hundreds of certificate authorities that are trusted by default.

IMO that is problem #1, and it's been problem #1 for a decade or more. Mozilla takes in about $300 million a year, but I guess certificates are just too difficult a problem to solve properly with such a paltry sum of money.

I for one would love if mozilla built in some javascript controls in by default.

The old Opera had javascript per-url white-listing built-in, and the same for the extensions, and I believe that the new Chromium-based one doesn't.

The Chrome extension also lacks what the old Opera had.

Another sleazy thing...

The NoScript site calls the code "open source" and "Free Software" (complete with a link to the FSF), but nowhere on the site can I find the source code.

I searched GitHub and didn't find any source code from the NoScript author there either.

As far as I can tell, the only way to get the source code is to actually install the extension and then extract the code from there.

It appears that GitHub user 'avian2' did exactly that:


Thanks avian2! And no thanks to the NoScript author.

An XPI is just a zip file. You can download it without installing it.

Not as convenient as a github repo, but equally open source.

Yeah we should not forget that Firefox extensions became popular because most of the UI was made out of XML and JS.

Ah, thank you. In that case, I stand corrected!

I prefer to turn JavaScript off in the browser itself. NoScript just increases the attack surface and also increases browser fingerprintability. There has to be a small subset of users who disable embeddings in the NoScript config, or turning off IFRAMEs, and even a smaller subset of people creating custom whitelists, which can all be checked for.

But disabling it on the browser doesn't allow you to whitelist certain websites, which is the general use case for NoScript. I wish the web didn't break without JS, but that's just not the reality we live in.

In Chrome, you can in fact white-list certain websites. It's actually quite nice. In Chrome, the advanced settings has an exceptions button that allows you to include websites that can bypass the rule.

How does that work for a site that imports JS from multiple domains, as is usual? Does adding the top domain mean that it can load JS from everywhere, or do you have to manually find out which domains it needs whitelisted to work? Neither solution seems particularly attractive; NoScript allows you to enable JS for that domain and stuff like CDNs without having to allow other stuff.

There's also an extension to make it easier to do


> I wish the web didn't break without JS, but that's just not the reality we live in.

Every time you temporarily enable JavaScript / whitelist a website you are performing a micro violation of your own privacy. In some cases even performing a large violation of your own privacy. Sure, there are some cases where I absolutely must have JavaScript turned on, but those cases are so rare that having JS permanently turned off is preferable in most cases.

you are performing a micro violation of your own privacy

You cannot violate your own privacy. My privacy is mine to control. And give up, if I so choose.

Inadvertently violating, or compromising your own privacy then?

Every time you temporarily enable JavaScript / whitelist a website you are performing a micro violation of your own privacy.

The same is true every time you access a site, even without JS.

This depends on whether you're using an anonymous proxy. Either a single-hop VPN or a multi-hop one like Tor. Enabling JS can potentially compromise these because various identifying bits of information can be gathered like screen resolution, time zone, etc.

Most scripts that aren't serving ads don't do anything to your privacy.

From a blog with two entries, with an attached twitter that looks more like bot spam than someone actually using it, and a github account that is all about messing with adblockers(?). Why does this feel like a schoolyard pissing match between "1337 haxors"?

1. You'd have to actually click and willingly install the software to be infected.

2. Even though he's able to randomize the banner code the redirect to the advertiser's site will most likely be caught by ad blockers.


Still it's a pretty hypocritical thing to do when you're the creator of a plugin which aims to increase the user's security.

"1. You'd have to actually click and willingly install the software to be infected." This is how most Windows malware/unwanted software are installed today, not via some rare zero-day Chrome exploits.

PUP != malware. PUP = potentially unwanted software. It's no more aggressive than the typical scareware tactics anti-virus companies use.

So they mention, among others, "Trojan.Win32.Generic!BT"

So I Googled that, and no, not a pup, more like a trojan that hijacks your pc and joins a botnet.

So what's the alternative to NoScript? And I don't mean an adblocker, I mean an extension that allows one to disable/enable JavaScript execution by domain.

I get the impression that while noscript operates around a default-deny/whitelist scheme, umatrix is more default-allow/blacklist.

It all depends on how you configure it. I use it in 1st party allowed and all others white-listed approach.

Yeah, but out of the proverbial box noscript is at first appearance more secure.

uMatrix is default-deny by default, except 1st-party scripts. It also comes with an extensive list of hosts files enabled (representing tens of thousands of hostnames and their subdomains) by default for which scripts won't be allowed at all, even as 1st-party.

NoScript is default-deny by default, except for its preset list of whitelisted hostnames for which scripts are allowed to execute.

In both cases, with a few clicks one can reconfigure to their liking, to further restrict or relax existing rules.

Here is my thinking on this: between blocking everything and allowing everything, there is a point I consider optimal, which is what I picked for uMatrix. Not blocking enough out of the box will defeat the primary purpose of the tool. Blocking too much out of the box will discourage many users from using the tool at all -- they will uninstall.

My goal is for as many people to protect themselves, and this won't be accomplished if I set uMatrix's default to cause too much work out of the box that they uninstall it out of tediousness.

Blocking everything 3rd-party by default except images/css is what I personally identified as the optimal -- this would correspond to "medium mode" on the graph at that page: https://github.com/gorhill/uBlock/wiki/Blocking-mode

Again regarding the tediousness factor, another important aspect of a tool such as uMatrix is how easy it is to set rules to block/allow things, including on a per-site basis: one can easily change default settings after install, but how easy/difficult it is to set/remove rules is something which can't be changed. To dismiss the ease to create rules and other core features in uMatrix because one personally disagrees with its (easily changed) default settings out of the box does not make much sense to me.

If the end result is that the aggregate number of stuff blocked by all users of uMatrix with default settings is higher than the aggregate number of stuff blocked by all users of uMatrix with hardcore settings, then I have reached my goal.

In any case, as said, the defaults can be changed easily with a few clicks, there are no "hidden" settings, what is blocked or not is up front and visible right after install by just looking at the popup panel matrix.

One thing I would like people to keep in mind: uMatrix is not NoScript or RequestPolicy, it is its own thing.

Just FYI (not flaming Firefox), it's a standard setting in Chrome.

For what my comment is worth, I ended up removing NoScript and doing a clean install of Debian after noticing that the NoScript extension would seem to auto-update often, and then would launch an instance of the noscript.net website each time I opened firefox. It did sketch me out, and I can't recommend installing this.

Go to about:addons, click the "more" text at the end of the NoScript description on the right and set auto-update to "off".

Next go to about:addons again and "preferences" of NoScript, on the "Notifications" tab uncheck "Display the release notes".


My 2¢ is that it certainly does appear to offer updates more often than one might expect (a bit like browsers themselves) but I have these two settings so I don't really notice. I choose to update manually because I don't like stuff breaking automatically (and am happy to keep on top of security warnings and such).

Why would you reinstall your OS for an extension that updates frequently?

More importantly, why would you be distressed by security software updating frequently?

I was exaggerating quite a bit, but I did end up installing another OS, but not really because of NoScript.

or you can disable the popup after update by going to noscript options -> notifications -> display the release notes...

Worth noting that you can block this in advance of it opening. I put sites like this in my hosts file noscript.net
I typically prepare a browser before use so any gotchas like that are sorted out before a session.

Lots of extensions open a changelog after they update. I'm not sure why that would be the thing that bothers you.

That bothers me about lots of extensions, and not just extensions. For example, the Newtonsoft.Json NuGet package opens up a web page after updating, and it bothers me every time. The higher the quality of the software, the more it bothers me when they stoop to such tactics.

I'll wait for the NoScript origin fork.

uMatrix is too weird for me (I love uBlock though).

What is "weird" about uMatrix, specifically?

The logic of the matrix is completely straightforward, once you get the basic rule that narrower rules override broader ones, all interactions with the matrix will become obvious, easy to understand in advance what will happens when adding/removing a specific rule -- and in any case, the visual feedback when adding/removing a rule through the popup panel matrix should be obvious enough to understand what will end up blocked/allowed.

> Especially to Windows users. Every time NoScript updates itself, the users are shown the homepage of the extension.

Options > Notifications > Uncheck "Display the release notes on updates".

I get that this sucks but there is an easy way to mitigate this problem without changing to another extension.

switched to uMatrix + uBlock Origin and never looked back.

For how long has that malware link been on the update page?

The article mentions the author has a history of doing shady things, can someone provide more background into this?

Disabling adblock filters to whitelist himself. Easy to find on Google.

As I mentioned on /r/netsec it's valid to point out the author does shady shit, but the title is clickbaity at best - the NoScript website advertises malware, there is no evidence that NoScript itself is harmful to the user. And btw you shouldn't let your extensions auto-update on Firefox anyway, especially if you use Tor, as it's vulnerable to MITM as someone posted here a few days ago. I might switch to uMatrix, but I don't really have the time right now to learn it.

> there is no evidence that NoScript itself is harmful

The article states that every time the plugin updates, it automatically opens up a webpage that serves malware. So technically the article is not wrong. NoScript forces your browser to open a malicious page, therefore it can be considered itself harmful.

> serves malware

It opens a page with an advertisement link for "Speedup My PC", not even the article claims that it serves malware, just that it "promotes" it. Going by the description of the detected malware signatures Speedup My PC isn't even harmful by itself, it just is snake oil with no real use beyond selling its own license.

Unless you click the link, download the exe, install it, fall for the detected issues notification and then proceed to buy a license nothing will happen.

Some users will fall for it though. The author wouldn't do it if they didn't make money from it. I think it's wrong to support such shady stuff that will harm some percent of its users.

Even "harm" is a bit of an overstatement if josefx is right, because if anyone pays money they do so on purpose, and they get value back in the form of the extension.

It opens a webpage that has an ad link to malware that must be manually installed. That's not a malicious page.


Now, the question is, do I trust a plugin that serves ads for malware?

BTW any info on when did they start doing that?

Source code for NoScript is available, if you manually update and compare the code you should be safe.

Sure, but trust is widely used in security, in exchange for dramatically higher usability/productivity.

If I were to personally inspect every piece of software (and hardware where possible) I use I would barely be up to date on 1995 versions of computing.

I outsource this trust to an aggregation of online communities I believe in. This post dramatically lessens my trust in NoScript.

Do you place any trust in Mozilla's add-on review process, which NoScript is subjected to? https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Revie...

Absolutely. To the extent it's serviceable. I however don't trust every app on Apple's App Store merely for passing review. I wouldn't be too scared to still use NoScript, but if there are alternatives why would I?

the release notes page? there's a checkbox for "display the release notes on updates".

When you first install it, you have to restart Firefox to complete the install and access the config menu. When you restart Firefox, it automatically loads the Noscript website to display.

You have to disconnect from the internet, restart Firefox, let it fail to load the page, then go to the settings menu and uncheck the box.

That's funny. I have never seen the ad, I think, because NoScript blocks it by default, can't imagine this self defeating practice yields any substantial income.

> And btw you shouldn't let your extensions auto-update on Firefox anyway, specially if you use Tor, as it's vulnerable to MITM as someone posted here a few days ago.

This was fixed in Tor Browser 6.0.5[1] and Firefox 49[2]. Worth noting that the attack required a publicly-trusted certificate for addons.mozilla.org, which makes this a bit harder than just a run-of-the-mill MitM attack, though certainly possible for nation-state actors and the likes.

[1]: https://blog.torproject.org/blog/tor-browser-605-released

[2]: https://www.mozilla.org/en-US/security/advisories/mfsa2016-8...

> there is no evidence that NoScript itself is harmful to the user

In the most narrow sense. Since I can't in good conscience recommend it to normal people I am considering it harmful.

> Since I can't in good conscience recommend it to normal people I am considering it harmful.

You can't really recommend it to normal people even without considering the author's advertising practices. NoScript is a tool for power users who understand a few things about how the web works.

Takes about five minutes to learn. For NoScript equivalence, click the matrix and deselect the JavaScript column.

I can second this. Recently migrated from NoScript to uMatrix. I was finally confident enough to put NoScript to "globally allow all" mode this week and use uMatrix alone for controlling scripting permissions. (After reading this, I disabled NoScript altogether.)

uMatrix allows more fine-grained control than NoScript. It's basically based on three contexts (scopes): host, domain and global, but my experience is I only ever use the global and domain scopes. I would recommend starting by globally white-listing the popular CDNs (so scripts on all sites delivered e.g. through Google's CDN are always executed and <script> snippets to integrate Google widgets work).

Then, for a majority of trusted sites it's enough to just white-list the local domain (allow executing scripts from example.com when you are visiting example.com sites). Scripts included on foobar.org from example.com still remain blocked – this is the crucial difference between global and local scopes that NoScript doesn't lend to.

I would recommend always allowing XHR and iframes in the site-local scope. IIRC this is not in the default config but since XHR anyway requires scripting you can then easily control both XHR / scripting by just white-listing the site for scripting. So this is my uMatrix base configuration currently and a good starting point for migrating from NoScript:

  * * * block
  * * css allow
  * * image allow
  * 1st-party cookie allow
  * 1st-party frame allow
  * 1st-party xhr allow
I.e. CSS / images allowed from all sources (except those blocked explicitly). Cookies, frames and XHR allowed from the same site you are currently visiting. Only scripting must be allowed per-site, just like with NoScript.
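To make the base configuration above concrete, here is an added example (not uMatrix's own code, and not from the comment's author) that models uMatrix-style rule resolution: it parses rules in the quoted `source destination type action` form and resolves a request against them using the principle stated elsewhere in this thread, that narrower rules override broader ones. The exact precedence order, the "1st-party" handling, and the two-label registrable-domain shortcut are modeling assumptions made here, not taken from the extension; the per-site rules and hostnames (`example.com`, `cdn.example.net`, `evil-cdn.test`) are constructed for illustration.

```python
"""Toy model of uMatrix-style rule resolution (added example, not uMatrix's code).

Rule syntax, as quoted in the comment above:
    <source-scope> <destination> <type> <action>
Modeling assumptions (mine, not uMatrix's documented behaviour):
  * narrowest source scope wins first, then the narrowest destination row,
    and within a row the explicit type cell beats the "*" cell;
  * "1st-party" matches a destination sharing the page's registrable domain
    and sits between the concrete hostname rows and "*";
  * the registrable domain is simply the last two labels (no public-suffix list).
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: the base configuration quoted in the comment above.
BASE_RULES = """\
* * * block
* * css allow
* * image allow
* 1st-party cookie allow
* 1st-party frame allow
* 1st-party xhr allow
"""

# Constructed sample: the kind of per-site additions the comment describes.
# Hostnames are hypothetical.
SITE_RULES = """\
example.com example.com script allow
* cdn.example.net script allow
* evil-cdn.test * block
"""


@dataclass(frozen=True)
class Rule:
    source: str       # scope: "*" or a hostname the rule applies on
    destination: str  # "*", "1st-party", or a hostname being requested
    rtype: str        # "*", "script", "xhr", "css", "image", "cookie", "frame", ...
    action: str       # "allow" or "block"


def parse_rules(text: str) -> list[Rule]:
    """Parse one rule per line; blank lines and '#' comments are ignored."""
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("allow", "block"):
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(*parts))
    return rules


def registrable_domain(host: str) -> str:
    """Assumption: last two labels form the registrable domain."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def hierarchy(host: str) -> list[str]:
    """Narrow-to-broad candidates: 'www.example.com' -> [www.example.com, example.com, *]."""
    out: list[str] = []
    labels = host.split(".")
    reg = registrable_domain(host)
    while True:
        current = ".".join(labels)
        out.append(current)
        if current == reg or len(labels) <= 1:
            break
        labels = labels[1:]
    out.append("*")
    return out


def evaluate(rules: list[Rule], page_host: str, dest_host: str, rtype: str) -> str:
    """Resolve a request of type `rtype` to `dest_host` made while visiting `page_host`."""
    index = {(r.source, r.destination, r.rtype): r.action for r in rules}
    dests = hierarchy(dest_host)
    if registrable_domain(page_host) == registrable_domain(dest_host):
        dests = dests[:-1] + ["1st-party", "*"]   # 1st-party sits just above "*"
    for src in hierarchy(page_host):              # narrowest scope first
        for dst in dests:                         # narrowest destination row first
            for t in (rtype, "*"):                # explicit type cell before "*" cell
                action = index.get((src, dst, t))
                if action is not None:
                    return action
    return "block"  # no matching rule at all: fail closed (assumption)


def demo() -> dict[str, str]:
    """Resolve a few constructed requests against BASE_RULES + SITE_RULES."""
    rules = parse_rules(BASE_RULES + SITE_RULES)
    cases = {
        "script from example.com on example.com": ("example.com", "example.com", "script"),
        "same script embedded on other.org": ("other.org", "example.com", "script"),
        "globally whitelisted CDN script": ("other.org", "cdn.example.net", "script"),
        "xhr to api.example.com from example.com": ("example.com", "api.example.com", "xhr"),
        "xhr to a third party": ("example.com", "tracker.test", "xhr"),
        "css from a third party": ("example.com", "fonts.test", "css"),
        "cookie from a third party": ("example.com", "tracker.test", "cookie"),
        "image from an explicitly blocked host": ("example.com", "evil-cdn.test", "image"),
    }
    return {name: evaluate(rules, *args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:5}  {name}")
```

The two `script` cases show the difference the comment calls crucial: the `example.com example.com script allow` rule only fires when `example.com` is the page being visited, so the same script referenced from `other.org` stays blocked; the explicit `evil-cdn.test` block row beats the global `* * image allow` because a narrower destination row wins over a broader one.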

uMatrix is one of the most brilliantly designed UIs I've used in a while. There's hardly any learning involved, it's simply a very usable thing.

NoScript is harmful because it keeps displaying the site in question to its users. The title is justified in my opinion.

Security is based on trust ..

response: https://hackademix.net/2009/05/04/dear-adblock-plus-and-nosc...

it wasn't circumventing the filters just to show ads. It was circumventing the filters because the filter were blocking everything, including the install extension button.

The article never substantiates the claim that "NoScript is harmful". They talk about NoScript's website serving questionable software, not NoScript itself.

An honest thought: the typical user of NoScript won't fall for those ads, I think.

There's no reason to believe that. How many people install NoScript on friends' and family's machines?

Very few, I'm betting; it takes hours to build a usable white-list for NoScript, and it breaks everything by default.

Imagine the conversation with a non-tech-savvy person on how to use Noscript, jeeeezzz.

I am sure more sites would work with IE6 than with the default configuration of NoScript.

Clickbaity title

Phew, for a moment there I thought it was a drive-by installer. I am mortified of these as it already happened to me while casually browsing the web. Nah, it's just a plain old exe you download and execute if you're dumb.

That people are dumb, for whatever definition of dumb we feel like adhering to today, does little against the fact that someone promoting their extension as a security mechanism goes above and beyond to try and get you to install some malware.

The difference between drive-by viruses and downloadable exe viruses that have to be manually executed is like the difference between someone who pretends to be your relative to convince you to give him money and someone who robs you at gunpoint. You're immune to one thing if you're not gullible and dumb, but completely powerless against the other, all it takes is unfortunate circumstances. Now, both are bad, of course, but one is vastly more concerning and hard to protect oneself against.

> if you're dumb

Everyone should get a CS degree to operate a computer. /s


So you mean we should be fine with this or what?

I recently had to go back to NoScript after browsing with UBlock for a month. I was on a random webpage and all of a sudden the browser would not close, and some lady was telling me "to call this number my computer is infected". I seriously doubt the author of NoScript was trying to infect people with malware. He might have made sure you see ads by disabling filters but the malware is a problem with ads in general. In other words, browsing without Noscript is risky.

Edit: It was uBlock Origin. NoScript is the only thing that works but I have no idea if the guy is shady or not. Keep in mind I install the dev edition so this has never happened to me.

The article states that this ad is hardcoded, so the author fully knows the application that he/she is pushing on their users.

By default, uBlock Origin ("uBO") works with a set of block lists, it does not block javascript -- out of the box you can't compare NoScript to uBO, they are two different things, it's not a case of "which one to use?".

Given the symptoms you describe, it seems you went to a site which launched popups. This is usually addressed by filters in the default block lists (EasyList, etc.), but when there is no filter, unwanted popups may occur. One solution is to report to block list maintainers, so that they can add a filter. There is also a per-site switch in uBO to unconditionally block all popups for a given site -- so no need to wait for a filter.

That said, you can block scripts by default with uBO if you want. It also allows to block specifically all inline script tags on a page without disabling all javascript.

uBO works well with NoScript, and many people use it in concert with NoScript; they consider that the two complement each other well.

UBlock or UBlock Origin? They aren't the same.

TLDR: NoScript's website displays shady ads.

Something that is only happening because we let ad networks and advertisers push all the shit they want on our webpages. How long before we actually start vetting (for nuisance and performance) what is put below users' eyes?

This ad in particular is hard coded by the author.

This isn't a case of someone using a shitty ad network, the author is knowingly pushing malware to the users of their application.

Hmm, not sure really where to go with this - I certainly don't want to support malware, but what does the "speedupmypc.exe" actually do that's malicious?

I ran it through online tools:

* https://www.virustotal.com/en/file/3d9e6b1e9f1296e0ce85061e0... (17/57)

* https://www.metadefender.com/#!/results/file/5fd5ceb2e10942d... (5/42)

* http://scanthis.net/scan/f74a94435ae047770b0fb26c4752d43b (result pending)

a lot of the big name antivirus companies don't report this as a malicious file (according to these tools).

e.g. looking at the first scan results Ad-Aware, Avast, BitDefender, Symantec, etc., etc., all find no problem with the file.

The obfuscation would be needed to load ads for the market that NoScript is targeting. To get ad revenue they would need some system to load the ads [as if] from the local server or they'll get blocked. Indeed isn't this what people often ask for from adverts, that they won't use external providers in order to improve page-load times. If you look at the source for the page at noscript.net you see that the section is tagged as if it's included code from an automated script. So yes, he's clearly gone to trouble to hide the ad, but that's because it's an ad and not necessarily because it's malicious.

So, it hinges on whether the speedupmypc.exe is truly malicious IMO. Cnet & Tucows endorse it, not sure that tells us much ... installing the app (on a vbox) it looks like reasonably useful app after the type of PC-decrapifier or CC or whatever. I got a freemium app which gave a scan (results looked kosher) and offered a £20 unlock to fix the issues found.

Not the greatest software but not quite what I'd call malware. Perhaps oversold-stuff-people-dont-really-need-ware??

Unless, like I said, there's a hidden payload?

Fair enough. It is classified as "potentially unwanted software" by many, so calling it malware was probably wrong.

And that was the major issue I had with it (the fact that it was called malware by the blog post).

If that's not the case, then it's not nearly as large of a problem as it looked.

Thanks for doing the research, you should repost this as a top level comment!

Before providing a "tldr" please read the article.

What makes you think he or she didn't?
