tag:ask-leo.com,2009://3/tag:ask-leo.com,2009://3.3718- 2009-12-09T23:55:00Z Comments for NoScript - A Firefox addin that makes browsing safer. Movable Type 4.25 tag:ask-leo.com,2009://3.3718-comment:34760 Comment from Mike on 2009-05-12 Mike I don't find it a problem that I have to "allow" sites I want to use Javascript. What I'm worried about is when going to allow it, many times there are multiple sites are listed. I understand this is by design and not a bug in NoScript, but I don't know what should be allowed and shouldn't.

For example, NoScript lists for this very website four sites to possibly allow: ask-leo.com, pugetsoundsoftware.com, aweber.com, and kontera.com. Obviously, I want to allow ask-leo.com because that's the site I came to. But I don't know what the other ones are. I'm not saying they're malware; I'm only using them as an example. But as a web surfer, I only know that I want to allow ask-leo.com in this instance. I don't know what these other sites are and, if I allow them, would just be doing so blindly, negating the purpose of the add-on.

I view it as a matter of trust: if you trust the site you're visiting, then it's probably reasonable to trust the additional site that it includes. This is most commonly advertising related but in many cases additional functionality as well.

Let's use my site as an example:

- pugetsoundsoftware.com is my corporate/parent site, and where I have certain scripts that relate to commenting, content management and spam prevention.

- aweber.com is the email provider I use for my newsletters, and the scripts relate to the newsletter signup forms you'll find on my site

- kontera.com is an adverstising service that helps support the cost of running Ask Leo! - it's the one responsible for the double-underlined links in text.

There are occasionally others like various google domains for site search, advertising and analytics.

You don't have to enable them. The cost, of course, is that whatever it is they represent won't happen. You might not be able to comment, I might miss out on advertising revenue to help support the site, and you might not be able to search the site, for a few examples.

So I go back to trust: if I trust the site I'm visiting, I typically allow that trust to transfer to all the scripting sites that it pulls in. If I'm not sure, I'll only allow the site itself, and enable others on a case-by-case basis if things aren't working.

And of course if I don't trust the site - or just don't know - I trust, and enable, nothing.

- Leo
13-May-2009

]]>

A comment on: NoScript - A Firefox addin that makes browsing safer.

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

All content Copyright © 2009.

 2009-05-12T23:28:14Z tag:ask-leo.com,2009://3.3718-comment:34759 Comment from James on 2009-05-10 James http://unspecified I agree with JG: I have Firefox installed (though I prefer Opera) and NoScript. I thought NoScript great until I found how often I had to consider whether I could trust a site. One finds oneself allowing "all on this site" so frequently that it amplifies one's paranoia to the point of neurosis.

Besides, is it not the case that javascript implementations are pretty safe, apart from any unfixed vulnerabilities? And they mostly use a sandbox - see http://en.wikipedia.org/wiki/Javascript.

I find that the (minor) annoyance of deciding which sites to allow decreases dramatically over time as it remembers the settings for all sites you've been to at least once.

There is a small, but growing class of malware that leverages Javascript. While there are some things it cannot do, by virtue of the sandbox you mention, that should not lead you to believe it's always 100% safe. It can be used for malicious purposes as well.

- Leo
08-May-2009
]]>

A comment on: NoScript - A Firefox addin that makes browsing safer.

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

All content Copyright © 2009.

 2009-05-10T09:31:34Z tag:ask-leo.com,2009://3.3718-comment:34758 Comment from Thom on 2009-05-09 Thom Thanks for the tip on NoScript. I'm a computer consultant (for 25 years), and always searching for something new or for a customer. I often have to remove junk that wasn't expected from some sites. Hopefully, this will cut down on the trash.

]]>

A comment on: NoScript - A Firefox addin that makes browsing safer.

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

All content Copyright © 2009.

 2009-05-09T14:59:31Z tag:ask-leo.com,2009://3.3718-comment:34757 Comment from Graham Peters on 2009-05-06 Graham Peters JG makes a good point. Some users install protection and then negate it at every opportunity, rather like someone installing ZoneAlarm and then granting access to everything that asks for it. Punch enough holes in your defence wall, and it's no longer a wall, it's garden trellis!

]]>

A comment on: NoScript - A Firefox addin that makes browsing safer.

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

All content Copyright © 2009.

 2009-05-06T10:02:13Z tag:ask-leo.com,2009://3.3718-comment:34756 Comment from J G on 2009-04-30 J G I gave up on NoScript because if you visit many new sites you will be constantly clicking to allow javascript to run. Many, many sites use javascript. After a while you just click mindlessly negating the purpose of NoScript.

Also, many sites have several things that NoScript blocks. If the site doesn't work you have to enable them all or enable them sequentially to get things to work. Very time consuming.

Sometimes you won't notice that some feature of the site isn't working because NoScript is blocking it and you'll miss something important.

All in all, if you visit only mainstream sites I'd say the risk of infection because of a compromised site is not worth the trouble of using NoScript.

However, if you regularly visit "iffy" sites then I recommend using it and being very careful about what you enable.

]]>

A comment on: NoScript - A Firefox addin that makes browsing safer.

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

All content Copyright © 2009.

 2009-04-30T19:37:30Z tag:ask-leo.com,2009://3.3718-comment:34755 Comment from Mark on 2009-04-29 Mark I've read Google Chrome runs Java script in a sandbox and becauses of that is virtually safe from these attacks. Is that true?

]]>

A comment on: NoScript - A Firefox addin that makes browsing safer.

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

All content Copyright © 2009.

 2009-04-29T22:48:25Z tag:ask-leo.com,2009://3.3718-comment:34754 Comment from Minot Isok on 2009-04-29 Minot Isok I use NoScript also but users need to remember that your allowed sites may have malware in the future. Only allow sites that you always use or need. If you are just reading a particular site then you want to consider whether you want that site to allow scripts. NoScript doesn't allow you to act foolishly on the internet. It is a tool that helps make it safer.

]]>

A comment on: NoScript - A Firefox addin that makes browsing safer.

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

All content Copyright © 2009.

 2009-04-29T22:11:05Z tag:ask-leo.com,2009://3.3718-comment:34753 Comment from Dan Ullman on 2009-04-29 Dan Ullman One point about using NoScript. For the first few days it will be very annoying. Once you get the hang of it the add-on works great and is worth having.

]]>

A comment on: NoScript - A Firefox addin that makes browsing safer.

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

All content Copyright © 2009.

 2009-04-29T16:16:25Z