I think I’ve mentioned before that I run FireFox most of the time
instead of Internet Explorer. One of the reasons I run Firefox is the
wealth of addins that are available for it.
If, like me, you run FireFox, I strongly recommend that you consider
the NoScript plugin.
JavaScript is a programming language that is supported by most browsers and in turn used by many web pages. With JavaScript, web page authors can do more than just display text and pictures – they can write full featured programs that actually do things in your browser.
A great example is Google Docs. Their word processing program and spreadsheet program are handled entirely within your browser, and rely heavily on JavaScript. Many websites use JavaScript for various features, and some occasionally even require it to function.
But like any programming language, JavaScript can also be used with malicious intent.
I often talk about not visiting “malicious websites”, and what often makes them malicious is that they use JavaScript to fool, hack or otherwise gain access to things that you don’t want them to. It’s not necessarily easy, and it’s not necessarily so common as to be particularly scary, but it does exist, and is another way that hackers get into things they shouldn’t.
The browser pretty much lets you turn JavaScript on or off completely. That’s not a practical option since so many sites – sites we trust and use every day – actually require JavaScript to operate. So we pretty much need to turn JavaScript on … but then all sites, good or bad, can use it.
NoScript addresses this very simply. To quote their site:
“… this free, open source add-on allows JavaScript, Java and Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank) …”
After installing NoScript, scripting is disabled on all sites you visit. Each time you then encounter a site that you trust that requires JavaScript you tell NoScript “this site is OK”. NoScript enables JavaScript for that site and remembers – you never have to tell it that site’s OK again.
When you encounter a site that is not on your trusted list, NoScript’s icon in the lower right of your browser window will change to indicate that scripts have been blocked, and a “Scripts Currently Forbidden” line is added:
You can then click on the NoScript icon (1) or the Options button (2) and NoScript will list the sources attempting to run JavaScript on the current web page. In this example, you would click on “Allow ask-leo.com” (3) to allow JavaScript that originates from ask-leo.com to be run.
You’ll note that JavaScript often originates from sites other than the page you’re looking at. In the example above, you can see that even though you are visiting ask-leo.com, JavaScript is also coming from kontera.com (4) and aweber.com. It’s not at all uncommon, but worth paying attention to. In this example, kontera.com is an advertising provider, and aweber.com is my email newsletter provider. Enabling those individually will turn on additional functionality when you view the page. Third-party scripts are, most frequently, advertising, but they can also be core functionality that’s required for the site to operate properly.
Once you’ve clicked on “Allow ask-leo.com”, or any of the other domains that can be allowed, scripts originating from those domains will be allowed and run from then on.
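As an added example (not NoScript’s own code, and not part of the original article), the following Python script models the decision described above: it collects every script source on a page, groups them by the domain they come from, and runs only the ones whose domain is on a per-user allow list; everything else is blocked by default, exactly the way a fresh NoScript install treats a site you have not yet approved. The page URL, the HTML and the allow list are constructed for illustration, and the domain grouping is a crude two-label approximation (an assumption; a real tool would consult the public suffix list).

```python
"""Toy default-deny script policy in the spirit of NoScript's per-site allow list.
Added example only; the sample page and allow list below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _ScriptCollector(HTMLParser):
    """Record the src of every <script> tag and count inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []   # src values of <script src=...>
        self.inline = 0      # number of <script> blocks with no src

    def handle_starttag(self, tag, attrs):
        if tag != "script":          # HTMLParser lowercases tag names for us
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline += 1


def registrable_domain(host):
    """Crude 'site' name: the last two labels of the hostname (assumption).
    Good enough for cdn.kontera.com -> kontera.com; a real implementation
    would use the public suffix list to handle names like co.uk."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def script_origins(page_url, html):
    """Return {domain: [script sources]} for the page, resolving relative src
    against the page URL.  Inline scripts are attributed to the page's own
    domain, since they are delivered by the site itself."""
    collector = _ScriptCollector()
    collector.feed(html)
    origins = {}
    for src in collector.external:
        host = urlparse(urljoin(page_url, src)).hostname
        origins.setdefault(registrable_domain(host), []).append(src)
    if collector.inline:
        page_domain = registrable_domain(urlparse(page_url).hostname)
        origins.setdefault(page_domain, []).extend(["<inline>"] * collector.inline)
    return origins


def apply_policy(page_url, html, allowed):
    """Default deny: a script may run only if its domain is on the allow list.
    Returns {'allowed': {domain: srcs}, 'blocked': {domain: srcs}}."""
    allowed = {d.lower() for d in allowed}
    decision = {"allowed": {}, "blocked": {}}
    for domain, srcs in script_origins(page_url, html).items():
        bucket = "allowed" if domain in allowed else "blocked"
        decision[bucket][domain] = srcs
    return decision


# Constructed sample: a first-party page pulling in the third-party scripts
# named in the article (domains only; the paths are made up).
SAMPLE_PAGE_URL = "https://ask-leo.com/some-article.html"
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script>var inline = 1;</script>
<script src="https://cdn.kontera.com/ad.js"></script>
<script src="http://forms.aweber.com/form/12.js"></script>
<script src="https://pugetsoundsoftware.com/comments.js"></script>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    # Trusting only the site you came to, as the article recommends at first.
    result = apply_policy(SAMPLE_PAGE_URL, SAMPLE_HTML, {"ask-leo.com"})
    for bucket in ("allowed", "blocked"):
        for domain, srcs in result[bucket].items():
            print(f"{bucket:7} {domain}: {', '.join(srcs)}")
```

Run as written, the script allows the two ask-leo.com scripts (the external one and the inline one) and reports kontera.com, aweber.com and pugetsoundsoftware.com as blocked; adding a domain to the allow list moves its scripts to the allowed bucket, which is the “Allow kontera.com” step in the NoScript menu.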
Over time, after you build up your list of allowed sites, you’ll rarely even think about NoScript unless or until you visit a site that is new, or has unexpectedly added scripting. This is where NoScript’s real value comes into play: scripts from new sources will not run. Any attempts to perform malicious actions via scripting will not be able to take place until you’ve had a chance to determine if the site is trustworthy or not.
With malicious attacks always seemingly on the rise, blocking scripting by default and allowing it on an as-needed basis makes a lot of sense.
NoScript – another tool for your security arsenal.
I recommend it.
One point about using NoScript. For the first few days it will be very annoying. Once you get the hang of it the add-on works great and is worth having.
I use NoScript also but users need to remember that your allowed sites may have malware in the future. Only allow sites that you always use or need. If you are just reading a particular site then you want to consider whether you want that site to allow scripts. NoScript doesn’t allow you to act foolishly on the internet. It is a tool that helps make it safer.
I’ve read Google Chrome runs JavaScript in a sandbox and because of that is virtually safe from these attacks. Is that true?
I gave up on NoScript because if you visit many new sites you will be constantly clicking to allow javascript to run. Many, many sites use javascript. After a while you just click mindlessly negating the purpose of NoScript.
Also, many sites have several things that NoScript blocks. If the site doesn’t work you have to enable them all or enable them sequentially to get things to work. Very time consuming.
Sometimes you won’t notice that some feature of the site isn’t working because NoScript is blocking it and you’ll miss something important.
All in all, if you visit only mainstream sites I’d say the risk of infection because of a compromised site is not worth the trouble of using NoScript.
However, if you regularly visit “iffy” sites then I recommend using it and being very careful about what you enable.
JG makes a good point. Some users install protection and then negate it at every opportunity, rather like someone installing ZoneAlarm and then granting access to everything that asks for it. Punch enough holes in your defence wall, and it’s no longer a wall, it’s garden trellis!
Thanks for the tip on NoScript. I’m a computer consultant (for 25 years), and always searching for something new or for a customer. I often have to remove junk that wasn’t expected from some sites. Hopefully, this will cut down on the trash.
I agree with JG: I have Firefox installed (though I prefer Opera) and NoScript. I thought NoScript great until I found how often I had to consider whether I could trust a site. One finds oneself allowing “all on this site” so frequently that it amplifies one’s paranoia to the point of neurosis.
Besides, is it not the case that javascript implementations are pretty safe, apart from any unfixed vulnerabilities? And they mostly use a sandbox – see http://en.wikipedia.org/wiki/Javascript.
There is a small, but growing class of malware that leverages Javascript. While there are some things it cannot do, by virtue of the sandbox you mention, that should not lead you to believe it’s always 100% safe. It can be used for malicious purposes as well.
08-May-2009
I don’t find it a problem that I have to “allow” sites I want to use JavaScript. What I’m worried about is when going to allow it, many times multiple sites are listed. I understand this is by design and not a bug in NoScript, but I don’t know what should be allowed and shouldn’t.
For example, NoScript lists for this very website four sites to possibly allow: ask-leo.com, pugetsoundsoftware.com, aweber.com, and kontera.com. Obviously, I want to allow ask-leo.com because that’s the site I came to. But I don’t know what the other ones are. I’m not saying they’re malware; I’m only using them as an example. But as a web surfer, I only know that I want to allow ask-leo.com in this instance. I don’t know what these other sites are and, if I allow them, would just be doing so blindly, negating the purpose of the add-on.
Let’s use my site as an example:
– pugetsoundsoftware.com is my corporate/parent site, and where I have certain scripts that relate to commenting, content management and spam prevention.
– aweber.com is the email provider I use for my newsletters, and the scripts relate to the newsletter signup forms you’ll find on my site.
– kontera.com is an advertising service that helps support the cost of running Ask Leo! – it’s the one responsible for the double-underlined links in text.
There are occasionally others like various google domains for site search, advertising and analytics.
You don’t have to enable them. The cost, of course, is that whatever it is they represent won’t happen. You might not be able to comment, I might miss out on advertising revenue to help support the site, and you might not be able to search the site, for a few examples.
So I go back to trust: if I trust the site I’m visiting, I typically allow that trust to transfer to all the scripting sites that it pulls in. If I’m not sure, I’ll only allow the site itself, and enable others on a case-by-case basis if things aren’t working.
And of course if I don’t trust the site – or just don’t know – I trust, and enable, nothing.
13-May-2009
My website provider is btinternet.com and they provide a security service by McAfee. When looking at a website there is always a green McAfee sign to show it is safe to use or a warning when not to.
How do you know that the other sites use Fire Fox and NoScript? You tell FireFox to trust your Bank, and the Bank accesses third party software to verify your identity, but the Bank doesn’t use Fire Fox and NoScript. I just had an incident at work when I was online with the bank, and in my account, and reading their instructions on downloading my history to Money, etc. All of a sudden I noticed that my cursor was moving, and someone had taken over my pc; then I noticed that they had even changed from my account to another account. It freaked me out, and I immediately called the bank. They froze my account, and told me to call the fraud department. I called them, and they verified the secret questions on my account, and then said they had additional questions to ask me that were from a third party that they used, which freaked me out. They wanted to know if I knew my Ex’s wife, then how old she was, and her birthday. I could have cared less when her birthday was. Of course I didn’t know. They told me that all of the answers were public information. They paid for access to all of this information. They asked me if I knew 3 foreigners whose names sounded like terrorists? They asked me if I knew 259 S. Main Street, and I asked them which city and state. I use a bank on S. Main St, but I could care less what the street number is. I failed the test, and had to go into the bank to straighten out the mess. Can you believe all of this? They have not gotten back to me with an answer. My employer denies any problem on their end. How do I protect myself, when my employer has direct access to my pc to download upgrades to software, and to install new applications?
Scared
Reading this makes me grateful for having Opera – i don’t need an addon to get the same effect, it’s already embedded in it from the start – in the Edit Site Preferences.
I use WOT and Trend protect on IE8 to help me steer away from bad sites. WOT is community opinion and Trendprotect is an addon that looks for malicious script. They both don’t always agree on giving the green light for a page but that’s because they do different things.
Last night I wanted to watch a movie on one of those sites that list several streaming sites that have the movie.
I clicked on one of the sites to watch a movie and WOT listed the site in my tool bar as green which means it is safe as far as they are concerned. Then Trend also said that there was no malicious script on the page. So I’m trying to watch a movie and another web page keeps popping up from WOT saying that this site is not safe and that it has a bad reputation. The name of the site is different than the site I’m on. I’m not on this site it is listing. The site I’m on WOT has it listed as safe.
Now that I have read this article and understand the third party scripters it all makes sense.
I ran an online malware scanner after watching the movie because I received many a notice from WOT about a site I was not on. I went to sleep and when I awoke the scan had found 3 new adware and 3 new trojans.
So I would have to disagree with you Leo when you said if you trust the main site it’s ok to allow the 2nd and 3rd party sites also.
Ironic, isn’t it, that I can’t comment on an article that advocates using NoScript, because NoScript has blocked comments on the page. :-)
13-Oct-2010
Good idea to install NoScript for Firefox as it gives you more control on what’s loading on pages you view.
NoScript is too much trouble, I use the Flashblock addon. It blocks all flash content, unless I double click on it, or right click and select always allow flash on this site.
I love FireFox for the add ins too. Too bad those who provide them don’t keep up with the FireFox release cycle, even though they have more than fair warning that a new version (4.0) is on the horizon (are you listening Norton Toolbar?!).
Duty now, for the future.
NoScript, like other programs such as ZoneAlarm, is a real booger when you first start. Soon you will have it configured and it goes unnoticed until… something out of the ordinary pops up. That’s when it shines because it’s doing exactly what it should do.
While McAfee & WOT provide “green light-red light” assistance, you need to know why a site is getting a red light. Example w/ WOT: a site I’ve used for years [myway.com] w/o any problems was a red light. Why? It had a “smiley icons” link at the bottom of the page [never click this link- adware/malware]. That was it. The page itself was fine. WOT is just very careful. But as far as McAfee’s “user based” input for site warnings, I found way too many false negatives for my liking. Sites I’ve used for years were cited as dangerous, although I never had ANY problem. Never.
I just had a comment on the above. The best advice while visiting a new uncertain site – don’t click links that are not part of the main page’s intention. Stay on the path brothers & sisters – do not wander.
It may be a good recommendation, but my recent experiences with Firefox and plugins have been very frustrating. With a new so-called version coming out every 30 days or so, trying to keep my favorite plugins and add-ons working with the latest Firefox is an effort in futility.