Comments on: Plugin Security, Plug Insecurity

By: CHRIS

CHRIS — Wed, 26 Aug 2009 20:09:10 +0000

Hi,

Don’t know much about the threats you mentioned but I am glad to use your tools.
I feel more confident when my whole family surfes the web without paying attention to anything.

Thank you so much for the time you give contributing to a safer environment (yes even on our so-called virus-free Mac)
C.

By: hackademix.net » Browser Plugins, Add-Ons and Security Advisers

hackademix.net » Browser Plugins, Add-Ons and Security Advisers — Sat, 07 Feb 2009 17:02:20 +0000

[…] This can cause major security concerns, no doubt about that. They’ve accumulated lots of security issues of their own over the time, and the scriptable ones (like Flash or Java) are often used in combination with […]

By: hackademix.net » Firefox Users Are The Safest

hackademix.net » Firefox Users Are The Safest — Tue, 01 Jul 2008 18:08:24 +0000

[…] is that nothing could be said about browser plugins, universally recognized as an endless source of security pain. Even on this side, though, Firefox has some clear advantages: plugins can be disabled either […]

By: hackademix.net » Pwn2Own, the Winner is... NoScript!

hackademix.net » Pwn2Own, the Winner is... NoScript! — Mon, 31 Mar 2008 22:15:34 +0000

[…] OS X was taken because the high-level softwares it bundles (especially its web browser and multimedia plugins) are not as safe as its FreeBSD-derivative […]

By: hackademix.net » Merry XssMas

hackademix.net » Merry XssMas — Tue, 25 Dec 2007 16:45:09 +0000

[…] Register has also “discovered” Flash-based XSS, something that is surely old news in our circles: as you may remember, Sirdarkcat’s attack on RSnake was based on […]

By: Sven

Sven — Tue, 18 Dec 2007 18:46:35 +0000

I was fine with Flash and for example QuickTime movies being allowed. I don’t like this recent change in NoScript. Here’s why. Whenever NoScript blocks content I get the impression that I escaped a security risk and that I shouldn’t trust the webmaster of that respective site. However, similar to what former_ns_user said that is too paranoid for me now that it includes Flash and QuickTime. I liked the fact that NoScript blocks JavaScript (JS) by default. I’m convinced that there are JS features that a proper HTML or PHP website can deliver as well. Actually _forcing_ the visitor to have JS enabled looks like sloppy web design to me. That’s avoidable.

After I was done working on my own website today (it has Flash videos) I checked it online and found that the videos weren’t loading. I sat up straight, scratched my head and wondered when in the last days my own website had become a security risk to its visitors. At the same time I had other tabs open loading this week’s movie trailers. That particular website delivers trailers as QuickTime movies. I saw these tabs blocking content and again I wondered: when since my last visit had this website become a security risk?

Blocking JavaScript should stay enabled by default. I encourage that as I hardly ever see JavaScript contributing a unique feature to my browsing experience. However, blocking for example Flash and QuickTime movies gives the impression that I shouldn’t trust websites that I actually do trust. Websites I trust because I’m convinced they are harmless. My perception does not matter. NoScript knows better. If I were a visitor of my own website it’d be the other way round: I’d see blocked content and get the impression that the website is a security risk. At the very least I’d hesitate to click anywhere near the blocked content. Maybe I’d just turn tail. It would make me automatically suspicious of the webmaster’s intentions.

Next stop is my regular movie trailer website; too risky now. I should find a new one that NoScript approves of. When it comes to movie trailers, too, my perception does not matter. NoScript knows better. Since I like to see videos I should look for a website that delivers .gif animations. The current NoScript version doesn’t block them by default.

In my opinion NoScript overshot the mark in disabling these content types by default. They should be re-enabled by default.

By: NoScript Provides Additional Security — Woodruff Research

NoScript Provides Additional Security — Woodruff Research — Sun, 16 Dec 2007 00:17:09 +0000

[…] safe setup by unchecking the relevant Forbid preferences in the NoScript Options|Plugins panel. Read more about the security reasons behind these new default […]

By: Bill Wallace

Bill Wallace — Fri, 14 Dec 2007 11:59:11 +0000

I’m all for making the flash/silverlight/java/quicktime turned off by default in the next version. That is how I run things now, and it works just fine. My browsing is a lot faster, and I see far fewer adds. The very few times I want to download things, I can.
Could you also have an option to turn off sound? I only know of 1 old exploit in a sound format, but there isn’t any reason to expect we won’t see some in the future, and it is a pain to hear the computer start playing something unexpectedly. I’m not sure how to indicate sound existence, however.

By: Dan

Dan — Thu, 13 Dec 2007 18:30:20 +0000

Yeah, I support blocking all plugins by default. That IS how I use it after all. (I’m really paranoid about security, even though I only use OS X and Linux and haven’t touched Windows in about 3 or 4 months.)

I know that not all NoScript users know about the plugin blocking features, so if you were to block Flash by default, I would recommend using some sort of splash screen or a large notice on the NoScript home page that expressly mentions that Flash is turned off, explains why Flash is turned off, and explains how to turn Flash back on. Of course, since us techies are suggesting NoScript to our friends and family (I’ve completely lost track of the number of times I’ve recommended NoScript), it should be explained in a non-techie friendly way but without seeming too condescending.

By: nobody

nobody — Tue, 11 Dec 2007 12:56:54 +0000

Go ahead and disable active content by default.

Thanks for the good work!