Comments on: Plugin Security, Plug Insecurity

By: hackademix.net » Firefox Users Are The Safest

hackademix.net » Firefox Users Are The Safest — Tue, 01 Jul 2008 18:08:24 +0000

[…] is that nothing could be said about browser plugins, universally recognized as an endless source of security pain. Even on this side, though, Firefox has some clear advantages: plugins can be disabled either […]

By: hackademix.net » Pwn2Own, the Winner is... NoScript!

hackademix.net » Pwn2Own, the Winner is... NoScript! — Mon, 31 Mar 2008 22:15:34 +0000

[…] OS X was taken because the high-level softwares it bundles (especially its web browser and multimedia plugins) are not as safe as its FreeBSD-derivative […]

By: hackademix.net » Merry XssMas

hackademix.net » Merry XssMas — Tue, 25 Dec 2007 16:45:09 +0000

[…] Register has also “discovered” Flash-based XSS, something that is surely old news in our circles: as you may remember, Sirdarkcat’s attack on RSnake was based on […]

By: Sven

Sven — Tue, 18 Dec 2007 18:46:35 +0000

I was fine with Flash and for example QuickTime movies being allowed. I don’t like this recent change in NoScript. Here’s why. Whenever NoScript blocks content I get the impression that I escaped a security risk and that I shouldn’t trust the webmaster of that respective site. However, similar to what former_ns_user said that is too paranoid for me now that it includes Flash and QuickTime. I liked the fact that NoScript blocks JavaScript (JS) by default. I’m convinced that there are JS features that a proper HTML or PHP website can deliver as well. Actually _forcing_ the visitor to have JS enabled looks like sloppy web design to me. That’s avoidable.

After I was done working on my own website today (it has Flash videos) I checked it online and found that the videos weren’t loading. I sat up straight, scratched my head and wondered when in the last days my own website had become a security risk to its visitors. At the same time I had other tabs open loading this week’s movie trailers. That particular website delivers trailers as QuickTime movies. I saw these tabs blocking content and again I wondered: when since my last visit had this website become a security risk?

Blocking JavaScript should stay enabled by default. I encourage that as I hardly ever see JavaScript contributing a unique feature to my browsing experience. However, blocking for example Flash and QuickTime movies gives the impression that I shouldn’t trust websites that I actually do trust. Websites I trust because I’m convinced they are harmless. My perception does not matter. NoScript knows better. If I were a visitor of my own website it’d be the other way round: I’d see blocked content and get the impression that the website is a security risk. At the very least I’d hesitate to click anywhere near the blocked content. Maybe I’d just turn tail. It would make me automatically suspicious of the webmaster’s intentions.

Next stop is my regular movie trailer website; too risky now. I should find a new one that NoScript approves of. When it comes to movie trailers, too, my perception does not matter. NoScript knows better. Since I like to see videos I should look for a website that delivers .gif animations. The current NoScript version doesn’t block them by default.

In my opinion NoScript overshot the mark in disabling these content types by default. They should be re-enabled by default.

By: NoScript Provides Additional Security — Woodruff Research

NoScript Provides Additional Security — Woodruff Research — Sun, 16 Dec 2007 00:17:09 +0000

[…] safe setup by unchecking the relevant Forbid preferences in the NoScript Options|Plugins panel. Read more about the security reasons behind these new default […]

By: Bill Wallace

Bill Wallace — Fri, 14 Dec 2007 11:59:11 +0000

I’m all for making the flash/silverlight/java/quicktime turned off by default in the next version. That is how I run things now, and it works just fine. My browsing is a lot faster, and I see far fewer adds. The very few times I want to download things, I can.
Could you also have an option to turn off sound? I only know of 1 old exploit in a sound format, but there isn’t any reason to expect we won’t see some in the future, and it is a pain to hear the computer start playing something unexpectedly. I’m not sure how to indicate sound existence, however.

By: Dan

Dan — Thu, 13 Dec 2007 18:30:20 +0000

Yeah, I support blocking all plugins by default. That IS how I use it after all. (I’m really paranoid about security, even though I only use OS X and Linux and haven’t touched Windows in about 3 or 4 months.)

I know that not all NoScript users know about the plugin blocking features, so if you were to block Flash by default, I would recommend using some sort of splash screen or a large notice on the NoScript home page that expressly mentions that Flash is turned off, explains why Flash is turned off, and explains how to turn Flash back on. Of course, since us techies are suggesting NoScript to our friends and family (I’ve completely lost track of the number of times I’ve recommended NoScript), it should be explained in a non-techie friendly way but without seeming too condescending.

By: nobody

nobody — Tue, 11 Dec 2007 12:56:54 +0000

Go ahead and disable active content by default.

Thanks for the good work!

By: Bob Jonkman

Bob Jonkman — Mon, 10 Dec 2007 11:47:44 +0000

Good security practice says that the default settings should deny everything, then things are permitted explicitly one-at-a-time.

Yes, please set all the defaults to be as safe as possible, right out of the box. People who install NoScript are doing it to enhance their browsing safety, so make it easy for them.

People who need to access scripts will have enough tech savvy to enable scripts on individual sites; by corollary, those lacking tech savvy shouldn’t be browsing with Allow scripts Globally anyway.

Thanx for a great tool!

–Bob.

By: D Sojourner

D Sojourner — Mon, 10 Dec 2007 10:10:31 +0000

I would very much appreciate having the pluggin options switched to “on by default”. I have several computers I’m using this on, and I can’t always count on my kids checking options.

D Sojourner