Comments on: Petko Was Playing With Fire…

By: Giorgio

Giorgio — Tue, 19 Aug 2008 08:08:18 +0000

@surfergirl:
I read the e-book by Mrs. Suggs, and it’s quite different than you’re suggesting.
In facts, it explain web marketer why and how to tell users of their e-commerce sites to “disable” NoScript on their sites, i.e. adding them to their whitelists.

There’s no technique to “get around the security features” there yet, and I can assure you there’s a lot of people more technically skilled than Mrs. Suggs trying every day :)
Have you got an actual example of bypass occurring to you?

By: surfergirl54

surfergirl54 — Tue, 19 Aug 2008 02:34:31 +0000

I have one for you. A woman by the name of Sunny Suggs published an E-book about Firefox add-ons specifically NoScript and how internet marketers can get around the security features. As a surfer I detest audio and video starting up without my permission. Suddenly I am not able to stop videos using UTube and some other audio and video, despite the fact that I have these disabled.

Is there a way around this problem, because so far I have not been able to find a solution to stop the stuff that is heavy on bandwidth - my opinion is: If I want to look at the video then I can press the button, do not supply me with something that auto-starts. It is the auto-start that needs to be stopped. Darn shame because NoScript has been working so well.

By: Sebastian Tschan

Sebastian Tschan — Sun, 17 Aug 2008 11:49:27 +0000

I’d like to throw in that the Secure Login add-on makes Firefox Password Manager somewhat more robust against XSS attacks.

Regards,
Sebastian

By: Giorgio

Giorgio — Sat, 16 Aug 2008 15:06:06 +0000

@Wladimir Palant: As you know well, relying on AdBlock Plus for security purposes is not advisable, especially until bug 431782 gets fixed. You don't want to be rickrolled by bad guys, do you? ;)

By: Wladimir Palant

Wladimir Palant — Sat, 16 Aug 2008 14:20:43 +0000

Password manager has issues, true. Using an external "password manager" is a better solution so far.

As to Prism, even in that unlikely situation, with Adblock Plus and the filter "*$third-party" it will do great (yes, Prism isn’t officially supported by Adblock Plus yet, working on that).

By: Giorgio

Giorgio — Thu, 14 Aug 2008 09:46:48 +0000

@Wladimir:

Well, best solution for this kind of problem is still not staying logged in on a site longer than necessary

That, and remembering all your passwords without assistance.
If your memory isn’t that great and you do use the password manager, I can steal your username and password with no need for you to be logged in (actually, it’s even easier when you’re logged out).
Regarding Prism, I guess it won’t save you either if the malicious content is served by an iframe or an external script embedded in the web application itself.

By: Wladimir Palant

Wladimir Palant — Thu, 14 Aug 2008 09:00:40 +0000

Well, best solution for this kind of problem is still not staying logged in on a site longer than necessary. If you need a web application that is constantly running - that’s what Prism is for. Separate process, separate environment, no interaction with the browser.