Comments on: Microsoft Recommends NoScript

By: Dauns Wurst

Dauns Wurst — Mon, 26 Apr 2010 23:17:02 +0000

Forget what I wrote, I was in a hurry.

By: Dauns Wurst

Dauns Wurst — Mon, 26 Apr 2010 23:16:40 +0000

Forgot what I wrote, I was in a hurry.

By: Dauns Wurst

Dauns Wurst — Mon, 26 Apr 2010 22:49:35 +0000

So according to this chart NoScripts XSS is bypassable, but in what sense? Generally or just in special cases, because latter was and probably always will be the case.

By: sirdarckcat

sirdarckcat — Thu, 22 Apr 2010 15:10:49 +0000

Hey!

So, yeah.. NoScript is safer, because it stops requests from happening in the first place, however that makes it have a bigger false positive ratio.

In terms of which one is harder to bypass, the winner is IE8, followed by NoScript, followed by Chrome.. considering that it takes days to bypass IE8, as opposed to chrome/noscript.

Greetings!!

By: Giorgio

Giorgio — Thu, 22 Apr 2010 06:40:48 +0000

@David Lindsay:
OK, apologizes accepted. Please accept mine regarding the “big players bias” allegation, I just had that feeling looking at the table and combining that with the preamble.

Like you said, no hard feelings.

By: David Lindsay

David Lindsay — Wed, 21 Apr 2010 20:44:09 +0000

The wording in the whitepaper preamble was completely mine, so yes, you can blame me. When I said IE8’s filters were "somewhat novel", I was referring to to the fact that they were not the first to develop thorough client-side XSS filters, clearly NoScript had been doing this for quite some time, however they were the first *browser* to have such filters built in by default.

It was not my intent to slight NoScript in any way. In hindsight, I can clearly see your point of view and I apologize for not properly acknowledging NoScript’s pioneering role in terms of client-side filters.

That being said, I make no apologies for the content of the comparison slide in our presentation. Although Eduardo and I had a lot of back-and-forth discussion regarding how to compare things on that slide, the final contents accurately reflect the average of our opinions (which were never that far apart to begin with). And I take offense to any accusations of bias towards "big players"; if anything, the opposite is true.

By: Morgan Storey

Morgan Storey — Wed, 21 Apr 2010 11:26:12 +0000

A bit of spurious reasoning, not that I don’t use noscript. I think they were trying to spruik IE8 still. But maybe you could help them along and port noscript to IE, and then they would at least have something to crow about, once they offer you an obscene amount of money and put it into the code natively.
I am surprised you didn’t mention the recent network solutions attack and its injection of malicious javascript, if something like noscript was globally used this breach may have been found sooner with less collateral damage, if I saw javascript on my page I would know as there is very little and it isn’t whitelisted.

By: uberVU - social comments

uberVU - social comments — Wed, 21 Apr 2010 10:36:50 +0000

Social comments and analytics for this post

This post was mentioned on Twitter by ma1: Microsoft endorses Firefox+NoScript :) http://snipurl.com/ms4ns