Archive for the NoScript Category

This is a real exchange from NoScript “User Reviews” section at AMO, copied here as a memento and a caveat (for NoScript potential “customers”? for free software developers?), since some or all of it may be edited by its authors or deleted by those nasty AMO editors in a near future.

  1. Deception and rude treatment of users

    Rated 1 out of 5 stars
    by JamesOnTheWay on May 12, 2014

    My negative review was deleted; therefore, I no longer have confidence in NoScript or its developer. I was not looking for a bug fix. I was warning potential users away, which is permitted in the review guidelines. I will report this to Mozilla and blog about this treatment. Deleting negative reviews is pure deception!

    NoScript was slowing my Firefox and freezing it, and the worst was in GMail. It became non-functional every time a NoScript update was released, which was often daily. FanMaderWeb reported this same issue on April 9, 2014 and his/her 1-star review was not removed. I removed NoScript, which solved all of those problems. I have since discovered that I had unknowingly been switched to beta versions. Whether this was the cause of all those issues, I will never know; because my review was rudely deleted, as I expect this one will be.

    (no title)

    by FanMaderWeb on April 9, 2014
    translate

    Sehr schlecht. Ständig muss das AddOn eingestellt werden bei Seiten, die nur JavaScript oder ähnliches benutzen. Man kann noch nichtmal sein E-Mail-Postfach damit abgreifen!

  2. Non-reproducible (yet) bug report

    by Giorgio Maone (Developer) on May 12, 2014

    Review guidelines don’t allow bug reports because they cannot be discussed and followed up here, since this is not a tracker / forum. Since you’re the only one (at this moment) reporting this issue (out of millions of users), it is likely related to your specific configuration and worth investigating, but you choose to scare other users away instead, which is not a very constructive approach (it doesn’t help other users in your situation, nor the product to improve). This is anyway still a “misplaced bug report”, no matter if you were looking for a fix or not. That’s why yes, this review will likely be deleted again. Notice that I cannot delete any review by myself: this decision is up to AMO’s editorial staff. You can still go ahead and “report this to Mozilla and blog about this treatment” if it makes you feel better, but sharing more details at noscript.net/forum would be the right thing to do for everyone’s benefit.

  3. No Free Professional Services

    Rated 3 out of 5 stars
    by JamesOnTheWay on May 12, 2014

    Maone, I am a retired computer professional. My training began with machine language in 1972. I do not debug other people’s work for free. I was taught to never release a buggy product and that customers are only kept with good customer service. Belittling customers drives us away.

  4. Refund

    by Giorgio Maone (Developer) on May 12, 2014

    Dear “customer”, you’ve got a point. I’ll be happy to fully refund the price of the buggy software you paid for. Then I’ll go back in my cubicle trying to blindly reproduce the problem you (alone, so far) have experienced, but whose details you rightfully refuse to reveal unless paid for this service. Thank you for your business!

Notice to mariners: starting with NoScript version 2.6.6.9 (ATM still a RC) and next version of FlashGot (1.5.5.6, most likely) the packages (XPIs) of my Firefox add-ons won’t be signed anymore.

Almost no other Firefox extension gets signed these days (NoScript and FlashGot had been among the earliest and few for a long time), and AMO being the only authorized repository you can install the add-on from by default, there’s little or no point in keeping the relatively expensive and clunky signature machinery in place.

You probably noticed AMO lags quite a lot behind stable versions. That’s because the editorial staff manually checks every line of code published as “stable” for security issues and known performance problems. Therefore, if you’d like to always run the latest and safest (a good idea for a security tool like NoScript), you may want to switch to the fast lane, i.e. the automatically up-to-date beta channel, by installing 2.6.6.9rc1 now.

NoScript: Site Security and Privacy InfoMaybe you haven’t noticed yet (and I admit it’s not an exceedingly discoverable thing), but for a long time now NoScript has offered a “Security and Privacy Info” page.

This feature is meant to help you assess the trustworthiness of any web site shown in your NoScript menu.

You can access this service by middle-clicking or shift-clicking the relevant menu item.

Furthermore, power users can customize it by changing the value of their noscript.siteInfoProvider about:config preference to any URL template of their choice.

NSA++, NoScript on Android

NSA++ (NoScript Anywhere Plus Plus, or NoScript 3.5 alpha for Android Native) has been in the works for a while now, and it’s finally ready for prime time, thanks also to the continuous help of the NLNet Foundation.

Even if it’s not as complete as its legacy Electrolysis-orphaned obsolete predecessor (NSA, designed for the now discontinued XUL Fennec, AKA Firefox 4 Mobile) yet, NSA++ already provides the best security you can get in any mobile browser: beside its trademark flexible script blocking facility, it features the first ever and still strongest XSS filter available, plus partial but functional portings of the unique ClearClick anti-Clickjacking technology and ABE’s firewall/LAN CSRF protection.

You can read more or try it with a recent Firefox Nightly (mobile or desktop, too!) on the NSA project page.

Universal XSS 0day in Adobe Flash controlled users’ Web accounts:

As useful as sandboxes are in restricting potentially buggy code to a small part of the operating system, they do nothing to minimize the damage that can be done by attacks that exploit universal XSS flaws, researchers said.

I was already preaching this four years ago: the more our assets move “in the cloud”, the less traditional security measures, meant to protecting just your local system, suffice.

The battlefield is the web now, and there’s no coming back…

Bad Behavior has blocked 22059 access attempts in the last 7 days.