Just 3 of the many reasons why I'm seriously considering shipping the next NoScript versions with Forbid Macromedia® Flash®, Forbid Microsoft® Silverlight™ and Forbid other plugins checked by default in the Plugins options panel, as already happens for Java™:
- A Quicktime RTSP Response vulnerability is being actively exploited in the wild.
- Programming errors in Flash or Silverlight applets can be as exploitable as traditional XSS/CSRF, if not more so, no matter whether the plugin itself is vulnerable or not. If the recent attack on RSnake failed, it's most likely because he had NoScript configured to block Flash even on his own site. Not as impractical as it may sound: in fact, you can select Apply these restrictions to trusted sites as well and enable multimedia clips or applets individually, on the fly, with a click on their placeholder -- that's exactly what I do, by the way.
- As Pascal Meunier of CERIAS put it,
Fully functional PDF viewers are now about as safe and loyal (under your control) as your web browser with full scripting enabled. That may be good enough for some people, but clearly falls short for risk-averse industries.
Update:
Another good reason to keep Flash off by default.
Update 2:
Update 3:
Oops! :P
Update 4:
I did it, in the end. NoScript now blocks all plugins by default on untrusted sites, and you can optionally extend these restrictions to trusted sites as well.
December 6th, 2007 at 3:38 am
Thanks for the advice. I'll try it out.
December 6th, 2007 at 7:54 am
Vote 1 for disabling all plugin action by default.
With placeholders, there's no need for any unsafe stuff to be run until the user can vet the site.
I go to a public broadcaster where I once would have trusted all operations.
Within the past month, the website has become a mess of beta players and me-too content that makes it feel more like an untrusted site.
Easy to restrict all plugins and allow content as needed.
December 6th, 2007 at 10:25 am
I vote for blocked by default, as this is how I use NoScript anyway.
I do however have an issue whereby loading a video or swf directly with these options enabled results in an object that can never be activated, which would suck to have by default.
December 6th, 2007 at 10:52 am
@Dan:
Could you report a test-case, including website URL where you run into this "unactivable object" issue?
Please do so by email or by posting on the Mozillazine Forum thread for the current NoScript version.
December 6th, 2007 at 1:03 pm
In your advisory for the latest version of NoScript (1.1.9), you mentioned that you were considering shipping the next NoScript versions with the Forbid [plugin] options enabled by default.
I think that checking these options as a default is a good idea; it will enhance security for users who don't look that closely at the configuration options, and it will make installing NoScript more convenient for users like me who do go in and check those options.
Since desired content can still be accessed with a click, this extra level of security comes with a minimal cost to those who wish to live a bit more dangerously.
Thanks for all your hard work on NoScript - it's the strongest argument I have for using Firefox.
-Brian
December 6th, 2007 at 1:15 pm
Since you mentioned PDF readers, check out Sumatra PDF: http://blog.kowalczyk.info/software/sumatrapdf/
It's stupidly simple, but works quite nicely. So far I've only come across one document that I needed Adobe Acrobat to read, but that appears to be a rarity.
December 6th, 2007 at 1:24 pm
Why would it not be a good idea to enable these additional blockers by default? In the absence of compelling arguments, I'll vote to enable them, please. And thanks for this utility, it's awesome!
December 6th, 2007 at 4:08 pm
I agree, block everything by default. Those who are unaware will be unaware anyway. Those who know better will allow only those modules of interest. Opt-in is better than opt-out, since sometimes it is too late to opt-out.
By the way, the recaptcha.net challenge script was blocked and until I realized this I found no way to answer the challenges. Something to keep in mind. We shall see if the world sees this comment submission. Thank you.
December 6th, 2007 at 4:55 pm
I agree with everything being blocked by default too. I'm seeing a lot more people using FF and some just assume that they're now magically safe. My family and friends at least know that FF isn't magically safe, but after installing NoScript they balk at the need to actually change anything in its options. It's a great add-on to Mozilla, but I think it would be better to automatically block everything and let the users change their options if they want to be less safe.
December 6th, 2007 at 5:08 pm
I'm happy for plugins to be blocked by default but I'm not sure everyone else will be especially for Flash. Perhaps a couple of predefined choices should be provided.
December 6th, 2007 at 5:58 pm
I like the idea of having plugins blocked for untrusted sites by default.
I also suggest you ship NoScript with "Enable Scripts Globally (dangerous)" UNCHECKED -- there's no reason for most users to even know that option is available. In fact, why even have that option? Just disable NoScript in the Add-ons menu.
I would like a way to lock down NoScript for users on networks. If you could figure some way to password-lock NoScript's "Global" option, that would be great!
December 6th, 2007 at 6:32 pm
@Angus S-F:
You can already lock down NoScript for network users.
The following sample file can be found inside the XPI file if you unarchive it with a zip utility.
It should be self-explanatory after you read this preference locking how-to, but I'll write down a "Locking NoScript" tutorial as soon as I've got one minute to breathe...
December 6th, 2007 at 9:04 pm
Cool. I take it that
user_pref("noscript.showGlobal", false);
is the preferences line that allows toggling of global scripting?
What does "user_pref("noscript.blockNSWB", true);" control?
Question: when you update NoScript, do you add back the default domains to the whitelist if they have been removed?
December 6th, 2007 at 9:15 pm
Go for it. The safer the better. The option to allow the content is very user friendly.
TJ
December 6th, 2007 at 9:17 pm
Yes it is.
noscript.blockNSWB is the Forbid Web Bugs option.
NoScript updates do not touch your whitelist.
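Since a locked-down deployment only helps if the right prefs are actually locked, here is a small lint for a Firefox autoconfig file (mozilla.cfg). This is an added example, not NoScript's own sample file: Firefox executes mozilla.cfg as JavaScript (skipping its first line), so the lint evaluates the file with stub pref functions that merely record what it would set, then reports which of the two prefs named in this thread are not locked to the expected value. The sample configs are constructed for the example.

```javascript
// Constructed sample: a correct lockdown file. The first line of mozilla.cfg
// is skipped by Firefox, so it must be a comment.
const LOCKED_CFG = `// mozilla.cfg (constructed for this example)
lockPref("noscript.showGlobal", false); // hide "Allow Scripts Globally"
lockPref("noscript.blockNSWB", true);   // keep "Forbid Web Bugs" on
`;

// Constructed sample of the common mistake: pref() sets a default that any
// user can flip back in the UI, so showGlobal is not really locked down.
const WEAK_CFG = `// mozilla.cfg (constructed, deliberately weak)
pref("noscript.showGlobal", false);
lockPref("noscript.blockNSWB", true);
`;

// Evaluate a mozilla.cfg body with recording stubs and return
// {prefName: {value, locked}}. Only run this on files you wrote yourself:
// like Firefox, it executes the file as code.
function collectPrefs(cfgText) {
  const prefs = {};
  const record = (locked) => (name, value) => { prefs[name] = { value, locked }; };
  const api = {
    pref: record(false),        // default value, user may change it
    defaultPref: record(false), // same, for new profiles
    lockPref: record(true),     // value fixed, UI control greyed out
    clearPref: (name) => { delete prefs[name]; },
  };
  const body = cfgText.split("\n").slice(1).join("\n"); // skip first line
  new Function(...Object.keys(api), body)(...Object.values(api));
  return prefs;
}

// Names in `required` that are missing, unlocked, or locked to the wrong value.
function findUnlocked(prefs, required) {
  return Object.entries(required)
    .filter(([name, want]) => {
      const p = prefs[name];
      return !p || !p.locked || p.value !== want;
    })
    .map(([name]) => name);
}

// The two prefs discussed above: hide the global-allow option, force Forbid Web Bugs.
const REQUIRED_LOCKS = { "noscript.showGlobal": false, "noscript.blockNSWB": true };

console.log(findUnlocked(collectPrefs(LOCKED_CFG), REQUIRED_LOCKS)); // []
console.log(findUnlocked(collectPrefs(WEAK_CFG), REQUIRED_LOCKS));   // ["noscript.showGlobal"]
```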
December 6th, 2007 at 10:44 pm
Shipping with Forbid Flash, Forbid Silverlight and Forbid other plugins checked is a good idea.
December 6th, 2007 at 10:57 pm
Coming from a large system environment to the desktop and server world, I am *very* comfortable with the default deny permission stance.
It is a lot easier to grant permissions if needed than to try to lock down after the horses are out of the barn.
December 6th, 2007 at 11:05 pm
Yes, block Flash etc. by default.
But add a (larger?) "content blocked" signal, perhaps slightly less obtrusive than the 'pop-up blocked' message I see so often.
It's slightly irritating sitting at a site wondering why nothing works. Not irritating enough that I want to turn JavaScript back on.
But I'm worried that if Flash is blocked, I may think that a site just failed to load, since some sites start with only Flash.
December 6th, 2007 at 11:30 pm
Thanks
December 7th, 2007 at 9:51 am
Disabling Flash, Silverlight and other plugins should be default, so I agree you should ship your next version like that.
It is much easier to turn them off when needed (eg. "this stopped working just after this upgrade"), than to remember that you are vulnerable when "everything seems to work".
So go ahead with making it default by all means!
December 7th, 2007 at 1:24 pm
I would say yes to switching those on by default. Really, my thought is, we use NoScript as a safety feature (we being my family and friends, not the voices in my head, I don't count them...) and so my expectation has always been that when a new feature comes out it is on by default. It wasn't until I went in and played with the settings that I realized that they are not on by default and had to go turn them on. No big deal, just not what I was expecting out of default behavior. So, yes, please mark me down for turning them on by default.
December 7th, 2007 at 3:53 pm
I would recommend making the new plug-in protections the default. I don't know how long I have been running without those protections, because I assumed they were on by default.
I just happened to notice the issue with the latest upgrade.
Thanks for a valuable tool for all of us.
December 7th, 2007 at 5:04 pm
Disabling is fine, but I'd prefer to have them not disabled. One thing for sure, with the next release please don't overwrite my current settings for plugins. It'd be really obnoxious to have to go re-enable flash every time there's an upgrade.
December 7th, 2007 at 6:03 pm
Fine by me! I strongly prefer to have this kind of stuff only on an opt-in basis.
December 7th, 2007 at 7:13 pm
Obviously I am a Firefox user. I like Firefox - I switched to it a long time ago and ditched IE with its bulky interface and paranoid security settings and annoying prompts. And also because I liked its 'style'. I didn't have to change a lot of settings - it was already working as I would like it to. I installed NoScript because it was powerful and useful. But I am disappointed with the direction of its development. It is becoming more and more paranoid, just like IE. An addon is supposed to extend browser functionality. For me that means that its default settings must match current browser behavior. If it is going to disable plugins by default, I will either stick to the old version or uninstall it. Reason - the author's position is so different from my own that I can't trust him any more - who knows what else he will put in there 'for my own good'. I lived fine without NoScript before - I can manage on my own.
December 7th, 2007 at 8:17 pm
I like the idea of shipping with most of these disabled. But about Flash, is FlashBlock sufficient to block these attacks?
If so, it would also be nice if NoScript could detect the presence of FlashBlock (if that's even possible for a plugin), and enable Flash if it's there.
December 7th, 2007 at 9:05 pm
Went through the options again after new update. Your defaults set as they are is just what I would set myself except I add the Web Bugs under the Untrusted tab.
I have been recommending your NoScript tool to everyone I meet that uses Firefox. Best tool available that I have run across in ages.
December 7th, 2007 at 9:47 pm
Agree with most of the posts here - happy for the 'forbid' options to be enabled by default.
One thing I would *love* to see though is the ability to define what should be enabled on a per site basis. So, some sort of extended options for the whitelist. Adding a site to the whitelist defaults to allowing all blocked content (as it does currently), but give a user the option to select that they wish to block Flash for a particular site (I'm thinking a bunch of tick boxes alongside the site names in the whitelist box).
December 8th, 2007 at 6:45 am
Higher security by default is a great idea! Thanks for your work. I've been stuck on your great product since http://twit.tv/sn For me until now it wasn't possible to spread the word to any computer non-savvy person. Maybe there are ideas in this community to increase the proliferation. Thanks to all.
December 8th, 2007 at 8:30 am
Hi, I just read your updated advisory 1.1.9. Yes, I support your intention to activate any restrictions by default. For the average user it's become quite difficult to follow-up and understand all the potential threats. They feel secure by just having installed the software, and aren't aware that they remain vulnerable. So, opt-in is better than opt-out!
December 9th, 2007 at 11:52 am
Security by default is the way to go. You just have to make sure that users understand what's being blocked, why, and how to enable it for "safe" sites (what is safe nowadays is a different story). I've been a fan of NoScript for many years now. Keep up the good work. Dr. Veltsos, CISSP.
December 9th, 2007 at 11:42 pm
@Maone: put a flag on the "disabled by default" column also for me : ) needless to say great job with noscript
December 10th, 2007 at 11:24 am
I did forbid the plugins in options and encourage making it the default setting. Many times plugins are just CPU and bandwidth hogs and start to act automatically even if not desired.
December 10th, 2007 at 12:10 pm
I would very much appreciate having the plugin options switched to "on by default". I have several computers I'm using this on, and I can't always count on my kids checking options.
D Sojourner
December 10th, 2007 at 1:47 pm
Good security practice says that the default settings should deny everything, then things are permitted explicitly one-at-a-time.
Yes, please set all the defaults to be as safe as possible, right out of the box. People who install NoScript are doing it to enhance their browsing safety, so make it easy for them.
People who need to access scripts will have enough tech savvy to enable scripts on individual sites; by corollary, those lacking tech savvy shouldn't be browsing with Allow scripts Globally anyway.
Thanx for a great tool!
--Bob.
December 11th, 2007 at 2:56 pm
Go ahead and disable active content by default.
Thanks for the good work!
December 13th, 2007 at 8:30 pm
Yeah, I support blocking all plugins by default. That IS how I use it after all. (I'm really paranoid about security, even though I only use OS X and Linux and haven't touched Windows in about 3 or 4 months.)
I know that not all NoScript users know about the plugin blocking features, so if you were to block Flash by default, I would recommend using some sort of splash screen or a large notice on the NoScript home page that expressly mentions that Flash is turned off, explains why Flash is turned off, and explains how to turn Flash back on. Of course, since us techies are suggesting NoScript to our friends and family (I've completely lost track of the number of times I've recommended NoScript), it should be explained in a non-techie friendly way but without seeming too condescending.
December 14th, 2007 at 1:59 pm
I'm all for having Flash/Silverlight/Java/QuickTime turned off by default in the next version. That is how I run things now, and it works just fine. My browsing is a lot faster, and I see far fewer ads. The very few times I want to download things, I can.
Could you also have an option to turn off sound? I only know of 1 old exploit in a sound format, but there isn't any reason to expect we won't see some in the future, and it is a pain to hear the computer start playing something unexpectedly. I'm not sure how to indicate sound existence, however.
December 16th, 2007 at 2:17 am
[...] safe setup by unchecking the relevant Forbid preferences in the NoScript Options|Plugins panel. Read more about the security reasons behind these new default [...]
December 18th, 2007 at 8:46 pm
I was fine with Flash and for example QuickTime movies being allowed. I don't like this recent change in NoScript. Here's why. Whenever NoScript blocks content I get the impression that I escaped a security risk and that I shouldn't trust the webmaster of that respective site. However, similar to what former_ns_user said that is too paranoid for me now that it includes Flash and QuickTime. I liked the fact that NoScript blocks JavaScript (JS) by default. I'm convinced that there are JS features that a proper HTML or PHP website can deliver as well. Actually _forcing_ the visitor to have JS enabled looks like sloppy web design to me. That's avoidable.
After I was done working on my own website today (it has Flash videos) I checked it online and found that the videos weren't loading. I sat up straight, scratched my head and wondered when in the last days my own website had become a security risk to its visitors. At the same time I had other tabs open loading this week's movie trailers. That particular website delivers trailers as QuickTime movies. I saw these tabs blocking content and again I wondered: when since my last visit had this website become a security risk?
Blocking JavaScript should stay enabled by default. I encourage that as I hardly ever see JavaScript contributing a unique feature to my browsing experience. However, blocking for example Flash and QuickTime movies gives the impression that I shouldn't trust websites that I actually do trust. Websites I trust because I'm convinced they are harmless. My perception does not matter. NoScript knows better. If I were a visitor of my own website it'd be the other way round: I'd see blocked content and get the impression that the website is a security risk. At the very least I'd hesitate to click anywhere near the blocked content. Maybe I'd just turn tail. It would make me automatically suspicious of the webmaster's intentions.
Next stop is my regular movie trailer website; too risky now. I should find a new one that NoScript approves of. When it comes to movie trailers, too, my perception does not matter. NoScript knows better. Since I like to see videos I should look for a website that delivers .gif animations. The current NoScript version doesn't block them by default.
In my opinion NoScript overshot the mark in disabling these content types by default. They should be re-enabled by default.
December 25th, 2007 at 6:45 pm
[...] Register has also “discovered” Flash-based XSS, something that is surely old news in our circles: as you may remember, Sirdarkcat’s attack on RSnake was based on [...]
April 1st, 2008 at 12:15 am
[...] OS X was taken because the high-level softwares it bundles (especially its web browser and multimedia plugins) are not as safe as its FreeBSD-derivative [...]
July 1st, 2008 at 8:08 pm
[...] is that nothing could be said about browser plugins, universally recognized as an endless source of security pain. Even on this side, though, Firefox has some clear advantages: plugins can be disabled either [...]
February 7th, 2009 at 7:02 pm
[...] This can cause major security concerns, no doubt about that. They’ve accumulated lots of security issues of their own over the time, and the scriptable ones (like Flash or Java) are often used in combination with [...]
August 26th, 2009 at 10:09 pm
Hi,
Don't know much about the threats you mentioned but I am glad to use your tools.
I feel more confident when my whole family surfs the web without paying attention to anything.
Thank you so much for the time you give contributing to a safer environment (yes even on our so-called virus-free Mac)
C.