hackademix.net » Mozilla
Giorgio Maone on NoScript, the Universe, and Everything
https://hackademix.net

Save Trust, Save OTF
https://hackademix.net/2020/06/30/save-trust-save-otf/
Tue, 30 Jun 2020 17:56:22 +0000, Giorgio

OTF-funded security/privacy FLOSS

As the readers of this blog almost surely know, I'm the author of NoScript, a web browser security enhancer which can be installed on Firefox and Chrome, and comes built-in with the Tor Browser.

NoScript has received support from the Open Technology Fund (OTF) for specific development efforts: especially, to make it cross-browser, better internationalized and ultimately able to serve a wider range of users.

OTF's mission is supporting technology to counter surveillance and censorship by repressive regimes and foster Internet Freedom. One critical and strict requirement, for OTF to fund or otherwise help software projects, is that they are licensed as Free/Libre Open Source Software (FLOSS), i.e. their code is publicly available for inspection, modification and reuse by anyone. Among the successful projects funded by OTF, you may know or use Signal, Tor, Let's Encrypt, Tails, Qubes OS, Wireshark, OONI and GlobaLeaks. Millions of users all around the world, no matter their political views, trust them because they are FLOSS, which makes vulnerabilities and even intentionally malicious code harder to hide.

Now this virtuous modus operandi is facing an existential threat, which started when the whole OTF leadership was fired and replaced by Michael Pack, the controversial new CEO of the U.S. Agency for Global Media (USAGM), the agency OTF reports to.

Lobbying documents emerged on the eve of former OTF CEO Libby Liu's defenestration, strongly suggesting this purge preludes a push to de-fund FLOSS, and especially "p2p, privacy-first" tools, in favor of large scale, centralized and possibly proprietary "alternatives": two closed source commercial products are explicitly named among the purportedly best recipients of funding.

Besides the weirdness of seeing "privacy-first" used as a pejorative when talking about technologies protecting journalists and human rights defenders from repressive regimes such as Iran or the People's Republic of China (even more now, while the so-called "Security Law" is enforced against Hong Kong protesters), I find very alarming the lack of recognition of how radically important it is for these tools to be open source in order to be trusted by their users, no matter the country or the fight they're in, when their lives are at risk.

Talking of my own experience (but I'm confident most other successful and effective OTF-funded software projects have similar stories to tell): I've been repeatedly approached by law enforcement representatives from different countries (including PRC) - and also by less "formal" groups - with a mix of allegedly noble reasons, interesting financial incentives and veiled threats, to put ad-hoc backdoors in NoScript. I could deny all such requests not because of any exceptional moral fiber of mine, even though being part of the "OTF community", where the techies who build the tools meet the human rights activists who use them in the field, helped me grow more aware of my responsibilities. I could say "no" just because NoScript being FLOSS made it impractical/suicidal: anyone looking at the differences in the source code could spot the backdoor, and I would lose any credibility as a security software developer. NoScript would be forked, in the best case scenario, or dead.

The strict FLOSS requirement is only one of the great features in OTF's transparent, fair, competitive and evidence-based award process, but I believe it's the best assurance we can actually trust our digital freedom tools.

I'm aware of (very few) other organizations and funds adopting similar criteria, and likely managing larger budgets too, especially in Europe: so if the USA really decides to give up its leadership in the Internet Freedom space, NoScript and other tools such as Tor, Tails or OONI would still have a door to knock at.

But none of these entities, AFAIK, own OTF's "secret sauce": bringing together technologists and users in a unique, diverse and inclusive community of caring humans, where real and touching stories of oppression and danger are shared in a safe space, and help shape effective technology which can save lives.

So please, do your part to save Internet Freedom, save OTF, save trust.

A cross-browser code library for security/privacy extensions. Interested?
https://hackademix.net/2020/03/07/a-cross-browser-code-library-for-securityprivacy-extensions-interested/
Fri, 06 Mar 2020 22:16:38 +0000, Giorgio

The problem

Google's "Manifest V3" ongoing API changes are severely hampering browser extensions in their ability to block unwanted content and to enforce additional security policies, threatening the usefulness, if not the very existence, of many popular privacy and security tools. uBlock's developer made clear that this will cause him to cease supporting Chromium-based browsers. Also EFF (which develops extensions such as HTTPS Everywhere and Privacy Badger) publicly stigmatized Google's decisions, questioning both their consequences and their motivations.

NoScript is gravely affected too, although its position is not as dire as others': in fact, I finished porting it to Chromium-based browsers at the beginning of 2019, when Manifest V3 had already been announced. Therefore, in the late stages of that project and beyond, I've spent considerable time researching and experimenting with alternate techniques, mostly based on standardized Web Platform APIs and thus unaffected by Manifest V3, which make it possible to implement comparable NoScript functionality, albeit at the price of added complexity and/or performance costs. Furthermore, Mozilla developers stated that, even though staying as compatible as possible with the Chrome extensions API is a goal of theirs, they do not plan to follow Google in those choices which are more disruptive for content blockers (such as the deprecation of blocking webRequest).

While this means that the future of NoScript is relatively safe, on Firefox and the Tor Browser at least, the browser extensions APIs and capabilities are going to diverge even more: developing and maintaining a cross-browser extension, especially if privacy and/or security focused, will become a complexity nightmare, and sometimes an impossible puzzle: unsurprisingly, many developers are ready to throw in the towel.

What would I do?

NoScript Commons Library

The collection of alternate content interception/blocking/filtering techniques I've experimented with and I'm still researching in order to overcome the severe limitations imposed by Manifest V3, in their current form are best defined as "a bunch of hacks": they're hardly maintainable, and even less so reusable by the many projects which are facing similar hurdles. What I'd like to do is to refine, restructure and organize them into an open source NoScript Commons Library. It will provide an abstraction layer on top of common functionality needed to implement in-browser security and privacy software tools.

The primary client of the library will be obviously NoScript itself, refactored to decouple its core high-level features from their browser-dependent low-level implementation details, becoming easier to isolate and manage. But this library will also be freely available (under the General Public License) in a public code repository which any developer can reuse as it is or improve/fork/customize according to their needs, and hopefully contribute back to.

What do I hope?

Some of the desired outcomes:

  • By refactoring its browser-dependent "hacks" into a Commons Library, NoScript manages to keep its recently achieved cross-browser compatibility while minimizing the cross-browser maintenance burden and the functionality loss coming from Manifest V3, and mitigating the risk of bugs, regressions and security flaws caused by platform-specific behaviors and unmanageable divergent code paths.
  • Other browser extensions in the same privacy/security space as NoScript are offered similar advantages by a toolbox of cross-browser APIs and reusable code, specific to their application domain. This can also motivate their developers (among the most competent people in this field) to scrutinize, review and improve this code, leading to a less buggy, safer and overall healthier privacy and security browser extensions ecosystem.
  • Clearly documenting and benchmarking the unavoidable differences between browser-specific implementations helps users make informed choices based on realistic expectations, and pressures browser vendors into providing better support (either natively or through enhanced APIs) for the extensions-provided features which couldn't be optimized for their product. This will clearly outline, in a measurable way, the difference in commitment to a thriving ecosystem of in-browser security/privacy solutions between Mozilla and other browser vendors, keeping them accountable.
  • Preserving a range of safe browsing options, beyond Firefox-based clients, increases the diversity in the "safe browsing" ecosystem, making web-based attacks significantly more difficult and costly than they are in a Firefox-based Tor Browser mono-culture.

I want you!

Are you an extensions developer, or otherwise interested in in-browser privacy/security tools? I'd be very grateful to know your thoughts, and especially:

  1. Do you think this idea is useful / worth pursuing?
  2. What kind of features would you like to see supported? For instance, content interception and contextual blocking, filtering, visual objects replacement (placeholders), missing behavior replacement (script "surrogates"), user interaction control (UI security)...
  3. Would you be OK with an API and documentation style similar to what we have for Firefox's WebExtensions?
  4. How likely would you be to use such a library (either for an existing or for a new project), and/or to contribute to it?

Many thanks in advance for your feedback!

Cross-Browser NoScript hits the Chrome Store
https://hackademix.net/2019/04/12/cross-browser-noscript-hits-the-chrome-store/
Fri, 12 Apr 2019 10:59:26 +0000, Giorgio

I'm pleased to announce that, some hours ago, the first public beta of cross-browser NoScript (10.6.1) passed Google's review process and has been published on the Chrome Web Store.
This is a major milestone in NoScript history, started on May the 13th 2005 (next year we will celebrate our 15th birthday!).

NoScript on the chrome web store

Over all these years NoScript has undergone many transformations, porting and migrations:

  • three distinct Android portings (one for Fennec "classic", one for Firefox Mobile, the last as a WebExtension);
  • one partial rewrite, to make it multi-process compatible;
  • one full, long and quite dramatic rewrite, to migrate it to the WebExtensions API (in whose design and implementation Mozilla involved me as a contributor, in order to make this possible).

And finally today we've got a unified code base compatible with both Firefox and Chromium, and possibly in future with other browsers supporting the WebExtensions API to a sufficient extent.
One difference Chromium users need to be aware of: on their browser NoScript's XSS filter is currently disabled: at least for the time being they'll have to rely on the browser's built-in "XSS Auditor", which unfortunately over time proved not to be as effective as NoScript's "Injection Checker". The latter could not be ported yet, though, because it requires asynchronous processing of web requests: one of the several capabilities provided to extensions by Firefox only. To be honest, during the "big switch" to the WebExtensions API, which was largely inspired by Chrome, Mozilla involved me in its design and implementation with the explicit goal to ensure that it supported NoScript's use cases as much as possible. Regrettably, the additions and enhancements which resulted from this work have not been picked up by Google.

Let me repeat: this is a beta, and I urge early adopters to report issues in the "Support" section of the NoScript Forum, and more development-oriented ones to file technical bug reports and/or contribute patches at the official source code repository. With your help as beta testers, I plan to bless NoScript 11 as a "stable Chromium-compatible release" by the end of June.

I couldn't thank enough the awesome Open Technology Fund folks for the huge support they gave to this project, and to NoScript in general. I'm really excited at the idea that, under the same umbrella, next week Simply Secure will start working on improving NoScript's usability and accessibility. At the same time, integration with the Tor Browser is getting smoother and smoother.

The future of NoScript has never been brighter :)

See also ZDNet's and GHacks' coverage of the announcement.

NoScript, "Quantum" vs "Legacy" in a nutshell
https://hackademix.net/2017/12/04/noscript-quantum-vs-legacy-in-a-nutshell-2/
Mon, 04 Dec 2017 00:13:46 +0000, Giorgio

Someone seems to be still convinced that changing our beloved NoScript UI has been a whimsical (and suicidal) decision of mine, entirely avoidable.

The ones who know better about recent history of Firefox and of its add-ons ecosystem are aware, though, that the UI couldn't stay the same simply because the technical foundation (XUL/XPCOM) for the "old" one is not there anymore, and NoScript has been forced into being completely rewritten as a WebExtension (and therefore its UI as pure HTML) or just die.

Since it was anyway impossible to replicate exactly the well known user experience provided by NoScript 5.x (which, BTW, is still actively maintained and available here), I've tried to find a silver lining in the forced rewrite, taking it as a chance to incorporate user feedback collected over more than 12 years, especially about making the permissions system more customizable.

And indeed, the old concepts are all still there, but the way they are implemented is more flexible and amenable to customization, albeit admittedly less discoverable and, for long time users, surely confusing at least initially.



Bugs aside, I think the biggest problem with the transition, which I'm truly sorry for, is me not having found the time yet to write any proper user-oriented documentation for NoScript 10; but maybe we can start here by providing a minimalistic overview, mapping the new "Quantum" UI onto the "Legacy" (I actually prefer to call it "Classic") one:

  • In NoScript 10 we've got 3 presets (DEFAULT, UNTRUSTED and TRUSTED): you can assign one of them to any site, and the sites with the same preset share the same set of (configurable) permissions
  • For sites that don't fit in any of the 3 aforementioned presets, you can choose to use CUSTOM permissions: CUSTOM is not a preset, but a way to give very specific permissions to a site, applying to that site only
  • Back to presets, DEFAULT is the set of permissions that any unknown site has. So if you don't touch NoScript, beside a handful of websites (the "old" default whitelist) pre-assigned with the TRUSTED preset, all the sites on the Web have the permissions of the DEFAULT preset (i.e. almost none).
  • "Temporary allow xyz.com" maps to clicking the TRUSTED preset on the xyz.com row.
  • "Allow xyz.com" (permanently) maps to clicking the clock-shaped icon onto the TRUSTED preset (which means "Temporary"), to disable it (and make the preset assignment "Permanent")
  • "Forbid xyz.com" maps to clicking the DEFAULT preset, which actually means deleting the site from the internal "whitelist". In fact, if you do it in the general Options panel, next time you open the panel (or refresh it) the site is not even listed there anymore. It doesn't disappear right away for convenience, to give you the chance to change your mind or correct mistakes.
  • "Mark xyz.com as untrusted" maps to clicking the UNTRUSTED preset, which contains no permission at all and is meant to collect and remember the "known bad sites" in a permanent blacklist.
  • And then CUSTOM, which is new to NoScript 10 and lets you fine tune just a certain website with its own specific permissions, either more restrictive than DEFAULT or more permissive than TRUSTED; this tuning is either permanent (by default, the clock-shaped icon in this case comes disabled) or temporary, by additionally clicking the clock-shaped icon.
  • Each and all the presets can be freely customized to your own needs, with the convenience constraint that you cannot remove the "script" permission from TRUSTED, and you cannot add it to UNTRUSTED. However, the factory presets are very similar to the "old" NoScript experience.

What about the "Match HTTPS only" green/red lock toggle? If green (locked), the toggle makes base domain entries (e.g. "..google.com") match themselves and all their subdomains, but only if their protocol is HTTPS (and therefore the traffic is encrypted and not easily tampered with). Otherwise, if red and unlocked, both HTTP and HTTPS match: this has bad security implications, especially on "hostile" networks where injecting malicious scripts directly in the unencrypted traffic is relatively easy, but is unfortunately needed for some sites to work. NoScript tries to give you the "smartest" default for each site, i.e. green if the page is already served on HTTPS, red otherwise.
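To make the "Match HTTPS only" semantics described above concrete, here is an added sketch (not NoScript's actual code) of how a base-domain entry with a lock flag can be matched against a URL. The rule list, the function names and the "most specific domain wins" tie-break are assumptions made for illustration.

```javascript
// Added illustration, not taken from the NoScript source.
// Constructed sample policy: each entry is a base domain, a lock state
// ("Match HTTPS only") and the preset assigned to it.
const SAMPLE_RULES = [
  { domain: "noscript.net", httpsOnly: true, preset: "TRUSTED" },
  { domain: "legacy.example", httpsOnly: false, preset: "TRUSTED" },
  { domain: "ads.example", httpsOnly: false, preset: "UNTRUSTED" },
];

// A domain entry matches itself and its subdomains, but only on a label
// boundary: "evilnoscript.net" must not match "noscript.net".
function hostMatchesDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns true if the rule applies to the URL. A locked (httpsOnly) rule
// never matches plain HTTP, so content injected into unencrypted traffic
// cannot inherit the permissions granted to the HTTPS site.
function ruleMatches(rule, urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable input matches nothing
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  if (rule.httpsOnly && url.protocol !== "https:") return false;
  // URL already lowercases the host; drop a trailing root dot if present.
  const host = url.hostname.replace(/\.$/, "");
  return hostMatchesDomain(host, rule.domain);
}

// Unknown sites fall back to DEFAULT. When several entries match, the
// longest (most specific) domain wins: an assumption of this sketch.
function presetFor(urlString, rules = SAMPLE_RULES) {
  let best = null;
  for (const rule of rules) {
    if (!ruleMatches(rule, urlString)) continue;
    if (best === null || rule.domain.length > best.domain.length) best = rule;
  }
  return best ? best.preset : "DEFAULT";
}

// The default lock state described in the text: green (locked) if the page
// is already served over HTTPS, red (unlocked) otherwise.
function defaultLockFor(urlString) {
  return new URL(urlString).protocol === "https:";
}
```

With the sample rules, `https://static.noscript.net/` resolves to TRUSTED while `http://www.noscript.net/` falls back to DEFAULT, which is the behaviour the locked toggle is meant to guarantee.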

A lot more needs to be written yet, but these are the bare bones.
If you find bugs or need support, rather than using the blog comments or, even worse, the AMO review system as a way to communicate with developers, please submit to the support forum here.

And if you want to help me with development, please install the latest development build, which is released even more often than the stable one and ships both bug fixes and new features earlier. And please keep providing feedback, as especially the UI is still a work in progress and I'm eager to make it better than before, by merging as much as possible of your valuable contributions.

Thank you all!

NoScript Quantum 10.1.5, starts to feel normal
https://hackademix.net/2017/12/01/noscript-quantum-1015-starts-to-feel-normal/
Fri, 01 Dec 2017 21:52:12 +0000, Giorgio

Just released 10.1.5, and its changelog starts to taste familiar, with names already well known in NoScript's development history, like Masato or Mario:

v 10.1.5
=============================================================
+ [XSS] Added "Always block requests from ... to ..." in XSS
  warning prompt
x [XSS] Fixed url decoding bug (thanks Masato Kinugawa for
  reporting)
x Fixed some blocked items not reported in the UI (thanks Bo
  Elam for reporting)
x Changed the CSP internal report URI to noscript-csp.invalid
  (thanks Tom Schuster  Mario Heiderich for RFE)
- Removed unused MSE detection code (thanks Rob Wu for
  reporting)

From a usability standpoint, the biggest news is that now you can silence the XSS filter not just by whitelisting ("Always allow requests from... to...") but also by blacklisting ("Always block...").
Of course, much more to come in the next days and weeks...

XSS Prompt with "Always Block"

Time to stabilize: NoScript Quantum 10.1.4
https://hackademix.net/2017/12/01/time-to-stabilize-noscript-quantum-1014/
Fri, 01 Dec 2017 06:58:41 +0000, Giorgio

NoScript Quantum 10.1.4 is out, and while it might seem a fairly minor release, it does fix some performance issues under the hood and a quite annoying bug making maximized windows "jump down" when you open the NoScript UI. Talking of which, now that this back-end cleanup is done, I can finally give some more love to all the suggestions about improving usability that you kindly provided so far.

Starting with the XSS popup, which unfortunately cannot be an "old style", interactive but out of your way, notification anymore because of limitations in the WebExtensions (I cannot even open the NoScript menu programmatically, it must be reacting to user's input); but can, for instance, include an "always block requests from a.com to b.com" to make it less noisy.

Thank you also for all the UI prototypes and wireframes you've sent, I'm gonna start trying merging some of these ideas right away :)

Growing Pains (10.1.3 RCs)
https://hackademix.net/2017/11/28/growing-pains-1013-rcs/
Tue, 28 Nov 2017 16:45:56 +0000, Giorgio

You may have noticed I'm rapid-firing NoScript updates to steer the new UI toward most reasonable directions emerging from your feedback.
Unfortunately (or not, in time) it couldn't ever be exactly the same as before, simply because the underlying "legacy" Firefox technology (XUL/XPCOM) is not available to extensions developers anymore. But it can become even better than before, with some patience and some.
Now to the pains.
This morning version 10.1.3rc2 has been available for a couple of hours, with some important fixes but an even more annoying regression: it erased all permissions from the TRUSTED preset except for "script" (so no objects, no media, no fonts, no background loads and so on). Worse, the checkboxes to restore them were disabled. Since then I've released 10.1.3RC3 which fixes the disabled checkboxes issue, but you still need to restore the TRUSTED permissions (I suggest checking everything, like in the screenshot before, in order to make TRUSTED sites behave as if NoScript wasn't there).
Sorry for the inconvenience, and please keep the suggestions coming, thank you.
All permissions checked in the TRUSTED preset

NoScript 10.1.2: Temporary allow all and more
https://hackademix.net/2017/11/23/noscript-1012-temporary-allow-all-and-more/
Thu, 23 Nov 2017 00:28:17 +0000, Giorgio

v 10.1.2
=============================================================
+ Added "Revoke temporary permissions" button
+ Added "Temporarily allow all this page" button
x Simplified popup listing, showing base domains only (full
  origin URLs can still be entered in the Options window to
  further tweak permissions)
x Fixed UI not launching in Incognito mode
x Fixed changing permissions in the CUSTOM preset affecting
  the DEFAULT permissions sometimes
x Fixed UI almost unusable in High Contrast mode
x Fixed live bookmark feeds blocked if "fetch" permissions
  were not given
x Fixed background requests from other WebExtensions being
  blocked

Update

Oh, and in case you missed it (sorry, how couldn't you, since I didn't manage to write any documentation yet?), Alt+Shift+N is the convenient keyboard shortcut to #NoScript10's permission management popup :)

Top immediate priorities for NoScript Quantum
https://hackademix.net/2017/11/21/top-immediate-priorities-for-noscript-quantum/
Tue, 21 Nov 2017 16:06:32 +0000, Giorgio

Based on the immediate user feedback, here's my TODO list for what I'm doing today:

Temporarily allow on NoScript 10 Quantum

  • Fixing the Private Browsing (Incognito) bug making the UI unusable on private windows (even though everything else, including the XSS filter, still works)
  • Getting rid of all the "legacy" localization strings that are creating confusion on internationalized browsers, and restart fresh with just English, refining the messages for maximum clarity and adherence with the new UI paradigm
  • Tweaking a bit the permissions preset system by making them customizable only on the options page, rather than in the popup, except for the CUSTOM preset.
  • Figuring out ways to make more apparent that
    • temporary permissions are still there: you just need to toggle the clock button on the preset (TRUSTED or CUSTOM) you choose: the permission will go away as soon as you close the browser;
    • selecting DEFAULT as a preset really means "forget about this site", even though you keep seeing its entry until you close the UI (for convenience, in case you made a mistake or change your mind);
    • the "lock" icon is actually another toggle button, and dictates how sites are matched: if it's locked/green, as suggested by the title ("Match HTTPS only"), only sites served on secured connections will be matched, even if the rule is for a (base) domain and cascades to all its subdomains. This is a convenience to, say, make just "noscript.net" TRUSTED and match also "https://www.noscript.net" and "https://static.noscript.net" but neither "http://www.noscript.net" nor "http://noscript.net".

    OK, an updated guide/tutorial/manual with screenshots is sorely needed, too. One thing at a time. Back to work now!

    NoScript 10.1.1 Quantum Powerball Finish... and Rebooting
    https://hackademix.net/2017/11/21/noscript-1011-quantum-powerball-finish-and-rebooting/
    Mon, 20 Nov 2017 23:17:44 +0000, Giorgio

    v 10.1.1
    =============================================================
    + First pure WebExtension release
    + CSP-based first-party script script blocking
    + Active content blocking with DEFAULT, TRUSTED, UNTRUSTED
      and CUSTOM (per site) presets
    + Extremely responsive XSS filter leveraging the asynchronous
      webRequest  API
    + On-the-fly cross-site requests whitelisting
    

    Thanks to the Mozilla WebExtensions team, and especially to Andy, Kris and Luca, for providing the best Browser Extensions API available on any current browser, and most importantly for the awesome tools around it (like the Add-on debugger).

    Thanks to the OTF and to all the users who supported and are supporting this effort financially, morally and otherwise.

    Coming soon, in the next few weeks: ClearClick, ABE and a public code repository on Github.

    Did I say that we've got a chance to reshape the user experience for the best after more than a dozen years of "Classic" NoScript?
    Make your craziest ideas rain, please.

    Long Live Firefox Quantum, long live NoScript Quantum.

    Update

    Just gave a cursory look at the comments before getting some hours of sleep:

    • Temporary allow is still there, one click away, just toggle the clock inside the chosen preset button.
    • For HTTPS sites the base domain is selected by default with cascading, while for non-secure sites the default match is the full address.
    • For domain matching you can decide if only secure sites are matched by clicking on the lock icon.
    • You can tweak your "on the fly" choices in the Options tab by searching and entering base domains, full domains or full addresses in the text box, then customizing the permissions of each.

    Next to come (already implemented in the backend, working on the UI): contextual permissions (e.g. "Trust facebook.net on facebook.com only").
    And yes, as soon as I get a proper sleep refill, I need to refresh those 12 years old instructions and screenshots. I know I've said it a lot already, but please keep being patient. Thank you so much!

    Update 2

    Thanks for reporting the Private Browsing Window bug, I'm gonna fix it ASAP.

    Update 3

    Continues here...
