Friday, 14 September 2007

Firefox security: NoScript review

If you use Firefox, for your own online safety you should install NoScript. This review of the free NoScript extension for Fox (NoScript homepage) explains why I think that.

NoScript is an extension or add-on for Fox which automatically blocks Javascript and Java from running in Fox. As bad guys could use hidden Javascript or Java on web sites that you visit to infect your computer with all sorts of nasties, NoScript is A Very Good Thing. I've been using it for a month or two now, myself.

I should have installed it much earlier, but foolishly I'd mistakenly got the impression that it killed all Javascript indiscriminately, and because many of the sites I visit won't work without Javascript I just didn't look into NoScript properly until relatively recently. As I mentioned, I was wrong.

As it turns out, NoScript does stop good as well as bad Javascript dead in its tracks. But you can still access the sites you know are "good" or "safe" yet require Javascript to work, like Gmail: when you visit any site that has Javascript or Java, a warning line pops up above your status bar, and via the NoScript options you can then positively choose to Allow (or Temporarily allow) script originating from a particular site to run in Fox.

If you trust the site and click the option to allow scripts from it, you won't see the warning again on future visits to the site. So, you only have to allow a trusted site once - it's really not much hassle for the much better security and protection you'll enjoy.

Why do I think installing NoScript is a no-brainer if you're a Firefox user?

It's not just because I'm the ultra-cautious "safe computing safe sex safe everything!" type who runs an anti-virus checker, anti-adware (like Ad-Aware, which you can get in Google Pack) and anti-spyware software (like Spybot) at least once a week, and an online virus scanner like NOD32's Eset at least once a month. I really think there's no excuse not to be safe when there are so many excellent free computer security tools out there.

The bad guys have moved on: viruses were initially spread by opening infected files on floppy disk or in email attachments, then your PC could be attacked if you were simply online, connected to the internet, without a firewall. Now, your system can become compromised even if you have a firewall and anti-virus, anti-spyware etc software on your computer, just by your going to some dodgy website or clicking on certain suspect links.

You need protection for your browser. And, as is usually the case with computer security and internet security generally, you have to look after yourself - you can't just rely on software or hardware suppliers or ISPs etc to do it for you (though some of them may have to at some point, if the UK government takes up the House of Lords' recommendations in their interesting August 2007 report on Personal Internet Security following their investigation).

Generally, Firefox is thought to be safer than Internet Explorer, but even Firefox has its vulnerabilities.

There are various potential Firefox security holes or risks which NoScript, and in some cases only NoScript, can stop - e.g. cross site scripting or XSS dangers, or the QuickTime security hole in Firefox.

NoScript provides the necessary defence for many potential Firefox exploits, in my view striking the perfect balance between security and usability / functionality - and it's free.

So if you have Fox and you don't already have it, go ahead and try NoScript - you've nothing to lose (how to install Firefox extensions).

However, I'm still waiting for a workable solution for Internet Explorer. It's certainly not Haute Secure toolbar, in my opinion!


IgUaNNa Videos said...

Well, I found a video that explains the best anti-virus solution, and it seems it's really true! :)

Improbulus said...

Haha well I suppose no Net means you won't get certain viruses, that's true - but there's still the possibility of getting viruses from files on floppy disk or USB keys / flash drives...

Daryl said...

My only issue with NoScript is you have to be a fairly sophisticated user to know which scripts to allow to make a site work. Casual computer users would be left nonplussed by NoScript, and even more advanced users could have to take a guess at which scripts to allow.

Also, if a site is completely unfamiliar, do you allow the scripts or not? If not, you just can't use the site. If you do, you're taking a real risk and NoScript may as well not even be there.

It's better than nothing, but Java and JavaScript really should be modified to remove from them the ability to harm your computer. That may not be possible to do while maintaining the usefulness of these tools at the same time, however.

Carl said...

@Daryl: Java & JavaScript are *supposed* to be sandboxed. Unfortunately, the bad guys are forever finding the leaks...therefore only a 'default-deny' policy can really keep up with them.

However, casual users are better off with NoScript even if they can't handle its full protection. To make most sites work by default, but still blocking third-party scripts, try enabling 'Temporarily allow top-level sites by default.'

If even that gets in your way too much, and you're just not willing to take the time to manually trust sites, then try 'Allow Scripts Globally'. You'll still benefit from NoScript's built-in protections against XSS, clickjacking, and miscellaneous other, and can manually blacklist sites if you feel so inclined.

Personally, I always deny sites by default, and I find that I'm getting into the habit of checking the NoScript icon as soon as I see a form.
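The three settings discussed in the comments above (deny by default, allow top-level sites, allow scripts globally with a manual blacklist) can be compared with a small model. This is an added example, not NoScript's own code; the mode names, the exact-hostname matching rule and the sample URLs are assumptions made for illustration.

```javascript
// Simplified model of per-site script blocking; not NoScript's own code.
// Assumptions: mode names, exact-hostname matching, constructed sample URLs.
const MODE = {
  DENY: "deny-by-default",
  TOP_LEVEL: "allow-top-level-sites",
  GLOBAL: "allow-scripts-globally",
};

const hostOf = (url) => new URL(url).hostname.toLowerCase();

// Decide whether one script may run on the page that includes it.
function decide(policy, pageUrl, scriptUrl) {
  const scriptHost = hostOf(scriptUrl);
  // An explicit blacklist entry wins in every mode.
  if (policy.blacklist.includes(scriptHost)) return "blocked: blacklisted";
  if (policy.mode === MODE.GLOBAL) return "allowed: global";
  if (policy.trusted.includes(scriptHost)) return "allowed: trusted site";
  // Only the site in the address bar is allowed; third parties stay blocked.
  if (policy.mode === MODE.TOP_LEVEL && scriptHost === hostOf(pageUrl)) {
    return "allowed: top-level site";
  }
  return "blocked: default deny";
}

// Hosts whose scripts would be blocked on a given page.
function blockedHosts(policy, pageUrl, scriptUrls) {
  return scriptUrls
    .filter((s) => decide(policy, pageUrl, s).startsWith("blocked"))
    .map(hostOf);
}

// Constructed sample: one page pulling scripts from three hosts.
const PAGE = "https://shop.example/cart";
const SCRIPTS = [
  "https://shop.example/js/cart.js",
  "https://cdn.example/lib.js",
  "https://tracker.example/t.js",
];

const strict = { mode: MODE.DENY, trusted: ["shop.example"], blacklist: [] };
const casual = { mode: MODE.TOP_LEVEL, trusted: [], blacklist: [] };
const permissive = { mode: MODE.GLOBAL, trusted: [], blacklist: ["tracker.example"] };

for (const [name, p] of Object.entries({ strict, casual, permissive })) {
  console.log(name, "blocks", blockedHosts(p, PAGE, SCRIPTS));
}
```

In this model the strict and casual policies block the same third-party hosts on a trusted page; they differ on a site that has never been trusted, where strict blocks the site's own scripts and casual lets them run.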