NoScript FTW
--nuff said
Twitter is sitting on an amateur configuration blunder that makes it trivial for attackers to take control of user accounts, a researcher said Friday. The error resides in an Adobe Flash object hosted on the microblogging site, said Mike Bailey, a senior security analyst with penetration testing firm Foreground Security. …
Yes, but in most of the cases you whitelist sites you go most often and then just add new ones as you crawl there. It's not optimal, I agree, but heck, that's how it works.
I'd be happy to see a managed list (something like Adblock subscription list) with whitelisted domains. If somebody's paranoid, they can always disable it and go the old school way.
...most sites don't require JavaScript to be active for anything other than their OWN domain and/or CDN. The rest is usually just GoogleAds, Google Urchin/Analytics, and other advert serving companies. For instance, for El Reg, I only have register.co.uk allowed and the site remains FULLY functional. Google-Analytics.com, quantserve.com and doubleclick.net are definitely not required and actually lead to a better layout of the site (no banners at the top of the page or mid story ads) as text often, if not always, re-flows to occupy the additional white space.
I'm sure we can guess which kind of sites you're visiting if you're getting JavaScript served from many different domains... and they're the exact kind of sites that you DON'T want to be allowing to serve you JavaScript from all over the shop!
As a side-note I have noticed Google, being the devious b*stards they are, hosting JQuery scripts, which many sites rely on for "glitzy" functionality, from their analytics domain. I'm sure you can see the problem* with that.
* Actually, it's not so much of a problem as, for instance, sites that use Google hosted JQuery "lightbox" scripts often just fall back to opening the image in a new window/tab so you don't actually need to allow Google Analytics for many sites to remain functional... if a little "old-school"! Google are just being evil by trying to "force" people to allow analytics!!
Where's your creativity? Where's your seizure-inducing colours? And the all-important line 40 to stop it from halting with the "scroll?" prompt when the screen gets full!
10 RANDOMIZE
20 LET x = INT(RND * 7) : LET y = INT(RND * 7) : LET z = INT(RND * 7)
30 PAPER x : INK y : BORDER z
40 POKE 23692, 255
50 PRINT "Dixons is crap ";
60 GOTO 20
And they called it a mis-spent youth....
Go back and re-read the article. It's other websites as well, Twitter was just an example. Although I agree it's an over-hyped service.
Does remind me why I stick with FF despite it being a blundering memory hog these days (3.6 is a minor improvement). Still waiting on noscript-a-like support on other browsers (adblock+ and flashblock would be nice as well, but we can't have everything).
Actually the memory issue tends to be related to No-Script - as much as I love the blocking add-on, I do find I purge my whitelist every 12 months or so for a performance boost.
Under vanilla operation FF runs about 20-30 meg... currently with my NoScript whitelist it runs at 76. (Whitelist contains about 280 entries.)
I know Opera has the ability to do much of this stuff, but it's not at the same UI level.
For example, everything is disabled with these add-ons on Firefox, I visit a site, I get a few missing items and sometimes some scrambled content from where javascript has been used (usually unnecessarily).
If I then want to enable javascript I have an icon in the bottom-right of the browser window I can click and choose the sites I wish allowed. Usually the site the page is on itself is the most likely to be safe and will fix almost all the issues.
As far as I can tell, to get the same use out of Opera I need to go fiddling through the options to enable things each time I visit a site. I also need to know in advance which sites I need to allow (it's not always obvious where sites are getting their javascript, which is another advantage of noscript).
In short, I acknowledge Opera has the ability, but it lacks the ease of use in this area.
I do use Opera on occasion, same as I use Chrome and, if forced, IE. I just prefer the security package I currently have set up with FF for most browsing. Personal choice and all that. ;o)
But I agree, it is quite fiddly to enable Javascript for a site in Opera, then it takes a while to process the new instruction - that may be because I have about 100 web pages open, perhaps it goes through them all evaluating my new preferences.
And then the web site still may not work with Opera. I think the main current gap is in support for dynamic thingies of some sort.
But the problem isn't "Opera isn't safe from this".
Then again, I think you also have to decide to disable Javascript in the first place...
has its off days and cannot be relied upon, unfortunately.
I have come across a problem where NoScript installed in Firefox using a strange foreign language, not English. Consequently, not much can be understood of the message content when it stops a script. Making it absolutely useless on my children's PC.
Er, even the program writer has been unable to fathom out this one. Any takers ?
And as for Firefox, you penguin heads might know why I cannot see the media player controls on my Myspace account. Flash Block isn't stopping the ads from playing, just the control panel ? NoScript would appear superfluous at this time.
PS I'm using Ubuntu 9.04 and SeaMonkey is very wonkey too. Hence the use of Epiphany and Opera, the only browsers that actually work under my version of Linux. Sheesh !
ALF
Out of the twenty two replies at the time of writing not one comment has addressed even vaguely the actual content of the article, with the possible exception of the first sentence from Phillip Webster. All I can see is the usual Twitter is crap, Twitter users are twats, they should use adblock plus turbo with go faster stripes type comments. I'm no stranger to asinine comments but once something has been said is there a need to repeat it? Please Ms. Moderator bring back the automatic response option.
I can't contribute anything because I'm not knowledgeable enough but I wish those who are equally less gifted would STFU and let those who are actually say something constructive.