New Update NoScript Security Suite

[Alhaitham]

The NoScript Security Suite is Free Open Source Software (FOSS) providing extra protection for Firefox (on Android, too!), Chrome, Edge, Brave and other web browsers.




NoScript is a built-in key security component of the Tor Browser, the top anonymity tool defending millions against surveillance and censorship.

This browser extension allows JavaScript and other potentially harmful content to be executed only by trusted web sites of your choice (e.g. your online bank).

NoScript also provides the most powerful anti-XSS protection ever available in a browser.

NoScript's unique pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known, such as Meltdown or Spectre, and even not known yet!) with no functionality loss: you can enable JavaScript and other dynamic capabilities for sites you trust with a simple click.

Staying safe has never been so easy!

Experts* will agree: the web is really safer with NoScript!

* experts endorsing NoScript, among others: Edward Snowden (former NSA analyst and whistleblower against surveillance state); Window Snyder (former top security officer at Microsoft, Square, Inc., Apple, Fastly, Intel and Mozilla Corp.); Douglas Crockford (Javascript expert and creator of the JSON format); the Sans Internet Storm Center

v 11.4.22
============================================================
x [L10n] Updated uk
x Consistently apply DEFAULT policy to top-level data: URLs

Get it! - NoScript: Own Your Browser!

The NoScript Security Suite is Free Software protecting Firefox (on Android, too!), Chrome, Edge, Brave and other web browsers. Install NoScript now!

noscript.net

 

[ForgottenSeer 97327]

OKay, scripts were a nightmare security wise in XP and IE era. With browser processes running with low rights (FF) untrusted (Chrome) rights or even in AppContainer (Edge), are scripts still such a threat? On top of that disabling the Just In Time compiler seems to reduce 95% of the risks.

 

[Jonny Quest]

I personally found it, NoScript, to be to confusing for me when I had tried using it, and gave up on it.

 

[Zappathustra]

OKay, scripts were a nightmare security wise in XP and IE era. With browser processes running with low rights (FF) untrusted (Chrome) rights or even in AppContainer (Edge), are scripts still such a threat? On top of that disabling the Just In Time compiler seems to reduce 95% of the risks.

And 95% of performance?

 

[brambedkar59]

I personally found it, NoScript, to be to confusing for me when I had tried using it, and gave up on it.

Yeah, it's a hassle. At that point might as well start reading a newspaper while listening to songs on FM radio/cable TV.

 

[ErzCrz]

NoScript saved my bacon a number of times when I used it. Switched to Hard-Mode Ublock origin as its's site specific. Great once you whitelist the sites you do use and their data sources but I find uBO a bit easier though I like NS's look up of the domains rating/info.

 

[Digmor Crusher]

Yeah, it's a hassle. At that point might as well start reading a newspaper while listening to songs on FM radio/cable TV.

Coincidentally, all things I do.

 

[ForgottenSeer 97327]

@Zappathustra

No in benchmarks it showed that it only cost 5-10 percent maximum. Also when in default mode, it disables this enhanced protection when you visit a website often, so I can't imagine performance to be an issue.

There is an easy workaround, use policies to disable it for a few TLD's (see pic). The always on strict inprivate overrules these policy setting, so you still safely visit your favorite dodgy website.

Spoiler: Bypass enhancemode on TLD level

 

[Zappathustra]

@Zappathustra

No in benchmarks it showed that it only cost 5-10 percent maximum. Also when in default mode, it disables this enhanced protection when you visit a website often, so I can't imagine performance to be an issue.

There is an easy workaround, use policies to disable it for a few TLD's (see pic). The always on strict inprivate overrules these policy setting, so you still safely visit your favorite dodgy website.

Spoiler: Bypass enhancemode on TLD level

View attachment 276110

I was just joking with the 95% thing, i remember vaguely seeing one or two benchmarks. But thanks for the clarification, made me rethink some misconceptions, useful info!

I don't use Edge, I'll have to check if I can use equivalent group policies with Firefox, too.

 

[HarborFront]

The settings for a website are non-persistent. So it's a hassle every time you visit the same website to reset them. However, you can make them persistent but that will defeat the purpose of using it.

 

[ForgottenSeer 97327]

The settings for a website are non-persistent. So it's a hassle every time you visit the same website to reset them. However, you can make them persistent but that will defeat the purpose of using it.

The default setting is to disable this feature when you vist a website often (then JIT is enabled). So making it persistent on websites you visit often is not against the intended purpose IMO

On my wife's laptop, I had made it persistent for ZiggoGoTV, Netflix, Viaplay and PrimeVideo. I just removed these settings and on all four websites Edge disabled iEnhanced protection by itself.

 

[ichito]

For me the best/efficient addon for controlling and blocking unwanted elements of pages used by me from years as the obligatory one.
It's similar to "anti-exe" apps role in system.

 

[brambedkar59]

On top of that disabling the Just In Time compiler seems to reduce 95% of the risks.

Where are you getting that number "95%" from? From article (link below)

Looking at CVE (Common Vulnerabilities and Exposures) data after 2019 shows that roughly 45% of CVEs issued for V8 were related to the JIT engine.

No in benchmarks it showed that it only cost 5-10 percent maximum. Also when in default mode, it disables this enhanced protection when you visit a website often, so I can't imagine performance to be an issue.

Sometimes it even caused pages to load faster as well.

We find that disabling the JIT does not always have negative impacts. Our tests that measured improvements in power showed 15% improvement on average and our regressions showed around 11% increase in power consumption. Memory is also a mixed story with negatively impacted tests showing a 2.3% regression, but a larger gain on the tests that showed improvements. Page Load times show the most severe decrease with tests that show regressions averaging around 17%. Startup times, however, have only a positive impact and no regressions.

Super Duper Secure Mode

Introduction

microsoftedge.github.io

 

[ForgottenSeer 97327]

@brambedkar59

45 vs 95 percent, I don't have the links at hand, but I remember an article which claimed that 95% of the actionable exploit related CVE's were JIT related. I understand that is something different (only a subset of) than the CVE's related to JIT in V8. In my memory it was a really significant percentage (so high that I asked myself, why did it took so long to develop this enhanced security mode). As said I don't have the links at hand, so can't/won't disagree with you. The link you provided states 45% clearly.

Yes that is also what I remember also, that some websites loaded faster when JIT was disabled.

 

[brambedkar59]

@brambedkar59

45 vs 95 percent, I don't have the links at hand, but I remember an article which claimed that 95% of the actionable exploit related CVE's were JIT related. I understand that is something different (only a subset of) than the CVE's related to JIT in V8. In my memory it was a really significant percentage (so high that I asked myself, why did it took so long to develop this enhanced security mode). As said I don't have the links at hand, so can't/won't disagree with you. The link you provided states 45% clearly.

Yes that is also what I remember also, that some websites loaded faster when JIT was disabled.

Don't worry I trust you. Sorry if I sounded like accusatory in the post above. Different sites claim different numbers doesn't mean they are wrong, maybe they used different methods to test it out.
Here's another article from Malwarebytes which claims disabling JIT reduces speed by almost half.

Edge’s Super Duper Secure Mode benchmarked: How much speed would you trade for security?

The Microsoft Edge browser's Super Duper Secure Mode makes it more secure but slower. We measured how much greater security will cost you.

www.malwarebytes.com

 

[Alhaitham]

v 11.4.24
============================================================
x [XSS] Fix Base64 hash checks interfering with query string
checks (thanks barbaz for reporting)
x [TabGuard] Stop exempting domains bidirectionally by
default
x [TabGuard] Fix destination domain being reported as the
trigger of a warning prompt when all the other tab-tied
domains have been exempted (thanks barbaz for report)

Get it! - NoScript: Own Your Browser!

The NoScript Security Suite is Free Software protecting Firefox (on Android, too!), Chrome, Edge, Brave and other web browsers. Install NoScript now!

noscript.net

 

[Alhaitham]

v 11.4.27
============================================================
x [XSS] Better specificity of HTML elements preliminary
checks
x [XSS] Better specificity of potential fragmented injection
through framework syntax detection (thanks Rom623, barbaz
et al)
x [nscl] RegExp.combo(): RegExp creation by combination for
better readability and comments
x [nscl] Replaced lib/sha256.js with web platform native
implementation (thanks Martin for suggested patch)
x [nscl] Fixed property/function mismatch (thanks Alex)
x Fixed operators precedence issue #312 (thanks Alex)
x [nscl] Prevent dead object access on BF cache (thanks
jamhubub and mriehm)

Get it! - NoScript: Own Your Browser!

The NoScript Security Suite is Free Software protecting Firefox (on Android, too!), Chrome, Edge, Brave and other web browsers. Install NoScript now!

noscript.net