New Update NoScript Security Suite

Alhaitham

Level 1
Thread author
Feb 27, 2014
14
The NoScript Security Suite is Free Open Source Software (FOSS) providing extra protection for Firefox (on Android, too!), Chrome, Edge, Brave and other web browsers.

Working with trust levels in NoScript's popup UI


NoScript is a built-in key security component of the Tor Browser, the top anonymity tool defending millions against surveillance and censorship.

This browser extension allows JavaScript and other potentially harmful content to be executed only by trusted web sites of your choice (e.g. your online bank).

NoScript also provides the most powerful anti-XSS protection ever available in a browser.

NoScript's unique pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known, such as Meltdown or Spectre, and even not known yet!) with no functionality loss: you can enable JavaScript and other dynamic capabilities for sites you trust with a simple click.

Staying safe has never been so easy!

Experts* will agree: the web is really safer with NoScript!

* experts endorsing NoScript, among others: Edward Snowden (former NSA analyst and whistleblower against surveillance state); Window Snyder (former top security officer at Microsoft, Square, Inc., Apple, Fastly, Intel and Mozilla Corp.); Douglas Crockford (Javascript expert and creator of the JSON format); the Sans Internet Storm Center

v 11.4.22
============================================================
x [L10n] Updated uk
x Consistently apply DEFAULT policy to top-level data: URLs

 
F

ForgottenSeer 97327

OKay, scripts were a nightmare security wise in XP and IE era. With browser processes running with low rights (FF) untrusted (Chrome) rights or even in AppContainer (Edge), are scripts still such a threat? On top of that disabling the Just In Time compiler seems to reduce 95% of the risks.
 

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,026
NoScript saved my bacon a number of times when I used it. Switched to Hard-Mode Ublock origin as its's site specific. Great once you whitelist the sites you do use and their data sources but I find uBO a bit easier though I like NS's look up of the domains rating/info.
 
F

ForgottenSeer 97327

@Zappathustra

No in benchmarks it showed that it only cost 5-10 percent maximum. Also when in default mode, it disables this enhanced protection when you visit a website often, so I can't imagine performance to be an issue.

There is an easy workaround, use policies to disable it for a few TLD's (see pic). The always on strict inprivate overrules these policy setting, so you still safely visit your favorite dodgy website.
1686601525218.png
 
Last edited by a moderator:

Zappathustra

Level 2
Jul 1, 2019
48
@Zappathustra

No in benchmarks it showed that it only cost 5-10 percent maximum. Also when in default mode, it disables this enhanced protection when you visit a website often, so I can't imagine performance to be an issue.

There is an easy workaround, use policies to disable it for a few TLD's (see pic). The always on strict inprivate overrules these policy setting, so you still safely visit your favorite dodgy website.
I was just joking with the 95% thing, i remember vaguely seeing one or two benchmarks. But thanks for the clarification, made me rethink some misconceptions, useful info!

I don't use Edge, I'll have to check if I can use equivalent group policies with Firefox, too. (y)
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,039
The settings for a website are non-persistent. So it's a hassle every time you visit the same website to reset them. However, you can make them persistent but that will defeat the purpose of using it.
 
Last edited:
F

ForgottenSeer 97327

The settings for a website are non-persistent. So it's a hassle every time you visit the same website to reset them. However, you can make them persistent but that will defeat the purpose of using it.
The default setting is to disable this feature when you vist a website often (then JIT is enabled). So making it persistent on websites you visit often is not against the intended purpose IMO

On my wife's laptop, I had made it persistent for ZiggoGoTV, Netflix, Viaplay and PrimeVideo. I just removed these settings and on all four websites Edge disabled iEnhanced protection by itself.
 

ichito

Level 11
Verified
Top Poster
Content Creator
Well-known
Dec 12, 2013
541
For me the best/efficient addon for controlling and blocking unwanted elements of pages used by me from years as the obligatory one.
It's similar to "anti-exe" apps role in system.
 

brambedkar59

Level 29
Verified
Top Poster
Well-known
Apr 16, 2017
1,882
On top of that disabling the Just In Time compiler seems to reduce 95% of the risks.
Where are you getting that number "95%" from? From article (link below)
Looking at CVE (Common Vulnerabilities and Exposures) data after 2019 shows that roughly 45% of CVEs issued for V8 were related to the JIT engine.

No in benchmarks it showed that it only cost 5-10 percent maximum. Also when in default mode, it disables this enhanced protection when you visit a website often, so I can't imagine performance to be an issue.
Sometimes it even caused pages to load faster as well. 🤔
We find that disabling the JIT does not always have negative impacts. Our tests that measured improvements in power showed 15% improvement on average and our regressions showed around 11% increase in power consumption. Memory is also a mixed story with negatively impacted tests showing a 2.3% regression, but a larger gain on the tests that showed improvements. Page Load times show the most severe decrease with tests that show regressions averaging around 17%. Startup times, however, have only a positive impact and no regressions.

 
Last edited:
F

ForgottenSeer 97327

@brambedkar59

45 vs 95 percent, I don't have the links at hand, but I remember an article which claimed that 95% of the actionable exploit related CVE's were JIT related. I understand that is something different (only a subset of) than the CVE's related to JIT in V8. In my memory it was a really significant percentage (so high that I asked myself, why did it took so long to develop this enhanced security mode). As said I don't have the links at hand, so can't/won't disagree with you. The link you provided states 45% clearly.

Yes that is also what I remember also, that some websites loaded faster when JIT was disabled.
 
Last edited by a moderator:

brambedkar59

Level 29
Verified
Top Poster
Well-known
Apr 16, 2017
1,882
@brambedkar59

45 vs 95 percent, I don't have the links at hand, but I remember an article which claimed that 95% of the actionable exploit related CVE's were JIT related. I understand that is something different (only a subset of) than the CVE's related to JIT in V8. In my memory it was a really significant percentage (so high that I asked myself, why did it took so long to develop this enhanced security mode). As said I don't have the links at hand, so can't/won't disagree with you. The link you provided states 45% clearly.

Yes that is also what I remember also, that some websites loaded faster when JIT was disabled.
Don't worry I trust you. Sorry if I sounded like accusatory in the post above. Different sites claim different numbers doesn't mean they are wrong, maybe they used different methods to test it out.
Here's another article from Malwarebytes which claims disabling JIT reduces speed by almost half.

 

Alhaitham

Level 1
Thread author
Feb 27, 2014
14
v 11.4.24
============================================================
x [XSS] Fix Base64 hash checks interfering with query string
checks (thanks barbaz for reporting)
x [TabGuard] Stop exempting domains bidirectionally by
default
x [TabGuard] Fix destination domain being reported as the
trigger of a warning prompt when all the other tab-tied
domains have been exempted (thanks barbaz for report)

 

Alhaitham

Level 1
Thread author
Feb 27, 2014
14
v 11.4.27
============================================================
x [XSS] Better specificity of HTML elements preliminary
checks
x [XSS] Better specificity of potential fragmented injection
through framework syntax detection (thanks Rom623, barbaz
et al)
x [nscl] RegExp.combo(): RegExp creation by combination for
better readability and comments
x [nscl] Replaced lib/sha256.js with web platform native
implementation (thanks Martin for suggested patch)
x [nscl] Fixed property/function mismatch (thanks Alex)
x Fixed operators precedence issue #312 (thanks Alex)
x [nscl] Prevent dead object access on BF cache (thanks
jamhubub and mriehm)

 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top