NoScript, uMatrix, uBlock Origin: Medium/Hard Mode

Protomartyr

Level 7
Thread author
Sep 23, 2019
314
Do any of you use NoScript, uMatrix, or uBlock Origin in Medium/Hard Mode? If so,
  • Which extension/method do you prefer and why?
  • What do you use it for?
  • Is it worth the effort in fixing site breakages?
If you're using an extension I haven't listed, feel free to add it into the discussion!

Context: I'm currently running uBlock Origin with filters for ad blocking and blocking third party requests on HTTP (HTTP://*^$third-party,~image,~stylesheet). I was wondering what benefits I'd see if I explored these other options.
 

notabot

Level 15
Verified
Oct 31, 2018
703
Do any of you use NoScript, uMatrix, or uBlock Origin in Medium/Hard Mode? If so,
  • Which extension/method do you prefer and why?
  • What do you use it for?
  • Is it worth the effort in fixing site breakages?
If you're using an extension I haven't listed, feel free to add it into the discussion!

Context: I'm currently running uBlock Origin with filters for ad blocking and blocking third party requests on HTTP (HTTP://*^$third-party,~image,~stylesheet). I was wondering what benefits I'd see if I explored these other options.

I used to use uMarix, sometimes I've found it a bit of a pain when I needed to do things quickly on a new site due to time constraints. Also found it inconvenient with some payment methods.
I think the inconvenience vs security factor skews towards inconvenience here, it's a great tool but essentially it asks you to do granular white listing per page, which arguably is not needed if you only visit popular sites.
it also naturally does nothing for sites where you have disabled it, so if one of these gets hacked and a malicious script is served, it won't be caught using uMatrix.
I think much simpler is to have javascript off by default and only enable it selectively for those sites which you use.
To cover the vector of someone injecting card reading scripts into a legitimate site, it's much easier to use either single use virtual cards (many banks offer this service these days) or use a card which you keep disabled via mobile app and enable on the fly just for the minute you do online purchases.

The above is from a security perspective. Of course if you care a lot about privacy, there may still be an argument to use it, but for me it just seemed like time that's better spent elsewhere as simpler solutions exist to cover the attack vectors related to security.
 

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,012
µBO @ medium mode, Gorhill's preferred mode. It allows me to keep my filter list configuration very small and easy enough to navigate for my surfing style. It doesn't break my usual news sites where interaction or rule-making might otherwise be needed. I've created custom rules for interactive sites where needed and my rule list is still compact. When a user wishes or needs to un-break a site but has no time to fix via rules, he can easily fall back with a couple of clicks to easy mode+, with the added benefit of any added custom rules, e.g. globally blocking Google, FB, etc. In those cases, Privacy Possum clean up any extras. This system works for me but not everyone, and depends on your surfing habits. (y)(y)

Check here for developer's guide µBO Wiki - Blocking mode: medium mode.
You may also check this thread for additional links.

Edit: proper use of dynamic filtering, e.g. when and how to apply rules, will avoid pollution of your rule set, i.e. bloat!
 
Last edited:

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,010
I'm using uBO in hard mode (with filters) and noop rules from Decentraleyes

According to the below discussions NoScript seems not supporting ABE, HTTPS Cookie management, Clearclick anymore in v10 and above.

Quote

AFAIK uBO doesn't have a dedicated XSS protection because blocking third party resources inherently protects you. XSS = Cross-Site-Scripting = Third-Party-Scripting = Loads stuff from unknown third party = well blockable with uBO.

Furthermore as CSP (Content Security Policy) is implemented and more widespread over time, XSS attacks become less and less a problem.

Conclusion: No need for uMatrix and NoScript.

Unquote



Some discussions here as well

 
Last edited:

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
I use uMatrix and I find it easier to understand and configure. I find it difficult to configure uBlock in medium/hard mode but uMatrix is simpler for me. You just visit a site and if something useful breaks the UI shows you what has been blocked whether it's a script, xhr, frame and you allow that to load, reload the page. If it's a site you regularly visit then make that rule permanent so that the next time you visit the site it is loaded as intended. I've seen many people shifting from NoScript to uMatrix because of the ui and more granular control. But anyway it's just a personal preference. It can be a bit frustrating to configure your regularly visited sites at first. Sites like MalwareTips doesn't need any manual configuration though. If you're familiar with uBlock Origin medium mode then follow the links oldschool provided, that should be enough.
 

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,012
I'm using uBO in hard mode (with filters) and noop rules from Decentraleyes

I use uMatrix and I find it easier to understand and configure.

OP can conclude that it comes down to personal preference, that he should try 2 or 3 of these choices and see which he prefers and consider combination with other extensions. There are multiple ways to achieve roughly comparable protection. For example: combos of µBO + NS, µMatrix + µBO, µBO + other, etc. The thread that @HarborFront cited includes some discussion of NoScript I believe.
 

Protomartyr

Level 7
Thread author
Sep 23, 2019
314
Thank you all for your replies!
Don't know why but I found NoScript's UI to be the most intuitive. That seems to come with the sacrifice of granularity though.
uMatrix seemed to offer the most flexibility out of all the methods discussed so far with uBlock Origin in medium/hard mode coming in second.
Ideally, uBlock Origin in medium/hard mode would be the best in my situation since I already use uBlock. However, uMatrix provides a better UI (in my opinion) and provides more info when it comes to what is being requested/blocked.
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
I use uBlockOrigin with Kees1958 small but effective blocklist only together with (nealry) the same rule as you posted ( ||HTTP://*$third-party,~stylesheet,~image,~media). I run uBlockorigin in simple mode (dynamic filtering engine is disabled) and cosmic filtering disabled (for optimal speed)

I also have installed uMatrix installed (see attached file). It runs default with umatrix OFF. Advantage is that it still shows what happens under the hood. With one-click I add some extra privacy protection and stephans's black host file. with a second click I enable medium mode, see pic. So I use a larger blocklist and medium mode blocking on demand).uMatrix dynamic filtering engine is more granular while it static (host) filtering engine is simpeler and faster than uBlock. The Matrix-off option makes uMatrix consume near zero CPU and f is basically only a reporting/logging mode)

1575815377444.png
 

Attachments

  • my-umatrix-backup.txt
    6.9 KB · Views: 437
Last edited:

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Update

I switched to one browser for all (Chrome) to two browsers for different purposes (still using Chrome for work).

I am using Opera (running --private) with hardened site settings (only images and protectected allow, cookies allow for session, file editing ask, scripts block, but allow for HTTPS://*) and uMatrix in medium mode with medium mode (block all, first-party and all css, images and media) with Steven Black's filter

I run Edge-chromium with most on default (so also anti-tracking) and smartscreen OFF, in stead I have Adguard installed (with Peter Low's filter only) amd malware protection enabled (Google+Yandex safe browsing) to compensate for having smart screen disabled.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,471
Update

I switched to one browser for all (Chrome) to two browsers for different purposes (still using Chrome for work).

I am using Opera (running --private) with hardened site settings (only images and protectected allow, cookies allow for session, file editing ask, scripts block, but allow for HTTPS://*) and uMatrix in medium mode with medium mode (block all, first-party and all css, images and media) with Steven Black's filter

I run Edge-chromium with most on default (so also anti-tracking) and smartscreen OFF, in stead I have Adguard installed (with Peter Low's filter only) amd malware protection enabled (Google+Yandex safe browsing) to compensate for having smart screen disabled.
Why anti-tracking and smart screen off?
In balanced mode anti-tracking it's very quiet and can block things Peter Low's filter misses.
Smart screen is one of it's best features security wise.
You could have with AdGuard: MS(Smart Screen), Google and Yandex for safe browsing.
Even crapware downloads are going to be blocked in Edge.
To me it seems to becoming one of the best and safest browser you can get.
 

RKRN3

Level 3
Verified
Well-known
Sep 6, 2019
122
Being a noob, I use uBlockOrigin in simple mode, but have selected all the filters except language ones. While others do get a message of anti-adblock, I never get those.
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Why anti-tracking and smart screen off?
In balanced mode anti-tracking it's very quiet and can block things Peter Low's filter misses.
Smart screen is one of it's best features security wise.
You could have with AdGuard: MS(Smart Screen), Google and Yandex for safe browsing.
Even crapware downloads are going to be blocked in Edge.
To me it seems to becoming one of the best and safest browser you can get.
I agree completely but I don't appreciate Microsoft using full URL's to check whether a website is safe or not. I am using Edge-chromium for banking and booking (adding Code Integrity Guard protection), so not much risky browsing going on with Edge-chromium anyway.

I use Opera with nearly all Site Preferences set to block and uMatrix blocking third-party for (dodgy) surfing. I also run as a standard user and only allow standard user read access to user folders containing important information. With Windows Defender on MAX (block at first sight and bad URL network protection) and Attack Surface Reduction to allow only programs with certain prevalence, age and trust, I think I have similar protection (only at a later stage, execution in stead of download).
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top