Usability vs. Security · 2007-03-25 01:53 by Wladimir Palant
Disclamer: This post is only about using NoScript as a security solution, not as a way to block annoyances.
There is an easy and very reliable solution that will put a stop on all vulnerabilities that can be exploited through your browser — restrict your browser to localhost, only allow it to show your own web pages. Will it solve the problem? Yes, certainly. Is it a good solution? No, not really.
That’s only a few obvious examples, NoScript’s filtering is not restricted to links. So whenever one site will try to use a service from another that is on your NoScript whitelist, be it by linking or by embedding elements of it, there is a high probability that it won’t work. The question is: is it worth it? Do we surf safer if we endure all this? I think to answer this question we should look at the dangers lurking on the Internet. As far as I tell the dangers have been of very theoretical nature so far — there have been only a few attempts to exploit older, already patched vulnerabilities in Firefox. Even though Firefox’ popularity makes it very noticeable already (e.g. all statistics agree that the market share is more than 30% in Germany), with critical vulnerabilities being patched within a few days and an efficient update mechanism Firefox is not an easy target. Given that Internet Explorer is much slower at fixing vulnerabilities (some critical holes stay around for months and others are even redeclared as features) and the patches don’t even reach many users, it is not surprising that malware authors prefer targeting Internet Explorer. At least I have never heard of a malware infection through Firefox (with the exception of the user downloading and running some “great” tool) but I had to fix quite a few of those on computers of Internet Explorer users.
So it seems that NoScript is a solution in search of a problem. And this problem cannot even be worms in social networks like MySpace — any frequent MySpace user is guaranteed to have it in his whitelist. Was there ever some successful attack on Firefox users that NoScript could have prevented? I cannot think of any, and as long as nobody can show me a real world problem that NoScript solves I will stick with my opinion that this extension is only really something for the most paranoid users.
Don’t take me wrong, I am all for a second line of defense just in case Mozilla developers don’t manage to bring out a patch for some serious issue in time. But I didn’t switch from Internet Explorer to throw away all the new browsing comfort (and even more) because of a hypothetical problem. So I largely prefer Firekeeper’s approach — it will warn you if you are on a site that tries to exploit known vulnerabilities so that you can leave and never come back (thanks to Jan Wrobel for clarification, originally I misunderstood the idea of this extension). But ideally I will never notice that this extension is installed until it becomes necessary.
Finally, a few words about another issue with NoScript. The more sites it breaks, the more it conditions users to allow scripts when something doesn’t seem to be working. If every second site doesn’t work with NoScript, a malicious site that fakes useful content not working properly because of NoScript will have no problems making users allow scripts on it (even temporarily, it is sufficient). Yes, it is a social engineering problem, but this attack can only succeed because false positives with NoScript are the rule and not an exception. So while Giorgio Maone seems to believe that breaking some sites isn’t his problem as long as it is for the “greater good”, I disagree: breaking sites makes NoScript absolutely worthless.
Commenting is closed for this article.