There's a browser safer than Firefox...
...it is Firefox, with NoScript!
The NoScript Firefox extension provides extra protection for Firefox, SeaMonkey and other Mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank).
NoScript also provides the most powerful anti-XSS and anti-Clickjacking protection ever available in a browser.
NoScript's unique whitelist-based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not yet known!) with no loss of functionality...
You can enable JavaScript, Java and plugin execution for sites you trust with a simple left-click on the NoScript status bar icon (look at the picture), or using the contextual menu, for easier operation in popup statusbar-less windows.
Watch the "Block scripts in Firefox" video by CNET.
Staying safe has never been so easy!
Experts will agree: Firefox is really safer with NoScript!
V. 2.4.1 - Unparalleled Web Security.
If you find any bug or you'd like an enhancement, before reporting here or here, please check if it's fixed in the latest development build. Many thanks!
Main good news
- Further anti-XSS enhancements (thanks Soroush Dalili, Masato Kinugawa and Phil Purviance)
- Better compatibility with some misbehaving websites.
- Several InjectionChecker improvements, especially in double injection detection (thanks Soroush Dalili, Krzysztof Kotowicz, Gareth Heyes and others).
- Fixed Surrogate Scripts, which had been broken by a Nightly change.
- Vastly improved ClearClick algorithms increase accuracy and reduce false positives.
- Smart integration with the new (Firefox 14) browser-native click to play: if a plugin object is manually allowed from NoScript's UI, it also gets natively activated.
- Improved active content identity tracking, to avoid redundant blocking steps across reloads, e.g. on Youtube.
- ClearClick compatibility with add-ons which mix their UI with content, such as FloatNotes (thanks endofmiles and Tom T. for reports), 1Password, Bitdefender TrafficLight (thanks Christopher A. M. Gerlach for reporting) and others.
- Work-around for 32-bit Flash player bug causing incompatibilities on certain sites (e.g. Google Music).
- Improved XSS protection against window.name attacks (thanks Masato Kinugawa for reports).
- ClearClick protection against partial obscuration attacks via Flash objects with OS-native wmode values (thanks David Lin-Shung Huang for reporting).
- Improved surrogate against Google's scriptless tracking of search results navigation.
- Right-clicking on NoScript menu items copies site domains to the clipboard (useful for reporting and investigating sites, thanks Tom T. for RFE).
- Browserid.org has been added to the default whitelist.
- Protection against Koto's Cursorjacking attack.
- Protection against a new kind of response splitting + XSS combo attack disclosed by Mike Brooks (still bypassing Google Chrome's XSS Auditor and MSIE's XSS Filter).
- Protection against a new Clickjacking technique based on HTML5 drag and drop (thanks .mario for reporting).
- ClearClick protection against timing attacks demonstrated by Michal Zalewski.
- Defense against a new kind of attacks based discovered by Soroush Dalili and .mario.
- noscript.keys.tempAllowPage about:config preference to configure a keyboard shortcut for "Temporarily allow all this page".
- noscript.keys.revokeTemp about:config preference to configure a keyboard shortcut for "Revoke temporary permissions".
- noscript.menuAccelerators about:config preference to switch keyboard accelerators for "(Temporary) allow all this page" menu items on/off.
- Specific protection against so-called Double-clickjacking, independent of JavaScript permissions.
- Protection against view-source content extraction attacks.
- "Click to play" protection against WebGL exploitation, now also on whitelisted sites (can be enabled in NoScript Options|Embeddings).
- Security and Privacy Info page is shown whenever you middle-click on sites exposed by NoScript's UI, either in the menus or in the Whitelist options tab.
- Middle clicking NoScript's toolbar button temporarily allows all on current page.
Experts do agree...
08/06/2008, "I'd love to see it in there." (Window Snyder, "Chief Security Something-or-Other" at Mozilla Corp., interviewed by ZDNet about "adding NoScript functionality into the core browser").
03/18/2008, "Consider switching to the Firefox Web browser with the NoScript plug-in. NoScript selectively, and non-intrusively, blocks all scripts, plug-ins, and other code on Web pages that could be used to attack your system during visits" (Rich Mogull on TidBITS, Should Mac Users Run Antivirus Software?).
11/06/2007, Douglas Crockford, world-famous JavaScript advocate and developer of JSON (one of the building blocks of Web 2.0), recommends using NoScript.
03/16/2007, SANS Internet Storm Center, the authoritative source of computer security related wisdom, runs a front-page "Ongoing interest in Javascript issues" diary entry by William Stearns just to say "Please, use NoScript" :)
Actually, NoScript has been recommended several times by SANS, but it's nice to see it mentioned in a dedicated issue, rather than as a work-around for specific exploits in the wild.
Many thanks, SANS!
05/31/2006, PC World's The 100 Best Products of the Year list features NoScript at #52!
Many thanks to PC World, of course, for grokking NoScript so much, and to IceDogg who kindly reported this news...
In the press...
- CNET News: "Giorgio Maone's NoScript script-blocking plug-in is the one-and-only Firefox add-on I consider mandatory." (March 9, 2009, Dennis O'Reilly, Get a new PC ready for everyday use)
- Forbes: "The real key to defeating malware isn't antivirus but approaches like Firefox's NoScript plug-in, which blocks Web pages from running potentially malicious programs" (Dec 11, 2008, Andy Greenberg, Filter The Virus Filters).
- PC World: Internet Explorer 7 Still Not Safe Enough because it doesn't act like "NoScript [...] an elegant solution to the problem of malicious scripting".
- New York Times: "[...] NoScript, a plug-in utility, can limit the ability of remote programs to run potentially damaging programs on your PC" (Jan 7, 2007, John Markoff, Tips for Protecting the Home Computer).
- PC World's Ten Steps Security features using NoScript as step #6.
- The Washington Post security blog compares MSIE "advanced" security features (like so-called "Zones") to Firefox ones and recommends NoScript adoption as the safest and most usable approach.





