There's a browser safer than Firefox...
...it is Firefox, with NoScript!
NoScript's unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality...
on the NoScript status bar icon (look at the picture), or
using the contextual menu, for easier operation in popup statusbar-less windows.
Watch the "Block scripts in Firefox" video by cnet.
Staying safe has never been so easy!
Experts will agree: Firefox is really safer with NoScript!
V. 126.96.36.199 - Friendly Security
Main good news
- Various usability improvements.
- Better Australis compliance.
- Anti-XSS protection against new insidious ES6 constructs introduced in Firefox 34 (thanks .mario for reporting)
- Experimental "Allow HTTPS scripts globally on HTTPS documents" mode (thanks the Tor Project for RFE).
- Yahoo! "DARLA" ads loader post-execution surrogate prevents the browser from stalling due to the many window.name-based XSSes intentionally used by this ads delivery script.
- Updated Script Surrogate replacements for connect.facebook.net and adf.ly.
- Fixed serious compatibility issues with some add-ons on Firefox 31.
- Per-window "Recently Blocked..." submenu, plays nicer with Private Browsing.
- Better synergy with Firefox's built-in Click-to-Play feature.
- Improved compatibility with new Add-on SDK features.
- New NoScript Options|Advanced|Trusted|Cascade top document's permissions to 3rd party scripts preference for users who prefer the convenience of whitelisting just the top-level domain to make everything work on the fly over the higher security provided by the default finer-grained policy.
- New NoScript Options|Advanced|Untrusted|Block scripting in whitelisted subdocuments of non-whitelisted pages prevents scripts from running in iframes even if whitelisted, unless the top-level document's site is whitelisted as well.
- Fixed XSS false positive in the new gmx.com webmail login and in other services (e.g. mail.com) using the same back-end.
- Better compatibility with script inclusion enforcers such as Require.js.
- Safer toStaticHTML() implementation (thanks .mario for reporting).
- Several XSS filter improvements (thanks Masato Kinugawa for reporting).
- CAPS-independent, finer-tuned version of the "Allow local links" feature.
- Better ClearClick compatibility with recent Youtube changes.
- New Script Surrogate for addthis.com scripts emulation.
- Fixed bugs in regexp-based embed blocking exceptions (thanks barbaz for reporting)
- Fixed ClearClick incompatibility with latest Google+ based Youtube comments system. No Google Analytics, because NoScript blocks every cross-site request to GA, no matter the type or the file name).
- New "Security Downgrade Warning" suggests blacklist mode as a better option than uninstalling, in order to retain scripting-unrelated protections.
- Improved Google Analytics Surrogate, makes more sites work correctly with google-analytics.com blocked.
- Holding the left mouse button down on an absolutely positioned page element and hitting the DEL key will remove it if scripts are disabled (useful to forcibly kill in-page popups). This feature can be disabled by setting the noscript.eraseFloatingElements about:config preference to false.
- Right-clicking on NoScript menu items copy site domains to the clipboard (useful for reporting and investigating sites, thanks Tom T. for RFE)
- Browserid.org has been added to the default whitelist.
- "Click to play" protection against WebGL exploitation, now also on whitelisted sites (can be enabled in NoScript Options|Embeddings)
- Security and Privacy Info page is shown whenever you middle-click on sites exposed by NoScript's UI, either in the menus or in the Whitelist options tab.
- Middle clicking NoScript's toolbar button temporarily allows all on current page.
Experts do agree...
03/18/2008, "Consider switching to the Firefox Web browser with the NoScript plug-in. NoScript selectively, and non-intrusively, blocks all scripts, plug-ins, and other code on Web pages that could be used to attack your system during visits" (Rich Mogull on TidBITS, Should Mac Users Run Antivirus Software?).
03/16/2007, SANS Internet Storm Center, the authoritative source
of computer security related wisdom, runs a front-page
diary entry by William Stearns just to say "Please, use NoScript" :)
Actually, NoScript has been recommended several times by SANS, but it's nice to see it mentioned in a dedicated issue, rather than as a work-around for specific exploits in the wild. Many thanks, SANS!
05/31/2006, PC World's The 100 Best Products of the Year list features NoScript at #52!
Many thanks to PC World, of course, for grokking NoScript so much, and to IceDogg who kindly reported these news...
In the press...
- CNET News: "Giorgio Maone's NoScript script-blocking plug-in is the one-and-only Firefox add-on I consider mandatory." (March 9, 2009, Dennis O'Reilly, Get a new PC ready for everyday use)
- Forbes: "The real key to defeating malware isn't antivirus but approaches like Firefox's NoScript plug-in, which blocks Web pages from running potentially malicious programs" (Dec 11, 2008, Andy Greenberg, Filter The Virus Filters).
- PC World: Internet Explorer 7 Still Not Safe Enough because it doesn't act like "NoScript [...] an elegant solution to the problem of malicious scripting" (cite bite)
- New York Times: "[...] NoScript, a plug-in utility, can limit the ability of remote programs to run potentially damaging programs on your PC", (Jan 7, 2007, John Markoff, Tips for Protecting the Home Computer).
- PC World's Ten Steps Security features using NoScript as step #6. (cite bite)
- The Washington Post security blog compares MSIE "advanced" security features (like so called "Zones") to Firefox ones and recommends NoScript adoption as the safest and most usable approach. (cite bite)