Securing Firefox, Part 1: NoScript

This is the start of a short series on making your browsing on Firefox more secure. Firefox is already a more secure browser than Internet Explorer, but there are some improvements you can make on your own to increase your security when browsing.

The first of those is to download an easy-to-use extension called NoScript. Its purpose is to block the various scripts and embedded objects found on a web page from running in your browser unless you allow them. Needless to say, it is one of the most popular extensions for Firefox out there, consistently in the top ten in terms of downloads. However, there are some detractors who may ask why you’d want to use this, and also those who wonder how it works.

Why NoScript?

Have you ever wondered why it takes a site seemingly forever to load? Does your browser freeze on you when you’re viewing a page? Are you concerned about picking up a virus from an unfamiliar page on the internet?

A lot of the time, these issues all come back to the same source: a script, either JavaScript or possibly an embedded object on the page (Flash, Windows Media Player, and QuickTime, for example). Depending on the site you go to, there could be a lot of scripts and objects that get loaded as you visit the page. These could be loading just about anything, from those “most recent visitors” widgets, to Entrecard, ads, site counters, and even click-tracking scripts, which are used to find out where people are clicking on a site.

Of course, most of these are scripts of the “friendly” variety, but there are some scripts that can be used to your detriment, by trying to exploit a security flaw or, in some rare instances, by trying to put a virus on your system.

Why not NoScript?

In the interest of fairness, there are several detractors to this particular extension – they point out that Firefox is already a very safe browser, which is true, but the point of NoScript is to allow you to choose which scripts run on a page. My personal favorite is this plea posted in the reviews section for the addon –

Please, for all that is sacred in the world of Web 2.0, do not use NoScript. Firefox is a secure browser, JavaScript can do no damage to your computer, the browser, your privacy or any personal data.

Of course, he goes on to explain how Cross-site scripting can be used to damage your personal data (by the way, NoScript blocks Cross-site scripting attempts).

Another common complaint about NoScript is that it is somewhat confusing for novice users, especially when they visit a site that says they cannot view the contents because JavaScript is blocked or disabled. The truth is that NoScript can be a bit cumbersome to use to start out with, but the learning curve is not too steep if you have a basic understanding of how program menus work.

Installation & Getting started

To install NoScript, it is no different from installing any other add-on: simply visit the Mozilla Addons site and install the extension. After restarting Firefox, you’ll likely be directed to the NoScript website to see the change log (you’ll be directed to that site every time it updates as well; you can turn that particular feature off, and instructions are available in the FAQ).

When you visit the next site (except for sites that are already preloaded in the whitelist – Google, Yahoo, Microsoft, Mozilla Addons, and the author’s sites), you will receive a notification that looks like this –

Scripts blocked message

You may also hear a sound from NoScript telling you that scripts have been blocked on the page. If you want to allow the scripts on a page, simply click the Options menu and choose to either Permanently or Temporarily allow the site’s scripts.

Options menu

After allowing the scripts, you will need to reload the page to activate them; this is something you will always have to do whenever you choose to allow or disallow scripts on a page. Also, when you allow a site, you can revoke the permission by clicking on the NoScript icon in the status bar, which is the blue S in a circle, possibly with a crossed circle on it if there are other scripts on the site which are still blocked.

Also, if you have turned off the notification bar, you can use the S in the status bar to adjust permissions on a site by site basis. This is what the menu looks like after allowing mozilla temporarily (a temporary permission is in italics and a permanent permission is in bold) –

Status bar menu

So far, I’ve only shown which does not have any external scripts running on the site.

More advanced usage – sites with external scripts

However, where NoScript comes into its own is when you’re browsing a site that has a lot of external scripts. For this example, I’ll show you my site. First off, this is what a page on my site looks like with NoScript turned off (i.e. allowing all scripts to run globally) –

My site with scripts turned on

And then, this is what the site looks like with scripts turned off; you’ll notice the missing elements all in the right hand column – Entrecard, MyBlogLog, Blog Catalog and Alexa.

My site with scripts turned off

And, just to show you all the sites that have scripts on here, this is what the menu looks like when I’ve got all scripts blocked (note that this is the status bar menu, and not the information bar menu) –

Script list for my site

This is where, for some users, NoScript can become quite tedious. If you want to allow a script to run on a site, you need to both the site that hosts the script (for example, with Entrecard, you need to allow both (to show the card), and when you refresh the page to show the card, – so that you can drop your card). This is what the widget looks like if you only have allowed –

Entrecard with blocked

As you can see, the card is displayed, but the Drop yours link is not there. When you allow and reload the page, you will then see the link to drop your card –

Entrecard with allowed

Now, an important thing to know is that even if you have allowed a site to display its scripts, you need to allow the host site to show scripts before you can see things like Entrecard, MyBlogLog and Blog Catalog.

To use a practical example of how this works, this is what SCHWOIT looks like with blocked (note that the Entrecard widget should appear right in the upper-right corner of the site) –

Schwoit without allowed

If you view the full size image, you’ll notice that the information on the info bar has changed. Since there are scripts on this site from other sites that I’ve permitted to show scripts, it now says that scripts are partially allowed, and tells you how many sites are allowed out of the number of sites that have scripts on that page. Now, if I go to allow, this is how the window looks –

schwoit with allowed

More advanced features

There are a few more advanced features that are included in NoScript, such as a pseudo blacklist – that is available in the menu under Untrusted. However, since NoScript is a whitelist-based add-on, the only thing that this untrusted list does is prevent a site from appearing in the list you see of sites to allow when you open the Options menu, status bar menu, or right-click menu.
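The whitelist behaviour described in this section (allow the page’s own site, allow each script host separately, temporary versus permanent entries, and an untrusted list that only hides a host from the menu), modelled as an added JavaScript example that is not part of the original post or of NoScript’s own code; the host names and the subdomain-matching rule are constructed assumptions.

```javascript
// Added example (not the article's or NoScript's code): a model of the
// per-host whitelist decision described above. Assumption: an allow entry
// also matches subdomains of that host (a simplification of NoScript's rule).

// Constructed sample page: a blog embedding widgets from three outside hosts.
const SAMPLE_PAGE = {
  host: "blog.example.net",
  scripts: [
    { host: "blog.example.net", purpose: "site's own script" },
    { host: "cards.example.org", purpose: "widget card" },
    { host: "drop.example.org", purpose: "widget 'drop yours' link" },
    { host: "tracker.example.com", purpose: "click tracking" },
  ],
};

class ScriptPolicy {
  constructor() {
    this.permanent = new Set(); // bold entries in the status bar menu
    this.temporary = new Set(); // italic entries; cleared when the session ends
    this.untrusted = new Set(); // as the article says: only hidden from the menu
  }
  allow(host, { permanent = false } = {}) {
    (permanent ? this.permanent : this.temporary).add(host);
  }
  revoke(host) { this.permanent.delete(host); this.temporary.delete(host); }
  markUntrusted(host) { this.untrusted.add(host); }
  endSession() { this.temporary.clear(); }

  isAllowed(host) {
    for (const entry of [...this.permanent, ...this.temporary]) {
      if (host === entry || host.endsWith("." + entry)) return true;
    }
    return false;
  }

  // One page load, summarised the way the info bar would after a reload.
  evaluate(page) {
    const hosts = [...new Set(page.scripts.map((s) => s.host))];
    const allowedHosts = hosts.filter((h) => this.isAllowed(h));
    // Nothing runs while the page's own host is still blocked.
    const ran = this.isAllowed(page.host)
      ? page.scripts.filter((s) => allowedHosts.includes(s.host)).map((s) => s.purpose)
      : [];
    const state = allowedHosts.length === 0 ? "blocked"
      : allowedHosts.length === hosts.length ? "allowed" : "partially allowed";
    return {
      state,
      summary: `${allowedHosts.length} of ${hosts.length} sites allowed`,
      ran,
      menu: hosts.filter((h) => !this.untrusted.has(h)), // hosts the S menu lists
    };
  }
}
```

Loading the sample page with only example.org allowed reports “partially allowed, 2 of 4 sites allowed” yet runs nothing, which is the situation the SCHWOIT screenshot above describes; allowing the page host itself is what makes the widget appear.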

For a full list of features, along with the full range of settings that are available to you in NoScript, you can check out the features page at the author’s site.

Any questions?

If you have any questions about how this all works, or if you have more advice on making the NoScript experience better, feel free to leave a comment.

As always, if you’d like a how-to written up about something, all you need to do is drop me a line via the contact form. If I know how to do it, I’ll write it up, but even if I don’t know how to do it, I will go and figure it out and then write up the how-to on getting it sorted out. 🙂

Coming soon

Sometime in the next week or so, I’ll have the other half of the combination that makes (at least) my browsing experience so much more improved – Adblock.

11 thoughts on “Securing Firefox, Part 1: NoScript”

  1. So if you’re a regular entrecard dropper, is it still worth the hassle? Does it mean that if I wanted to drop an entrecard on the site I would have to allow ALL scripts or can I set it so that any site I want to just show the entrecard scripts that is okay?

    I’m downloading it now so perhaps it’ll get clearer as I begin to play with it?

  2. Okay, I’m playing and it’s becoming clearer. It’s a little bit frustrating but I trust both you and Snos when it comes to stuff like this so I’ll persevere for a while.

    Bit of a bummer for advertisers if more and more people use it though.

  3. While I understand the theory, the problems for me are…

    1. Although you supposedly save on load, in my experience reloading pages time and time again to allow each script actually increases it.

    2. Many places I visit are on subdomains. I could allow blogspot, for example, to avoid the annoyance of having to deal with scripts every time I visit blogs I read daily there, but there are other pages on blogspot that are not trustworthy so it would defeat the purpose of running no script. They could have malicious scripts within their blog.

    3. Having to deal with scripts every time I open a page is excessively tedious and time consuming. Yes, sometimes I could just leave everything blocked, but I want to see what I’m getting when I open a page, and the script lists tell me nothing. It’s not always obvious what blocked scripts are hiding. (amazonaws, for example, isn’t exactly intuitive when you’re wanting to allow Entrecard).

    4. Because the script lists mean nothing to me, it is highly likely that I would allow bad scripts anyway because I don’t know what they are for.

    All in all, knowing the risks, the aggravation of my computer being corrupted (which can be easily fixed with proper backups in the worst case scenario) is far less than the aggravation of trying to go about my daily web travels having to deal with this every single time I load a site.

    This seems really negative (and possibly technically ignorant) but I really appreciate that you took the time to write this. I even want to be able to use noscript, but the experience of using it is so painful that it just doesn’t seem like a solution.

  4. Lani,

    I’ve been a scambaiter since 2004 or so now. A long time. The things I have seen scammers do in that time to people you honestly would not believe. Theft of money, theft of identity, theft of trust, and even murder.

    The next big thing in the scamming world is identity theft and also hacking into people’s email or websites. There’s been a scam lately where they get into your email account and then send email to all your friends and family pretending they are you, saying you’re in trouble / danger and you need money. Imagine the pain of having to explain that to everyone. 🙁 Imagine the even worse pain if someone you know and love did send money – a substantial amount of money, even. That has happened to many people – many of them elderly grandparents who were worried that their grandkids were in danger.

    If they can get your banking information, your email password(s) or even just information on you that allows them to “borrow” your identity, life could be a big mess for a long time. Some people never recover their credit rating and it can go on for years – imagine never being able to get a loan if you needed it, and black marks on your credit record which you never created yourself. You do the time for someone else’s crime. Some people lose their email accounts and are blackmailed by the scammers to get them back – imagine having to contact everyone you’ve ever emailed and letting them know you have a new email address because your last one is being held hostage. Imagine your bank account info being used to create fake checks that are sent all over the world.

    The pain involved in any of the above, I can’t even get into. Some victims literally lose everything – they end up killing themselves. Many lose thousands, hundreds of thousands, and in some cases millions.

    Compared to that kind of pain, a moment to reload the page is nothing. These exploits have been used in the past to steal all the passwords saved in browsers (and I don’t know about you but I rely on that myself because I have 60 zillion passwords), to install nasties on people’s computers like keyloggers (enabling the scammers to get every keystroke you type in emailed to them and you will never, ever know that this is happening until you start to get the bills you never agreed to pay) and to open backdoors onto people’s computers.

    Scammers are also getting into social networking to find new victims, and they are starting up their own blogs. In some cases they steal the content – pretending to be someone they are not in order to scam people. They create fake banking websites. They’ll do anything to get what they want – and what they want is your money, because they don’t want to have to work for it.

    I know it seems like a pain to use it. The truth is, I would never NOT use it, because I know the pain that can be caused far exceeds that momentary little pinprick. It’s like a vaccination. I hate needles, but I know I’d hate getting any of the diseases a vaccine can protect me from, so I do it because I have to.

    Not only that, but some people just don’t know too much is enough, and they load up their pages with all kinds of shyte scripts that I am not interested in loading. You may not know what they are for – my rule is, if I don’t know what it does, I don’t allow it. And that’s the bottom line.

    I probably have too many ones that I know what they are allowed – I might go through and cut them back. For example I noticed I’d allowed the Izea real rank one but I no longer trust that company, so I’m going to get rid of it.


  5. While all that stuff is awful, much of it seems to be covered by antispyware and antivirus software, as well as using safer methods of password protection etc., far more efficiently and accurately than I am capable of doing.

    The thing is, it’s just not like a needle to me. It’s not a pinprick because after half an hour of using it I am so frustrated by the obstacles it puts in my way I want to scream. (Obviously, I tried it for much longer than half an hour though.) It’s terrible for my productivity, and that’s bad enough already. 😉

    Sephy, if you set it to allow scripts globally, but have populated the pseudo blacklist, will those scripts on the blacklist still be blocked? I could live with that and would be prepared to invest my time and energy in building and maintaining that blacklist. Otherwise, is there a blacklist alternative to using noscript’s whitelist method?

  6. Lani – that is absolutely not the case. Though it is what those software providers would like you to believe.

    The only way you can tell if you have a keylogger is to use a specific piece of software that checks to see if anything is trying to access the net. Most keyloggers are completely untraceable by virus software and with good reason – if you’re using net nanny for your kids, you don’t want the virus software telling them it is on there. The same goes for software that opens the back door to your computer.

    I have AVG antivirus here on my computer. It did not tell me that there was a javascript exploit, it did not warn me. I only found out when I ran spybot which is a little program I use daily. Then we spent a good couple of hours looking at the code of the exploit, trying to work out what it was trying to do.

    Like I said, most people never know they have a KL on their computer – most people never know that they are vulnerable, most people believe in their antivirus software and trust that it is protecting them. Most people only find out when weird stuff starts happening.

    You should only have small obstacles once you have been using the software for a little while. That’s because generally you visit the same sites over and over and you’ll have either approved or not approved what they run. You’ll have a small core list of scripts you allow (statcounter type ones, entrecard, etc) and you won’t allow the rest.

    The only time I have the pinprick these days is when I visit a new site. I only ever allow the site – I don’t allow new scripts on new sites – and once you have allowed the site you never need to do it again for that site.

    Perhaps if you combine it with adblocker it might make less work, because I’d say the majority of scripts on new sites you go to will be ads.

    Maybe there is a way to allow sites, but not scripts globally? That might solve it for you.

  7. I have AVG, Spybot, SpywareBlaster and AdAware. I agree that they can’t catch it all, but I tend to do a lot of research stuff so I visit dozens of pages daily that I’ve never been to before and I prefer to view pages as they are. It might be a stupid choice not to use it but at the moment (and when I have used other noscript tools in the past) the annoyance of using it is too great for me.

  8. What am I doing when I allow a site?

    And with entrecard sites – is it best to only temporarily allow a site or permanently allow a site?

    I can understand how to use this but because I don’t really get what’s okay and what’s nasty out there, I’m figuring just willy-nilly allowing scripts is going to defeat the purpose of having no script. So I’m just trying to get it clear in my head what to do here.

    Thanks. 🙂

  9. I have never been affected by a virus/trojan in the 20 years I have had a PC – but have always been very careful to keep virus scanners up to date and do not visit the more risky sites. I am probably too complacent. I tried noscript for a couple of days and it drove me crazy so I uninstalled.

    Snos – do you use SpyBot’s Tea Timer memory resident feature? When I run SpyBot these days there is hardly ever anything there as Tea Timer has caught them first.

  10. Please stop with the arguments: if you don’t see value in you getting to choose what arbitrary code runs on your computer without your consent, then skip noscript. If you think that running 3 or more programs to prevent problems caused by arbitrary code is better for you, skip noscript. If you think that your time is better spent on cleanup versus prevention, skip noscript.
    This is a powerful new way to only allow that which you trust or are willing to risk. Please don’t paint it as annoying for anyone other than you. If you do not value a more secure method to download files (that’s what browsing is, you are not ‘visiting’ anything, ever), skip it and stop whining about your impaired lifestyle.
    Disclaimer: I use noscript, I do not run any other monitoring software, I do not run as admin, I enjoy being in charge of my computing performance.
