Running NoScript - how to determine which scripts need to be enabled.
December 15, 2015 3:29 AM Subscribe
I use NoScript, running Firefox browser, WIN7 and WIN8.1. In recent months (absolutely in the last year,) the number of scripts that are built into many (most?) pages has increased dramatically. So then it's like whack-a-mole, enable this script and OH NO! that has just unleashed tons more scripts, it can take a long time to determine which script(s) need to be enabled to be able to reach the pertinent data, whether that data presents as text or video or whatever.
Running NoScript on Firefox in windows environment. (Also running AdBlock, used to run Ghostery until their continual hassle screens became too annoying.) No. Way. am I going to run without NoScript, no way am I going to open myself to so much more tracking, open more possibility of malware put onto my puter. TOR doesn't allow any scripts and there is good reasoning behind that it seems; they *strongly* recommend against enabling NoScript to read any script, for any reason, if you are truly seeking anonymity.
Is there a way I can determine which scripts actually need to run to enable me to get to the relevant data on that page? Perhaps there is a site that contains names of scripts that are not controlled by scum-beings -- do you know of such a site? Is it possible to find out what outfit controls (fake example here) xqk870doe8796.cloudfront.com so if it's from a safe site I can whitelist it?
I can only see this situation getting worse rather than better, more scripts rather than less. How can I deal with this without getting mired every time I want to watch a video, or go to NYT site and read, or whatever else.
Help?
Running NoScript on Firefox in windows environment. (Also running AdBlock, used to run Ghostery until their continual hassle screens became too annoying.) No. Way. am I going to run without NoScript, no way am I going to open myself to so much more tracking, open more possibility of malware put onto my puter. TOR doesn't allow any scripts and there is good reasoning behind that it seems; they *strongly* recommend against enabling NoScript to read any script, for any reason, if you are truly seeking anonymity.
Is there a way I can determine which scripts actually need to run to enable me to get to the relevant data on that page? Perhaps there is a site that contains names of scripts that are not controlled by scum-beings -- do you know of such a site? Is it possible to find out what outfit controls (fake example here) xqk870doe8796.cloudfront.com so if it's from a safe site I can whitelist it?
I can only see this situation getting worse rather than better, more scripts rather than less. How can I deal with this without getting mired every time I want to watch a video, or go to NYT site and read, or whatever else.
Help?
Yeah, also, a script that is necessary to run a video or something may also include a tracker. Scripts can do more than one thing. And whitelisting is problematic because as deathpanels points out, different people are going to draw the "scum-being" line in different places, and as you've noticed it's very hard to tell where scripts are coming from, because so many sites rely on cloud distribution (Cloudfront, AWS, etc.).
Tl;dr: there is no set of scripts that is sufficient to allow you to see everything you want that doesn't also compromise your anonymity.
You are right -- the scripts *will* continue to get more common, or at least javascript will; current fashion in web design favors javascript-heavy pages, for a variety of reasons, some of which have to do with tracking and ads but many of which are relatively malice-free, intended to allow faster access to data and more feature-rich web pages.
posted by mskyle at 7:05 AM on December 15, 2015
Tl;dr: there is no set of scripts that is sufficient to allow you to see everything you want that doesn't also compromise your anonymity.
You are right -- the scripts *will* continue to get more common, or at least javascript will; current fashion in web design favors javascript-heavy pages, for a variety of reasons, some of which have to do with tracking and ads but many of which are relatively malice-free, intended to allow faster access to data and more feature-rich web pages.
posted by mskyle at 7:05 AM on December 15, 2015
I think you might like uMatrix, which is kind of like Request Policy and NoScript rolled into one. It pretty much leaves the whitelisting to you but, like AdBlock and uBlock, it has a bunch of blacklist files you can subscribe to. It might not give you as much granular control as you're looking for but for me it's reduced the amount of right-click, refresh, defeated sigh, right-click, refresh tedium.
posted by stefanie at 7:09 AM on December 15, 2015 [4 favorites]
posted by stefanie at 7:09 AM on December 15, 2015 [4 favorites]
I run FireFox + NoScript like you do, and use that to do most of my browsing, including banking and on-line shopping. But I also have Chrome installed and if I really want to see something and NoScript is proving too painful I open it in Chrome. I only do so for entertainment, and it usually ends up being used for videos, maybe once or twice a week.
Basically FireFox is my trusted browser, the one I've restricted/disabled and I think I understand. I've done nothing to limit Chrome; I just rely on Google keeping it secure enough to be able to visit entertainment sites safely. But I never give it any information that I don't want Google to have.
Not an answer to your question, but maybe a solution to your problem?
posted by benito.strauss at 10:32 AM on December 15, 2015 [2 favorites]
Basically FireFox is my trusted browser, the one I've restricted/disabled and I think I understand. I've done nothing to limit Chrome; I just rely on Google keeping it secure enough to be able to visit entertainment sites safely. But I never give it any information that I don't want Google to have.
Not an answer to your question, but maybe a solution to your problem?
posted by benito.strauss at 10:32 AM on December 15, 2015 [2 favorites]
Is tracking and other script use within a session tolerable, so long as info is purged before and after each browser session? There are plugins to effect such clearing or to save session info that you want so you can restore it after a complete clear. There's also TorButton, but that has tended to lag too far behind Firefox's frequent updates. For hardest-core safety, browse in a Virtual Machine that you snapshot and restore frequently.
The more insidious tracking that bugs me is through site affiliation. This requires cookies and tends to use scripts. I set aside a browser just for gmail, amazon, and banking, nothing else.
Banning or strictly controlling scripts and cookies is not enough to stop tracking. See PanOpticlick. For attempts at cures, search Firefox add-ons for "fingerprint". The last time I looked at these fingerprint obfuscators, they tended to set one fingerprint rather than rotate combinations of plausible fingerprint factors.
posted by gregoreo at 10:34 AM on December 15, 2015 [1 favorite]
The more insidious tracking that bugs me is through site affiliation. This requires cookies and tends to use scripts. I set aside a browser just for gmail, amazon, and banking, nothing else.
Banning or strictly controlling scripts and cookies is not enough to stop tracking. See PanOpticlick. For attempts at cures, search Firefox add-ons for "fingerprint". The last time I looked at these fingerprint obfuscators, they tended to set one fingerprint rather than rotate combinations of plausible fingerprint factors.
posted by gregoreo at 10:34 AM on December 15, 2015 [1 favorite]
+1 for uMatrix and/or uBlock Origin with advanced mode enabled (quick tutorial). I think with uBlock it's even possible to blacklist specific scripts from a domain while allowing others.
Is there a way I can determine which scripts actually need to run to enable me to get to the relevant data on that page?
AFAIK, trial and error as described by stefanie is the way to go, sadly. Having said that, as you know most scripts aren't needed at all and you'll probably find that correctly guessing which domains/resource types to whitelist for each site is quite easy, actually.
posted by Bangaioh at 11:05 AM on December 15, 2015
Is there a way I can determine which scripts actually need to run to enable me to get to the relevant data on that page?
AFAIK, trial and error as described by stefanie is the way to go, sadly. Having said that, as you know most scripts aren't needed at all and you'll probably find that correctly guessing which domains/resource types to whitelist for each site is quite easy, actually.
posted by Bangaioh at 11:05 AM on December 15, 2015
Is there a way I can determine which scripts actually need to run to enable me to get to the relevant data on that page?
I've recently started making better use of the logger to see what exactly the scripts are doing before I play around with the permissions, but the worst stuff is already explicitly blocked so I don't worry too much about temporarily allowing stuff I'm not 100% sure about.
posted by stefanie at 11:54 AM on December 15, 2015 [1 favorite]
I've recently started making better use of the logger to see what exactly the scripts are doing before I play around with the permissions, but the worst stuff is already explicitly blocked so I don't worry too much about temporarily allowing stuff I'm not 100% sure about.
posted by stefanie at 11:54 AM on December 15, 2015 [1 favorite]
Oh, as to which sites to unblock, one thing is to know that CDN means "content delivery network", and if you're on, say, time.com, you'll probably need to allow timecdn.com as well. buzzfeed.com calls theirs buzzfed.com. It's kind of an interesting peek into how companies organize their infrastructure.
posted by benito.strauss at 1:31 PM on December 15, 2015 [3 favorites]
posted by benito.strauss at 1:31 PM on December 15, 2015 [3 favorites]
I got so tired of exactly this that I stopped using NoScript a while back (except during TOR sessions, of course). I changed a few FireFox settings to be a bit more paranoid (no local storage, purge cookies on exit, all plugins "Never Activate" and manually set back on the rare occasion I need one, etc.) and installed Privacy Badger to keep the trackers at bay for average daily surfing. Anything I don't want associated with me I do in TOR, and I like the idea of a separate browser (or separate profile, at least, with a fingerprint spoofer) for the key daily sites like email/shopping/social networking so they won't be associated with the rest of your surfing.
if you want the level of anonymity you are seeking you must choose an inconvenient, Richard Stallman-esque life
This. Balancing convenience with security and privacy is only going to get more difficult...
posted by MoTLD at 1:48 PM on December 15, 2015
if you want the level of anonymity you are seeking you must choose an inconvenient, Richard Stallman-esque life
This. Balancing convenience with security and privacy is only going to get more difficult...
posted by MoTLD at 1:48 PM on December 15, 2015
I got so tired of exactly this that I stopped using NoScript a while back
You should still use NoScript as even in "allow all" mode it still provides some protection against the nastier stuff. In fact, Tor Browser by default ships with NoScript installed and disabled.
posted by Bangaioh at 2:20 PM on December 15, 2015 [2 favorites]
You should still use NoScript as even in "allow all" mode it still provides some protection against the nastier stuff. In fact, Tor Browser by default ships with NoScript installed and disabled.
posted by Bangaioh at 2:20 PM on December 15, 2015 [2 favorites]
« Older Help me write an inspirational note to a kid from... | Can the stars be seen more clearly when flying at... Newer »
This thread is closed to new comments.
posted by deathpanels at 5:18 AM on December 15, 2015 [1 favorite]